
bundle install is not conservative

Open joe-sharp opened this issue 1 year ago • 1 comments

Describe the problem as clearly as you can

According to the help (bundle help install), "In development, you can modify your Gemfile(5) and re-run bundle install to conservatively update your Gemfile.lock snapshot."

In practice this doesn't work and will update indirect dependencies to their latest releases. This makes it impossible to use Bundler to update only one major release without also updating dependencies, when multiple major releases exist. (See https://github.com/rubygems/rubygems/issues/8090)

I actually think both behaviors could be useful. It might be best to leave bundle install non-conservative, correct the docs to reflect that, but additionally add a --conservative flag to use.

Did you try upgrading rubygems & bundler?

Yes, running the latest of both:

/private/tmp/gem 🔮❯❯❯ bundler -v
Bundler version 2.5.20
/private/tmp/gem 🔮❯❯❯ gem -v
3.5.20

Post steps to reproduce the problem

Start with the following Gemfile and Gemfile.lock

/private/tmp/gem 🔮❯❯❯ cat Gemfile
# frozen_string_literal: true

source "https://rubygems.org"

gem 'psych', '~> 4.0'
/private/tmp/gem 🔮❯❯❯ cat Gemfile.lock
GEM
  remote: https://rubygems.org/
  specs:
    psych (4.0.6)
      stringio
    stringio (3.1.0)

PLATFORMS
  arm64-darwin-22
  ruby

DEPENDENCIES
  psych (~> 4.0)

BUNDLED WITH
   2.5.20

Then proceed with the following:

/private/tmp/gem 🔮❯❯❯ cat Gemfile
# frozen_string_literal: true

source "https://rubygems.org"

gem 'psych', '~> 4.0'

/private/tmp/gem 🔮❯❯❯ sed -i '' 's/4.0/5.0/g' Gemfile
/private/tmp/gem 🔮❯❯❯ cat Gemfile
# frozen_string_literal: true

source "https://rubygems.org"

gem 'psych', '~> 5.0'

/private/tmp/gem 🔮❯❯❯ bundle install
Fetching gem metadata from https://rubygems.org/........
Resolving dependencies...
Using stringio 3.1.1 (was 3.1.0)
Using psych 5.1.2 (was 4.0.6)
Bundle complete! 1 Gemfile dependency, 3 gems now installed.
Use `bundle info [gemname]` to see where a bundled gem is installed.

Which command did you run?

bundle install

What were you expecting to happen?

Only psych should have updated.

What actually happened?

stringio was also updated.

If not included with the output of your command, run bundle env and paste the output below

/private/tmp/gem 🔮❯❯❯ bundle env

Environment

Bundler       2.5.20
  Platforms   ruby, arm64-darwin-22
Ruby          3.3.4p94 (2024-07-09 revision be1089c8ec5ba40e09b1553e36b3174bf4014d9d) [arm64-darwin-22]
  Full Path   /Users/joesharp/.asdf/installs/ruby/3.3.4/bin/ruby
  Config Dir  /Users/joesharp/.asdf/installs/ruby/3.3.4/etc
RubyGems      3.5.20
  Gem Home    /Users/joesharp/.asdf/installs/ruby/3.3.4/lib/ruby/gems/3.3.0
  Gem Path    /Users/joesharp/.gem/ruby/3.3.0:/Users/joesharp/.asdf/installs/ruby/3.3.4/lib/ruby/gems/3.3.0
  User Home   /Users/joesharp
  User Path   /Users/joesharp/.gem/ruby/3.3.0
  Bin Dir     /Users/joesharp/.asdf/installs/ruby/3.3.4/bin
Tools
  Git         2.39.2 (Apple Git-143)
  RVM         not installed
  rbenv       not installed
  chruby      not installed

Bundler Build Metadata

Built At          2024-09-24
Git SHA           a0fc99594a
Released Version  true

Bundler settings

auto_install
  Set for the current user (/Users/joesharp/.bundle/config): true
jobs
  Set for the current user (/Users/joesharp/.bundle/config): 9

Gemfile

Gemfile

# frozen_string_literal: true

source "https://rubygems.org"

gem 'psych', '~> 4.0'

Gemfile.lock

GEM
  remote: https://rubygems.org/
  specs:
    psych (4.0.6)
      stringio
    stringio (3.1.0)

PLATFORMS
  arm64-darwin-22
  ruby

DEPENDENCIES
  psych (~> 4.0)

BUNDLED WITH
   2.5.20

joe-sharp Oct 02 '24 01:10
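An added check, not code from the issue or the rubygems project: it diffs the locked versions in the two Gemfile.lock snapshots shown above and reports indirect gems whose version moved, which is how a CI step could detect the non-conservative behaviour this report describes. The lock text is constructed from the issue's files, and the function names are assumptions.

```ruby
# Added check (not from the rubygems project): compare two Gemfile.lock
# snapshots and flag locked gems whose version moved even though they are
# not named in DEPENDENCIES. After editing only psych's requirement, a
# conservative `bundle install` should leave such indirect gems untouched.

# {gem => version} from the "specs:" section. Spec lines are indented 4
# spaces; 6-space lines are a spec's own dependencies and are skipped.
def locked_versions(lock)
  lock.scan(/^ {4}(\S+) \(([^)]+)\)$/).to_h
end

# Gem names listed under DEPENDENCIES (a trailing "!" marks a non-rubygems
# source and is not part of the name).
def direct_deps(lock)
  lock[/^DEPENDENCIES\n((?: {2}.*\n?)+)/, 1].to_s
      .scan(/^ {2}(\S+)/).flatten.map { |n| n.chomp("!") }
end

# Gems whose locked version differs, split into :direct (named in DEPENDENCIES,
# so a Gemfile edit can explain it) and :indirect (transitive: not conservative).
def lock_diff(before, after)
  old, new = locked_versions(before), locked_versions(after)
  direct = direct_deps(after)
  diff = { direct: {}, indirect: {} }
  (old.keys | new.keys).each do |name|
    next if old[name] == new[name]
    diff[direct.include?(name) ? :direct : :indirect][name] = [old[name], new[name]]
  end
  diff
end

# Constructed from the issue's lock files (PLATFORMS / BUNDLED WITH omitted).
LOCK_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      psych (4.0.6)
        stringio
      stringio (3.1.0)

  DEPENDENCIES
    psych (~> 4.0)
LOCK
# The lock as bundle install rewrote it after the Gemfile bump to "~> 5.0".
LOCK_AFTER = LOCK_BEFORE.sub("psych (4.0.6)", "psych (5.1.2)")
                        .sub("stringio (3.1.0)", "stringio (3.1.1)")
                        .sub("psych (~> 4.0)", "psych (~> 5.0)")

indirect = lock_diff(LOCK_BEFORE, LOCK_AFTER)[:indirect]
puts "indirect gems bumped: #{indirect.inspect}" unless indirect.empty?
```

Pointing the script at the real before/after lock files (e.g. `git show HEAD:Gemfile.lock` versus the working copy) gives the same report for a real project.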

Hello 👋!

bundle install is expected to always be conservative, and I don't think we should change that. So I'd consider this just as a bug. If you don't want the conservative behavior, you could always run bundle update psych, which is expected to update the gem and its dependencies, unless run with --conservative.

In other words, I don't think we need an extra flag, but I think we should fix this.

deivid-rodriguez Oct 02 '24 10:10

Confirmed that all you need is the provided Gemfile and Gemfile.lock.

Demonstration using the testcase
~/test/rgtest$ ls -a
./  ../  Gemfile  Gemfile.lock
~/test/rgtest$ cat Gemfile
source "https://rubygems.org"
gem "psych", "~> 4.0"
~/test/rgtest$ cat Gemfile.lock 
GEM
  remote: https://rubygems.org/
  specs:
    psych (4.0.6)
      stringio
    stringio (3.1.0)

PLATFORMS
  ruby
  x86_64-linux

DEPENDENCIES
  psych (~> 4.0)

BUNDLED WITH
   2.6.0.dev
~/test/rgtest$ bundle install
Fetching gem metadata from https://rubygems.org/........
Fetching stringio 3.1.0
Installing stringio 3.1.0 with native extensions
Fetching psych 4.0.6
Installing psych 4.0.6 with native extensions
Bundle complete! 1 Gemfile dependency, 3 gems now installed.
Bundled gems are installed into `./.bundle/gems`
~/test/rgtest$ sed -i '' 's/4.0/5.0/g' Gemfile
sed: can't read s/4.0/5.0/g: No such file or directory
~/test/rgtest$ sed -i'' 's/4.0/5.0/g' Gemfile                                                                                                                                            [2]
~/test/rgtest$ cat Gemfile
source "https://rubygems.org"
gem "psych", "~> 5.0"
~/test/rgtest$ bundle install
Fetching gem metadata from https://rubygems.org/........
Resolving dependencies...
Fetching stringio 3.1.1 (was 3.1.0)
Installing stringio 3.1.1 (was 3.1.0) with native extensions
Fetching psych 5.1.2 (was 4.0.6)
Installing psych 5.1.2 (was 4.0.6) with native extensions
Bundle complete! 1 Gemfile dependency, 3 gems now installed.
Bundled gems are installed into `./.bundle/gems`
~/test/rgtest$

duckinator Nov 01 '24 00:11

I proposed a fix for this at #8281.

deivid-rodriguez Nov 21 '24 12:11