Bump Ruby to 3.3.1 #9597
Conversation
FYI Ruby 3.3.1 was recently released: https://www.ruby-lang.org/en/news/2024/04/23/ruby-3-3-1-released/
I opened an issue upstream about the new Sorbet warning with
Thanks, yeah we should go straight to that, I started this work locally before it was released 😄 I assume it'll be an easy lift once we're on 3.3.0 though 👍 There's a few failures in the native helper specs, which are down to the Rubygems version changing with the Ruby version. Addressing those now.
Something slightly concerning that I found while working through these test failures: Our tests for the helpers in The reason this happens is because we call I verified this by setting a debugger in this environment and grabbing I've verified that this happens both before and after the Ruby upgrade, so it's not being introduced in this PR, this has been the case for a long time, probably since the beginning or when we reshuffled how bundler is loaded in this setup.
I believe the native tests are failing because WebMock is no longer able to stub the requests because of rubygems/rubygems#6793 and so the tests are making real network requests now. |
This WebMock adapter is mostly a direct copy from WebMock itself, just replaces `Net::HTTP` with `::Gem::Net::HTTP`, would like to keep them as similar as possible if we ever need to keep changes in sync
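The failure mode the two comments above describe, as an added example that is not code from this PR or from WebMock: an adapter prepended onto `Net::HTTP` never sees a copy of that class vendored under `Gem::Net::HTTP`, so the tests quietly go to the network. `StubAdapter`, `fake_http_class`, `install_stub`, `unintercepted`, `assert_all_intercepted!` and `demo` are constructed stand-ins so the script runs on any Ruby without network access; only `real_http_clients` looks at the interpreter it runs on.

```ruby
# Added example (not from the PR or WebMock): a stub installed on one HTTP
# class does not intercept a copy of that class vendored under another
# namespace, and a guard a spec_helper could run to catch the leak.

# A WebMock-style adapter. WebMock hooks Net::HTTP so its own #request runs
# before the real one; here the stub just tags the result instead.
module StubAdapter
  def request(path)
    "STUB:#{path}"
  end
end

# Constructed stand-in for an HTTP client class (Net::HTTP, Gem::Net::HTTP).
# A real client would open a socket; this one only reports it was called.
def fake_http_class(name)
  Class.new do
    define_singleton_method(:name) { name }
    define_method(:request) { |path| "REAL:#{path}" }
  end
end

def intercepted?(klass)
  klass.ancestors.include?(StubAdapter)
end

# Installs the adapter on each class exactly once.
def install_stub(*klasses)
  klasses.each { |k| k.prepend(StubAdapter) unless intercepted?(k) }
  klasses
end

# HTTP client classes that would still reach the network.
def unintercepted(klasses)
  klasses.reject { |k| intercepted?(k) }
end

# Fails fast instead of letting a suite silently make real requests.
def assert_all_intercepted!(klasses)
  leaks = unintercepted(klasses)
  raise "unstubbed HTTP clients: #{leaks.map(&:name).join(', ')}" unless leaks.empty?
  true
end

# The real set for this process: Net::HTTP plus the vendored copy when the
# installed RubyGems has it (RubyGems >= 3.5 ships Gem::Net::HTTP).
def real_http_clients
  require "net/http"
  clients = [Net::HTTP]
  clients << Gem::Net::HTTP if defined?(Gem::Net::HTTP)
  clients
end

# Replays the PR's failure: stub only the old namespace, then observe the
# vendored copy before and after the adapter is installed there too.
def demo
  net_http     = fake_http_class("Net::HTTP")
  gem_net_http = fake_http_class("Gem::Net::HTTP")
  result = {}
  install_stub(net_http)                                        # what WebMock did before the vendoring
  result[:leaks] = unintercepted([net_http, gem_net_http]).map(&:name)
  result[:old_namespace] = net_http.new.request("/gems")        # "STUB:/gems"
  result[:vendored_before] = gem_net_http.new.request("/gems")  # "REAL:/gems": network leak
  install_stub(gem_net_http)                                    # the adapter copy for the new namespace
  result[:vendored_after] = gem_net_http.new.request("/gems")   # "STUB:/gems"
  result[:all_intercepted] = assert_all_intercepted!([net_http, gem_net_http])
  result
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The useful part for a test suite is `assert_all_intercepted!(real_http_clients)` run once at boot: it turns "WebMock is silently not stubbing anymore" into a hard failure the next time RubyGems (or anything else) vendors a client under a new constant.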
@@ -54,7 +54,7 @@ COPY --chown=dependabot:dependabot LICENSE $DEPENDABOT_HOME | |||
|
|||
# Install Ruby from official Docker image | |||
# When bumping Ruby minor, need to also add the previous version to `bundler/helpers/v{1,2}/monkey_patches/definition_ruby_version_patch.rb` | |||
COPY --from=docker.io/library/ruby:3.1.4-bookworm --chown=dependabot:dependabot /usr/local /usr/local | |||
COPY --from=docker.io/library/ruby:3.3.1-bookworm --chown=dependabot:dependabot /usr/local /usr/local |
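Review bot: The comment right above this COPY says a Ruby minor bump must also add the previous version to `bundler/helpers/v{1,2}/monkey_patches/definition_ruby_version_patch.rb`, and this bump crosses two minors (3.1 to 3.3), so a 3.1.x and a 3.2.x entry both need to land in the v1 and v2 lists in the same change, otherwise the Dockerfile and the monkey patches disagree about which Rubies are supported. On the supply-chain side, `docker.io/library/ruby:3.3.1-bookworm` is a mutable tag; pinning the source image by digest (`ruby:3.3.1-bookworm@sha256:...`) would make the copied `/usr/local` toolchain reproducible and let Dependabot's own Docker updater bump the digest when the tag moves.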
@jurre I think you also need to add some versions to a Bundler monkeypatch as explained in the comment above?
I left a small comment.
Nice work on this upgrade, it seems very tricky, and I love that you managed to keep Bundler v1 support, allowing the decision to drop that to not block this upgrade! 💪
Is YJIT enabled by default in Ruby 3.3? The release notes only mention that it is enabled by default for Rails 7.2.
The docs suggest it's disabled by default. I'll try to get this PR out this week, then once we're sure of its stability, we can enable YJIT 😄
@landongrindheim I created #9633 to track it. |
This is being done for two reasons:
1. We're upgrading to Ruby 3.3 (so we need to list previous versions)
2. Several CVEs were resolved in Ruby 3+ releases. We should use these

Co-authored-by: Bryan Dragon <25506+bdragon@users.noreply.github.com>
@@ -26,7 +26,7 @@ def source_requirements | |||
Gem::Specification.new("Ruby\0", requested_version) | |||
end | |||
|
|||
%w(2.5.3 2.6.10 2.7.7 3.0.5 3.2.1).each do |version| | |||
%w(2.5.3 2.6.10 2.7.8 3.0.7 3.1.5 3.2.4).each do |version| |
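Review bot: This replaces 2.7.7, 3.0.5 and 3.2.1 with 2.7.8, 3.0.7, 3.1.5 and 3.2.4 rather than appending, while the Dockerfile comment talks about adding the previous version; if the `Gem::Specification.new("Ruby\0", ...)` entries built from this list are what satisfy an application's `ruby` requirement, an exact pin on a dropped patch level such as `ruby "3.2.1"` would no longer find a match, so either keep the old entries alongside the new ones or add a comment stating that only the latest patch release of each series is intended. A one-line comment above the list saying it must be updated together with the Dockerfile's Ruby version would also save the next maintainer the question asked in review.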
@deivid-rodriguez We upgraded this list to include the latest Rubies. I think this is what we're supposed to do, but I'm not 100% confident that I understand the monkey patch. Can you give a 👍/👎 re: whether this lines up with the intent?
Yes, it seems correct to me, the list needs to complete the list of "supported rubies". Since Dependabot now uses Ruby 3.3, it seems correct 👍.
I think basically this is needed so that Dependabot also works even in situations where the application being updated is not compatible with the Ruby version Dependabot is using internally. I'd like to support this upstream, and we have an issue tracking it but not sure when/if it will happen.
@@ -12,7 +12,7 @@ def index | |||
Gem::Specification.new("ruby\0", requested_version) | |||
end | |||
|
|||
%w(2.5.3p105 2.6.10p210 2.7.6p219 3.0.4p208).each do |version| | |||
%w(2.5.3p105 2.6.10p210 2.7.6p219 3.0.4p208 3.1.4p223).each do |version| |
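Review bot: This Bundler 1 list only appends 3.1.4p223 and keeps 2.7.6p219 and 3.0.4p208, whereas the v2 list in the same PR moves to 2.7.8, 3.0.7, 3.1.5 and 3.2.4; the two lists should cover the same Ruby series, and there is no 3.2.x entry here at all, so if these entries are what satisfy an application's `ruby` requirement, a Bundler 1 application on Ruby 3.2 gets no matching `ruby\0` spec from this patch. Each `pNNN` suffix should also be checked against `RUBY_PATCHLEVEL` of that exact release rather than carried forward by hand, since a wrong value would silently misdescribe the interpreter.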
@deivid-rodriguez I've included the current Ruby in this (Bundler v1) list. There's a more recent release (Ruby 3.1.5), but we're not running it yet. Does this list seem reasonable to you?
I'd say you can add 3.1.5 and 3.2.4 too? I don't think the specific patch level is super important since normally gems set their requirements with something like `required_ruby_version = ">= 2.6.0"`, so all patch levels should have the same result. But best to use latest.
I'm not sure if the patch part (`p105` for 2.5.3, etc) is needed or not. I suspect it was some Bundler 1 thing that made that necessary so just in case I'd keep them. Unfortunately I don't know of a good way of figuring out the patchlevel other than installing each ruby and checking the value of `RUBY_PATCHLEVEL`.
We've had this out for about four hours now without issues. I'm going to merge it. I'll have to do a followup PR to add the patch part 😄 Thanks for all your input 🙇
I've opened #9645 to add the patch levels 🙂
👍 🎉
Per review feedback:

> I'd say you can add 3.1.5 and 3.2.4 too? I don't think the specific patch level is super important since normally gems set their requirements with something like required_ruby_version = ">= 2.6.0", so all patch levels should have the same result. But best to use latest.

I've updated the Ruby versions to those which have received security patches recently.
This PR upgrades Ruby from 3.1.4 to 3.3.1 and Rubygems from 2.3.1 to 2.5.9.
Changelogs:
These releases bring a lot of exciting performance improvements, including the ability to enable Ruby's YJIT, which seems promising, even for the relatively short lifetime of our jobs.
Bundler v1

We'd been blocked on adopting Ruby 3.2+ for quite some time, so let me address what I've done to unblock us from that.

In Ruby 3.2, support for `Object#untaint` was removed. Here is some context on that, but the important bit for this PR is that the method has been a no-op since Ruby 2.7. It hasn't done anything for years. The initial versions of Bundler 2 would ship with a special case to omit the method on newer versions of Ruby.

So, it seems safe to say that we do not care about `untaint` in the context of bundler. What I've done here to make it work is include a patch onto `Object` to stub out `#untaint` and load it into Bundler v1, both in our native helpers and when we run `bundle install`, by wrapping the command in a new script.

Native helper specs

In rubygems/rubygems#6793 `Net::HTTP` was vendored and the namespace changed to `::Gem::Net::HTTP`. This caused our native helpers to no longer have network requests intercepted by WebMock. I've added a copy of WebMock's `Net::HTTP` adapter for the new namespace.

One thing of note is I've found our bundler v1 specs run against the latest Bundler version. Production code and tests from dependabot-core do use Bundler 1.17 in that context, since `bundler/helpers/v1/run.rb` loads it via `gem "bundler", "~> 1.17"`. Our native helper specs are loaded via `BUNDLER_VERSION=1.17.3 bundle exec rspec` and this seems to not load that version of bundler. This is surprising to me and something we might address, but maybe we'll remove support for Bundler 1 before we care about this.
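The `Object#untaint` patch the description above talks about, as an added example that is not the PR's own code: a shim that defines the removed taint methods as no-ops only where they are missing, so Bundler 1 stops raising `NoMethodError` on Ruby 3.2+ while older Rubies keep their built-ins. The module name `UntaintShim`, its method names, `bundler1_style_load` and the `ruby -r <shim> -S bundle` preload mechanism in `wrapped_command` are assumptions made for this example; the PR only says it patches `Object` and wraps the command in a script.

```ruby
# Added example (not the PR's own patch): restore Object#untaint and its
# siblings as no-ops on Rubies that removed them, so Bundler 1 keeps working,
# plus the kind of command wrapper that would preload the shim.
module UntaintShim
  # Ruby 2.7 turned taint tracking into no-ops (with a deprecation warning);
  # Ruby 3.2 removed the methods, so Bundler 1's #untaint calls raise.
  METHODS = %i[taint untaint tainted? trust untrust untrusted?].freeze

  # True when the target lacks #untaint, i.e. Object on Ruby >= 3.2.
  def self.needed?(target = Object)
    !target.method_defined?(:untaint)
  end

  # Defines only the methods that are missing, so on Ruby <= 3.1 the built-ins
  # stay untouched. Predicates return false (nothing is ever tainted), the
  # others return self, matching the no-op behaviour Ruby 2.7-3.1 already had.
  # Returns the list of methods it added.
  def self.apply!(target = Object)
    added = METHODS.reject { |m| target.method_defined?(m) }
    added.each do |m|
      if m.to_s.end_with?("?")
        target.define_method(m) { false }
      else
        target.define_method(m) { self }
      end
    end
    added
  end

  # Assumed wrapper (the PR does not show its script): preload the shim with
  # -r and let ruby locate the bundle executable on PATH with -S. Returns argv
  # rather than running it, so callers can pass it to a subprocess API.
  def self.wrapped_command(shim_path, *bundle_args)
    ["ruby", "-r", shim_path, "-S", "bundle", *bundle_args]
  end
end

# Constructed stand-in for a Bundler 1 code path that untaints a path before
# using it; on Ruby >= 3.2 without the shim this raises NoMethodError.
def bundler1_style_load(path)
  path.untaint
end

if __FILE__ == $PROGRAM_NAME
  puts "shim needed on Ruby #{RUBY_VERSION}: #{UntaintShim.needed?}"
  puts "methods added: #{UntaintShim.apply!.inspect}"
  puts bundler1_style_load("Gemfile")
  puts UntaintShim.wrapped_command("./untaint_shim.rb", "install").join(" ")
end
```

Ordering is the whole point of the wrapper: the shim has to be in the process before Bundler 1 evaluates anything, which is why it is preloaded from outside rather than required from inside the Gemfile. The guard in `apply!` also means the same file can be preloaded unconditionally on every Ruby the helpers run on.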