[rubygems/rubygems] Remove specs with bad sources when converging dependenciesHEAD master

https://github.com/rubygems/rubygems/commit/a0f7851451
author: David Rodríguez <deivid.rodriguez@riseup.net> 2025-03-19 20:39:57 +0100
committer: Hiroshi SHIBATA <hsbt@ruby-lang.org> 2025-03-25 10:36:33 +0900
commit: 1427629a5ff6e74518d25447ad19ce45c8338032 (patch)
tree: 2c13e013b7d9571d7c05a4ca78ae88aaeeb84e66
parent: fd43aca13b004b978103a836a7caad2a6fa6bba0 (diff)
2 files changed, 66 insertions, 3 deletions
diff --git a/lib/bundler/definition.rb b/lib/bundler/definition.rb
index a318550094..a5ec2d64c7 100644
--- a/lib/bundler/definition.rb
+++ b/lib/bundler/definition.rb
@@ -955,9 +955,15 @@ module Bundler
 
           if locked_specs.empty?
             @missing_lockfile_dep = name if dep_changed == false
-          elsif !dep.matches_spec?(locked_specs.first)
-            @gems_to_unlock << name
-            dep_changed = true
+          else
+            if locked_specs.map(&:source).uniq.size > 1
+              @locked_specs.delete(locked_specs.select {|s| s.source != dep.source })
+            end
+
+            unless dep.matches_spec?(locked_specs.first)
+              @gems_to_unlock << name
+              dep_changed = true
+            end
           end
         end
 
diff --git a/spec/bundler/lock/lockfile_spec.rb b/spec/bundler/lock/lockfile_spec.rb
index eb644c93b1..d43d926798 100644
--- a/spec/bundler/lock/lockfile_spec.rb
+++ b/spec/bundler/lock/lockfile_spec.rb
@@ -1908,6 +1908,63 @@ RSpec.describe "the lockfile format" do
     L
   end
 
+  it "automatically fixes the lockfile when it includes a gem under the correct GIT section, but also under an incorrect GEM section, with a higher version, and with no explicit Gemfile requirement" do
+    git = build_git "foo"
+
+    gemfile <<~G
+      source "https://gem.repo1/"
+      gem "foo", git: "#{lib_path("foo-1.0")}"
+    G
+
+    # If the lockfile erroneously lists platform versions of the gem
+    # that don't match the locked version of the git repo we should remove them.
+
+    lockfile <<~L
+      GIT
+        remote: #{lib_path("foo-1.0")}
+        revision: #{git.ref_for("main")}
+        specs:
+          foo (1.0)
+
+      GEM
+        remote: https://gem.repo1/
+        specs:
+          foo (1.1-x86_64-linux-gnu)
+
+      PLATFORMS
+        #{lockfile_platforms}
+
+      DEPENDENCIES
+        foo!
+
+      BUNDLED WITH
+         #{Bundler::VERSION}
+    L
+
+    bundle "install"
+
+    expect(lockfile).to eq <<~L
+      GIT
+        remote: #{lib_path("foo-1.0")}
+        revision: #{git.ref_for("main")}
+        specs:
+          foo (1.0)
+
+      GEM
+        remote: https://gem.repo1/
+        specs:
+
+      PLATFORMS
+        #{lockfile_platforms}
+
+      DEPENDENCIES
+        foo!
+
+      BUNDLED WITH
+         #{Bundler::VERSION}
+    L
+  end
+
   it "automatically fixes the lockfile when it includes a gem under the correct GIT section, but also under an incorrect GEM section, with a higher version" do
     git = build_git "foo"
author	David Rodríguez <deivid.rodriguez@riseup.net>	2025-03-19 20:39:57 +0100
committer	Hiroshi SHIBATA <hsbt@ruby-lang.org>	2025-03-25 10:36:33 +0900
commit	1427629a5ff6e74518d25447ad19ce45c8338032 (patch)
tree	2c13e013b7d9571d7c05a4ca78ae88aaeeb84e66
parent	fd43aca13b004b978103a836a7caad2a6fa6bba0 (diff)