This repository has been archived by the owner on Apr 14, 2021. It is now read-only.

Changing gemspec unlocks all dependencies #6746

Closed
deivid-rodriguez opened this issue Oct 17, 2018 · 6 comments

Comments

@deivid-rodriguez
Member

I've seen this issue a lot of times but I was always too lazy to report it. The issue is that on the decidim repo, when I change a gemspec requirement and run bundle install, every dependency seems to be unlocked and the command effectively works as bundle update.

In order to reproduce:

Every gem seems to be updated, and not just rectify and its dependencies.

@segiddins
Member

Is it possible it’s only transitive dependencies of the gemspec being unlocked?

@deivid-rodriguez
Member Author

Yes, that's very likely, actually, since that gemspec has a bunch of dependencies: https://github.com/decidim/decidim/blob/15a0112c911c00f9215eff947eff6beabbab9ff9/decidim-core/decidim-core.gemspec#L21-L66.

@Ferdy89

Ferdy89 commented Oct 19, 2018

I ran through @deivid-rodriguez's steps and got the same result. One of the dependencies updated is valid_email2, which is not a transitive dependency; it's only required from that same gemspec.

@deivid-rodriguez
Member Author

@Ferdy89 Yeah, I think that's what @segiddins meant by "transitive dependencies of the gemspec", and I think it's unexpected (even if the updated dependencies come from the same gemspec).

@ElenaKalinin

ElenaKalinin commented Nov 6, 2018

I ran into a very similar issue today - only I don't even need to change the .gemspec file.
Pretend I have in the .gemspec:
spec.add_runtime_dependency 'my-wonder-gem', '~> 6.0', '>= 6.0.19'
(I ran my own stickler server to keep proprietary gems there)
then bundle install and I see:
$ gem list | grep my-wonder-gem
my-wonder-gem (6.1.1)
$
Problem is that I'd like to follow major/minor/patch version increments for breaking/potentially breaking/non-breaking changes. So I created and pushed to stickler the potentially breaking version 6.1.1, which jumped to all dependent gems that were subscribed to 6.0.x, making a havoc and creating grief.
Any suggestions on what can be done to work around the problem? - I don't feel confident enough to try to fix bundler L-:
Tried bundler 1.16.x and 1.17.x.
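
Added example, not part of the thread or of Bundler's code: it uses RubyGems' own `Gem::Requirement` to show which versions the requirement quoted in the comment above admits, and how far a locked version can move once its lock is dropped and the gemspec range is re-resolved. The version list, the function names and the comparison constraint `'~> 6.0.19'` are assumptions made for illustration.

```ruby
require 'rubygems'

# Constructed sample data: versions published on a hypothetical private gem server.
AVAILABLE = %w[6.0.18 6.0.19 6.0.20 6.1.0 6.1.1 7.0.0].freeze

# Highest published version that satisfies every constraint, or nil if none does.
# This is the version a fresh resolution (no lockfile entry) is free to pick.
def highest_allowed(constraints, available = AVAILABLE)
  req = Gem::Requirement.new(*constraints)
  available.map { |v| Gem::Version.new(v) }
           .select { |v| req.satisfied_by?(v) }
           .max&.to_s
end

# Versions newer than the locked one that the gemspec range still admits.
# If the lock is dropped, any of these can replace the locked version.
def unlock_exposure(constraints, locked, available = AVAILABLE)
  req = Gem::Requirement.new(*constraints)
  locked_version = Gem::Version.new(locked)
  available.map { |v| Gem::Version.new(v) }
           .select { |v| v > locked_version && req.satisfied_by?(v) }
           .sort
           .map(&:to_s)
end

if __FILE__ == $PROGRAM_NAME
  quoted  = ['~> 6.0', '>= 6.0.19'] # requirement as written in the comment
  tighter = ['~> 6.0.19']           # assumed alternative: patch-level range only

  { 'quoted' => quoted, 'tighter' => tighter }.each do |label, constraints|
    puts "#{label}: #{constraints.inspect}"
    puts "  highest allowed:            #{highest_allowed(constraints)}"
    puts "  reachable from lock 6.0.19: #{unlock_exposure(constraints, '6.0.19').join(', ')}"
  end
end
```

`'~> 6.0'` expands to `>= 6.0, < 7.0`, so minor releases are inside the range; `'~> 6.0.19'` expands to `>= 6.0.19, < 6.1`.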

@deivid-rodriguez
Member Author

Closing in favor of #6967!
