Bundler changing the specified platform

[saturnflyer]

Is there an existing issue for this?

• [X] I have searched the existing issues

Package ecosystem

bundler

Package manager version

bundler 2.5.5

Language version

Ruby 3.3.1

Manifest location and content before the Dependabot update

/Gemfile

dependabot.yml content

version: 2 updates:

• package-ecosystem: 'bundler' directory: '/' schedule: interval: 'daily' groups: production: dependency-type: 'production' development: dependency-type: 'development' patches: update-types:

  • 'patch'

• package-ecosystem: 'npm' directory: '/' schedule: interval: 'daily'

• package-ecosystem: 'docker' directory: '/' schedule: interval: 'weekly'

Updated dependency

from:

• ffi (1.17.0)

to:

• ffi (1.17.0-x86_64-linux-gnu)

What you expected to see, versus what you actually saw

There should be no change to this gem. But the platform was updated

Expected:

PLATFORMS
   ruby

Actual:

PLATFORMS
   x86_64-linux

Native package manager behavior

> bundle update ffi
Fetching gem metadata from https://rubygems.pkg.github.com/sofware/..
Fetching gem metadata from https://rubygems.org/........
Resolving dependencies...
Bundler attempted to update ffi but its version stayed the same
Bundle updated!

Images of the diff or a link to the PR, issue, or logs

Smallest manifest that reproduces the issue

No response

[saturnflyer]

This issue seems to reflect the same problem with the platform changing https://github.com/dependabot/dependabot-core/issues/10034

[deivid-rodriguez]

Can you share a public PR with this problem? I'd like to have a look.

[saturnflyer]

@deivid-rodriguez this is in a private repository. I'll see if I can recreate it in a public one

[saturnflyer]

Had this come up in another private repo when updating the clearance gem

I don't understand how it would get x86_64-darwin

[saturnflyer]

@deivid-rodriguez I'm trying to recreate this over here https://github.com/saturnflyer/dependabot-bug/pull/1/files but dependabot isn't changing the platform. I'll see if adding additional dependencies makes a difference

[jorg-vr]

we are having the same issue in our dependabot prs.

Examples:

• https://github.com/dodona-edu/dodona/pull/5657/commits/659907d16c04ce294b4cd5b5a85d99670c2efe5b
• https://github.com/dodona-edu/dodona/pull/5658/commits/ba3ee1b8e497c8cf867e2bc324c38faf8c919675
• https://github.com/dodona-edu/dodona/pull/5659/commits/157a4cb1e4798c941d78319a40c89ca0c5ea5586

The added system specification breaks building in for example our github actions

[jdongelmans]

I can also report we have the same in some of our repositories, it removes the ruby platform and adds the x86_64-darwin for seemingly no apparent reason.

Weird thing is that with the exact same dependabot.yml it works fine in other repo's.

version: 2
updates:
  - package-ecosystem: bundler
    directory: '/'
    schedule:
      interval: daily
    open-pull-requests-limit: 10
    groups:
      security-updates:
        applies-to: security-updates
        patterns:
          - '*'
        update-types:
          - 'minor'
          - 'patch'
      version-updates:
        applies-to: version-updates
        patterns:
          - '*'
        update-types:
          - 'minor'
          - 'patch'

[deivid-rodriguez]

Thanks for sharing those PRs, will look into this.

[deivid-rodriguez]

I identified this as a problem in Bundler. Will work on a solution upstream and propose an update of the Bundler version used by Dependabot once ready.

[deivid-rodriguez]

I have an upstream fix! Probably won't be included in the next release, but in the one after.

[deivid-rodriguez]

So some updates here, upstream PR is merged and I plan to release it by the end of next week.

[deivid-rodriguez]

Fixes are now released, so this issue should be gone (🤞) once Dependabot upgrades through #10246.

[deivid-rodriguez]

Let me know if you're still seeing issues after this update, thanks!

[laasem]

Hello @deivid-rodriguez! Has this update been released? Can't find it in latest tag.

[jdongelmans]

@laasem Yeah it looks like it missed the release indeed.

I also still have the issue persisting in my repo's after the latest Dependabot runs so hopefully it will catch the next one!

[deivid-rodriguez]

mmmm I guess if you're using Dependabot as a standalone tool you need to wait for the next release, but if you're using Github.com's dependabot updates service, I'd say this has already been deployed. Maybe there are still some issues? Can you point to a public PR where this is still happening?

[jorg-vr]

This resolved for me in most but not all prs.

It still persisted here: https://github.com/dodona-edu/dodona/pull/5706/commits/fc0dd9d9e2cc941c98da13ad98dc3e45808244a3

[deivid-rodriguez]

In that case, ffi is actually a transitive dependency of image_processing, so it's expected.

It's not clear whether bundler should "upgrade platforms" when running bundle update. It currently does so, so from dependabot-core's point of view, this is expected.

The behavior could be changed upstream, but I'm not fully sure if we want to change it, because otherwise if a gem author releases a platforms specific variant of a gem that you do want to use, you' won't be able to pick up that upgrade if we change the behavior.