Unrelated libraries are updated with bundler #5926
Comments
Thanks for reporting. I guess related to the upgrade of Bundler at #5509. Can you share a public repository that reproduces this? |
Thank you for quick response.
Sorry, this case is inside private repository at my work 🙇 |
No problem. Could you try to extract just the manifest files (or at least the subset of dependencies giving you trouble) to a public repository, and see if it reproduces there. Alternatively, can you try reproducing this using https://github.com/dependabot/cli? |
I made a public repository that extracts a subset of libraries. As a result, dependabot works as expected. After I created a PR, I found other repositories in the company don't have the same problem. |
That's too bad. One question, was the PR created with unrelated dependencies up to date with your default branch? |
Sorry for the late response.
Yes, it is. Currently, I'm trying to find the conditions under which it reproduces by increasing/decreasing the libraries in the Gemfile.
I also have an example of this behavior (it's in a private repo too…)
PR title: "Build(deps-dev): Bump rspec-rails from 6.0.0 to 6.0.1"
PR content:
diff --git a/Gemfile.lock b/Gemfile.lock
index 95a1cc9..1e444d8 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -240,9 +240,9 @@ GEM
net-smtp (0.3.2)
net-protocol
nio4r (2.5.8)
- nokogiri (1.13.8-arm64-darwin)
+ nokogiri (1.13.9-arm64-darwin)
racc (~> 1.4)
- nokogiri (1.13.8-x86_64-linux)
+ nokogiri (1.13.9-x86_64-linux)
racc (~> 1.4)
parallel (1.22.1)
parser (3.1.2.1)
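Review bot: the nokogiri 1.13.8 to 1.13.9 change in this hunk (both the arm64-darwin and the x86_64-linux platform entries) has no connection to the rspec-rails bump named in the PR title, so this hunk is the unrelated change the issue describes; a PR scoped to one gem should leave these lines untouched, and the nokogiri bump belongs in its own PR where it can be reviewed on its own.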
@@ -309,7 +309,7 @@ GEM
rspec-mocks (3.11.1)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.11.0)
- rspec-rails (6.0.0)
+ rspec-rails (6.0.1)
actionpack (>= 6.1)
activesupport (>= 6.1)
railties (>= 6.1)
Here's the full Gemfile and Gemfile.lock
# frozen_string_literal: true
source 'https://rubygems.org'
git_source(:github) { |repo| "https://github.com/#{repo}.git" }
gem 'rails', '~> 7.0.1'
gem 'sprockets-rails'
gem 'pg'
gem 'puma', '~> 5.0'
gem 'jbuilder'
gem 'redis', '< 4.6'
gem 'mini_racer'
gem 'terser'
gem 'sassc-rails'
gem 'sidekiq'
gem 'mini_scheduler'
gem 'logster'
gem 'listen', '~> 3.0.5'
gem 'prometheus_exporter'
gem 'active_model_serializers', '~> 0.8.3'
gem 'acts_as_paranoid'
gem 'kaminari'
gem 'addressable'
gem 'httparty'
gem 'carrierwave'
gem 'fog-aws'
gem 'eye', require: false
gem 'droplet_kit'
gem 'bootstrap', '~> 5.2.0'
gem 'jquery-rails'
gem 'chartjs-ror'
gem 'rack-mini-profiler', require: false
group :development, :test do
gem 'byebug'
gem 'pry-rails'
end
group :development do
gem 'better_errors'
gem 'binding_of_caller'
gem 'memory_profiler'
gem 'rubocop-discourse', require: false
gem 'stackprof'
end
group :test do
gem 'fabrication'
gem 'rspec-rails'
gem 'webmock'
end
|
Actually I think this is expected. Dependabot's default behavior is "non-conservative", namely, when updating a dependency, it also updates indirect dependencies of it. And I believe the above behavior is intentional, see #2246. However, I do agree that:
|
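To make the distinction in the comment above concrete (a conservative update touches only the target gem and the gems it transitively depends on, anything else in the lockfile diff is an unrelated change that widens what a reviewer has to vet), here is an added Ruby script. It is not part of this thread and not dependabot-core's code: it parses two constructed Gemfile.lock fragments with a small hand-written reader of the `specs:` sections, computes the target gem's dependency closure, and reports every changed gem that falls outside it. The lockfile contents, the gem versions in them and the `parse_specs`, `transitive_deps` and `classify_update` helpers are all constructed for this illustration.

```ruby
require "set"

# Constructed Gemfile.lock fragment for illustration (not the reporter's
# lockfile). This is the state before a Dependabot PR that targets rspec-rails.
LOCK_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (7.0.4)
      activesupport (7.0.4)
      diff-lcs (1.5.0)
      nokogiri (1.13.8-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.0)
      railties (7.0.4)
      rspec-mocks (3.11.1)
        diff-lcs (>= 1.2.0, < 2.0)
        rspec-support (~> 3.11.0)
      rspec-rails (6.0.0)
        actionpack (>= 6.1)
        activesupport (>= 6.1)
        railties (>= 6.1)
        rspec-mocks (~> 3.11)
      rspec-support (3.11.1)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    nokogiri
    rspec-rails
LOCK

# Same lockfile after the PR: rspec-rails bumped as intended, but nokogiri
# (not a dependency of rspec-rails) was bumped as well.
LOCK_AFTER = LOCK_BEFORE
  .sub("rspec-rails (6.0.0)", "rspec-rails (6.0.1)")
  .sub("nokogiri (1.13.8-x86_64-linux)", "nokogiri (1.13.9-x86_64-linux)")

# Parse the resolved specs of a Gemfile.lock into
#   { "name" => { versions: [...], deps: [...] } }.
# Only the GEM/GIT/PATH spec sections are read. A gem that appears once per
# platform (native builds such as nokogiri) is merged into a single entry, so
# a bump of any platform variant counts as a change to that gem.
def parse_specs(lock)
  specs = Hash.new { |h, k| h[k] = { versions: [], deps: [] } }
  in_specs = false
  current = nil
  lock.each_line(chomp: true) do |line|
    if line.match?(/\A[A-Z]/)                    # section header: GEM, PLATFORMS, ...
      in_specs = %w[GEM GIT PATH].include?(line)
      current = nil
      next
    end
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))  # 4-space indent: resolved spec
      current = m[1]
      specs[current][:versions] << m[2]
    elsif current && (m = line.match(/\A {6}(\S+)/))   # 6-space indent: its dependency
      specs[current][:deps] << m[1] unless specs[current][:deps].include?(m[1])
    end
  end
  specs
end

# Every gem reachable from `name` through the lockfile's dependency edges.
def transitive_deps(specs, name, seen = Set.new)
  return seen unless specs.key?(name)
  specs[name][:deps].each do |dep|
    transitive_deps(specs, dep, seen) if seen.add?(dep)
  end
  seen
end

# Compare two lockfiles for an update that should only touch `target`.
# Returns every gem whose resolved version(s) changed, and the subset that is
# neither the target nor one of its transitive dependencies.
def classify_update(before_lock, after_lock, target)
  before = parse_specs(before_lock)
  after  = parse_specs(after_lock)
  changed = (before.keys | after.keys).select { |g| before[g] != after[g] }.sort
  allowed = transitive_deps(after, target).add(target)
  { changed: changed, unrelated: changed.reject { |g| allowed.include?(g) } }
end

if __FILE__ == $PROGRAM_NAME
  report = classify_update(LOCK_BEFORE, LOCK_AFTER, "rspec-rails")
  puts "changed:   #{report[:changed].join(', ')}"
  puts "unrelated: #{report[:unrelated].join(', ')}"
end
```

Run against the two fragments it reports `changed: nokogiri, rspec-rails` and `unrelated: nokogiri`, which is exactly the shape of the PRs in this thread. Fed the real before/after lockfiles from a Dependabot PR (for example as a CI step that fails when the unrelated list is non-empty), it separates the update the PR title announces from everything else that moved, so the extra bumps get their own review instead of riding along unnoticed.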
That seems unexpected. Like @t-tiger is trying to do, if you can reduce this to a Gemfile and Gemfile.lock file that you can share and reproduces the issue, that would go a long way with fixing this. |
mloberg/dependabot-bundler-downgrade-issue#2 matches the issue I mentioned exactly. The other PRs that were created also match the PRs that were generated and have the same issue where a bunch of unrelated libraries are being changed |
Thank you! I'll have a look! |
@deivid-rodriguez any luck with figuring this out? We too have the same issue. |
Hei @ashkulz, I didn't have time yet, hope to look at this tomorrow. |
I pushed a fix for this issue. Commenting |
@deivid-rodriguez Things are looking good. Thanks! |
Same here, dependabot was timing out for us for one repo which seems to have been fixed by this as well 🎉 |
@deivid-rodriguez Thank you so much for the effort!! |
No problem! :) |
Is there an existing issue for this?
Package ecosystem
Bundler
Package manager version
bundler
2.2.32
Language version
Ruby
2.7.2
Manifest location and content before the Dependabot update
/Gemfile
dependabot.yml content
Updated dependency
When updating warning from 1.2.1 to 1.3.0, the following are also updated, while only warning should be updated.
Above libraries are not related to the original gem, they should be updated with other PRs.
What you expected to see, versus what you actually saw
Expected
Only warning is updated from 1.2.1 to 1.3.0, which is the result when I manually execute bundle update warning.
Actual
Other libraries are also updated, as the Updated dependency section shows. It seems to have started last week. Our team has been using dependabot for a long time.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response