We should be able to update minor versions of stable libs without breaking
gitlab Gemfile

--- a/Gemfile
+++ b/Gemfile
@@ -2,59 +2,59 @@
 
 source 'https://rubygems.org'
 
-gem 'rails', '~> 6.1.4.1'
+gem 'rails', '~> 6.1.4', '>= 6.1.4.1'
 
-gem 'bootsnap', '~> 1.9.1', require: false
+gem 'bootsnap', '~> 1.9', '>= 1.9.1', require: false
 
 # Responders respond_to and respond_with
 gem 'responders', '~> 3.0'
 
-gem 'sprockets', '~> 3.7.0'
+gem 'sprockets', '~> 3.7'
 
 # Default values for AR models
-gem 'default_value_for', '~> 3.4.0'
+gem 'default_value_for', '~> 3.4'
 
 # Supported DBs
 gem 'pg', '~> 1.1'
 
 gem 'rugged', '~> 1.2'
-gem 'grape-path-helpers', '~> 1.7.0'
+gem 'grape-path-helpers', '~> 1.7'
 
 gem 'faraday', '~> 1.0'
-gem 'marginalia', '~> 1.10.0'
+gem 'marginalia', '~> 1.10'
 
 # Authorization
-gem 'declarative_policy', '~> 1.1.0'
+gem 'declarative_policy', '~> 1.1'
 
 # Authentication libraries
-gem 'devise', '~> 4.7.2'
+gem 'devise', '~> 4.7','>= 4.7.2'
 gem 'bcrypt', '~> 3.1', '>= 3.1.14'
-gem 'doorkeeper', '~> 5.5.0.rc2'
-gem 'doorkeeper-openid_connect', '~> 1.7.5'
-gem 'rexml', '~> 3.2.5'
-gem 'ruby-saml', '~> 1.13.0'
+gem 'doorkeeper', '~> 5.5'
+gem 'doorkeeper-openid_connect', '~> 1.7','>= 1.7.5'
+gem 'rexml', '~> 3.2','>= 3.2.5'
+gem 'ruby-saml', '~> 1.13'
 gem 'omniauth', '~> 1.8'
-gem 'omniauth-auth0', '~> 2.0.0'
+gem 'omniauth-auth0', '~> 2.0'
 gem 'omniauth-azure-activedirectory-v2', '~> 1.0'
 gem 'omniauth-azure-oauth2', '~> 0.0.9' # Deprecated v1 version
-gem 'omniauth-cas3', '~> 1.1.4'
+gem 'omniauth-cas3', '~> 1.1','>= 1.1.4'
 gem 'omniauth-dingtalk-oauth2', '~> 1.0'
-gem 'omniauth-facebook', '~> 4.0.0'
+gem 'omniauth-facebook', '~> 4.0'
 gem 'omniauth-github', '~> 1.4'
-gem 'omniauth-gitlab', '~> 1.0.2'
+gem 'omniauth-gitlab', '~> 1.0','>= 1.0.2'
 gem 'omniauth-google-oauth2', '~> 0.6.0'
 gem 'omniauth-kerberos', '~> 0.3.0', group: :kerberos
 gem 'omniauth-oauth2-generic', '~> 0.2.2'
 gem 'omniauth-saml', '~> 1.10'
-gem 'omniauth-shibboleth', '~> 1.3.0'
+gem 'omniauth-shibboleth', '~> 1.3'
 gem 'omniauth-twitter', '~> 1.4'
-gem 'omniauth_crowd', '~> 2.4.0'
+gem 'omniauth_crowd', '~> 2.4'
 gem 'omniauth-authentiq', '~> 0.3.3'
 gem 'gitlab-omniauth-openid-connect', '~> 0.8.0', require: 'omniauth_openid_connect'
-gem 'omniauth-salesforce', '~> 1.0.5'
+gem 'omniauth-salesforce', '~> 1.0','>= 1.0.5'
 gem 'omniauth-atlassian-oauth2', '~> 0.2.0'
-gem 'rack-oauth2', '~> 1.16.0'
-gem 'jwt', '~> 2.1.0'
+gem 'rack-oauth2', '~> 1.16'
+gem 'jwt', '~> 2.1'
 
 # Kerberos authentication. EE-only
 gem 'gssapi', group: :kerberos
@@ -62,17 +62,17 @@
 # Spam and anti-bot protection
 gem 'recaptcha', '~> 4.11', require: 'recaptcha/rails'
 gem 'akismet', '~> 3.0'
-gem 'invisible_captcha', '~> 1.1.0'
+gem 'invisible_captcha', '~> 1.1'
 
 # Two-factor authentication
-gem 'devise-two-factor', '~> 4.0.0'
+gem 'devise-two-factor', '~> 4.0'
 gem 'rqrcode-rails3', '~> 0.1.7'
-gem 'attr_encrypted', '~> 3.1.0'
+gem 'attr_encrypted', '~> 3.1'
 gem 'u2f', '~> 0.2.1'
 
 # GitLab Pages
-gem 'validates_hostname', '~> 1.0.11'
-gem 'rubyzip', '~> 2.0.0', require: 'zip'
+gem 'validates_hostname', '~> 1.0', '>= 1.0.11'
+gem 'rubyzip', '~> 2.0', require: 'zip'
 # GitLab Pages letsencrypt support
 gem 'acme-client', '~> 2.0', '>= 2.0.6'
 
@@ -83,7 +83,7 @@
 gem 'ohai', '~> 16.10'
 
 # GPG
-gem 'gpgme', '~> 2.0.19'
+gem 'gpgme', '~> 2.0','>= 2.0.19'
 
 # LDAP Auth
 # GitLab fork with several improvements to original library. For full list of changes
@@ -92,17 +92,17 @@
 gem 'net-ldap', '~> 0.16.3'
 
 # API
-gem 'grape', '~> 1.5.2'
+gem 'grape', '~> 1.5','>= 1.5.2'
 gem 'grape-entity', '~> 0.10.0'
-gem 'rack-cors', '~> 1.0.6', require: 'rack/cors'
+gem 'rack-cors', '~> 1.0','>= 1.0.6', require: 'rack/cors'
 
 # GraphQL API
-gem 'graphql', '~> 1.11.10'
+gem 'graphql', '~> 1.11', '>= 1.11.10'
 # NOTE: graphiql-rails v1.5+ doesn't work: https://gitlab.com/gitlab-org/gitlab/issues/31771
 # TODO: remove app/views/graphiql/rails/editors/show.html.erb when https://github.com/rmosolgo/graphiql-rails/pull/71 is released:
 # https://gitlab.com/gitlab-org/gitlab/issues/31747
-gem 'graphiql-rails', '~> 1.4.10'
-gem 'apollo_upload_server', '~> 2.1.0'
+gem 'graphiql-rails', '~> 1.4', '>= 1.4.10'
+gem 'apollo_upload_server', '~> 2.1'
 gem 'graphql-docs', '~> 1.6.0', group: [:development, :test]
 gem 'graphlient', '~> 0.4.0' # Used by BulkImport feature (group::import)
 
@@ -114,23 +114,23 @@
 gem 'kaminari', '~> 1.0'
 
 # HAML
-gem 'hamlit', '~> 2.15.0'
+gem 'hamlit', '~> 2.15'
 
 # Files attachments
 gem 'carrierwave', '~> 1.3'
-gem 'mini_magick', '~> 4.10.1'
+gem 'mini_magick', '~> 4.10','>= 4.10.1'
 
 # for backups
 gem 'fog-aws', '~> 3.12'
 # Locked until fog-google resolves https://github.com/fog/fog-google/issues/421.
 # Also see config/initializers/fog_core_patch.rb.
-gem 'fog-core', '= 2.1.0'
+gem 'fog-core', '= 2.1'
 gem 'fog-google', '~> 1.15', require: 'fog/google'
 gem 'fog-local', '~> 0.6'
 gem 'fog-openstack', '~> 1.0'
 gem 'fog-rackspace', '~> 0.1.1'
 gem 'fog-aliyun', '~> 0.3'
-gem 'gitlab-fog-azure-rm', '~> 1.2.0', require: 'fog/azurerm'
+gem 'gitlab-fog-azure-rm', '~> 1.2', require: 'fog/azurerm'
 
 # for Google storage
 gem 'google-api-client', '~> 0.33'
@@ -139,37 +139,37 @@
 gem 'unf', '~> 0.1.4'
 
 # Seed data
-gem 'seed-fu', '~> 2.3.7'
+gem 'seed-fu', '~> 2.3','>= 2.3.7'
 
 # Search
 gem 'elasticsearch-model', '~> 6.1'
 gem 'elasticsearch-rails', '~> 6.1', require: 'elasticsearch/rails/instrumentation'
-gem 'elasticsearch-api',   '~> 6.8.2'
+gem 'elasticsearch-api',   '~> 6.8','>= 6.8.2'
 gem 'aws-sdk-core', '~> 3'
 gem 'aws-sdk-cloudformation', '~> 1'
 gem 'aws-sdk-s3', '~> 1'
 gem 'faraday_middleware-aws-sigv4', '~>0.3.0'
 
 # Markdown and HTML processing
-gem 'html-pipeline', '~> 2.13.2'
-gem 'deckar01-task_list', '2.3.1'
-gem 'gitlab-markup', '~> 1.8.0'
-gem 'github-markup', '~> 1.7.0', require: 'github/markup'
+gem 'html-pipeline', '~> 2.13','>= 2.13.2'
+gem 'deckar01-task_list', '~> 2.3','>= 2.3.1'
+gem 'gitlab-markup', '~> 1.8'
+gem 'github-markup', '~> 1.7', require: 'github/markup'
 gem 'commonmarker', '~> 0.23.2'
-gem 'kramdown', '~> 2.3.1'
-gem 'RedCloth', '~> 4.3.2'
-gem 'rdoc', '~> 6.3.2'
+gem 'kramdown', '~> 2.3','>= 2.3.1'
+gem 'RedCloth', '~> 4.3','>= 4.3.2'
+gem 'rdoc', '~> 6.3','>= 6.3.2'
 gem 'org-ruby', '~> 0.9.12'
 gem 'creole', '~> 0.5.0'
-gem 'wikicloth', '0.8.1'
-gem 'asciidoctor', '~> 2.0.10'
+gem 'wikicloth', '~> 0.8.1'
+gem 'asciidoctor', '~> 2.0','>= 2.0.10'
 gem 'asciidoctor-include-ext', '~> 0.3.1', require: false
 gem 'asciidoctor-plantuml', '~> 0.0.12'
 gem 'asciidoctor-kroki', '~> 0.5.0', require: false
-gem 'rouge', '~> 3.27.0'
+gem 'rouge', '~> 3.27'
 gem 'truncato', '~> 0.7.11'
-gem 'bootstrap_form', '~> 4.2.0'
-gem 'nokogiri', '~> 1.11.4'
+gem 'bootstrap_form', '~> 4.2'
+gem 'nokogiri', '~> 1.11','>= 1.11.4'
 gem 'escape_utils', '~> 1.1'
 
 # Calendar rendering
@@ -180,12 +180,12 @@
 gem 'diff_match_patch', '~> 0.1.0'
 
 # Application server
-gem 'rack', '~> 2.2.3'
+gem 'rack', '~> 2.2', '>= 2.2.3'
 # https://github.com/sharpstone/rack-timeout/blob/master/README.md#rails-apps-manually
 gem 'rack-timeout', '~> 0.5.1', require: 'rack/timeout/base'
 
 group :puma do
-  gem 'puma', '~> 5.5.2', require: false
+  gem 'puma', '~> 5.5', '>= 5.5.2', require: false
   gem 'puma_worker_killer', '~> 0.3.1', require: false
   gem 'sd_notify', '~> 0.1.0', require: false
 end
@@ -199,11 +199,11 @@
 # Background jobs
 gem 'sidekiq', '~> 6.3'
 gem 'sidekiq-cron', '~> 1.0'
-gem 'redis-namespace', '~> 1.8.1'
+gem 'redis-namespace', '~> 1.8','>= 1.8.1'
 gem 'gitlab-sidekiq-fetcher', '0.8.0', require: 'sidekiq-reliable-fetch'
 
 # Cron Parser
-gem 'fugit', '~> 1.2.1'
+gem 'fugit', '~> 1.2','>= 1.2.1'
 
 # HTTP requests
 gem 'httparty', '~> 0.16.4'
@@ -215,14 +215,14 @@
 gem 'ruby-progressbar', '~> 1.10'
 
 # GitLab settings
-gem 'settingslogic', '~> 2.0.9'
+gem 'settingslogic', '~> 2.0', '>= 2.0.9'
 
 # Linear-time regex library for untrusted regular expressions
-gem 're2', '~> 1.2.0'
+gem 're2', '~> 1.2'
 
 # Misc
 
-gem 'version_sorter', '~> 2.2.4'
+gem 'version_sorter', '~> 2.2', '>= 2.2.4'
 
 # Export Ruby Regex to Javascript
 gem 'js_regex', '~> 3.7'
@@ -231,24 +231,24 @@
 gem 'device_detector'
 
 # Redis
-gem 'redis', '~> 4.4.0'
+gem 'redis', '~> 4.4'
 gem 'connection_pool', '~> 2.0'
 
 # Redis session store
-gem 'redis-actionpack', '~> 5.2.0'
+gem 'redis-actionpack', '~> 5.2'
 
 # Discord integration
 gem 'discordrb-webhooks', '~> 3.4', require: false
 
 # Jira integration
-gem 'jira-ruby', '~> 2.1.4'
+gem 'jira-ruby', '~> 2.1', '>= 2.1.4'
 gem 'atlassian-jwt', '~> 0.2.0'
 
 # Flowdock integration
 gem 'flowdock', '~> 0.7'
 
 # Slack integration
-gem 'slack-messenger', '~> 2.3.4'
+gem 'slack-messenger', '~> 2.3', '>= 2.3.4'
 
 # Hangouts Chat integration
 gem 'hangouts-chat', '~> 0.0.5', require: 'hangouts_chat'
@@ -260,17 +260,17 @@
 gem 'ruby-fogbugz', '~> 0.2.1'
 
 # Kubernetes integration
-gem 'kubeclient', '~> 4.9.2'
+gem 'kubeclient', '~> 4.9','>= 4.9.2'
 
 # Sanitize user input
-gem 'sanitize', '~> 5.2.1'
-gem 'babosa', '~> 1.0.4'
+gem 'sanitize', '~> 5.2','>= 5.2.1'
+gem 'babosa', '~> 1.0','>= 1.0.4'
 
 # Sanitizes SVG input
 gem 'loofah', '~> 2.2'
 
 # Working with license
-gem 'licensee', '~> 9.14.1'
+gem 'licensee', '~> 9.14','>= 9.14.1'
 
 # Detect and convert string character encoding
 gem 'charlock_holmes', '~> 0.7.7'
@@ -287,20 +287,20 @@
 
 gem 'rack-proxy', '~> 0.6.0'
 
-gem 'sassc-rails', '~> 2.1.0'
-gem 'autoprefixer-rails', '10.2.5.1'
-gem 'terser', '1.0.2'
+gem 'sassc-rails', '~> 2.1'
+gem 'autoprefixer-rails', '~> 10.2', '>= 10.2.5.1'
+gem 'terser', '~> 1.0','>= 1.0.2'
 
 gem 'addressable', '~> 2.8'
 gem 'tanuki_emoji', '~> 0.5'
-gem 'gon', '~> 6.4.0'
+gem 'gon', '~> 6.4'
 gem 'request_store', '~> 1.5'
 gem 'base32', '~> 0.3.0'
 
 gem 'gitlab-license', '~> 2.0'
 
 # Protect against bruteforcing
-gem 'rack-attack', '~> 6.3.0'
+gem 'rack-attack', '~> 6.3'
 
 # Sentry integration
 gem 'sentry-raven', '~> 3.1'
@@ -309,7 +309,7 @@
 #
 gem 'pg_query', '~> 2.1'
 
-gem 'premailer-rails', '~> 1.10.3'
+gem 'premailer-rails', '~> 1.10','>=  1.10.3'
 
 # LabKit: Tracing and Correlation
 gem 'gitlab-labkit', '~> 0.21.1'
@@ -320,11 +320,11 @@
 # I18n
 gem 'ruby_parser', '~> 3.15', require: false
 gem 'rails-i18n', '~> 6.0'
-gem 'gettext_i18n_rails', '~> 1.8.0'
+gem 'gettext_i18n_rails', '~> 1.8'
 gem 'gettext_i18n_rails_js', '~> 1.3'
 gem 'gettext', '~> 3.3', require: false, group: :development
 
-gem 'batch-loader', '~> 2.0.1'
+gem 'batch-loader', '~> 2.0', '>= 2.0.1'
 
 # Perf bar
 gem 'peek', '~> 1.1'
@@ -334,10 +334,10 @@
 
 # Metrics
 gem 'method_source', '~> 1.0', require: false
-gem 'webrick', '~> 1.6.1', require: false
+gem 'webrick', '~> 1.6', '>= 1.6.1', require: false
 gem 'prometheus-client-mmap', '~> 0.15.0', require: 'prometheus/client'
 
-gem 'warning', '~> 1.2.0'
+gem 'warning', '~> 1.2'
 
 group :development do
   gem 'lefthook', '~> 0.7.0', require: false
@@ -419,18 +419,18 @@
 end
 
 group :test do
-  gem 'fuubar', '~> 2.2.0'
+  gem 'fuubar', '~> 2.2'
   gem 'rspec-retry', '~> 0.6.1'
   gem 'rspec_profiling', '~> 0.0.6'
   gem 'rspec-parameterized', require: false
 
-  gem 'capybara', '~> 3.35.3'
-  gem 'capybara-screenshot', '~> 1.0.22'
-  gem 'selenium-webdriver', '~> 3.142'
-
-  gem 'shoulda-matchers', '~> 4.0.1', require: false
-  gem 'email_spec', '~> 2.2.0'
-  gem 'webmock', '~> 3.9.1'
+  gem 'capybara', '~> 3.35', '~> 3.35.3'
+  gem 'capybara-screenshot', '~> 1.0', '>= 1.0.22'
+  gem 'selenium-webdriver', '~> 3.1','>= 3.142'
+
+  gem 'shoulda-matchers', '~> 4.0', '>= 4.0.1', require: false
+  gem 'email_spec', '~> 2.2'
+  gem 'webmock', '~> 3.9', '>= 3.9.1'
   gem 'rails-controller-testing'
   gem 'concurrent-ruby', '~> 1.1'
   gem 'test-prof', '~> 1.0.7'
@@ -449,7 +449,7 @@
 gem 'email_reply_trimmer', '~> 0.1'
 gem 'html2text'
 
-gem 'ruby-prof', '~> 1.3.0'
+gem 'ruby-prof', '~> 1.3'
 gem 'stackprof', '~> 0.2.15', require: false
 gem 'rbtrace', '~> 0.4', require: false
 gem 'memory_profiler', '~> 0.9', require: false
@@ -463,8 +463,8 @@
 gem 'health_check', '~> 3.0'
 
 # System information
-gem 'vmstat', '~> 2.3.0'
-gem 'sys-filesystem', '~> 1.4.3'
+gem 'vmstat', '~> 2.3'
+gem 'sys-filesystem', '~> 1.4', '>= 1.4.3'
 
 # NTP client
 gem 'net-ntp'
@@ -483,14 +483,14 @@
 gem 'spamcheck', '~> 0.1.0'
 
 # Gitaly GRPC protocol definitions
-gem 'gitaly', '~> 14.4.0.pre.rc43'
+gem 'gitaly', '~> 14.4'
 
 # KAS GRPC protocol definitions
 gem 'kas-grpc', '~> 0.0.2'
 
-gem 'grpc', '~> 1.30.2'
+gem 'grpc', '~> 1.30', '>= 1.30.2'
 
-gem 'google-protobuf', '~> 3.17.1'
+gem 'google-protobuf', '~> 3.17', '>= 3.17.1'
 
 gem 'toml-rb', '~> 2.0'
 
@@ -498,7 +498,7 @@
 gem 'flipper', '~> 0.21.0'
 gem 'flipper-active_record', '~> 0.21.0'
 gem 'flipper-active_support_cache_store', '~> 0.21.0'
-gem 'unleash', '~> 3.2.2'
+gem 'unleash', '~> 3.2', '>= 3.2.2'
 gem 'gitlab-experiment', '~> 0.6.5'
 
 # Structured logging
@@ -511,12 +511,12 @@
 # Countries list
 gem 'countries', '~> 3.0'
 
-gem 'retriable', '~> 3.1.2'
+gem 'retriable', '~> 3.1', '>= 3.1.2'
 
 # LRU cache
 gem 'lru_redux'
 
-gem 'erubi', '~> 1.9.0'
+gem 'erubi', '~> 1.9'
 
 # Locked as long as quoted-printable encoding issues are not resolved
 # Monkey-patched in `config/initializers/mail_encoding_patch.rb`
@@ -531,11 +531,11 @@
 gem 'valid_email', '~> 0.1'
 
 # JSON
-gem 'json', '~> 2.5.1'
+gem 'json', '~> 2.5', '>= 2.5.1'
 gem 'json_schemer', '~> 0.2.18'
-gem 'oj', '~> 3.10.6'
-gem 'multi_json', '~> 1.14.1'
-gem 'yajl-ruby', '~> 1.4.1', require: 'yajl'
+gem 'oj', '~> 3.10', '>= 3.10.6'
+gem 'multi_json', '~> 1.14', '>= 1.14.1'
+gem 'yajl-ruby', '~> 1.4', '>= 1.4.1', require: 'yajl'
 
 gem 'webauthn', '~> 2.3'