How can I avoid Bundler's warning about multiple sources when I have all gems in my .gemspec?
In my own gem, I have a Gemfile that looks basically like this:

source 'https://my.gemserver.com'
source 'https://rubygems.org'

gemspec

My .gemspec has all dependencies listed as add_dependency and add_development_dependency.

As of Bundler 1.8, I get the warning:

Warning: this Gemfile contains multiple primary sources. Using `source` more than
once without a block is a security risk, and may result in installing unexpected gems.
To resolve this warning, use a block to indicate which gems should come from the
secondary source. To upgrade this warning to an error,
run `bundle config disable_multisource true`.

Is there a way to resolve this warning (without muting via bundle config)? I cannot find anything about a source option in the Rubygems specification.

Nocturne answered 10/3, 2015 at 12:52 Comment(4)
Have you tried using a source block like this example?Ankus
The thing is, I don't list my gem dependencies in the Gemfile. They are all listed in the .gemspec. Do I have to duplicate them in the Gemfile? Then what's the point of referring to the gemspec?Nocturne
@ChristophPetschnig Here is a nice article on roles that Gemfile and .gemspec hold.Maite
@Maite Thank you. Still, it talks about avoiding duplication. Using the source block (which makes a lot of sense) means duplication. Also, I am getting more and more doubts on add_development_dependency in the .gemspec. I believe this comes from a pre-bundler era and gems there should belong to the Gemfile.Nocturne

No, you'll either need to mute the warning or add the source block to your Gemfile with the specific gems you want to come from your private server. There isn't a need to duplicate the ones that come from rubygems.org (or you could do it the other way around, if you depend on more private gems than public ones, and your private gems do not themselves depend on public ones).

The problem is that the gemspec format has no support for specifying the source for each gem, so without duplicating them into the Gemfile, there is no way to specify which gems come from each source.

Putnam answered 11/3, 2015 at 5:13 Comment(2)
Which is a bug that should be addressed! (imho)Registered
FYI, further discussion about the reason for this is in this issue: github.com/bundler/bundler/issues/3576Amazement

Kind of sad, but one has to move it out to Gemfile :-(

Gemfile:

source 'https://my.gemserver.com' do
  gem 'your_gem1'
  gem 'your_gem2'
  #...
end

source 'https://rubygems.org'

gemspec

but then, if some of your gems should be included in the :development or :test group, the following could be used

Gemfile:

gem 'your_gem1', :source => 'https://my.gemserver.com'
#...
group :development do
  gem 'your_gem2', :source => 'https://my.gemserver.com'
  #...
end

source 'https://rubygems.org'

gemspec
Comeaux answered 10/2, 2016 at 11:32 Comment(1)
But what about gem compilation? These gems will be included in the release?Quad

To elaborate on the discussion on the bundler issue, as previous answers have stated, you must include the gem in your Gemfile. However, you only need to specify the version of the gem in your .gemspec. If you change versions more often than private dependencies this isn't a terrible solution.

Reference the gem without version in Gemfile:

# Gemfile
source 'https://rubygems.org'

source 'https://[email protected]/me/' do
  gem 'my-private-dependency'
end

gemspec

Reference the gem with version specification in the .gemspec:

# my-gem.gemspec
lib = File.expand_path('../lib', __FILE__)
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)

Gem::Specification.new do |spec|
  # name, version and the other required fields are omitted here;
  # only the dependency matters for this example
  spec.add_dependency 'my-private-dependency', '~> 0.1.5'
end
Amazement answered 25/4, 2017 at 16:23 Comment(0)
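To check a Gemfile for the condition behind the warning discussed above, here is an added example (not code from the thread or from Bundler): it evaluates the Gemfile text against a tiny stand-in for the Bundler DSL and reports more than one top-level `source` plus any gems, including everything pulled in via `gemspec`, that are not pinned to one source. It handles only the `source`, `gem`, `group` and `gemspec` calls, and the two Gemfile strings are constructed from the question and the answers.

```ruby
# Evaluates a Gemfile against the DSL methods below and records where each gem may be
# fetched from; a gem outside any source block is resolved against every primary source.
class GemfileAudit
  attr_reader :primary_sources, :scoped_gems, :unscoped_gems, :uses_gemspec
  def initialize
    @primary_sources, @scoped_gems, @unscoped_gems = [], {}, []
    @current_source, @uses_gemspec = nil, false
  end
  def self.audit(text)
    new.tap { |a| a.instance_eval(text, 'Gemfile') } # DSL calls land on this object
  end
  def source(url, &block)                          # bare `source` adds a primary source;
    return @primary_sources << url unless block    # with a block it scopes the gems inside
    previous, @current_source = @current_source, url
    block.call
    @current_source = previous
  end
  def gem(name, *args)                             # `gem 'x', :source => 'y'` pins explicitly
    opts = args.last.is_a?(Hash) ? args.last : {}
    src = opts[:source] || @current_source
    src ? (@scoped_gems[src] ||= []) << name : @unscoped_gems << name
  end
  def group(*_names); yield; end                   # groups do not change the source
  def gemspec(*_opts); @uses_gemspec = true; end   # gemspec dependencies carry no source
  def multiple_primary_sources?
    primary_sources.uniq.size > 1
  end
  def findings
    return [] unless multiple_primary_sources?
    msgs = ["multiple primary sources: #{primary_sources.uniq.join(', ')}"]
    msgs << "gems resolved against all of them: #{unscoped_gems.join(', ')}" if unscoped_gems.any?
    msgs << "gemspec dependencies are resolved against all of them" if uses_gemspec
    msgs
  end
end

# Constructed inputs: the question's Gemfile and the scoped form from the answers.
RISKY_GEMFILE = "source 'https://my.gemserver.com'\nsource 'https://rubygems.org'\ngemspec\n"
FIXED_GEMFILE = <<~GEMFILE
  source 'https://rubygems.org'
  source 'https://my.gemserver.com' do
    gem 'my-private-dependency'
  end
  gemspec
GEMFILE

p GemfileAudit.audit(RISKY_GEMFILE).findings   # two findings
p GemfileAudit.audit(FIXED_GEMFILE).findings   # []
```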