tinglesoftware / dependabot-azure-devops

Tools for updating dependencies in Azure DevOps repositories using https://dependabot.com
MIT License

Requirements to unlock update_not_possible for composer files with out PRs #1005

Closed cancan101 closed 3 months ago

cancan101 commented 6 months ago

Describe the bug

I am seeing this in the logs:

```text
Checking if sentry/sentry-symfony 4.8.0 needs updating
🌍 --> GET https://repo.packagist.org/p2/sentry/sentry-symfony.json
🌍 <-- 200 https://repo.packagist.org/p2/sentry/sentry-symfony.json
Requirements to unlock update_not_possible
Requirements update strategy bump_versions
```

To Reproduce

Steps to reproduce the behavior:

  1. Set up repos per: https://marketplace.visualstudio.com/items?itemName=tingle-software.dependabot
  2. Trigger pipeline run

Expected behavior

Messages in log like: "Latest version is 4.13.2" along with associated PR

Extension (please complete the following information):

Additional context

I copied over the composer.json, composer.lock and dependabot.yml to GitHub and it ran fine there.

cancan101 commented 6 months ago

If I am reading the code right, it looks to be hitting https://github.com/tinglesoftware/dependabot-azure-devops/blob/48fc66941b8c097c11ef1f0d988517e03d1e5626/updater/bin/update_script.rb#L606 with requirements_to_unlock = update_not_possible from https://github.com/tinglesoftware/dependabot-azure-devops/blob/48fc66941b8c097c11ef1f0d988517e03d1e5626/updater/bin/update_script.rb#L592-L603

mburumaxwell commented 6 months ago

It is possible that the package cannot be updated because there is a version restriction in the dependabot.yml file (i.e., ignore or allow nodes), or because there is a transitive dependency that blocks the update. A repro would help here. Also, try the same setup in a private repository on GitHub.

cancan101 commented 6 months ago

Yep, I already tried on GitHub and the Dependabot there was able to upgrade fine. Likewise, composer update --dry-run seems to work as well.

mburumaxwell commented 6 months ago

A public repro (AzDO) would help here

THETCR commented 6 months ago

This also happens with NPM. Even when the version constraints use a caret for upward versions. "foo": "^2.35.0" will not be updated to version 2.35.1

This started happening with the update to Dependabot 0.244.0

cancan101 commented 6 months ago

There is a new version of dependabot that was just released, not sure if that fixes issue.

mburumaxwell commented 6 months ago

Is there a commit/PR referencing the fix? Please reference it because I couldn't find it in the release notes.

New version updates come on Monday mostly.

cancan101 commented 6 months ago

I created a public repo on Azure DO demonstrating the issue: https://dev.azure.com/laticrete/Public%20Repos/_build/results?buildId=7836&view=logs&j=12f1170f-54f2-53f3-20dd-22fc7dff55f9&t=1f93c1a3-255b-505a-53c9-c382114aabf5

I tried testing older versions of the dependabot-azure-devops Docker image but they did not work either (i.e. I am not sure this was broken in 0.244.0).

mburumaxwell commented 6 months ago

Just pushed a new version with the new version of dependabot. Could you confirm the issue persists before I start to look into the repro you provided?

cancan101 commented 6 months ago

What is the new version? Don't think I am seeing it on GH.

mburumaxwell commented 6 months ago

https://github.com/tinglesoftware/dependabot-azure-devops/releases/tag/1.26.4

cancan101 commented 6 months ago

That did not look to fix the issue.

mburumaxwell commented 6 months ago

If I understand this correctly, this started with dependabot-omnibus@0.244.0? If that is so, before I can repro, you can use the following in your pipeline:

```yaml
steps:
  - task: dependabot@1
    inputs:
      dockerImageTag: '1.26.1'
```

cancan101 commented 6 months ago

> If I understand this correctly, this started with dependabot-omnibus@0.244.0?

I don't think that is the case. @THETCR indicated it was the case, but I think the issue still exists on older image tags.

cancan101 commented 6 months ago

Please let me know if there is any additional information that I can provide to help diagnose the issue.

cancan101 commented 5 months ago

I am still seeing this issue on 1.27.685: https://dev.azure.com/laticrete/Public%20Repos/_build/results?buildId=8205&view=logs&j=12f1170f-54f2-53f3-20dd-22fc7dff55f9&t=1f93c1a3-255b-505a-53c9-c382114aabf5

cancan101 commented 5 months ago

I am still observing this issue. The output has changed slightly:

```text
Checking if pimcore/pimcore 10.5.12 needs updating
🌍 --> GET https://repo.packagist.org/p2/pimcore/pimcore.json
🌍 <-- 200 https://repo.packagist.org/p2/pimcore/pimcore.json
Requirements to unlock update_not_possible
Requirements update strategy #<Dependabot::RequirementsUpdateStrategy::BumpVersionsIfNecessary>
Done
Finishing: dependabot
```

and this is the entirety of the composer.json file (there should be a new version of pimcore/pimcore found):

```json
{
  "name": "pimcore/test",
  "type": "project",
  "config": {
    "allow-plugins": {
      "php-http/discovery": true
    }
  },
  "require": {
    "pimcore/pimcore": "^10.5.12"
  }
}
```

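The two reports above (the `^10.5.12` composer constraint here and the `^2.35.0` npm constraint earlier in the thread) both hinge on the same question: does the declared caret range actually admit the newer version, so that `update_not_possible` points at the updater rather than at the manifest? The following Ruby script is an added example, not code from the issue or from the dependabot-azure-devops project. It implements Composer-style caret semantics and a small triage pass over log output of the shape quoted in this thread, flagging any package that was reported `update_not_possible` although a known newer version satisfies its constraint. The log text, the `CONSTRAINTS` map and the `LATEST` map are constructed sample data; the "latest" versions are hypothetical and stand in for what a registry lookup would return.

```ruby
# Added example: Composer-style caret constraint checker plus a triage helper for
# dependabot log lines. Not part of the issue or the dependabot-azure-devops project.

# Parse "1.2.3" (or "v1.2") into [major, minor, patch]; missing parts become 0.
def parse_version(str)
  parts = str.sub(/\Av/, "").split(".").map(&:to_i)
  parts + [0] * [3 - parts.size, 0].max
end

# Composer caret rules: ^1.2.3 => >=1.2.3 <2.0.0, ^0.3.0 => >=0.3.0 <0.4.0,
# ^0.0.3 => >=0.0.3 <0.0.4 (the first non-zero component is the one that may not change).
def caret_range(constraint)
  base = parse_version(constraint.delete_prefix("^"))
  upper =
    if base[0] > 0 then [base[0] + 1, 0, 0]
    elsif base[1] > 0 then [0, base[1] + 1, 0]
    else [0, 0, base[2] + 1]
    end
  [base, upper]
end

# True when +version+ lies inside the caret range given by +constraint+.
def satisfies?(version, constraint)
  raise ArgumentError, "only caret constraints are handled: #{constraint}" unless constraint.start_with?("^")
  v = parse_version(version)
  lower, upper = caret_range(constraint)
  (v <=> lower) >= 0 && (v <=> upper) < 0
end

# Constructed sample modelled on the log format quoted in this issue.
SAMPLE_LOG = <<~LOG
  Checking if pimcore/pimcore 10.5.12 needs updating
  Requirements to unlock update_not_possible
  Requirements update strategy #<Dependabot::RequirementsUpdateStrategy::BumpVersionsIfNecessary>
  Checking if sentry/sentry-symfony 4.8.0 needs updating
  Requirements to unlock own
  Requirements update strategy bump_versions
LOG

# Constructed: constraints as they would appear in composer.json "require".
CONSTRAINTS = {
  "pimcore/pimcore" => "^10.5.12",
  "sentry/sentry-symfony" => "^4.8.0"
}.freeze

# Constructed, hypothetical "latest published" versions standing in for a registry lookup.
LATEST = {
  "pimcore/pimcore" => "10.6.0",
  "sentry/sentry-symfony" => "4.13.2"
}.freeze

# Map each "Checking if NAME VERSION needs updating" block to the unlock outcome that follows it.
def parse_unlock_results(log)
  results = {}
  current = nil
  log.each_line do |line|
    if (m = line.match(/\AChecking if (\S+) (\S+) needs updating/))
      current = m[1]
      results[current] = { current: m[2], unlock: nil }
    elsif current && (m = line.match(/\ARequirements to unlock (\S+)/))
      results[current][:unlock] = m[1]
    end
  end
  results
end

# Names of packages reported update_not_possible although a newer version exists
# that the declared constraint admits. A hit means the manifest constraint is not
# the blocker, so ignore/allow rules in dependabot.yml or the updater itself are
# the next thing to inspect.
def suspicious_blocks(log, constraints, latest)
  parse_unlock_results(log).filter_map do |name, info|
    next unless info[:unlock] == "update_not_possible"
    next unless constraints[name] && latest[name]
    next unless satisfies?(latest[name], constraints[name])
    next if (parse_version(latest[name]) <=> parse_version(info[:current])) <= 0
    name
  end
end

if __FILE__ == $PROGRAM_NAME
  suspicious_blocks(SAMPLE_LOG, CONSTRAINTS, LATEST).each do |name|
    puts "#{name}: update_not_possible, but #{LATEST[name]} satisfies #{CONSTRAINTS[name]}"
  end
end
```

Run as `ruby triage.rb` against the constructed sample; on the sample it names `pimcore/pimcore` only, because `sentry/sentry-symfony` was not reported as `update_not_possible`. To use it on a real run, replace `SAMPLE_LOG` with the pipeline log, `CONSTRAINTS` with the `require` section of composer.json, and `LATEST` with the versions the registry reports; a package listed by `suspicious_blocks` is one where the caret range cannot explain the refusal.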
mburumaxwell commented 3 months ago

I suspect this has been fixed in version 1.29. Kindly check.

cancan101 commented 3 months ago

Confirmed, this has been fixed with 1.29.