tinglesoftware / dependabot-azure-devops

Tools for updating dependencies in Azure DevOps repositories using https://dependabot.com
MIT License

After updating from 1.28.0 to 1.29.1, Python (requirements.txt) dependencies cannot be updated anymore #1167

Open wssbck opened 2 weeks ago

wssbck commented 2 weeks ago

Describe the bug

After updating from 1.28.0 to 1.29.1, while NPM and Maven-based environments are still being correctly updated, the Python one (based on requirements.txt) will face the following issue:

/home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-python-0.260.0/lib/dependabot/python/authed_url_builder.rb:26:in `authed_url': undefined method `sub' for nil (NoMethodError)

        url.sub("://", "://#{basic_auth_details}@")
           ^^^^
    from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-python-0.260.0/lib/dependabot/python/file_updater.rb:126:in `block in pip_compile_index_urls'
    from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-python-0.260.0/lib/dependabot/python/file_updater.rb:126:in `map'
    from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-python-0.260.0/lib/dependabot/python/file_updater.rb:126:in `pip_compile_index_urls'
    from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-python-0.260.0/lib/dependabot/python/file_updater.rb:118:in `updated_requirement_based_files'
    from /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/dependabot-python-0.260.0/lib/dependabot/python/file_updater.rb:36:in `updated_dependency_files'
    from bin/update_script.rb:671:in `block in <main>'
    from bin/update_script.rb:549:in `each'
    from bin/update_script.rb:549:in `<main>'


To Reproduce

Steps to reproduce the behavior:

  1. Update Dependabot for Azure to 1.29.1
  2. Try running it against a Python, requirements.txt-based repository in DevOps.

Expected behavior

Successful update of Python dependencies in an environment based on a requirements file.

Additional context

Looking at the stack trace pasted above, it seems that the issue is caused by changes in Dependabot Core:

  1. Two months ago, on May 1st, a change was introduced to Dependabot Core for Python that injects index URLs into the requirements file updater: https://github.com/dependabot/dependabot-core/blame/663bc8e8e51f1820697252da7a336283e7b07577/python/lib/dependabot/python/file_updater.rb#L117
  2. However, credentials constructed in the updater script of Dependabot for Azure DevOps do not contain the "index-url" string: https://github.com/tinglesoftware/dependabot-azure-devops/blob/main/updater/bin/update_script.rb#L144, making them nil by default: https://github.com/dependabot/dependabot-core/blob/663bc8e8e51f1820697252da7a336283e7b07577/python/lib/dependabot/python/authed_url_builder.rb#L9
  3. This causes the issue from the stack trace.

I will be happy to provide more context if needed.
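The failure mode described in this report, modelled as an added Ruby illustration (this is not code from dependabot-core or from dependabot-azure-devops, and the credential shapes, the `python_index` type and the `token` key are assumptions for the example): a credential entry that has no `index-url` yields a nil URL, and calling `sub` on that nil is exactly the `NoMethodError` in the stack trace. The defensive variant filters such entries before building authenticated URLs, and a small redaction helper shows how to log the resulting URLs without leaking the embedded secret.

```ruby
# Added illustration, not code from dependabot-core or dependabot-azure-devops.
# Models the nil "index-url" -> NoMethodError path from the issue and a guarded
# alternative. Credential shape, "python_index" type and "token" key are assumed.

# Constructed sample credentials (not taken from any real configuration).
# Only python_index entries are expected to carry an "index-url"; the last
# entry deliberately omits it to reproduce the failing case.
SAMPLE_CREDENTIALS = [
  { "type" => "git_source", "host" => "dev.azure.com",
    "username" => "x-access-token", "password" => "pat-placeholder" },
  { "type" => "python_index", "index-url" => "https://pkgs.example.invalid/simple",
    "token" => "user:secret" },
  { "type" => "python_index", "token" => "user:secret" } # missing "index-url"
].freeze

# Naive version: same shape as the failing call in the stack trace.
# When "index-url" is absent, url is nil and url.sub raises NoMethodError.
def naive_authed_url(credential)
  url = credential["index-url"]
  token = credential["token"]
  return url if token.nil? || token.empty?
  url.sub("://", "://#{token}@")
end

# Defensive version: refuse to build a URL from a credential that has none.
# Returning nil lets the caller drop the entry instead of crashing the update.
def safe_authed_url(credential)
  url = credential["index-url"]
  return nil if url.nil? || url.empty?
  token = credential["token"]
  return url if token.nil? || token.empty?
  url.sub("://", "://#{token}@")
end

# Collect usable index URLs: keep only python_index credentials, build the
# authenticated form, and discard the nil results produced by incomplete entries.
def index_urls(credentials)
  credentials
    .select { |c| c["type"] == "python_index" }
    .map { |c| safe_authed_url(c) }
    .compact
end

# Mask the userinfo part before an authenticated URL ever reaches a log line.
def redact_authed_url(url)
  url.sub(%r{://[^@/]+@}, "://***@")
end

if $PROGRAM_NAME == __FILE__
  index_urls(SAMPLE_CREDENTIALS).each { |u| puts redact_authed_url(u) }
end
```

Running the file prints only the redacted URL for the one complete credential; the git_source entry is ignored and the entry without an `index-url` is dropped rather than raising.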

wssbck commented 2 weeks ago

I have also proposed a PR to Dependabot Core that would hopefully fix the issue generally and make the issue I opened here irrelevant: https://github.com/dependabot/dependabot-core/pull/10035