Frozen bundle install fails to prevent a memory spike #9592

@janko

Describe the problem as clearly as you can

Resolving a merge conflict resulted in accidental removal of a platform-specific gem variant from Gemfile.lock. This caused a significant increase in memory usage of our Rails application (+500 MB) when it got booted in production.

It appears that require "bundler/setup" will fetch the RubyGems.org index at runtime if a platform-specific variant is missing from Gemfile.lock and there is no ruby platform fallback (which is the case with rails new today).

I'd normally be OK with that, because we run bundle install in deployment mode (which implies frozen mode), which should error on missing Gemfile.lock entries. But it turns out that bundle install will only print a "Cannot write a changed lockfile while frozen." warning in this case, but still exit with a 0 code, which fails neither CI nor deployment (while discrepancies like a missing checksum produce an actual error).

I want to prevent this kind of silent memory regression in the future, but I'm failing to find the necessary guardrails in Bundler.

Did you try upgrading rubygems & bundler?

Yes, I'm running RubyGems & Bundler 4.0.13, on Ruby 3.4.5.

Post steps to reproduce the problem

# app.rb
require "bundler/setup"

rss_kb = `ps -o rss= -p #{Process.pid}`.to_i
puts format("Memory usage: %.2f MB", rss_kb / 1024.0)

# Gemfile
source "https://rubygems.org"
gem "ffi", "1.17.3"

# Gemfile.lock
GEM
  remote: https://rubygems.org/
  specs:
    ffi (1.17.3-aarch64-linux-gnu)
    ffi (1.17.3-arm64-darwin)
    ffi (1.17.3-x86_64-linux-gnu)

PLATFORMS
  aarch64-linux
  arm64-darwin-24
  x86_64-linux

DEPENDENCIES
  ffi (= 1.17.3)

CHECKSUMS
  bundler (4.0.13) sha256=19f08be7f27022cf0b89f27da0b044ae075e8270a9ef44ad248a932614e1ca3b
  ffi (1.17.3-aarch64-linux-gnu) sha256=28ad573df26560f0aedd8a90c3371279a0b2bd0b4e834b16a2baa10bd7a97068
  ffi (1.17.3-arm64-darwin) sha256=0c690555d4cee17a7f07c04d59df39b2fba74ec440b19da1f685c6579bb0717f
  ffi (1.17.3-x86_64-linux-gnu) sha256=3746b01f677aae7b16dc1acb7cb3cc17b3e35bdae7676a3f568153fb0e2c887f

BUNDLED WITH
  4.0.13

When I run the app with a complete lockfile, memory usage is small:

$ ruby app.rb
Memory usage: 27.59 MB

However, if I were to remove a precompiled binary:

     ffi (1.17.3-aarch64-linux-gnu)
-    ffi (1.17.3-arm64-darwin)
     ffi (1.17.3-x86_64-linux-gnu)

memory usage gets elevated (in proportion to the Gemfile.lock size):

$ ruby app.rb
Memory usage: 168.75 MB

Running Bundler in frozen mode produces a warning but returns a 0 exit code:

$ BUNDLE_FROZEN=true bundle install
Fetching gem metadata from https://rubygems.org/..
Resolving dependencies...
Cannot write a changed lockfile while frozen.
Bundle complete! 1 Gemfile dependency, 1 gem now installed.
Use `bundle info [gemname]` to see where a bundled gem is installed.

$ echo $?
0

Which command did you run?

Explained above.

What were you expecting to happen?

I expected bundle install in frozen/deployment mode to error when Gemfile.lock is missing items.

What happened instead?

Running bundle install just printed out a "Cannot write a changed lockfile while frozen." warning and returned a 0 exit code.

If not included with the output of your command, run bundle env and paste the output below

Bundler       4.0.13
  Platforms   ruby, arm64-darwin-24
Ruby          3.4.5p51 (2025-07-16 revision 20cda200d3ce092571d0b5d342dadca69636cb0f) [arm64-darwin-24]
  Full Path   /Users/janko/.rbenv/versions/3.4.5/bin/ruby
  Config Dir  /Users/janko/.rbenv/versions/3.4.5/etc
RubyGems      4.0.13
  Gem Home    /Users/janko/.rbenv/versions/3.4.5/lib/ruby/gems/3.4.0
  Gem Path    /Users/janko/.gem/ruby/3.4.0:/Users/janko/.rbenv/versions/3.4.5/lib/ruby/gems/3.4.0
  User Home   /Users/janko
  User Path   /Users/janko/.gem/ruby/3.4.0
  Bin Dir     /Users/janko/.rbenv/versions/3.4.5/bin
Tools         
  Git         2.54.0
  RVM         not installed
  rbenv       rbenv 1.3.2
  chruby      not installed
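
A CI guardrail for the condition this issue describes, as an added example that is not part of the original report and not Bundler's own code: it reports every PLATFORMS entry for which a gem has neither a generic ruby variant nor a matching platform-specific variant in the lockfile. The names `parse_lockfile`, `uncovered_platforms` and `BROKEN_LOCK` are hypothetical, only GEM sections are inspected, and matching relies on RubyGems' `Gem::Platform#===`, which is assumed to approximate Bundler's resolution.

```ruby
# Added example (not Bundler code). Platform matching uses RubyGems'
# Gem::Platform#===, an approximation of Bundler's own resolution logic.
# Collect GEM "specs:" entries and PLATFORMS entries from lockfile text.
def parse_lockfile(text)
  specs = Hash.new { |h, k| h[k] = [] } # "name version" => [platform or nil]
  platforms = []
  section = nil
  text.each_line(chomp: true) do |line|
    if line.match?(/\A[A-Z][A-Z ]*\z/) # unindented section header
      section = line
    elsif section == "GEM" && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      version, platform = m[2].split("-", 2) # "1.17.3-arm64-darwin"
      specs["#{m[1]} #{version}"] << platform # nil means generic ruby variant
    elsif section == "PLATFORMS" && !line.strip.empty?
      platforms << line.strip
    end
  end
  [specs, platforms]
end

# Returns [[gem, platform], ...]: no ruby fallback and no variant for that platform.
def uncovered_platforms(text)
  specs, platforms = parse_lockfile(text)
  specs.flat_map do |gem, variants|
    next [] if variants.include?(nil) # ruby fallback present
    locked = variants.map { |v| Gem::Platform.new(v) }
    platforms.reject { |p| locked.any? { |v| v === Gem::Platform.new(p) } }
             .map { |p| [gem, p] }
  end
end

# The issue's lockfile with the arm64-darwin spec removed (other sections trimmed).
BROKEN_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      ffi (1.17.3-aarch64-linux-gnu)
      ffi (1.17.3-x86_64-linux-gnu)
  PLATFORMS
    aarch64-linux
    arm64-darwin-24
    x86_64-linux
LOCK

if (path = ARGV[0]) # CI usage: ruby check_lock.rb Gemfile.lock
  missing = uncovered_platforms(File.read(path))
  missing.each { |gem, p| warn "#{gem}: no locked variant for #{p}" }
  exit 1 unless missing.empty?
end
```

Run before `bundle install` in the pipeline, the non-zero exit fails the build on the lockfile state that frozen mode only warns about.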
