bundler-patch 0.10.0 → 0.10.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: db13e486dca6bfc05d93f62cf35c04e8635ba49d
-  data.tar.gz: 9bc70139fc23c0411919e2c14405ee508ca10527
+  metadata.gz: 0bef08487b69dc8e1c916b94ff9521b81a98fc32
+  data.tar.gz: 0f7b9182907bddeed7c3446888768e52f4a3c5f2
 SHA512:
-  metadata.gz: b48d69a664d17906a3f38b2c1b235124e0c52e015e71afec2030a7a5cc88d9171737f33a34244655456aea0798abe95812dc75422b984739a1e1827dae454024
-  data.tar.gz: 848c2620c837d61da57080be7d5a982c068af6c82c35685eb8edd43243dfee1e917ec6941315497285d2e6aa6b95eeeae9835c7e8d33ce745b0cd744b675cf74
+  metadata.gz: cf826e0aea2b3767a36ddbc847dbd81d480375d390629b7c12aa77531fe9ea4f2ef26ad8eec9e0d7762b76dd981ef563f350897c30e6cdbb9a740382a6c3f940
+  data.tar.gz: 2d4abd9a98d399a0dcbb3ed4b9e537b8093a571469e710e11f93f24e022103d18ae536f749f75ceaffaac79d558064a478116cfad2bfb4b4aa777326f0da0184

data/.travis.yml

@@ -22,4 +22,4 @@ matrix:
     - rvm: 2.3.1
       env: BUNDLER_TEST_VERSION=1.12.5
     - rvm: 2.3.1
-      env: BUNDLER_TEST_VERSION=1.13.0.rc.2
+      env: BUNDLER_TEST_VERSION=1.13.3

data/BUNDLER.md

@@ -66,11 +66,11 @@ A list of gem names can be passed to restrict to just those gems.
 
 ### Single Gem
 
-| Requirements| Locked  | Available                        | Option   | Result |
-|-------------|---------|----------------------------------|----------|--------|
-| foo         | 1.4.3   | 1.4.4, 1.4.5, 1.5.0, 1.5.1 1.6.0 | --patch  | 1.4.5  |
-| foo         | 1.4.3   | 1.4.4, 1.4.5, 1.5.0, 1.5.1 1.6.0 | --minor  | 1.5.1  |
-| foo         | 1.4.3   | 1.4.4, 1.4.5, 1.5.0, 1.5.1 1.6.0 | --major  | 1.6.0  |
+| Requirements| Locked  | Available                         | Option   | Result |
+|-------------|---------|-----------------------------------|----------|--------|
+| foo         | 1.4.3   | 1.4.4, 1.4.5, 1.5.0, 1.5.1, 2.0.0 | --patch  | 1.4.5  |
+| foo         | 1.4.3   | 1.4.4, 1.4.5, 1.5.0, 1.5.1, 2.0.0 | --minor  | 1.5.1  |
+| foo         | 1.4.3   | 1.4.4, 1.4.5, 1.5.0, 1.5.1, 2.0.0 | --major  | 2.0.0  |
 
 ### Two Gems
 
@@ -96,7 +96,7 @@ Gemfile.lock:
 | # | Command Line                   | Result                    |
 |---|--------------------------------|---------------------------|
 | 1 | bundle update --patch          | 'foo 1.4.5', 'bar 2.1.1'  |
-| 2 | bundle update --patch foo      | 'foo 1.4.4', 'bar 2.0.3'  |
+| 2 | bundle update --patch foo      | 'foo 1.4.5', 'bar 2.1.1'  |
 | 3 | bundle update --minor          | 'foo 1.5.1', 'bar 3.0.0'  |
 | 4 | bundle update --minor --strict | 'foo 1.5.0', 'bar 2.1.1'  |
 | 5 | bundle update --patch --strict | 'foo 1.4.4', 'bar 2.0.4'  |
@@ -104,8 +104,9 @@ Gemfile.lock:
 In case 1, `bar` is upgraded to 2.1.1, a minor version increase, because the
 dependency from `foo` 1.4.5 required it.
 
-In case 2, only `foo` is unlocked, so `foo` can only go to 1.4.4 to maintain
-the dependency to `bar`.
+In case 2, only `foo` is unlocked, but because no other gem depends on `bar`
+and `bar` is not a declared dependency in the Gemfile, `bar` is free to move, 
+and so the result is the same as case 1. 
 
 In case 3, `bar` goes up a whole major release, because a minor increase is
 preferred now for `foo`, and when it goes to 1.5.1, it requires 3.0.0 of
@@ -119,13 +120,116 @@ In case 5, both `foo` and `bar` have any minor or major increments removed
 from consideration because of the `--strict` flag, so the most they can
 move is up to 1.4.4 and 2.0.4.
 
+### Shared Dependencies
+
+#### Shared Cannot Move
+
+Given the following gem specifications:
+
+- foo 1.4.3, requires: ~> shared 2.0, ~> bar 2.0
+- foo 1.4.4, requires: ~> shared 2.0, ~> bar 2.0
+- foo 1.4.5, requires: ~> shared 2.1, ~> bar 2.1
+- foo 1.5.0, requires: ~> shared 2.1, ~> bar 2.1
+- qux 1.0.0, requires: ~> shared 2.0.0           
+- bar with versions 2.0.3, 2.0.4, 2.1.0, 2.1.1
+- shared with versions 2.0.3, 2.0.4, 2.1.0, 2.1.1
+
+Gemfile: 
+
+    gem 'foo'
+    gem 'qux'
+
+Gemfile.lock: 
+
+    bar (2.0.3)
+    foo (1.4.3)
+      bar (~> 2.0)
+      shared (~> 2.0)
+    qux (1.0.0)
+      shared (~> 2.0.0)
+    shared (2.0.3)
+    
+
+| # | Command Line                   | Result                                    |
+|---|--------------------------------|-------------------------------------------|
+| 1 | bundle update --patch foo      | 'foo 1.4.4', 'bar 2.0.3', 'shared 2.0.3'  |
+| 2 | bundle update --patch foo bar  | 'foo 1.4.4', 'bar 2.0.4', 'shared 2.0.3'  |
+| 3 | bundle update --patch          | 'foo 1.4.4', 'bar 2.0.4', 'shared 2.0.4'  |
+
+In case 1, only `foo` moves. When `foo` 1.4.5 is considered in resolution, it 
+would require `shared` 2.1 which isn't allowed because `qux` is incompatible. 
+Resolution backs up to `foo` 1.4.4, and that is allowed by the `qux` constraint
+on `shared` so `foo` moves. `bar` could legally move, but since it is locked 
+and the current version still satisfies the requirement of `~> 2.0` it stays 
+put.
+
+In case 2, everything is the same, but `bar` is also unlocked, so it is also
+allowed to increment to 2.0.4 which still satisfies `~> 2.0`.
+
+In case 3, everything is unlocked, so `shared` can also bump up a patch version.
+
+#### Shared Can Move
+
+_*This is exactly the same setup as "Shared Cannot Move" except for one change:*_
+The `qux` gem has a looser requirement of `shared`: `~> 2.0` instead of `~> 2.0.0`.
+
+Given the following gem specifications:
+
+- foo 1.4.3, requires: ~> shared 2.0, ~> bar 2.0
+- foo 1.4.4, requires: ~> shared 2.0, ~> bar 2.0
+- foo 1.4.5, requires: ~> shared 2.1, ~> bar 2.1
+- foo 1.5.0, requires: ~> shared 2.1, ~> bar 2.1
+- qux 1.0.0, requires: ~> shared 2.0           
+- bar with versions 2.0.3, 2.0.4, 2.1.0, 2.1.1
+- shared with versions 2.0.3, 2.0.4, 2.1.0, 2.1.1
+
+Gemfile: 
+
+    gem 'foo'
+    gem 'qux'
+
+Gemfile.lock: 
+
+    bar (2.0.3)
+    foo (1.4.3)
+      bar (~> 2.0)
+      shared (~> 2.0)
+    qux (1.0.0)
+      shared (~> 2.0)
+    shared (2.0.3)
+    
+
+| # | Command Line                   | Result                                    |
+|---|--------------------------------|-------------------------------------------|
+| 1 | bundle update --patch foo      | 'foo 1.4.5', 'bar 2.1.1', 'shared 2.1.1'  |
+| 2 | bundle update --patch foo bar  | 'foo 1.4.5', 'bar 2.1.1', 'shared 2.1.1'  |
+| 3 | bundle update --patch          | 'foo 1.4.5', 'bar 2.1.1', 'shared 2.1.1'  |
+
+In all 3 cases, because `foo` 1.4.5 depends on newer versions of `bar` and 
+`shared`, and no requirements from `qux` are restricting those two from moving, 
+then all move as far as allowed here.
+ 
+`foo` can only move to 1.4.5 and not 1.5.0 because of the `--patch` flag. 
+ 
+As previously demonstrated (see Two Cases) `bar` and `shared` move past the 
+`--patch` restriction because `--strict` is not in play, they are not declared 
+dependencies in the Gemfile and they need to move to satisfy the new `foo` 
+requirement.
+
+### Bundle Install Like Conservative Updating
+
+As detailed in [Bundle Install Docs](http://bundler.io/v1.13/man/bundle-install.1.html#CONSERVATIVE-UPDATING)
+there is a way to prevent shared dependencies from moving after (a) changing 
+a requirement in the Gemfile and (b) using `bundle install`. There's currently
+not an equivalent way to do this with `bundler-patch` or `bundle update` but
+this may change in the future.
 
 ### Troubleshooting
 
 First, make sure the current `bundle` command itself runs to completion on its
 own without any problems.
 
-The most frequent problems with this tool involve expectations around what
+The most frequent problems involve expectations around what
 gems should or shouldn't be upgraded. This can quickly get complicated as even
 a small dependency tree can involve many moving parts, and Bundler works hard
 to find a combination that satisfies all of the dependencies and requirements.

data/lib/bundler/patch/cli.rb

@@ -100,7 +100,11 @@ module Bundler::Patch
       end
 
       if all_gem_patches.empty?
-        Bundler.ui.info 'Updating all gems conservatively.'
+        if options[:vulnerable_gems_only]
+          return # nothing to do
+        else
+          Bundler.ui.info 'Updating all gems conservatively.'
+        end
       else
         Bundler.ui.info "Updating '#{all_gem_patches.map(&:gem_name).join(' ')}' conservatively."
       end

data/lib/bundler/patch/version.rb

@@ -1,5 +1,5 @@
 module Bundler
   module Patch
-    VERSION = '0.10.0'
+    VERSION = '0.10.1'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bundler-patch
 version: !ruby/object:Gem::Version
-  version: 0.10.0
+  version: 0.10.1
 platform: ruby
 authors:
 - chrismo
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-08-23 00:00:00.000000000 Z
+date: 2016-10-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler-advise
@@ -166,7 +166,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.4
+rubygems_version: 2.6.6
 signing_key: 
 specification_version: 4
 summary: Conservative bundler updates