bundler-multilock 1.1.2 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 67b3efef0037c3c22b0b8fccee25a6388b3cc3aa38b92dc2dfdc956b2eca01e8
-  data.tar.gz: e12da2edaeacc80d5d5b90108a333c1d195be6d0784618ab40ebe5d5807981fc
+  metadata.gz: c84016021b1c7595a4e796a80de94d7df2160f016c4bdc286f1616c61bb09170
+  data.tar.gz: 8b8ed6c345db6beb1fdf681e603ffee395d39459fc5a81982f1457876bea4037
 SHA512:
-  metadata.gz: 64f62f4d2d35d55cacb8d751be9708d56f4d60348c69faa61f8ea8c48a0ff273fd355238fe71175e0d36c2ad7cbe6f55e225fb6ea56be8361d258d5cb6ae45d8
-  data.tar.gz: 393ca25f67035f032b83442e7dd7bf5a4cec5002f72c94eb1f42a3d962117f79a39e029e1280c845520af398fc7b68d4cbd5d2dd60ab9d6181891a1ee10ab36b
+  metadata.gz: 4eb1334a6a9860cea9fbb7ece25741bc35f9dd3e44ab6a17bbf041998116445acf53173a7372f6c1f19dedf1538f1bccc0db859123493b5addae86d134f81146
+  data.tar.gz: 6bc840a4f41344443609f00447e87c95a89eab942446b5dd2598e55bcd15a79a7fcdb3952a4e417ce7664e50316073defdb627bba2da1b886323c0d92292d345

data/lib/bundler/multilock/check.rb

@@ -58,7 +58,7 @@ module Bundler
 
       # this is mostly equivalent to the built in checks in `bundle check`, but even
       # more conservative, and returns false instead of exiting on failure
-      def base_check(lockfile_definition, log_missing: false, return_missing: false)
+      def base_check(lockfile_definition, log_missing: false, return_missing: false, check_missing_deps: false)
         return return_missing ? [] : false unless lockfile_definition[:lockfile].file?
 
         Multilock.prepare_block = lockfile_definition[:prepare]
@@ -83,14 +83,17 @@ module Bundler
 
         return not_installed if return_missing
 
-        not_installed.empty? && definition.no_resolve_needed?
+        return false unless not_installed.empty? && definition.no_resolve_needed?
+        return true unless check_missing_deps
+
+        (definition.locked_gems.dependencies.values - definition.dependencies).empty?
       ensure
         Multilock.prepare_block = nil
       end
 
       # this checks for mismatches between the parent lockfile and the given lockfile,
       # and for pinned dependencies in lockfiles requiring them
-      def check(lockfile_definition, allow_mismatched_dependencies: true)
+      def check(lockfile_definition)
         success = true
         proven_pinned = Set.new
         needs_pin_check = []
@@ -109,36 +112,8 @@ module Bundler
           success = false
         end
 
-        specs = lockfile.specs.group_by(&:name)
-        if allow_mismatched_dependencies
-          allow_mismatched_dependencies = lockfile_definition[:allow_mismatched_dependencies]
-        end
-
-        # build list of top-level dependencies that differ from the parent lockfile,
-        # and all _their_ transitive dependencies
-        if allow_mismatched_dependencies
-          transitive_dependencies = Set.new
-          # only dependencies that differ from the parent lockfile
-          pending_transitive_dependencies = lockfile.dependencies.reject do |name, dep|
-            parent_lockfile.dependencies[name] == dep
-          end.map(&:first)
-
-          until pending_transitive_dependencies.empty?
-            dep = pending_transitive_dependencies.shift
-            next if transitive_dependencies.include?(dep)
-
-            transitive_dependencies << dep
-            platform_specs = specs[dep]
-            unless platform_specs
-              # should only be bundler that's missing a spec
-              raise "Could not find spec for dependency #{dep}" unless dep == "bundler"
-
-              next
-            end
-
-            pending_transitive_dependencies.concat(platform_specs.flat_map(&:dependencies).map(&:name).uniq)
-          end
-        end
+        reverse_dependencies = cache_reverse_dependencies(lockfile)
+        parent_reverse_dependencies = cache_reverse_dependencies(parent_lockfile)
 
         # look through top-level explicit dependencies for pinned requirements
         if lockfile_definition[:enforce_pinned_additional_dependencies]
@@ -146,7 +121,7 @@ module Bundler
         end
 
         # check for conflicting requirements (and build list of pins, in the same loop)
-        specs.values.flatten.each do |spec|
+        lockfile.specs.each do |spec|
           parent_spec = lockfile_specs[parent][[spec.name, spec.platform]]
 
           if lockfile_definition[:enforce_pinned_additional_dependencies]
@@ -170,7 +145,15 @@ module Bundler
                         end
 
           next if parent_spec.version == spec.version && same_source
-          next if allow_mismatched_dependencies && transitive_dependencies.include?(spec.name)
+
+          # the version in the parent lockfile cannot possibly satisfy the requirements
+          # in this lockfile, and vice versa, so we assume it's intentional and allow it
+          unless reverse_dependencies[spec.name].satisfied_by?(parent_spec.version) ||
+                 parent_reverse_dependencies[spec.name].satisfied_by?(spec.version)
+            # we're allowing it to differ from the parent, so pin check requirement comes into play
+            needs_pin_check << spec if lockfile_definition[:enforce_pinned_additional_dependencies]
+            next
+          end
 
           Bundler.ui.error("#{spec}#{spec.git_version} in #{lockfile_path} " \
                            "does not match the parent lockfile's version " \
@@ -206,6 +189,21 @@ module Bundler
 
       private
 
+      def cache_reverse_dependencies(lockfile)
+        reverse_dependencies = Hash.new { |h, k| h[k] = Gem::Requirement.default_prerelease }
+
+        lockfile.dependencies.each_value do |spec|
+          reverse_dependencies[spec.name].requirements.concat(spec.requirement.requirements)
+        end
+        lockfile.specs.each do |spec|
+          spec.dependencies.each do |dependency|
+            reverse_dependencies[dependency.name].requirements.concat(dependency.requirement.requirements)
+          end
+        end
+
+        reverse_dependencies
+      end
+
       def find_pinned_dependencies(proven_pinned, dependencies)
         dependencies.each do |dependency|
           dependency.requirement.requirements.each do |requirement|

data/lib/bundler/multilock/version.rb

@@ -2,6 +2,6 @@
 
 module Bundler
   module Multilock
-    VERSION = "1.1.2"
+    VERSION = "1.2.0"
   end
 end

data/lib/bundler/multilock.rb

@@ -27,11 +27,6 @@ module Bundler
       #   BUNDLE_LOCKFILE will still override a lockfile tagged as active
       # @param parent [String] The parent lockfile to sync dependencies from.
       #   Also used for comparing enforce_pinned_additional_dependencies against.
-      # @param allow_mismatched_dependencies [true, false]
-      #   Allows version differences in dependencies between this lockfile and
-      #   the default lockfile. Note that even with this option, only top-level
-      #   dependencies that differ from the default lockfile, and their transitive
-      #   depedencies, are allowed to mismatch.
       # @param enforce_pinned_additional_dependencies [true, false]
       #   If dependencies are present in this lockfile that are not present in the
       #   default lockfile, enforce that they are pinned.
@@ -44,12 +39,15 @@ module Bundler
                        active: nil,
                        default: nil,
                        parent: nil,
-                       allow_mismatched_dependencies: true,
+                       allow_mismatched_dependencies: nil,
                        enforce_pinned_additional_dependencies: false,
                        &block)
         # backcompat
         active = default if active.nil?
         Bundler.ui.warn("lockfile(default:) is deprecated. Use lockfile(active:) instead.") if default
+        unless allow_mismatched_dependencies.nil?
+          Bundler.ui.warn("lockfile(allow_mismatched_dependencies:) is deprecated.")
+        end
 
         active = true if active.nil? && lockfile_definitions.empty? && lockfile.nil? && gemfile.nil?
 
@@ -81,7 +79,6 @@ module Bundler
           active: active,
           prepare: block,
           parent: parent,
-          allow_mismatched_dependencies: allow_mismatched_dependencies,
           enforce_pinned_additional_dependencies: enforce_pinned_additional_dependencies
         })
 
@@ -149,7 +146,6 @@ module Bundler
         require_relative "multilock/lockfile_generator"
 
         Bundler.ui.debug("Syncing to alternate lockfiles")
-        Bundler.ui.info ""
 
         attempts = 1
 
@@ -171,8 +167,8 @@ module Bundler
             up_to_date = false
             Bundler.settings.temporary(frozen: true) do
               Bundler.ui.silence do
-                up_to_date = checker.base_check(lockfile_definition) &&
-                             checker.check(lockfile_definition, allow_mismatched_dependencies: false)
+                up_to_date = checker.base_check(lockfile_definition, check_missing_deps: true) &&
+                             checker.check(lockfile_definition)
               end
             end
             if up_to_date
@@ -426,9 +422,16 @@ module Bundler
 
         orig_definition = definition.dup # we might need it twice
 
+        # install gems for the exact current version of the lockfile
+        # this ensures it doesn't re-resolve with only (different)
+        # local gems after you've pulled down an update to the lockfile
+        # from someone else
         if current_lockfile.exist? && install
           Bundler.settings.temporary(frozen: true) do
             current_definition = builder.to_definition(current_lockfile, {})
+            # if something has changed, we skip this step; it's unlocking anyway
+            next unless current_definition.no_resolve_needed?
+
             current_definition.resolve_with_cache!
             if current_definition.missing_specs.any?
               Bundler.with_default_lockfile(current_lockfile) do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bundler-multilock
 version: !ruby/object:Gem::Version
-  version: 1.1.2
+  version: 1.2.0
 platform: ruby
 authors:
 - Instructure
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-10-06 00:00:00.000000000 Z
+date: 2023-10-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler