Add checksum of gems hosted on private servers: #9004
Merged
What was the end-user or developer problem that led to this PR?
Problem
Running `bundle lock --add-checksums` doesn't add the checksum of gems hosted on servers that don't implement the compact index API. This results in a lockfile which is unusable in production, as some checksums will be missing and Bundler raises an error. Users can work around this problem by running:

```
BUNDLE_LOCKFILE_CHECKSUMS=true bundle install --force
```

But this means redownloading and installing all gems, which isn't great and is slow on large apps.
What is your fix for the problem, implemented in this PR?
Context
Bundler uses the Compact Index API to get the checksum of gems, but most private gem servers don't implement the compact index API (such as cloudsmith or packagecloud). This results in a soft failure on Bundler's side, and Bundler leaves a blank checksum for those gems.
Solution
For gems that are hosted on private servers that don't send back the checksum of the gem, I'd like to fall back to the `bundle install` mechanism, which doesn't rely on an external API but instead computes the checksum of the package installed on disk. This patch goes through the specs that didn't return a checksum and computes one if the package exists on disk. This solution makes the `bundle lock --add-checksums` command actually usable in real world scenarios while keeping the `bundle lock` command fast enough.
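The fallback described above, as an added illustration that is not the PR's own code nor Bundler's: specs whose server returned no checksum get one computed from the `.gem` file in a local cache directory, and specs that are neither checksummed nor on disk are reported so the lockfile is not silently left incomplete. The `Spec` struct, the cache layout and the `sha256=<hex>` entry format are assumptions for this example.

```ruby
require "digest"
require "tmpdir"

# Constructed stand-in for a resolved spec: name, version and the checksum
# the remote returned (nil when the server has no compact index API).
Spec = Struct.new(:name, :version, :checksum) do
  def gem_file_name
    "#{name}-#{version}.gem"
  end
end

# Fill in missing checksums from the .gem files found in cache_dir, mirroring
# the PR's fallback: specs that already carry a checksum are left untouched,
# and a checksum is only computed when the package actually exists on disk.
# Returns the names of specs that are still missing a checksum afterwards.
def add_missing_checksums(specs, cache_dir)
  still_missing = []
  specs.each do |spec|
    next if spec.checksum # the remote already provided one
    path = File.join(cache_dir, spec.gem_file_name)
    unless File.file?(path)
      still_missing << spec.name # nothing on disk to hash; caller must decide
      next
    end
    # Digest of the package bytes on disk, no external API involved; the
    # "sha256=<hex>" shape is assumed to match the lockfile's CHECKSUMS entries.
    spec.checksum = "sha256=#{Digest::SHA256.file(path).hexdigest}"
  end
  still_missing
end

# Demo on constructed input: one gem the remote checksummed, one private gem
# present only on disk, and one private gem that is not installed at all.
def demo
  Dir.mktmpdir do |dir|
    File.binwrite(File.join(dir, "private_gem-1.0.0.gem"), "constructed gem bytes")
    specs = [
      Spec.new("rake", "13.1.0", "sha256=#{"a" * 64}"),
      Spec.new("private_gem", "1.0.0", nil),
      Spec.new("not_installed", "0.1.0", nil),
    ]
    missing = add_missing_checksums(specs, dir)
    [specs, missing]
  end
end
```

A non-empty return value from `add_missing_checksums` is the signal that the lockfile would still fail in production, which is the case the original `bundle install --force` workaround papers over.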