dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Terraform manager applies non-existent version number when using less-than/equals (`<=`) #8959

Open bryan-bar opened 8 months ago

bryan-bar commented 8 months ago

Is there an existing issue for this?

Package ecosystem

Terraform

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

/edbterraform/data/terraform/versions.tf

dependabot.yml content

version: 2

updates:
# Terraform - One entry per directory we want to scan as per https://github.com/dependabot/dependabot-core/issues/649
  - package-ecosystem: "terraform"
    directory: "/edbterraform/data/terraform"
    schedule:
      interval: "weekly"
    labels:
      - "dependency"
      - "terraform"
      - "dependabot"

Updated dependency

EnterpriseDB/biganimal v0.6.1 -> v0.7.1

What you expected to see, versus what you actually saw

The wrong patch number is applied while using the less-than/equals (<=) constraint. The minor and patch version should both be updated since the dependabot logs show the latest provider as 0.7.0, which is the latest release as of 2024-01-12. This bug report was created 2024-02-02.

Expected: <= 0.6.1 -> <= 0.7.0

Result: <= 0.6.1 -> <= 0.7.1

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

Pull Request: https://github.com/EnterpriseDB/edb-terraform/pull/109 PR title: Update EnterpriseDB/biganimal requirement from <= 0.6.1 to <= 0.7.1 in /edbterraform/data/terraform

Dependabot Logs:

updater | 2024/02/02 06:32:19 INFO <job_781986058> Starting job processing
updater | 2024/02/02 06:32:19 INFO <job_781986058> Starting PR update job for EnterpriseDB/edb-terraform
updater | 2024/02/02 06:32:19 INFO <job_781986058> Checking if EnterpriseDB/biganimal  needs updating
  proxy | 2024/02/02 06:32:20 [012] GET https://registry.terraform.io:443/.well-known/terraform.json
  proxy | 2024/02/02 06:32:20 [012] 200 https://registry.terraform.io:443/.well-known/terraform.json
  proxy | 2024/02/02 06:32:20 [016] GET https://registry.terraform.io:443/v1/providers/EnterpriseDB/biganimal/versions
  proxy | 2024/02/02 06:32:20 [016] 200 https://registry.terraform.io:443/v1/providers/EnterpriseDB/biganimal/versions
updater | 2024/02/02 06:32:20 INFO <job_781986058> Latest version is 0.7.0
updater | 2024/02/02 06:32:20 INFO <job_781986058> Requirements to unlock own
updater | 2024/02/02 06:32:20 INFO <job_781986058> Requirements update strategy 
updater | 2024/02/02 06:32:20 INFO <job_781986058> Updating EnterpriseDB/biganimal from  to 0.7.0
updater | 2024/02/02 06:32:20 INFO <job_781986058> Submitting EnterpriseDB/biganimal pull request for update
updater | 2024/02/02 06:32:20 INFO <job_781986058> Finished job processing
updater | 2024/02/02 06:32:20 INFO Results:
updater | +-----------------------------------------------------+
updater | |         Changes to Dependabot Pull Requests         |
updater | +---------+-------------------------------------------+
updater | | updated | EnterpriseDB/biganimal ( from  to 0.7.0 ) |
updater | +---------+-------------------------------------------+

Dependabot PR changelog and commit: (screenshots not reproduced)

Smallest manifest that reproduces the issue

terraform {
  required_providers {

    biganimal = {
      source = "registry.terraform.io/EnterpriseDB/biganimal"
      version = "<= 0.6.1"
    }

    toolbox = {
      source = "registry.terraform.io/bryan-bar/toolbox"
      version = "<= 0.2.2"
    }

    aws = {
      source = "registry.terraform.io/hashicorp/aws"
      version = "<= 5.34.0"
    }

    azurerm = {
      source = "registry.terraform.io/hashicorp/azurerm"
      version = "<= 3.89.0"
    }

    google = {
      source = "registry.terraform.io/hashicorp/google"
      version = "<= 5.14.0"
    }

    kubernetes = {
      source = "registry.terraform.io/hashicorp/kubernetes"
      version = "<= 2.25.2"
    }

    null = {
      source = "registry.terraform.io/hashicorp/null"
      version = "<= 3.2.2"
    }

    time = {
      source = "registry.terraform.io/hashicorp/time"
      version = "<= 0.10.0"
    }

    local = {
      source = "registry.terraform.io/hashicorp/local"
      version = "<= 2.4.1"
    }

    random = {
      source = "registry.terraform.io/hashicorp/random"
      version = "<= 3.6.0"
    }

    tls = {
      source = "registry.terraform.io/hashicorp/tls"
      version = "<= 4.0.5"
    }

  }
}
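
The expected `<=` behaviour described in this report, written out as an added Ruby example (not dependabot-core code): the upper bound should move to the highest version the registry actually publishes, and a PR title proposing a bound that is not in the registry's version list (here 0.7.1 when 0.7.0 is the latest) should be flagged. The `PUBLISHED` version lists are constructed stand-ins for the registry's `/v1/providers/.../versions` response, and `Gem::Version` from the Ruby standard library is used for version comparison.

```ruby
require "rubygems" # provides Gem::Version; already loaded in a normal Ruby

# Constructed stand-in for the registry's published version lists.
PUBLISHED = {
  "EnterpriseDB/biganimal" => %w[0.5.0 0.6.0 0.6.1 0.7.0],
  "hashicorp/aws"          => %w[5.33.0 5.34.0 5.35.0],
}.freeze

# Parse a Terraform constraint such as "<= 0.6.1" into [operator, version].
def parse_constraint(req)
  m = req.strip.match(/\A(<=|<|>=|>|~>|=)?\s*(\d+(?:\.\d+)*)\z/)
  raise ArgumentError, "unsupported constraint: #{req}" unless m
  [m[1] || "=", Gem::Version.new(m[2])]
end

# Expected behaviour for an upper-bound constraint: move the bound to the
# highest version that is actually published (e.g. "<= 0.6.1" -> "<= 0.7.0").
# Constraints that are not "<=" are returned unchanged.
def bump_upper_bound(req, published)
  op, current = parse_constraint(req)
  return req unless op == "<="
  latest = published.map { |v| Gem::Version.new(v) }.max
  latest > current ? "<= #{latest}" : req
end

# Dependabot's PR title shape: "Update X requirement from A to B in DIR".
TITLE = /\AUpdate (\S+) requirement from (.+?) to (.+?) in /

# Reviewer check: does the bound Dependabot proposes exist in the registry?
# Returns nil when it does, otherwise a message naming the phantom version.
def check_pr_title(title, published_by_source)
  m = TITLE.match(title) or return "unrecognised title: #{title}"
  source, _from, to = m.captures
  _op, proposed = parse_constraint(to)
  versions = published_by_source.fetch(source, []).map { |v| Gem::Version.new(v) }
  return nil if versions.include?(proposed)
  "#{source}: proposed bound #{proposed} is not a published version " \
    "(latest is #{versions.max})"
end
```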

bryan-bar commented 8 months ago

Two issues that might be related: https://github.com/dependabot/dependabot-core/issues/5772 https://github.com/dependabot/dependabot-core/issues/6592

bryan-bar commented 7 months ago

Recent PRs from AWS and Azure with the wrong minor version applied:

Dependabot log:

updater | +-------------------------------------------------+
updater | |       Changes to Dependabot Pull Requests       |
updater | +---------+---------------------------------------+
updater | | created | hashicorp/azurerm ( from  to 3.90.0 ) |
updater | | created | hashicorp/aws ( from  to 5.35.0 )     |
updater | +---------+---------------------------------------+

AWS: https://github.com/EnterpriseDB/edb-terraform/pull/114 Update hashicorp/aws requirement from <= 5.34.0 to <= 5.36.0 in /edbterraform/data/terraform

Azure: https://github.com/EnterpriseDB/edb-terraform/pull/113 Update hashicorp/azurerm requirement from <= 3.89.0 to <= 3.91.0 in /edbterraform/data/terraform

spenserblack commented 5 months ago

I've found that this can also affect the Cargo ecosystem (Rust). At the time of writing this gix 0.63 does not exist, yet dependabot made https://github.com/spenserblack/gengo/pull/344/commits/2fe106369d1330d4ac5ece30ed7c9d2ba5c160ed in https://github.com/spenserblack/gengo/pull/344

caspermeijn commented 4 months ago

> I've found that this can also affect the Cargo ecosystem (Rust). At the time of writing this gix 0.63 does not exist, yet dependabot made spenserblack/gengo@2fe1063 in spenserblack/gengo#344

I opened a PR with a fix for the Cargo ecosystem. Can you review the fix? Let's not clutter this issue with more Cargo talk and discuss it there. #9828