-
-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bundle updates are moving dependencies from global to secondary source #7540
Comments
Does the secondary source include |
Here is a snippet of the secondary source in the
The secondary source does include Let me know if I can provide any other details here to help look into the issue. |
Yeah, I meant if there was a gem called If you could create a dummy github packages source that simulates the situation, replacing your private gems with dummy gems, that would be ideal. |
Hmmm @deivid-rodriguez do you have a recommendation on how to create a dummy GH Packages source that others can access? I wasn't aware that that was possible. |
@deivid-rodriguez I was able to reproduce this by writing a failing test for Bundler, which fails on v2.5.7, but passes on Also notice how it doesn't matter if are any gems within the context "with multiple sources and caching enabled" do
before do
build_repo2 do
build_gem "rack", "1.0.0"
build_gem "request_store", "1.0.0" do |s|
s.add_dependency "rack", "1.0.0"
end
end
build_repo4 do
# set up repo with no gems
end
gemfile <<~G
source "#{file_uri_for(gem_repo2)}"
gem "request_store"
source "#{file_uri_for(gem_repo4)}" do
end
G
lockfile <<~L
GEM
remote: #{file_uri_for(gem_repo2)}/
specs:
rack (1.0.0)
request_store (1.0.0)
rack (= 1.0.0)
GEM
remote: #{file_uri_for(gem_repo4)}/
specs:
PLATFORMS
#{local_platform}
DEPENDENCIES
request_store
BUNDLED WITH
#{Bundler::VERSION}
L
end
it "works" do
bundle :install
bundle :cache
update_repo2 do
build_gem "request_store", "1.1.0" do |s|
s.add_dependency "rack", "1.0.0"
end
end
bundle "update request_store"
expect(out).to include("Bundle updated!")
expect(lockfile).to eq <<~L
GEM
remote: #{file_uri_for(gem_repo2)}/
specs:
rack (1.0.0)
request_store (1.1.0)
rack (= 1.0.0)
GEM
remote: #{file_uri_for(gem_repo4)}/
specs:
PLATFORMS
#{local_platform}
DEPENDENCIES
request_store
BUNDLED WITH
#{Bundler::VERSION}
L
end
end |
Nice! Well, coincidentally, it seems that #7516 has also fixed this problem 🎉. I will release the fix for that next week. Happy to get your test contributed to avoid regressing here. |
Closing this as fixed by #7516, please do contribute your test case! |
Great, thanks @deivid-rodriguez! I've opened #7544. |
Bundler is moving a bunch of dependencies from our primary source (
https://rubygems.org/
) withinGemfile.lock
to a secondary source, when there is an overlap of sub-dependencies between sources. That secondary source includes a gem that has one of the same sub-dependencies as the dependencies that were moved, which I think is the likely cause.The removals are within the
https://rubygems.org/
source, while the additions are within a private source (in our case, a GItHub Packages RubyGems registry).I originally thought this was a Dependabot-specific issue (dependabot/dependabot-core#9326), but I've now seen it happen when doing gem updates locally, so I think it's actually a Bundler issue.
This has been happening at least since Bundler v2.5.4, and still on v2.5.6.
The text was updated successfully, but these errors were encountered: