Dependabot has stopped opening PRs - breaks with sorbet dependencies #5420

Closed
vseguin opened this issue Jul 25, 2022 · 16 comments
Labels
core 🍏 Relates to the dependabot-core library itself L: ruby:bundler RubyGems via bundler T: bug 🐞 Something isn't working

Comments

@vseguin

vseguin commented Jul 25, 2022

Package ecosystem
bundler
Package manager version
unapplicable
Language version
Ruby 3.1.2
Manifest location and content before the Dependabot update
Relevant section in our Gemfile:

# Type checking
gem 'sorbet', '~> 0.5', group: :development
gem 'sorbet-runtime', '~> 0.5'

Resulting in the following in the Gemfile.lock:

    sorbet (0.5.10206)
      sorbet-static (= 0.5.10206)
    sorbet-runtime (0.5.10206)
    sorbet-static (0.5.10206-universal-darwin-14)
    sorbet-static (0.5.10206-universal-darwin-15)
    sorbet-static (0.5.10206-universal-darwin-16)
    sorbet-static (0.5.10206-universal-darwin-17)
    sorbet-static (0.5.10206-universal-darwin-18)
    sorbet-static (0.5.10206-universal-darwin-19)
    sorbet-static (0.5.10206-universal-darwin-20)
    sorbet-static (0.5.10206-universal-darwin-21)
    sorbet-static (0.5.10206-universal-darwin-22)
    sorbet-static (0.5.10206-x86_64-linux)
    sorbet-static-and-runtime (0.5.10206)
      sorbet (= 0.5.10206)
      sorbet-runtime (= 0.5.10206)

dependabot.yml content

version: 2
registries:
  capdesk-ruby:
    type: rubygems-server
    url: https://rubygems.pkg.github.com/capdesk
    token: ${{ secrets.DEPENDABOT_WORKFLOW_TOKEN }}
updates:
  - package-ecosystem: bundler
    directory: "/"
    schedule:
      interval: weekly
    insecure-external-code-execution: allow
    open-pull-requests-limit: 10
    labels:
      - ruby
    registries:
      - capdesk-ruby
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: weekly
    open-pull-requests-limit: 10
    labels:
      - javascript
    ignore:
      - dependency-name: ng-table
      - dependency-name: webui-popover

Updated dependency
sorbet + sorbet_static
What you expected to see, versus what you actually saw
Best here is to see the error link at the bottom of this report - would expect it to work.
Native package manager behavior
Works well ✅
Images of the diff or a link to the PR, issue, or logs

(attached image)

Relevant part of update Logs:

updater | INFO <job_427634604> Handled error whilst updating address: dependency_file_not_resolvable {:message=>"Bundler::VersionConflict with message: Bundler could not find compatible versions for gem "sorbet-static":
  In Gemfile:
    sorbet (~> 0.5) was resolved to 0.5.10206, which depends on
      sorbet-static (= 0.5.10206)

Could not find gem 'sorbet-static (= 0.5.10206)' with platform 'ruby', which is required by gem 'sorbet (~> 0.5)', in rubygems repository https://rubygems.org/ or installed locally.

The source contains the following gems matching 'sorbet-static (= 0.5.10206)':
  * sorbet-static-0.5.10206-java
  * sorbet-static-0.5.10206-universal-darwin-14
  * sorbet-static-0.5.10206-universal-darwin-15
  * sorbet-static-0.5.10206-universal-darwin-16
  * sorbet-static-0.5.10206-universal-darwin-17
  * sorbet-static-0.5.10206-universal-darwin-18
  * sorbet-static-0.5.10206-universal-darwin-19
  * sorbet-static-0.5.10206-universal-darwin-20
  * sorbet-static-0.5.10206-universal-darwin-21
  * sorbet-static-0.5.10206-universal-darwin-22
  * sorbet-static-0.5.10206-x86_64-linux"}
@vseguin vseguin added the T: bug 🐞 Something isn't working label Jul 25, 2022
@jurre jurre added L: ruby:bundler RubyGems via bundler core 🍏 Relates to the dependabot-core library itself labels Jul 26, 2022
@deivid-rodriguez
Contributor

I'm really sorry, this is again upstream's fault 😞. See rubygems/rubygems#5743. I have good ideas on how to fix it and will get to it soon. Also there's an easy workaround for you: remove the "ruby" platform from the lockfile (which is what I expect the fix will do automatically).
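
The workaround above, as an added example that is not part of this thread or of dependabot-core: a small POSIX shell check that reads the PLATFORMS section of a Gemfile.lock and reports whether the generic "ruby" platform is locked (the condition behind the resolution error in the log), next to the Bundler command that removes it. The lockfile excerpt is constructed for the example, not copied from the reporter's repository.

```shell
#!/bin/sh
# Constructed sample Gemfile.lock (not the reporter's file). It mirrors the
# situation in the thread: sorbet-static only ships platform-specific gems,
# yet the lockfile still lists the generic "ruby" platform.
SAMPLE_LOCK='GEM
  remote: https://rubygems.org/
  specs:
    sorbet (0.5.10206)
      sorbet-static (= 0.5.10206)
    sorbet-static (0.5.10206-universal-darwin-21)
    sorbet-static (0.5.10206-x86_64-linux)

PLATFORMS
  ruby
  universal-darwin-21
  x86_64-linux

DEPENDENCIES
  sorbet (~> 0.5)'

# Write the constructed sample to the path given in $1 (helper for the demo).
write_sample_lock() {
  printf '%s\n' "$SAMPLE_LOCK" > "$1"
}

# Print one locked platform per line, read from the PLATFORMS section of the
# lockfile at $1. Sections in a lockfile start with an upper-case word in
# column 1, so the next such word ends the section.
lock_platforms() {
  awk '/^PLATFORMS$/ {p=1; next} /^[A-Z]/ {p=0} p && NF {print $1}' "$1"
}

# Exit status 0 when the generic "ruby" platform is locked in the file at $1.
has_ruby_platform() {
  lock_platforms "$1" | grep -qx ruby
}

# Stand-alone demo: inspect the sample and print the workaround to apply.
if [ "${DEMO:-1}" = 1 ]; then
  tmp=$(mktemp) && write_sample_lock "$tmp"
  echo "locked platforms:"; lock_platforms "$tmp"
  if has_ruby_platform "$tmp"; then
    # This is the workaround from the thread; run it in the project directory.
    echo "generic ruby platform is locked; fix with: bundle lock --remove-platform ruby"
  fi
  rm -f "$tmp"
fi
```

Run it in the project directory with a real Gemfile.lock by calling `has_ruby_platform Gemfile.lock`; `bundle lock --remove-platform ruby` is the Bundler command that drops the platform from the lockfile.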

@vseguin
Author

vseguin commented Jul 26, 2022

@deivid-rodriguez thank you for the comment! I suspect we cannot remove the ruby platform on our side because of our dependencies on (https://github.com/sqreen/ruby-agent) which ends up depending on libv8-node... but I will try it right away.

@vseguin
Author

vseguin commented Jul 26, 2022

Update - it does seem to work adequately by removing ruby as a platform on our side 🙌 . Again, thank you @deivid-rodriguez for the suggestion.

@jurre should I close this issue, or do you want to keep it open for tracking purposes?

@deivid-rodriguez
Contributor

No problem, I'm glad it worked!

@jurre
Member

jurre commented Jul 27, 2022

> Update - it does seem to work adequately by removing ruby as a platform on our side 🙌 . Again, thank you @deivid-rodriguez for the suggestion.
>
> @jurre should I close this issue, or do you want to keep it open for tracking purposes?

Happy that resolved it! Since it's already tracked upstream I'm fine with closing this one here; we'll pull in those changes as they're released.

@kbarrette

Removing the ruby platform doesn't do me any good since it's the only platform in my lockfile - this basically means that dependabot doesn't work for me at all. Is there some way for me to force dependabot to use a working version of bundler?

I'm guessing there are a bunch of people in my situation who haven't had any dependabot pulls in a couple of weeks and still just think things have been quiet rather than broken.

@jurre
Member

jurre commented Aug 2, 2022

I've opened #5465 which bumps us to the latest version of bundler, but I don't think a version with a fix for this issue has been released yet, so unfortunately there is not much we can do other than wait.

The silent failing is definitely annoying and I wish we had a better answer for this, the errors for this are buried fairly deeply in the UI. We're thinking about possible solutions for this, but unfortunately I can't offer much in terms of a solution for it right now.

@kbarrette

kbarrette commented Aug 2, 2022

> I've opened #5465 which bumps us to the latest version of bundler, but I don't think a version with a fix for this issue has been released yet, so unfortunately there is not much we can do other than wait.
>
> The silent failing is definitely annoying and I wish we had a better answer for this, the errors for this are buried fairly deeply in the UI. We're thinking about possible solutions for this, but unfortunately I can't offer much in terms of a solution for it right now.

Thanks!

edit: I do wonder if you might consider downgrading bundler to the previously-working version until it's fixed?

@deivid-rodriguez
Contributor

Just a heads up here.

I think @kbarrette was having a different issue due to having the force_ruby_platform set locally, so although he hasn't confirmed, I believe he has a workaround.

In addition to that, I proposed a fix in Bundler, so that it should stop raising this error for these lockfiles: rubygems/rubygems#5807, so hopefully dependabot should work again for these lockfiles once the fix is merged and released and dependabot upgrades Bundler.

@jurre
Member

jurre commented Aug 4, 2022

> edit: I do wonder if you might consider downgrading bundler to the previously-working version until it's fixed?

@kbarrette yeah, I'm open to it

@deivid-rodriguez do you happen to know what the latest version of bundler is that doesn't have this regression? And any sense of when it could be forward-fixed in a new version?

@deivid-rodriguez
Contributor

Yes, the last working version is 2.3.16. And the fix for this is rubygems/rubygems#5807, which should be released in about a week.

@jurre
Member

jurre commented Aug 4, 2022

Thanks so much 🙇 I'll downgrade to 2.3.16 for now, as we've also gotten some reports of this via our customer support, and once a new version is released with a fix we'll pull that in.

@deivid-rodriguez
Contributor

Thanks, and sorry for too many regressions lately :(

@jurre
Member

jurre commented Aug 4, 2022

> Thanks, and sorry for too many regressions lately :(

No need to apologize. There are so many different configurations out in the world that it's really hard to always spot all the edge cases, and making these changes is the only way to improve bundler. Your work is appreciated!

@jurre
Member

jurre commented Aug 4, 2022

#5479 should resolve things for now.

@deivid-rodriguez
Contributor

Although this keeps giving trouble upstream, dependabot-core is now locked to a version without issues, and we don't plan to change that 😅. So closing!
