Bundler 4.0.4 leaks incorrect source into gems

[ngan]

Describe the problem as clearly as you can

Bundler 4.0.4 includes a change to how the source is determined for a gem:

• Fix dependency source bug in bundler #9213

I think this change introduced a bug. Here's a copy-paste of what I'm seeing in terminal with some gem names and URLs redacted:

$ bundle update kt-paperclip

Fetching gem metadata from https://gemstash.my-private-gemstash.com/private/.....
Fetching gem metadata from https://gems.karafka.io/.
Fetching gem metadata from https://enterprise.contribsys.com/..
Fetching gem metadata from https://gems.graphql.pro/..
Fetching gem metadata from https://rubygems.org/........
Resolving dependencies...
Could not find compatible versions

Because my_custom_gem >= 2.3.0 depends on aws-sdk-elasticache ~> 1
  and aws-sdk-elasticache ~> 1 could not be found in rubygems repository https://gemstash.my-private-gemstash.com/private/,
  gusto-my_custom_gem >= 2.3.0 cannot be used.
So, because Gemfile depends on my_custom_gem = 2.4.7,
  version solving has failed.

I'm trying to bump the kt-paperclip gem and it's saying the aws-sdk-elasticache gem couldn't be found in my private gemstash--which makes sense. But, it shouldn't be looking for aws-sdk-elasticache there in the first place. My my_custom_gem is in my private gemstash. My guess is that the source for my gem is bleeding into aws-sdk-elasticache somehow.

I removed my_custom_gem from my gemfile and another, similar, problem surfaced where it was looking for a public gem inside a pathed source.

One piece of information that might be relevant is that my Gemfile does not declare a direct dependency on aws-sdk-elasticache. It is a dependency of my custom gem. I think the bundler rule is look in the same source as my_custom_gem and if it's not there, fallback to the global source: https://bundler.io/v4.0/man/gemfile.5.html#SOURCE-PRIORITY

Let me know if y'all need more information for reducibility, happy to provide.

👉 Downgrading to bundler 4.0.3 fixes the issue.

Post steps to reproduce the problem

Coming soon...
Just putting this up in case something obvious sticks out from the change.

Which command did you run?

bundle update

What were you expecting to happen?

I expect my gem to be upgraded.

What happened instead?

It wasn't upgrade. See top.

[eileencodes]

Could you make a small gem or codebase that reproduces the problem you're seeing when running bundle?

[mjankowski]

I'm seeing a similar issue. I suspect related to some interaction with sources as well. Here's a small example pulled from larger project:

~/repos/demo-test
❯ cat Gemfile
# frozen_string_literal: true

source "https://rubygems.org"

gem 'rails', '~> 8.0'
gem 'webpush', github: 'mastodon/webpush', ref: '9631ac63045cfabddacc69fc06e919b4c13eb913'

~/repos/demo-test
❯ bundle _4.0.3_ update rails
Fetching gem metadata from https://rubygems.org/.........
Resolving dependencies...
Resolving dependencies...
Bundler attempted to update rails but its version stayed the same
Bundle updated!

~/repos/demo-test
❯ bundle _4.0.4_ update rails
Fetching gem metadata from https://rubygems.org/.........
Resolving dependencies...
Could not find compatible versions

Because every version of webpush depends on jwt ~> 2.0
  and jwt ~> 2.0 could not be found in https://github.com/mastodon/webpush.git (at 9631ac6@9631ac6),
  webpush cannot be used.
So, because Gemfile depends on webpush >= 0,
  version solving has failed.

~/repos/demo-test

Seems like using that GH source is somehow replacing/overriding where to look for some of it's deps?

Happy to provide more info and/or push that repo, etc, if helpful.

Verbose output:

~/repos/demo-test
❯ bundle _4.0.4_ update rails --verbose
Running `bundle update rails --verbose` with bundler 4.0.4
Re-resolving dependencies because bundler is unlocking gems: (rails, actioncable, actionmailbox, actionmailer, actionpack, actiontext, actionview, activejob, activemodel, activerecord, activestorage, activesupport, railties, nio4r, websocket-driver, zeitwerk, mail, rails-dom-testing, nokogiri, rack, rack-session, rack-test, rails-html-sanitizer, useragent, action_text-trix, globalid, builder, erubi, timeout, marcel, base64, bigdecimal, concurrent-ruby, connection_pool, drb, i18n, json, logger, minitest, securerandom, tzinfo, uri, irb, rackup, rake, thor, tsort, websocket-extensions, mini_mime, net-imap, net-pop, net-smtp, racc, loofah, prism, pp, rdoc, reline, date, net-protocol, crass, prettyprint, erb, psych, io-console, stringio)
HTTP GET https://index.rubygems.org/versions
HTTP 304 Not Modified https://index.rubygems.org/versions
Fetching gem metadata from https://rubygems.org/
Looking up gems ["action_text-trix", "actioncable", "actionmailbox", "actionmailer", "actionpack", "actiontext", "actionview", "activejob", "activemodel", "activerecord", "activestorage", "activesupport", "base64", "bigdecimal", "builder", "concurrent-ruby", "connection_pool", "crass", "date", "drb", "erb", "erubi", "globalid", "hkdf", "i18n", "io-console", "irb", "json", "jwt", "logger", "loofah", "mail", "marcel", "mini_mime", "minitest", "net-imap", "net-pop", "net-protocol", "net-smtp", "nio4r", "nokogiri", "pp", "prettyprint", "prism", "psych", "racc", "rack", "rack-session", "rack-test", "rackup", "rails", "rails-dom-testing", "rails-html-sanitizer", "railties", "rake", "rdoc", "reline", "securerandom", "stringio", "thor", "timeout", "tsort", "tzinfo", "uri", "useragent", "websocket-driver", "websocket-extensions", "zeitwerk"]
Looking up gems ["functional-ruby", "ref", "celluloid", "coffee-rails", "em-hiredis", "faye-websocket", "redis", "activemodel-globalid", "mimemagic", "bcrypt-ruby", "erubis", "rails-deprecated_sanitizer", "cgi", "arel", "activerecord-deprecated_finders", "text-format", "memcache-client", "multi_json", "thread_safe", "method_source", "mutex_m", "benchmark", "rack-mount", "rack-cache", "sprockets", "journey", "ruby2_keywords", "mime-types", "treetop", "tlsmail", "digest", "strscan", "io-wait", "jar-dependencies", "webrick", "hoe", "weakling", "mini_portile", "mini_portile2", "pkg-config", "rack-ssl", "activeresource", "actionwebservice", "bundler", "sprockets-rails"]
Looking up gems ["timers", "facter", "celluloid-essentials", "celluloid-extras", "celluloid-fsm", "celluloid-pool", "celluloid-supervision", "dotenv", "nenv", "rspec-logsplit", "coffee-script", "hiredis", "eventmachine", "thin", "rspec", "redis-client", "bcrypt", "abstract", "text-hyphen", "atomic", "ruby_parser", "ZenTest", "RubyInline", "multimap", "hike", "tilt", "mime-types-data", "facets", "polyglot", "ruby-maven", "net-ftp", "rubyforge", "gemcutter", "rails-observers", "activemodel-serializers-xml"]
Looking up gems ["hitimes", "celluloid-gems", "coveralls", "rubocop", "dotenv-deployment", "coffee-script-source", "execjs", "rake-compiler", "daemons", "CFPropertyList", "ffi", "sys-admin", "win32-api", "win32console", "win32-dir", "windows-api", "windows-pr", "win32-security", "hocon", "sys-filesystem", "rspec-core", "rspec-expectations", "rspec-mocks", "ParseTree", "sexp_processor", "maven-tools", "ruby-maven-libs", "time", "json_pure", "net-scp"]
Looking up gems ["configuration", "mkrf", "colorize", "rest-client", "simplecov", "term-ansicolor", "tins", "libxml-ruby", "rexml", "nkf", "test-unit", "rainbow", "parser", "backports", "powerpack", "ruby-progressbar", "astrolabe", "unicode-display_width", "parallel", "jaro_winkler", "rubocop-ast", "regexp_parser", "language_server-protocol", "lint_roller", "ffi-win32-extensions", "mkmf-lite", "rspec-support", "diff-lcs", "SexpProcessor", "virtus", "spruz", "net-ssh"]
Looking up gems ["netrc", "http-cookie", "http-accept", "simplecov-html", "docile", "lockfile", "simplecov_json_formatter", "mize", "sync", "readline", "power_assert", "ast", "slop", "unicode-emoji", "ptools", "memoist", "descendants_tracker", "axiom-types", "coercible", "equalizer", "needle", "jruby-pageant", "bcrypt_pbkdf", "rbnacl", "rbnacl-libsodium"]
Looking up gems ["domain_name", "sqlite3", "protocol", "unicode-version", "win32-file", "pattern-match", "ice_nine", "adamantium"]
Looking up gems ["unf", "win32-file-stat", "memoizable"]
Looking up gems ["unf_ext"]
Resolving dependencies...
Bundler::SolveFailure: Could not find compatible versions

Because every version of webpush depends on jwt ~> 2.0
  and jwt ~> 2.0 could not be found in https://github.com/mastodon/webpush.git (at 9631ac6@9631ac6),
  webpush cannot be used.
So, because Gemfile depends on webpush >= 0,
  version solving has failed.
/Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/resolver.rb:123:in 'Bundler::Resolver#solve_versions'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/resolver.rb:32:in 'Bundler::Resolver#start'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/definition.rb:1205:in 'Bundler::Definition#additional_base_requirements_to_force_updates'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/definition.rb:657:in 'Bundler::Definition#resolution_base'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/definition.rb:637:in 'Bundler::Definition#resolver'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/definition.rb:755:in 'Bundler::Definition#start_resolution'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/definition.rb:350:in 'Bundler::Definition#resolve'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/definition.rb:668:in 'Bundler::Definition#materialize'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/definition.rb:240:in 'Bundler::Definition#specs'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/installer.rb:222:in 'Bundler::Installer#ensure_specs_are_compatible!'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/installer.rb:75:in 'block in Bundler::Installer#run'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/rubygems.rb:884:in 'block in Gem.open_file_with_flock'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/rubygems.rb:872:in 'IO.open'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/rubygems.rb:872:in 'Gem.open_file_with_flock'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/rubygems.rb:858:in 'Gem.open_file_with_lock'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/process_lock.rb:13:in 'block in Bundler::ProcessLock.lock'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/shared_helpers.rb:106:in 'Bundler::SharedHelpers#filesystem_access'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/process_lock.rb:12:in 'Bundler::ProcessLock.lock'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/installer.rb:65:in 'Bundler::Installer#run'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/installer.rb:17:in 'Bundler::Installer.install'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/cli/update.rb:79:in 'Bundler::CLI::Update#run'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/cli.rb:326:in 'block in Bundler::CLI#update'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/settings.rb:143:in 'Bundler::Settings#temporary'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/cli.rb:325:in 'Bundler::CLI#update'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/vendor/thor/lib/thor/command.rb:28:in 'Bundler::Thor::Command#run'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/vendor/thor/lib/thor/invocation.rb:127:in 'Bundler::Thor::Invocation#invoke_command'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/vendor/thor/lib/thor.rb:538:in 'Bundler::Thor.dispatch'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/cli.rb:35:in 'Bundler::CLI.dispatch'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/vendor/thor/lib/thor/base.rb:584:in 'Bundler::Thor::Base::ClassMethods#start'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/cli.rb:29:in 'Bundler::CLI.start'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/gems/4.0.0/gems/bundler-4.0.4/exe/bundle:28:in 'block in <top (required)>'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/bundler/friendly_errors.rb:118:in 'Bundler.with_friendly_errors'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/gems/4.0.0/gems/bundler-4.0.4/exe/bundle:20:in '<top (required)>'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/rubygems.rb:303:in 'Kernel#load'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/lib/ruby/site_ruby/4.0.0/rubygems.rb:303:in 'Gem.activate_and_load_bin_path'
  /Users/mjankowski/.local/share/mise/installs/ruby/4.0.1/bin/bundle:25:in '<main>'

[gstokkink]

Seeing similar issues here, something breaks when gems are included through path or github. Also bundler 4.0.4.

Example (both i18n-tasks and minitest-junit have custom sources, and for some reason it's looking for the ox gem in the latter source as well):

bundle _4.0.4_ update i18n-tasks
Fetching https://github.com/bookingexperts/i18n-tasks.git
Fetching gem metadata from https://enterprise.contribsys.com/..
Fetching gem metadata from https://rubygems.org/........
Resolving dependencies...
Could not find compatible versions

Because every version of minitest-junit depends on ox >= 2.14.2, < 3.A
  and ox >= 2.14.2, < 3.A could not be found in https://github.com/bookingexperts/minitest-junit.git (at parallel-tests-support@b6c1bb7),
  minitest-junit cannot be used.
So, because Gemfile depends on minitest-junit >= 0,
  version solving has failed.

Works fine with 4.0.3:

bundle _4.0.3_ update i18n-tasks
Fetching https://github.com/bookingexperts/i18n-tasks.git
Fetching gem metadata from https://enterprise.contribsys.com/..
Fetching gem metadata from https://rubygems.org/........
Resolving dependencies...
Resolving dependencies...
Using prism 1.8.0 (was 1.7.0)
Using parser 3.3.10.1 (was 3.3.10.0)
Using rdoc 7.1.0 (was 7.0.3)
Using rails-i18n 8.1.0 (was 8.0.1)
Bundle updated!

[mudge]

We're encountering the same issue when mixing gems from a private GitHub RubyGems registry and ones from https://rubygems.org.

Specifically, we have a private gem with a runtime dependency on omniauth-oauth2 of >= 1.8 and <2. I authenticate with the registry using a Bearer token in ~/.gem/credentials.

With the following minimal Gemfile (where the version of pagy in our Gemfile.lock is outdated at 43.2.6 when 43.2.8 is available):

source "https://rubygems.org"

gem "pagy"

source "https://rubygems.pkg.github.com/REDACTED" do
  gem "REDACTED"
end

Running the following results in an error:

$ bundle update pagy
Fetching gem metadata from https://rubygems.pkg.github.com/REDACTED/..
Fetching gem metadata from https://rubygems.org/............
Resolving dependencies...
Could not find compatible versions

Because every version of REDACTED depends on omniauth-oauth2 >= 1.8, < 2
and omniauth-oauth2 >= 1.8, < 2 could not be found in rubygems repository
https://rubygems.pkg.github.com/REDACTED/,
  REDACTED cannot be used.
So, because Gemfile depends on REDACTED >= 0,
  version solving has failed.

As others have noted above, using Bundler 4.0.3 succeeds:

> bundle _4.0.3_ update pagy
Fetching gem metadata from https://rubygems.pkg.github.com/REDACTED/..
Fetching gem metadata from https://rubygems.org/............
Resolving dependencies...
Resolving dependencies...
Fetching pagy 43.2.8 (was 43.2.6)
Installing pagy 43.2.8 (was 43.2.6)
Bundle updated!

Running a verbose update on 4.0.4 gives the following:

$ bundle update pagy --verbose
Running `bundle update pagy --verbose` with bundler 4.0.4
Re-resolving dependencies because bundler is unlocking gems: (pagy, json, yaml)
HTTP GET https://mudge@rubygems.pkg.github.com/REDACTED/versions
HTTP 304 Not Modified https://mudge@rubygems.pkg.github.com/REDACTED/versions
Fetching gem metadata from https://rubygems.pkg.github.com/REDACTED/
Looking up gems ["REDACTED"]
Looking up gems ["omniauth-oauth2"]
HTTP GET https://index.rubygems.org/versions
HTTP 304 Not Modified https://index.rubygems.org/versions
Fetching gem metadata from https://rubygems.org/
Looking up gems ["base64", "bigdecimal", "faraday", "faraday-net_http", "hashie", "json", "jwt", "logger", "multi_xml", "net-http", "oauth2", "omniauth", "omniauth-oauth2", "pagy", "rack", "rack-protection", "snaky_hash", "uri", "version_gem", "yaml"]
Looking up gems ["multi_json", "net-protocol", "oa-core", "oa-oauth", "oa-openid", "oa-basic", "oa-enterprise", "oa-more", "faraday-middleware", "httpauth", "rash_alt", "addressable", "multipart-post", "ruby2_keywords", "faraday-excon", "faraday-net_http_persistent", "faraday-em_http", "faraday-em_synchrony", "faraday-httpclient", "faraday-patron", "faraday-rack", "faraday-multipart", "faraday-retry", "escape_utils", "activesupport"]
Looking up gems ["io-wait", "timeout", "nokogiri", "oauth", "rack-openid", "ruby-openid-apps-discovery", "restclient", "rest-client", "net-ldap", "rubyntlm", "pyu-ruby-sasl", "uuid", "XMLCanonicalizer", "rake", "rspec", "public_suffix", "hoe", "excon", "em-http-request", "httpclient", "patron", "net-http-persistent", "builder", "i18n", "memcache-client", "tzinfo", "minitest", "thread_safe", "concurrent-ruby", "method_source", "zeitwerk", "connection_pool", "drb", "mutex_m", "securerandom", "benchmark"]
Looking up gems ["ruby-hmac", "oauth-tty", "ruby-openid", "mime-types", "rdoc", "netrc", "ffi", "http-cookie", "http-accept", "ostruct", "macaddr", "weakling", "mini_portile", "mini_portile2", "pkg-config", "racc", "log4r", "eventmachine", "em-socksify", "http_parser.rb", "cookiejar", "cgi", "rspec-core", "rspec-expectations", "rspec-mocks", "rubyforge", "RubyInline", "gemcutter", "ZenTest", "prism", "atomic", "functional-ruby", "ref", "ruby_parser"]
Looking up gems ["mime-types-data", "psych", "erb", "tsort", "ruby-yadis", "domain_name", "sqlite3", "systemu", "net-ftp", "rspec-support", "diff-lcs", "json_pure", "net-scp", "ParseTree", "sexp_processor"]
Looking up gems ["unf", "time", "spruz", "jar-dependencies", "stringio", "date", "net-ssh", "SexpProcessor"]
Looking up gems ["unf_ext", "ruby-maven", "needle", "jruby-pageant", "bcrypt_pbkdf", "rbnacl", "rbnacl-libsodium"]
Looking up gems ["thor", "maven-tools", "ruby-maven-libs"]
Looking up gems ["virtus"]
Looking up gems ["backports", "descendants_tracker", "axiom-types", "coercible", "equalizer"]
Looking up gems ["ice_nine", "adamantium"]
Looking up gems ["memoizable"]
Resolving dependencies...
Bundler::SolveFailure: Could not find compatible versions

Because every version of REDACTED depends on omniauth-oauth2 >= 1.8, < 2
  and omniauth-oauth2 >= 1.8, < 2 could not be found in rubygems repository https://rubygems.pkg.github.com/REDACTED/,
  REDACTED cannot be used.
So, because Gemfile depends on REDACTED >= 0,
  version solving has failed.
/Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/resolver.rb:123:in 'Bundler::Resolver#solve_versions'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/resolver.rb:32:in 'Bundler::Resolver#start'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/definition.rb:1205:in 'Bundler::Definition#additional_base_requirements_to_force_updates'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/definition.rb:657:in 'Bundler::Definition#resolution_base'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/definition.rb:637:in 'Bundler::Definition#resolver'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/definition.rb:755:in 'Bundler::Definition#start_resolution'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/definition.rb:350:in 'Bundler::Definition#resolve'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/definition.rb:668:in 'Bundler::Definition#materialize'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/definition.rb:240:in 'Bundler::Definition#specs'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/installer.rb:222:in 'Bundler::Installer#ensure_specs_are_compatible!'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/installer.rb:75:in 'block in Bundler::Installer#run'
  /Users/mudge/.rubies/ruby-4.0.1/lib/ruby/4.0.0/rubygems.rb:884:in 'block in Gem.open_file_with_flock'
  /Users/mudge/.rubies/ruby-4.0.1/lib/ruby/4.0.0/rubygems.rb:872:in 'IO.open'
  /Users/mudge/.rubies/ruby-4.0.1/lib/ruby/4.0.0/rubygems.rb:872:in 'Gem.open_file_with_flock'
  /Users/mudge/.rubies/ruby-4.0.1/lib/ruby/4.0.0/rubygems.rb:858:in 'Gem.open_file_with_lock'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/process_lock.rb:13:in 'block in Bundler::ProcessLock.lock'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/shared_helpers.rb:106:in 'Bundler::SharedHelpers#filesystem_access'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/process_lock.rb:12:in 'Bundler::ProcessLock.lock'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/installer.rb:65:in 'Bundler::Installer#run'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/installer.rb:17:in 'Bundler::Installer.install'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/cli/update.rb:79:in 'Bundler::CLI::Update#run'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/cli.rb:326:in 'block in Bundler::CLI#update'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/settings.rb:143:in 'Bundler::Settings#temporary'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/cli.rb:325:in 'Bundler::CLI#update'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/vendor/thor/lib/thor/command.rb:28:in 'Bundler::Thor::Command#run'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/vendor/thor/lib/thor/invocation.rb:127:in 'Bundler::Thor::Invocation#invoke_command'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/vendor/thor/lib/thor.rb:538:in 'Bundler::Thor.dispatch'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/cli.rb:35:in 'Bundler::CLI.dispatch'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/vendor/thor/lib/thor/base.rb:584:in 'Bundler::Thor::Base::ClassMethods#start'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/cli.rb:29:in 'Bundler::CLI.start'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/exe/bundle:28:in 'block in <top (required)>'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/lib/bundler/friendly_errors.rb:118:in 'Bundler.with_friendly_errors'
  /Users/mudge/.gem/ruby/4.0.1/gems/bundler-4.0.4/exe/bundle:20:in '<top (required)>'
  /Users/mudge/.rubies/ruby-4.0.1/lib/ruby/4.0.0/rubygems.rb:303:in 'Kernel#load'
  /Users/mudge/.rubies/ruby-4.0.1/lib/ruby/4.0.0/rubygems.rb:303:in 'Gem.activate_and_load_bin_path'
  /Users/mudge/.gem/ruby/4.0.1/bin/bundle:25:in '<main>'

Note that running bundle update without any arguments works as expected:

$ bundle update
[DEPRECATED] Pass --all to `bundle update` to update everything
Fetching gem metadata from https://rubygems.pkg.github.com/REDACTED/..
Fetching gem metadata from https://rubygems.org/.............
Resolving dependencies...
Using pagy 43.2.8 (was 43.2.6)
Bundle updated!

[hsbt]

How about #9269?

Unfotunately, I couldn't reproduce the reported issue because example of #9269 passed without my changes.

Is there something I'm missing?

[gstokkink]

@hsbt I'm wiling to try out your fix in our repository, if you can tell me how I can run bundler from source 😋

[hsbt]

I also couldn't reproduce with #9258 (comment)

❯ cat Gemfile
# frozen_string_literal: true

source "https://rubygems.org"

gem 'rails', '~> 8.0'
gem 'webpush', github: 'mastodon/webpush', ref: '9631ac63045cfabddacc69fc06e919b4c13eb913'
❯ bundle -v
4.0.4
❯ bundle i
Fetching gem metadata from https://rubygems.org/...........
Resolving dependencies...
Bundle complete! 2 Gemfile dependencies, 69 gems now installed.
Use `bundle info [gemname]` to see where a bundled gem is installed.

[mjankowski]

I also couldn't reproduce with #9258 (comment)

The error for me is only on update.

Running bundle install with this Gemfile works fine on both 4.0.3 and 4.0.4.

Running bundle _4.0.4_ update rails fails, whereas 4.0.3 with same Gemfile succeeds.

[eileencodes]

Yes the error is only on update in my testing as well. I'm working on a fix but I have a deadline this week that is taking precedence. I'm ok with the original being reverted until I can write a fix that takes both problems into account.

It's only reproducible in update because converge_specs is only used when you have a lock file that needs to change.

[hsbt]

@mjankowski Thanks, I could reproduce this at #9269 and confirmed to fix by my simple workaround.

@eileencodes I have a plan to release 4.0.5 with it tomorrow. If you want to fix this with your thought, you can update my workaround until 4.0.6 that will be released at middle of Feb. How about this?