Fix security updates in Bundler subdependencies #10249
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
deivid-rodriguez
force-pushed
the
deivid-rodriguez/bundler-security-update-subdeps-regression
branch
from
e7d7b68 to
4c76d7d
Compare
deivid-rodriguez
changed the title
1 task
|
Sorry, I should've mentioned that in order to proof that the smoke test passes, I pointed it to my smoke-tests repository fork. The associated smoke tests PR needs to be merged, and then the workflows updated back to point to the main repo and branch. |
deivid-rodriguez
deleted the
deivid-rodriguez/bundler-security-update-subdeps-regression
branch
|
For what it's worth, I retried the security update and it now succeeded 🎉 |
|
Thanks @deivid-rodriguez for handling this in #10253. You shouldn't need to mention this, the PR reviewer should have caught it and coordinated with you on this. |
|
It's ok. I also wanted to mention that I only fixed this for Bundler v2. I did not mess with Bundler v1 since given there's an ongoing discussion about what to do with it, I did not want to implement anything that may be immediately removed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What are you trying to accomplish?
I noticed that #9923 seems to have caused an issue where security updates in Bundler subdependencies no longer succeed.
The new issue seems much worse than the original enhancement (a better error message in an edge case).
So I'm trying to fix it.
Closes #10251.
Anything you want to highlight for special attention from reviewers?
I think ideally we'd add support in upstream Bundler for things like
bundle lock --update foo=<version>, since right now Bundler only has the capability of updating dependencies to their latest version.But that's a big feature, so for now I used an approach that creates a
Bundler::Definitionfrom the Gemfile but adds an extra top level dependency to force the update.How will you know you've accomplished your goal?
Hopefully the new smoke test I added to cover this passes.
Checklist