Will It Vibe logoWill It Vibe?
SCA-014Medium severity-8 points

Gemfile with no Gemfile.lock

Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A Gemfile exists with no Gemfile.lock in the same directory, so bundle install can resolve different gem versions on different machines.

Why it matters

A Gemfile with no Gemfile.lock means bundle install resolves gem versions fresh every time within whatever the Gemfile allows, so two installs can end up running different gem versions. Rails and most Ruby tooling assume Gemfile.lock is committed; its absence is unusual enough that it is almost always an oversight rather than a deliberate choice.

How to fix it

Run bundle install once and commit the generated Gemfile.lock. CI and deploys should use bundle install --deployment (or the equivalent frozen mode for the Bundler version in use) so a stale lock fails loudly instead of silently resolving different gems.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Dependencies & Hygiene checks