bundler 2.2.13 → 2.2.17

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e4227db15ba56c781814845c3e7c2811def8bba66c074098d04496cf3f7ce3ed
-  data.tar.gz: '0295d490ed0dcf0989468a1a25b3b233c618006882757cbbf5a99e179b009568'
+  metadata.gz: 2c654f563fcfd784d65d2441b1cf8b5384f9e90ff8d7107de070e33dba2ee729
+  data.tar.gz: 4554510c934d22551680c26ff77f0b1a1073f7d35c0b21030d103fd40ade6baf
 SHA512:
-  metadata.gz: fa78e4e46d7b7fe666950c26fd47df524d7af57612c4e584e088a7a10aa140db5eb243b0688f993dc3586a7b5c4cb2357488a237715b618891747b328d94d01a
-  data.tar.gz: f1baab0b6a8b0c9ccf1c9bdafb7e6068252ba8fac05f96f50540320f47d4da8fa42ecae264e7b082fc1c50d4c0ff7cb456a928b2ffb07d0ca79e84d6272d1b54
+  metadata.gz: c4c62c6eb0c7fc78acc3317de4dbaed2d26de9859bffd8930a08e7368829a4acb9f1bea24ad290a57124983bab8ac372da21573b742f50f4d36fa6a054406189
+  data.tar.gz: 1862e00690b660a6d872324c6e2819c29a48ee9e9d7d97bd0cf35a92f0ea7d008fd4f7921c3f917564a3fc3279ead82bf24a360f80ad63205b37e50975b232c9

data/CHANGELOG.md

@@ -1,3 +1,67 @@
+# 2.2.17 (May 5, 2021)
+
+## Enhancements:
+
+  - Improve authentication required error message to include an alternative using `ENV` [#4565](https://github.com/rubygems/rubygems/pull/4565)
+  - Discard partial range responses without etag [#4563](https://github.com/rubygems/rubygems/pull/4563)
+  - Fix configuring ENV for a gem server with a name including dashes [#4571](https://github.com/rubygems/rubygems/pull/4571)
+  - Redact credentials from `bundle env` and `bundle config` [#4566](https://github.com/rubygems/rubygems/pull/4566)
+  - Redact all sources in verbose mode [#4564](https://github.com/rubygems/rubygems/pull/4564)
+  - Improve `bundle pristine` error if `BUNDLE_GEMFILE` does not exist [#4536](https://github.com/rubygems/rubygems/pull/4536)
+  - [CurrentRuby] Add 3.0 as a known minor [#4535](https://github.com/rubygems/rubygems/pull/4535)
+  - Prefer File.read instead of IO.read [#4530](https://github.com/rubygems/rubygems/pull/4530)
+  - Add space after open curly bracket in Gemfile and gems.rb template [#4518](https://github.com/rubygems/rubygems/pull/4518)
+
+## Bug fixes:
+
+  - Make sure specs are fetched from the right source when materializing [#4562](https://github.com/rubygems/rubygems/pull/4562)
+  - Fix `bundle cache` with an up-to-date lockfile and specs not already installed [#4554](https://github.com/rubygems/rubygems/pull/4554)
+  - Ignore `deployment` setting in inline mode [#4523](https://github.com/rubygems/rubygems/pull/4523)
+
+## Performance:
+
+  - Don't materialize resolutions when not necessary [#4556](https://github.com/rubygems/rubygems/pull/4556)
+
+# 2.2.16 (April 8, 2021)
+
+## Enhancements:
+
+  - Add `--github-username` option and config to `bundle gem` [#3687](https://github.com/rubygems/rubygems/pull/3687)
+  - Bump vendored `tmpdir` library copy [#4506](https://github.com/rubygems/rubygems/pull/4506)
+  - Add `rake build:checksum` task to build checksums for a gem package [#4156](https://github.com/rubygems/rubygems/pull/4156)
+  - Enable bundler-cache for GitHub Actions template [#4498](https://github.com/rubygems/rubygems/pull/4498)
+  - Improve `bundle info` error when gem is on a "disabled" group [#4492](https://github.com/rubygems/rubygems/pull/4492)
+  - Small tweak to yank message [#4494](https://github.com/rubygems/rubygems/pull/4494)
+  - Don't show duplicate entries in `bundle outdated` output [#4474](https://github.com/rubygems/rubygems/pull/4474)
+  - Never downgrade top level gems when running `bundle update` [#4473](https://github.com/rubygems/rubygems/pull/4473)
+
+## Bug fixes:
+
+  - Fix incorrect logic for filtering metadata matching candidates [#4497](https://github.com/rubygems/rubygems/pull/4497)
+
+# 2.2.15 (March 19, 2021)
+
+## Enhancements:
+
+  - Add a hint about bundler installing executables for path gems [#4461](https://github.com/rubygems/rubygems/pull/4461)
+  - Warn lockfiles with incorrect resolutions [#4459](https://github.com/rubygems/rubygems/pull/4459)
+  - Don't generate duplicate redundant sources in the lockfile [#4456](https://github.com/rubygems/rubygems/pull/4456)
+
+## Bug fixes:
+
+  - Respect running ruby when resolving platforms [#4449](https://github.com/rubygems/rubygems/pull/4449)
+
+# 2.2.14 (March 8, 2021)
+
+## Security fixes:
+
+  - Lock GEM sources separately and fix locally installed specs confusing bundler [#4381](https://github.com/rubygems/rubygems/pull/4381)
+
+## Bug fixes:
+
+  - Make `rake` available to other gems' installers right after it's installed [#4428](https://github.com/rubygems/rubygems/pull/4428)
+  - Fix encoding issue on compact index updater [#4362](https://github.com/rubygems/rubygems/pull/4362)
+
 # 2.2.13 (March 3, 2021)
 
 ## Enhancements:
@@ -432,7 +496,7 @@
   - Ignore `frozen` setting in inline mode ([#7125](https://github.com/rubygems/bundler/pull/7125))
   - Fix incorrect "bundler attempted to update GEM but version stayed the same" message when updating git sourced gems ([#6325](https://github.com/rubygems/bundler/pull/6325))
   - Don't check for existence of a writable home directory if `BUNDLE_USER_HOME` is set ([#6885](https://github.com/rubygems/bundler/pull/6885))
-  - Fix error message when server would respond to a bad username/password requiest with a 401 ([#6928](https://github.com/rubygems/bundler/pull/6928))
+  - Fix error message when server would respond to a bad username/password request with a 401 ([#6928](https://github.com/rubygems/bundler/pull/6928))
   - Fix `bundle outdated` pluralization when multiple groups are requested ([#7063](https://github.com/rubygems/bundler/pull/7063))
   - Fix `bundle install` not updating conservatively when gemspec is changed ([#7143](https://github.com/rubygems/bundler/pull/7143))
   - Fix `bundle exec` not respecting custom process titles inside scripts ([#7140](https://github.com/rubygems/bundler/pull/7140))
@@ -2077,7 +2141,7 @@ Changes
   - fix Bundler.which for directories ([#2697](https://github.com/rubygems/bundler/issues/2697), @rhysd)
   - properly require `Capistrano::Version` ([#2690](https://github.com/rubygems/bundler/issues/2690), @steveklabnik)
   - search for git.exe and git
-  - fix the bug that downloads every spec when API fetcher encouters an error
+  - fix the bug that downloads every spec when API fetcher encounters an error
   - only retry network requests
 
 # 1.4.0.rc.1 (September 29, 2013)
@@ -2701,7 +2765,7 @@ Changes
 
   - Implement `to_ary` to avoid calls to method_missing (@tenderlove, [#1274](https://github.com/rubygems/bundler/issues/1274))
   - bundle clean removes old .gem files (@cldwalker, [#1293](https://github.com/rubygems/bundler/issues/1293))
-  - Correcly identify missing child dependency in error message
+  - Correctly identify missing child dependency in error message
   - Run pre-install, post-build, and post-install gem hooks for git gems (@warhammerkid, [#1120](https://github.com/rubygems/bundler/issues/1120))
   - create Gemfile.lock for empty Gemfile ([#1218](https://github.com/rubygems/bundler/issues/1218))
 
@@ -2852,7 +2916,7 @@ Changes
 
   - Performance fix for MRI 1.9 (@efficientcloud, [#1288](https://github.com/rubygems/bundler/issues/1288))
   - Shortcuts (like `bundle i`) for all commands (@amatsuda)
-  - Correcly identify missing child dependency in error message
+  - Correctly identify missing child dependency in error message
 
 ## Bug fixes:
 
@@ -3088,7 +3152,7 @@ Changes
 
   - Various bugfixes to the built-in rake helpers
   - Fix a bug where shortrefs weren't unique enough and were
-    therfore colliding
+    therefore colliding
   - Fix a small bug involving checking whether a local git
     clone is up to date
   - Correctly handle explicit '=' dependencies with gems

data/lib/bundler/build_metadata.rb

@@ -4,8 +4,8 @@ module Bundler
   # Represents metadata from when the Bundler gem was built.
   module BuildMetadata
     # begin ivars
-    @built_at = "2021-03-03".freeze
-    @git_commit_sha = "9b15ab18c4".freeze
+    @built_at = "2021-05-05".freeze
+    @git_commit_sha = "69cbd6e10e".freeze
     @release = true
     # end ivars
 

data/lib/bundler/cli/common.rb

@@ -36,10 +36,15 @@ module Bundler
     def self.without_groups_message(command)
       command_in_past_tense = command == :install ? "installed" : "updated"
       groups = Bundler.settings[:without]
+      "Gems in the #{verbalize_groups(groups)} were not #{command_in_past_tense}."
+    end
+
+    def self.verbalize_groups(groups)
+      groups.map!{|g| "'#{g}'" }
       group_list = [groups[0...-1].join(", "), groups[-1..-1]].
         reject {|s| s.to_s.empty? }.join(" and ")
       group_str = groups.size == 1 ? "group" : "groups"
-      "Gems in the #{group_str} #{group_list} were not #{command_in_past_tense}."
+      "#{group_str} #{group_list}"
     end
 
     def self.select_spec(name, regex_match = nil)
@@ -53,7 +58,13 @@ module Bundler
 
       case specs.count
       when 0
-        raise GemNotFound, gem_not_found_message(name, Bundler.definition.dependencies)
+        dep_in_other_group = Bundler.definition.current_dependencies.find {|dep|dep.name == name }
+
+        if dep_in_other_group
+          raise GemNotFound, "Could not find gem '#{name}', because it's in the #{verbalize_groups(dep_in_other_group.groups)}, configured to be ignored."
+        else
+          raise GemNotFound, gem_not_found_message(name, Bundler.definition.dependencies)
+        end
       when 1
         specs.first
       else
@@ -83,6 +94,8 @@ module Bundler
     end
 
     def self.ensure_all_gems_in_lockfile!(names, locked_gems = Bundler.locked_gems)
+      return unless locked_gems
+
       locked_names = locked_gems.specs.map(&:name).uniq
       names.-(locked_names).each do |g|
         raise GemNotFound, gem_not_found_message(g, locked_names)

data/lib/bundler/cli/gem.rb

@@ -42,9 +42,17 @@ module Bundler
       use_git = Bundler.git_present? && options[:git]
 
       git_author_name = use_git ? `git config user.name`.chomp : ""
-      github_username = use_git ? `git config github.user`.chomp : ""
+      git_username = use_git ? `git config github.user`.chomp : ""
       git_user_email = use_git ? `git config user.email`.chomp : ""
 
+      github_username = if options[:github_username].nil?
+        git_username
+      elsif options[:github_username] == false
+        ""
+      else
+        options[:github_username]
+      end
+
       config = {
         :name             => name,
         :underscored_name => underscored_name,

data/lib/bundler/cli/outdated.rb

@@ -72,7 +72,7 @@ module Bundler
         gemfile_specs + dependency_specs
       end
 
-      specs.sort_by(&:name).each do |current_spec|
+      specs.sort_by(&:name).uniq(&:name).each do |current_spec|
         next unless gems.empty? || gems.include?(current_spec.name)
 
         active_spec = retrieve_active_spec(definition, current_spec)

data/lib/bundler/cli.rb

@@ -504,8 +504,8 @@ module Bundler
       By default, setting a configuration value sets it for all projects
       on the machine.
 
-      If a global setting is superceded by local configuration, this command
-      will show the current value, as well as any superceded values and
+      If a global setting is superseded by local configuration, this command
+      will show the current value, as well as any superseded values and
       where they were specified.
     D
     require_relative "cli/config"
@@ -591,6 +591,7 @@ module Bundler
                          :desc => "Generate a test directory for your library, either rspec, minitest or test-unit. Set a default with `bundle config set --global gem.test (rspec|minitest|test-unit)`."
     method_option :ci, :type => :string, :lazy_default => Bundler.settings["gem.ci"] || "",
                        :desc => "Generate CI configuration, either GitHub Actions, Travis CI, GitLab CI or CircleCI. Set a default with `bundle config set --global gem.ci (github|travis|gitlab|circle)`"
+    method_option :github_username, :type => :string, :default => Bundler.settings["gem.github_username"], :banner => "Set your username on GitHub", :desc => "Fill in GitHub username on README so that you don't have to do it manually. Set a default with `bundle config set --global gem.github_username <your_username>`."
 
     def gem(name)
     end

data/lib/bundler/compact_index_client/updater.rb

@@ -50,16 +50,20 @@ module Bundler
 
           content = response.body
 
-          SharedHelpers.filesystem_access(local_temp_path) do
+          etag = (response["ETag"] || "").gsub(%r{\AW/}, "")
+          correct_response = SharedHelpers.filesystem_access(local_temp_path) do
             if response.is_a?(Net::HTTPPartialContent) && local_temp_path.size.nonzero?
               local_temp_path.open("a") {|f| f << slice_body(content, 1..-1) }
+
+              etag_for(local_temp_path) == etag
             else
-              local_temp_path.open("w") {|f| f << content }
+              local_temp_path.open("wb") {|f| f << content }
+
+              etag.length.zero? || etag_for(local_temp_path) == etag
             end
           end
 
-          etag = (response["ETag"] || "").gsub(%r{\AW/}, "")
-          if etag.length.zero? || etag_for(local_temp_path) == etag
+          if correct_response
             SharedHelpers.filesystem_access(local_path) do
               FileUtils.mv(local_temp_path, local_path)
             end
@@ -92,11 +96,11 @@ module Bundler
 
       def checksum_for_file(path)
         return nil unless path.file?
-        # This must use IO.read instead of Digest.file().hexdigest
+        # This must use File.read instead of Digest.file().hexdigest
         # because we need to preserve \n line endings on windows when calculating
         # the checksum
         SharedHelpers.filesystem_access(path, :read) do
-          SharedHelpers.digest(:MD5).hexdigest(IO.read(path))
+          SharedHelpers.digest(:MD5).hexdigest(File.read(path))
         end
       end
     end

data/lib/bundler/current_ruby.rb

@@ -20,6 +20,7 @@ module Bundler
       2.5
       2.6
       2.7
+      3.0
     ].freeze
 
     KNOWN_MAJOR_VERSIONS = KNOWN_MINOR_VERSIONS.map {|v| v.split(".", 2).first }.uniq.freeze

data/lib/bundler/definition.rb

@@ -106,6 +106,17 @@ module Bundler
         @locked_platforms = []
       end
 
+      @locked_gem_sources = @locked_sources.select {|s| s.is_a?(Source::Rubygems) }
+      @disable_multisource = @locked_gem_sources.all?(&:disable_multisource?)
+
+      unless @disable_multisource
+        msg = "Your lockfile contains a single rubygems source section with multiple remotes, which is insecure. You should run `bundle update` or generate your lockfile from scratch."
+
+        Bundler::SharedHelpers.major_deprecation 2, msg
+
+        @sources.merged_gem_lockfile_sections!
+      end
+
       @unlock[:gems] ||= []
       @unlock[:sources] ||= []
       @unlock[:ruby] ||= if @ruby_version && locked_ruby_version_object
@@ -145,17 +156,19 @@ module Bundler
       end
     end
 
+    def disable_multisource?
+      @disable_multisource
+    end
+
     def resolve_with_cache!
-      raise "Specs already loaded" if @specs
       sources.cached!
-      specs
+      resolve
     end
 
     def resolve_remotely!
-      return if @specs
       @remote = true
       sources.remote!
-      specs
+      resolve
     end
 
     # For given dependency list returns a SpecSet with Gemspec of all the required
@@ -172,10 +185,10 @@ module Bundler
           gem_name, gem_version = extract_gem_info(e)
           locked_gem = @locked_specs[gem_name].last
           raise if locked_gem.nil? || locked_gem.version.to_s != gem_version || !@remote
-          raise GemNotFound, "Your bundle is locked to #{locked_gem}, but that version could not " \
-                             "be found in any of the sources listed in your Gemfile. If you haven't changed sources, " \
-                             "that means the author of #{locked_gem} has removed it. You'll need to update your bundle " \
-                             "to a version other than #{locked_gem} that hasn't been removed in order to install."
+          raise GemNotFound, "Your bundle is locked to #{locked_gem} from #{locked_gem.source}, but that version can " \
+                             "no longer be found in that source. That means the author of #{locked_gem} has removed it. " \
+                             "You'll need to update your bundle to a version other than #{locked_gem} that hasn't been " \
+                             "removed in order to install."
         end
         unless specs["bundler"].any?
           bundler = sources.metadata_source.specs.search(Gem::Dependency.new("bundler", VERSION)).last
@@ -530,6 +543,9 @@ module Bundler
     attr_reader :sources
     private :sources
 
+    attr_reader :locked_gem_sources
+    private :locked_gem_sources
+
     def nothing_changed?
       !@source_changes && !@dependency_changes && !@new_platform && !@path_changes && !@local_changes && !@locked_specs_incomplete_for_platform
     end
@@ -654,10 +670,8 @@ module Bundler
     end
 
     def converge_rubygems_sources
-      return false if Bundler.feature_flag.disable_multisource?
+      return false if disable_multisource?
 
-      # Get the RubyGems sources from the Gemfile.lock
-      locked_gem_sources = @locked_sources.select {|s| s.is_a?(Source::Rubygems) }
       return false if locked_gem_sources.empty?
 
       # Get the RubyGems remotes from the Gemfile
@@ -943,7 +957,7 @@ module Bundler
     end
 
     def additional_base_requirements_for_resolve
-      return [] unless @locked_gems && Bundler.feature_flag.only_update_to_newer_versions?
+      return [] unless @locked_gems
       dependencies_by_name = dependencies.inject({}) {|memo, dep| memo.update(dep.name => dep) }
       @locked_gems.specs.reduce({}) do |requirements, locked_spec|
         name = locked_spec.name

data/lib/bundler/dsl.rb

@@ -460,19 +460,16 @@ repo_name ||= user_name
         @sources.add_rubygems_remote(source)
       end
 
-      if Bundler.feature_flag.disable_multisource?
+      if Bundler.feature_flag.bundler_3_mode?
         msg = "This Gemfile contains multiple primary sources. " \
           "Each source after the first must include a block to indicate which gems " \
-          "should come from that source. To downgrade this error to a warning, run " \
-          "`bundle config unset disable_multisource`"
+          "should come from that source"
         raise GemfileEvalError, msg
       else
         Bundler::SharedHelpers.major_deprecation 2, "Your Gemfile contains multiple primary sources. " \
           "Using `source` more than once without a block is a security risk, and " \
           "may result in installing unexpected gems. To resolve this warning, use " \
-          "a block to indicate which gems should come from the secondary source. " \
-          "To upgrade this warning to an error, run `bundle config set --local " \
-          "disable_multisource true`."
+          "a block to indicate which gems should come from the secondary source."
       end
     end
 

data/lib/bundler/feature_flag.rb

@@ -35,7 +35,6 @@ module Bundler
     settings_flag(:disable_multisource) { bundler_3_mode? }
     settings_flag(:forget_cli_options) { bundler_3_mode? }
     settings_flag(:global_gem_cache) { bundler_3_mode? }
-    settings_flag(:only_update_to_newer_versions) { bundler_3_mode? }
     settings_flag(:path_relative_to_cwd) { bundler_3_mode? }
     settings_flag(:plugins) { @bundler_version >= Gem::Version.new("1.14") }
     settings_flag(:print_only_version_number) { bundler_3_mode? }

data/lib/bundler/fetcher/downloader.rb

@@ -14,8 +14,10 @@ module Bundler
       def fetch(uri, headers = {}, counter = 0)
         raise HTTPError, "Too many redirects" if counter >= redirect_limit
 
+        filtered_uri = URICredentialsFilter.credential_filtered_uri(uri)
+
         response = request(uri, headers)
-        Bundler.ui.debug("HTTP #{response.code} #{response.message} #{uri}")
+        Bundler.ui.debug("HTTP #{response.code} #{response.message} #{filtered_uri}")
 
         case response
         when Net::HTTPSuccess, Net::HTTPNotModified
@@ -40,7 +42,7 @@ module Bundler
           raise BadAuthenticationError, uri.host if uri.userinfo
           raise AuthenticationRequiredError, uri.host
         when Net::HTTPNotFound
-          raise FallbackError, "Net::HTTPNotFound: #{URICredentialsFilter.credential_filtered_uri(uri)}"
+          raise FallbackError, "Net::HTTPNotFound: #{filtered_uri}"
         else
           raise HTTPError, "#{response.class}#{": #{response.body}" unless response.body.empty?}"
         end
@@ -49,7 +51,9 @@ module Bundler
       def request(uri, headers)
         validate_uri_scheme!(uri)
 
-        Bundler.ui.debug "HTTP GET #{uri}"
+        filtered_uri = URICredentialsFilter.credential_filtered_uri(uri)
+
+        Bundler.ui.debug "HTTP GET #{filtered_uri}"
         req = Net::HTTP::Get.new uri.request_uri, headers
         if uri.user
           user = CGI.unescape(uri.user)
@@ -69,7 +73,7 @@ module Bundler
           raise NetworkDownError, "Could not reach host #{uri.host}. Check your network " \
             "connection and try again."
         else
-          raise HTTPError, "Network error while fetching #{URICredentialsFilter.credential_filtered_uri(uri)}" \
+          raise HTTPError, "Network error while fetching #{filtered_uri}" \
             " (#{e})"
         end
       end

data/lib/bundler/fetcher.rb

@@ -47,7 +47,8 @@ module Bundler
         remote_uri = filter_uri(remote_uri)
         super "Authentication is required for #{remote_uri}.\n" \
           "Please supply credentials for this source. You can do this by running:\n" \
-          " bundle config set --global #{remote_uri} username:password"
+          "`bundle config set --global #{remote_uri} username:password`\n" \
+          "or by storing the credentials in the `#{Settings.key_for(remote_uri)}` environment variable"
       end
     end
     # This error is raised if HTTP authentication is provided, but incorrect.

data/lib/bundler/gem_helper.rb

@@ -47,6 +47,11 @@ module Bundler
         built_gem_path = build_gem
       end
 
+      desc "Generate SHA512 checksum if #{name}-#{version}.gem into the checksums directory."
+      task "build:checksum" => "build" do
+        build_checksum(built_gem_path)
+      end
+
       desc "Build and install #{name}-#{version}.gem into system gems."
       task "install" => "build" do
         install_gem(built_gem_path)
@@ -100,6 +105,17 @@ module Bundler
       Bundler.ui.confirm "#{name} (#{version}) installed."
     end
 
+    def build_checksum(built_gem_path = nil)
+      built_gem_path ||= build_gem
+      SharedHelpers.filesystem_access(File.join(base, "checksums")) {|p| FileUtils.mkdir_p(p) }
+      file_name = "#{File.basename(built_gem_path)}.sha512"
+      require "digest/sha2"
+      checksum = Digest::SHA512.new.hexdigest(built_gem_path.to_s)
+      target = File.join(base, "checksums", file_name)
+      File.write(target, checksum)
+      Bundler.ui.confirm "#{name} #{version} checksum written to checksums/#{file_name}."
+    end
+
     protected
 
     def rubygem_push(path)