[rubygems/rubygems] Fix outdated lockfile during bundle lock when source changes

When the source used to be git and switches back to rubygems, it is possible that the git source contains a version that ruybgems doesn't know about yet. So don't add the locked spec to the base resolve, and also don't add a lower bound requirement on the version, since the version in the new source may actually be lower. https://github.com/rubygems/rubygems/commit/85514e3a1e
2026-01-27 04:24:23 +00:00 · 2025-09-10 13:18:36 +02:00 · 2025-09-10 13:18:36 +02:00 · 98beabd666
commit 98beabd666
parent 92bddb4529
2 changed files with 37 additions and 1 deletions
--- a/lib/bundler/definition.rb
+++ b/lib/bundler/definition.rb
@ -1051,6 +1051,7 @@ module Bundler

        # Replace the locked dependency's source with the equivalent source from the Gemfile
        s.source = replacement_source || default_source
+        next if s.source_changed?

        source = s.source
        next if @sources_to_unlock.include?(source.name)
@ -1138,7 +1139,7 @@ module Bundler
    def additional_base_requirements_to_prevent_downgrades(resolution_base)
      return resolution_base unless @locked_gems && !sources.expired_sources?(@locked_gems.sources)
      @originally_locked_specs.each do |locked_spec|
-        next if locked_spec.source.is_a?(Source::Path)
+        next if locked_spec.source.is_a?(Source::Path) || locked_spec.source_changed?

        name = locked_spec.name
        next if @changed_dependencies.include?(name)
--- a/spec/bundler/lock/git_spec.rb
+++ b/spec/bundler/lock/git_spec.rb
@ -220,4 +220,39 @@ RSpec.describe "bundle lock with git gems" do

    expect(lockfile).to include("securerandom (0.3.2)")
  end
+
+  it "does not lock versions that don't exist in the repository when changing a GIT direct dep to a GEM direct dep" do
+    build_repo4 do
+      build_gem "ruby-lsp", "0.16.1"
+    end
+
+    path = lib_path("ruby-lsp")
+    revision = build_git("ruby-lsp", "0.16.2", path: path).ref_for("HEAD")
+
+    lockfile <<~L
+      GIT
+        remote: #{path}
+        revision: #{revision}
+        specs:
+          ruby-lsp (0.16.2)
+
+      PLATFORMS
+        #{lockfile_platforms}
+
+      DEPENDENCIES
+        ruby-lsp!
+
+      BUNDLED WITH
+         #{Bundler::VERSION}
+    L
+
+    gemfile <<~G
+      source "https://gem.repo4"
+      gem "ruby-lsp"
+    G
+
+    bundle "lock"
+
+    expect(lockfile).to include("ruby-lsp (0.16.1)")
+  end
 end