I'm seeing an unexpected undefined method match? for nil error on a gem that is missing a checksum.
I'm not sure of the desired behavior, but the current state isn't helpful to end users.
I asked AI to summarize what I found.
Bundler should tolerate empty compact-index checksum metadata without crashing
Summary
Bundler/RubyGems can crash while parsing compact-index metadata when a gem version line contains an empty checksum value.
Observed error:
There was an error parsing the metadata for the gem <name> (<version>): NoMethodError
undefined method `match?' for nil
The metadata was [["checksum", []]]
I understand this originates from malformed registry metadata. The request here is for parser hardening: malformed empty/value-less checksum metadata should not raise an internal NoMethodError that aborts resolution.
Why this matters
A single malformed historical version in a source can block unrelated updates, because dependency resolution may inspect historical compact-index metadata even when the project depends on a newer version.
Environment
- Ruby: 3.3.10
- Bundler: 2.5.22
- RubyGems: 4.0.15
- Source type: compact index (
/versions + /info/<gem>)
Reproduced locally with both Bundler 2 and Bundler 4
I created a minimal Gemfile that only references packageX 3.4.0 from a compact-index source and ran bundle lock --verbose with explicit versions.
bundle _2.5.22_ lock --verbose -> reproduces undefined method match? for nil while parsing packageX (2.0.1) metadata.
bundle _4.0.15_ lock --verbose -> reproduces the same error.
So this is reproducible in both Bundler 2.5.22 and Bundler 4.0.15 in this environment.
Problematic metadata shapes
These shapes should be treated defensively:
And parser-emitted tuples equivalent to:
[["checksum", []]]
[["checksum"]]
[["checksum", nil]]
Expected behavior (tentative)
I am not fully sure what the ideal resolver behavior should be for malformed compact-index metadata.
That said, an internal error like undefined method match? for nil is not very actionable for end users.
At minimum, one of these would be much easier to work with:
- Treat empty/value-less checksum metadata as absent and continue resolution.
- Raise a clear, user-facing parse/validation error that points to invalid compact-index checksum metadata for a specific gem/version.
- Keep strict behavior for malformed non-empty checksum values (i.e., still raise a normal explicit error there).
Actual behavior
Resolver raises internal NoMethodError during metadata parsing, wrapped as Bundler::GemspecError, and update resolution aborts.
High-level repro
- Use a compact-index source with at least one version line containing an empty checksum.
- Run a dependency resolution command that touches metadata for that gem.
- Observe parse failure with
undefined method match? for nil.
Notes from downstream workaround
Dependabot implemented a defensive workaround for Bundler 4 helper paths by filtering nil/empty metadata entries before Bundler parses them, while preserving failures for malformed non-empty checksums.
Public reference:
That workaround includes tests for:
- empty array checksum
- value-less checksum entry
- nil/blank metadata values
- malformed non-empty checksum still raising
Those test cases may be useful as upstream acceptance criteria.
Known status checked before filing
- I did not find an obvious matching open issue in
rubygems/rubygems via repository issue search for combinations of:
- checksum + compact index
- Bundler::GemspecError + checksum
- match? for nil
- I also reviewed recent RubyGems changelog entries and did not find an explicit fix note for this empty-checksum compact-index parsing case.
If this is already fixed on main or tracked elsewhere, I am happy to link and close.
I'm seeing an unexpected
undefined method match? for nilerror on a gem that is missing a checksum.I'm not sure of the desired behavior, but the current state isn't helpful to end users.
I asked AI to summarize what I found.
Bundler should tolerate empty compact-index checksum metadata without crashing
Summary
Bundler/RubyGems can crash while parsing compact-index metadata when a gem version line contains an empty checksum value.
Observed error:
I understand this originates from malformed registry metadata. The request here is for parser hardening: malformed empty/value-less checksum metadata should not raise an internal
NoMethodErrorthat aborts resolution.Why this matters
A single malformed historical version in a source can block unrelated updates, because dependency resolution may inspect historical compact-index metadata even when the project depends on a newer version.
Environment
/versions+/info/<gem>)Reproduced locally with both Bundler 2 and Bundler 4
I created a minimal Gemfile that only references
packageX 3.4.0from a compact-index source and ranbundle lock --verbosewith explicit versions.bundle _2.5.22_ lock --verbose-> reproducesundefined method match? for nilwhile parsingpackageX (2.0.1)metadata.bundle _4.0.15_ lock --verbose-> reproduces the same error.So this is reproducible in both Bundler 2.5.22 and Bundler 4.0.15 in this environment.
Problematic metadata shapes
These shapes should be treated defensively:
And parser-emitted tuples equivalent to:
Expected behavior (tentative)
I am not fully sure what the ideal resolver behavior should be for malformed compact-index metadata.
That said, an internal error like
undefined method match? for nilis not very actionable for end users.At minimum, one of these would be much easier to work with:
Actual behavior
Resolver raises internal
NoMethodErrorduring metadata parsing, wrapped asBundler::GemspecError, and update resolution aborts.High-level repro
undefined method match? for nil.Notes from downstream workaround
Dependabot implemented a defensive workaround for Bundler 4 helper paths by filtering nil/empty metadata entries before Bundler parses them, while preserving failures for malformed non-empty checksums.
Public reference:
That workaround includes tests for:
Those test cases may be useful as upstream acceptance criteria.
Known status checked before filing
rubygems/rubygemsvia repository issue search for combinations of:If this is already fixed on main or tracked elsewhere, I am happy to link and close.