
[Fix #10570] Add new Gemspec/DependencyVersion cop #10572

Merged
merged 1 commit into from Apr 29, 2022

Conversation

Contributor

@nobuyo nobuyo commented Apr 23, 2022

Resolves #10570.

This cop requires or forbids version specifications or a commit reference for gem dependencies in a gemspec.

The name suggested for the cop in the issue was GemVersion, but I'm renaming it because the cop is interested in the version of the dependency, not the gem owning the gemspec.

example

```ruby
# EnforcedStyle: required (default)

# bad
Gem::Specification.new do |spec|
  spec.add_dependency 'rubocop'
end

# good
Gem::Specification.new do |spec|
  spec.add_dependency 'rubocop', '~> 1.28'
end
```

```ruby
# EnforcedStyle: forbidden

# bad
Gem::Specification.new do |spec|
  spec.add_dependency 'rubocop', '~> 1.28'
end

# good
Gem::Specification.new do |spec|
  spec.add_dependency 'rubocop'
end
```
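To show what the check boils down to, here is an added, stand-alone Ruby script (not the cop's implementation, which is built on RuboCop's AST matchers) that loads a constructed gemspec and reports offences for both EnforcedStyle values using RubyGems' own Gem::Requirement#none?:

```ruby
require 'rubygems'

# Constructed gemspec source (not taken from the PR): two dependencies
# without a version specification and one pinned to a minimum version.
SAMPLE_GEMSPEC = <<~RUBY
  Gem::Specification.new do |spec|
    spec.name    = 'sample'
    spec.version = '0.1.0'
    spec.summary = 'constructed sample gemspec'
    spec.authors = ['example']
    spec.add_dependency 'rubocop'
    spec.add_runtime_dependency 'rexml', '>= 3.2.5'
    spec.add_development_dependency 'rake'
  end
RUBY

# Evaluate gemspec source the way RubyGems itself does (Gem::Specification.load
# evals the file); only do this with input you trust.
def load_spec(source)
  eval(source, TOPLEVEL_BINDING.dup, 'sample.gemspec')
end

# Mirror the cop's two EnforcedStyle values. A dependency added without a
# version carries RubyGems' default requirement (">= 0"), which
# Gem::Requirement#none? detects; runtime and development dependencies are
# both inspected, since both appear in Gem::Specification#dependencies.
def version_offenses(spec, style: :required)
  spec.dependencies.filter_map do |dep|
    unpinned = dep.requirement.none?
    case style
    when :required
      "#{dep.name}: missing version specification" if unpinned
    when :forbidden
      "#{dep.name}: version specification #{dep.requirement} is forbidden" unless unpinned
    else
      raise ArgumentError, "unknown style #{style.inspect}"
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  spec = load_spec(SAMPLE_GEMSPEC)
  %i[required forbidden].each do |style|
    puts "EnforcedStyle: #{style}"
    version_offenses(spec, style: style).each { |msg| puts "  #{msg}" }
  end
end
```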


@@ -242,6 +242,18 @@ Gemspec/DateAssignment:
Include:
- '**/*.gemspec'

Gemspec/DependencyVersion:
Description: 'Requires or forbids specifying gem dependency versions.'
Enabled: pending
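Review bot: `Enabled: pending` opts every user into this cop once the next major release turns pending cops on, but whether dependency versions should be required or forbidden is a project preference rather than a defect, so `Enabled: false` (explicit opt-in) is the safer default here; the header counts 18 added lines while only the `Description` and `Enabled` keys are visible, so make sure the remaining lines also document `VersionAdded` and the `EnforcedStyle`/`SupportedStyles` pair that the "requires or forbids" description implies.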
Member


There is a similar argument in #7669; I think it should be disabled by default.

Suggested change
Enabled: pending
Enabled: false

Contributor Author


Thanks, I think .rubocop.yml should be reverted back too, so I'll fix this directly on my local branch.

@nobuyo nobuyo force-pushed the add-gemspec-dependency-version-cop branch from 2c7c849 to 9a98087 on April 23, 2022 05:46
@nobuyo nobuyo requested a review from koic April 24, 2022 01:52
@bbatsov
Collaborator

bbatsov commented Apr 29, 2022

I think you can enable this for RuboCop itself. I'm a fan of explicit versions everywhere.

@nobuyo nobuyo force-pushed the add-gemspec-dependency-version-cop branch from 9a98087 to 04b7955 on April 29, 2022 06:23
@nobuyo
Contributor Author

nobuyo commented Apr 29, 2022

Thank you for your review, I've updated the PR.

@bbatsov bbatsov merged commit 5f526f7 into rubocop:master Apr 29, 2022
@bbatsov
Collaborator

bbatsov commented Apr 29, 2022

Thanks!

@ShockwaveNN
Contributor

> I'm a fan of explicit versions everywhere.

Just a sidenote from my experience: I maintain a lot of very simple gems required for my project, and I found out that the best experience is to store the Gemfile.lock file in git as well (although a lot of guides mention that you should not store Gemfile.lock in gem repos).

This allows fine-tuning of dependabot updates and allows specifying dev dependencies for gems more precisely.

@koic
Member

koic commented Apr 29, 2022

> Although a lot of guides mention that you should not store Gemfile.lock in gem repos

I also have this idea. Unlike applications, the runtime_dependency of a gemspec affects the user's library-dependent version management. And I think SCM should not store a gem repo's Gemfile.lock. In my maintenance experience, bot updates haven't helped much. Well, it may depend on the developer :-)

koic added a commit that referenced this pull request Apr 29, 2022
Follow up #10572.

REXML dependency was introduced in #7701.

It makes sense to specify the latest secure REXML version 3.2.5 or higher:
https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/

And it would be clearer to specify `>= X.Y.Z` and `<= X.Y` than to use `~> X.Y` and `>= X.Y.Z`
when it comes to protecting the semantic MAJOR version with a required minimum PATCH version.
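The constraint styles compared in the commit message above, evaluated against candidate REXML versions with RubyGems' own Gem::Requirement. This is an added example rather than the project's code; 3.2.5 is the fixed version named in the linked advisory, the other candidate versions are constructed neighbours.

```ruby
require 'rubygems'

# Candidate versions: 3.2.5 is the fixed release named in the advisory,
# the others are constructed to sit just below and above it.
CANDIDATES = %w[3.2.4 3.2.5 3.2.6 3.3.0 4.0.0].freeze

# Labelled requirement sets; each value is the argument list for
# Gem::Requirement.new, so multi-part constraints are ANDed together.
STYLES = {
  'pessimistic minor only'            => ['~> 3.2'],
  'pessimistic patch'                 => ['~> 3.2.5'],
  'min patch, below next major'       => ['>= 3.2.5', '< 4'],
  'pessimistic minor plus min patch'  => ['~> 3.2', '>= 3.2.5']
}.freeze

# For each style, the candidate versions the requirement admits.
def admitted_versions(styles = STYLES)
  styles.to_h do |label, reqs|
    req = Gem::Requirement.new(*reqs)
    [label, CANDIDATES.select { |v| req.satisfied_by?(Gem::Version.new(v)) }]
  end
end

# True when nothing the requirement admits predates the fixed version.
def excludes_vulnerable?(admitted, fixed: '3.2.5')
  admitted.all? { |v| Gem::Version.new(v) >= Gem::Version.new(fixed) }
end

if __FILE__ == $PROGRAM_NAME
  admitted_versions.each do |label, versions|
    safe = excludes_vulnerable?(versions) ? 'safe' : 'admits < 3.2.5'
    puts format('%-34s %-28s %s', label, versions.join(', '), safe)
  end
end
```

The first row shows why `~> 3.2` on its own is not enough: it still admits 3.2.4, so the minimum PATCH bound has to be stated explicitly.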
Linked issue: Feature idea: Gemspec/GemVersion