Reputation: 6023
Isn't the Gemfile.lock a hack used to perpetuate bad practices in dependency version control?
I.e., shouldn't developers set the dependency version ranges strictly in the Gemfile?
For example, if my Gemfile says that I depend on gem A version 1.0.1 or versions [1.0-2.0), why would I need the .lock?
Upvotes: 2
Views: 209
Reputation: 230336
why would I need the .lock?
To install exactly the same versions as all the other guys in the team. Or install in production the same versions that you use in development.
It might happen that a new version of some gem is released while you were collecting sign-offs for your release. You'd better be sure you install/load exactly the versions that you developed/tested with.
Upvotes: 2
Reputation: 8345
No, Gemfile.lock makes a lot of sense and is crucial to the concept of automatically picking gem versions. As a developer, you do not need to bother about exact version numbers. You can say "give me whatever version of gem X fits all other versions of all other gems" (by just saying gem 'xyz' without any further information). Or you can tell it to stay within the bugfixing line of an older version of a gem (gem 'xyz', '~> 2.3.0') or whatever.
By adding the exact version in Gemfile.lock you then make sure that the versions stay consistent for all developers (and environments). You make the act of upgrading to a newer version of a gem a conscious (and well-documented) choice instead of a random part of your build/deploy process.
Upvotes: 5
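What both answers describe, as an added example that is not part of the original thread: the same Gemfile constraint resolves to a different version once a new release is published, while the pin recorded in Gemfile.lock does not move. The gem name xyz, its release history, the lockfile text and the helper names are all constructed for illustration; only RubyGems' own Gem::Requirement and Gem::Version classes are used.

```ruby
require "rubygems"

# Constructed release history for a hypothetical gem "xyz": the versions
# published when the release was tested, and again at deploy time.
RELEASES_AT_TEST   = { "xyz" => %w[2.2.9 2.3.0 2.3.1 2.4.0] }
RELEASES_AT_DEPLOY = { "xyz" => %w[2.2.9 2.3.0 2.3.1 2.3.2 2.4.0 3.0.0] }

# Constraint as it would appear in a Gemfile (gem 'xyz', '~> 2.3.0').
GEMFILE = { "xyz" => "~> 2.3.0" }

# Constructed Gemfile.lock, as written at test time.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      xyz (2.3.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    xyz (~> 2.3.0)
LOCK

# Highest published version satisfying a constraint: what a fresh
# resolve would pick when no lockfile is present.
def resolve(constraint, published)
  req = Gem::Requirement.new(*constraint)
  published.map { |v| Gem::Version.new(v) }.select { |v| req.satisfied_by?(v) }.max
end

# Exact pins from the "specs:" entries (four-space indent).
# Assumes plain versions with no platform suffix.
def locked_versions(lock_text)
  lock_text.scan(/^    (\S+) \(([^)]+)\)$/).to_h { |name, v| [name, Gem::Version.new(v)] }
end

# Gems whose floating resolution differs from the locked pin.
def drift(gemfile, lock_text, releases)
  locked = locked_versions(lock_text)
  gemfile.each_with_object({}) do |(name, constraint), out|
    floating = resolve(constraint, releases.fetch(name))
    out[name] = { locked: locked[name], floating: floating } unless floating == locked[name]
  end
end

if __FILE__ == $PROGRAM_NAME
  p drift(GEMFILE, LOCKFILE, RELEASES_AT_TEST)
  p drift(GEMFILE, LOCKFILE, RELEASES_AT_DEPLOY)
end
```

A non-empty result at deploy time is the version that would have been installed untested had the lockfile not been committed.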