bundler 1.8.0.pre → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 479faa1691c86039ec5e869bad6dcce4d5ccf4fc
-  data.tar.gz: 5292b6135750e581aeb3007b8a8675f7530b3e2a
+  metadata.gz: ef2d9111a116f5375fcbbc9fcf791173f17f8191
+  data.tar.gz: 4aa9735c3b3e22247ea7586c0afb4461d98c1f53
 SHA512:
-  metadata.gz: cb0d50e7108d2175c806dc8e3057243ba7f69ca53d17d7c7acb23da574339eaba836811a7287060c83f4143edeeee461b27fa5bc868b8c623391a88dc0a91d48
-  data.tar.gz: d90bbeeca48a52828aa24304b71a3f68e4ced97001a13ea404262b4ae2c28ca99af70f3c2bfa62330090fd562b40a98d9da673768d5f37360ebc3824972b1426
+  metadata.gz: 68568a8e2ac0307a22e2ca03813f85c4669e0387fdb404810a82db19bb547f907e5cb180db076e481a24367e8428285503a6f14e00629ae1a09e86d1b864fb30
+  data.tar.gz: 74c1ab0165a4cf9281eec6745019eb7ec5ab0f2544e44148deb3ac722709b078ebbe408820c37e2b9596c0d496566ccd6214823f7be5df3b9eac65e567769569

data/CHANGELOG.md

@@ -1,3 +1,29 @@
+## 1.8.0 (2015-02-10)
+
+Bugfixes:
+
+  - Gemfile `github` blocks now work (#3379, @indirect)
+
+Bugfixes from v1.7.13:
+
+  - Look up installed gems in remote sources (#3300, #3368, #3377, #3380, #3381, @indirect)
+  - Look up gems across all sources to satisfy dependencies (#3365, @keiths-osc)
+  - Request dependencies for no more than 100 gems at a time (#3367, @segiddins)
+
+## 1.8.0.rc (2015-01-26)
+
+Features:
+
+  - add `config disable_multisource` option to ensure sources can't compete (@indirect)
+
+Bugfixes:
+
+  - don't add extra quotes around long, quoted config values (@aroben, #3338)
+
+Security:
+
+  - warn when more than one top-level source is present (@indirect)
+
 ## 1.8.0.pre (2015-01-26)
 
 Features:
@@ -32,6 +58,14 @@ Documentation:
 
   - add missing Gemfile global `path` explanation (@agenteo)
 
+## 1.7.13 (2015-02-07)
+
+Bugfixes:
+
+  - Look up installed gems in remote sources (#3300, #3368, #3377, #3380, #3381, @indirect)
+  - Look up gems across all sources to satisfy dependencies (#3365, @keiths-osc)
+  - Request dependencies for no more than 100 gems at a time (#3367, @segiddins)
+
 ## 1.7.12 (2015-01-08)
 
 Bugfixes:

data/lib/bundler/cli/gem.rb

@@ -20,7 +20,7 @@ module Bundler
 
       underscored_name = name.tr('-', '_')
       namespaced_path = name.tr('-', '/')
-      constant_name = name.split('_').map{|p| p[0..0].upcase + p[1..-1] }.join
+      constant_name = name.split('_').map{|p| p[0..0].upcase + p[1..-1] unless p.empty?}.join
       constant_name = constant_name.split('-').map{|q| q[0..0].upcase + q[1..-1] }.join('::') if constant_name =~ /-/
       constant_array = constant_name.split('::')
       git_user_name = `git config user.name`.chomp

data/lib/bundler/definition.rb

@@ -199,11 +199,11 @@ module Bundler
       @index ||= Index.build do |idx|
         dependency_names = @dependencies.map { |d| d.name }
 
-        sources.all_sources.each do |s|
-          s.dependency_names = dependency_names.dup
-          idx.add_source s.specs
-          s.specs.each { |spec| dependency_names.delete(spec.name) }
-          dependency_names.push(*s.unmet_deps).uniq!
+        sources.all_sources.each do |source|
+          source.dependency_names = dependency_names.dup
+          idx.add_source source.specs
+          dependency_names -= pinned_spec_names(source.specs)
+          dependency_names.push(*source.unmet_deps).uniq!
         end
       end
     end
@@ -599,5 +599,19 @@ module Bundler
       source_requirements
     end
 
+    def pinned_spec_names(specs)
+      names = []
+      specs.each do |s|
+        # TODO when two sources without blocks is an error, we can change
+        # this check to !s.source.is_a?(Source::LocalRubygems). For now,
+        # we need to ask every Rubygems for every gem name.
+        if s.source.is_a?(Source::Git) || s.source.is_a?(Source::Path)
+          names << s.name
+        end
+      end
+      names.uniq!
+      names
+    end
+
   end
 end

data/lib/bundler/dsl.rb

@@ -112,6 +112,7 @@ module Bundler
       if block_given?
         with_source(@sources.add_rubygems_source("remotes" => source), &blk)
       else
+        check_primary_source_safety(@sources)
         @sources.add_rubygems_remote(source)
       end
     end
@@ -148,8 +149,12 @@ module Bundler
       with_source(@sources.add_git_source(normalize_hash(options).merge("uri" => uri)), &blk)
     end
 
-    def github(repo, options = {}, &blk)
-      with_source(@sources.add_git_source(normalize_hash(options).merge("github" => repo)), &blk)
+    def github(repo, options = {})
+      raise ArgumentError, "Github sources require a block" unless block_given?
+      github_uri  = @git_sources["github"].call(repo)
+      git_options = normalize_hash(options).merge("uri" => github_uri)
+      git_source  = @sources.add_git_source(git_options)
+      with_source(git_source) { yield }
     end
 
     def to_definition(lockfile, unlock)
@@ -303,5 +308,24 @@ module Bundler
         raise GemfileError, "Unknown source '#{source}'"
       end
     end
+
+    def check_primary_source_safety(source)
+      return unless source.rubygems_primary_remotes.any?
+
+      if Bundler.settings[:disable_multisource]
+        raise GemspecError, "Warning: this Gemfile contains multiple primary sources. " \
+          "Each source after the first must include a block to indicate which gems " \
+          "should come from that source. To downgrade this error to a warning, run " \
+          "`bundle config --delete disable_multisource`."
+      else
+        Bundler.ui.warn "Warning: this Gemfile contains multiple primary sources. " \
+          "Using `source` more than once without a block is a security risk, and " \
+          "may result in installing unexpected gems. To resolve this warning, use " \
+          "a block to indicate which gems should come from the secondary source. " \
+          "To upgrade this warning to an error, run `bundle config " \
+          "disable_multisource true`."
+      end
+    end
+
   end
 end

data/lib/bundler/fetcher.rb

@@ -320,10 +320,14 @@ module Bundler
     # fetch from Gemcutter Dependency Endpoint API
     def fetch_dependency_remote_specs(gem_names)
       Bundler.ui.debug "Query Gemcutter Dependency Endpoint API: #{gem_names.join(',')}"
-      marshalled_deps = fetch dependency_api_uri(gem_names)
-      gem_list = Bundler.load_marshal(marshalled_deps)
+      gem_list = []
       deps_list = []
 
+      gem_names.each_slice(Source::Rubygems::API_REQUEST_LIMIT) do |names|
+        marshalled_deps = fetch dependency_api_uri(names)
+        gem_list += Bundler.load_marshal(marshalled_deps)
+      end
+
       spec_list = gem_list.map do |s|
         dependencies = s[:dependencies].map do |name, requirement|
           dep = well_formed_dependency(name, requirement.split(", "))

data/lib/bundler/index.rb

@@ -101,13 +101,17 @@ module Bundler
 
     # returns a list of the dependencies
     def unmet_dependency_names
-      names = []
-      each{|s| names.push(*s.dependencies.map{|d| d.name }) }
-      names.uniq!
+      names = dependency_names
       names.delete_if{|n| n == "bundler" }
       names.select{|n| search(n).empty? }
     end
 
+    def dependency_names
+      names = []
+      each{|s| names.push(*s.dependencies.map{|d| d.name }) }
+      names.uniq
+    end
+
     def use(other, override_dupes = false)
       return unless other
       other.each do |s|

data/lib/bundler/lockfile_parser.rb

@@ -29,7 +29,7 @@ module Bundler
       @state        = :source
       @specs        = {}
 
-      @rubygems_aggregate = Source::Rubygems.new
+      @rubygems_aggregate = Source::LocalRubygems.new
 
       if lockfile.match(/<<<<<<<|=======|>>>>>>>|\|\|\|\|\|\|\|/)
         raise LockfileError, "Your Gemfile.lock contains merge conflicts.\n" \

data/lib/bundler/settings.rb

@@ -165,9 +165,10 @@ module Bundler
     def load_config(config_file)
       valid_file = config_file && config_file.exist? && !config_file.size.zero?
       if !ignore_config? && valid_file
-        config_regex = /^(BUNDLE_.+): (?:['"](.*)['"]|(.+(?:\n(?!BUNDLE).+))|(.+))$/
+        config_regex = /^(BUNDLE_.+): (['"]?)(.*(?:\n(?!BUNDLE).+)?)\2$/
         config_pairs = config_file.read.scan(config_regex).map do |m|
-          m.compact.map { |n| n.gsub(/\s+/, " ").tr('"', "'") }
+          key, _, value = m
+          [key, value.gsub(/\s+/, " ").tr('"', "'")]
         end
         Hash[config_pairs]
       else

data/lib/bundler/source.rb

@@ -1,8 +1,9 @@
 module Bundler
   class Source
-    autoload :Rubygems, 'bundler/source/rubygems'
-    autoload :Path,     'bundler/source/path'
-    autoload :Git,      'bundler/source/git'
+    autoload :Rubygems,      'bundler/source/rubygems'
+    autoload :LocalRubygems, 'bundler/source/local_rubygems'
+    autoload :Path,          'bundler/source/path'
+    autoload :Git,           'bundler/source/git'
 
     def self.mirror_for(uri)
       uri = URI(uri.to_s) unless uri.is_a?(URI)

data/lib/bundler/source/local_rubygems.rb

@@ -0,0 +1,16 @@
+module Bundler
+  class Source
+    class LocalRubygems < Rubygems
+
+      def specs
+        @specs ||= begin
+          idx = super
+          idx.use(cached_specs, :override_dupes) if @allow_cached || @allow_remote
+          idx.use(installed_specs, :override_dupes)
+          idx
+        end
+      end
+
+    end
+  end
+end

data/lib/bundler/source/rubygems.rb

@@ -5,7 +5,8 @@ require 'rubygems/spec_fetcher'
 module Bundler
   class Source
     class Rubygems < Source
-      API_REQUEST_LIMIT = 100 # threshold for switching back to the modern index instead of fetching every spec
+      # threshold for switching back to the modern index instead of fetching every spec
+      API_REQUEST_LIMIT = 100
 
       attr_reader :remotes, :caches
 
@@ -65,15 +66,10 @@ module Bundler
       alias_method :name, :to_s
 
       def specs
-        @specs ||= begin
-          # remote_specs usually generates a way larger Index than the other
-          # sources, and large_idx.use small_idx is way faster than
-          # small_idx.use large_idx.
-          idx = @allow_remote ? remote_specs.dup : Index.new
-          idx.use(cached_specs, :override_dupes) if @allow_cached || @allow_remote
-          idx.use(installed_specs, :override_dupes)
-          idx
-        end
+        # remote_specs usually generates a way larger Index than the other
+        # sources, and large_idx.use small_idx is way faster than
+        # small_idx.use large_idx.
+        @specs ||= @allow_remote ? remote_specs.dup : Index.new
       end
 
       def install(spec)
@@ -309,6 +305,20 @@ module Bundler
               Bundler.ui.info "" if !Bundler.ui.debug? # new line now that the dots are over
             end
 
+            # Suppose the gem Foo depends on the gem Bar.  Foo exists in Source A.  Bar has some versions that exist in both
+            # sources A and B.  At this point, the API request will have found all the versions of Bar in source A,
+            # but will not have found any versions of Bar from source B, which is a problem if the requested version
+            # of Foo specifically depends on a version of Bar that is only found in source B. This ensures that for
+            # each spec we found, we add all possible versions from all sources to the index.
+            begin
+              idxcount = idx.size
+              api_fetchers.each do |f|
+                Bundler.ui.info "Fetching version metadata from #{f.uri}", Bundler.ui.debug?
+                idx.use f.specs(idx.dependency_names, self), true
+                Bundler.ui.info "" if !Bundler.ui.debug? # new line now that the dots are over
+              end
+            end until idxcount == idx.size
+
             if api_fetchers.any? && api_fetchers.all?{|f| f.use_api }
               # it's possible that gems from one source depend on gems from some
               # other source, so now we download gemspecs and iterate over those
@@ -317,7 +327,7 @@ module Bundler
 
               # if there are any cross-site gems we missed, get them now
               api_fetchers.each do |f|
-                Bundler.ui.info "Fetching additional metadata from #{f.uri}", Bundler.ui.debug?
+                Bundler.ui.info "Fetching dependency metadata from #{f.uri}", Bundler.ui.debug?
                 idx.use f.specs(unmet, self)
                 Bundler.ui.info "" if !Bundler.ui.debug? # new line now that the dots are over
               end if unmet.any?

data/lib/bundler/source_list.rb

@@ -6,7 +6,7 @@ module Bundler
     def initialize
       @path_sources       = []
       @git_sources        = []
-      @rubygems_aggregate = Source::Rubygems.new
+      @rubygems_aggregate = Source::LocalRubygems.new
       @rubygems_sources   = []
     end
 
@@ -57,8 +57,7 @@ module Bundler
         end
       end
 
-      replacement_rubygems =
-        replacement_sources.detect { |s| s.is_a?(Source::Rubygems) }
+      replacement_rubygems = replacement_sources.detect { |s| s.is_a?(Source::LocalRubygems) }
       @rubygems_aggregate = replacement_rubygems if replacement_rubygems
 
       # Return true if there were changes
@@ -74,6 +73,10 @@ module Bundler
       all_sources.each(&:remote!)
     end
 
+    def rubygems_primary_remotes
+      @rubygems_aggregate.remotes
+    end
+
   private
 
     def add_source_to_list(source, list)

data/lib/bundler/version.rb

@@ -2,5 +2,5 @@ module Bundler
   # We're doing this because we might write tests that deal
   # with other versions of bundler and we are unsure how to
   # handle this better.
-  VERSION = "1.8.0.pre" unless defined?(::Bundler::VERSION)
+  VERSION = "1.8.0" unless defined?(::Bundler::VERSION)
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bundler
 version: !ruby/object:Gem::Version
-  version: 1.8.0.pre
+  version: 1.8.0
 platform: ruby
 authors:
 - André Arko
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-01-26 00:00:00.000000000 Z
+date: 2015-02-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mustache
@@ -175,6 +175,7 @@ files:
 - lib/bundler/source.rb
 - lib/bundler/source/git.rb
 - lib/bundler/source/git/git_proxy.rb
+- lib/bundler/source/local_rubygems.rb
 - lib/bundler/source/path.rb
 - lib/bundler/source/path/installer.rb
 - lib/bundler/source/rubygems.rb