bundle check issue causes ruby-lsp Gemfile dependencies to attach to wrong gem source in Gemfile.lock #2710

Closed
taylorthurlow opened this issue Oct 10, 2024 · 8 comments

@taylorthurlow

taylorthurlow commented Oct 10, 2024

Sorry for skipping the bug templates here, but this is not a problem specific to an editor; I can replicate this just by starting the LSP by hand in the appropriate project directory.

The LSP runs correctly but I cannot perform a ruby-lsp bundle update (BUNDLE_GEMFILE=.ruby-lsp/Gemfile bundle update ruby-lsp) because the contents of the generated .ruby-lsp/Gemfile.lock are not valid, as dependencies of ruby-lsp are being assigned to a gemserver which does not contain those gems.

My reproduction for the bundler issue is here:
rubygems/rubygems#5339 (comment)

The bottom line is that bundle check, in whatever specific scenario ruby-lsp is using it (or at least as it occurs on my machine) is resulting in a change to Gemfile.lock which moves the transitive dependencies of ruby-lsp into the wrong rubygems source, rendering the Gemfile.lock invalid (from a dependency resolution perspective) and not able to update.

This issue impacts Bundler versions 2.2.26 to (currently, the latest) 2.5.21.

I think it's worth opening an issue here (even if it's closed immediately) as it's pretty hard to tell where the issue is coming from. I was investigating ruby-lsp source for a while before I went up to the bundler level to see if the issue was there.
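The symptom described in the post above can be checked mechanically by comparing which GEM remote each locked gem sits under in two copies of `.ruby-lsp/Gemfile.lock`, one saved before and one after `bundle check`. The following is an added example, not part of the original post and not ruby-lsp or Bundler code; the sample lockfile, its gem versions, and the private host `gems.example.internal` are constructed assumptions.

```ruby
# Added example (not ruby-lsp or Bundler code): diff gem sources of two lockfiles.
# Map each locked gem name to the remote of the GEM section that lists it.
def gem_sources(lockfile_text)
  sources = {}
  section = remote = nil
  in_specs = false
  lockfile_text.each_line(chomp: true) do |line|
    case line
    when /\A\S/                  # unindented line starts a new section
      section, remote, in_specs = line, nil, false
    when /\A  remote: (\S+)\z/
      remote = $1 if section == "GEM"
    when /\A  specs:\z/
      in_specs = true
    when /\A    (\S+) \(.+\)\z/  # 4 spaces = locked gem; 6 = its dependency
      sources[$1] = remote if section == "GEM" && in_specs
    end
  end
  sources
end

# Return { gem => [old_remote, new_remote] } for gems that changed source.
def moved_gems(before_text, after_text)
  before = gem_sources(before_text)
  gem_sources(after_text).each_with_object({}) do |(name, remote), moved|
    old = before[name]
    moved[name] = [old, remote] if old && old != remote
  end
end

# Constructed sample lockfile (gem versions and the private host are made up).
BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      prism (1.2.0)
      ruby-lsp (0.20.0)
        prism (>= 1.2, < 2.0)

  GEM
    remote: https://gems.example.internal/
    specs:
      private_gem (1.0.0)
LOCK
# Constructed "after" snapshot: prism now sits under the private remote.
AFTER = BEFORE.sub("    prism (1.2.0)\n", "")
              .sub("    private_gem", "    prism (1.2.0)\n    private_gem")

moved_gems(BEFORE, AFTER).each { |name, (from, to)| puts "#{name}: #{from} -> #{to}" }
```

A non-empty result means a gem will be resolved from a different server than the one it was originally locked to, which is worth reviewing before the lockfile is committed or used for an update.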

@andyw8
Contributor

andyw8 commented Oct 11, 2024

Thanks for the report. I was also surprised to discover that bundle check can modify the lockfile:

rubygems/rubygems#7613

@taylorthurlow
Author

Looks like they aren't able to reproduce so I'm going to have to try to write an appropriate bundler spec.

@vinistock
Member

Is there anything we can do from our side or is this a Bundler bug?

The Ruby LSP invokes BUNDLE_GEMFILE=.ruby-lsp/Gemfile bundle check so that we can verify if we need to install gems before booting. I'm surprised that bundle check would modify the lockfile though. Could we pass the --frozen option to bundle check or is that only for install?

@andyw8
Contributor

andyw8 commented Oct 11, 2024

% bundle check --frozen
Unknown switches "--frozen"

@taylorthurlow
Author

taylorthurlow commented Oct 11, 2024

> Is there anything we can do from our side or is this a Bundler bug?

Given the fact that I am able to reproduce the rubygems issue I linked in the OP using the exact same suspect bundler versions (issue originally introduced in 2.2.26), without using ruby-lsp, it is definitely a bundler bug.

I also tried using the --dry-run option for bundle check:

       --dry-run
              Locks the [Gemfile(5)][Gemfile(5)] before running the command.

But it still modifies Gemfile.lock.

@taylorthurlow
Author

I managed to sloppily put together a failing spec for bundler. rubygems/rubygems#5339 (comment)

@taylorthurlow
Author

A bundler maintainer identified the issue and opened a PR: rubygems/rubygems#8148

@vinistock
Member

Since the PR was merged, I'll close this issue. Thanks for reporting it!
