bundler-resolutions 0.2.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 25173fc2b7df9fe3efd07150e315f38c6584199627bef4ea1ec44ec44e3fbb2d
-  data.tar.gz: 7728a62a42e3c9244932cb568e6a918d745a2bf9003f61d62bfb6402061610df
+  metadata.gz: a4f090d8833033fef1949501d9b8876333cfbc8797c954306f4ee57d963981dc
+  data.tar.gz: 0400ae342a0e9b8c50f7644daf99b7642954fda1d2758e68b8b06041472244b6
 SHA512:
-  metadata.gz: dc87f9b2c8feea662f00ef0a7340aae3355c7b3e10864fb70214c970d600d7602e19745eb6882886b5fd84726371ce9caf2ef67ee5e8ff5e9b0f451ee3c4a2fc
-  data.tar.gz: 741b9f3f5b10ad0a896b0776a0d4807f6eef446e5941554f6b95c6530f0df99e4cfc50223f848f4371639abc1e0912b9c7f8ef9b440b22b1841e12fd6c8a7f59
+  metadata.gz: cc78cd3cfacb3b56a160fe9a59acffb848360f082a2e326a647f2c547ddd31a692198fdcb13faf1ac50a224b6595c00cf11aa725f98cbfc98a0cd5453f95d263
+  data.tar.gz: 77cdeadf7f8fda11a215e8ab50d9c1506e400991a087b07e5edceef0d796c2faad2681979a2bbd41324ae5d99820377e8c710467895b21932b91990396756721

data/README.md

@@ -33,7 +33,7 @@ gems:
 
 `Gemfile`:
 ```ruby
-gem 'bundler-resolutions'
+gem "bundler-resolutions", path: "../", install_if: -> { require Gem::Specification.find_by_name('bundler-resolutions').gem_dir + "/lib/bundler/resolutions"; true }
 gem "rails"
 ```
 
@@ -53,6 +53,24 @@ gem 'bundler-resolutions'
 gem "thor"
 ```
 
+## Config file
+
+The config file is a YAML file with a `gems` key that contains a mapping of gem names to version
+requirements. The version requirements are the same as those used in the `Gemfile`.
+
+Example:
+
+```yaml
+gems:
+  nokogiri: ">= 1.16.5" # CVE-2024-34459
+  thor: ">= 1.0.1, < 2.0"
+```
+
+By default, `bundler-resolutions` will look for a file named `.bundler-resolutions.yml` in the
+current directory, or the parent, and continue looking up to the root dir.
+
+You can also specify a file location by setting the `BUNDLER_RESOLUTIONS_CONFIG` ENV var.
+
 ## Detail
 
 `bundler-resolutions` allows you to specify version requirements in a config file 

data/lib/bundler/resolutions/config.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require "yaml"
+
+module Bundler
+  class Resolutions
+    class Config
+      CONFIG_FILE_NAME = ".bundler-resolutions.yml"
+
+      class << self
+        def load_config(config = nil)
+          raw_hash = if config.is_a?(Hash)
+                       config
+                     else
+                       YAML.safe_load_file(find_config(config))
+                     end
+          gems = raw_hash.fetch("gems")
+          gems.transform_values { |reqs| Array(reqs).map { |req| Gem::Requirement.new(req) } }
+        end
+
+        private def find_config(config = nil)
+          return config if config # If present, assume it is a location
+
+          # Use the ENV if present
+          env_file = ENV["BUNDLER_RESOLUTIONS_CONFIG"]
+          return env_file if env_file
+
+          # Otherwise find it above where `BUNDLE_GEMFILE` is located, or pwd if not set
+          dir = ENV["BUNDLE_GEMFILE"] ? File.dirname(ENV["BUNDLE_GEMFILE"]) : Dir.pwd
+          until File.exist?(File.join(dir, CONFIG_FILE_NAME))
+            dir = File.dirname(dir)
+            raise "Could not find #{CONFIG_FILE_NAME}" if dir == "/"
+          end
+          File.join(dir, CONFIG_FILE_NAME)
+        end
+      end
+    end
+  end
+end

data/lib/bundler/resolutions/version.rb

@@ -1,9 +1,9 @@
 # frozen_string_literal: true
 
-require_relative "../resolutions"
-
 module Bundler
   class Resolutions
-    VERSION = "0.2.0"
+    VERSION = "0.4.0"
   end
 end
+
+require_relative "../resolutions"

data/lib/bundler/resolutions.rb

@@ -1,20 +1,34 @@
 # frozen_string_literal: true
 
 require "yaml"
+require_relative "resolutions/config"
+require_relative "resolutions/version"
 
 module Bundler
   class Resolutions
-    CONFIG_FILE_NAME = ".bundler-resolutions.yml"
+    DEFAULT_GEM_REQUIREMENT = Gem::Requirement.default
 
-    attr_reader :resolutions
+    attr_reader :config
 
     def initialize(config = nil)
-      load_config(config)
+      @config = Bundler::Resolutions::Config.load_config(config)
     end
 
     class << self
       def instance
-        @instance ||= new
+        @instance ||= new # rubocop:disable ThreadSafety/ClassInstanceVariable
+      end
+
+      # You can debug with BUNDLER_RESOLUTIONS_DEBUG=gem_name or BUNDLER_RESOLUTIONS_DEBUG=true
+      # to see all messages.
+      def log(message, gem = nil)
+        return if ENV["BUNDLER_RESOLUTIONS_DEBUG"].nil?
+        unless ENV["BUNDLER_RESOLUTIONS_DEBUG"] == "true" ||
+               ENV["BUNDLER_RESOLUTIONS_DEBUG"].split(",").include?(gem)
+          return
+        end
+
+        puts "bundler-resolutions: #{message}"
       end
     end
 
@@ -28,48 +42,66 @@ module Bundler
     end
 
     def constrain_versions_for(results, package)
+      log("Constraining versions for #{package} with results: #{results.map(&:to_s)}")
       results.select do |pkg|
-        req = resolutions[package.name]
-        if req
-          if ENV["BUNDLER_RESOLUTIONS_DEBUG"] == "true"
-            puts "bundler-resolutions making sure #{package} is satisfied by #{req}"
-          end
-          req.satisfied_by?(pkg.version)
-        else
+        reqs = resolutions_for(package.name)
+        if reqs.nil?
           true
+        else
+          log("making sure #{package} / #{pkg} is satisfied by #{reqs.map(&:to_s)}")
+          reqs.all? { |req| req.satisfied_by?(pkg.version) }
         end
       end
     end
 
-    private def load_config(config = nil)
-      # Safe load yaml file whose location is given by an argument, an ENV, and if no
-      # env given then work up dir hierarchy until found.
-      # The file should be called .bundler-resolutions.yml
-      raw_hash = if config.is_a?(Hash)
-                   config
-                 else
-                   YAML.safe_load_file(find_config(config))
-                 end
-      gems = raw_hash.fetch("gems")
-      @resolutions = gems.transform_values { |version| Gem::Requirement.new(version.split(",")) }
+    def resolutions_for(package_name)
+      config[package_name]
     end
 
-    private def find_config(config = nil)
-      return config if config # If present, assume it is a location
+    def log(message, gem = nil) = self.class.log(message, gem)
 
-      # Use the ENV if present
-      env_file = ENV["BUNDLER_RESOLUTIONS_CONFIG"]
-      return env_file if env_file
+    module Definition
+      def check_lockfile
+        super
+        invalids = @locked_specs.to_a.select { |lazy_specification|
+          reqs = Bundler::Resolutions.instance.resolutions_for(lazy_specification.name)
+          next if reqs.nil?
 
-      # Otherwise find it in the file tree
-      dir = Dir.pwd
-      until File.exist?(File.join(dir, CONFIG_FILE_NAME))
-        dir = File.dirname(dir)
-        raise "Could not find #{CONFIG_FILE_NAME}" if dir == "/"
+          # rubocop:disable Layout/LineLength
+          if reqs.all? { |req| req.satisfied_by?(lazy_specification.version) }
+            Bundler::Resolutions.log "#{lazy_specification.name} (#{lazy_specification.version}) is satisfied by the current lockfile version."
+            nil
+          else
+            Bundler::Resolutions.log "#{lazy_specification.name} (#{lazy_specification.version}) is NOT satisfied by the current lockfile version."
+            lazy_specification
+          end
+          # rubocop:enable Layout/LineLength
+        }
+        @locked_specs.delete(invalids)
       end
-      File.join(dir, CONFIG_FILE_NAME)
     end
   end
 end
 
+# Check if the methods exists before we prepend them, to avoid issues with Bundler versions
+# that do not have this method.
+{
+  Bundler::Resolver => :filtered_versions_for,
+  Bundler::Definition => :nothing_changed?,
+}.each do |klass, method|
+  next if klass.instance_methods.include?(method) || klass.private_instance_methods.include?(method)
+
+  raise <<~ERR
+        Bundler version #{Bundler::VERSION} is not compatible with bundler-resolutions #{Bundler::Resolutions::VERSION}
+    The method '#{method}' is not defined in '#{klass}'. This is likely due to a refactoring of a new
+    Bundler version. Please check the bundler-resolutions changelog and the Bundler changelog
+    to see if this is a known issue, or submit a bug report to bundler-resolutions.
+  ERR
+end
+
+# This is needed so we can trigger a rebuild of the lock file if just the yaml has changed.
+Bundler::Definition.prepend(Bundler::Resolutions::Definition)
+# This removes the transitive dependency versions that do not satisfy the yaml config.
 Bundler::Resolver.prepend(Bundler::Resolutions::Resolver)
+
+Bundler::Resolutions.log("bundler-resolutions #{Bundler::Resolutions::VERSION} loaded")

metadata

@@ -1,13 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bundler-resolutions
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Harry Lascelles
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-03-23 00:00:00.000000000 Z
+date: 2025-06-03 00:00:00.000000000 Z
 dependencies: []
 description: A bundler plugin to enforce resolutions without specifying a concrete
   dependency
@@ -19,6 +20,7 @@ extra_rdoc_files: []
 files:
 - README.md
 - lib/bundler/resolutions.rb
+- lib/bundler/resolutions/config.rb
 - lib/bundler/resolutions/version.rb
 - plugins.rb
 homepage: https://github.com/hlascelles/bundler-resolutions
@@ -31,6 +33,7 @@ metadata:
   source_code_uri: https://github.com/hlascelles/bundler-resolutions/
   bug_tracker_uri: https://github.com/hlascelles/bundler-resolutions/issues
   rubygems_mfa_required: 'true'
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -38,14 +41,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '3.2'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.6
+rubygems_version: 3.5.22
+signing_key:
 specification_version: 4
 summary: A bundler plugin to enforce resolutions without specifying a concrete dependency
 test_files: []