From 28ff78be0cb0a5b7319dd489c4ab0ac8d4391521 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Rodr=C3=ADguez?=
Date: Tue, 17 Oct 2023 18:13:45 +0200
Subject: [PATCH 1/6] Fix typo in command to update lockfile
---
 Dockerfile.updater-core | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile.updater-core b/Dockerfile.updater-core
index 2356cc7186..96d90263b0 100644
--- a/Dockerfile.updater-core
+++ b/Dockerfile.updater-core
@@ -106,7 +106,7 @@ RUN for ecosystem in git_submodules terraform github_actions hex elm docker nuge
 WORKDIR $DEPENDABOT_HOME/dependabot-updater
-# When bumping Bundler, need to also regenerate `updater/Gemfile.lock` via `bundle update --lock --bundler`
+# When bumping Bundler, need to also regenerate `updater/Gemfile.lock` via `bundle lock --update --bundler`
 # Generally simplest to match the bundler version to the one that comes by default with whatever Ruby version we install.
 # This way other projects that import this library don't have to futz around with installing new / unexpected bundler versions.
 ARG BUNDLER_V2_VERSION=2.4.17
From 15fd8dad3ee9ec37f91ca4dc0f7e3caaa91e0a7e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Rodr=C3=ADguez?=
Date: Tue, 17 Oct 2023 18:12:33 +0200
Subject: [PATCH 2/6] Bump Bundler to 2.4.18
---
 Dockerfile.updater-core | 2 +-
 updater/Gemfile.lock | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile.updater-core b/Dockerfile.updater-core
index 96d90263b0..2539f8392b 100644
--- a/Dockerfile.updater-core
+++ b/Dockerfile.updater-core
@@ -109,7 +109,7 @@ WORKDIR $DEPENDABOT_HOME/dependabot-updater
 # When bumping Bundler, need to also regenerate `updater/Gemfile.lock` via `bundle lock --update --bundler`
 # Generally simplest to match the bundler version to the one that comes by default with whatever Ruby version we install.
 # This way other projects that import this library don't have to futz around with installing new / unexpected bundler versions.
-ARG BUNDLER_V2_VERSION=2.4.17
+ARG BUNDLER_V2_VERSION=2.4.18
 RUN gem install bundler -v $BUNDLER_V2_VERSION --no-document && \
 rm -rf /var/lib/gems/*/cache/* && \
diff --git a/updater/Gemfile.lock b/updater/Gemfile.lock
index ca4ada8de2..66ff13bf39 100644
--- a/updater/Gemfile.lock
+++ b/updater/Gemfile.lock
@@ -381,4 +381,4 @@ DEPENDENCIES
 webmock (~> 3.18)
 BUNDLED WITH
- 2.4.17
+ 2.4.18
From a75b336aa0d770932b08327a4e376385c88cb2e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Rodr=C3=ADguez?=
Date: Tue, 17 Oct 2023 18:56:51 +0200
Subject: [PATCH 3/6] Bump Bundler to 2.4.19
Wording of some errors was changed at https://github.com/rubygems/rubygems/pull/6871, so needed some tweaks.
---
 Dockerfile.updater-core | 2 +-
 bundler/helpers/v2/spec/functions/dependency_source_spec.rb | 4 ++--
 .../bundler/update_checker/shared_bundler_helpers.rb | 5 +++++
 updater/Gemfile.lock | 2 +-
 4 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/Dockerfile.updater-core b/Dockerfile.updater-core
index 2539f8392b..e398c8bcc1 100644
--- a/Dockerfile.updater-core
+++ b/Dockerfile.updater-core
@@ -109,7 +109,7 @@ WORKDIR $DEPENDABOT_HOME/dependabot-updater
 # When bumping Bundler, need to also regenerate `updater/Gemfile.lock` via `bundle lock --update --bundler`
 # Generally simplest to match the bundler version to the one that comes by default with whatever Ruby version we install.
 # This way other projects that import this library don't have to futz around with installing new / unexpected bundler versions.
-ARG BUNDLER_V2_VERSION=2.4.18
+ARG BUNDLER_V2_VERSION=2.4.19
 RUN gem install bundler -v $BUNDLER_V2_VERSION --no-document && \
 rm -rf /var/lib/gems/*/cache/* && \
diff --git a/bundler/helpers/v2/spec/functions/dependency_source_spec.rb b/bundler/helpers/v2/spec/functions/dependency_source_spec.rb
index 315a591a28..77abe388ff 100644
--- a/bundler/helpers/v2/spec/functions/dependency_source_spec.rb
+++ b/bundler/helpers/v2/spec/functions/dependency_source_spec.rb
@@ -96,11 +96,11 @@
 end
 it "blows up with a useful error" do
- error_class = Bundler::Fetcher::BadAuthenticationError
+ error_class = Bundler::Fetcher::AuthenticationForbiddenError
 expect { private_registry_versions }
 .to raise_error do |error|
 expect(error).to be_a(error_class)
- expect(error.message).to include("Bad username or password for")
+ expect(error.message).to include("Access token could not be authenticated for")
 end
 end
 end
diff --git a/bundler/lib/dependabot/bundler/update_checker/shared_bundler_helpers.rb b/bundler/lib/dependabot/bundler/update_checker/shared_bundler_helpers.rb
index 3940592f5d..cd8a025623 100644
--- a/bundler/lib/dependabot/bundler/update_checker/shared_bundler_helpers.rb
+++ b/bundler/lib/dependabot/bundler/update_checker/shared_bundler_helpers.rb
@@ -24,6 +24,7 @@ module BundlerErrorPatterns
 MISSING_AUTH_REGEX = /bundle config (?:set --global )?(?.*) username:password/
 BAD_AUTH_REGEX = /Bad username or password for (?.*)\.$/
+ FORBIDDEN_AUTH_REGEX = /Access token could not be authenticated for (?.*)\.$/
 BAD_CERT_REGEX = /verify the SSL certificate for (?.*)\.$/
 HTTP_ERR_REGEX = /Could not fetch specs from (?.*)$/
 end
@@ -133,6 +134,10 @@ def handle_bundler_errors(error)
 regex = BundlerErrorPatterns::MISSING_AUTH_REGEX
 source = error.message.match(regex)[:source]
 raise Dependabot::PrivateSourceAuthenticationFailure, source
+ when "Bundler::Fetcher::AuthenticationForbiddenError"
+ regex = BundlerErrorPatterns::FORBIDDEN_AUTH_REGEX
+ source = error.message.match(regex)[:source]
+ raise Dependabot::PrivateSourceAuthenticationFailure, source
 when "Bundler::Fetcher::BadAuthenticationError"
 regex = BundlerErrorPatterns::BAD_AUTH_REGEX
 source = error.message.match(regex)[:source]
diff --git a/updater/Gemfile.lock b/updater/Gemfile.lock
index 66ff13bf39..5ae10555d1 100644
--- a/updater/Gemfile.lock
+++ b/updater/Gemfile.lock
@@ -381,4 +381,4 @@ DEPENDENCIES
 webmock (~> 3.18)
 BUNDLED WITH
- 2.4.18
+ 2.4.19
From 56d3d1c3ce8d278afeeeab5226b770c14ad3868b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Rodr=C3=ADguez?=
Date: Wed, 8 Nov 2023 21:10:14 +0100
Subject: [PATCH 4/6] Bump Bundler to 2.4.20
* `Bundler::Fetcher#fetchers` was made private at https://github.com/rubygems/rubygems/pull/6919.
* `Bundler::Index#search_all` returns an enumerator since https://github.com/rubygems/rubygems/pull/6962.
---
 Dockerfile.updater-core | 2 +-
 bundler/helpers/v2/lib/functions/dependency_source.rb | 3 +--
 bundler/helpers/v2/lib/functions/version_resolver.rb | 2 +-
 updater/Gemfile.lock | 2 +-
 4 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/Dockerfile.updater-core b/Dockerfile.updater-core
index e398c8bcc1..11d2909344 100644
--- a/Dockerfile.updater-core
+++ b/Dockerfile.updater-core
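Review bot: In the new `when "Bundler::Fetcher::AuthenticationForbiddenError"` branch of handle_bundler_errors, `error.message.match(regex)[:source]` raises NoMethodError on nil whenever the message does not match FORBIDDEN_AUTH_REGEX — and this very commit exists because Bundler reworded that message, so the next rewording would surface as a confusing NoMethodError instead of the underlying authentication failure. The branch copies the MISSING_AUTH and BAD_AUTH bodies verbatim, so all three share the weakness; a safer shape is `source = error.message[regex, :source]` followed by `raise error unless source` before the `raise Dependabot::PrivateSourceAuthenticationFailure, source`, or one private helper that the three `when` arms call. The spec change in this same commit swaps BadAuthenticationError for AuthenticationForbiddenError in the only example shown, which appears to leave the BadAuthenticationError branch without coverage — worth confirming against the rest of the spec. handle_bundler_errors starts and ends outside the hunk.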
@@ -109,7 +109,7 @@ WORKDIR $DEPENDABOT_HOME/dependabot-updater
 # When bumping Bundler, need to also regenerate `updater/Gemfile.lock` via `bundle lock --update --bundler`
 # Generally simplest to match the bundler version to the one that comes by default with whatever Ruby version we install.
 # This way other projects that import this library don't have to futz around with installing new / unexpected bundler versions.
-ARG BUNDLER_V2_VERSION=2.4.19
+ARG BUNDLER_V2_VERSION=2.4.20
 RUN gem install bundler -v $BUNDLER_V2_VERSION --no-document && \
 rm -rf /var/lib/gems/*/cache/* && \
diff --git a/bundler/helpers/v2/lib/functions/dependency_source.rb b/bundler/helpers/v2/lib/functions/dependency_source.rb
index 68087cb61f..b8634e7953 100644
--- a/bundler/helpers/v2/lib/functions/dependency_source.rb
+++ b/bundler/helpers/v2/lib/functions/dependency_source.rb
@@ -42,9 +42,8 @@ def private_registry_versions
 .fetchers.flat_map do |fetcher|
 fetcher
 .specs([dependency_name], bundler_source)
- .search_all(dependency_name)
+ .search_all(dependency_name).map(&:version)
 end
- .map(&:version)
 end
 private
diff --git a/bundler/helpers/v2/lib/functions/version_resolver.rb b/bundler/helpers/v2/lib/functions/version_resolver.rb
index 472ad1dc13..8ed56ce166 100644
--- a/bundler/helpers/v2/lib/functions/version_resolver.rb
+++ b/bundler/helpers/v2/lib/functions/version_resolver.rb
@@ -127,7 +127,7 @@ def lockfile
 def fetcher_class(dep)
 return unless dep.source.is_a?(::Bundler::Source::Rubygems)
- dep.source.fetchers.first.fetchers.first.class.to_s
+ dep.source.fetchers.first.send(:fetchers).first.class.to_s
 end
 def ruby_version
diff --git a/updater/Gemfile.lock b/updater/Gemfile.lock
index 5ae10555d1..a46b30cde3 100644
--- a/updater/Gemfile.lock
+++ b/updater/Gemfile.lock
@@ -381,4 +381,4 @@ DEPENDENCIES
 webmock (~> 3.18)
 BUNDLED WITH
- 2.4.19
+ 2.4.20
From 9ee9e1602b544fb9718802b316172c3608aca438 Mon Sep 17 00:00:00 2001
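Review bot: Moving `.map(&:version)` inside the `flat_map` block in private_registry_versions is correct but unexplained at the call site: nothing in the code says that `search_all` now yields an Enumerator, which `flat_map` does not flatten, so a reader may "tidy" the map back out to where it was. A comment on the `.search_all(dependency_name).map(&:version)` line such as `# search_all returns an Enumerator since Bundler 2.4.20 (rubygems/rubygems#6962); map inside the block so flat_map receives arrays` would pin the reason. private_registry_versions starts outside the hunk.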
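Review bot: `dep.source.fetchers.first.send(:fetchers)` in fetcher_class bypasses a method that the commit message says Bundler made private in 2.4.20, and nothing at the call site records that, so the next reader sees an unexplained visibility override and a later Bundler release can silently change or remove the method again. Add a comment above the line such as `# Bundler::Fetcher#fetchers is private since Bundler 2.4.20 (rubygems/rubygems#6919); send is deliberate`. The chain also assumes both `first` calls return non-nil — presumably true for a Rubygems source with at least one remote, but worth confirming, since a nil here surfaces as NoMethodError rather than the `return unless` guard above it. fetcher_class is fully visible in the hunk.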
From: =?UTF-8?q?David=20Rodr=C3=ADguez?=
Date: Wed, 8 Nov 2023 22:11:15 +0100
Subject: [PATCH 5/6] Bump Bundler to 2.4.21
---
 Dockerfile.updater-core | 2 +-
 updater/Gemfile.lock | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile.updater-core b/Dockerfile.updater-core
index 11d2909344..2c487453f5 100644
--- a/Dockerfile.updater-core
+++ b/Dockerfile.updater-core
@@ -109,7 +109,7 @@ WORKDIR $DEPENDABOT_HOME/dependabot-updater
 # When bumping Bundler, need to also regenerate `updater/Gemfile.lock` via `bundle lock --update --bundler`
 # Generally simplest to match the bundler version to the one that comes by default with whatever Ruby version we install.
 # This way other projects that import this library don't have to futz around with installing new / unexpected bundler versions.
-ARG BUNDLER_V2_VERSION=2.4.20
+ARG BUNDLER_V2_VERSION=2.4.21
 RUN gem install bundler -v $BUNDLER_V2_VERSION --no-document && \
 rm -rf /var/lib/gems/*/cache/* && \
diff --git a/updater/Gemfile.lock b/updater/Gemfile.lock
index a46b30cde3..fd1f1c8131 100644
--- a/updater/Gemfile.lock
+++ b/updater/Gemfile.lock
@@ -381,4 +381,4 @@ DEPENDENCIES
 webmock (~> 3.18)
 BUNDLED WITH
- 2.4.20
+ 2.4.21
From 76d17e59fe5ac4068782585b99e4b66e95e8ac75 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Rodr=C3=ADguez?=
Date: Thu, 9 Nov 2023 17:54:29 +0100
Subject: [PATCH 6/6] Bump Bundler to 2.4.22
---
 Dockerfile.updater-core | 2 +-
 updater/Gemfile.lock | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile.updater-core b/Dockerfile.updater-core
index 2c487453f5..8ebbcd6130 100644
--- a/Dockerfile.updater-core
+++ b/Dockerfile.updater-core
@@ -109,7 +109,7 @@ WORKDIR $DEPENDABOT_HOME/dependabot-updater
 # When bumping Bundler, need to also regenerate `updater/Gemfile.lock` via `bundle lock --update --bundler`
 # Generally simplest to match the bundler version to the one that comes by default with whatever Ruby version we install.
 # This way other projects that import this library don't have to futz around with installing new / unexpected bundler versions.
-ARG BUNDLER_V2_VERSION=2.4.21
+ARG BUNDLER_V2_VERSION=2.4.22
 RUN gem install bundler -v $BUNDLER_V2_VERSION --no-document && \
 rm -rf /var/lib/gems/*/cache/* && \
diff --git a/updater/Gemfile.lock b/updater/Gemfile.lock
index fd1f1c8131..13fc198119 100644
--- a/updater/Gemfile.lock
+++ b/updater/Gemfile.lock
@@ -381,4 +381,4 @@ DEPENDENCIES
 webmock (~> 3.18)
 BUNDLED WITH
- 2.4.21
+ 2.4.22