fix(terraform): update less-than/less-than/equals version constraints #8983
Hello @caspermeijn @bdragon @sachin-sandhu, If I could get a reviewer set on this PR or comments on how to move forward with this fix please. It is similar to the versioning issue with cargo in #9828
Thanks @bryan-bar , can you please resolve the conflicts and we can get this merged. Thanks for fixing this.
Two resolved (outdated) review threads on terraform/spec/dependabot/terraform/requirements_updater_spec.rb
```ruby
          else
            0
          end
        version_to_be_permitted.segments[index]
```
I believe the original implementation of `update_greatest_version` was correct for "<" requirements, but "<=" requirements need to be handled differently.
This is what I did for cargo:
dependabot-core/cargo/lib/dependabot/cargo/update_checker/requirements_updater.rb
Lines 134 to 147 in 4f2cfb5
```ruby
def update_range_requirements(string_reqs)
  string_reqs.map do |req|
    next req unless req.match?(/[<>]/)

    ruby_req = Cargo::Requirement.new(req)
    next req if ruby_req.satisfied_by?(target_version)

    raise UnfixableRequirement if req.start_with?(">")

    req.sub(VERSION_REGEX) do |old_version|
      if req.start_with?("<=")
        update_version_string(old_version)
      else
        update_greatest_version(old_version, target_version)
```
I think you need to focus on `update_range` for handling "<" and "<=" differently.
@caspermeijn
The less-than operator should still be incremented. I updated the PR to handle both `<` and `<=`.
The issue with the function is that `<` also returned an inconsistent version, so I chose to update it.
For example, `< 0.3.0` with a latest version of `0.3.7` would return as `< 0.4.0`. Change the initial version to `< 0.3.2` with a latest version of `0.3.7` and the returned version changed to `< 0.3.8`. It seems `index_to_update` is setting the wrong index to be incremented and then anything after is set to 0 or skipped over.
Another issue is that terraform does not have wild cards and it also did not expand the version when it has less than 3 segments like it does for some of cargo's operators.
For less-than/equals, that would mean incrementing the version and then restricting it (example assuming current version `<= 1.6`, new version `1.6.5` -> `<=1.7, !=1.7`) or expanding the version as-is (`<= 1.6.5`). Another option would be to set a really high version `<= 1.6.9999` or converting it to less than `< 1.7`.
@caspermeijn @abdulapopoola
Also note that Terraform treats non-semantic versions as being expanded out internally: `0.2 == 0.2.0` | `1 == 1.0.0`
I added this comment in the code as well.
@bryan-bar are you working on this PR?
Yes, thanks for the reminder. I just updated the PR.
Great, that you can make this work with a simple code addition. I like the additional tests.
The code looks good to me. I don't have any terraform experience, so I can't confirm this is the behavior that is required for terraform.
```ruby
# When 'less than'/'<',
# increment the last available segment only so that the new version is within the constraint
if op == "<"
  new_segments = version.segments.map.with_index do |_, index|
```
I don't fully understand why the old code was not sufficient. Does the old code fail the new tests?
The new code is simpler and seems to do the trick.
Yes, when removing b946d23 the test that fails in relation to the less-than/`<` operator is this test, since it jumps a minor version to `0.4.0` instead of incrementing the patch version when a patch is set to 0, `">= 0.2.1, < 0.3.0, <= 0.3.0"`:

```ruby
context "when not satisfied, 0 patch version" do
  let(:requirement) { ">= 0.2.1, < 0.3.0, <= 0.3.0" }
  let(:latest_version) { "0.3.7" }
  its([:requirement]) { is_expected.to eq(">= 0.2.1, < 0.3.8, <= 0.3.7") }
end
```

Error:

```text
17) Dependabot::Terraform::RequirementsUpdater#updated_requirements when there is a latest version when a =>,<,<= requirement was previously specified when not satisfied, 0 patch version [:requirement] is expected to eq ">= 0.2.1, < 0.3.8, <= 0.3.7"
Failure/Error: its([:requirement]) { is_expected.to eq(">= 0.2.1, < 0.3.8, <= 0.3.7") }
expected: ">= 0.2.1, < 0.3.8, <= 0.3.7"
got: ">= 0.2.1, < 0.4.0, <= 0.4.0"
(compared using ==)
# ./spec/dependabot/terraform/requirements_updater_spec.rb:134:in `block (6 levels) in <top (required)>'
# /home/dependabot/common/spec/spec_helper.rb:66:in `block (2 levels) in <top (required)>'
# /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/webmock-3.23.1/lib/webmock/rspec.rb:39:in `block (2 levels) in <top (required)>'
```

This revealed a second issue where a non-zero patch would be incremented as expected, `">= 0.2.1, < 0.3.2, <= 0.3.2"`, besides the original `<=` issue, unlike the zero-patch version:

```ruby
context "when not satisfied, non-0 patch version" do
  let(:requirement) { ">= 0.2.1, < 0.3.2, <= 0.3.2" }
  let(:latest_version) { "0.3.7" }
  its([:requirement]) { is_expected.to eq(">= 0.2.1, < 0.3.8, <= 0.3.7") }
end
```

Error:

```text
16) Dependabot::Terraform::RequirementsUpdater#updated_requirements when there is a latest version when a =>,<,<= requirement was previously specified when not satisfied, non-0 patch version [:requirement] is expected to eq ">= 0.2.1, < 0.3.8, <= 0.3.7"
Failure/Error: its([:requirement]) { is_expected.to eq(">= 0.2.1, < 0.3.8, <= 0.3.7") }
expected: ">= 0.2.1, < 0.3.8, <= 0.3.7"
got: ">= 0.2.1, < 0.3.8, <= 0.3.8"
(compared using ==)
# ./spec/dependabot/terraform/requirements_updater_spec.rb:141:in `block (6 levels) in <top (required)>'
# /home/dependabot/common/spec/spec_helper.rb:66:in `block (2 levels) in <top (required)>'
# /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/webmock-3.23.1/lib/webmock/rspec.rb:39:in `block (2 levels) in <top (required)>'
```
@caspermeijn @abdulapopoola
Thanks @bryan-bar , I'm tagging @randhircs so we can review this week and deploy it if it meets the bar.
… than, '<' constraint
…ndle both less than and less-than/equal operators
- 'index_to_update' would sometimes pick the middle or first segment instead of the last segment, leading to the wrong version segment being incremented
- less-than/equals would always get incremented instead of taking the version as-is
- minor or patch version would sometimes get set to 0 once the 'index_to_update' was set
Issue:
When using the terraform dependency constraints less-than or less-than/equals to set a max version, only the largest semver version number is updated. This allows the provider version to be set to a non-existent version. Example:
Latest provider version: 0.7.0
Provider version suggested change: 0.6.1 -> 0.7.1
fixes #8959
Fix:
Update each version index to tighten the constraints:
less-than/equals allows provider versions up to the latest version or latest requirement; less-than allows for a provider version up to the latest minus 1 against the smallest defined semver number.
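As an added illustration (not dependabot-core's code; the helper names `expand`, `satisfied?` and `update_upper_bounds` are made up here), this Ruby snippet implements the rule stated in the fix description and exercised by the two spec contexts in the discussion: an unsatisfied `<` bound becomes the latest version with only its last segment incremented, an unsatisfied `<=` bound becomes the latest version as-is, and short Terraform versions are expanded (`0.2 == 0.2.0`) before comparison.

```ruby
# Added example (not dependabot-core's code): the '<' / '<=' upper-bound
# update described in this PR, with made-up helper names.
# Terraform expands short versions internally (0.2 == 0.2.0, 1 == 1.0.0),
# so every version is padded to three integer segments before comparing.
SEGMENT_COUNT = 3

def expand(version_string)
  segs = version_string.strip.split(".").map(&:to_i)
  segs + [0] * [SEGMENT_COUNT - segs.length, 0].max # "0.2" -> [0, 2, 0]
end

def satisfied?(op, bound, latest)
  cmp = latest <=> bound # Array#<=> compares segment by segment
  case op
  when ">=" then cmp >= 0
  when ">"  then cmp > 0
  when "<=" then cmp <= 0
  when "<"  then cmp < 0
  when "=", "" then cmp == 0
  else raise ArgumentError, "unsupported operator #{op.inspect}"
  end
end

# Rewrites any '<' / '<=' bound that excludes latest_version so that
# latest_version is allowed again:
#   "<"  -> latest with only its last segment incremented (0.3.7 -> 0.3.8)
#   "<=" -> latest as-is (0.3.7), never a version that does not exist
# Lower bounds and bounds that already admit latest_version are untouched.
def update_upper_bounds(requirement, latest_version)
  latest = expand(latest_version)
  requirement.split(",").map(&:strip).reject(&:empty?).map do |constraint|
    op, version = constraint.match(/\A([<>=!~]*)\s*(.+)\z/).captures
    next constraint if satisfied?(op, expand(version), latest)

    case op
    when "<"
      bumped = latest.dup
      bumped[-1] += 1
      "< #{bumped.join('.')}"
    when "<="
      "<= #{latest.join('.')}"
    else
      constraint # an unsatisfied lower bound is not this updater's job
    end
  end.join(", ")
end
```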