For the past month or so, Dependabot has been opening and closing issues on our repo with the following issue:
Bundler::VersionConflict with message: Bundler could not find compatible versions for gem "bundler":
  In Gemfile:
    license_finder was resolved to 0.0.1, which depends on
      bundler (~> 2.1.0)

  Current Bundler version:
    bundler (1.17.3)
This Gemfile requires a different version of Bundler.
Perhaps you need to update Bundler by running `gem install bundler`?
Could not find gem 'bundler (~> 2.1.0)', which is required by gem 'license_finder', in any of the sources.
Bundler could not find compatible versions for gem "rack":
  In Gemfile:
    rack (> 1.6, ~> 2.0.7)

    capybara (~> 3.15.0) was resolved to 3.15.1, which depends on
      rack (>= 1.6.0)

    rack-test (> 0.7, ~> 1.1.0) was resolved to 1.1.0, which depends on
      rack (>= 1.0, < 3)
This aligns with our recent changes to lock our bundler version to ~> 2.1.0 in our gemspec file. However, it appears that the Dependabot Docker image only has Bundler 1.17.3 installed.
It should be updated to also support Bundler 2.x
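The conflict in the report above comes down to RubyGems requirement semantics: `~> 2.1.0` means `>= 2.1.0, < 2.2`, so an environment that only has Bundler 1.17.3 can never satisfy the gemspec, while the three `rack` constraints do overlap. The script below is an added illustration, not code from Dependabot or from the reporter's repo; it uses the `Gem::Requirement` and `Gem::Version` classes that ship with RubyGems, and the candidate version lists are constructed for the example rather than fetched from any index.

```ruby
require "rubygems"

# Constructed sample data (not from a real gem index): versions a resolver
# could choose from, and the requirements quoted in the issue's error output.
CANDIDATES = {
  "bundler" => %w[1.17.3 2.0.2 2.1.4 2.2.0],
  "rack"    => %w[1.6.13 2.0.6 2.0.7 2.0.9 2.2.3 3.0.0],
}.freeze

# Each dependent's constraint on the target gem, keyed by who asks for it.
REQUIREMENTS = {
  "bundler" => {
    "license_finder (gemspec)" => ["~> 2.1.0"],
  },
  "rack" => {
    "Gemfile"   => ["> 1.6", "~> 2.0.7"],
    "capybara"  => [">= 1.6.0"],
    "rack-test" => [">= 1.0", "< 3"],
  },
}.freeze

# True when a single version satisfies every clause of one requirement list.
def satisfies?(version, requirement_strings)
  Gem::Requirement.new(*requirement_strings).satisfied_by?(Gem::Version.new(version))
end

# Versions acceptable to every dependent at once: the intersection a resolver
# must pick from. An empty result is exactly the VersionConflict situation.
def compatible_versions(gem_name)
  reqs = REQUIREMENTS.fetch(gem_name).values
  CANDIDATES.fetch(gem_name).select { |v| reqs.all? { |r| satisfies?(v, r) } }
end

# Which dependents reject a given installed version (e.g. Bundler 1.17.3)?
def blockers(gem_name, installed)
  REQUIREMENTS.fetch(gem_name).reject { |_, r| satisfies?(installed, r) }.keys
end

# Spell out a pessimistic ("~>") constraint as the half-open range it denotes;
# returns nil for any other operator. Gem::Version#bump drops the last segment
# and increments the new last one, which is how RubyGems defines the upper bound.
def pessimistic_range(requirement_string)
  op, version = Gem::Requirement.parse(requirement_string)
  return nil unless op == "~>"
  [">= #{version}", "< #{version.bump}"]
end

if __FILE__ == $PROGRAM_NAME
  puts "~> 2.1.0 means: #{pessimistic_range('~> 2.1.0').join(', ')}"
  puts "bundler versions usable by license_finder: #{compatible_versions('bundler').inspect}"
  puts "dependents rejecting bundler 1.17.3: #{blockers('bundler', '1.17.3').inspect}"
  puts "rack versions satisfying Gemfile, capybara and rack-test: #{compatible_versions('rack').inspect}"
end
```

Running it shows that only a 2.1.x Bundler satisfies the gemspec, that 1.17.3 is rejected solely by the `license_finder` constraint, and that `rack` has a non-empty intersection (2.0.7 and 2.0.9 in the constructed list); the second `rack` message in the report is therefore a downstream effect of the bundler failure, not an independent conflict in the Gemfile.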
I'm having the same issue, pretty frustrating since I don't think I can do anything about it. We have no way to specify a bundler version.
Sorry about this, Dependabot currently doesn't support bundler v2. We have it on our backlog and will get to it but we're currently focusing on integrating Dependabot natively within GitHub so we've slowed down on package ecosystem support while we do this.
@feelepxyz Bundler 1.x is prone to injection attacks via gem name collisions. Shouldn't we prioritize moving to 2.x?
Hey @feelepxyz Dependabot is a wonderful tool, and when combined with GitHub Actions, truly is a match made in heaven! Any update on when support for bundler 2.x might be added? Thanks.
@jamesbebbington thanks for the kind words! Soon! We're currently working on ecosystem upgrades (npm 7, bundler 2, pipenv) and hoping to get to bundler 2 in the next month or so. Dependabot currently has partial bundler 2 support but won't work for projects that depend on gems that require bundler 2 to be installed.
That's great news! Many thanks!