2

Isn't the Gemfile.lock a hack used to perpetuate bad practices in dependency version control?

I.e., shouldn't developers set the dependency version ranges strictly in the Gemfile?

For example if my Gemfile says that I depend on gem A version 1.0.1 or versions [1.0-2.0), why would I need the .lock?

PedroD

2 Answers

5

No, Gemfile.lock makes a lot of sense and is crucial to the concept of automatically picking gem versions. As a developer, you do not need to bother about exact version numbers. You can say "give me whatever version of gem X fits all other versions of all other gems" (by just saying gem 'xyz' without any further information). Or you can tell it to stay within the bugfixing line of an older version of a gem (gem 'xyz', '~> 2.3.0') or whatever.

By adding the exact version in Gemfile.lock you then make sure that the versions stay consistent for all developers (and environments). You make the act of upgrading to a newer version of a gem a conscious (and well-documented) choice instead of a random part of your build/deploy process.

AnoE
  • If it is crucial, how come systems such as npm, bower, maven, OSGi, etc. do not use it? Wouldn't it make sense for the deploy system to use the most compatible dependency version among all gems, according to their Gemfile's version ranges? – PedroD Jul 26 '16 at 17:07
  • @PedroD For npm, there's [shrinkwrap](https://docs.npmjs.com/cli/shrinkwrap) which does something very similar. Others probably have not implemented it because people use the respective eco-system differently or because it's just too hard to implement (which it definitely is, esp. with recursive and circular dependencies) – Holger Just Jul 26 '16 at 18:45
  • @PedroD, I don't see what those other systems have to do with it. I believe I gave a two very clear reasons why it is useful and important. If you do not feel convinced or my explanation was bad, I'm more than happy to explain more. If you want another positive example, consider `carton` from the Perl world, which does it exactly like `bundler` in ruby. – AnoE Jul 26 '16 at 20:53
2

why would I need the .lock?

To install exactly the same versions as all the other guys in the team. Or install in production the same versions that you use in development.

It might happen that a new version of some gem is released while you were collecting sign-offs for your release. You better be sure you install/load exactly the versions that you developed/tested with.

Sergio Tulentsev
  • The final sentence, "You better be sure you install/load exactly the versions that you developed/tested with," resonates with me and thus earns my upvote. – pjd Oct 27 '16 at 13:41