
Dependabot can never fix Rails vulnerabilities #4867

Closed
JacobEvelyn opened this issue Mar 16, 2022 · 5 comments
Labels
F: grouped-updates 🎳 Relates to bumping more than one dependency in a single PR L: ruby:bundler RubyGems via bundler T: bug 🐞 Something isn't working

Comments

@JacobEvelyn

Package ecosystem: bundler
Updated dependency: rails
What you expected to see, versus what you actually saw:
rails is a collection of sub-gems that are all updated in lockstep. Our Gemfile just has gem "rails". Anytime a Rails vulnerability is found, it's reported under the respective sub-gem (like activestorage). We'll get a GitHub security Dependabot alert for it but Dependabot will be unable to make a PR to fix the vulnerability. The security alert (example here) looks something like this:

Dependabot cannot update activestorage to a non-vulnerable version

The latest possible version that can be installed is 6.1.4.6 because of the following conflicting dependencies:

rails (6.1.4.6) requires activestorage (= 6.1.4.6) via actionmailbox (6.1.4.6)
rails (6.1.4.6) requires activestorage (= 6.1.4.6) via actiontext (6.1.4.6)
rails (6.1.4.6) requires activestorage (= 6.1.4.6)

The earliest fixed version is 6.1.4.7.

This happens all the time, since Rails vulnerabilities are unfortunately somewhat common and we have many repos that use Rails as a dependency.

Would it be possible for Dependabot to try updating a dependency's parent when updating the dependency fails for a security fix? (Alternatively, given the popularity of Rails, perhaps a Rails-specific fix would be justified and simpler to implement?)

@JacobEvelyn JacobEvelyn added the T: bug 🐞 Something isn't working label Mar 16, 2022
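The mechanism behind the alert quoted above, as an added illustration that is not part of this issue and not Dependabot's or Bundler's own code: a toy resolver over a constructed spec table (the `SPECS` and `LOCKED` hashes are made up to mirror the alert, not read from a real Gemfile.lock) that shows why moving one Rails sub-gem on its own collides with the exact `= x.y.z` pins of the `rails` meta-gem, and how the "update the parent" strategy the issue asks for gets the vulnerable sub-gem to its fixed version. `Gem::Version` and `Gem::Requirement` are the real classes shipped with RubyGems; the conflict strings name the direct requirer rather than the "via" path the alert prints.

```ruby
# Added illustration (not Dependabot or Bundler code): a toy resolver over a
# constructed dependency table that shows why bumping one Rails sub-gem on its
# own conflicts with the `rails` meta-gem's exact pins, and how bumping the
# parent gem and re-expanding its pins lets the sub-gem reach the fixed version.
require "rubygems" # Gem::Version / Gem::Requirement ship with Ruby

# Constructed spec table modelled on the alert quoted in the issue:
# gem name => { version => { pinned child => requirement } }.
SPECS = {
  "rails" => {
    "6.1.4.6" => { "actionmailbox" => "= 6.1.4.6", "actiontext" => "= 6.1.4.6", "activestorage" => "= 6.1.4.6" },
    "6.1.4.7" => { "actionmailbox" => "= 6.1.4.7", "actiontext" => "= 6.1.4.7", "activestorage" => "= 6.1.4.7" },
  },
  "actionmailbox" => { "6.1.4.6" => { "activestorage" => "= 6.1.4.6" }, "6.1.4.7" => { "activestorage" => "= 6.1.4.7" } },
  "actiontext"    => { "6.1.4.6" => { "activestorage" => "= 6.1.4.6" }, "6.1.4.7" => { "activestorage" => "= 6.1.4.7" } },
  "activestorage" => { "6.1.4.6" => {}, "6.1.4.7" => {} },
}.freeze

# Constructed lockfile state: every Rails-family gem locked at the vulnerable version.
LOCKED = {
  "rails" => "6.1.4.6", "actionmailbox" => "6.1.4.6",
  "actiontext" => "6.1.4.6", "activestorage" => "6.1.4.6",
}.freeze

# Conflicts that arise if `gem` alone moves to `candidate` while every other
# locked gem stays put. This is the single-dependency update Dependabot
# attempts; each string names the direct requirer whose pin is violated.
def conflicts(locked, gem, candidate)
  cand = Gem::Version.new(candidate)
  locked.flat_map do |parent, pver|
    SPECS.fetch(parent).fetch(pver).filter_map do |child, req|
      next unless child == gem
      next if Gem::Requirement.new(req).satisfied_by?(cand)
      "#{parent} (#{pver}) requires #{gem} (#{req})"
    end
  end
end

# Expand `root` at `version` into the full set of versions its exact pins
# imply, following pins transitively (rails -> actionmailbox -> activestorage).
def expand(root, version, acc = {})
  acc[root] = version
  SPECS.fetch(root).fetch(version).each do |child, req|
    cver = SPECS.fetch(child).keys.find { |v| Gem::Requirement.new(req).satisfied_by?(Gem::Version.new(v)) }
    raise "no version of #{child} satisfies #{req}" unless cver
    raise "#{child} pinned to both #{acc[child]} and #{cver}" if acc.key?(child) && acc[child] != cver
    expand(child, cver, acc) unless acc.key?(child)
  end
  acc
end

# Gems in the lockfile that nothing else in the lockfile pins (the "parents").
def roots(locked)
  pinned = locked.flat_map { |g, v| SPECS.fetch(g).fetch(v).keys }
  locked.keys - pinned
end

# The "bump the parent" strategy: for each root that (transitively) pins `gem`,
# try successively newer root versions, re-expand its pins, and accept the
# first consistent lockfile in which `gem` is at or above `fixed`.
# Returns the new lockfile, or nil if no root version gets there.
def parent_update(locked, gem, fixed)
  fixed_v = Gem::Version.new(fixed)
  roots(locked).each do |root|
    next unless expand(root, locked[root]).key?(gem)
    current = Gem::Version.new(locked[root])
    newer = SPECS.fetch(root).keys.map { |v| Gem::Version.new(v) }.select { |v| v > current }.sort
    newer.each do |v|
      candidate = locked.merge(expand(root, v.to_s))
      next unless Gem::Version.new(candidate[gem]) >= fixed_v
      return candidate if candidate.all? { |g, ver| conflicts(candidate, g, ver).empty? }
    end
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  puts "Direct update of activestorage to 6.1.4.7 conflicts with:"
  conflicts(LOCKED, "activestorage", "6.1.4.7").each { |c| puts "  #{c}" }
  puts "Parent bump yields: #{parent_update(LOCKED, 'activestorage', '6.1.4.7').inspect}"
end
```

Run as a script, the first call reproduces the three conflicts the alert lists (every pin on `activestorage` is an exact `= 6.1.4.6`), and the second call moves `rails` to 6.1.4.7 and carries the whole family along with it. Asking for a fixed version that no available `rails` release pins (say 7.0.0 with this table) returns nil, which is the case where a parent bump alone cannot help and the alert would still be accurate.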
@jurre
Member

jurre commented Mar 16, 2022

Yeah, this is a really annoying limitation. I do think something like what you're suggesting is possible, but it's a little tricky given our current implementation. I hope we can prioritize some work around this soon.

h4l added a commit to cambridge-collection/spacefinder that referenced this issue Mar 18, 2022
dependabot can't update rails automatically at the minute, presumably
due to its one update per PR thing:
dependabot/dependabot-core#4867
@deivid-rodriguez
Contributor

I worked on improving this upstream at rubygems/rubygems#5520. I tried the dry-run.rb with a Bundler patched with that PR and it was able to successfully create a security update for actionview 🎉.

Even if it worked, the dry-run.rb script still logged some (now incorrect) dependency conflicts, so Dependabot will require some updates for this feature.

@jeffwidman
Member

This is a specific example of the generic problem described in:

So closing as a duplicate and let's continue the conversation there.

@jeffwidman jeffwidman closed this as not planned Won't fix, can't repro, duplicate, stale Feb 4, 2023
@deivid-rodriguez
Contributor

Hello 👋!

I'm not sure if grouped security updates, or adding explicit groups for all Rails family gems, are approaches that work for this issue; I haven't tried.

But I do expect changes in rubygems/rubygems#7558 to make security updates for Rails work by default!

@deivid-rodriguez
Contributor

For what it's worth, the fix I mentioned was released with Bundler 2.5.10. I'm hopeful that once Dependabot starts using it, it should be able to create security updates for Rails, but I haven't tried it.
