Incorrect path determined for some dependencies resulting in invalid cached licenses #172

Closed
cpruitt opened this issue Aug 19, 2019 · 2 comments · Fixed by #173


@cpruitt

cpruitt commented Aug 19, 2019

When caching dependencies for our app, several dependencies are resulting in warnings related to incorrect dependency paths. Those incorrect paths cause failures in license caching if the license needs to be updated and dependencies are cached with a license of "none".

I haven't looked into this too deeply so far but I did notice that Licensed::Dependency is initialized multiple times for activerecord (the one I was picking out). The first time, the path given was correct. The second time it was not.

@jonabc

jonabc commented Aug 20, 2019

Chatted with @cpruitt and looked into this - the problem is that the bundler source is surfacing multiple versions of the same dependency from Gemfile.lock, while only a single version of the dependency is present. When multiple versions of the same dependency are present, and the path of the cached file isn't keyed on the dependency version, results are dependent on the order of evaluation.

As an example, both activerecord 5.x and 6.x were listed in Gemfile.lock but only 6.x was installed. Since the 5.x dependency version was evaluated last, it is overwriting what's cached for the valid 6.x dependency.

I'm going to look into a fix for the bundler source that handles multiple versions of the same dependency, similar to how the npm source works.

  • this workaround to find the right gem_dir is only needed when ruby_packer? is true.
  • add version requirement info to this call
  • allow multiple versions of a dependency to be cached separately, e.g. in this case activerecord-6.x... would be cached properly while activerecord-5.x... would continue to raise an error. This at least allows you to ignore the missing activerecord-5.x... dependency while still having a valid 6.x file.
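
A small Ruby sketch of the collision described in the comment above. This is an added example, not code from the licensed project or from anyone in this thread. The Gemfile.lock fragment and the table of installed gems are constructed, and the .dep.yml cache file naming is an assumption made for illustration. It parses the specs: block of the lock file, builds the cache keyed first on name only and then on name plus version, and shows that only the latter is independent of evaluation order.

```ruby
# Added example (not licensed's own code): shows why caching a dependency's
# metadata under a file keyed only on its name makes the result depend on the
# order in which Gemfile.lock specs are evaluated, and why keying on
# name + version removes the collision.

# Constructed Gemfile.lock fragment modelled on the report: two versions of
# activerecord are listed although only one of them is installed.
GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activemodel (6.0.0)
        activesupport (= 6.0.0)
      activerecord (6.0.0)
        activemodel (= 6.0.0)
      activerecord (5.2.3)
        activemodel (= 5.2.3)
      activesupport (6.0.0)

  PLATFORMS
    ruby
LOCK

# Constructed stand-in for what is actually installed (real code would ask
# Gem::Specification); note there is no activerecord 5.2.3 gem directory.
INSTALLED = {
  "activemodel"   => { "6.0.0" => "/gems/activemodel-6.0.0" },
  "activerecord"  => { "6.0.0" => "/gems/activerecord-6.0.0" },
  "activesupport" => { "6.0.0" => "/gems/activesupport-6.0.0" },
}.freeze

# Parse the "specs:" block of a lock file into [name, version] pairs, in file
# order. Specs are indented four spaces; their dependency lines six.
def lock_specs(lock_text)
  specs = []
  in_specs = false
  lock_text.each_line do |raw|
    line = raw.chomp
    if line.strip == "specs:"
      in_specs = true
      next
    end
    next unless in_specs
    break if line.empty? || line !~ /\A\s/ # blank or unindented line ends the block
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      specs << [m[1], m[2]]
    end
  end
  specs
end

# Build the cache as a Hash of cache file name => record. The ".dep.yml"
# naming is an assumption made for this example. With key_on_version: false a
# later spec with the same name silently overwrites an earlier one.
def build_cache(specs, installed, key_on_version:)
  specs.each_with_object({}) do |(name, version), cache|
    path = installed.dig(name, version) # nil when that version is not installed
    key = key_on_version ? "#{name}-#{version}.dep.yml" : "#{name}.dep.yml"
    cache[key] = { "name" => name, "version" => version, "path" => path }
  end
end

# Cache entries whose gem directory could not be found.
def missing_entries(cache)
  cache.select { |_, record| record["path"].nil? }.keys
end

if $PROGRAM_NAME == __FILE__
  specs = lock_specs(GEMFILE_LOCK)
  [specs, specs.reverse].each do |order|
    by_name = build_cache(order, INSTALLED, key_on_version: false)
    by_version = build_cache(order, INSTALLED, key_on_version: true)
    puts "order: #{order.map { |n, v| "#{n}-#{v}" }.join(', ')}"
    puts "  name-keyed activerecord entry:  #{by_name['activerecord.dep.yml']}"
    puts "  version-keyed missing entries:  #{missing_entries(by_version)}"
  end
end
```

Run as a script: with name-only keys the activerecord entry is whichever version the lock file listed last, so the valid 6.0.0 record is lost when 5.2.3 follows it and comes back when the order is reversed. With name-plus-version keys the 6.0.0 entry keeps its path in either order and only activerecord-5.2.3 is reported missing, which is the split the third item in the list above asks for.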

@jonabc

jonabc commented Aug 20, 2019

What's increasingly confusing to me is why bundle install is not reporting any errors. It seems like gem specs are requiring dependencies that aren't installed, but everything is expected to still work alright?
