bundler-resolutions 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5a9bc7c0b4191b262edcc52111b78fb8c67b74b0c9642ddec0036142d46c2989
-  data.tar.gz: bb5c955b6db7a14e56e8d5048c98709a36f634f25364a14cbe22d6606d3faeab
+  metadata.gz: 25173fc2b7df9fe3efd07150e315f38c6584199627bef4ea1ec44ec44e3fbb2d
+  data.tar.gz: 7728a62a42e3c9244932cb568e6a918d745a2bf9003f61d62bfb6402061610df
 SHA512:
-  metadata.gz: 2d0f016d3a21dd98fe3d175d015fd4e526a514f32acf8283205db330ac9e52df4444e59a12e761882580790c8bccc1599739d3375291f598b810b4e7800b0705
-  data.tar.gz: cf1c8bee485fa053ec3de1ac094638381d9153796de7e77f5add4ee31953f41889f3563f6413830a5351633cb2f7960d5557447f66d52aca69ac175293696646
+  metadata.gz: dc87f9b2c8feea662f00ef0a7340aae3355c7b3e10864fb70214c970d600d7602e19745eb6882886b5fd84726371ce9caf2ef67ee5e8ff5e9b0f451ee3c4a2fc
+  data.tar.gz: 741b9f3f5b10ad0a896b0776a0d4807f6eef446e5941554f6b95c6530f0df99e4cfc50223f848f4371639abc1e0912b9c7f8ef9b440b22b1841e12fd6c8a7f59

data/README.md

@@ -5,7 +5,7 @@ bundler-resolutions
 [![License](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 
 [bundler-resolutions](https://github.com/hlascelles/bundler-resolutions) is a [bundler](https://bundler.io/)
-plugin that allows you to specify gem version requirements in your `Gemfile` without explicitly declaring
+plugin that allows you to specify gem version requirements for your `Gemfile` without explicitly declaring
 a concrete dependency on those gems. It acts much like the
 [resolutions](https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/) feature in
 [Yarn](https://yarnpkg.com/).
@@ -15,53 +15,49 @@ a concrete dependency on those gems. It acts much like the
 
 ## Usage
 
-Add `bundler-resolutions` to your Gemfile, and add a `resolutions` group to specify the gems you
-want to specify versions requirements for.
+Add `bundler-resolutions` to your Gemfile, and add a `.bundler-resolutions.yml` file to
+specify the gems you want to specify versions requirements for.
 
-The resulting `Gemfile.lock` in this example will have nokogiri locked to `1.16.5` or above.
+### Example 1
 
-```ruby
-plugin 'bundler-resolutions'
-
-gem "rails"
+In this example the resulting `Gemfile.lock` will have nokogiri locked to `1.16.5` or above, but
+nokogiri will not be present in the `DEPENDENCIES` section of the lock file. Also, if `rails` were
+to change to a version that did not depend on nokogiri, then the resolution would not be used or
+appear in the lock file at all.
 
-group :resolutions do
-  gem "nokogiri", ">= 1.16.5" # CVE-2024-34459
-end
+`.bundler-resolutions.yml`:
+```yaml
+gems:
+  nokogiri: ">= 1.16.5" # CVE-2024-34459
 ```
 
-However the `Gemfile.lock` from this example will not have nokogiri at all, as it is neither
-explicitly declared, nor brought in as a transitive dependency.
-
+`Gemfile`:
 ```ruby
-plugin 'bundler-resolutions'
-
-group :resolutions do
-  gem "nokogiri", ">= 1.16.5" # CVE-2024-34459
-end
+gem 'bundler-resolutions'
+gem "rails"
 ```
 
-## Detail
+### Example 2
 
-`bundler-resolutions` allows you to specify version requirements using standard gem syntax in your
-Gemfile to indicate that you have version requirements for those gems *if* they were to be brought
-in as transitive dependencies, but that you don't depend on them yourself directly.
+Here, the `Gemfile.lock` from this example will not have nokogiri at all, as it is neither
+explicitly declared in the Gemfile, nor brought in as a transitive dependency.
 
-An example use case is in the Gemfile given below. Here we are saying that although we do not use nokogiri
-specifically ourselves, we want to ensure that if it is pulled in by other gems then it will
-always be above the know version with a CVE.
+`.bundler-resolutions.yml`:
+```yaml
+gems:
+  nokogiri: ">= 1.16.5" # CVE-2024-34459
+```
 
 ```ruby
-source "https://rubygems.org"
-
-plugin 'bundler-resolutions'
+gem 'bundler-resolutions'
+gem "thor"
+```
 
-gem "rails"
+## Detail
 
-group :resolutions do
-  gem "nokogiri", ">= 1.16.5" # CVE-2024-34459
-end
-```
+`bundler-resolutions` allows you to specify version requirements in a config file 
+to indicate that you have version requirements for those gems *if* they were to be brought
+in as transitive dependencies, but that you don't depend on them yourself directly.
 
 The big difference between doing this and just declaring it in your Gemfile is that it will only 
 be used in resolutions (and be written to your lock file) if the gems you do directly depend on
@@ -73,19 +69,24 @@ present in the `DEPENDENCIES` section of the lock file, as it is not a direct de
 
 ## Use cases
 
-There are a number of reasons you may want to prevent the usage of some gem versions, without
-direct use, such as:
+There are a number of reasons you may want to prevent the usage of some gem versions, but without
+declaring their direct use in Gemfiles. Also there are reasons to set versions across a monorepo
+of many Gemfiles, but where not all apps use all blessed versions, such as:
 
 1. You have learnt of a CVE of a gem.
-2. You have internal processes that mandate the usage of certain gem versions for legal or sign off reasons.
-3. You know of gem incompatibilities in later versions.
-4. You know that different OS architectures do not work with some versions.
+1. You have internal processes that mandate the usage of certain gem versions for legal or sign off reasons.
+1. You wish to take a paranoid approach to updating certain high value target gems. eg `devise`.
+1. You want certain gem collections to move in lockstep. eg `sinatra`, `rack` and `rack-protection`, which are relatively tightly coupled.
+1. You know of gems that are very slow to install and you have preinstalled them in internal base images. eg `rugged` or `sorbet`.
+1. You know of gems that are tightly coupled to ruby itself that shouldn't be upgraded. eg `stringio` and `psych`.
+1. You know of gem incompatibilities with your codebase in their later versions.
+1. You know that different OS architectures do not work with some versions.
+1. You wish to prevent unintentional downgrades of dependencies when using `bundle` commands.
 
 ## How it works
 
-`bundler-resolutions` works by patching the Gemfile DSL to allow for special processing
-of the `resolutions` group. It also patches the bundler `filtered_versions_for` method to
-allow for the resolution restrictions from the versions specified in the `resolutions` group.
+`bundler-resolutions` works by patching the `bundler` `Resolver` `filtered_versions_for` method to
+allow for the resolution restrictions from the versions specified in the config file.
 
 This is a very early version, and it should be considered experimental.
 

data/lib/bundler/resolutions/version.rb

@@ -4,6 +4,6 @@ require_relative "../resolutions"
 
 module Bundler
   class Resolutions
-    VERSION = "0.1.0"
+    VERSION = "0.2.0"
   end
 end

data/lib/bundler/resolutions.rb

@@ -1,47 +1,75 @@
 # frozen_string_literal: true
 
+require "yaml"
+
 module Bundler
   class Resolutions
-    GROUP_NAME = :resolutions
+    CONFIG_FILE_NAME = ".bundler-resolutions.yml"
 
     attr_reader :resolutions
 
-    def initialize
-      @resolutions = {}
-    end
-
-    # This method is called by the DSL to set the resolution for a given gem. It is effectively
-    # an override of the normal gem method.
-    def gem(name, requirements)
-      resolutions[name.to_sym] = requirements
+    def initialize(config = nil)
+      load_config(config)
     end
 
     class << self
-      def instance = @instance ||= new
+      def instance
+        @instance ||= new
+      end
     end
 
     # A module we prepend to Bundler::Resolutions::Resolver
     module Resolver
       # This overrides the default behaviour of the resolver to filter out versions that don't
-      # satisfy the requirements specified in RESOLVER_RESOLUTIONS.
+      # satisfy the requirements specified in .bundler-resolutions.yml.
       def filtered_versions_for(package)
-        super.select do |pkg|
-          req = Bundler::Resolutions.instance.resolutions[package.name.to_sym]
-          req ? Gem::Requirement.new(*req.split(",")).satisfied_by?(pkg.version) : true
+        Bundler::Resolutions.instance.constrain_versions_for(super, package)
+      end
+    end
+
+    def constrain_versions_for(results, package)
+      results.select do |pkg|
+        req = resolutions[package.name]
+        if req
+          if ENV["BUNDLER_RESOLUTIONS_DEBUG"] == "true"
+            puts "bundler-resolutions making sure #{package} is satisfied by #{req}"
+          end
+          req.satisfied_by?(pkg.version)
+        else
+          true
         end
       end
     end
 
-    # A module we prepend to Bundler::Dsl
-    module Dsl
-      # Here we override the normal group function to capture the resolutions, and ensure any
-      # gem calls are effectively a no-op as regards to adding them to dependencies.
-      def group(*args, &blk)
-        args.first == GROUP_NAME ? Bundler::Resolutions.instance.instance_eval(&blk) : super
+    private def load_config(config = nil)
+      # Safe load yaml file whose location is given by an argument, an ENV, and if no
+      # env given then work up dir hierarchy until found.
+      # The file should be called .bundler-resolutions.yml
+      raw_hash = if config.is_a?(Hash)
+                   config
+                 else
+                   YAML.safe_load_file(find_config(config))
+                 end
+      gems = raw_hash.fetch("gems")
+      @resolutions = gems.transform_values { |version| Gem::Requirement.new(version.split(",")) }
+    end
+
+    private def find_config(config = nil)
+      return config if config # If present, assume it is a location
+
+      # Use the ENV if present
+      env_file = ENV["BUNDLER_RESOLUTIONS_CONFIG"]
+      return env_file if env_file
+
+      # Otherwise find it in the file tree
+      dir = Dir.pwd
+      until File.exist?(File.join(dir, CONFIG_FILE_NAME))
+        dir = File.dirname(dir)
+        raise "Could not find #{CONFIG_FILE_NAME}" if dir == "/"
       end
+      File.join(dir, CONFIG_FILE_NAME)
     end
   end
 end
 
 Bundler::Resolver.prepend(Bundler::Resolutions::Resolver)
-Bundler::Dsl.prepend(Bundler::Resolutions::Dsl)

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: bundler-resolutions
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Harry Lascelles
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-02 00:00:00.000000000 Z
+date: 2025-03-23 00:00:00.000000000 Z
 dependencies: []
 description: A bundler plugin to enforce resolutions without specifying a concrete
   dependency
@@ -32,7 +31,6 @@ metadata:
   source_code_uri: https://github.com/hlascelles/bundler-resolutions/
   bug_tracker_uri: https://github.com/hlascelles/bundler-resolutions/issues
   rubygems_mfa_required: 'true'
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -47,8 +45,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.11
-signing_key:
+rubygems_version: 3.6.6
 specification_version: 4
 summary: A bundler plugin to enforce resolutions without specifying a concrete dependency
 test_files: []