Renovate bot misses available patch level updates for Bundler

[blischalk]

What Renovate type, platform and version are you using?

Latest Renovate bot release (23.94.0) in Docker. I have also forked the latest code and replicated this issue with yarn start.

This does not seem to be platform dependent as I have reproduced the issue on GitLab and Github.

Describe the bug

Running Renovate against a Ruby code base that has patch level gem updates available upstream in Rubygems does not create pull requests to update dependencies with available patch level updates.

To Reproduce

I have created a simple sample public repo on Github here

Using a small Gemfile like the following:

source 'https://rubygems.org'

group :dvelopment do
  gem 'rubocop', '~>1.4.2'
  gem 'rubocop-performance', '~>1.9.0'
  gem 'rubocop-rspec', '~>2.0.0'
end

That has the corresponding Gemfile.lock:

GEM
  remote: https://rubygems.org/
  specs:
    ast (2.4.1)
    parallel (1.20.1)
    parser (2.7.2.0)
      ast (~> 2.4.1)
    rainbow (3.0.0)
    regexp_parser (2.0.0)
    rexml (3.2.4)
    rubocop (1.4.2)
      parallel (~> 1.10)
      parser (>= 2.7.1.5)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8)
      rexml
      rubocop-ast (>= 1.1.1)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 1.4.0, < 2.0)
    rubocop-ast (1.3.0)
      parser (>= 2.7.1.5)
    rubocop-performance (1.9.0)
      rubocop (>= 0.90.0, < 2.0)
      rubocop-ast (>= 0.4.0)
    rubocop-rspec (2.0.0)
      rubocop (~> 1.0)
      rubocop-ast (>= 1.1.0)
    ruby-progressbar (1.10.1)
    unicode-display_width (1.7.0)

PLATFORMS
  ruby

DEPENDENCIES
  rubocop (~> 1.4.2)
  rubocop-performance (~> 1.9.0)
  rubocop-rspec (~> 2.0.0)

BUNDLED WITH
   2.0.1

And a config.js like:

module.exports = {
  autodiscover: false,
  logLevel: "debug",
  platform: "github",
  gitAuthor: "GitHub Bot <no-replay@foobar.com>",
  branchPrefix: "renovate-",
  onboardingBranch: "renovation-onboarding",
  repositories: [
    {repository: 'blischalk/renovate-bundler-test'}
  ]
}

Running yarn start creates a config PR stating it would update Rubocop with a minor level update but no mention of the other 2 dependencies that have patch level updates.

Debug logs also show that there are no available updates for the dependencies that do have upstream patch level updates available:

DEBUG: packageFiles with updates (repository=blischalk/renovate-bundler-test)
       "config": {
         "bundler": [
           {
             "packageFile": "Gemfile",
             "manager": "bundler",
             "registryUrls": ["https://rubygems.org"],
             "deps": [
               {
                 "depName": "rubocop",
                 "managerData": {"lineNumber": 3},
                 "currentValue": "~>1.4.2",
                 "datasource": "rubygems",
                 "depTypes": ["dvelopment"],
                 "lockedVersion": "1.4.2",
                 "depIndex": 0,
                 "updates": [
                   {
                     "fromVersion": "1.4.2",
                     "toVersion": "1.5.1",
                     "newValue": "~>1.5.0",
                     "newMajor": 1,
                     "newMinor": 5,
                     "updateType": "minor",
                     "isSingleVersion": false,
                     "isRange": true
                   }
                 ],
                 "warnings": [],
                 "fixedVersion": "1.4.2"
               },
               {
                 "depName": "rubocop-performance",
                 "managerData": {"lineNumber": 4},
                 "currentValue": "~>1.9.0",
                 "datasource": "rubygems",
                 "depTypes": ["dvelopment"],
                 "lockedVersion": "1.9.0",
                 "depIndex": 1,
                 "updates": [],
                 "warnings": [],
                 "fixedVersion": "1.9.0"
               },
               {
                 "depName": "rubocop-rspec",
                 "managerData": {"lineNumber": 5},
                 "currentValue": "~>2.0.0",
                 "datasource": "rubygems",
                 "depTypes": ["dvelopment"],
                 "lockedVersion": "2.0.0",
                 "depIndex": 2,
                 "updates": [],
                 "warnings": [],
                 "fixedVersion": "2.0.0"
               }
             ],
             "constraints": {"bundler": "2.0.1"}
           }
         ]
       }

What I expect to happen

Merge requests are opened / would be opened upon config MR merge to upgrade:

Rubocop to ~>1.5.0
Rubocop-performance to ~> 1.9.1
Rubocop-rspec to ~> 2.0.1

What actually happens

A merge request to upgrade the minor version of Rubocop to ~> 1.5.0 is opened but no merge request for the patch level upgrades of Rubocop-performance and Rubocop-rspec occur.

[rarkins]

Please take a look at rangeStrategy. By default the bot only sends PRs if a new release doesn't satisfy the existing range.

What you are expecting is referred to as "bumping" in Renovate and won't happen by default because we don't like to narrow ranges unless the user opts into it. e.g. ~> 1.9.0 to ~> 1.9.1.

What's probably a reasonable default though would be to update the lock file by default (leaving the range in-tact) but we didn't do that for historical reasons as people found the quantity of PRs out of the box overwhelming.

[blischalk]

Thank you @rarkins . Adding 'rangeStrategy: update-lockfile' to the config allowed Renovate to pick up the patch level changes. I opened PR renovate/pull/7888 to update the docs for that config to indicate that bundler is also supported.