puppetlabs / bolt

Bolt is an open source orchestration tool that automates the manual work it takes to maintain your infrastructure on an as-needed basis or as part of a greater orchestration workflow. It can be installed on your local workstation and connects directly to remote nodes with SSH or WinRM, so you are not required to install any agent software.
https://puppet.com/docs/bolt/latest/bolt.html
Apache License 2.0

bolt should not use EoL upstream software #3341

Open bastelfreak opened 2 months ago

bastelfreak commented 2 months ago

Describe the Bug

The latest Bolt ships quite old dependencies. My biggest concern is Ruby:

[root@pe ~]# /opt/puppetlabs/bolt/bin/ruby --version
ruby 2.7.8p225 (2023-03-30 revision 1f4d455848) [x86_64-linux]
[root@pe ~]# /opt/puppetlabs/bolt/bin/bolt --version
3.30.0
[root@pe ~]#

This version is EoL upstream and does not receive any fixes. hiera-eyaml also lacks one major version:

[root@pe ~]# /opt/puppetlabs/bolt/bin/bolt --version
3.30.0
[root@pe ~]# /opt/puppetlabs/bolt/bin/eyaml --version
Welcome to eyaml 3.4.0

Usage:
eyaml subcommand [global-opts] [subcommand-opts]

Available subcommands:
           edit: edit an eyaml file
        encrypt: encrypt some data
        recrypt: recrypt an eyaml file
        version: show version information
     createkeys: create a set of keys with which to encrypt/decrypt eyaml data
        decrypt: decrypt some data

For more help on an individual command, use --help on that command

Installed Plugins:

[root@pe ~]#

Also the list of outdated gems is quite high:

[root@pe ~]# /opt/puppetlabs/bolt/bin/gem outdated
CFPropertyList (2.3.6 < 3.0.7)
addressable (2.8.6 < 2.8.7)
aws-partitions (1.913.0 < 1.963.0)
aws-sdk-core (3.191.6 < 3.201.4)
aws-sdk-ec2 (1.448.0 < 1.469.0)
aws-sigv4 (1.8.0 < 1.9.1)
benchmark (0.1.0 < 0.3.0)
bigdecimal (2.0.0 < 3.1.8)
builder (3.2.4 < 3.3.0)
bundler (2.1.4 < 2.5.17)
cgi (0.1.0.2 < 0.4.1)
colored2 (3.1.2 < 4.0.0)
concurrent-ruby (1.2.3 < 1.3.4)
cri (2.15.11 < 2.15.12)
csv (3.1.2 < 3.3.0)
date (3.0.3 < 3.3.4)
delegate (0.1.0 < 0.3.1)
did_you_mean (1.4.0 < 1.6.3)
erubi (1.12.0 < 1.13.0)
etc (1.1.0 < 1.4.3)
facter (4.7.0 < 4.8.0)
faraday (1.10.3 < 2.10.1)
faraday-em_http (1.0.0 < 2.0.0)
faraday-excon (1.1.0 < 2.1.0)
faraday-httpclient (1.0.1 < 2.0.1)
faraday-net_http (1.0.1 < 3.2.0)
faraday-net_http_persistent (1.2.0 < 2.1.0)
faraday-patron (1.0.0 < 2.0.1)
faraday-rack (1.0.0 < 2.0.0)
faraday-retry (1.0.3 < 2.2.1)
fast_gettext (2.3.0 < 3.0.0)
fcntl (1.0.0 < 1.1.0)
ffi (1.16.3 < 1.17.0)
fiddle (1.0.0 < 1.1.2)
fileutils (1.4.1 < 1.7.2)
forwardable (1.3.1 < 1.3.3)
getoptlong (0.1.0 < 0.2.1)
hiera-eyaml (3.4.0 < 4.1.0)
highline (2.1.0 < 3.1.0)
hocon (1.3.1 < 1.4.0)
io-console (0.5.6 < 0.7.2)
ipaddr (1.2.2 < 1.2.6)
irb (1.2.6 < 1.14.0)
json (2.3.0 < 2.7.2)
jwt (2.7.1 < 2.8.2)
logger (1.4.2 < 1.6.0)
logging (2.3.1 < 2.4.0)
matrix (0.2.0 < 0.4.2)
minitar (0.9 < 1.0.1)
minitest (5.13.0 < 5.24.1)
multipart-post (2.4.0 < 2.4.1)
mutex_m (0.1.0 < 0.2.0)
net-pop (0.1.0 < 0.1.2)
net-smtp (0.1.0 < 0.5.0)
net-ssh (6.1.0 < 7.2.3)
nori (2.6.0 < 2.7.1)
observer (0.1.0 < 0.1.2)
open3 (0.1.0 < 0.2.1)
openssl (2.1.4 < 3.2.0)
ostruct (0.2.0 < 0.6.0)
power_assert (1.1.7 < 2.0.3)
pstore (0.1.0 < 0.1.3)
psych (3.1.0 < 5.1.2)
public_suffix (5.0.5 < 6.0.1)
puppet (7.30.0 < 8.8.1)
puppet_forge (3.2.0 < 5.0.4)
r10k (3.16.0 < 4.1.0)
racc (1.4.16 < 1.8.1)
rake (13.0.1 < 13.2.1)
rdoc (6.2.1.1 < 6.7.0)
readline (0.0.2 < 0.0.4)
readline-ext (0.1.0 < 0.2.0)
reline (0.1.5 < 0.5.9)
rexml (3.2.3.1 < 3.3.5)
rss (0.2.8 < 0.3.1)
ruby_smb (1.1.0 < 3.3.9)
rubyntlm (0.6.3 < 0.6.5)
singleton (0.1.0 < 0.2.0)
stringio (0.1.0 < 3.1.1)
strscan (1.0.3 < 3.1.0)
sys-filesystem (1.4.4 < 1.5.0)
test-unit (3.3.4 < 3.6.2)
thor (1.2.2 < 1.3.1)
timeout (0.1.0 < 0.4.1)
tracer (0.1.0 < 0.2.3)
uri (0.10.0.2 < 0.13.0)
winrm (2.3.6 < 2.3.9)
xmlrpc (0.3.0 < 0.3.3)
yaml (0.1.0 < 0.3.0)
zlib (1.1.0 < 3.1.1)
[root@pe ~]#

In particular I want to point out:

[root@pe ~]# /opt/puppetlabs/bolt/bin/gem info log4r

*** LOCAL GEMS ***

log4r (1.1.10)
    Author: Colby Gutierrez-Kraybill
    Homepage: http://log4r.rubyforge.org
    Installed at: /opt/puppetlabs/bolt/lib/ruby/gems/2.7.0

    Log4r, logging framework for ruby
[root@pe ~]#

This gem has a dead upstream: the last release is from 2012, the website is down, and the source code isn't available anymore, only the rubygems.org artifacts.

Expected Behavior

Don't ship outdated dependencies. At least not those that are dead upstream.

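To turn the `ruby --version` and `gem outdated` output quoted in the issue into a repeatable audit of a vendored Ruby runtime, here is an added example (not code from the issue, from Bolt, or from Puppet) that parses the `name (installed < available)` lines and reports which gems are a full major version behind, using only the `Gem::Version` class bundled with Ruby. The sample listing is a constructed excerpt of the output above, and the Ruby support cutoff is an assumed constant to be adjusted to the current upstream maintenance schedule.

```ruby
# Added example (not Bolt's code): audit a vendored Ruby runtime's `gem outdated`
# listing and flag gems that are a full major version behind upstream.
require 'rubygems'

# Oldest Ruby branch still treated as supported; anything below counts as EoL.
# Assumption for this example: adjust to the current upstream maintenance schedule.
MIN_SUPPORTED_RUBY = Gem::Version.new('3.1')

# Matches one `gem outdated` line, e.g. "hiera-eyaml (3.4.0 < 4.1.0)".
OUTDATED_LINE = /\A(?<name>\S+) \((?<installed>[^ ]+) < (?<available>[^)]+)\)\z/

# Parse `gem outdated` output into a Hash of gem name => [installed, available]
# as Gem::Version objects; lines that do not match (prompts, blanks) are skipped.
def parse_gem_outdated(output)
  output.each_line.each_with_object({}) do |line, gems|
    m = OUTDATED_LINE.match(line.strip) or next
    gems[m[:name]] = [Gem::Version.new(m[:installed]), Gem::Version.new(m[:available])]
  end
end

# Names of gems whose available major version exceeds the installed one,
# e.g. hiera-eyaml 3.4.0 < 4.1.0 or puppet 7.30.0 < 8.8.1.
def major_version_behind(gems)
  gems.select { |_, (inst, avail)| avail.segments[0] > inst.segments[0] }.keys.sort
end

# True when a `ruby --version` banner names a release below the support cutoff.
def ruby_eol?(version_banner)
  v = version_banner[/\Aruby (\d+\.\d+\.\d+)/, 1] or raise ArgumentError, "unrecognised banner: #{version_banner}"
  Gem::Version.new(v) < MIN_SUPPORTED_RUBY
end

# Constructed excerpt of the listing from the issue, used as sample input.
SAMPLE_OUTDATED = <<~OUT
  addressable (2.8.6 < 2.8.7)
  faraday (1.10.3 < 2.10.1)
  hiera-eyaml (3.4.0 < 4.1.0)
  json (2.3.0 < 2.7.2)
  puppet (7.30.0 < 8.8.1)
  r10k (3.16.0 < 4.1.0)
  rexml (3.2.3.1 < 3.3.5)
OUT

if __FILE__ == $PROGRAM_NAME
  gems = parse_gem_outdated(SAMPLE_OUTDATED)
  puts "Ruby EoL: #{ruby_eol?('ruby 2.7.8p225 (2023-03-30 revision 1f4d455848) [x86_64-linux]')}"
  puts "Major version behind: #{major_version_behind(gems).join(', ')}"
end
```

On a real install, feed it the output of `/opt/puppetlabs/bolt/bin/gem outdated` and `/opt/puppetlabs/bolt/bin/ruby --version` instead of the sample.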

donoghuc commented 2 months ago

Thanks, we are working on doing a major refresh including ruby env in bolt 4. Coming soon.