Closed
Labels
L: git:submodules (Git submodules)
L: github:actions (GitHub Actions)
L: ruby:bundler (RubyGems via bundler)
T: bug 🐞 (Something isn't working)
Description
I verified that this is a regression from #9923, and I think Dependabot can no longer create security update PRs for Bundler subdependencies since that PR was deployed.
I also created a fix for it at #10249.
Is there an existing issue for this?
- I have searched the existing issues
Package ecosystem
Bundler
Package manager version
Bundler 2.5.7
Language version
Ruby 3.3
Manifest location and content before the Dependabot update
dependabot.yml content
No config file.
Updated dependency
Rexml stays at vulnerable 3.2.8
What you expected to see, versus what you actually saw
A PR upgrading rexml to 3.3.2.
Native package manager behavior
bundle lock --update rexml
properly updates rexml.
Images of the diff or a link to the PR, issue, or logs
Security Update logs:
2024-07-18T21:32:16.2853726Z Current runner version: '2.317.0'
2024-07-18T21:32:16.2877083Z ##[group]Operating System
2024-07-18T21:32:16.2877716Z Ubuntu
2024-07-18T21:32:16.2878088Z 22.04.4
2024-07-18T21:32:16.2878505Z LTS
2024-07-18T21:32:16.2878856Z ##[endgroup]
2024-07-18T21:32:16.2879257Z ##[group]Runner Image
2024-07-18T21:32:16.2879768Z Image: ubuntu-22.04
2024-07-18T21:32:16.2880192Z Version: 20240714.1.0
2024-07-18T21:32:16.2881263Z Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20240714.1/images/ubuntu/Ubuntu2204-Readme.md
2024-07-18T21:32:16.2882722Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240714.1
2024-07-18T21:32:16.2883591Z ##[endgroup]
2024-07-18T21:32:16.2884081Z ##[group]Runner Image Provisioner
2024-07-18T21:32:16.2884577Z 2.0.370.1
2024-07-18T21:32:16.2884941Z ##[endgroup]
2024-07-18T21:32:16.2885964Z ##[group]GITHUB_TOKEN Permissions
2024-07-18T21:32:16.2887515Z Contents: read
2024-07-18T21:32:16.2888048Z Metadata: read
2024-07-18T21:32:16.2888637Z Packages: read
2024-07-18T21:32:16.2889161Z ##[endgroup]
2024-07-18T21:32:16.2892062Z Secret source: None
2024-07-18T21:32:16.2892661Z Prepare workflow directory
2024-07-18T21:32:16.3500365Z Prepare all required actions
2024-07-18T21:32:16.3658552Z Getting action download info
2024-07-18T21:32:16.5700098Z Download action repository 'github/dependabot-action@main' (SHA:a44f4547f8981075745258c2bc4e7d2422aed61d)
2024-07-18T21:32:17.2917569Z Complete job name: Dependabot
2024-07-18T21:32:17.3841014Z ##[group]Run mkdir -p ./dependabot-job-857728684-1721338327
2024-07-18T21:32:17.3842100Z mkdir -p ./dependabot-job-857728684-1721338327
2024-07-18T21:32:17.3884340Z shell: /usr/bin/bash -e {0}
2024-07-18T21:32:17.3885004Z ##[endgroup]
2024-07-18T21:32:17.4484298Z ##[group]Run github/dependabot-action@main
2024-07-18T21:32:17.4484931Z env:
2024-07-18T21:32:17.4485351Z DEPENDABOT_DISABLE_CLEANUP: 1
2024-07-18T21:32:17.4486019Z DEPENDABOT_ENABLE_CONNECTIVITY_CHECK: 0
2024-07-18T21:32:17.4486901Z GITHUB_TOKEN: ***
2024-07-18T21:32:17.4487793Z GITHUB_DEPENDABOT_JOB_TOKEN: ***
2024-07-18T21:32:17.4488854Z GITHUB_DEPENDABOT_CRED_TOKEN: ***
2024-07-18T21:32:17.4489400Z ##[endgroup]
2024-07-18T21:32:17.6679209Z 🤖 ~ starting update ~
2024-07-18T21:32:17.6724688Z Fetching job details
2024-07-18T21:32:18.3455529Z ##[group]Pulling updater images
2024-07-18T21:32:18.3525158Z Pulling image ghcr.io/dependabot/dependabot-updater-bundler:62b13807df5b488ea66a5aacae07247d6e300659...
2024-07-18T21:32:30.3228145Z Pulled image ghcr.io/dependabot/dependabot-updater-bundler:62b13807df5b488ea66a5aacae07247d6e300659
2024-07-18T21:32:30.3241503Z Pulling image ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:v2.0.20240715162325@sha256:bc3dab8b491c78ff5cf95358d95d14a21cfefbb0990be1137b1bccaf87102194...
2024-07-18T21:32:31.1507241Z Pulled image ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:v2.0.20240715162325@sha256:bc3dab8b491c78ff5cf95358d95d14a21cfefbb0990be1137b1bccaf87102194
2024-07-18T21:32:31.1510400Z ##[endgroup]
2024-07-18T21:32:31.1510849Z Starting update process
2024-07-18T21:32:31.5308471Z Created proxy container: 7cab30fc67398854579132ade8c6c9dd92109a42e22ed8e279e98b74e096cd0f
2024-07-18T21:32:31.8259960Z Created container: 84e98f18b4a9058bee52f875f85cac6afdfb755b32c8c3b4f029e1cf360739d0
2024-07-18T21:32:31.8646385Z proxy | 2024/07/18 21:32:31 proxy starting, commit: f375444b32b70ee41e6084e7b6ffc09599dcc194
2024-07-18T21:32:31.8647674Z proxy | 2024/07/18 21:32:31 Listening (:1080)
2024-07-18T21:32:32.0104507Z updater | Updating certificates in /etc/ssl/certs...
2024-07-18T21:32:32.7563154Z updater | rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
2024-07-18T21:32:32.7782239Z updater | 1 added, 0 removed; done.
2024-07-18T21:32:32.7783284Z Running hooks in /etc/ca-certificates/update.d...
2024-07-18T21:32:32.7796970Z updater | done.
2024-07-18T21:32:35.0139032Z updater | warning: parser/current is loading parser/ruby33, which recognizes 3.3.4-compliant syntax, but you are running 3.3.1.
2024-07-18T21:32:35.0141826Z Please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
2024-07-18T21:32:35.4309744Z updater | 2024/07/18 21:32:35 INFO <job_857728684> Starting job processing
2024-07-18T21:32:35.4324804Z 2024/07/18 21:32:35 INFO <job_857728684> Job definition: {"job":{"allowed-updates":[{"dependency-type":"direct","update-type":"all"},{"dependency-type":"indirect","update-type":"security"}],"commit-message-options":{"prefix":null,"prefix-development":null,"include-scope":null},"credentials-metadata":[{"type":"git_source","host":"github.com"}],"debug":null,"dependencies":["rexml"],"dependency-groups":[],"dependency-group-to-refresh":null,"existing-pull-requests":[[{"dependency-name":"nokogiri","dependency-version":"1.10.4"}],[{"dependency-name":"rack","dependency-version":"3.0.4.1"}]],"existing-group-pull-requests":[],"experiments":{"record-ecosystem-versions":true,"record-update-job-unknown-error":true,"proxy-cached":true,"dependency-change-validation":true},"ignore-conditions":[],"lockfile-only":false,"max-updater-run-time":2700,"package-manager":"bundler","proxy-log-response-body-on-auth-failure":true,"requirements-update-strategy":null,"reject-external-code":false,"security-advisories":[{"dependency-name":"rexml","patched-versions":[],"unaffected-versions":[],"affected-versions":["< 3.2.5"]},{"dependency-name":"rexml","patched-versions":[],"unaffected-versions":[],"affected-versions":["< 3.2.7"]},{"dependency-name":"rexml","patched-versions":[],"unaffected-versions":[],"affected-versions":["< 3.3.2"]}],"security-updates-only":true,"source":{"provider":"github","repo":"rubygems/rubygems.github.io","branch":null,"directory":"/.","api-endpoint":"https://api.github.com/","hostname":"github.com"},"updating-a-pull-request":false,"update-subdependencies":false,"vendor-dependencies":false,"repo-private":false}}
2024-07-18T21:32:35.8332061Z proxy | 2024/07/18 21:32:35 [002] GET https://github.com:443/rubygems/rubygems.github.io/info/refs?service=git-upload-pack
2024-07-18T21:32:35.8333989Z 2024/07/18 21:32:35 [002] * authenticating git server request (host: github.com)
2024-07-18T21:32:36.0136129Z proxy | 2024/07/18 21:32:36 [002] 200 https://github.com:443/rubygems/rubygems.github.io/info/refs?service=git-upload-pack
2024-07-18T21:32:36.0438450Z proxy | 2024/07/18 21:32:36 [004] POST https://github.com:443/rubygems/rubygems.github.io/git-upload-pack
2024-07-18T21:32:36.0439441Z 2024/07/18 21:32:36 [004] * authenticating git server request (host: github.com)
2024-07-18T21:32:36.1908027Z proxy | 2024/07/18 21:32:36 [004] 200 https://github.com:443/rubygems/rubygems.github.io/git-upload-pack
2024-07-18T21:32:36.2215318Z proxy | 2024/07/18 21:32:36 [006] POST https://github.com:443/rubygems/rubygems.github.io/git-upload-pack
2024-07-18T21:32:36.2217004Z 2024/07/18 21:32:36 [006] * authenticating git server request (host: github.com)
2024-07-18T21:32:36.4153354Z proxy | 2024/07/18 21:32:36 [006] 200 https://github.com:443/rubygems/rubygems.github.io/git-upload-pack
2024-07-18T21:32:36.9282685Z proxy | 2024/07/18 21:32:36 [008] POST /update_jobs/857728684/record_ecosystem_versions
2024-07-18T21:32:37.1776176Z proxy | 2024/07/18 21:32:37 [008] 204 /update_jobs/857728684/record_ecosystem_versions
2024-07-18T21:32:37.1804009Z updater | 2024/07/18 21:32:37 INFO <job_857728684> Base commit SHA: 1b16fa3a79ac6e69f039f1786c964c1256b30b0c
2024-07-18T21:32:37.1810909Z updater | 2024/07/18 21:32:37 INFO <job_857728684> Finished job processing
2024-07-18T21:32:39.3588559Z updater | warning: parser/current is loading parser/ruby33, which recognizes 3.3.4-compliant syntax, but you are running 3.3.1.
2024-07-18T21:32:39.3590899Z Please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
2024-07-18T21:32:39.7772723Z updater | 2024/07/18 21:32:39 INFO <job_857728684> Starting job processing
2024-07-18T21:32:40.1838286Z proxy | 2024/07/18 21:32:40 [011] POST /update_jobs/857728684/update_dependency_list
2024-07-18T21:32:40.2995506Z proxy | 2024/07/18 21:32:40 [011] 204 /update_jobs/857728684/update_dependency_list
2024-07-18T21:32:40.3479074Z proxy | 2024/07/18 21:32:40 [013] POST /update_jobs/857728684/increment_metric
2024-07-18T21:32:40.4402479Z proxy | 2024/07/18 21:32:40 [013] 204 /update_jobs/857728684/increment_metric
2024-07-18T21:32:40.4424433Z updater | 2024/07/18 21:32:40 INFO <job_857728684> Starting security update job for rubygems/rubygems.github.io
2024-07-18T21:32:40.4529372Z updater | 2024/07/18 21:32:40 INFO <job_857728684> Checking if rexml 3.2.8 needs updating
2024-07-18T21:32:40.7362527Z proxy | 2024/07/18 21:32:40 [015] GET https://rubygems.org:443/api/v1/versions/rexml.json
2024-07-18T21:32:40.7641268Z proxy | 2024/07/18 21:32:40 [015] 200 https://rubygems.org:443/api/v1/versions/rexml.json
2024-07-18T21:32:40.7911142Z updater | 2024/07/18 21:32:40 INFO <job_857728684> Latest version is 3.3.2
2024-07-18T21:32:41.1335901Z updater | 2024/07/18 21:32:41 INFO <job_857728684> Requirements to unlock update_not_possible
2024-07-18T21:32:41.1337072Z 2024/07/18 21:32:41 INFO <job_857728684> Requirements update strategy bump_versions
2024-07-18T21:32:41.2885110Z updater | 2024/07/18 21:32:41 INFO <job_857728684> The latest possible version of rexml that can be installed is 3.2.8
2024-07-18T21:32:41.2886094Z 2024/07/18 21:32:41 INFO <job_857728684> The earliest fixed version is 3.3.2.
2024-07-18T21:32:41.3398646Z proxy | 2024/07/18 21:32:41 [019] POST /update_jobs/857728684/record_update_job_error
2024-07-18T21:32:41.4435541Z proxy | 2024/07/18 21:32:41 [019] 204 /update_jobs/857728684/record_update_job_error
2024-07-18T21:32:41.4920222Z proxy | 2024/07/18 21:32:41 [021] PATCH /update_jobs/857728684/mark_as_processed
2024-07-18T21:32:41.6267034Z proxy | 2024/07/18 21:32:41 [021] 204 /update_jobs/857728684/mark_as_processed
2024-07-18T21:32:41.6276106Z updater | 2024/07/18 21:32:41 INFO <job_857728684> Finished job processing
2024-07-18T21:32:41.6294453Z updater | 2024/07/18 21:32:41 INFO Results:
2024-07-18T21:32:41.6296161Z Dependabot encountered '1' error(s) during execution, please check the logs for more details.
2024-07-18T21:32:41.6297319Z +------------------------------+
2024-07-18T21:32:41.6298048Z | Errors |
2024-07-18T21:32:41.6300628Z +------------------------------+
2024-07-18T21:32:41.6301473Z | security_update_not_possible |
2024-07-18T21:32:41.6302177Z +------------------------------+
2024-07-18T21:32:41.7870505Z Failure running container 84e98f18b4a9058bee52f875f85cac6afdfb755b32c8c3b4f029e1cf360739d0
2024-07-18T21:32:41.8073048Z Cleaned up container 84e98f18b4a9058bee52f875f85cac6afdfb755b32c8c3b4f029e1cf360739d0
2024-07-18T21:32:41.8158748Z proxy | 2024/07/18 21:32:41 0/9 calls cached (0%)
2024-07-18T21:32:41.8166663Z proxy | 2024/07/18 21:32:41 Posting metrics to remote API endpoint
2024-07-18T21:32:42.9654142Z ##[error]Dependabot encountered an error performing the update
Error: The updater encountered one or more errors.
For more information see: https://github.com/rubygems/rubygems.github.io/network/updates/857728684 (write access to the repository is required to view the log)
2024-07-18T21:32:42.9662930Z 🤖 ~ finished: error reported to Dependabot ~
2024-07-18T21:32:42.9742935Z Post job cleanup.
2024-07-18T21:32:43.1065757Z Cleaning up orphan processes
Smallest manifest that reproduces the issue
No response
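The log above records the inputs the updater had to work with: three advisories for rexml with affected ranges "< 3.2.5", "< 3.2.7" and "< 3.3.2", a locked version of 3.2.8, and 3.3.2 as the latest release on rubygems.org. The following Ruby snippet is an added worked example, not code from this issue or from dependabot-core. It re-derives the decision a security update has to make from those inputs using only RubyGems' own Gem::Version and Gem::Requirement: is the locked version affected, what is the lowest release no advisory matches, and does that release fit the constraint the dependent gem places on the subdependency. The list of rexml releases is a constructed subset of what the versions endpoint returns, and the parent constraint "~> 3.2" is an assumption for illustration, not taken from the repository's lockfile.

```ruby
require "rubygems"

# Advisory ranges as they appear in the "security-advisories" field of the
# job definition in the log (patched/unaffected lists were empty there).
ADVISORIES = [
  { name: "rexml", affected: ["< 3.2.5"] },
  { name: "rexml", affected: ["< 3.2.7"] },
  { name: "rexml", affected: ["< 3.3.2"] }
].freeze

# Constructed sample of rexml releases, standing in for the
# api/v1/versions/rexml.json response the proxy fetched in the log.
AVAILABLE_VERSIONS = %w[3.2.4 3.2.5 3.2.6 3.2.7 3.2.8 3.2.9 3.3.0 3.3.1 3.3.2].freeze

# A version is affected when any advisory for that gem has a range matching
# it. Each range is a Gem::Requirement string; a compound range such as
# ">= 3.0, < 3.2.5" is split into its comma-separated parts.
def affected_by?(advisories, name, version)
  v = Gem::Version.new(version)
  advisories.any? do |adv|
    adv[:name] == name && adv[:affected].any? do |range|
      Gem::Requirement.new(*range.split(",").map(&:strip)).satisfied_by?(v)
    end
  end
end

# Lowest non-prerelease candidate that no advisory matches: the value the
# updater logs as "The earliest fixed version". Returns nil when every
# candidate is affected.
def lowest_fixed_version(advisories, name, candidates)
  candidates
    .map { |s| Gem::Version.new(s) }
    .reject(&:prerelease?)
    .sort
    .find { |v| !affected_by?(advisories, name, v.to_s) }
    &.to_s
end

# Whether the fixed version can be installed without changing the gem that
# depends on it, i.e. whether it satisfies that gem's requirement on the
# subdependency (e.g. "~> 3.2" from a gemspec).
def fix_installable?(parent_requirement, fixed_version)
  Gem::Requirement.new(parent_requirement).satisfied_by?(Gem::Version.new(fixed_version))
end

if __FILE__ == $PROGRAM_NAME
  locked = "3.2.8"
  fixed = lowest_fixed_version(ADVISORIES, "rexml", AVAILABLE_VERSIONS)
  puts "rexml #{locked} affected: #{affected_by?(ADVISORIES, 'rexml', locked)}"
  puts "earliest fixed version: #{fixed}"
  # "~> 3.2" is an assumed parent constraint, not one read from the repo.
  puts "fix satisfies assumed parent '~> 3.2': #{fix_installable?('~> 3.2', fixed)}"
end
```

Run with `ruby rexml_check.rb`. Under these inputs 3.2.8 is affected, the earliest fixed version is 3.3.2, and 3.3.2 satisfies a "~> 3.2" parent constraint, which matches the outcome of the reporter's native `bundle lock --update rexml`; a stricter parent constraint such as "~> 3.2.0" would be the kind of case where the fix genuinely cannot be installed without also updating the parent.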