patrik.codes

Im

Im is an “isolated module autoloader”, a fork of Zeitwerk which autoloads constants under an anonymous namespace.

Read more in Feature #19024 or see the GitHub repo.

19 Feb 2023

Don't trust your dependencies, write tests

I’ve holding off on merging Starkast/wikimum#305, that bumps octokit.rb from 4.20.0 to 4.22.0, because I wanted to add some test coverage around it before merging it.

In 975c31c I added a test covering the use of Octokit when taking care of another bug I had seen. After that, #305 had failing tests:

  1) Error:
AppTest#test_authorize_callback:
WebMock::NetConnectNotAllowedError: Real HTTP connections are disabled. Unregistered request: GET https://api.github.com/user with headers {'Accept'=>'application/vnd.github.v3+json', 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'Content-Type'=>'application/json', 'User-Agent'=>'Octokit Ruby Gem 4.22.0'}

WebMock reported unregistered requests, which was strange since I did have stubs for all the requests being made – I could see the tests pass in the default branch that was on octokit 4.20.0.

Looking closer I could see that the unregistered request webmock complained about did not have the Authorization header. That was also a strange thing. I began reading the diff between 4.20.0 and 4.22.0. Not many changes, but sure enough, the diff touched on authorisation and even refered to a comment in a pull request:

lib/octokit/middleware/follow_redirects.rb
        --- /var/folders/51/q0d09qds1f78x14h0kb73ppw0000gn/T/d20221127-53471-54qlhn/octokit-4.20.0/lib/octokit/middleware/follow_redirects.rb 2022-11-27 13:33:09.000000000 +0100
        +++ /var/folders/51/q0d09qds1f78x14h0kb73ppw0000gn/T/d20221127-53471-54qlhn/octokit-4.22.0/lib/octokit/middleware/follow_redirects.rb 2022-11-27 13:33:09.000000000 +0100
        @@ -89 +89,4 @@
        -          env[:request_headers].delete("Authorization")
        +          # HACK: Faraday’s Authorization middlewares don’t touch the request if the `Authorization` header is set.
        +          #       This is a workaround to drop authentication info.
        +          #       See https://github.com/octokit/octokit.rb/pull/1359#issuecomment-925609697
        +          env[:request_headers]["Authorization"] = "dummy"

From there I found octokit/octokit.rb#1392 and I understood what was going on: octokit/octokit.rb#1359 had introduced changes that were not compatible with Faraday 0.17.x without updating the gemspec. The gemspec was updated with Ocktokit v4.23.0 when work was done to support Faraday v2.

Thus Dependabot created a pull request for bumping Ocktokit to v4.22.0 but never past that as the project was locked to Faraday < 1 by sentry-raven.

27 Nov 2022