Detect locally-sourced gems in bundle_report outdated #189
Open
JuanVqz wants to merge 2 commits into
Conversation
A gem pulled in via `path:` (e.g. a private engine) could share its name with an unrelated public gem on rubygems. `bundle_report outdated` looked up the latest version by name, matched the public gem, and reported a bogus upgrade. Add `GemInfo#sourced_locally?`, which reads the Bundler source type from the lockfile (path source, excluding git which is already reported separately). `outdated` now excludes locally-sourced gems from the out-of-date check and reports them in a separate count, mirroring how git-sourced gems are handled. Closes #29
56bfbd9 to 71eb69d
JuanVqz (Member, Author): I used this issue-29-sandbox.zip to QA and confirm this works; sharing it so it's easier for you.
arielj reviewed Jun 9, 2026
```ruby
      end

      def sourced_locally?
        return false unless defined?(Bundler::Source::Path)
```
How can it happen that this class does not exist?

Is this some Bundler version thing, that it didn't exist in some older versions? It would be good to either add a comment explaining that (it would mean this works only for some minimum Bundler version) or find an alternative for when `Bundler::Source::Path` is not defined.
```ruby
      Gem::Specification.new do |s|
        s.date = release_date
        s.version = "1.0.0"
      end.tap { |s| s.source = source }
```
Suggested change:

```diff
-      end.tap { |s| s.source = source }
+        s.source = source
+      end
```
Doesn't this work? That extra `tap` looks off; is this some limitation of how the `let` blocks are called?
Description
`bundle_report outdated` looked up each installed gem's latest version on rubygems by name only. A gem pulled in via `path:` (for example a private engine) that happens to share its name with an unrelated public gem was matched against the public one and reported as out-of-date with a bogus upgrade suggestion.

This adds `NextRails::GemInfo#sourced_locally?`, which reads the Bundler source type from the lockfile. A gem is considered local when its source is a `Bundler::Source::Path` that is not a `Bundler::Source::Git` (git sources subclass the path source and are already reported separately via `sourced_from_git?`).

`BundleReport.outdated` now:
- `sourced_locally_count` in the JSON output and a new "N gems are sourced from a local path" line in the human-readable footer.

Motivation and Context

Closes #29.

A local private gem named `app_store` collides with the abandoned public `app_store` gem. `bundle_report` would suggest "upgrading" the private engine to the unrelated public version.

As discussed in the issue, this does not try to decide whether two same-named gems are the same gem (gemspec metadata is unreliable). It trusts the lockfile source instead: a `path:` gem is local, so it is not compared against rubygems at all.

How Has This Been Tested?

- `GemInfo#sourced_locally?` covering path, git, and rubygems sources.
- `BundleReport.outdated` spec asserting a locally-sourced gem is excluded from the out-of-date list and counted separately, plus updated the existing JSON/stdout expectations.
- (99 examples, 0 failures)
- `app_store` gem via `path:`:
  - `next_rails` (buggy): `app_store listed: true`
  - `app_store listed: false`, footer shows it under "sourced from a local path".

Screenshots:
N/A
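As an added example (not code from this PR or from the next_rails project), here is the rule the description relies on, applied to a constructed Gemfile.lock: a gem is classified by the lockfile section it comes from (PATH, GIT, GEM) rather than by its name, and the outdated check skips path-sourced gems and counts them separately, the same way git-sourced gems are set aside. The example parses the lockfile text directly instead of going through `Bundler::Source::Path` / `Bundler::Source::Git`, so "a path source that is not a git source" becomes "it came from a PATH section". The rubygems lookup is a constructed hash standing in for the network call; the lockfile contents, helper names and version numbers are all assumptions.

```ruby
# Added example: classify gems by their lockfile source, then run an
# outdated check that never compares a path-sourced gem against rubygems.
# Everything below (lockfile, versions, helper names) is constructed.

# Constructed Gemfile.lock: a private engine named app_store is pulled in
# via path:, while an unrelated public gem of the same name exists on rubygems.
LOCKFILE = <<~LOCK
  PATH
    remote: engines/app_store
    specs:
      app_store (0.1.0)

  GIT
    remote: https://example.invalid/acme/my_widget.git
    revision: 0000000000000000000000000000000000000000
    specs:
      my_widget (2.3.0)

  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.2.8)
      rails (7.1.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    app_store!
    my_widget!
    rails
LOCK

# Minimal stand-in for a GemInfo record; source_type is :path, :git or :rubygems.
GemInfo = Struct.new(:name, :version, :source_type) do
  # Local means "came from a PATH section"; git sources are a separate bucket.
  def sourced_locally?
    source_type == :path
  end

  def sourced_from_git?
    source_type == :git
  end
end

SECTION_TYPES = { "PATH" => :path, "GIT" => :git, "GEM" => :rubygems }.freeze
# Top-level specs sit at exactly four spaces; transitive deps are indented deeper.
SPEC_LINE = /\A {4}([^\s(]+) \(([^)]+)\)\z/

# Walk the lockfile and tag each top-level spec with the section it came from.
def parse_lockfile(text)
  gems = []
  type = nil
  in_specs = false
  text.each_line(chomp: true) do |line|
    if line =~ /\A[A-Z]+\z/
      type = SECTION_TYPES[line]   # nil for PLATFORMS / DEPENDENCIES
      in_specs = false
    elsif line == "  specs:"
      in_specs = true
    elsif type && in_specs && (m = SPEC_LINE.match(line))
      gems << GemInfo.new(m[1], m[2], type)
    end
  end
  gems
end

# Constructed stand-in for "latest version on rubygems" (no network call).
RUBYGEMS_LATEST = {
  "app_store" => "2.0.0",   # the unrelated public gem with the same name
  "my_widget" => "9.9.9",
  "rack"      => "3.0.0",
  "rails"     => "7.1.3",
}.freeze

# Name-only lookup: the behaviour being fixed. The private engine is "outdated".
def outdated_by_name_only(gems, latest = RUBYGEMS_LATEST)
  gems.select { |g| latest[g.name] && Gem::Version.new(latest[g.name]) > Gem::Version.new(g.version) }
      .map { |g| [g.name, g.version, latest[g.name]] }
end

# Source-aware report: local and git gems are counted, never compared by name.
def outdated_report(gems, latest = RUBYGEMS_LATEST)
  report = { outdated: [], sourced_locally_count: 0, sourced_from_git_count: 0 }
  gems.each do |gem|
    if gem.sourced_locally?
      report[:sourced_locally_count] += 1
    elsif gem.sourced_from_git?
      report[:sourced_from_git_count] += 1
    else
      newest = latest[gem.name]
      next unless newest && Gem::Version.new(newest) > Gem::Version.new(gem.version)
      report[:outdated] << [gem.name, gem.version, newest]
    end
  end
  report
end

if $PROGRAM_NAME == __FILE__
  gems = parse_lockfile(LOCKFILE)
  puts "name-only: #{outdated_by_name_only(gems).inspect}"
  puts "by source: #{outdated_report(gems).inspect}"
end
```

Running it shows the contrast the PR description gives: the name-only check lists `app_store` (0.1.0 vs the public 2.0.0) and the git-sourced `my_widget`, while the source-aware report lists only `rack` and reports one locally-sourced and one git-sourced gem.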