Pin gem dependencies

Matthias Käppler requested to merge 82-pin-dependencies into master

Closes #82 (closed)

It was suggested in this MR that because we do not test gitlab-exporter outside of unit tests, we should pin dependencies to their declared versions so that we do not accidentally break it via a bundle install.

While working on this, I noticed that the currently defined versions weren't even internally consistent; bundler broke with the following errors:

Bundler could not find compatible versions for gem "connection_pool":
  In Gemfile:
    gitlab-exporter was resolved to 10.2.0, which depends on
      connection_pool (= 2.2.1)

    gitlab-exporter was resolved to 10.2.0, which depends on
      sidekiq (= 5.2.1) was resolved to 5.2.1, which depends on
        connection_pool (>= 2.2.2, ~> 2.2)

Bundler could not find compatible versions for gem "redis":
  In Gemfile:
    gitlab-exporter was resolved to 10.2.0, which depends on
      redis (= 4.1.2)

    gitlab-exporter was resolved to 10.2.0, which depends on
      redis-namespace (= 1.6.0) was resolved to 1.6.0, which depends on
        redis (>= 3.0.4)

    gitlab-exporter was resolved to 10.2.0, which depends on
      sidekiq (= 5.2.1) was resolved to 5.2.1, which depends on
        redis (< 5, >= 3.3.5)

I fixed this by bumping the required version of connection_pool to 2.2.2.

However, I am very skeptical of this change, since it appears that due to a lack of pinning in the past, the tests we actually ran were running newer versions of those gems:

[9:43:28] work/gitlab-exporter::82-pin-dependencies ✗ bundle install
Fetching gem metadata from https://rubygems.org/..........
Fetching gem metadata from https://rubygems.org/.
Resolving dependencies...
Using ast 2.4.1
Using bundler 2.1.4
Using connection_pool 2.2.2
Using diff-lcs 1.3
Fetching pg 1.1.0 (was 1.2.2)
Installing pg 1.1.0 (was 1.2.2) with native extensions
Using nio4r 2.5.7 (was 2.5.4)
Using puma 5.3.2 (was 5.1.1)
Fetching quantile 0.2.0 (was 0.2.1)
Installing quantile 0.2.0 (was 0.2.1)
Fetching redis 4.1.2 (was 4.1.3)
Installing redis 4.1.2 (was 4.1.3)
Using redis-namespace 1.6.0
Using rack 2.2.3 (was 2.0.7)
Fetching rack-protection 2.0.4 (was 2.0.7)
Installing rack-protection 2.0.4 (was 2.0.7)
Fetching sidekiq 5.2.1 (was 5.2.7)
Installing sidekiq 5.2.1 (was 5.2.7)
Using ruby2_keywords 0.0.4
Using mustermann 1.1.1 (was 1.0.3)
Using tilt 2.0.10 (was 2.0.9)
Fetching sinatra 2.0.4 (was 2.0.7)
Installing sinatra 2.0.4 (was 2.0.7)
Using gitlab-exporter 10.2.0 from source at `.`
Using parallel 1.20.1
Using parser 3.0.0.0
Using rainbow 3.0.0
Using regexp_parser 2.0.3
Using rexml 3.2.4
Using rspec-support 3.7.1
Using rspec-core 3.7.1
Using rspec-expectations 3.7.0
Using rspec-mocks 3.7.0
Using rspec 3.7.0
Using rubocop-ast 1.4.0
Using ruby-progressbar 1.11.0
Using unicode-display_width 1.7.0
Using rubocop 0.93.1
Bundle complete! 4 Gemfile dependencies, 32 gems now installed.
Use `bundle info [gemname]` to see where a bundled gem is installed.

As you can see, all of these changes are downgrades, and some downgrade not just the patch version but also the minor version. Another option could be to YOLO this and start pinning dependencies now to whatever versions used to be pulled in today, using specifiers such as ~> (i.e. everything mentioned in the brackets in the output above).

Edited by Matthias Käppler
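The two situations the MR description runs into, a set of declared constraints that no single version can satisfy (the connection_pool error above) and the question of what a ~> pin at the previously observed version would still allow, can both be checked offline with the Gem::Requirement and Gem::Version classes that ship with Ruby. The following is an added example, not code from the gitlab-exporter repository or from this MR; the constraints are copied from the bundler error quoted above, while the list of candidate releases is a constructed sample rather than a live rubygems.org index.

```ruby
require "rubygems"

# Constraints on connection_pool as reported by bundler above: gitlab-exporter
# pinned it to exactly 2.2.1, while sidekiq 5.2.1 requires ">= 2.2.2, ~> 2.2".
CONNECTION_POOL_BEFORE = {
  "gitlab-exporter" => ["= 2.2.1"],
  "sidekiq"         => [">= 2.2.2", "~> 2.2"],
}.freeze

# The fix applied in the MR: bump the exact pin to 2.2.2.
CONNECTION_POOL_AFTER = {
  "gitlab-exporter" => ["= 2.2.2"],
  "sidekiq"         => [">= 2.2.2", "~> 2.2"],
}.freeze

# Constructed sample of candidate releases (assumption: not fetched from an index).
CONNECTION_POOL_RELEASES = %w[2.2.0 2.2.1 2.2.2 2.2.3 2.2.5 2.3.0 2.4.1].freeze

# Versions that satisfy every requirement declared by every dependent.
# An empty result is exactly the "could not find compatible versions" case.
def compatible_versions(constraints, candidates)
  reqs = constraints.values.flatten.map { |r| Gem::Requirement.new(r) }
  candidates
    .map { |v| Gem::Version.new(v) }
    .select { |v| reqs.all? { |req| req.satisfied_by?(v) } }
    .map(&:to_s)
end

# For each candidate, list the dependents whose constraints reject it, which is
# the information bundler prints in its "was resolved to ... which depends on" tree.
def explain_conflict(constraints, candidates)
  candidates.each_with_object({}) do |c, out|
    v = Gem::Version.new(c)
    out[c] = constraints.select do |_dependent, reqs|
      reqs.any? { |r| !Gem::Requirement.new(r).satisfied_by?(v) }
    end.keys
  end
end

# Does a pessimistic pin such as "~> 5.2.7" admit a given version?
# "~> x.y.z" means ">= x.y.z, < x.(y+1)"; "~> x.y" means ">= x.y, < (x+1)".
def allowed_by_pin?(pin, version)
  Gem::Requirement.new(pin).satisfied_by?(Gem::Version.new(version))
end

# Build the "~>" pins the description proposes as an alternative, from the
# versions that bundler reported in brackets as previously installed.
def pessimistic_pins(observed)
  observed.transform_values { |v| "~> #{v}" }
end

if $PROGRAM_NAME == __FILE__
  puts "before fix: #{compatible_versions(CONNECTION_POOL_BEFORE, CONNECTION_POOL_RELEASES).inspect}"
  puts "rejections: #{explain_conflict(CONNECTION_POOL_BEFORE, %w[2.2.1 2.2.2]).inspect}"
  puts "after fix:  #{compatible_versions(CONNECTION_POOL_AFTER, CONNECTION_POOL_RELEASES).inspect}"
  pins = pessimistic_pins("sidekiq" => "5.2.7", "pg" => "1.2.2")
  puts "pins: #{pins.inspect}"
  puts "sidekiq 5.2.9 allowed: #{allowed_by_pin?(pins['sidekiq'], '5.2.9')}"
  puts "sidekiq 5.3.0 allowed: #{allowed_by_pin?(pins['sidekiq'], '5.3.0')}"
end
```

Running this for the "before" constraints yields an empty set, with 2.2.1 rejected by sidekiq and 2.2.2 rejected by gitlab-exporter, which is the conflict bundler reported; after the bump only 2.2.2 satisfies everyone, so the exact pin still leaves bundler no room to move. A three-component pin like ~> 5.2.7 admits later patch releases but stops at 5.3.0, which is the trade-off the description's ~> option would take.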