[rubygems/rubygems] Fix locking of incorrect version of git gem in an edge case

In particular, when a gem registry transitive dependency is changed to a git source direct dependency. https://github.com/rubygems/rubygems/commit/bcdc7660d9
2024-11-19 21:21:20 +01:00 · 2024-11-19 21:21:20 +01:00 · ac5661db7b
commit ac5661db7b
parent 486485a535
2 changed files with 63 additions and 2 deletions
--- a/lib/bundler/definition.rb
+++ b/lib/bundler/definition.rb
@ -950,7 +950,7 @@ module Bundler
        if dep
          gemfile_source = dep.source || default_source

-          deps << dep if !dep.source || lockfile_source.include?(dep.source)
+          deps << dep if !dep.source || lockfile_source.include?(dep.source) || new_deps.include?(dep)

          # Replace the locked dependency's source with the equivalent source from the Gemfile
          s.source = gemfile_source
--- a/spec/bundler/lock/git_spec.rb
+++ b/spec/bundler/lock/git_spec.rb
@ -1,7 +1,7 @@
 # frozen_string_literal: true

 RSpec.describe "bundle lock with git gems" do
-  before :each do
+  let(:install_gemfile_with_foo_as_a_git_dependency) do
    build_git "foo"

    install_gemfile <<-G
@ -11,10 +11,14 @@ RSpec.describe "bundle lock with git gems" do
  end

  it "doesn't break right after running lock" do
+    install_gemfile_with_foo_as_a_git_dependency
+
    expect(the_bundle).to include_gems "foo 1.0.0"
  end

  it "doesn't print errors even if running lock after removing the cache" do
+    install_gemfile_with_foo_as_a_git_dependency
+
    FileUtils.rm_rf(Dir[default_cache_path("git/foo-1.0-*")].first)

    bundle "lock --verbose"
@ -23,6 +27,8 @@ RSpec.describe "bundle lock with git gems" do
  end

  it "prints a proper error when changing a locked Gemfile to point to a bad branch" do
+    install_gemfile_with_foo_as_a_git_dependency
+
    gemfile <<-G
      source "https://gem.repo1"
      gem 'foo', :git => "#{lib_path("foo-1.0")}", :branch => "bad"
@ -34,6 +40,8 @@ RSpec.describe "bundle lock with git gems" do
  end

  it "prints a proper error when installing a Gemfile with a locked ref that does not exist" do
+    install_gemfile_with_foo_as_a_git_dependency
+
    lockfile <<~L
      GIT
        remote: #{lib_path("foo-1.0")}
@ -61,6 +69,8 @@ RSpec.describe "bundle lock with git gems" do
  end

  it "locks a git source to the current ref" do
+    install_gemfile_with_foo_as_a_git_dependency
+
    update_git "foo"
    bundle :install

@ -73,6 +83,8 @@ RSpec.describe "bundle lock with git gems" do
  end

  it "properly clones a git source locked to an out of date ref" do
+    install_gemfile_with_foo_as_a_git_dependency
+
    update_git "foo"

    bundle :install, env: { "BUNDLE_PATH" => "foo" }
@ -80,6 +92,8 @@ RSpec.describe "bundle lock with git gems" do
  end

  it "properly fetches a git source locked to an unreachable ref" do
+    install_gemfile_with_foo_as_a_git_dependency
+
    # Create a commit and make it unreachable
    git "checkout -b foo ", lib_path("foo-1.0")
    unreachable_sha = update_git("foo").ref_for("HEAD")
@ -118,6 +132,8 @@ RSpec.describe "bundle lock with git gems" do
  end

  it "properly fetches a git source locked to an annotated tag" do
+    install_gemfile_with_foo_as_a_git_dependency
+
    # Create an annotated tag
    git("tag -a v1.0 -m 'Annotated v1.0'", lib_path("foo-1.0"))
    annotated_tag = git("rev-parse v1.0", lib_path("foo-1.0"))
@ -154,9 +170,54 @@ RSpec.describe "bundle lock with git gems" do
  end

  it "provides correct #full_gem_path" do
+    install_gemfile_with_foo_as_a_git_dependency
+
    run <<-RUBY
      puts Bundler.rubygems.find_name('foo').first.full_gem_path
    RUBY
    expect(out).to eq(bundle("info foo --path"))
  end
+
+  it "does not lock versions that don't exist in the repository when changing a GEM transitive dep to a GIT direct dep" do
+    build_repo4 do
+      build_gem "activesupport", "8.0.0" do |s|
+        s.add_dependency "securerandom"
+      end
+
+      build_gem "securerandom", "0.3.1"
+    end
+
+    path = lib_path("securerandom")
+
+    build_git "securerandom", "0.3.2", path: path
+
+    lockfile <<~L
+      GEM
+        remote: https://gem.repo4/
+        specs:
+          activesupport (8.0.0)
+            securerandom
+          securerandom (0.3.1)
+
+      PLATFORMS
+        #{lockfile_platforms}
+
+      DEPENDENCIES
+        activesupport
+
+      BUNDLED WITH
+         #{Bundler::VERSION}
+    L
+
+    gemfile <<~G
+      source "https://gem.repo4"
+
+      gem "activesupport"
+      gem "securerandom", git: "#{path}"
+    G
+
+    bundle "lock"
+
+    expect(lockfile).to include("securerandom (0.3.2)")
+  end
 end