Bundler: Honor Gemspec Version Requirements

[pboling]

When a gem server must be specified, it is currently impossible for gem version requirements to follow the "dry"-paradigm, which can result in some confusing issues.

If I have published a private gem called "my_gem" on a private gemserver, and I have released versions: 1.0.0, 2.0.0, and 3.0.0, each with breaking changes.

If I have an old gem that depends on the older API of 1.0.0, and my Gemspec strictly enforces this:

spec.add_dependency("my_gem", "1.0.0")

I have to specify the source in my Gemfile:

source "https://rubygems.org"

# Specify your gem's dependencies in vc_gem.gemspec
gemspec

source "https://gem.fury.io/private/" do
  gem "my_gem"
end

I will end up with a Gemfile.lock like this, which is not entirely expected:

GEM
  remote: https://gem.fury.io/private/
  specs:
    my_gem (3.0.0) # <============================ WRONG!!!!!!!!!!

DEPENDENCIES
  my_gem!

Note that the placement of the gemspec directive makes no difference, whether before or after the source block.

The only way to get the correct source, and the correct version is to (re)specify the version when specifying the source as follows in the Gemfile:

source "https://gem.fury.io/private/" do
  gem "my_gem", "1.0.0"
end

The duplicate declaration of the version is problematic, because, if we add two layers to this cake, I have gem, called "llama" that depends on "my_gem" version 1.0.0, and it will have to reduplicate the version in both its gemspec and its Gemfile.

Then, I have an app that depends on "llama", and it will also have to specify each of these gems as coming from the private server. It will have to duplicate, again, the version requirement of the sub-dependencies that are already explicitly set by each gem, but cannot help but be overridden.

Now make this stack of gems, apps, apps mounted inside other apps, many, many more layers deep, and it is a pain.

[deivid-rodriguez]

I have the same expectation you have 🤔

I tried writing a spec to represent your situation and it worked as we both expect. Does this sounds like the kind of setup you have?

+    context "when a top-level gem has an indirect dependency present in the default source, but with a higher version from the one resolved" do
+      before do
+        build_lib "vc_gem", "1.0.0", :path => bundled_app do |s|
+          s.add_dependency "my_gem", "1.0.0"
+        end
+
+        build_repo gem_repo4 do
+          build_gem "my_gem", "1.0.0"
+          build_gem "my_gem", "3.0.0"
+        end
+
+        gemfile <<-G
+          source "https://gem.repo2"
+
+          gemspec
+
+          source "https://gem.repo4" do
+            gem "my_gem"
+          end
+        G
+      end
+
+      it "installs all gems without warning" do
+        bundle :install, :artifice => "compact_index"
+        expect(the_bundle).to include_gem("my_gem 1.0.0")
+      end
+    end
+

[pboling]

It gets weirder.

If I change the gemspec requirement to use a version of "~> 8.1.1", and run bundle install, there are no changes,
Run bundle update, and again no change at all.
Delete Gemfile.lock, and run bundle install, still no change.
Delete Gemfile.lock, and run bundle update, still no change.

OK, that's all consistent with the apparent bug evidenced above.

Repeat with "~> 8.0.0", same, Gemfile.lock is still consistent with the evidenced bug.
Repeat with "~> 8.0", same, Gemfile.lock is still consistent with the evidenced bug.

Remove the source block, same, Gemfile.lock is still consistent with the evidenced bug! Apparently this may not be relevant?!

That final state is the second commit, still with the unexpected version in the Gemfile.lock.

Here's the bundle env which shows the issue clearly.

Environment

Bundler       2.4.13
  Platforms   ruby, arm64-darwin-22
Ruby          3.2.2p53 (2023-03-30 revision e51014f9c05aa65cbf203442d37fef7c12390015) [arm64-darwin-22]
  Full Path   /Users/pboling/.asdf/installs/ruby/3.2.2/bin/ruby
  Config Dir  /Users/pboling/.asdf/installs/ruby/3.2.2/etc
RubyGems      3.4.13
  Gem Home    /Users/pboling/.asdf/installs/ruby/3.2.2/lib/ruby/gems/3.2.0
  Gem Path    /Users/pboling/.gem/ruby/3.2.0:/Users/pboling/.asdf/installs/ruby/3.2.2/lib/ruby/gems/3.2.0
  User Home   /Users/pboling
  User Path   /Users/pboling/.gem/ruby/3.2.0
  Bin Dir     /Users/pboling/.asdf/installs/ruby/3.2.2/bin
Tools         
  Git         2.40.1
  RVM         not installed
  rbenv       not installed
  chruby      not installed

Bundler Build Metadata

Built At          2023-05-10
Git SHA           26eb456c6c
Released Version  true

Bundler settings

build.nokogiri
  Set for the current user (/Users/pboling/.bundle/config): "--use-system-libraries"
gem.changelog
  Set for the current user (/Users/pboling/.bundle/config): true
gem.ci
  Set for the current user (/Users/pboling/.bundle/config): "gitlab"
gem.coc
  Set for the current user (/Users/pboling/.bundle/config): false
gem.fury.io
  Set via BUNDLE_GEM__FURY__IO: "CaPoUaqANxuSid4F8XJT"
gem.linter
  Set for the current user (/Users/pboling/.bundle/config): "rubocop"
gem.mit
  Set for the current user (/Users/pboling/.bundle/config): true
gem.test
  Set for the current user (/Users/pboling/.bundle/config): "rspec"

Gemfile

Gemfile

# frozen_string_literal: true

source "https://rubygems.org"

# Specify your gem's dependencies in bundler-dry_version.gemspec
gemspec

gem "rubocop-lts"

Gemfile.lock

PATH
  remote: .
  specs:
    bundler-dry_version (0.1.0)

GEM
  remote: https://rubygems.org/
  specs:
    ast (2.4.2)
    diff-lcs (1.5.0)
    diffy (3.4.2)
    json (2.6.3)
    language_server-protocol (3.17.0.3)
    lint_roller (1.0.0)
    parallel (1.23.0)
    parser (3.2.2.3)
      ast (~> 2.4.1)
      racc
    racc (1.7.0)
    rainbow (3.1.1)
    regexp_parser (2.8.0)
    rexml (3.2.5)
    rubocop (1.52.0)
      json (~> 2.3)
      parallel (~> 1.10)
      parser (>= 3.2.0.0)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
      rubocop-ast (>= 1.28.0, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 3.0)
    rubocop-ast (1.29.0)
      parser (>= 3.2.1.0)
    rubocop-gradual (0.3.1)
      diff-lcs (>= 1.2.0, < 2.0)
      diffy (~> 3.0)
      parallel (~> 1.10)
      rainbow (>= 2.2.2, < 4.0)
      rubocop (~> 1.0)
    rubocop-lts (24.0.2)
      rubocop-ruby3_2 (>= 2.0.5, < 3)
      standard-rubocop-lts (>= 1.0.3, < 3)
      version_gem (>= 1.1.2, < 3)
    rubocop-md (1.2.0)
      rubocop (>= 1.0)
    rubocop-performance (1.18.0)
      rubocop (>= 1.7.0, < 2.0)
      rubocop-ast (>= 0.4.0)
    rubocop-rake (0.6.0)
      rubocop (~> 1.0)
    rubocop-ruby3_2 (2.0.6)
      rubocop-gradual (~> 0.3)
      rubocop-md (~> 1.2)
      rubocop-rake (~> 0.6)
      rubocop-shopify (~> 2.13)
      rubocop-thread_safety (~> 0.5)
      standard-rubocop-lts (>= 1.0.6, < 2)
      version_gem (>= 1.1.2, < 3)
    rubocop-shopify (2.13.0)
      rubocop (~> 1.50)
    rubocop-thread_safety (0.5.1)
      rubocop (>= 0.90.0)
    ruby-progressbar (1.13.0)
    standard (1.29.0)
      language_server-protocol (~> 3.17.0.2)
      lint_roller (~> 1.0)
      rubocop (~> 1.52.0)
      standard-custom (~> 1.0.0)
      standard-performance (~> 1.1.0)
    standard-custom (1.0.1)
      lint_roller (~> 1.0)
    standard-performance (1.1.0)
      lint_roller (~> 1.0)
      rubocop-performance (~> 1.18.0)
    standard-rubocop-lts (1.0.7)
      standard (>= 1.29, < 2)
      standard-custom (>= 1.0.1, < 2)
      standard-performance (~> 1.1, < 2)
      version_gem (>= 1.1.3, < 4)
    unicode-display_width (2.4.2)
    version_gem (1.1.3)

PLATFORMS
  arm64-darwin-22

DEPENDENCIES
  bundler-dry_version!
  rubocop-lts

BUNDLED WITH
   2.4.13

Gemspecs

bundler-dry_version.gemspec

# frozen_string_literal: true

require_relative "lib/bundler/dry_version/version"

Gem::Specification.new do |spec|
  spec.name = "bundler-dry_version"
  spec.version = Bundler::DryVersion::VERSION
  spec.authors = ["Peter Boling"]
  spec.email = ["[email protected]"]

  spec.summary = "Bundler + gemspec behavior example"
  spec.description = "Demonstrates some confusing behavior of bundler + gemspec
  https://github.com/rubygems/rubygems/discussions/6726#discussioncomment-6130139"
  spec.homepage = "https://github.com/rubygems/rubygems/discussions/6726#discussioncomment-6130139"
  spec.license = "MIT"
  spec.required_ruby_version = ">= 2.6.0"

  spec.metadata["homepage_uri"] = spec.homepage
  spec.metadata["source_code_uri"] = "https://github.com/rubocop-lts/bundler-dry_version"

  # Specify which files should be added to the gem when it is released.
  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
  spec.files = Dir.chdir(__dir__) do
    `git ls-files -z`.split("\x0").reject do |f|
      (File.expand_path(f) == __FILE__) || f.start_with?(*%w[bin/ test/ spec/ features/ .git .circleci appveyor])
    end
  end
  spec.bindir = "exe"
  spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
  spec.require_paths = ["lib"]

  # The version here will be constrained to a much lower version that the latest release, which is v24.
  # See Gemfile, and Gemfile.lock for the interplay.
  spec.add_development_dependency "rubocop-lts", "~> 8.0"

  # For more information and examples about making a new gem, check out our
  # guide at: https://bundler.io/guides/creating_gem.html
end

[pboling]

Bottom line is I can't get it to work at all... so I'm thinking/hoping maybe your example spec was failing rather than that your spec env is not working. 😄

[deivid-rodriguez]

Nope, the spec I wrote is passing.

From your initial report, you have now changed things to use add_development_dependency, instead of add_dependency. In that case, it is expected that the development dependency of the gemspec is ignored in a Gemfile context.

In that case, I need to have another look. It may be related to #6014. For now you can workaround this by removing add_development_dependency and put the dependency under the :development group in your Gemfile directly.

[pboling]

I didn't even realize I made that switch. 🤦 I'll see if I can repro it the way I originally reported. Perhaps that was the entire source of my issue.

[pboling]

My confusion definitely came from an expectation I had that the gemspec / Gemfile version specification behavior was the same between runtime and development dependencies, but that is apparently not the case. It works as expected for runtime dependencies, and it works as designed for development dependencies.

From now on I will put development dependencies in the Gemfile only, and remove them from all my gemspecs. :)