hsbt commented Jan 27, 2026

What was the end-user or developer problem that led to this PR?

This may fix #9258

What is your fix for the problem, implemented in this PR?

TBD

Make sure the following tasks are checked

Copilot AI review requested due to automatic review settings January 27, 2026 09:33

Copilot AI left a comment

Pull request overview

This PR fixes issue #9258 where Bundler 4.0.4 incorrectly leaked scoped rubygems sources to transitive dependencies. The fix restricts parent source inheritance to only Path and Git sources, allowing transitive dependencies of gems from scoped rubygems sources to fall back to the default source.

Changes:

  • Modified the source inheritance logic to only use parent source for Path and Git sources
  • Added test case validating that transitive dependencies of gems from scoped rubygems sources fall back to the default source

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| bundler/lib/bundler/definition.rb | Added Source::Path type check to restrict source inheritance only to Path/Git sources (Git inherits from Path) |
| bundler/spec/install/gemfile/sources_spec.rb | Added test case verifying transitive dependencies fall back to default source when parent is from scoped rubygems source |

hsbt commented Jan 28, 2026

The failing example is here:

       Could not find compatible versions

       Because every version of private_parent depends on fallback_dep >= 0
         and fallback_dep >= 0 could not be found in rubygems repository https://gem.repo3/,
         private_parent cannot be used.
       So, because Gemfile depends on private_parent = 1.0.0,
         version solving has failed.
       Fetching gem metadata from https://gem.repo3/..
       Fetching gem metadata from https://gem.repo2/.
       Resolving dependencies...
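
The source-selection rule discussed in this thread, as an added example that is not part of the PR or of Bundler's own code: a toy resolver that assigns each gem a source, run once with the leaking behaviour and once with inheritance limited to Path/Git parents. Class and method names are hypothetical, and treating https://gem.repo2/ as the default source and https://gem.repo3/ as the scoped one is an assumption read off the log above.

```ruby
# Added toy model; class and method names are hypothetical, not Bundler's API.
class ToySource
  attr_reader :name, :specs

  def initialize(name, specs)
    @name = name
    @specs = specs # { gem name => [names of its dependencies] }
  end
end
class ToyRubygems < ToySource; end
class ToyPath < ToySource; end
class ToyGit < ToyPath; end # mirrors the PR note that Git inherits from Path

# Returns { gem name => source name } for the Gemfile pins and everything they
# pull in. inherit_all: true models the leak; false models the Path/Git-only rule.
def resolve_sources(pins, default, inherit_all:)
  chosen = {}
  queue = pins.to_a
  until queue.empty?
    gem_name, source = queue.shift
    next if chosen.key?(gem_name)
    unless source.specs.key?(gem_name)
      raise KeyError, "#{gem_name} could not be found in #{source.name}"
    end

    chosen[gem_name] = source.name
    source.specs[gem_name].each do |dep|
      next if pins.key?(dep) # an explicit pin in the Gemfile always wins
      inherit = inherit_all || source.is_a?(ToyPath)
      queue << [dep, inherit ? source : default]
    end
  end
  chosen
end

# Constructed sample data; gem and repository names are taken from the log above.
REPO2 = ToyRubygems.new("https://gem.repo2/", { "fallback_dep" => [] })
REPO3 = ToyRubygems.new("https://gem.repo3/", { "private_parent" => ["fallback_dep"] })
VENDORED = ToyGit.new("git: vendored (constructed)",
                      { "app_core" => ["app_util"], "app_util" => [] })

if __FILE__ == $PROGRAM_NAME
  p resolve_sources({ "private_parent" => REPO3 }, REPO2, inherit_all: false)
  p resolve_sources({ "app_core" => VENDORED }, REPO2, inherit_all: false)
end
```

With `inherit_all: true` the same call raises with the "could not be found in https://gem.repo3/" message, which is the shape of the failure in the log.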

@hsbt hsbt merged commit 811f2d1 into master Jan 28, 2026
93 checks passed
@hsbt hsbt deleted the fix-gh-9258 branch January 28, 2026 22:36
hsbt added a commit that referenced this pull request Jan 28, 2026
Only use parent source with Git and Path sources

(cherry picked from commit 811f2d1)
Successfully merging this pull request may close these issues.

Bundler 4.0.4 leaks incorrect source into gems