Merge pull request #8629 from rubygems/deivid-rodriguez/false-positive-warning

deivid-rodriguez · deivid-rodriguez · commit 6daacd09a429 · 2025-05-08T21:03:47.000+02:00
Fix false positive warning about insecure materialization in frozen mode (cherry picked from commit a72b4d4)
diff --git a/bundler/lib/bundler/lazy_specification.rb b/bundler/lib/bundler/lazy_specification.rb
@@ -213,22 +213,31 @@ def choose_compatible(candidates, fallback_to_non_installable: Bundler.frozen_bu
       end
       if search.nil? && fallback_to_non_installable
         search = candidates.last
-      elsif search && search.full_name == full_name
-        # We don't validate locally installed dependencies but accept what's in
-        # the lockfile instead for performance, since loading locally installed
-        # dependencies would mean evaluating all gemspecs, which would affect
-        # `bundler/setup` performance
-        if search.is_a?(StubSpecification)
-          search.dependencies = dependencies
-        else
-          if !source.is_a?(Source::Path) && search.runtime_dependencies.sort != dependencies.sort
-            raise IncorrectLockfileDependencies.new(self)
-          end
+      end
 
-          search.locked_platform = platform if search.instance_of?(RemoteSpecification) || search.instance_of?(EndpointSpecification)
-        end
+      if search
+        validate_dependencies(search) if search.platform == platform
+
+        search.locked_platform = platform if search.instance_of?(RemoteSpecification) || search.instance_of?(EndpointSpecification)
       end
       search
     end
+
+    # Validate dependencies of this locked spec are consistent with dependencies
+    # of the actual spec that was materialized.
+    #
+    # Note that we don't validate dependencies of locally installed gems but
+    # accept what's in the lockfile instead for performance, since loading
+    # dependencies of locally installed gems would mean evaluating all gemspecs,
+    # which would affect `bundler/setup` performance.
+    def validate_dependencies(spec)
+      if spec.is_a?(StubSpecification)
+        spec.dependencies = dependencies
+      else
+        if !source.is_a?(Source::Path) && spec.runtime_dependencies.sort != dependencies.sort
+          raise IncorrectLockfileDependencies.new(self)
+        end
+      end
+    end
   end
 end
diff --git a/bundler/spec/install/gems/resolving_spec.rb b/bundler/spec/install/gems/resolving_spec.rb
@@ -305,11 +305,10 @@
 
         it "gives a meaningful error if we're in frozen mode" do
           expect do
-            bundle "install --verbose", env: { "BUNDLE_FROZEN" => "true" }, raise_on_error: false
+            bundle "install", env: { "BUNDLE_FROZEN" => "true" }, raise_on_error: false
           end.not_to change { lockfile }
 
-          expect(err).to include("parallel_tests-3.8.0 requires ruby version >= #{next_ruby_minor}")
-          expect(err).not_to include("That means the author of parallel_tests (3.8.0) has removed it.")
+          expect(err).to eq("parallel_tests-3.8.0 requires ruby version >= #{next_ruby_minor}, which is incompatible with the current version, #{Gem.ruby_version}")
         end
       end
 
