dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Bundler: "Could not find [gem] in any of the sources" when gem required_ruby_version > 3.1.3 and using vendor/cache #9051

Open bensheldon opened 9 months ago

bensheldon commented 9 months ago

Is there an existing issue for this?

Package ecosystem

Bundler

Package manager version

No response

Language version

Ruby 3.2+

Manifest location and content before the Dependabot update

No response

dependabot.yml content

No response

Updated dependency

What you expected to see, versus what you actually saw

This error seems to happen when both of the following conditions are met:

  1. The Gemfile contains a gem whose gemspec declares a required_ruby_version that is greater than Dependabot's Ruby version (currently Ruby v3.1.3)
  2. The project has used bundler package to vendor the .gem files into vendor/cache

When both of these conditions happen, Dependabot will fail to update with Bundler::GemNotFound: Could not find [gem] in any of the sources. Here is an example:

```json
{
    "error":"Could not find vernier-0.4.0 in any of the sources",
    "error_class":"Bundler::GemNotFound",
    "trace":[
        "/usr/local/lib/ruby/gems/3.1.0/gems/bundler-2.5.3/lib/bundler/spec_set.rb:149:in `block in materialized_for_all_platforms'",
        "/usr/local/lib/ruby/gems/3.1.0/gems/bundler-2.5.3/lib/bundler/spec_set.rb:145:in `map'",
        "/usr/local/lib/ruby/gems/3.1.0/gems/bundler-2.5.3/lib/bundler/spec_set.rb:145:in `materialized_for_all_platforms'",
        "/usr/local/lib/ruby/gems/3.1.0/gems/bundler-2.5.3/lib/bundler/runtime.rb:112:in `cache'",
        "/opt/bundler/v2/lib/functions/lockfile_updater.rb:81:in `block in cache_vendored_gems'",
        "/usr/local/lib/ruby/gems/3.1.0/gems/bundler-2.5.3/lib/bundler/settings.rb:158:in `temporary'",
        "/opt/bundler/v2/lib/functions/lockfile_updater.rb:79:in `cache_vendored_gems'",
        "/opt/bundler/v2/lib/functions/lockfile_updater.rb:49:in `generate_lockfile'",
        "/opt/bundler/v2/lib/functions/lockfile_updater.rb:24:in `run'",
        "/opt/bundler/v2/lib/functions.rb:37:in `update_lockfile'",
        "/opt/bundler/v2/run.rb:33:in `<main>'"
    ]
}
```

This error was generated using dependabot dry run on a stripped down project: https://github.com/bensheldon/dep-resolution-experiment

Below is the full command log/stacktrace:

Dependabot command log

```
[dependabot-core-dev] ~ $ DEBUG_HELPERS=1 LOCAL_GITHUB_ACCESS_TOKEN="XXX" bin/dry-run.rb bundler bensheldon/dep-resolution-experiment
=> cloning into /home/dependabot/tmp/bensheldon/dep-resolution-experiment
🎈 Ecosystem Versions log: {:package_managers=>{"bundler"=>"2"}}
=> parsing dependency files
{"BUNDLE_PATH"=>"/home/dependabot/tmp/20240209-97-ysmxor/.bundle", "GEM_HOME"=>"/opt/bundler/v2/.bundle"} ruby /opt/bundler/v2/run.rb {"function":"parsed_gemfile","args":{"gemfile_name":"Gemfile","lockfile_name":"Gemfile.lock","dir":"/home/dependabot/tmp/bensheldon/dep-resolution-experiment"}}
=> updating 2 dependencies: activesupport, vernier

=== activesupport (7.1.0)
=> checking for updates 1/2
{"BUNDLE_PATH"=>"/home/dependabot/tmp/20240209-97-ysmxor/.bundle", "GEM_HOME"=>"/opt/bundler/v2/.bundle"} ruby /opt/bundler/v2/run.rb {"function":"dependency_source_type","args":{"dir":"/home/dependabot/tmp/20240209-97-ysmxor/dependabot_20240209-97-f0er82","gemfile_name":"Gemfile","dependency_name":"activesupport","credentials":[{"type":"git_source","host":"github.com","username":"x-access-token","password":"XXX"}]}}
🌍 --> GET https://rubygems.org/api/v1/versions/activesupport.json
🌍 <-- 200 https://rubygems.org/api/v1/versions/activesupport.json
=> latest available version is 7.1.3
{"BUNDLE_PATH"=>"/home/dependabot/tmp/20240209-97-ysmxor/.bundle", "GEM_HOME"=>"/opt/bundler/v2/.bundle"} ruby /opt/bundler/v2/run.rb {"function":"resolve_version","args":{"dependency_name":"activesupport","dependency_requirements":[{"requirement":">= 0","groups":["default"],"source":null,"file":"Gemfile"}],"gemfile_name":"Gemfile","lockfile_name":"Gemfile.lock","dir":"/home/dependabot/tmp/bensheldon/dep-resolution-experiment","credentials":[{"type":"git_source","host":"github.com","username":"x-access-token","password":"XXX"}]}}
/home/dependabot/common/lib/dependabot/shared_helpers.rb:190:in `run_helper_subprocess': Illformed requirement ["system"] (Dependabot::SharedHelpers::HelperSubprocessFailed)
    from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation.rb:169:in `bind_call'
    from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation.rb:169:in `validate_call_skip_block_type'
    from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation.rb:111:in `block in create_validator_slow_skip_block_type'
    from /home/dependabot/bundler/lib/dependabot/bundler/native_helpers.rb:64:in `block in run_bundler_subprocess'
    from /usr/local/lib/ruby/gems/3.1.0/gems/bundler-2.5.3/lib/bundler.rb:386:in `block in with_original_env'
    from /usr/local/lib/ruby/gems/3.1.0/gems/bundler-2.5.3/lib/bundler.rb:658:in `with_env'
    from /usr/local/lib/ruby/gems/3.1.0/gems/bundler-2.5.3/lib/bundler.rb:386:in `with_original_env'
    from /home/dependabot/bundler/lib/dependabot/bundler/native_helpers.rb:60:in `run_bundler_subprocess'
    from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation.rb:169:in `bind_call'
    from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation.rb:169:in `validate_call_skip_block_type'
    from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation.rb:111:in `block in create_validator_slow_skip_block_type'
    from /home/dependabot/bundler/lib/dependabot/bundler/update_checker/version_resolver.rb:90:in `block (2 levels) in fetch_latest_resolvable_version_details'
    from /home/dependabot/bundler/lib/dependabot/bundler/update_checker/shared_bundler_helpers.rb:56:in `block in in_a_native_bundler_context'
    from /home/dependabot/common/lib/dependabot/shared_helpers.rb:58:in `block in in_a_temporary_repo_directory'
    from /home/dependabot/common/lib/dependabot/shared_helpers.rb:58:in `chdir'
    from /home/dependabot/common/lib/dependabot/shared_helpers.rb:58:in `in_a_temporary_repo_directory'
    from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation.rb:272:in `bind_call'
    from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation.rb:272:in `validate_call'
    from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation.rb:193:in `block in create_validator_slow'
    from /home/dependabot/bundler/lib/dependabot/bundler/update_checker/shared_bundler_helpers.rb:52:in `in_a_native_bundler_context'
    from /home/dependabot/bundler/lib/dependabot/bundler/update_checker/version_resolver.rb:89:in `block in fetch_latest_resolvable_version_details'
    from /home/dependabot/common/lib/dependabot/shared_helpers.rb:266:in `with_git_configured'
    from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation.rb:272:in `bind_call'
    from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation.rb:272:in `validate_call'
    from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11193/lib/types/private/methods/call_validation.rb:193:in `block in create_validator_slow'
    from /home/dependabot/bundler/lib/dependabot/bundler/update_checker/version_resolver.rb:85:in `fetch_latest_resolvable_version_details'
    from /home/dependabot/bundler/lib/dependabot/bundler/update_checker/version_resolver.rb:47:in `latest_resolvable_version_details'
    from /home/dependabot/bundler/lib/dependabot/bundler/update_checker.rb:205:in `latest_resolvable_version_details'
    from /home/dependabot/bundler/lib/dependabot/bundler/update_checker.rb:28:in `latest_resolvable_version'
    from bin/dry-run.rb:649:in `block in <main>'
    from bin/dry-run.rb:611:in `each'
    from bin/dry-run.rb:611:in `<main>'
```

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

https://github.com/bensheldon/dep-resolution-experiment

jurre commented 9 months ago

It's curious to me that having the files committed to vendor/cache makes a difference. The obvious solution of course is for us to upgrade our Ruby version; we are currently blocked on Bundler 1 support for that, but we could also run into the same scenario with some gem that declares it wants < 3.2. It looks like we are able to circumvent the resolution checks without vendoring, so it suggests that it might be possible to do it with a vendored cache as well.

composerinteralia commented 8 months ago

> It's curious to me that having the files committed to vendor/cache makes a difference.

This looks like a difference:

https://github.com/dependabot/dependabot-core/blob/422975959118998319e6ff28ba8aa17f99c459ed/bundler/helpers/v2/lib/functions/lockfile_updater.rb#L49

composerinteralia commented 8 months ago

Might not be related, but I wonder if we also need to add Ruby 3.3 to https://github.com/dependabot/dependabot-core/blob/422975959118998319e6ff28ba8aa17f99c459ed/bundler/helpers/v2/monkey_patches/definition_ruby_version_patch.rb#L29

jurre commented 8 months ago

> Might not be related, but I wonder if we also need to add Ruby 3.3 to
>
> https://github.com/dependabot/dependabot-core/blob/422975959118998319e6ff28ba8aa17f99c459ed/bundler/helpers/v2/monkey_patches/definition_ruby_version_patch.rb#L29

Yeah, I thought this might be related, but I tried it and just adding 3.3.0 didn't do the trick. I spent a few minutes debugging and I do think there's a way that we can get Bundler to resolve this, but I need to carve out some more time to get to the bottom of it. I'll try to find that time soon; would love to see this resolved.

composerinteralia commented 8 months ago

@bensheldon and I paired on this last week and adding 3.3 there didn't seem to be enough (although we probably want that regardless). We had some initial luck with patching https://github.com/rubygems/rubygems/blob/62a21b44e3af5dcde95e4f1ff7ed8133b6b77772/bundler/lib/bundler/match_metadata.rb#L9-L11 to return true though (we saw evidence of it working at one point while we were hacking around, but didn't quite get to working code).
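The mismatch that both the issue body (a vendored gem whose gemspec demands a newer Ruby than the resolver runs on) and the `match_metadata.rb` pointer in the comment above turn on is a `Gem::Requirement` check against the running interpreter's version. The script below is an added example, not code from this issue, from dependabot-core or from Bundler: it builds a few constructed `Gem::Specification` objects (the requirement strings, including the one for `vernier`, are assumed for illustration, not copied from any real gemspec), reproduces the `required_ruby_version.satisfied_by?` comparison with the public RubyGems API, and reports which gems a resolver on a given Ruby would refuse. That is the list a maintainer wants before `bundle cache`/`bundle package` output is handed to a tool running a different Ruby. The optional `load_vendored_specs` helper reads real metadata from a `vendor/cache` directory through `Gem::Package`, so the same check can be run against an actual cache; whether Bundler's own `matches_current_ruby?` is implemented exactly this way is an assumption, the comparison it performs is not.

```ruby
require "rubygems"

# Constructed sample gemspecs (not taken from any real vendor/cache). Each one
# stands in for the metadata Bundler reads out of a cached .gem file. The
# required_ruby_version values are assumed for the demonstration.
SAMPLE_SPECS = [
  { name: "vernier",       version: "0.4.0", required_ruby_version: ">= 3.2.1" }, # newer than Ruby 3.1.3
  { name: "activesupport", version: "7.1.3", required_ruby_version: ">= 2.7.0" },
  { name: "legacygem",     version: "1.0.0", required_ruby_version: "< 3.3.0" },  # the opposite case
  { name: "anygem",        version: "2.0.0", required_ruby_version: nil },        # gemspec sets no constraint
].map do |h|
  Gem::Specification.new do |s|
    s.name    = h[:name]
    s.version = h[:version]
    # Unset required_ruby_version defaults to Gem::Requirement.default (">= 0").
    s.required_ruby_version = h[:required_ruby_version] if h[:required_ruby_version]
  end
end

# The comparison at the heart of the issue: a spec's required_ruby_version is a
# Gem::Requirement, and it either is or is not satisfied by the Ruby doing the
# resolving. A spec that fails this test is invisible to the resolver, which is
# what surfaces later as "Could not find <gem> in any of the sources".
def matches_ruby?(spec, ruby_version)
  spec.required_ruby_version.satisfied_by?(Gem::Version.new(ruby_version))
end

# Names of the specs that a resolver on +ruby_version+ would refuse.
def incompatible_gems(specs, ruby_version)
  specs.reject { |s| matches_ruby?(s, ruby_version) }.map(&:name)
end

# Optional: read the real metadata out of a vendor/cache directory. Gem::Package
# parses the .gem archive and exposes its Gem::Specification.
def load_vendored_specs(cache_dir)
  Dir.glob(File.join(cache_dir, "*.gem")).map { |gem_file| Gem::Package.new(gem_file).spec }
end

if $PROGRAM_NAME == __FILE__
  # Usage: ruby check_ruby_requirements.rb [vendor/cache] [ruby-version]
  # With no arguments the constructed sample is checked against this interpreter.
  specs = ARGV[0] ? load_vendored_specs(ARGV[0]) : SAMPLE_SPECS
  ruby  = ARGV[1] || RUBY_VERSION
  puts "Ruby #{ruby}: gems the resolver would refuse: #{incompatible_gems(specs, ruby).inspect}"
end
```

Run against the sample with `3.1.3` (the Ruby the issue was filed on) it lists only `vernier`; with `3.3.1` (the Ruby the later comment says Dependabot moved to) it lists only `legacygem`, which is the shape of the complaint in the last comment below. Pointing the script at a real `vendor/cache` and the Ruby version the updater runs on gives a pre-flight answer to "which cached gem will the resolver drop" without waiting for a failed update run.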

jurre commented 6 months ago

So, while the underlying issue isn't entirely fixed and might happen again when our Ruby becomes out of date, Dependabot is now on Ruby 3.3.1 since #9597, so that should improve things a bit for now at least.

kroehre commented 5 months ago

@jurre We're having the opposite issue: Dependabot has been failing for us for a month now (presumably since https://github.com/dependabot/dependabot-core/pull/9597) on a gem that has required_ruby_version < 3.3.0. Is there a way for us to configure the Ruby version to fix this?