bundler-resolutions 0.5.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ca66a89bbd900f1f8c14ff704e6e4155fd4dc768f05d3c16f1d3eb18a0a57d19
-  data.tar.gz: 77aa2e3521124d04f3c6cb4422fef1e417b0c6c705a840f728696bddefa35aa8
+  metadata.gz: 77ebf87d3236f7c7d81a4e3daba2c8cb4cd78b284221ae6447092b0351a31fa1
+  data.tar.gz: ac7ef028df610a46f008d7e82467a5f5327cfafc1582f4e0ef9e00ff2669f9ac
 SHA512:
-  metadata.gz: e453be51627d50ffa3186b27c2ee4926805e4f1d11c26a061cdfd94960f83286513b036f228e0ad2029730308cfbcd08a663b62c6faead45fa26291c78e13c21
-  data.tar.gz: 1c0681c2f8b334f3c85073d693900f3898d87343ed912f50f7fd1823a0986ac546979bf8dba447e7d39bbe5bd06765476aefeb6a703152a3befd09316b7f5577
+  metadata.gz: e5ed756652c94a05540e6c0e7928355f9e959d1f5dd832a4cc72787828b76e63d9ff6ba6daad249e46dba5aebe4b36894f32589cbe264fc03f6cc2bd7684d983
+  data.tar.gz: 6ee1730a6c0dbf5ed27a1247375785beeb13aabbef1678798f07f69b323e65593de17e588e1e701476b310933d432a1b0732ed6189ef3c218a71a85131a43474

data/README.md

@@ -15,15 +15,17 @@ a concrete dependency on those gems. It acts much like the
 
 ## Usage
 
-Add `bundler-resolutions` to your Gemfile, and add a `.bundler-resolutions.yml` file to
-specify the gems you want to specify versions requirements for.
+Add `bundler-resolutions` to your Gemfile. Note, it must come before all other gems, and be followed
+by `require "bundler/resolutions"`. This is because it patches the `bundler` resolver. This means
+the first time you run `bundle install` it will not work, as the gem has not been installed yet.
 
-### Example 1
+`Gemfile`:
+```ruby
+gem "bundler-resolutions"
+require "bundler/resolutions" if Gem::Specification.find_all_by_name('bundler-resolutions').any?
+```
 
-In this example the resulting `Gemfile.lock` will have nokogiri locked to `1.16.5` or above, but
-nokogiri will not be present in the `DEPENDENCIES` section of the lock file. Also, if `rails` were
-to change to a version that did not depend on nokogiri, then the resolution would not be used or
-appear in the lock file at all.
+Then, and add a `.bundler-resolutions.yml` file to specify the gems you want to specify versions requirements for.
 
 `.bundler-resolutions.yml`:
 ```yaml
@@ -31,28 +33,43 @@ gems:
   nokogiri: ">= 1.16.5" # CVE-2024-34459
 ```
 
+### Example 1
+
+In this example the resulting `Gemfile.lock` will have nokogiri locked to `1.16.5` or above, but
+nokogiri will not be present in the `DEPENDENCIES` section of the lock file. Also, if `rails` were
+to change to a version that did not depend on nokogiri, then the resolution would not be used or
+appear in the lock file at all.
+
 `Gemfile`:
 ```ruby
-gem "bundler-resolutions", path: "../", install_if: -> { require Gem::Specification.find_by_name('bundler-resolutions').gem_dir + "/lib/bundler/resolutions"; true }
+gem "bundler-resolutions"
+require "bundler/resolutions" if Gem::Specification.find_all_by_name('bundler-resolutions').any?
 gem "rails"
 ```
 
-### Example 2
-
-Here, the `Gemfile.lock` from this example will not have nokogiri at all, as it is neither
-explicitly declared in the Gemfile, nor brought in as a transitive dependency.
-
 `.bundler-resolutions.yml`:
 ```yaml
 gems:
   nokogiri: ">= 1.16.5" # CVE-2024-34459
 ```
 
+### Example 2
+
+Here, the `Gemfile.lock` from this example will not have nokogiri at all, as it is neither
+explicitly declared in the Gemfile, nor brought in as a transitive dependency.
+
 ```ruby
 gem 'bundler-resolutions'
+require "bundler/resolutions" if Gem::Specification.find_all_by_name('bundler-resolutions').any?
 gem "thor"
 ```
 
+`.bundler-resolutions.yml`:
+```yaml
+gems:
+  nokogiri: ">= 1.16.5" # CVE-2024-34459
+```
+
 ## Config file
 
 The config file is a YAML file with a `gems` key that contains a mapping of gem names to version
@@ -85,6 +102,22 @@ bundler lock resolution.
 The other difference is that even if it does take part in the resolutions, it will not be
 present in the `DEPENDENCIES` section of the lock file, as it is not a direct dependency.
 
+## The Gemfile require
+
+You will see that the `Gemfile` requires `bundler/resolutions` to make it work fully. This is
+because it patches the `bundler` resolver to allow for the resolution restrictions. Unfortunately,
+if the `Gemfile.lock` file is already present, and all the gems are already resolved and installed then no
+patching will take place, and the bundler-resolutions code will never be run.
+
+The bundler-resolutions code will only run without the extra require if:
+
+1. The `Gemfile.lock` file is not present.
+2. Any of the locked gems are not installed.
+3. `bundle update` is run.
+
+The one scenario where the require line is needed is when `bundle install` is run with a valid,
+preinstalled `Gemfile.lock`.
+
 ## Use cases
 
 There are a number of reasons you may want to prevent the usage of some gem versions, but without

data/lib/bundler/resolutions/version.rb

@@ -2,7 +2,7 @@
 
 module Bundler
   class Resolutions
-    VERSION = "0.5.0"
+    VERSION = "0.6.0"
   end
 end
 

data/lib/bundler/resolutions.rb

@@ -63,21 +63,28 @@ module Bundler
     module Definition
       def check_lockfile
         super
-        invalids = @locked_specs.to_a.select { |lazy_specification|
-          reqs = Bundler::Resolutions.instance.resolutions_for(lazy_specification.name)
-          next if reqs.nil?
-
-          # rubocop:disable Layout/LineLength
-          if reqs.all? { |req| req.satisfied_by?(lazy_specification.version) }
-            Bundler::Resolutions.log "#{lazy_specification.name} (#{lazy_specification.version}) is satisfied by the current lockfile version."
-            nil
-          else
-            Bundler::Resolutions.log "#{lazy_specification.name} (#{lazy_specification.version}) is NOT satisfied by the current lockfile version."
-            lazy_specification
-          end
-          # rubocop:enable Layout/LineLength
-        }
+        invalids = @locked_specs.to_a.select { |s| spec_invalid?(s) }
+        return if invalids.empty?
+
         @locked_specs.delete(invalids)
+        # Signal to Bundler that re-resolution is needed due to invalid transitive dependencies.
+        # This prevents confusing "Could not find gems valid for all resolution platforms" errors.
+        @locked_spec_with_invalid_deps = invalids.first.name if @locked_spec_with_invalid_deps.nil?
+      end
+
+      private def spec_invalid?(lazy_specification)
+        reqs = Bundler::Resolutions.instance.resolutions_for(lazy_specification.name)
+        return false if reqs.nil?
+
+        # rubocop:disable Layout/LineLength
+        if reqs.all? { |req| req.satisfied_by?(lazy_specification.version) }
+          Bundler::Resolutions.log "#{lazy_specification.name} (#{lazy_specification.version}) is satisfied by the current lockfile version."
+          false
+        else
+          Bundler::Resolutions.log "#{lazy_specification.name} (#{lazy_specification.version}) is NOT satisfied by the current lockfile version."
+          true
+        end
+        # rubocop:enable Layout/LineLength
       end
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bundler-resolutions
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.6.0
 platform: ruby
 authors:
 - Harry Lascelles
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-07-15 00:00:00.000000000 Z
+date: 2026-02-06 00:00:00.000000000 Z
 dependencies: []
 description: A bundler plugin to enforce resolutions without specifying a concrete
   dependency