-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bundler 2: [Prerelease] Add version resolver #3319
Changes from all commits
55460c7
ffa5288
02e27c6
eff6206
6a68837
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,140 @@ | ||
module Functions | ||
class VersionResolver | ||
GEM_NOT_FOUND_ERROR_REGEX = /locked to (?<name>[^\s]+) \(/.freeze | ||
|
||
attr_reader :dependency_name, :dependency_requirements, | ||
:gemfile_name, :lockfile_name | ||
|
||
def initialize(dependency_name:, dependency_requirements:, | ||
gemfile_name:, lockfile_name:) | ||
@dependency_name = dependency_name | ||
@dependency_requirements = dependency_requirements | ||
@gemfile_name = gemfile_name | ||
@lockfile_name = lockfile_name | ||
end | ||
|
||
def version_details | ||
dep = dependency_from_definition | ||
|
||
# If the dependency wasn't found in the definition, but *is* | ||
# included in a gemspec, it's because the Gemfile didn't import | ||
# the gemspec. This is unusual, but the correct behaviour if/when | ||
# it happens is to behave as if the repo was gemspec-only. | ||
if dep.nil? && dependency_requirements.any? | ||
return "latest" | ||
end | ||
|
||
# Otherwise, if the dependency wasn't found it's because it is a | ||
# subdependency that was removed when attempting to update it. | ||
return nil if dep.nil? | ||
|
||
# If the dependency is Bundler itself then we can't trust the | ||
# version that has been returned (it's the version Dependabot is | ||
# running on, rather than the true latest resolvable version). | ||
return nil if dep.name == "bundler" | ||
|
||
details = { | ||
version: dep.version, | ||
ruby_version: ruby_version, | ||
fetcher: fetcher_class(dep) | ||
} | ||
if dep.source.instance_of?(::Bundler::Source::Git) | ||
details[:commit_sha] = dep.source.revision | ||
end | ||
details | ||
end | ||
|
||
private | ||
|
||
# rubocop:disable Metrics/PerceivedComplexity | ||
def dependency_from_definition(unlock_subdependencies: true) | ||
dependencies_to_unlock = [dependency_name] | ||
dependencies_to_unlock += subdependencies if unlock_subdependencies | ||
begin | ||
definition = build_definition(dependencies_to_unlock) | ||
definition.resolve_remotely! | ||
rescue ::Bundler::GemNotFound => e | ||
unlock_yanked_gem(dependencies_to_unlock, e) && retry | ||
rescue ::Bundler::HTTPError => e | ||
# Retry network errors | ||
# Note: in_a_native_bundler_context will also retry `Bundler::HTTPError` errors | ||
# up to three times meaning we'll end up retrying this error up to six times | ||
# TODO: Could we get rid of this retry logic and only rely on | ||
# SharedBundlerHelpers.in_a_native_bundler_context | ||
attempt ||= 1 | ||
attempt += 1 | ||
raise if attempt > 3 || !e.message.include?("Network error") | ||
|
||
retry | ||
end | ||
|
||
dep = definition.resolve.find { |d| d.name == dependency_name } | ||
return dep if dep | ||
return if dependency_requirements.any? || !unlock_subdependencies | ||
|
||
# If no definition was found and we're updating a sub-dependency, | ||
# try again but without unlocking any other sub-dependencies | ||
dependency_from_definition(unlock_subdependencies: false) | ||
end | ||
# rubocop:enable Metrics/PerceivedComplexity | ||
|
||
def subdependencies | ||
# If there's no lockfile we don't need to worry about | ||
# subdependencies | ||
return [] unless lockfile | ||
|
||
all_deps = ::Bundler::LockfileParser.new(lockfile). | ||
specs.map(&:name).map(&:to_s).uniq | ||
top_level = build_definition([]).dependencies. | ||
map(&:name).map(&:to_s) | ||
|
||
all_deps - top_level | ||
end | ||
|
||
def build_definition(dependencies_to_unlock) | ||
# Note: we lock shared dependencies to avoid any top-level | ||
# dependencies getting unlocked (which would happen if they were | ||
# also subdependencies of the dependency being unlocked) | ||
::Bundler::Definition.build( | ||
gemfile_name, | ||
lockfile_name, | ||
gems: dependencies_to_unlock, | ||
lock_shared_dependencies: true | ||
) | ||
end | ||
|
||
def unlock_yanked_gem(dependencies_to_unlock, error) | ||
raise unless error.message.match?(GEM_NOT_FOUND_ERROR_REGEX) | ||
|
||
gem_name = error.message.match(GEM_NOT_FOUND_ERROR_REGEX). | ||
named_captures["name"] | ||
raise if dependencies_to_unlock.include?(gem_name) | ||
|
||
dependencies_to_unlock << gem_name | ||
end | ||
|
||
def lockfile | ||
return @lockfile if defined?(@lockfile) | ||
|
||
@lockfile = | ||
begin | ||
return unless lockfile_name | ||
return unless File.exist?(lockfile_name) | ||
|
||
File.read(lockfile_name) | ||
end | ||
end | ||
|
||
def fetcher_class(dep) | ||
return unless dep.source.is_a?(::Bundler::Source::Rubygems) | ||
|
||
dep.source.fetchers.first.fetchers.first.class.to_s | ||
end | ||
|
||
def ruby_version | ||
return nil unless gemfile_name | ||
|
||
@ruby_version ||= build_definition([]).ruby_version&.gem_version | ||
end | ||
end | ||
end |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,97 @@ | ||
# frozen_string_literal: true | ||
|
||
require "native_spec_helper" | ||
require "shared_contexts" | ||
|
||
RSpec.describe Functions::VersionResolver do | ||
include_context "in a temporary bundler directory" | ||
include_context "stub rubygems compact index" | ||
|
||
let(:version_resolver) do | ||
described_class.new( | ||
dependency_name: dependency_name, | ||
dependency_requirements: dependency_requirements, | ||
gemfile_name: "Gemfile", | ||
lockfile_name: "Gemfile.lock" | ||
) | ||
end | ||
|
||
let(:dependency_name) { "business" } | ||
let(:dependency_requirements) do | ||
[{ | ||
file: "Gemfile", | ||
requirement: requirement_string, | ||
groups: [], | ||
source: source | ||
}] | ||
end | ||
let(:source) { nil } | ||
|
||
let(:rubygems_url) { "https://index.rubygems.org/api/v1/" } | ||
let(:old_index_url) { rubygems_url + "dependencies" } | ||
|
||
describe "#version_details" do | ||
subject do | ||
in_tmp_folder { version_resolver.version_details } | ||
end | ||
|
||
let(:project_name) { "gemfile" } | ||
let(:requirement_string) { " >= 0" } | ||
|
||
its([:version]) { is_expected.to eq(Gem::Version.new("1.4.0")) } | ||
its([:fetcher]) { is_expected.to eq("Bundler::Fetcher::CompactIndex") } | ||
|
||
context "with a private gemserver source" do | ||
include_context "stub rubygems compact index" | ||
|
||
let(:project_name) { "specified_source" } | ||
let(:requirement_string) { ">= 0" } | ||
|
||
before do | ||
gemfury_url = "https://repo.fury.io/greysteil/" | ||
gemfury_deps_url = gemfury_url + "api/v1/dependencies" | ||
|
||
stub_request(:get, gemfury_url + "versions"). | ||
to_return(status: 200, body: fixture("ruby", "gemfury-index")) | ||
stub_request(:get, gemfury_url + "info/business").to_return(status: 404) | ||
stub_request(:get, gemfury_deps_url).to_return(status: 200) | ||
stub_request(:get, gemfury_deps_url + "?gems=business,statesman"). | ||
to_return(status: 200, body: fixture("ruby", "gemfury_response")) | ||
stub_request(:get, gemfury_deps_url + "?gems=business"). | ||
to_return(status: 200, body: fixture("ruby", "gemfury_response")) | ||
stub_request(:get, gemfury_deps_url + "?gems=statesman"). | ||
to_return(status: 200, body: fixture("ruby", "gemfury_response")) | ||
end | ||
|
||
its([:version]) { is_expected.to eq(Gem::Version.new("1.9.0")) } | ||
its([:fetcher]) { is_expected.to eq("Bundler::Fetcher::Dependency") } | ||
end | ||
|
||
context "with a git source" do | ||
let(:project_name) { "git_source" } | ||
|
||
its([:version]) { is_expected.to eq(Gem::Version.new("1.6.0")) } | ||
its([:fetcher]) { is_expected.to be_nil } | ||
end | ||
|
||
context "when Bundler's compact index is down" do | ||
before do | ||
stub_request(:get, "https://index.rubygems.org/versions"). | ||
to_return(status: 500, body: "We'll be back soon") | ||
stub_request(:get, "https://index.rubygems.org/info/public_suffix"). | ||
to_return(status: 500, body: "We'll be back soon") | ||
stub_request(:get, old_index_url).to_return(status: 200) | ||
stub_request(:get, old_index_url + "?gems=business,statesman"). | ||
to_return( | ||
status: 200, | ||
body: fixture("ruby", | ||
"rubygems_responses", | ||
"dependencies-default-gemfile") | ||
) | ||
end | ||
|
||
its([:version]) { is_expected.to eq(Gem::Version.new("1.4.0")) } | ||
its([:fetcher]) { is_expected.to eq("Bundler::Fetcher::Dependency") } | ||
end | ||
end | ||
end |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -20,7 +20,7 @@ | |
}], | ||
unlock_requirement: unlock_requirement, | ||
latest_allowable_version: latest_allowable_version, | ||
options: {} | ||
options: { bundler_2_available: bundler_2_available? } | ||
) | ||
end | ||
let(:ignored_versions) { [] } | ||
|
@@ -98,7 +98,7 @@ | |
# end | ||
end | ||
|
||
context "with a Bundler version specified" do | ||
context "with a Bundler v1 version specified", :bundler_v1_only do | ||
let(:requirement_string) { "~> 1.4.0" } | ||
|
||
let(:dependency_files) { project_dependency_files("bundler1/bundler_specified") } | ||
|
@@ -130,6 +130,67 @@ | |
end | ||
end | ||
|
||
context "with a Bundler v2 version specified", :bundler_v2_only do | ||
let(:requirement_string) { "~> 1.4.0" } | ||
|
||
let(:dependency_files) { project_dependency_files("bundler2/bundler_specified") } | ||
its([:version]) { is_expected.to eq(Gem::Version.new("1.4.0")) } | ||
|
||
context "attempting to update Bundler" do | ||
let(:dependency_name) { "bundler" } | ||
let(:requirement_string) { "~> 2.2.0" } | ||
|
||
let(:dependency_files) { project_dependency_files("bundler2/bundler_specified") } | ||
|
||
it "returns nil as resolution returns the bundler version installed by core" do | ||
expect(subject).to be_nil | ||
end | ||
end | ||
end | ||
|
||
context "with a dependency that requiers bundler v1", :bundler_v1_only do | ||
let(:dependency_name) { "guard-bundler" } | ||
let(:requirement_string) { "2.2.1" } | ||
|
||
let(:dependency_files) { project_dependency_files("bundler1/requires_bundler") } | ||
its([:version]) { is_expected.to eq(Gem::Version.new("2.2.1")) } | ||
end | ||
|
||
context "when bundled with v1 and requesting a version that requires bundler v2", :bundler_v1_only do | ||
let(:dependency_name) { "guard-bundler" } | ||
let(:requirement_string) { "~> 3.0.0" } | ||
|
||
let(:dependency_files) { project_dependency_files("bundler1/requires_bundler") } | ||
|
||
it "raises a DependencyFileNotResolvable error" do | ||
expect { subject }. | ||
to raise_error(Dependabot::DependencyFileNotResolvable) | ||
end | ||
end | ||
|
||
context "with a dependency that requiers bundler v2", :bundler_v2_only do | ||
let(:dependency_name) { "guard-bundler" } | ||
let(:requirement_string) { "3.0.0" } | ||
|
||
let(:dependency_files) { project_dependency_files("bundler2/requires_bundler") } | ||
|
||
pending "resolves version" do | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. These specs require the LatestVersionFinder and all the dependency source native helpers to be added so left these as pending until we have that merged in. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Should be able to remove There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'll do this downstream in a separate PR 👍 |
||
expect(subject.version).to eq(Gem::Version.new("3.0.0")) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This should be There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Cheers 👍 |
||
end | ||
end | ||
|
||
context "when bundled with v2 and requesting a version that requires bundler v1", :bundler_v2_only do | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @jurre looks like this spec is not actually raising, not sure there's anything wrong with that though so probably just a bogus test case that can be removed. |
||
let(:dependency_name) { "guard-bundler" } | ||
let(:requirement_string) { "~> 2.2.0" } | ||
|
||
let(:dependency_files) { project_dependency_files("bundler2/requires_bundler") } | ||
|
||
pending "raises a DependencyFileNotResolvable error" do | ||
expect { subject }. | ||
to raise_error(Dependabot::DependencyFileNotResolvable) | ||
end | ||
end | ||
|
||
context "with a default gem specified" do | ||
let(:requirement_string) { "~> 1.4" } | ||
|
||
|
@@ -192,7 +253,7 @@ | |
allow(Dependabot::Bundler::NativeHelpers). | ||
to receive(:run_bundler_subprocess). | ||
with({ | ||
bundler_version: "1", | ||
bundler_version: bundler_2_available? ? "2" : "1", | ||
function: "resolve_version", | ||
args: anything | ||
}). | ||
|
@@ -384,18 +445,29 @@ | |
to eq(Gem::Version.new("2.0.1")) | ||
end | ||
|
||
context "that isn't satisfied by the dependencies" do | ||
context "that isn't satisfied by the dependencies", :bundler_v1_only do | ||
let(:dependency_files) do | ||
project_dependency_files("bundler1/imports_gemspec_version_clash_old_required_ruby_no_lockfile") | ||
end | ||
let(:gemfile_fixture_name) { "imports_gemspec_version_clash" } | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Unused |
||
let(:current_version) { "3.0.1" } | ||
|
||
it "ignores the minimum ruby version in the gemspec" do | ||
expect(resolver.latest_resolvable_version_details[:version]). | ||
to eq(Gem::Version.new("7.2.0")) | ||
end | ||
end | ||
|
||
context "that isn't satisfied by the dependencies", :bundler_v2_only do | ||
let(:dependency_files) do | ||
project_dependency_files("bundler2/imports_gemspec_version_clash_old_required_ruby_no_lockfile") | ||
end | ||
let(:current_version) { "3.0.1" } | ||
|
||
it "raises a DependencyFileNotResolvable error" do | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Previously it looked like bundler v1 |
||
expect { subject }. | ||
to raise_error(Dependabot::DependencyFileNotResolvable) | ||
end | ||
end | ||
end | ||
end | ||
end | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ref: https://github.com/dependabot/dependabot-core/pull/3319/files#diff-8619130a1efd74403d2096bc77c13c862073216cecadb1ae2e00ec4a62070675R34
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a bummer, it doesn't seem like we can currently update bundler at all.
When running a dry-run to update a gemfile with bundler v1 it tries to go to v2 even though the project has been bundled with v1, it looks like it falls through here atm: https://github.com/dependabot/dependabot-core/blob/main/bundler/helpers/v1/lib/functions/version_resolver.rb#L24 because
bundler
isn't listed as one of the gems in the definition.When running the v2 helpers,
bundler
is listed as a gem but we return nil if the gem name isbundler
, I think this is the best thing for now as the "resolved version" is core's bundler version, not the latest resolvable version.