
Why doesn't Rails lock certain gems to a particular version?

When I generate a new Rails 4 project, the Gemfile looks like this:

source 'https://rubygems.org'

# Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
gem 'rails', '4.0.2'

# Use postgresql as the database for Active Record
gem 'pg'

# Use SCSS for stylesheets
gem 'sass-rails', '~> 4.0.0'

# Use Uglifier as compressor for JavaScript assets
gem 'uglifier', '>= 1.3.0'

# Use CoffeeScript for .js.coffee assets and views
gem 'coffee-rails', '~> 4.0.0'

# Use jquery as the JavaScript library
gem 'jquery-rails'

# Turbolinks makes following links in your web application faster. Read more: https://github.com/rails/turbolinks
gem 'turbolinks'

# Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder
gem 'jbuilder', '~> 1.2'

group :doc do
  # bundle exec rake doc:rails generates the API under doc/api.
  gem 'sdoc', require: false
end

Why doesn't Rails lock the versions for pg, jquery-rails and turbolinks?

Undistraction asked Jan 21 '14 11:01


1 Answer

I think this comment from a GitHub issue about rails_app_composer might be part of the reasoning behind this:

If the gemfiles were to use Absolute Version Constraint (the equals operator), anyone who cloned or generated an example app could be certain that the application would always run as built. But we wouldn't learn about problems as quickly. With the Optimistic Version Constraints, we learn about problems with gems soon after incompatible gem versions are released.

For example, recently Devise version 2.2.0 changed the default password length. All the example applications broke because the example passwords in database initialization files and tests were too short. Within a day (or two) after the Devise 2.2.0 release I was aware of the issue because several GitHub issues were opened.

Now consider if I'd locked the gemfiles to Devise 2.1.0 with Absolute Version Constraint or Devise 2.1.x with Pessimistic Version Constraint. Eventually I'd get the bug reports, but only when someone got curious and decided to try newer versions of Devise. The bug reports would arrive, but slowly, and not as a swarm. When I see an isolated bug report, it's difficult to know if it is someone's idiosyncratic issue or an application failure. When I see a swarm of related issues, it's easy to guess that something is wrong.

This makes sense especially in the case of Turbolinks as it's a new feature. The author goes on to say, however, that in the end he "removed version numbers from the Gemfile," so make of that what you will.

dax answered Feb 07 '23 06:02
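
The three constraint styles named in the quoted comment (absolute, pessimistic, optimistic), checked with RubyGems' own `Gem::Requirement` against the Gemfile from the question. This is an added example, not part of the original question or answer; the helper names and the Devise release list are assumptions made for illustration.

```ruby
require 'rubygems' # Gem::Requirement and Gem::Version ship with Ruby

# Dependency lines copied from the Gemfile in the question.
GEMFILE = <<~'GEMS'
  gem 'rails', '4.0.2'
  gem 'pg'
  gem 'sass-rails', '~> 4.0.0'
  gem 'uglifier', '>= 1.3.0'
  gem 'turbolinks'
  gem 'jbuilder', '~> 1.2'
  gem 'sdoc', require: false
GEMS

# Hypothetical helper: { gem name => Gem::Requirement } for each `gem` line.
def parse_gemfile(text)
  text.each_line.with_object({}) do |line, reqs|
    next unless (m = line.match(/^\s*gem\s+['"]([^'"]+)['"](.*)$/))
    constraints = m[2].scan(/,\s*['"]([^'"]+)['"]/).flatten
    reqs[m[1]] = Gem::Requirement.new(*constraints) # no constraint => ">= 0"
  end
end

# Hypothetical helper: name the constraint style using the comment's terms.
def constraint_kind(req)
  return :unconstrained if req.none?
  ops = req.requirements.map(&:first)
  return :absolute    if ops == ['=']
  return :pessimistic if ops == ['~>']
  return :optimistic  if ops.all? { |op| %w[>= >].include?(op) }
  :mixed
end

# Which of the candidate versions would this constraint allow Bundler to pick?
def admitted(constraint, candidates)
  req = Gem::Requirement.new(*Array(constraint))
  candidates.select { |v| req.satisfied_by?(Gem::Version.new(v)) }
end

# Constructed release list; only 2.1.0 and 2.2.0 are named in the answer.
DEVISE = %w[2.1.0 2.1.1 2.2.0].freeze

if __FILE__ == $PROGRAM_NAME
  parse_gemfile(GEMFILE).each { |name, req| puts "#{name}: #{constraint_kind(req)} (#{req})" }
  ['= 2.1.0', '~> 2.1.0', '>= 2.1.0', nil].each do |c|
    puts "devise #{c || '(none)'} admits #{admitted(c, DEVISE).join(', ')}"
  end
end
```

Gems reported as `unconstrained` or `optimistic` are the ones for which any later release satisfies the Gemfile, which is the behaviour the quoted comment relies on to surface breakage early.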