bundler 2.2.10 installs wrong gem versions #4383
Comments
Thanks for reporting this. Can you share a reproducible example?
I think I can repro, but I still appreciate an example.
Gemfile:
Gemfile.lock
With bundler 2.2.10 run: after that the Gemfile.lock looks like this:
diff for better visibility
diff --git a/Gemfile.lock b/Gemfile.lock
index 11c6d9f..7075be4 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,13 +1,19 @@
GEM
- remote: https://rubygems.org/
remote: https://USER:PASSWORD@enterprise.contribsys.com/
specs:
- activesupport (6.0.3.4)
+ sidekiq-pro (5.2.1)
+ connection_pool (>= 2.2.3)
+ sidekiq (>= 6.1.0)
+
+GEM
+ remote: https://rubygems.org/
+ specs:
+ activesupport (6.1.2.1)
concurrent-ruby (~> 1.0, >= 1.0.2)
- i18n (>= 0.7, < 2)
- minitest (~> 5.1)
- tzinfo (~> 1.1)
- zeitwerk (~> 2.2, >= 2.2.2)
+ i18n (>= 1.6, < 2)
+ minitest (>= 5.1)
+ tzinfo (~> 2.0)
+ zeitwerk (~> 2.3)
concurrent-ruby (1.1.8)
connection_pool (2.2.3)
i18n (1.8.9)
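Review bot: the defect in this hunk is the activesupport line: a plain `bundle install` against an existing lockfile rewrote `activesupport (6.0.3.4)` to `activesupport (6.1.2.1)` and replaced its dependency constraints (`tzinfo (~> 1.1)` becomes `tzinfo (~> 2.0)`, `minitest (~> 5.1)` becomes `minitest (>= 5.1)`), so the resolver re-resolved instead of honoring the lock. The reshaping around it, one `GEM` block per `remote:` with `sidekiq-pro (5.2.1)` pinned under the enterprise source, is the part worth keeping: the old single block with two remotes gave bundler no way to say which source a gem name belongs to, so a fix should preserve the per-source blocks while leaving locked versions untouched. Separately, `remote: https://USER:PASSWORD@enterprise.contribsys.com/` is only context here, but credentials in a committed lockfile belong in `bundle config set --global enterprise.contribsys.com USER:PASSWORD` so the lockfile carries the bare URL.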
@@ -19,12 +25,8 @@ GEM
connection_pool (>= 2.2.2)
rack (~> 2.0)
redis (>= 4.2.0)
- sidekiq-pro (5.2.1)
- connection_pool (>= 2.2.3)
- sidekiq (>= 6.1.0)
- thread_safe (0.3.6)
- tzinfo (1.2.9)
- thread_safe (~> 0.1)
+ tzinfo (2.0.4)
+ concurrent-ruby (~> 1.0)
zeitwerk (2.4.2)
PLATFORMS
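Review bot: the `tzinfo (1.2.9)` to `tzinfo (2.0.4)` change crosses a major version and drops the `thread_safe (0.3.6)` entry that 1.x depended on, during what the reporter describes as a plain `bundle install` with no `bundle update`; a resolver change that can move a transitive dependency across a major boundary without being asked needs a regression test on exactly this lockfile shape, two remotes in one `GEM` block plus a gem that only exists on the private one. Removing `sidekiq-pro (5.2.1)` in this hunk is just its relocation into the enterprise-source block of the previous hunk and is fine on its own.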
@@ -38,4 +40,4 @@ RUBY VERSION
ruby 2.7.2p137
BUNDLED WITH
- 2.2.8
+ 2.2.10
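Review bot: bumping `BUNDLED WITH` from `2.2.8` to `2.2.10` is expected on install, but it hides that the rest of the file changed too; anyone relying on a committed lockfile should run CI with `BUNDLE_FROZEN=true` (or `bundle config set --local frozen true`) so bundler aborts when the lock would be rewritten, which would have turned this silent upgrade into a hard failure at the first run.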
For now I reverted the change that caused this issue and released that as 2.2.11. I'll try to reintroduce the secure mode I wanted to introduce without breaking this in future releases.
Isn't there a test of like
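The three things the diff above surfaces (two remotes sharing one `GEM` block, a remote URL carrying credentials, and pinned versions moving on a plain install) can be checked mechanically before a lockfile is committed. The script below is an added example written for this page, not code from bundler or from anyone in this thread; it assumes the standard lockfile layout, and its two sample lockfiles are constructed from the diff above, keeping the reporter's `USER:PASSWORD` placeholder.

```ruby
# Added example, not bundler's code: audit Gemfile.lock snapshots for source
# ambiguity, credentials in remotes, and version drift after a plain install.
# The two lockfiles below are constructed from the diff in this issue.
require "uri"

GemSpec = Struct.new(:name, :version, :remotes)

# Parse every GEM block into {name => GemSpec}, recording the remotes the block
# listed. Assumes the standard layout: "GEM", "  remote: URL", "  specs:",
# "    name (version)" for gems and "      dep (constraint)" for dependencies.
def parse_lockfile(text)
  specs = {}
  remotes = []
  in_gem = false
  text.each_line do |raw|
    line = raw.chomp
    case line
    when "GEM"
      in_gem = true
      remotes = []                # fresh array per block; earlier specs keep theirs
    when /\A[A-Z][A-Z ]*\z/       # PLATFORMS, DEPENDENCIES, RUBY VERSION, BUNDLED WITH
      in_gem = false
    when /\A  remote: (\S+)\z/
      remotes << $1 if in_gem
    when /\A    ([^\s(]+) \(([^)]+)\)\z/
      specs[$1] = GemSpec.new($1, $2, remotes) if in_gem
    end
  end
  specs
end

# Gems whose block lists more than one remote: bundler cannot tell which source
# the gem belongs to, so a same-named gem on the other source could satisfy it.
def ambiguous_sources(specs)
  specs.values.select { |s| s.remotes.size > 1 }.map(&:name)
end

# Remotes that carry userinfo; these belong in `bundle config`, not in the lock.
def remotes_with_credentials(specs)
  specs.values.flat_map(&:remotes).uniq.select { |r| URI(r).userinfo }
end

# Pins that changed between two snapshots: after a plain `bundle install`
# this hash should be empty.
def version_drift(before, after)
  before.each_with_object({}) do |(name, spec), drift|
    other = after[name]
    drift[name] = [spec.version, other.version] if other && other.version != spec.version
  end
end

def audit(before_text, after_text)
  before = parse_lockfile(before_text)
  after  = parse_lockfile(after_text)
  {
    ambiguous_before: ambiguous_sources(before),
    ambiguous_after:  ambiguous_sources(after),
    credentials:      remotes_with_credentials(after),
    drift:            version_drift(before, after),
  }
end

# Constructed from the issue's "before" lockfile: two remotes in one GEM block.
BEFORE_LOCK = <<~'LOCK'
  GEM
    remote: https://rubygems.org/
    remote: https://USER:PASSWORD@enterprise.contribsys.com/
    specs:
      activesupport (6.0.3.4)
        tzinfo (~> 1.1)
      sidekiq-pro (5.2.1)
        sidekiq (>= 6.1.0)
      tzinfo (1.2.9)
        thread_safe (~> 0.1)

  PLATFORMS
    ruby

  BUNDLED WITH
     2.2.8
LOCK

# Constructed from the issue's "after" lockfile: one GEM block per remote,
# but activesupport and tzinfo were re-resolved to newer versions.
AFTER_LOCK = <<~'LOCK'
  GEM
    remote: https://USER:PASSWORD@enterprise.contribsys.com/
    specs:
      sidekiq-pro (5.2.1)
        sidekiq (>= 6.1.0)

  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (6.1.2.1)
        tzinfo (~> 2.0)
      tzinfo (2.0.4)

  PLATFORMS
    ruby

  BUNDLED WITH
     2.2.10
LOCK

pp audit(BEFORE_LOCK, AFTER_LOCK) if __FILE__ == $PROGRAM_NAME
```

Run it against your own pre- and post-install copies of `Gemfile.lock`; a non-empty `:drift` on a plain install is the symptom this issue reports, a non-empty `:ambiguous_before` is the layout that made the source pinning necessary, and anything in `:credentials` should be moved out of the lockfile into `bundle config`.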
There are a lot of cases that test this, have a look at our test suite if you're interested. We just failed to catch this specific situation unfortunately, hopefully we'll cover it better next time.
In my experience yanking ruby gems ends up being more harmful than helpful, so I won't be yanking 2.2.10 as I already stated in #4380 (comment).
Describe the problem as clearly as you can
bundle install is installing wrong gem versions

Post steps to reproduce the problem

What were you expecting to happen?
bundle install should not modify Gemfile.lock
bundle install should install dependencies specified in Gemfile.lock

What actually happened?
bundle install updates gems. This behaviour is not happening with 2.2.9