Open lamont-granquist opened 4 years ago
@feelepxyz I remember looking at something like this with you in the past. But I don't recall if this particular scenario is still restricted for security reasons.
Wasn't me, it was actually @tas50 but yeah, we work together.
I think that eval_gemfile is restricted for security reasons. But that's why I want a magic comment to make your parser just skip this line like it wasn't there. We don't need you parsing it and don't need to expose you to the security hole (I want you to behave just like the whole line was commented out).
My apologies. I misunderstood your original post. We definitely like the idea of adding helpful features. But the team is pretty swamped right now scaling Dependabot for the GitHub integration, so it may be a while before we can get to doing this.
@lamont-granquist @rebelagentm yeah it's currently restricted to prevent untrusted code from executing when we parse the gemfile. We should probably add explicit support for this conditional require pattern instead of an ignore comment. Would love any help implementing this as we're pretty swamped at the moment.
I think we'll want to ignore any eval_gemfiles that are wrapped inside an if statement here: https://github.com/dependabot/dependabot-core/blob/master/bundler/lib/dependabot/bundler/file_fetcher/child_gemfile_finder.rb
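The restriction @feelepxyz describes (parse the Gemfile without ever running it, accept only uninterpolated string literals as `eval_gemfile` arguments, and skip rather than reject calls wrapped in a conditional), as an added example that is not code from dependabot-core: it uses Ruby's stdlib `Ripper` instead of the `parser` gem the project uses, and the sample Gemfile at the bottom is constructed from the snippets posted in this thread.

```ruby
require "ripper"

# Added example, not dependabot-core's code. Statically locate eval_gemfile
# calls in a Gemfile with Ruby's stdlib Ripper so that nothing in the file is
# executed. Rule mirrored from the thread:
#   - an uninterpolated string literal argument is accepted as a child path
#   - a call guarded by if/unless/ternary is skipped, not rejected
#   - anything else (variable, interpolated string, splat) is rejected
module ChildGemfileScanner
  CONDITIONALS = %i[if if_mod unless unless_mod elsif ifop].freeze

  Result = Struct.new(:literal_paths, :conditional, :rejected, keyword_init: true)

  # Scan Gemfile source text. Ripper only parses; it never evals.
  def self.scan(source)
    sexp = Ripper.sexp(source)
    raise ArgumentError, "Gemfile does not parse" unless sexp

    result = Result.new(literal_paths: [], conditional: [], rejected: [])
    walk(sexp, false, result)
    result
  end

  def self.scan_file(path)
    scan(File.read(path))
  end

  # Depth-first walk; `guarded` becomes true once we are inside a conditional.
  def self.walk(node, guarded, result)
    return unless node.is_a?(Array)

    guarded ||= CONDITIONALS.include?(node.first)
    call = eval_gemfile_call(node)
    record(call[:args], guarded, result) if call
    node.each { |child| walk(child, guarded, result) }
  end

  # Returns { args: <args node or nil> } for an eval_gemfile call, else nil.
  # Ripper shapes: `eval_gemfile "x"`  -> [:command, ident, args]
  #                `eval_gemfile("x")` -> [:method_add_arg, [:fcall, ident], [:arg_paren, args]]
  def self.eval_gemfile_call(node)
    case node.first
    when :command
      { args: node[2] } if ident?(node[1])
    when :method_add_arg
      fcall, paren = node[1], node[2]
      if fcall.is_a?(Array) && fcall.first == :fcall && ident?(fcall[1])
        args = paren.is_a?(Array) && paren.first == :arg_paren ? paren[1] : paren
        { args: args }
      end
    end
  end

  def self.ident?(node)
    node.is_a?(Array) && node.first == :@ident && node[1] == "eval_gemfile"
  end

  def self.record(args, guarded, result)
    first = first_argument(args)
    path = literal_string(first)
    if guarded
      result.conditional << (path || describe(first))
    elsif path
      result.literal_paths << path
    else
      result.rejected << describe(first)
    end
  end

  # args looks like [:args_add_block, [arg, ...], block] (nil when there are none)
  def self.first_argument(args)
    return nil unless args.is_a?(Array) && args.first == :args_add_block
    args[1].is_a?(Array) ? args[1].first : nil
  end

  # Only a string made purely of literal text counts; any #{} part makes it nil.
  def self.literal_string(node)
    return nil unless node.is_a?(Array) && node.first == :string_literal
    content = node[1]
    return nil unless content.is_a?(Array) && content.first == :string_content
    parts = content.drop(1)
    return nil unless parts.all? { |p| p.is_a?(Array) && p.first == :@tstring_content }
    parts.map { |p| p[1] }.join
  end

  def self.describe(node)
    return "no argument" unless node.is_a?(Array)
    case node.first
    when :var_ref, :vcall then "variable #{node[1][1]}"
    when :string_literal then "interpolated string"
    else node.first.to_s
    end
  end
end

# Constructed sample Gemfile assembled from the snippets posted in this thread.
SAMPLE_GEMFILE = <<~'GEMFILE'
  source "https://rubygems.org"
  gem "dotenv"
  eval_gemfile "Gemfile.shared"
  plugins_path = File.join(File.dirname(__FILE__), "fastlane", "Pluginfile")
  eval_gemfile(plugins_path) if File.exist?(plugins_path)
  gemfile_shared_path = ENV.fetch("GEMFILE_SHARED_PATH", "./Gemfile.shared")
  eval_gemfile(gemfile_shared_path)
  eval_gemfile("./Gemfile.local") if ENV["GEMFILE_LOCAL"]
  eval_gemfile("./Gemfile.#{RUBY_VERSION}")
GEMFILE

if $PROGRAM_NAME == __FILE__
  r = ChildGemfileScanner.scan(SAMPLE_GEMFILE)
  puts "accepted:    #{r.literal_paths.inspect}"
  puts "conditional: #{r.conditional.inspect}"
  puts "rejected:    #{r.rejected.inspect}"
end
```

Running it against the sample accepts only `Gemfile.shared`, files the two `if`-guarded calls under `conditional` (so a fetcher can skip them instead of failing), and rejects the bare variable and the interpolated string, which is the same outcome as the "only supports uninterpolated string arguments" error quoted later in this thread. A call guarded with `&&` instead of `if` is not treated as conditional by this walker; extending `CONDITIONALS` is the place to change that.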
As reported above, dependabot can't interpret my Gemfile either.
```ruby
# frozen_string_literal: true
source "https://rubygems.org"
gem 'cocoapods', '~> 1.8.0'
gem 'fastlane', '~> 2.148.0'
gem 'dotenv'
plugins_path = File.join(File.dirname(__FILE__), 'fastlane', 'Pluginfile')
eval_gemfile(plugins_path) if File.exist?(plugins_path)
```
Failure message:
```
Dependabot only supports uninterpolated string arguments to eval_gemfile. Got `plugins_path`
```
> I think we'll want to ignore any eval_gemfiles that are wrapped inside an if statement here:
Like @feelepxyz said, I hope it will come soon.
I confirm that also the following does not succeed.
```ruby
gemfile_shared_path = ENV.fetch('GEMFILE_SHARED_PATH', './Gemfile.shared')
eval_gemfile(gemfile_shared_path)
```
```
Dependabot only supports uninterpolated string arguments to eval_gemfile. Got plugins_path
```
:-(
Any update about this?
> What I'd like to be able to do is just tell dependabot to completely ignore that line:
You can probably do this:
```ruby
eval_gemfile("./Gemfile.local") if ENV["GEMFILE_LOCAL"]
```
It'll evaluate to false, and Gemfile.local will not be included. But that will require you to set that env variable locally, so it's not great.
Did you manage to bypass this? One year later I still have the same problem.
Just wondering, has this issue been resolved, or is there any recommended approach to bypass it?
I'm facing the same issue too
👋 This issue has been marked as stale because it has been open for 2 years with no activity. You can comment on the issue to hold stalebot off for a while, or do nothing. If you do nothing, this issue will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details.
I'm still hoping this gets resolved.
We have this in our Gemfile in order to let devs add debugging gems (for very complicated reasons we cannot just agree on a set of debugging gems and include them globally into a group):
I got rid of the old string interpolation that was present there, but dependabot still complains now that it can't find Gemfile.local.
What I'd like to be able to do is just tell dependabot to completely ignore that line:
We have some other context-dependent lines in our Gemfiles that might need to be skipped as well (and it might be useful to be able to skip entire blocks of code with something like `# dependabot:ignore:start` and `# dependabot:ignore:end`, or something like that).