Dependabot not able to find updates

[DesignyourCode]

Hi. We are seeing issues in which Dependabot is unable to find updates for plugins.

We have raised a support issue with them, but from what I can see the issue would lie at Wpackagists end.

updater | INFO <job_111530500> Checking if wpackagist-plugin/redirection 4.8 needs updating
  proxy | 2021/04/20 19:02:37 [012] GET https://wpackagist.org:443/packages.json
  proxy | 2021/04/20 19:02:38 [012] 200 https://wpackagist.org:443/packages.json
  proxy | 2021/04/20 19:02:38 [014] GET https://packagist.org:443/p/wpackagist-plugin/redirection.json
  proxy | 2021/04/20 19:02:38 [014] 404 https://packagist.org:443/p/wpackagist-plugin/redirection.json
  proxy | 2021/04/20 19:02:41 [016] GET https://wpackagist.org:443/packages.json
  proxy | 2021/04/20 19:02:41 [016] 200 https://wpackagist.org:443/packages.json
  proxy | 2021/04/20 19:02:41 [018] GET https://wpackagist.org:443/p/providers-2011%24bed0e4befefc8b173203cc178a41dbd755a0a4adb42ad07dbb27adbcd71eca57.json
  proxy | 2021/04/20 19:02:42 [018] 200 https://wpackagist.org:443/p/providers-2011%24bed0e4befefc8b173203cc178a41dbd755a0a4adb42ad07dbb27adbcd71eca57.json
  proxy | 2021/04/20 19:02:42 [020] GET https://wpackagist.org:443/p/providers-2012%246be9de89258922af8c7f4b3284023b2f6db28ea99c59cfc2080ff40fc1f12d80.json
  proxy | 2021/04/20 19:02:42 [020] 200 https://wpackagist.org:443/p/providers-2012%246be9de89258922af8c7f4b3284023b2f6db28ea99c59cfc2080ff40fc1f12d80.json
  proxy | 2021/04/20 19:02:42 [022] GET https://wpackagist.org:443/p/providers-2013%2473c2f0f1d92c3b4842a0c35e09c50fcf8941f012d2a13e5662ab375d8e0fce76.json
  proxy | 2021/04/20 19:02:42 [022] 200 https://wpackagist.org:443/p/providers-2013%2473c2f0f1d92c3b4842a0c35e09c50fcf8941f012d2a13e5662ab375d8e0fce76.json
  proxy | 2021/04/20 19:02:42 [024] GET https://wpackagist.org:443/p/providers-2014%2498d77f36c8c8d521eed4c02b61e8faedf1f360c3dfb151a90d8154c79e258bb4.json
  proxy | 2021/04/20 19:02:42 [024] 200 https://wpackagist.org:443/p/providers-2014%2498d77f36c8c8d521eed4c02b61e8faedf1f360c3dfb151a90d8154c79e258bb4.json
  proxy | 2021/04/20 19:02:43 [026] GET https://wpackagist.org:443/p/providers-2015%2462e65531f98be8233e8cd4f7206fc6189c06138a3c07d43ab840089f6ae7be17.json
  proxy | 2021/04/20 19:02:43 [026] 200 https://wpackagist.org:443/p/providers-2015%2462e65531f98be8233e8cd4f7206fc6189c06138a3c07d43ab840089f6ae7be17.json
  proxy | 2021/04/20 19:02:43 [028] GET https://wpackagist.org:443/p/providers-2016%241f33e360ff02a815fd4413c59b9a1c3e66f3dddae0a90c4d05f6d019835f4264.json
  proxy | 2021/04/20 19:02:43 [028] 200 https://wpackagist.org:443/p/providers-2016%241f33e360ff02a815fd4413c59b9a1c3e66f3dddae0a90c4d05f6d019835f4264.json
  proxy | 2021/04/20 19:02:43 [030] GET https://wpackagist.org:443/p/providers-2017%241ef504bc74d43a31e9725aced3281886fea5297d182337d49545962dae176817.json
  proxy | 2021/04/20 19:02:43 [030] 200 https://wpackagist.org:443/p/providers-2017%241ef504bc74d43a31e9725aced3281886fea5297d182337d49545962dae176817.json
  proxy | 2021/04/20 19:02:43 [032] GET https://wpackagist.org:443/p/providers-2018%241bd517738d520e5a1b68f10b607e4a98d4e9107fbecf80ed77c8b39acc0efa12.json
  proxy | 2021/04/20 19:02:44 [032] 200 https://wpackagist.org:443/p/providers-2018%241bd517738d520e5a1b68f10b607e4a98d4e9107fbecf80ed77c8b39acc0efa12.json
  proxy | 2021/04/20 19:02:44 [034] GET https://wpackagist.org:443/p/providers-2019%24819e95e472cf89688b963ca9fe0e9763b6c96e0f7a147ac38594fa645840525b.json
  proxy | 2021/04/20 19:02:44 [034] 200 https://wpackagist.org:443/p/providers-2019%24819e95e472cf89688b963ca9fe0e9763b6c96e0f7a147ac38594fa645840525b.json
  proxy | 2021/04/20 19:02:44 [036] GET https://wpackagist.org:443/p/providers-2020%24c38c701fb8dd86817e3e12d6579eeca519244a7e89580fdd2822553ed0727bd8.json
  proxy | 2021/04/20 19:02:44 [036] 200 https://wpackagist.org:443/p/providers-2020%24c38c701fb8dd86817e3e12d6579eeca519244a7e89580fdd2822553ed0727bd8.json
  proxy | 2021/04/20 19:02:45 [038] GET https://wpackagist.org:443/p/providers-2021-03%24d3a138cfe88d91287b78bf8fdbf956b0c226525ee5c0844d37b66b94fdd600c5.json
  proxy | 2021/04/20 19:02:45 [038] 200 https://wpackagist.org:443/p/providers-2021-03%24d3a138cfe88d91287b78bf8fdbf956b0c226525ee5c0844d37b66b94fdd600c5.json
  proxy | 2021/04/20 19:02:45 [040] GET https://wpackagist.org:443/p/providers-2021-06%24ecebd86b570c3bdb2e8ab3b2ccf77f658eee1beba1e916034ab602a912decaa5.json
  proxy | 2021/04/20 19:02:45 [040] 200 https://wpackagist.org:443/p/providers-2021-06%24ecebd86b570c3bdb2e8ab3b2ccf77f658eee1beba1e916034ab602a912decaa5.json
  proxy | 2021/04/20 19:02:45 [042] GET https://wpackagist.org:443/p/providers-old%24be38917dcd0e873e75d46cbe459242cdda55b2ea81e4f4bf2d2916d0ea4133cd.json
  proxy | 2021/04/20 19:02:45 [042] 200 https://wpackagist.org:443/p/providers-old%24be38917dcd0e873e75d46cbe459242cdda55b2ea81e4f4bf2d2916d0ea4133cd.json
  proxy | 2021/04/20 19:02:45 [044] GET https://wpackagist.org:443/p/providers-this-week%247cac30a6ec11a43ff577d93fba9028fd294d24c40b67ff9c60c8009bdaec3739.json
  proxy | 2021/04/20 19:02:46 [044] 200 https://wpackagist.org:443/p/providers-this-week%247cac30a6ec11a43ff577d93fba9028fd294d24c40b67ff9c60c8009bdaec3739.json
  proxy | 2021/04/20 19:02:46 [046] GET https://wpackagist.org:443/p/wpackagist-plugin/redirection%24b3fa69177ef1241dedcb25b3ced7e4fd900fccf30a95898e7c43d4dc11b39b78.json
  proxy | 2021/04/20 19:02:46 [046] 200 https://wpackagist.org:443/p/wpackagist-plugin/redirection%24b3fa69177ef1241dedcb25b3ced7e4fd900fccf30a95898e7c43d4dc11b39b78.json
  proxy | 2021/04/20 19:02:46 [048] GET https://repo.packagist.org:443/packages.json
  proxy | 2021/04/20 19:02:46 [048] 200 https://repo.packagist.org:443/packages.json
  proxy | 2021/04/20 19:02:46 [050] GET https://repo.packagist.org:443/p2/composer/installers.json
  proxy | 2021/04/20 19:02:46 [050] 200 https://repo.packagist.org:443/p2/composer/installers.json
  proxy | 2021/04/20 19:02:46 [053] GET https://repo.packagist.org:443/p2/shama/baton.json
  proxy | 2021/04/20 19:02:46 [054] GET https://repo.packagist.org:443/p2/roundcube/plugin-installer.json
  proxy | 2021/04/20 19:02:46 [053] 404 https://repo.packagist.org:443/p2/shama/baton.json
  proxy | 2021/04/20 19:02:46 [054] 200 https://repo.packagist.org:443/p2/roundcube/plugin-installer.json
  proxy | 2021/04/20 19:02:46 [056] GET https://repo.packagist.org:443/p2/composer/semver.json
  proxy | 2021/04/20 19:02:46 [056] 200 https://repo.packagist.org:443/p2/composer/semver.json
updater | INFO <job_111530500> Latest version is 
  proxy | 2021/04/20 19:02:47 [058] GET https://wpackagist.org:443/packages.json
  proxy | 2021/04/20 19:02:47 [058] 200 https://wpackagist.org:443/packages.json
  proxy | 2021/04/20 19:02:48 [060] GET https://repo.packagist.org:443/packages.json
  proxy | 2021/04/20 19:02:48 [060] 200 https://repo.packagist.org:443/packages.json
  proxy | 2021/04/20 19:02:48 [062] GET https://repo.packagist.org:443/p2/composer/installers.json
  proxy | 2021/04/20 19:02:48 [062] 304 https://repo.packagist.org:443/p2/composer/installers.json
  proxy | 2021/04/20 19:02:48 [065] GET https://repo.packagist.org:443/p2/roundcube/plugin-installer.json
  proxy | 2021/04/20 19:02:48 [066] GET https://repo.packagist.org:443/p2/shama/baton.json
  proxy | 2021/04/20 19:02:48 [065] 304 https://repo.packagist.org:443/p2/roundcube/plugin-installer.json
  proxy | 2021/04/20 19:02:48 [066] 404 https://repo.packagist.org:443/p2/shama/baton.json
  proxy | 2021/04/20 19:02:48 [068] GET https://repo.packagist.org:443/p2/composer/semver.json
  proxy | 2021/04/20 19:02:48 [068] 304 https://repo.packagist.org:443/p2/composer/semver.json
  proxy | 2021/04/20 19:02:49 [070] GET https://wpackagist.org:443/packages.json
  proxy | 2021/04/20 19:02:49 [070] 200 https://wpackagist.org:443/packages.json
  proxy | 2021/04/20 19:02:50 [072] GET https://repo.packagist.org:443/packages.json
  proxy | 2021/04/20 19:02:50 [072] 200 https://repo.packagist.org:443/packages.json
  proxy | 2021/04/20 19:02:50 [074] GET https://repo.packagist.org:443/p2/composer/installers.json
  proxy | 2021/04/20 19:02:50 [074] 304 https://repo.packagist.org:443/p2/composer/installers.json
  proxy | 2021/04/20 19:02:50 [077] GET https://repo.packagist.org:443/p2/shama/baton.json
  proxy | 2021/04/20 19:02:50 [078] GET https://repo.packagist.org:443/p2/roundcube/plugin-installer.json
  proxy | 2021/04/20 19:02:50 [077] 404 https://repo.packagist.org:443/p2/shama/baton.json
  proxy | 2021/04/20 19:02:50 [078] 304 https://repo.packagist.org:443/p2/roundcube/plugin-installer.json
  proxy | 2021/04/20 19:02:50 [080] GET https://repo.packagist.org:443/p2/composer/semver.json
  proxy | 2021/04/20 19:02:50 [080] 304 https://repo.packagist.org:443/p2/composer/semver.json
  proxy | 2021/04/20 19:02:52 [082] GET https://wpackagist.org:443/packages.json
  proxy | 2021/04/20 19:02:52 [082] 200 https://wpackagist.org:443/packages.json
  proxy | 2021/04/20 19:02:53 [084] GET https://repo.packagist.org:443/packages.json
  proxy | 2021/04/20 19:02:53 [084] 200 https://repo.packagist.org:443/packages.json
  proxy | 2021/04/20 19:02:53 [086] GET https://repo.packagist.org:443/p2/composer/installers.json
  proxy | 2021/04/20 19:02:53 [086] 304 https://repo.packagist.org:443/p2/composer/installers.json
  proxy | 2021/04/20 19:02:53 [089] GET https://repo.packagist.org:443/p2/shama/baton.json
  proxy | 2021/04/20 19:02:53 [090] GET https://repo.packagist.org:443/p2/roundcube/plugin-installer.json
  proxy | 2021/04/20 19:02:53 [089] 404 https://repo.packagist.org:443/p2/shama/baton.json
  proxy | 2021/04/20 19:02:53 [090] 304 https://repo.packagist.org:443/p2/roundcube/plugin-installer.json
  proxy | 2021/04/20 19:02:53 [092] GET https://repo.packagist.org:443/p2/composer/semver.json
  proxy | 2021/04/20 19:02:53 [092] 304 https://repo.packagist.org:443/p2/composer/semver.json
  proxy | 2021/04/20 19:02:54 [094] GET https://wpackagist.org:443/packages.json
  proxy | 2021/04/20 19:02:55 [094] 200 https://wpackagist.org:443/packages.json
  proxy | 2021/04/20 19:02:56 [096] GET https://repo.packagist.org:443/packages.json
  proxy | 2021/04/20 19:02:56 [096] 200 https://repo.packagist.org:443/packages.json
  proxy | 2021/04/20 19:02:56 [098] GET https://repo.packagist.org:443/p2/composer/installers.json
  proxy | 2021/04/20 19:02:56 [098] 304 https://repo.packagist.org:443/p2/composer/installers.json
  proxy | 2021/04/20 19:02:56 [101] GET https://repo.packagist.org:443/p2/shama/baton.json
  proxy | 2021/04/20 19:02:56 [102] GET https://repo.packagist.org:443/p2/roundcube/plugin-installer.json
  proxy | 2021/04/20 19:02:56 [101] 404 https://repo.packagist.org:443/p2/shama/baton.json
  proxy | 2021/04/20 19:02:56 [102] 304 https://repo.packagist.org:443/p2/roundcube/plugin-installer.json
  proxy | 2021/04/20 19:02:56 [104] GET https://repo.packagist.org:443/p2/composer/semver.json
  proxy | 2021/04/20 19:02:56 [104] 304 https://repo.packagist.org:443/p2/composer/semver.json
  proxy | 2021/04/20 19:02:57 [106] GET https://wpackagist.org:443/packages.json
  proxy | 2021/04/20 19:02:57 [106] 200 https://wpackagist.org:443/packages.json
  proxy | 2021/04/20 19:02:59 [108] GET https://repo.packagist.org:443/packages.json
  proxy | 2021/04/20 19:02:59 [108] 200 https://repo.packagist.org:443/packages.json
  proxy | 2021/04/20 19:02:59 [110] GET https://repo.packagist.org:443/p2/composer/installers.json
  proxy | 2021/04/20 19:02:59 [110] 304 https://repo.packagist.org:443/p2/composer/installers.json
  proxy | 2021/04/20 19:02:59 [113] GET https://repo.packagist.org:443/p2/shama/baton.json
  proxy | 2021/04/20 19:02:59 [114] GET https://repo.packagist.org:443/p2/roundcube/plugin-installer.json
  proxy | 2021/04/20 19:02:59 [113] 404 https://repo.packagist.org:443/p2/shama/baton.json
  proxy | 2021/04/20 19:02:59 [114] 304 https://repo.packagist.org:443/p2/roundcube/plugin-installer.json
  proxy | 2021/04/20 19:02:59 [116] GET https://repo.packagist.org:443/p2/composer/semver.json
  proxy | 2021/04/20 19:02:59 [116] 304 https://repo.packagist.org:443/p2/composer/semver.json
updater | INFO <job_111530500> Requirements to unlock update_not_possible
updater | INFO <job_111530500> Requirements update strategy bump_versions
updater | INFO <job_111530500> No update possible for wpackagist-plugin/redirection 4.8

As you can see above, "Latest version is " returns blank, instead of returning a version number, which is what other packages return.

[NoelLH]

Hey @DesignyourCode, I'm not really sure what to do about this or what Wpackagist could be doing wrong.

Do you have a bit more background about how the process works, steps to replicate, etc.?

As a quick initial check I loaded one of the Wpackagist URLs in your output. It includes a valid response with a valid version "4.8", normalised by Composer (v1)'s utility library as expected. And none of the 404s seem to be coming from Wpackagist itself.

So: what is Dependabot expecting that it's not getting? And what exactly should Wpackagist be doing differently here?

[DesignyourCode]

I have spoken with Github support about this issue. Dependabot is running on Composer 2. So the issue is that Wpackagist isn't supporting composer 2 yet. Or if it doesn't, it isn't fully supported.

I have been given a line of code to add to the composer.lock which should solve this, but because the composer.lock is auto-generate the solution is really not great. I am currently trying to write a Github action to inject that line of code "plugin-api-version": "1.0.0" to the lock file. But realistically, the best option would be for Wpackagist to fully support Composer 2. I am guessing I am not the only person to experience this, and it will become a more common issue.

[DesignyourCode]

I can confirm that the above is the case. Wpackagist should support Composer 2. But as this is down to individual packages, it should look at heavily encouraging all packages to upgrade and support Composer 2.

[NoelLH]

Hey @DesignyourCode – while addressing some more pressing security updates late last year, I upgraded Wpackagist to use Composer v2 internally.

This promptly broke the service for all devs on Composer v1 who promptly let me know.

After sorting this out (see #372, #373) we have the repository working, to my knowledge, fully on both v1 and v2.

So we need to be pretty careful about the sense in which we are upgrading and how we go about it, and clear about what would have to change for this use of Dependabot to work. https://getcomposer.org/upgrade/UPGRADE-2.0.md lists a bunch of things we could add manually (presumably while maintaining v1 normalisation behaviour) but they all seem to be optional, and I'm still not clear which one(s) would help with this use case. Do you have any more details on what data would change and why to make this work?

[DesignyourCode]

Hi @NoelLH thank you for your reply. I am still in discussions with Dependabot/Github Support regarding this. I am going to begin tests with Composer 2 to try and narrow down which settings or configuration options would be needed. I will feedback here with my conclusions and hopefully be able to provide some more detail.

[aaronware]

If you have any additional details here. That would be awesome. We've been working on our automation and this is something I investigated a while ago but haven't checked into it in a while.

[aingham]

Hi @NoelLH thank you for your reply. I am still in discussions with Dependabot/Github Support regarding this. I am going to begin tests with Composer 2 to try and narrow down which settings or configuration options would be needed. I will feedback here with my conclusions and hopefully be able to provide some more detail.

Hi @DesignyourCode - did you ever manage to get Dependabot working with wpackagist packages? I'd be really interested to hear the latest on this. Many thanks.

[jeffwidman]

👋 Hi from Dependabot.

If there's anything we need to do from our side to support composer v2 use of wpackagist.org, please file an issue on https://github.com/dependabot/dependabot-core/issues to let us know.

Re: composer v1 - Although we're still happy to review/merge community PR's if you want to land a quick fix/improvement, I doubt we'll invest any more time into composer v1 support given that we plan to eventually sunset it:

• Drop support for PHP Composer v1 dependabot/dependabot-core#6298

There's no ETA as of now, and we're not in a hurry, but we will do it at some point. So if anyone watching this ticket will be impacted, please comment on ☝️ explaining what prevents you from updating to Composer v2.