Merge pull request #8491 from rubygems/deivid-rodriguez/fix-unintended-downgrades

Fix regression when running `bundle update <foo>` would sometimes downgrade a top level dependency

(cherry picked from commit 8fe5bae)

Author: deivid-rodriguez

bundler/lib/bundler/definition.rb

@@ -626,7 +626,7 @@ def resolution_packages
         last_resolve = converge_locked_specs
         remove_invalid_platforms!
         packages = Resolver::Base.new(source_requirements, expanded_dependencies, last_resolve, @platforms, locked_specs: @originally_locked_specs, unlock: @unlocking_all || @gems_to_unlock, prerelease: gem_version_promoter.pre?, prefer_local: @prefer_local, new_platforms: @new_platforms)
-        packages = additional_base_requirements_to_prevent_downgrades(packages, last_resolve)
+        packages = additional_base_requirements_to_prevent_downgrades(packages)
         packages = additional_base_requirements_to_force_updates(packages)
         packages
       end
@@ -938,7 +938,7 @@ def converge_sources
 
     def converge_dependencies
       @missing_lockfile_dep = nil
-      changes = false
+      @changed_dependencies = []
 
       current_dependencies.each do |dep|
         if dep.source
@@ -960,10 +960,10 @@ def converge_dependencies
           end
         end
 
-        changes ||= dep_changed
+        @changed_dependencies << name if dep_changed
       end
 
-      changes
+      @changed_dependencies.any?
     end
 
     # Remove elements from the locked specs that are expired. This will most
@@ -1093,11 +1093,15 @@ def lockfiles_equal?(current, proposed, preserve_unknown_sections)
       current == proposed
     end
 
-    def additional_base_requirements_to_prevent_downgrades(resolution_packages, last_resolve)
+    def additional_base_requirements_to_prevent_downgrades(resolution_packages)
       return resolution_packages unless @locked_gems && !sources.expired_sources?(@locked_gems.sources)
-      converge_specs(@originally_locked_specs - last_resolve).each do |locked_spec|
+      @originally_locked_specs.each do |locked_spec|
         next if locked_spec.source.is_a?(Source::Path)
-        resolution_packages.base_requirements[locked_spec.name] = Gem::Requirement.new(">= #{locked_spec.version}")
+
+        name = locked_spec.name
+        next if @changed_dependencies.include?(name)
+
+        resolution_packages.base_requirements[name] = Gem::Requirement.new(">= #{locked_spec.version}")
       end
       resolution_packages
     end

bundler/spec/commands/update_spec.rb

@@ -428,6 +428,72 @@
       expect(out).to include("Installing sneakers 2.11.0").and include("Installing rake 13.0.6")
     end
 
+    it "does not downgrade direct dependencies unnecessarily" do
+      build_repo4 do
+        build_gem "redis", "4.8.1"
+        build_gem "redis", "5.3.0"
+
+        build_gem "sidekiq", "6.5.5" do |s|
+          s.add_dependency "redis", ">= 4.5.0"
+        end
+
+        build_gem "sidekiq", "6.5.12" do |s|
+          s.add_dependency "redis", ">= 4.5.0", "< 5"
+        end
+
+        # one version of sidekiq above Gemfile's range is needed to make the
+        # resolver choose `redis` first and trying to upgrade it, reproducing
+        # the accidental sidekiq downgrade as a result
+        build_gem "sidekiq", "7.0.0 " do |s|
+          s.add_dependency "redis", ">= 4.2.0"
+        end
+
+        build_gem "sentry-sidekiq", "5.22.0" do |s|
+          s.add_dependency "sidekiq", ">= 3.0"
+        end
+
+        build_gem "sentry-sidekiq", "5.22.4" do |s|
+          s.add_dependency "sidekiq", ">= 3.0"
+        end
+      end
+
+      gemfile <<~G
+        source "https://gem.repo4"
+
+        gem "redis"
+        gem "sidekiq", "~> 6.5"
+        gem "sentry-sidekiq"
+      G
+
+      original_lockfile = <<~L
+        GEM
+          remote: https://gem.repo4/
+          specs:
+            redis (4.8.1)
+            sentry-sidekiq (5.22.0)
+              sidekiq (>= 3.0)
+            sidekiq (6.5.12)
+              redis (>= 4.5.0, < 5)
+
+        PLATFORMS
+          #{lockfile_platforms}
+
+        DEPENDENCIES
+          redis
+          sentry-sidekiq
+          sidekiq (~> 6.5)
+
+        BUNDLED WITH
+           #{Bundler::VERSION}
+      L
+
+      lockfile original_lockfile
+
+      bundle "lock --update sentry-sidekiq"
+
+      expect(lockfile).to eq(original_lockfile.sub("sentry-sidekiq (5.22.0)", "sentry-sidekiq (5.22.4)"))
+    end
+
     it "does not downgrade indirect dependencies unnecessarily" do
       build_repo4 do
         build_gem "a" do |s|

bundler/spec/install/gems/flex_spec.rb

@@ -295,6 +295,30 @@
 
     it "should work when you update" do
       bundle "update myrack"
+
+      checksums = checksums_section_when_enabled do |c|
+        c.checksum gem_repo1, "myrack", "0.9.1"
+        c.checksum gem_repo1, "myrack-obama", "1.0"
+      end
+
+      expect(lockfile).to eq <<~L
+        GEM
+          remote: https://gem.repo1/
+          specs:
+            myrack (0.9.1)
+            myrack-obama (1.0)
+              myrack
+
+        PLATFORMS
+          #{lockfile_platforms}
+
+        DEPENDENCIES
+          myrack (= 0.9.1)
+          myrack-obama
+        #{checksums}
+        BUNDLED WITH
+           #{Bundler::VERSION}
+      L
     end
   end