dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

[Bundler]: Gems sourced directly from Git repositories #6816

Open THETCR opened 1 year ago

THETCR commented 1 year ago

Is there an existing issue for this?

Package ecosystem

Bundler

Package manager version

2.4.7

Language version

3.1.3

Manifest location and content before the Dependabot update

# frozen_string_literal: true

ruby "3.1.3"
source "https://rubygems.org"

gem "dependabot-omnibus", git: "https://github.com/dependabot/dependabot-core.git"

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

Dependabot::DependencyFileNotEvaluatable, failure to parse the manifest with a JSON::ParserError.

Native package manager behavior

Works as stipulated in the Bundler documentation.

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

deivid-rodriguez commented 1 year ago

We're adding support for Bundler 2.4 at #6303. I guess this should get fixed after that, since you seem to be running Bundler 2.4?

THETCR commented 1 year ago

@deivid-rodriguez Same result with Bundler 2.3.26.

deivid-rodriguez commented 1 year ago

Alright, can you then post the exact error you're getting, and exact steps so that we can reproduce this error ourselves?

andrcuns commented 1 year ago

It actually works just fine for me when consumed directly from a branch.

It was able to bump the sha version just fine. The only difference is that I also set the branch parameter explicitly in the Gemfile.

jeffwidman commented 1 year ago

Any update @THETCR ?

Otherwise we'll need to close due to lack of information.

THETCR commented 1 year ago

@jeffwidman

It seems the issue is not only with Git sources. The same issue is also happening in the CI/CD of the dependabot-script repository. As shown here: https://github.com/dependabot/dependabot-script/actions/runs/5050327896/jobs/9060910598?pr=921

This happens regardless of the Bundler version used.

It results in the native helper returning an empty String. The same as discussed here: https://github.com/dependabot/dependabot-core/pull/6521
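The failure mode described above (a native helper that returns an empty string, which the caller then hands to a JSON parser) is easy to reproduce in isolation. The following is an added example, not dependabot-core's own code: it shows that `JSON.parse("")` raises `JSON::ParserError`, and contrasts it with a wrapper that checks for empty helper output first and raises a descriptive error. The class and method names (`NativeHelperOutput`, `classify_helper_result`, `raw_parse_raises?`) and the sample outputs are assumptions constructed for this illustration, not captured from a real Dependabot run.

```ruby
# Added example (not dependabot-core's own code): how an empty native-helper
# response becomes JSON::ParserError, and a parser that reports the empty
# output explicitly instead. Names here are assumptions for this illustration.
require "json"

class NativeHelperOutput
  class EmptyOutput < StandardError; end

  # Parse stdout from a helper subprocess. An empty string is not valid JSON,
  # so JSON.parse would raise JSON::ParserError with an unhelpful message;
  # detect it first and raise an error that names the real problem.
  def self.parse(stdout, stderr: "")
    if stdout.nil? || stdout.strip.empty?
      raise EmptyOutput,
            "native helper returned no output (stderr: #{stderr.strip.inspect})"
    end
    JSON.parse(stdout)
  end
end

# Classify a helper result without letting the exception escape.
def classify_helper_result(stdout, stderr: "")
  NativeHelperOutput.parse(stdout, stderr: stderr)
  :ok
rescue NativeHelperOutput::EmptyOutput
  :empty_output
rescue JSON::ParserError
  :malformed_json
end

# What the unguarded call does: true if JSON.parse raises on this input.
def raw_parse_raises?(stdout)
  JSON.parse(stdout)
  false
rescue JSON::ParserError
  true
end

# Constructed sample outputs (not captured from a real helper run).
SAMPLE_OK = '{"result": {"name": "dependabot-omnibus", "source": "git"}}'
SAMPLE_EMPTY = ""
SAMPLE_GARBAGE = "Could not find gem 'dependabot-omnibus' in locally installed gems."

if $PROGRAM_NAME == __FILE__
  puts "raw JSON.parse(\"\") raises: #{raw_parse_raises?(SAMPLE_EMPTY)}"
  [SAMPLE_OK, SAMPLE_EMPTY, SAMPLE_GARBAGE].each do |out|
    puts "#{out.inspect[0, 40]} => #{classify_helper_result(out)}"
  end
end
```

The point of the wrapper is diagnostic: when a helper exits without printing anything (for example because the gem it needs cannot be found from the manifest directory), the caller sees "native helper returned no output" plus whatever was on stderr, instead of a bare `JSON::ParserError` that hides where the empty string came from.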

THETCR commented 1 year ago

@deivid-rodriguez

As stated above. The exact same issue is happening in the official dependabot-script repository. So this does not only apply to Gems sourced from Git, but Bundler in general.

THETCR commented 1 year ago

@deivid-rodriguez @jeffwidman

It explicitly broke with the following commit: 7fccc8d

When Bundler is loading the spec files it searches for the vendored Dependabot gems in the .bundle/ruby/3.1.0/bundler/gems/ directory, starting from the directory containing the package manifest, and subsequently throws an error that the Dependabot gem is not installed yet.

deivid-rodriguez commented 1 year ago

Thank you @THETCR for persisting on figuring this out. Unfortunately I lack the time to dig into this right now, but since you seem to now understand the problem better, feel free to create a PR to fix this. That should speed up resolution of this issue.