dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Unable to parse Gradle version catalog when using non standard format #9028

Open nikammerlaan opened 9 months ago

nikammerlaan commented 9 months ago

Package ecosystem

Gradle

Package manager version

8.5

Language version

No response

Manifest location and content before the Dependabot update

/gradle/libs.versions.toml

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "daily"

Updated dependency

N/A

What you expected to see, versus what you actually saw

This is a valid libs.versions.toml file for Gradle, but Dependabot is unable to parse it and errors. The file contains an old dependency, so I would expect it to create a PR to update it.

Native package manager behavior

N/A

Images of the diff or a link to the PR, issue, or logs

  proxy | 2024/02/10 06:04:01 proxy starting, commit: bd9d653be769ec5f7b059e15d95d9ed3257252f3
  proxy | 2024/02/10 06:04:01 Listening (:1080)
updater | 2024-02-10T06:04:01.930819863 [785388618:main:WARN:src/devices/src/legacy/serial.rs:222] Detached the serial input due to peer close/error.
updater | time="2024-02-10T06:04:03Z" level=info msg="guest starting" commit=409d83fb821a7c266460959144006f8ddc985a54
updater | time="2024-02-10T06:04:03Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=785388618 updater_timeout=45m0s updater_version=4188c3809767fb723b68ef939a75de1a7e7a9372-gradle
updater | 2024/02/10 06:04:06 INFO <job_785388618> Starting job processing
  proxy | 2024/02/10 06:04:07 [002] GET https://github.com:443/nikammerlaan/version-catalog-dependabot-bug-repro/info/refs?service=git-upload-pack
  proxy | 2024/02/10 06:04:07 [002] * authenticating git server request (host: github.com)
  proxy | 2024/02/10 06:04:07 [002] 200 https://github.com:443/nikammerlaan/version-catalog-dependabot-bug-repro/info/refs?service=git-upload-pack
  proxy | 2024/02/10 06:04:07 [004] POST https://github.com:443/nikammerlaan/version-catalog-dependabot-bug-repro/git-upload-pack
  proxy | 2024/02/10 06:04:07 [004] * authenticating git server request (host: github.com)
  proxy | 2024/02/10 06:04:07 [004] 200 https://github.com:443/nikammerlaan/version-catalog-dependabot-bug-repro/git-upload-pack
  proxy | 2024/02/10 06:04:07 [006] POST https://github.com:443/nikammerlaan/version-catalog-dependabot-bug-repro/git-upload-pack
  proxy | 2024/02/10 06:04:07 [006] * authenticating git server request (host: github.com)
  proxy | 2024/02/10 06:04:07 [006] 200 https://github.com:443/nikammerlaan/version-catalog-dependabot-bug-repro/git-upload-pack
updater | 2024/02/10 06:04:07 INFO <job_785388618> Finished job processing
updater | time="2024-02-10T06:04:07Z" level=info msg="task complete" container_id=job-785388618-file-fetcher exit_code=0 job_id=785388618 step=fetcher
updater | 2024/02/10 06:04:10 INFO <job_785388618> Starting job processing
updater | 2024/02/10 06:04:10 INFO <job_785388618> Finished job processing
updater | 2024/02/10 06:04:10 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +-------------------------------+
updater | |            Errors             |
updater | +-------------------------------+
updater | | dependency_file_not_parseable |
updater | +-------------------------------+
updater | time="2024-02-10T06:04:10Z" level=info msg="task complete" container_id=job-785388618-updater exit_code=0 job_id=785388618 step=updater

Smallest manifest that reproduces the issue

A libs.versions.toml file as simple as this will trigger the issue:

versions.guava = "32.1.3-jre"
libraries.guava = { module = "com.google.guava:guava", version.ref = "guava" }

versions.jedis = "5.1.0"
libraries.jedis = { module = "redis.clients:jedis", version.ref = "jedis" }

This slightly different config is parsed without error:

versions.guava = "32.1.3-jre"
libraries.guava = { module = "com.google.guava:guava", version.ref = "guava" }

The issue appears to be related to the specific ordering of declarations.

Here's a full repo that reproduces the issue.
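To make the "valid but non-standard" point concrete, here is an added illustration (my own code, not dependabot-core's parser): a small parser for the TOML subset a version catalog uses (bare keys, basic strings, flat inline tables, string arrays; it assumes no escape sequences, quoted keys or nested inline tables) plus a resolver that follows version.ref only after the whole file has been read. The dotted-key manifest quoted above, the same catalog in the conventional [table] layout (constructed here), and a copy with the lines reversed all parse to the same structure and resolve to the same coordinates, and an unknown version.ref is reported with the library alias instead of a generic "not parseable" error.

```python
import re

# Toy parser for the TOML subset used by Gradle version catalogs (assumption:
# bare keys, basic strings without escapes, flat inline tables, string arrays).
_KEY = r"[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*"
_TABLE_RE = re.compile(r"^\[\s*([A-Za-z0-9_-]+)\s*\]$")
_LINE_RE = re.compile(rf"^({_KEY})\s*=\s*(.+)$")
_STRING_RE = re.compile(r'^"([^"\\]*)"$')
_PAIR_RE = re.compile(rf'({_KEY})\s*=\s*("[^"]*"|\[[^\]]*\])')

def _strip_comment(line: str) -> str:
    """Drop a trailing '# ...' comment unless the '#' sits inside a string."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "#" and not in_string:
            return line[:i]
    return line

def _set_dotted(root: dict, dotted_key: str, value) -> None:
    """Store value at a dotted path, creating intermediate tables as TOML does."""
    parts = dotted_key.split(".")
    node = root
    for part in parts[:-1]:
        node = node.setdefault(part, {})
        if not isinstance(node, dict):
            raise ValueError(f"{dotted_key}: {part!r} is not a table")
    if parts[-1] in node:
        raise ValueError(f"duplicate key {dotted_key!r}")
    node[parts[-1]] = value

def _parse_value(text: str):
    m = _STRING_RE.match(text)
    if m:
        return m.group(1)
    if text.startswith("[") and text.endswith("]"):  # array of strings
        return [_parse_value(s.strip()) for s in text[1:-1].split(",") if s.strip()]
    if text.startswith("{") and text.endswith("}"):  # inline table
        table: dict = {}
        for key, raw in _PAIR_RE.findall(text[1:-1]):
            _set_dotted(table, key, _parse_value(raw))
        return table
    raise ValueError(f"unsupported value: {text!r}")

def parse_catalog(text: str) -> dict:
    """Nested dict for a catalog; [table] headers and dotted keys land in the same place."""
    root: dict = {}
    prefix = ""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = _strip_comment(raw).strip()
        if not line:
            continue
        m = _TABLE_RE.match(line)
        if m:
            prefix = m.group(1) + "."
            root.setdefault(m.group(1), {})
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        _set_dotted(root, prefix + m.group(1), _parse_value(m.group(2).strip()))
    return root

def resolve_dependencies(catalog: dict) -> dict:
    """Map alias -> (group, artifact, version); version.ref is followed only after
    the whole file has been read, so declaration order cannot matter."""
    versions = catalog.get("versions", {})
    resolved = {}
    for alias, spec in catalog.get("libraries", {}).items():
        group, artifact = spec["module"].split(":", 1)
        version = spec.get("version")
        if isinstance(version, dict):  # written as version.ref = "alias"
            if version["ref"] not in versions:
                raise ValueError(f"{alias}: unknown version ref {version['ref']!r}")
            version = versions[version["ref"]]
        resolved[alias] = (group, artifact, version)
    return resolved

# Manifest quoted in the issue (dotted-key form).
DOTTED_CATALOG = """\
versions.guava = "32.1.3-jre"
libraries.guava = { module = "com.google.guava:guava", version.ref = "guava" }

versions.jedis = "5.1.0"
libraries.jedis = { module = "redis.clients:jedis", version.ref = "jedis" }
"""

# Constructed: the same catalog in the conventional [table] layout.
TABLE_CATALOG = """\
[versions]
guava = "32.1.3-jre"  # trailing comment, stripped before parsing
jedis = "5.1.0"
[libraries]
guava = { module = "com.google.guava:guava", version.ref = "guava" }
jedis = { module = "redis.clients:jedis", version.ref = "jedis" }
"""
# Constructed: the issue's lines reversed, so libraries precede their versions.
REORDERED_CATALOG = "\n".join(reversed(DOTTED_CATALOG.splitlines()))
```

The design point is that nothing in parse_catalog depends on which table a line belongs to or on what came before it: a dotted key and a header-prefixed key are both just a path into one nested dict, and references are only checked in resolve_dependencies once that dict is complete. A parser that reads the file line by line and resolves references as it goes would be sensitive to exactly the kind of reordering this issue describes.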

Hansanto commented 7 months ago

Now we can put the catalog declaration in settings.gradle.kts, for example:

dependencyResolutionManagement {
    versionCatalogs {
        create("libs") {
            version("kotlin", "1.9.22")
            version("ktor", "2.3.9")

            plugin("kt-multiplatform", "org.jetbrains.kotlin.multiplatform").versionRef("kotlin")

            library("ktor-core", "io.ktor", "ktor-client-core").versionRef("ktor")
            library("ktor-serialization", "io.ktor", "ktor-client-serialization").versionRef("ktor")

            // optional
            bundle(
                "ktor",
                listOf("ktor-core", "ktor-serialization")
            )
        }
    }
}

And use that in build.gradle.kts:

plugins {
    alias(libs.plugins.kt.multiplatform)
}

// ...

kotlin {
    sourceSets {
        val commonMain by getting {
            dependencies {
                // individual
                // api(libs.ktor.core)
                // api(libs.ktor.serialization)

                // or by bundle
                api(libs.bundles.ktor)
            }
        }
    }
}