Dependabot removes registry credentials from `Gemfile.lock`

Question

Dependabot removes registry credentials from `Gemfile.lock`

lucasmazza opened this issue 2 months ago · comments

Lucas Mazza commented 2 months ago

Is there an existing issue for this?

I have searched the existing issues

Package ecosystem

Bundler

Package manager version

Bundler 2.5.x

Language version

Ruby 3.3.1

Manifest location and content before the Dependabot update

Gemfile

source "https://rubygems.org"

source "https://USERNAME:PASSWORD@rubygems.org/" do
  gem "activesupport"
end

dependabot.yml content

version: 2
registries:
  secret-registry:
    type: rubygems-server
    url: https://rubygems.org
    username: USERNAME
    password: PASSWORD

updates:
  - package-ecosystem: "bundler"
    directory: "/"
    insecure-external-code-execution: "allow"
    versioning-strategy: "increase-if-necessary"
    schedule:
      interval: "daily"
    registries:
      - "secret-registry"

Updated dependency

No response

What you expected to see, versus what you actually saw

The Pull Request opened by Dependabot (lucasmazza/dependabot-registry-bug#1) shouldn't remove the USERNAME and PASSWORD from the Gemfile.lock.

We noticed this on a private repository with real credentials to a private RubyGems server, but the public repo mentioned here has the same behavior as our private app.

Native package manager behavior

bundle update activesupport produces the following diff:

diff --git a/Gemfile.lock b/Gemfile.lock
index 6b32d74..c580f09 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,7 +1,7 @@
 GEM
   remote: https://USERNAME:PASSWORD@rubygems.org/
   specs:
-    activesupport (7.1.3.3)
+    activesupport (7.1.3.4)
       base64
       bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)

Images of the diff or a link to the PR, issue, or logs

lucasmazza/dependabot-registry-bug#1

Smallest manifest that reproduces the issue

No response

Lucas Mazza · Answer 1 · Wed Jun 05 2024 23:10:12 GMT+0800 (China Standard Time)

I found rubygems/rubygems#7560, and seeing that Dependabot was recently updated to use Bundler 2.5.11 I believe the issue here might be the mismatch with our local env/CI setup, just like the Heroku buildpack scenario described on the linked PR

broksonic21 · Answer 2 · Thu Jun 06 2024 21:35:02 GMT+0800 (China Standard Time)

Just chiming in that we use bundler 2.5.11 right now, so we want/depend on the behavior that dependabot is currently doing to use 2.5.11 as well and make sure the lockfile doesn't churn when it updates (before that update, it kept adding creds back in and flip-flopping the lock file whenever local devs ran bundle install using 2.5.11 (or 2.5.10)).

Until dependabot updated this week, we had to lock our bundler into an older version, but bumped it once dependabot did.

Ultimately, I think the real solution is that dependabot should use the version of bundler found in the Gemfile.lock file so it's consistent with how folks are setup (and perhaps offer PRs to update bundler itself as well). All of the scenarios I've seen in issues in dependabot-core and rubygems repo have been folks using older bundler versions against a 2.5.11+ created lockfile.

Lucas Mazza · Answer 3 · Fri Jun 07 2024 00:34:09 GMT+0800 (China Standard Time)

We fixed this on our setup by updating Bundler on all of our envs and ensuring everyone was on 2.5.11

Ultimately, I think the real solution is that dependabot should use the version of bundler found in the Gemfile.lock file so it's consistent with how folks are setup

This would be great but I suspect very hard to achieve. In the meantime, any visibility on the package manager versioning and updates that Dependabot used would be helpful - not everyone knows that they can dig into this repo's history and try to troubleshoot their Pull Requests.

David Rodríguez · Answer 4 · Fri Jun 07 2024 19:37:27 GMT+0800 (China Standard Time)

Hei! Sorry for the mess here 🙏, I didn't know so many people put credentials in their Gemfiles 😅.

I agree that ideally Dependabot should eventually respect the version of Bundler used by each application. But of course that needs to be implemented and it's not so easy. For example, Dependabot includes several monkeypatches to Bundler, so they should be functional in all Bundler versions, which seems ... hard, and hard to maintain. I hope to gradually support Dependabot use case better upstream, so that these monkeypatches can be removed and Dependabot can eventually respect the version of Bundler used by each application.

That all said, this change was too disruptive so I'm working on partially rolling it back in the next release.

I recommend that you fix this by "accepting the change", letting those credentials be removed and ensuring a modern enough Bundler version in all your environments that keeps "credential-less lockfiles". But if for whatever reason you can't do that at the moment, next Bundler version will keep the lockfile credentials if they are already there.