Dependabot-core: Dependabot removing platform specific gems from Gemfile.lock

Created on 29 Dec 2020  路  6Comments  路  Source: dependabot/dependabot-core

Package manager/ecosystem
ruby:bundler 2.2.3

Manifest contents prior to update
Gemfile

gem 'sorbet'
gem 'sorbet-runtime'

Gemfile.lock (snippet)

    sorbet (0.5.6034)
      sorbet-static (= 0.5.6034)
    sorbet-runtime (0.5.6034)
    sorbet-static (0.5.6034-universal-darwin-14)
    sorbet-static (0.5.6034-universal-darwin-15)
    sorbet-static (0.5.6034-universal-darwin-16)
    sorbet-static (0.5.6034-universal-darwin-17)
    sorbet-static (0.5.6034-universal-darwin-18)
    sorbet-static (0.5.6034-universal-darwin-19)
    sorbet-static (0.5.6034-universal-darwin-20)
    sorbet-static (0.5.6034-x86_64-linux)

Updated dependency
n/a

What you expected to see, versus what you actually saw

Dependabot is removing the dependencies, which were added as part of Bundler 2.2.3 (see rubygems/rubygems#4180). It should be left untouched, as the PR is for a different dependency and it works fine when using bundler 2.2.3 via the CLI.

Images of the diff or a link to the PR, issue or logs

Screenshot

bug 馃悶
Source
picture ashkulz
👍5

All 6 comments

I'm running into the same thing.

connorshea picture connorshea on 31 Dec 2020

You can see this with nokogiri 1.11.0.rc4 as well, since it's now shipping as a pre-compiled gem.

connorshea picture connorshea on 31 Dec 2020

It would be really great if you could specify platforms in the Ruby dependabot config. In our project we bundle ruby, x64-mingw32, and x86-mingw32 into a single Gemfile.lock we use to build our project on Linux/Mac/Windows. Dependabot just can't handle that kind of non-ruby platform situation.

tas50 picture tas50 on 1 Jan 2021

@connorshea it didn't make a difference for us, as nokogiri doesn't ship with gems for each version of macOS.

ashkulz picture ashkulz on 4 Jan 2021

Hey, yeah I think this happens because we don't fully support bundler v2 yet :( We're currently planning this work though, and hope to add support relatively soon.

jurre picture jurre on 5 Jan 2021
👍1

In the meantime, we downgraded back to bundler 2.2.1 and added the platforms we use via bundle lock --add-platform -- Dependabot is too useful :slightly_smiling_face:

ashkulz picture ashkulz on 6 Jan 2021
1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

Tapchicoma picture Tapchicoma  路  3Comments
rebelagentm picture rebelagentm  路  3Comments
cscherrer picture cscherrer  路  4Comments
kubawerlos picture kubawerlos  路  3Comments
christoferolaison picture christoferolaison  路  3Comments