Comments (12)
I'd like to also advocate for this support. We are currently large paid users of Dependabot, and are looking to improve our build/CI/deployment times significantly by vendoring our .gem
packages into the Git repo.
I'm happy to do what I can to support this initiative @greysteil!
from dependabot-core.
I think this issue should be kept open.
from dependabot-core.
Why not make it a feature of a paid tier?
from dependabot-core.
I don't work on Dependabot any more (I'm focussed on GitHub's code scanning product these days), but @feelepxyz, @jurre and @hmarr should be able to help.
I do know that adding support for vendoring is quite a big project on the Dependabot side, and that they've been flat out on the work to integrate Dependabot into GitHub with only a small team!
from dependabot-core.
@greysteil Because of this, we are trying to ignore a vendored gem using the new config file option, but the updater job on Github tries to fetch the gem regardless, which makes the entire update job fail.
It seems the ignore should happen prior to the attempt at fetching the gems.
@LQkkeN yeah this is a known limitation with how we run updates. When you ignore a dependency we only ignore it when checking for new versions but as soon as we try to update some other package we try to resolve all dependencies in your manifest/lockfile which cause the update to fail if there are vendored gems that can't be fetched.
Would love to figure out a workaround to this where we keep the guarantees of not-breaking your manifest but also handle cases where we can't fetch the dependency. This and actually supporting vendoring are both big projects so they are a while out. We're focusing on integrating Dependabot natively with GitHub for the next few months and after that, we're probably going to focus on making Dependabot less noisy with the amount of PRs it generates. Vendoring will hopefully follow after that.
from dependabot-core.
I think this issue is solved! https://github.blog/changelog/2020-09-23-dependabot-supports-vendoring-for-ruby-bundler/ (and it is the same as #2152)
from dependabot-core.
Yep, this is now supported π
from dependabot-core.
Hmmm, at the moment Dependabot doesn't support vendoring. It would be nice to add it, but I think it's going to be hard to do so performantly - downloading all those dependencies using bundle package
would take a lot of time on our end. We currently avoid actually doing any installs for Ruby, which keeps things fast (take a look at dependabot/dependabot-core for all the gory details), and whilst Dependabot is free that's essential.
One hacky solution would be to append something to your CI run that does the vendoring and commits the change, but that's pretty grim...
from dependabot-core.
Thinking about this one a bit more, I'm going to revise what I said about about why this is hard. The below isn't a particularly "good" reason, but it's what's making this more than a few hours work.
Dependabot has to evaluate code it gets from the internet (your Gemfile, for example), so the creation of each PR works as follows:
- Dependabot's main backend kicks off an update run by sending a job to the isolated environment
- The isolated environment evaluates the Gemfile, checks for possible updates, and generates the required code for any PRs
- The isolated environment passes that generated code back to the backend
- The backend checks if any PRs already exist, whether the user has asked to ignore them for this version, etc.. If everything is OK, it creates the PR with the generated code
For Dependabot to support vendoring, we'd need to change 3. and 4. slightly, since there's no way the isolated environment could pass around the (large) files involved in updating vendored packages. Instead, the isolated environment should pass back a list of vendored dependencies that need to be updated in step 3., and the main backend should fetch and update them in step 4., assuming this can be done without evaluating any arbitrary code (which rules out running bundle pack
).
My hunch is that the first step here is to change the UpdateChecker
for Ruby or some other languages to return details of any subdependencies that are being updated in the updated_dependencies
method (probably changing the return signature of that method to be a hash, rather than an array).
TL;DR - this is possible, the work required is almost all in this repo, but there's quite a bit of it!
from dependabot-core.
Thanks @agrobbin. We're a small team so can't work on too many things at once, but @hmarr is planning to look at vendoring for Go in the near future, which will translate quickly to vendoring for all other languages.
from dependabot-core.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.
from dependabot-core.
@greysteil Because of this, we are trying to ignore a vendored gem using the new config file option, but the updater job on Github tries to fetch the gem regardless, which makes the entire update job fail.
It seems the ignore should happen prior to the attempt at fetching the gems.
from dependabot-core.
Related Issues (20)
- Dependabot ignores maven exclusions HOT 5
- Dependabot corrupts gitmodules while trying to update nugets
- Private Maven Repo (GitHub Packages): PR contains no GitHub release notes
- pip with increase-if-necessary strategy fails with TypeError
- NuGet Package With wildcard version throws error HOT 1
- Dependabot doesn't update NuGet version in all projects HOT 3
- Switch out `@octokit/webhooks-types` for `@octokit/openapi-webhooks-types` on upgrade of `@octokit/webhooks` to v13+
- Support for nested terraform code and directories
- dependabot create wrong PR for actions HOT 2
- Regression: Grouped update includes no details about upgrades HOT 11
- dependabot creates pr for sub directory for file in root of module
- ArgumentError: blank strings must not be provided as requirements HOT 1
- "Conversation" tab for commenting on alerts
- Migrate from Ubuntu 22.04 to 24.04
- The process '/usr/bin/docker' failed with exit code 1 HOT 1
- dependabot's security updates remove path prefixes from
- Dependabot not working with repo that does not persist package-lock.json file
- Always run "Get-Project βAll | Add-BindingRedirect"
- Unhandled exception: System.ArgumentException: An item with the same key has already been added. HOT 1
- Docker group updates don't ignore unstable versions
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dependabot-core.