bundler install updates gems when it shouldn't

[pschambacher]

Tested on

• 1.8.3
• 1.8.5
• 1.9.0
• 1.9.1

Happening with: Gemfile with 2 sources (can't provide a working example because the second source is private)

Setup

source 'https://rubygems.org'
gem 'rails'
gem 'private_gem1', '~> 0.1', source: 'source 'https://private_gems.org''
gem 'private_gem2', '~> 0.1', source: 'source 'https://private_gems.org''

At this point, both gems are installed with version 0.1.

Reproduction

Now I change the Gemfile like so

source 'https://rubygems.org'
gem 'rails'
gem 'private_gem1', '~> 0.2', source: 'source 'https://private_gems.org''
gem 'private_gem2', '~> 0.1', source: 'source 'https://private_gems.org''

Gems available on the private server:

• private_gem1 0.1
• private_gem1 0.2
• private_gem2 0.1
• private_gem2 0.2
• private_gem2 0.3

bundle install

Expected result
private_gem1 is updated to version 0.2
private_gem2 is unaffected

Actual result
private_gem1 is updated to version 0.2
private_gem2 is updated to version 0.3

[indirect]

Thank you for the detailed report! I was able to reproduce and fix this bug, as well as add a test to prevent it from happening again. I'll be releasing Bundler 1.7, 1.8, and 1.9 to resolve this regression.

[pschambacher]

Thank you 👏
That should be 1.9.2 right?

[indirect]

Yup, just waiting for green specs!

[indirect]

Released fixes for this in 1.7.14 and 1.8.6. The fix will also be released in 1.9.2 as soon as the Travis build finishes. Thanks for the bug report!

[pschambacher]

No problem, thanks for the quick fix

[hodak]

Thank you! 🙇

[axlekb]

I'm still having an issue with bundle install on 1.9.2 ignoring Gemfile.lock gem versions for secondary sources.

Simplified setup (not actually tested, but as an example)

source 'https://rubygems.org'
gem 'bugsnag'
gem 'rails-assets-datatables', source: 'https://rails-assets.org'

If a more recent version of the gem is available, when I bundle install with no version set for rails-assets-datatables, it is updated to the latest version in Gemfile.lock.

Additionally, with no version in the Gemfile, all of the secondary source gems are updated on a bundle update.

[jeroenj]

Actualy it is partially fixed right now. If you define a source to a gem it will update the gem the first time you run bundle install after defining the source. When you would run bundle install again (after reverting the version changes in Gemfile.lock) it wo'nt update those gems and leave the versions defined in Gemfile.lock.

[indirect]

@axlekb @jeroenj the bug reported in this issue is fixed. if you're seeing a new bug, please follow ISSUES and report it with reproduction steps so that we can fix it.