Fix accidental downgrades in Bundler PRs #6030

Merged
merged 1 commit into from Nov 3, 2022

deivid-rodriguez
Contributor

Dependabot monkeypatches Bundler to allow resolving for arbitrary rubies, not just for the running Ruby. However, when no Ruby information is provided via either `gemspec` files or `ruby` Gemfile directive, Dependabot was only allowing to resolve either to Ruby 2.5, or to the running Ruby 3.1.

In some situations, it can happen that resolving on Ruby 3.1 is not possible, while resolving on Ruby 2.5 is possible but requires downgrading some lock file dependencies.

To avoid this problem, let's add the missing rubies to our list of rubies Dependabot can resolve to.

NOTE: I spent some time trying to write specs for this, but it turned out pretty tricky. In the end, I added a note in the Dockerfile to avoid falling out of sync again here. Also, I will look into porting this functionality to Bundler so that Dependabot does not need to monkey patch it, and thus leads to more consistent results.

Fixes #5926.

Dependabot monkeypatches Bundler to allow resolving for arbitrary
rubies, not just for the running Ruby. However, when no Ruby information
is provided via either `gemspec` files or `ruby` Gemfile directive,
Dependabot was only allowing to resolve either to Ruby 2.5, or to the
running Ruby 3.1.

In some situations, it can happen that resolving on Ruby 3.1 is not
possible, while resolving on Ruby 2.5 is possible but requires
downgrading some lock file dependencies.

To avoid this problem, let's add the missing rubies to our list of
rubies Dependabot can resolve to.
@deivid-rodriguez deivid-rodriguez requested a review from a team as a code owner November 3, 2022 12:46
@deivid-rodriguez
Contributor Author

Thanks for having a look @jurre!

@deivid-rodriguez deivid-rodriguez merged commit 22876fb into main Nov 3, 2022
@deivid-rodriguez deivid-rodriguez deleted the fix-bundler-downgrades branch November 3, 2022 14:57
@pavera pavera mentioned this pull request Nov 30, 2022
@etiennebarrie
Contributor

etiennebarrie commented Jan 17, 2024

> Also, I will look into porting this functionality to Bundler so that Dependabot does not need to monkey patch it, and thus leads to more consistent results.

Is there any issue I can track about this feature? I'd love Bundler to be able to bundle for other Ruby versions than the one it's currently running in.

@deivid-rodriguez
Contributor Author

No, sorry, I never opened an upstream issue about it!

Development

Successfully merging this pull request may close these issues.

Unrelated libraries are updated with bundler