Use inferred flutter version

[sigurdm]

This reorganizes the pub integration somewhat:

• The pub integration dependency_services now is a dart package as a helper inside dependabot (with a git dependency on the pub client)
• These helpers are compiled in the Dockerfile by a build script.
• The version of flutter/dart to use is inferred by another helper.
• Flutter is no longer installed by the dockerfile, but dynamically checked out into /tmp/flutter, where the correct flutter version is checked out.

Also the dart sdk is updated (this is less important, as the sdk version used for analysis is will be the one associated with the flutter version).

fixes: #5084

[sigurdm]

@mctofu does this approach make sense to you?
cc @jonasfj

[jonasfj]

The actual dependency-services is still implemented in the pub repository, we just moved the bin/dependency_services.dart file that exports it in here. That makes it more clear that this is really reaching into the pub repository for internal stuff.

But that's fine, one day when dependency-services is more formalized maybe we can expose it properly and document it as part of a Dart SDK. For now, the dependency-services logic we have in pub is only intended for use by dependabot.

off-topic: or maybe dependency-services should be an LSP extension of sorts)

[jeffwidman]

cc @mattt in case this impacts #5024 related stuff.

[mctofu]

@mctofu does this approach make sense to you?

This does make sense to me. I'm going to find some time to give this a test run this week to get a better idea of how it's working.

There are some CI tasks failing on this branch. You can fix the npm CI errors by updating with the latest changes on main. The pub errors look to be from the linter which you can fix by running rubocop -A

[mctofu]

minor: it'd be best to remove this if we won't use it

[sigurdm]

Removed

[sigurdm]

PTAL

[passsy]

does "first" mean: oldest or newest Flutter version?

[sigurdm]

It is the first in the list passed to this function.

I tried to rephrase a bit.

[passsy]

Inferring is a good start, but dependabot should allow pointing to an exact git-ref (tag, sha1).

[sigurdm]

Hmm - do you have an idea for a good place to put this configuration?

What are scenarios where you would need this?

[passsy]

Scenario: We use flutterw to pin the flutter version. Others use fvm or custom solutions.

Tree options pop into my mind:

• Lookup: dependabot checks the version of those pinning solutions (i.e. check git submodule sha1 or a configuration file)
• Add a flutter version to .github/dependabot.yaml
• Define a new dependabot.flutter_version property to pubspec.yaml of each package and read it

[sigurdm]

cc @jonasfj what do you think?

[jonasfj]

I think that it sufficient that we allow pinning the Flutter SDK constraint in environment.flutter.

Generally, the dart pub client will ignore the upper-bound in environment.flutter, as a result of a decision made in Flutter 2 that Flutter wouldn't break backwards compatibility.

But in dependabot, I think we made it respect the upper-bound, thus, the environment.flutter constraint can be used to pin a Flutter version. You can't pin to arbitrary sha or tag, but you can pin to stable and beta releases of Flutter.

My two cents is that this is a reasonable compromise.

[passsy]

Using the lower bound of environment.flutter would work for us. But it could prevent dependabot from adding the latest versions.

Using the upper bound wouldn't be practical. We'd have to change it every time we upgrade in all packages of our mono repo.

[mctofu]

@sigurdm: I'm trying to run this locally and running into an error. Do you get the same thing or have I done something wrong?

[dependabot-core-dev] ~/dependabot-core $ bin/dry-run.rb pub passsy/flutter_dependabot_example
warning: parser/current is loading parser/ruby27, which recognizes2.7.6-compliant syntax, but you are running 2.7.5.
Please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
=> cloning into /home/dependabot/dependabot-core/tmp/passsy/flutter_dependabot_example
=> parsing dependency files
=> updating 5 dependencies: cupertino_icons, flutter, flutter_lints, flutter_test, go_router

=== cupertino_icons (1.0.4)
 => checking for updates 1/5
Traceback (most recent call last):
	15: from bin/dry-run.rb:635:in `<main>'
	14: from bin/dry-run.rb:635:in `each'
	13: from bin/dry-run.rb:643:in `block in <main>'
	12: from /home/dependabot/dependabot-core/pub/lib/dependabot/pub/update_checker.rb:13:in `latest_version'
	11: from /home/dependabot/dependabot-core/pub/lib/dependabot/pub/update_checker.rb:101:in `current_report'
	10: from /home/dependabot/dependabot-core/pub/lib/dependabot/pub/update_checker.rb:97:in `report'
	 9: from /home/dependabot/dependabot-core/pub/lib/dependabot/pub/helpers.rb:44:in `dependency_services_report'
	 8: from /home/dependabot/dependabot-core/pub/lib/dependabot/pub/helpers.rb:150:in `run_dependency_services'
	 7: from /home/dependabot/dependabot-core/common/lib/dependabot/shared_helpers.rb:49:in `in_a_temporary_directory'
	 6: from /home/dependabot/dependabot-core/common/lib/dependabot/shared_helpers.rb:49:in `chdir'
	 5: from /home/dependabot/dependabot-core/common/lib/dependabot/shared_helpers.rb:49:in `block in in_a_temporary_directory'
	 4: from /home/dependabot/dependabot-core/pub/lib/dependabot/pub/helpers.rb:157:in `block in run_dependency_services'
	 3: from /home/dependabot/dependabot-core/common/lib/dependabot/shared_helpers.rb:168:in `with_git_configured'
	 2: from /home/dependabot/dependabot-core/pub/lib/dependabot/pub/helpers.rb:167:in `block (2 levels) in run_dependency_services'
	 1: from /home/dependabot/dependabot-core/pub/lib/dependabot/pub/helpers.rb:167:in `chdir'
/home/dependabot/dependabot-core/pub/lib/dependabot/pub/helpers.rb:174:in `block (3 levels) in run_dependency_services': dependency_services failed: Package not available (the Flutter SDK is not available). (Dependabot::DependabotError)

[sigurdm]

@mctofu sorry - I had not tested this thoroughly. I was downloading the flutter sdk, but never using it from the resolution.

Now I've added a test of update-checking a package actually using flutter. PTAL

[sigurdm]

Now we get:

$ ../bin/dry-run.rb pub passsy/flutter_dependabot_example
warning: parser/current is loading parser/ruby27, which recognizes2.7.6-compliant syntax, but you are running 2.7.5.
Please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
=> cloning into /home/dependabot/dependabot-core/pub/tmp/passsy/flutter_dependabot_example
=> parsing dependency files
=> updating 5 dependencies: cupertino_icons, flutter, flutter_lints, flutter_test, go_router

=== cupertino_icons (1.0.4)
 => checking for updates 1/5
 => latest available version is 1.0.5
 => latest allowed version is 1.0.5
 => requirements to unlock: own
 => requirements update strategy: 
 => updating cupertino_icons from 1.0.4 to 1.0.5

    ± pubspec.yaml
    ~~~
    12c12
    <   cupertino_icons: ^1.0.2
    ---
    >   cupertino_icons: ^1.0.5
    ~~~

    ± pubspec.lock
    ~~~
    45c45
    <     version: "1.15.0"
    ---
    >     version: "1.16.0"
    52c52
    <     version: "1.0.4"
    ---
    >     version: "1.0.5"
    59c59
    <     version: "1.2.0"
    ---
    >     version: "1.3.0"
    123c123
    <     version: "0.1.3"
    ---
    >     version: "0.1.4"
    149c149
    <     version: "1.8.1"
    ---
    >     version: "1.8.2"
    185,191d184
    <   typed_data:
    <     dependency: transitive
    <     description:
    <       name: typed_data
    <       url: "https://pub.dartlang.org"
    <     source: hosted
    <     version: "1.3.0"
    198c191
    <     version: "2.1.1"
    ---
    >     version: "2.1.2"
    200c193
    <   dart: ">=2.16.2 <3.0.0"
    ---
    >   dart: ">=2.17.0-0 <3.0.0"
    ~~~

=== flutter (0.0.0)
 => checking for updates 2/5
 => latest available version is 0.0.0
 => latest allowed version is 0.0.0
    (no update needed as it's already up-to-date)

=== flutter_lints (1.0.4)
 => checking for updates 3/5
 => latest available version is 2.0.1
 => latest allowed version is 2.0.1
 => requirements to unlock: own
 => requirements update strategy: 
 => updating flutter_lints from 1.0.4 to 2.0.1

    ± pubspec.yaml
    ~~~
    18c18
    <   flutter_lints: ^1.0.0
    ---
    >   flutter_lints: ^2.0.1
    ~~~

    ± pubspec.lock
    ~~~
    45c45
    <     version: "1.15.0"
    ---
    >     version: "1.16.0"
    59c59
    <     version: "1.2.0"
    ---
    >     version: "1.3.0"
    71c71
    <     version: "1.0.4"
    ---
    >     version: "2.0.1"
    102c102
    <     version: "1.0.1"
    ---
    >     version: "2.0.0"
    123c123
    <     version: "0.1.3"
    ---
    >     version: "0.1.4"
    149c149
    <     version: "1.8.1"
    ---
    >     version: "1.8.2"
    185,191d184
    <   typed_data:
    <     dependency: transitive
    <     description:
    <       name: typed_data
    <       url: "https://pub.dartlang.org"
    <     source: hosted
    <     version: "1.3.0"
    198c191
    <     version: "2.1.1"
    ---
    >     version: "2.1.2"
    200c193
    <   dart: ">=2.16.2 <3.0.0"
    ---
    >   dart: ">=2.17.0-206.0.dev <3.0.0"
    ~~~

=== flutter_test (0.0.0)
 => checking for updates 4/5
 => latest available version is 0.0.0
 => latest allowed version is 0.0.0
    (no update needed as it's already up-to-date)

=== go_router (3.0.5)
 => checking for updates 5/5
 => latest available version is 3.1.1
 => latest allowed version is 3.1.1
 => requirements to unlock: own
 => requirements update strategy: 
 => updating go_router from 3.0.5 to 3.1.1

    ± pubspec.yaml
    ~~~
    13c13
    <   go_router: 3.0.5
    ---
    >   go_router: ^3.1.1
    ~~~

    ± pubspec.lock
    ~~~
    45c45
    <     version: "1.15.0"
    ---
    >     version: "1.16.0"
    59c59
    <     version: "1.2.0"
    ---
    >     version: "1.3.0"
    88c88
    <     version: "3.0.5"
    ---
    >     version: "3.1.1"
    123c123
    <     version: "0.1.3"
    ---
    >     version: "0.1.4"
    149c149
    <     version: "1.8.1"
    ---
    >     version: "1.8.2"
    185,191d184
    <   typed_data:
    <     dependency: transitive
    <     description:
    <       name: typed_data
    <       url: "https://pub.dartlang.org"
    <     source: hosted
    <     version: "1.3.0"
    198c191
    <     version: "2.1.1"
    ---
    >     version: "2.1.2"
    200c193
    <   dart: ">=2.16.2 <3.0.0"
    ---
    >   dart: ">=2.17.0-0 <3.0.0"
    ~~~
🌍 Total requests made: '0'

[mctofu]

@sigurdm: Thanks, it's working locally for me now! There are a few tests failing now in pub/spec/dependabot/pub/infer_sdk_versions_spec.rb but overall it looks good!

[mctofu]

Thanks! I think this looks good to merge but let me know if you'd want to make any other changes first.

[jonasfj]

LGTM

[sigurdm]

@mctofu I think I'm happy now.