bundler-resolutions 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 5a9bc7c0b4191b262edcc52111b78fb8c67b74b0c9642ddec0036142d46c2989
+  data.tar.gz: bb5c955b6db7a14e56e8d5048c98709a36f634f25364a14cbe22d6606d3faeab
+SHA512:
+  metadata.gz: 2d0f016d3a21dd98fe3d175d015fd4e526a514f32acf8283205db330ac9e52df4444e59a12e761882580790c8bccc1599739d3375291f598b810b4e7800b0705
+  data.tar.gz: cf1c8bee485fa053ec3de1ac094638381d9153796de7e77f5add4ee31953f41889f3563f6413830a5351633cb2f7960d5557447f66d52aca69ac175293696646

data/README.md

@@ -0,0 +1,93 @@
+bundler-resolutions
+===================
+
+[![Gem Version](https://img.shields.io/gem/v/bundler-resolutions?color=green)](https://rubygems.org/gems/bundler-resolutions)
+[![License](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+
+[bundler-resolutions](https://github.com/hlascelles/bundler-resolutions) is a [bundler](https://bundler.io/)
+plugin that allows you to specify gem version requirements in your `Gemfile` without explicitly declaring
+a concrete dependency on those gems. It acts much like the
+[resolutions](https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/) feature in
+[Yarn](https://yarnpkg.com/).
+
+> [!WARNING]  
+> This is an experimental project and neither its API stability nor correctness should be assumed
+
+## Usage
+
+Add `bundler-resolutions` to your Gemfile, and add a `resolutions` group to specify the gems you
+want to specify versions requirements for.
+
+The resulting `Gemfile.lock` in this example will have nokogiri locked to `1.16.5` or above.
+
+```ruby
+plugin 'bundler-resolutions'
+
+gem "rails"
+
+group :resolutions do
+  gem "nokogiri", ">= 1.16.5" # CVE-2024-34459
+end
+```
+
+However the `Gemfile.lock` from this example will not have nokogiri at all, as it is neither
+explicitly declared, nor brought in as a transitive dependency.
+
+```ruby
+plugin 'bundler-resolutions'
+
+group :resolutions do
+  gem "nokogiri", ">= 1.16.5" # CVE-2024-34459
+end
+```
+
+## Detail
+
+`bundler-resolutions` allows you to specify version requirements using standard gem syntax in your
+Gemfile to indicate that you have version requirements for those gems *if* they were to be brought
+in as transitive dependencies, but that you don't depend on them yourself directly.
+
+An example use case is in the Gemfile given below. Here we are saying that although we do not use nokogiri
+specifically ourselves, we want to ensure that if it is pulled in by other gems then it will
+always be above the know version with a CVE.
+
+```ruby
+source "https://rubygems.org"
+
+plugin 'bundler-resolutions'
+
+gem "rails"
+
+group :resolutions do
+  gem "nokogiri", ">= 1.16.5" # CVE-2024-34459
+end
+```
+
+The big difference between doing this and just declaring it in your Gemfile is that it will only 
+be used in resolutions (and be written to your lock file) if the gems you do directly depend on
+continue to use it. If they stop using it, then your resolutions will take no part in the
+bundler lock resolution.
+
+The other difference is that even if it does take part in the resolutions, it will not be
+present in the `DEPENDENCIES` section of the lock file, as it is not a direct dependency.
+
+## Use cases
+
+There are a number of reasons you may want to prevent the usage of some gem versions, without
+direct use, such as:
+
+1. You have learnt of a CVE of a gem.
+2. You have internal processes that mandate the usage of certain gem versions for legal or sign off reasons.
+3. You know of gem incompatibilities in later versions.
+4. You know that different OS architectures do not work with some versions.
+
+## How it works
+
+`bundler-resolutions` works by patching the Gemfile DSL to allow for special processing
+of the `resolutions` group. It also patches the bundler `filtered_versions_for` method to
+allow for the resolution restrictions from the versions specified in the `resolutions` group.
+
+This is a very early version, and it should be considered experimental.
+
+Future work may include relating this to bundler-audit, and other security tools, so you
+will automatically gain version restrictions against known CVEs.

data/lib/bundler/resolutions/version.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require_relative "../resolutions"
+
+module Bundler
+  class Resolutions
+    VERSION = "0.1.0"
+  end
+end

data/lib/bundler/resolutions.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Bundler
+  class Resolutions
+    GROUP_NAME = :resolutions
+
+    attr_reader :resolutions
+
+    def initialize
+      @resolutions = {}
+    end
+
+    # This method is called by the DSL to set the resolution for a given gem. It is effectively
+    # an override of the normal gem method.
+    def gem(name, requirements)
+      resolutions[name.to_sym] = requirements
+    end
+
+    class << self
+      def instance = @instance ||= new
+    end
+
+    # A module we prepend to Bundler::Resolutions::Resolver
+    module Resolver
+      # This overrides the default behaviour of the resolver to filter out versions that don't
+      # satisfy the requirements specified in RESOLVER_RESOLUTIONS.
+      def filtered_versions_for(package)
+        super.select do |pkg|
+          req = Bundler::Resolutions.instance.resolutions[package.name.to_sym]
+          req ? Gem::Requirement.new(*req.split(",")).satisfied_by?(pkg.version) : true
+        end
+      end
+    end
+
+    # A module we prepend to Bundler::Dsl
+    module Dsl
+      # Here we override the normal group function to capture the resolutions, and ensure any
+      # gem calls are effectively a no-op as regards to adding them to dependencies.
+      def group(*args, &blk)
+        args.first == GROUP_NAME ? Bundler::Resolutions.instance.instance_eval(&blk) : super
+      end
+    end
+  end
+end
+
+Bundler::Resolver.prepend(Bundler::Resolutions::Resolver)
+Bundler::Dsl.prepend(Bundler::Resolutions::Dsl)

data/plugins.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require "bundler/resolutions"

metadata

@@ -0,0 +1,54 @@
+--- !ruby/object:Gem::Specification
+name: bundler-resolutions
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Harry Lascelles
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2024-10-02 00:00:00.000000000 Z
+dependencies: []
+description: A bundler plugin to enforce resolutions without specifying a concrete
+  dependency
+email:
+- harry@harrylascelles.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- lib/bundler/resolutions.rb
+- lib/bundler/resolutions/version.rb
+- plugins.rb
+homepage: https://github.com/hlascelles/bundler-resolutions
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/hlascelles/bundler-resolutions
+  documentation_uri: https://github.com/hlascelles/bundler-resolutions
+  changelog_uri: https://github.com/hlascelles/bundler-resolutions/blob/master/CHANGELOG.md
+  source_code_uri: https://github.com/hlascelles/bundler-resolutions/
+  bug_tracker_uri: https://github.com/hlascelles/bundler-resolutions/issues
+  rubygems_mfa_required: 'true'
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.11
+signing_key:
+specification_version: 4
+summary: A bundler plugin to enforce resolutions without specifying a concrete dependency
+test_files: []