Deps: pin sinatra due (2.2.0) incompatibilities

[kares]

Dependency lock.

Release notes

[rn:skip]

What does this PR do?

Locks sinatra dependency due incompatibilities.
Sinatra is used for LS's HTTP API.

This concerns LS 8.0.0 whenever a plugin update is triggered (which updates sinatra).
Report at: #13777

Sample failure (from CI while using sinatra 2.2.0):

ArgumentError: wrong number of arguments (given 3, expected 1..2)
  # /opt/logstash/logstash-core/lib/logstash/api/modules/base.rb:43:in `initialize'
  # /opt/logstash/vendor/bundle/jruby/2.5.0/gems/sinatra-2.2.0/lib/sinatra/base.rb:1537:in `new'
  # /opt/logstash/logstash-core/lib/logstash/api/rack_app.rb:113:in `block in app'
  # /opt/logstash/vendor/bundle/jruby/2.5.0/gems/rack-2.2.3/lib/rack/builder.rb:125:in `initialize'
  # /opt/logstash/logstash-core/lib/logstash/api/rack_app.rb:101:in `app'
  # /opt/logstash/logstash-core/lib/logstash/webserver.rb:123:in `initialize'
  # /opt/logstash/logstash-core/lib/logstash/webserver.rb:74:in `from_settings'
  # /opt/logstash/logstash-core/lib/logstash/agent.rb:69:in `initialize'

LS (>=) 8.0.1 should lock the version until the issue is resolved ...

[robbavey]

LGTM

[kares]

CI 🔴 due (NameError) uninitialized constant Gem::Version (our old friend #12077)

[Kami]

Will this also be cherry picked into v7.x.x branch (aka v7.17.x)? Since it seems to affect that release series as well.

Thanks.

[yaauie]

@Kami yes, it was back-ported to 7.17 (#13788), and will be included in 7.17.1 when that is released.

[mvenukadasula]

We are in the process of upgrading to 7.16.3 since last couple of weeks. I see the same problem in 7.16.3. Is there a plan to include this in 7.16.3 or only option is to upgrade to 7.17.1? If that is the case, when can we expect 7.17.1?

[yaauie]

@mvenukadasula Logstash is released in lock-step with the rest of the Elastic Stack, and there are a number of factors that go into the timing of a release (including extensive cross-product testing of a sequence of build candidates). Historically speaking, patch releases on ${PREVIOUS_MAJOR}.${LAST} have occurred roughly every 5-8 weeks, and we are currently one week since the release of 7.17.0.

The upstream issue #13777 has in-place mitigations in the comments, and a fix is also in-flight for Sinatra (sinatra/sinatra#1750), which will likely result in a 2.2.1 release that the Logstash plugin manager's Bundler will pick up on previously-released Logstashes that do not contain this PR's pin.

[mvenukadasula]

@mvenukadasula Logstash is released in lock-step with the rest of the Elastic Stack, and there are a number of factors that go into the timing of a release (including extensive cross-product testing of a sequence of build candidates). Historically speaking, patch releases on ${PREVIOUS_MAJOR}.${LAST} have occurred roughly every 5-8 weeks, and we are currently one week since the release of 7.17.0.

The upstream issue #13777 has in-place mitigations in the comments, and a fix is also in-flight for Sinatra (sinatra/sinatra#1750), which will likely result in a 2.2.1 release that the Logstash plugin manager's Bundler will pick up on previously-released Logstashes that do not contain this PR's pin.

Thanks @yaauie will use the mitigations in 7.16.3.