Open coding-bunny opened 3 years ago
@coding-bunny Can some other dependent packages be updated?
It seems to be able to update other private dependencies, yes.
I also encountered the same problem. When I encounter these two dependencies, for example vue, vue-template-compiler, is-windows, prettier and so on, it is a very stable reproduction! https://github.com/dependabot/dependabot-core/issues/3869
@coding-bunny could you please share a little more information like the package.json and package-lock.json files, your dependabot config file etc, that'll help us figure out what's going on.
If I see it happen again I'll add it here.
Found another example where it happened in one of our private repositories that has a dependency on another private repository:
updater | I, [2021-09-29T10:43:00.161530 #8] INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | warning: parser/current is loading parser/ruby27, which recognizes
updater | warning: 2.7.4-compliant syntax, but you are running 2.7.1.
updater | warning: please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
updater | INFO <job_214705855> Starting job processing
updater | INFO <job_214705855> Starting update job for customink/application_service_catalog
updater | INFO <job_214705855> Checking if nokogiri 1.12.4 needs updating
proxy | 2021/09/29 10:43:03 [016] GET https://rubygems.org:443/api/v1/versions/nokogiri.json
proxy | 2021/09/29 10:43:03 [016] 200 https://rubygems.org:443/api/v1/versions/nokogiri.json
updater | INFO <job_214705855> Latest version is 1.12.5
proxy | 2021/09/29 10:43:04 [019] GET https://github.com:443/customink/inkycop.git/info/refs?service=git-upload-pack
proxy | 2021/09/29 10:43:04 [019] * authenticating git server request (host: github.com)
proxy | 2021/09/29 10:43:04 [019] 404 https://github.com:443/customink/inkycop.git/info/refs?service=git-upload-pack
proxy | 2021/09/29 10:43:04 [019] * auth'd git request returned 404, retrying without auth
proxy | 2021/09/29 10:43:05 [019] * de-auth'd request returned 401, replacing response
proxy | 2021/09/29 10:43:05 [022] GET https://github.com:443/customink/inkycop.git/info/refs?service=git-upload-pack
proxy | 2021/09/29 10:43:05 [022] * authenticating git server request (host: github.com)
proxy | 2021/09/29 10:43:05 [022] 404 https://github.com:443/customink/inkycop.git/info/refs?service=git-upload-pack
proxy | 2021/09/29 10:43:05 [022] * auth'd git request returned 404, retrying without auth
proxy | 2021/09/29 10:43:05 [022] * de-auth'd request returned 401, replacing response
proxy | 2021/09/29 10:43:05 [025] GET https://github.com:443/customink/inkycop.git/info/refs?service=git-upload-pack
proxy | 2021/09/29 10:43:05 [025] * authenticating git server request (host: github.com)
proxy | 2021/09/29 10:43:05 [025] 404 https://github.com:443/customink/inkycop.git/info/refs?service=git-upload-pack
proxy | 2021/09/29 10:43:05 [025] * auth'd git request returned 404, retrying without auth
proxy | 2021/09/29 10:43:05 [025] * de-auth'd request returned 401, replacing response
proxy | 2021/09/29 10:43:06 [028] GET https://github.com:443/customink/inkycop.git/info/refs?service=git-upload-pack
proxy | 2021/09/29 10:43:06 [028] * authenticating git server request (host: github.com)
proxy | 2021/09/29 10:43:06 [028] 404 https://github.com:443/customink/inkycop.git/info/refs?service=git-upload-pack
proxy | 2021/09/29 10:43:06 [028] * auth'd git request returned 404, retrying without auth
proxy | 2021/09/29 10:43:06 [028] * de-auth'd request returned 401, replacing response
proxy | 2021/09/29 10:43:06 [030] GET https://github.com:443/customink/is_it_up.git/info/refs?service=git-upload-pack
proxy | 2021/09/29 10:43:06 [030] * authenticating git server request (host: github.com)
proxy | 2021/09/29 10:43:06 [030] 200 https://github.com:443/customink/is_it_up.git/info/refs?service=git-upload-pack
proxy | 2021/09/29 10:43:06 [032] GET https://github.com:443/customink/is_it_working.git/info/refs?service=git-upload-pack
proxy | 2021/09/29 10:43:06 [032] * authenticating git server request (host: github.com)
proxy | 2021/09/29 10:43:06 [032] 200 https://github.com:443/customink/is_it_working.git/info/refs?service=git-upload-pack
proxy | 2021/09/29 10:43:06 [034] GET https://github.com:443/customink/inkycop.git/info/refs?service=git-upload-pack
proxy | 2021/09/29 10:43:06 [034] * authenticating git server request (host: github.com)
proxy | 2021/09/29 10:43:07 [034] 404 https://github.com:443/customink/inkycop.git/info/refs?service=git-upload-pack
proxy | 2021/09/29 10:43:07 [034] * auth'd git request returned 404, retrying without auth
proxy | 2021/09/29 10:43:07 [034] * de-auth'd request returned 401, replacing response
updater | INFO <job_214705855> Handled error whilst updating nokogiri: git_dependencies_not_reachable {:"dependency-urls"=>["git@github.com:customink/inkycop.git"]}
updater | INFO <job_214705855> Finished job processing
updater | time="2021-09-29T10:43:07Z" level=info msg="task complete" container_id=job-214705855-updater exit_code=0 job_id=214705855 step=updater
This is what is inside the Gemfile:

```ruby
source 'https://rubygems.org'
git_source(:github) { |repo| "git@github.com:#{repo}.git" }
group :development, :test do
  gem 'bundle-audit'
  gem 'byebug', platforms: %i[mri mingw x64_mingw]
  gem 'factory_bot_rails'
  gem 'inkycop', github: 'customink/inkycop', tag: '3.11.2'
  gem 'rspec-rails'
end
```
I kind of expect Dependabot to have access to our private repositories when it's added on the Company level.
Happens to both Ruby projects and/or nodeJS/Yarn updates. Every time it tries to check for a private dependency the process just fails.
> I kind of expect Dependabot to have access to our private repositories when it's added on the Company level.
You'll need to explicitly give dependabot access to the repository: https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private-repositories
It has. Dependabot has been configured to access all our private repositories.
> It has. Dependabot has been configured to access all our private repositories.
Yeah, I'm seeing the same thing.
Something that could be improved, the yellow box on the alert says it fails to fetch one repo:
Dependabot failed to update your dependencies The following git repository was unreachable and caused the update to fail: foo-repo.
but in our case our Gemfile uses two private repos, and logs say both fail (exactly like https://github.com/dependabot/dependabot-core/issues/3868#issuecomment-930066176)
Sorry for the confusion here :(
The bundler issue is likely because we don't allow bundler fetches from private repos (as documented), due to the insecure-external-code-execution flag not being present. It's on our roadmap to allow that flag to apply and to thus allow bundler access and execution from private repos, but it might be a little longer.
The solution at present is to put the dependency in a private registry (which can use the above flag), or wait for us to fix the inconsistency.
Looks like the fix is tracked in https://github.com/dependabot/dependabot-core/issues/3494 externally.
@asciimike Thanks for the clarification. Hope you can get to that rather sooner than later.
Would I be able to workaround this, and make Dependabot work for my repo, if I was vendoring my dependencies? (i.e. no need to fetch the private repo)
I admit that I don't immediately know; my assumption is that even if you vendor deps, we'd still need to make requests to the locations those deps are stored in order to determine if they need to be updated, which would require access.
Maybe @jurre or @feelepxyz knows?
> Sorry for the confusion here :(
> The bundler issue is likely because we don't allow bundler fetches from private repos (as documented), due to the insecure-external-code-execution flag not being present. It's on our roadmap to allow that flag to apply and to thus allow bundler access and execution from private repos, but it might be a little longer. The solution at present is to put the dependency in a private registry (which can use the above flag), or wait for us to fix the inconsistency.
> Looks like the fix is tracked in #3494 externally.
Sorry but this explanation makes no sense. If Dependabot is unable to pull any updates from a private repository, shouldn't it fail on every single gem update it tries to update because of the private repository index that needs to be pulled? Yet I have projects in the same organization that receive updates for both public and private gems without a single problem, yet another project in the same organization is failing with these errors.
> If Dependabot is unable to pull any updates from a private repository, shouldn't it fail on every single gem update it tries to update because of the private repository index that needs to be pulled?
That would be my assumption. Is the other project failing on the same dependencies or different dependencies? Has that other project been granted access to the repos in question?
No, the other projects happily get updates for a private gem we maintain. Hence why the explanation made no sense to me, nor the linked documentation.
So what I'm hearing is:
Repo C (also private) has configured Dependabot access to Repo A, but is not able to update a direct dependency on the gem in Repo A
Is that correct? Are there differences in how the gemfiles in B and C are written, or is the gem from A consumed directly in B and not in C (or vice versa)?
Yeah that explanation sounds correct, and no there's no real difference from what I can tell on a first glance. I can take a deeper dive at these projects tomorrow, combined with the error logs and see whether the failing projects return the same error, and thus might reveal a config problem or not.
I'll report back when I find something.
Also in the customink org, we had a similar issue with an application that included the following in its Gemfile:

```ruby
# Custom Ink internal gems
gem "client_client", github: "customink/client_client", tag: "v0.2.4"
gem "decorator_client", github: "customink/decorator_client", tag: "v2.6.0"
gem "foreman-export-monit", github: "customink/foreman-export-monit", tag: "v0.0.4"
gem "ink_colors", github: "customink/ink_colors", tag: "v1.7.7"
gem "messaging_helper", github: "customink/messaging_helper", tag: "v2.1.1"
gem "omniauth-customink", github: "customink/omniauth-customink", tag: "v0.1.3"
gem "quote_client", github: "customink/quote_client", tag: "v0.0.15"
gem "reviews_client", github: "customink/reviews_client", tag: "v0.2.0"
gem "service_config", github: "customink/service_config", tag: "v0.3.1"
gem "supplier_client", github: "customink/supplier_client", tag: "v2.4.2"
# [...]
# (other sources/groups not relevant to this issue)
# [...]
group :development, :test do
  gem "database_cleaner"
  gem "faker"
  gem "named_seeds"
  gem "pry"
  gem "pry-byebug"
  gem "pry-stack_explorer"
  gem "rspec-rails"
  gem "rubocop-junit_formatter"
  gem "ruby-oci8", "2.2.9"
  gem "rubyzip", require: "zip"
  gem "stuffed_bunny", require: false
  gem "inkycop", github: "customink/inkycop", tag: "v0.0.13"
end
```
We ultimately gave up and worked around this by packaging all the gems in our org's private package repository and switching the Gemfile to use those, but it adds a hurdle because it requires both our GitHub Actions and our developers in their local environments to have package-scoped access tokens added to their bundle config.
Found again an issue with one of our repositories not being able to apply a Dependabot update from an Alert:
proxy | time="2022-04-14T06:16:57Z" level=info msg="proxy starting" commit=0cfe6fc8a85a641097e4d9faf5c8349b892b1e40
proxy | 2022/04/14 06:16:57 Listening (:1080)
updater | 2022-04-14T06:16:57.225808076 [anonymous-instance:main:WARN:src/firecracker/src/main.rs:370] You are using a deprecated parameter: --seccomp-level 2, that will be removed in a future version.
updater | 2022-04-14T06:16:57.248357787 [345939629:main:WARN:src/devices/src/legacy/serial.rs:432] Detached the serial input due to peer close/error.
updater | time="2022-04-14T06:16:58Z" level=info msg="guest starting" commit=284b5dacb1face4d3c6d1a0b48f574503fb7ea54
updater | time="2022-04-14T06:16:58Z" level=info msg="starting job..." fetcher_timeout=5m0s job_id=345939629 updater_timeout=30m0s updater_version=0.180.5-6fcec953c00ec2a7270e2e6c7912aa60a97d92d8
updater | I, [2022-04-14T06:17:00.161749 #8] INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | INFO <job_345939629> Starting job processing
proxy | 2022/04/14 06:17:02 [002] GET https://api.github.com:443/repos/customink/application-service-catalog
proxy | 2022/04/14 06:17:02 [002] * authenticating github api request
proxy | 2022/04/14 06:17:02 [002] 200 https://api.github.com:443/repos/customink/application-service-catalog
proxy | 2022/04/14 06:17:02 [004] GET https://api.github.com:443/repos/customink/application-service-catalog/git/refs/heads/main
proxy | 2022/04/14 06:17:02 [004] * authenticating github api request
proxy | 2022/04/14 06:17:02 [004] 200 https://api.github.com:443/repos/customink/application-service-catalog/git/refs/heads/main
proxy | 2022/04/14 06:17:02 [006] GET https://api.github.com:443/repos/customink/application-service-catalog/contents/?ref=825d98dedd50b8aadc46b547f8c29a04922f069c
proxy | 2022/04/14 06:17:02 [006] * authenticating github api request
proxy | 2022/04/14 06:17:02 [006] 200 https://api.github.com:443/repos/customink/application-service-catalog/contents/?ref=825d98dedd50b8aadc46b547f8c29a04922f069c
proxy | 2022/04/14 06:17:02 [008] GET https://api.github.com:443/repos/customink/application-service-catalog/contents/Gemfile?ref=825d98dedd50b8aadc46b547f8c29a04922f069c
proxy | 2022/04/14 06:17:02 [008] * authenticating github api request
proxy | 2022/04/14 06:17:02 [008] 200 https://api.github.com:443/repos/customink/application-service-catalog/contents/Gemfile?ref=825d98dedd50b8aadc46b547f8c29a04922f069c
proxy | 2022/04/14 06:17:02 [010] GET https://api.github.com:443/repos/customink/application-service-catalog/contents/Gemfile.lock?ref=825d98dedd50b8aadc46b547f8c29a04922f069c
proxy | 2022/04/14 06:17:02 [010] * authenticating github api request
proxy | 2022/04/14 06:17:03 [010] 200 https://api.github.com:443/repos/customink/application-service-catalog/contents/Gemfile.lock?ref=825d98dedd50b8aadc46b547f8c29a04922f069c
updater | INFO <job_345939629> Finished job processing
updater | time="2022-04-14T06:17:03Z" level=info msg="task complete" container_id=job-345939629-file-fetcher exit_code=0 job_id=345939629 step=fetcher
updater | I, [2022-04-14T06:17:04.212992 #8] INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | INFO <job_345939629> Starting job processing
updater | INFO <job_345939629> Starting update job for customink/application-service-catalog
updater | INFO <job_345939629> Checking if nokogiri 1.13.3 needs updating
proxy | 2022/04/14 06:17:08 [016] GET https://rubygems.org:443/api/v1/versions/nokogiri.json
proxy | 2022/04/14 06:17:08 [016] 200 https://rubygems.org:443/api/v1/versions/nokogiri.json
updater | INFO <job_345939629> Latest version is 1.13.4
proxy | 2022/04/14 06:17:09 [019] GET https://github.com:443/customink/inkycop.git/info/refs?service=git-upload-pack
proxy | 2022/04/14 06:17:09 [019] * authenticating git server request (host: github.com)
proxy | 2022/04/14 06:17:09 [019] 404 https://github.com:443/customink/inkycop.git/info/refs?service=git-upload-pack
proxy | 2022/04/14 06:17:09 [019] * auth'd git request returned 404, retrying without auth
proxy | 2022/04/14 06:17:09 [019] * de-auth'd request returned 401, replacing response
proxy | 2022/04/14 06:17:09 [022] GET https://github.com:443/customink/inkycop.git/info/refs?service=git-upload-pack
proxy | 2022/04/14 06:17:09 [022] * authenticating git server request (host: github.com)
proxy | 2022/04/14 06:17:09 [022] 404 https://github.com:443/customink/inkycop.git/info/refs?service=git-upload-pack
proxy | 2022/04/14 06:17:09 [022] * auth'd git request returned 404, retrying without auth
proxy | 2022/04/14 06:17:09 [022] * de-auth'd request returned 401, replacing response
proxy | 2022/04/14 06:17:10 [025] GET https://github.com:443/customink/inkycop.git/info/refs?service=git-upload-pack
proxy | 2022/04/14 06:17:10 [025] * authenticating git server request (host: github.com)
proxy | 2022/04/14 06:17:10 [025] 404 https://github.com:443/customink/inkycop.git/info/refs?service=git-upload-pack
proxy | 2022/04/14 06:17:10 [025] * auth'd git request returned 404, retrying without auth
proxy | 2022/04/14 06:17:10 [025] * de-auth'd request returned 401, replacing response
proxy | 2022/04/14 06:17:10 [028] GET https://github.com:443/customink/inkycop.git/info/refs?service=git-upload-pack
proxy | 2022/04/14 06:17:10 [028] * authenticating git server request (host: github.com)
proxy | 2022/04/14 06:17:10 [028] 404 https://github.com:443/customink/inkycop.git/info/refs?service=git-upload-pack
proxy | 2022/04/14 06:17:10 [028] * auth'd git request returned 404, retrying without auth
proxy | 2022/04/14 06:17:10 [028] * de-auth'd request returned 401, replacing response
proxy | 2022/04/14 06:17:11 [030] GET https://github.com:443/customink/is_it_up.git/info/refs?service=git-upload-pack
proxy | 2022/04/14 06:17:11 [030] * authenticating git server request (host: github.com)
proxy | 2022/04/14 06:17:11 [030] 200 https://github.com:443/customink/is_it_up.git/info/refs?service=git-upload-pack
proxy | 2022/04/14 06:17:11 [032] GET https://github.com:443/customink/is_it_working.git/info/refs?service=git-upload-pack
proxy | 2022/04/14 06:17:11 [032] * authenticating git server request (host: github.com)
proxy | 2022/04/14 06:17:11 [032] 200 https://github.com:443/customink/is_it_working.git/info/refs?service=git-upload-pack
proxy | 2022/04/14 06:17:11 [034] GET https://github.com:443/customink/inkycop.git/info/refs?service=git-upload-pack
proxy | 2022/04/14 06:17:11 [034] * authenticating git server request (host: github.com)
proxy | 2022/04/14 06:17:11 [034] 404 https://github.com:443/customink/inkycop.git/info/refs?service=git-upload-pack
proxy | 2022/04/14 06:17:11 [034] * auth'd git request returned 404, retrying without auth
proxy | 2022/04/14 06:17:11 [034] * de-auth'd request returned 401, replacing response
updater | INFO <job_345939629> Handled error whilst updating nokogiri: git_dependencies_not_reachable {:"dependency-urls"=>["git@github.com:customink/inkycop.git"]}
updater | INFO <job_345939629> Finished job processing
updater | INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | time="2022-04-14T06:17:11Z" level=info msg="task complete" container_id=job-345939629-updater exit_code=0 job_id=345939629 step=updater
Yet Dependabot has successfully created pull requests on this repository before and even has one open. So Dependabot is supposed to work just fine.
Found another Repository in our company that suffers from this problem, this time a Ruby one:
proxy | time="2023-01-09T22:06:04Z" level=info msg="proxy starting" commit=fc45a32e8f82525e670fa69379341b14500e5769
proxy | 2023/01/09 22:06:04 Listening (:1080)
updater | 2023-01-09T22:06:04.377220869 [574222841:main:WARN:src/devices/src/legacy/serial.rs:214] Detached the serial input due to peer close/error.
updater | time="2023-01-09T22:06:06Z" level=info msg="guest starting" commit=e11c2fa785c9682a812f8aeda27b517be1dfffb5
updater | time="2023-01-09T22:06:06Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=574222841 updater_timeout=30m0s updater_version=ec4f67bdf41e86c9cc28f3dc0a9e701a663a225a
updater | I, [2023-01-09T22:06:07.664662 #8] INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | INFO <job_574222841> Starting job processing
proxy | 2023/01/09 22:06:09 [002] GET https://api.github.com:443/repos/customink/infrastructure-deployment-utility
proxy | 2023/01/09 22:06:09 [002] * authenticating github api request
proxy | 2023/01/09 22:06:09 [002] 401 https://api.github.com:443/repos/customink/infrastructure-deployment-utility
updater | ERROR <job_574222841> Error during file fetching; aborting
updater | INFO <job_574222841> Finished job processing
updater | INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | time="2023-01-09T22:06:10Z" level=info msg="task complete" container_id=job-574222841-file-fetcher exit_code=0 job_id=574222841 step=fetcher
updater | time="2023-01-09T22:06:10Z" level=warning msg="failed during fetch, skipping updater" job_id=574222841
Regarding this part of the error message in the previous comment:
> updater | INFO <job_345939629> Handled error whilst updating nokogiri: git_dependencies_not_reachable {:"dependency-urls"=>["git@github.com:customink/inkycop.git"]}
Dependabot should be using https instead 🤔, it seems to be failing to replace the protocol? Does that come from your lockfile?
Yes, we have most private ruby dependencies set to use git as protocol and not the https. Easier to use the SSH access for everyone instead of constantly juggling tokens.
And yes, Dependabot should swap protocols
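To make the protocol question above concrete, here is an added example (not Dependabot's or the project's own code): a small Ruby check that walks the GIT sections of a Gemfile.lock and reports which remotes are in the ssh form that the thread's Gemfile produces, together with the https form a token-authenticating proxy would need. The lockfile excerpt is constructed to mirror the Gemfile shown earlier; the revisions and versions in it are made up.

```ruby
# Added example, not Dependabot code. Constructed Gemfile.lock excerpt modelled on
# the thread's Gemfile, where git_source(:github) is overridden to emit
# git@github.com: URLs instead of Bundler's default https form.
SAMPLE_LOCKFILE = <<~LOCK
  GIT
    remote: git@github.com:customink/inkycop.git
    revision: 0123456789abcdef0123456789abcdef01234567
    tag: 3.11.2
    specs:
      inkycop (3.11.2)

  GIT
    remote: ssh://git@github.com/customink/is_it_up.git
    revision: 89abcdef0123456789abcdef0123456789abcdef
    specs:
      is_it_up (1.0.0)

  GIT
    remote: https://github.com/customink/is_it_working.git
    revision: fedcba9876543210fedcba9876543210fedcba98
    specs:
      is_it_working (2.0.0)

  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.12.4)
LOCK

# Rewrite scp-style (user@host:path) and ssh:// remotes to https://, pass
# https:// remotes through unchanged, and return nil for anything else.
def https_form(remote)
  case remote
  when %r{\A[\w.-]+@([\w.-]+):(.+)\z}                then "https://#{$1}/#{$2}"
  when %r{\Assh://[\w.-]+@([\w.-]+)(?::\d+)?/(.+)\z} then "https://#{$1}/#{$2}"
  when %r{\Ahttps://}                                then remote
  end
end

# Collect every GIT remote in the lockfile (GEM sources are skipped) with its
# https equivalent and whether a protocol swap is needed before a token can be
# attached to the request.
def git_remotes(lockfile)
  lockfile.scan(/^GIT\n\s+remote: (\S+)/).flatten.map do |remote|
    https = https_form(remote)
    { remote: remote, https: https, needs_rewrite: https != remote }
  end
end

if $PROGRAM_NAME == __FILE__
  git_remotes(SAMPLE_LOCKFILE).each do |r|
    status = r[:needs_rewrite] ? "rewrite to" : "already https:"
    puts "#{r[:remote]} -> #{status} #{r[:https]}"
  end
end
```

Run it against a real Gemfile.lock by replacing SAMPLE_LOCKFILE with File.read("Gemfile.lock"); any remote flagged needs_rewrite is one the updater would have to convert before authenticating over https.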
Related, likely the same root cause:
Package ecosystem: npm
Package manager version: yarn 1.22.10
Language version: node 12.19.0
Manifest location and content prior to update: /yarn.lock
dependabot.yml content:
Updated dependency:
What you expected to see, versus what you actually saw: Expected the dependencies to be updated
Native package manager behavior: Works locally
Images of the diff or a link to the PR, issue or logs: /
🕹 Bonus points: Smallest manifest that reproduces the issue: