RubyGems - bundler - Versions diffs - 2.2.14 → 2.2.19 - Mend

bundler 2.2.14 → 2.2.19

Potentially problematic release.

This version of bundler might be problematic. Click here for more details.

Files changed (72) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +81 -5
data/bundler.gemspec +2 -3
data/lib/bundler.rb +1 -0
data/lib/bundler/build_metadata.rb +2 -2
data/lib/bundler/cli.rb +16 -35
data/lib/bundler/cli/common.rb +15 -2
data/lib/bundler/cli/gem.rb +9 -1
data/lib/bundler/cli/outdated.rb +8 -11
data/lib/bundler/compact_index_client/updater.rb +9 -5
data/lib/bundler/current_ruby.rb +1 -0
data/lib/bundler/definition.rb +21 -84
data/lib/bundler/feature_flag.rb +0 -2
data/lib/bundler/fetcher.rb +2 -1
data/lib/bundler/fetcher/downloader.rb +8 -4
data/lib/bundler/friendly_errors.rb +1 -1
data/lib/bundler/gem_helper.rb +16 -0
data/lib/bundler/index.rb +1 -2
data/lib/bundler/injector.rb +2 -2
data/lib/bundler/inline.rb +1 -1
data/lib/bundler/installer/parallel_installer.rb +30 -7
data/lib/bundler/lazy_specification.rb +6 -1
data/lib/bundler/man/bundle-add.1 +1 -1
data/lib/bundler/man/bundle-binstubs.1 +1 -1
data/lib/bundler/man/bundle-cache.1 +1 -1
data/lib/bundler/man/bundle-check.1 +1 -1
data/lib/bundler/man/bundle-clean.1 +1 -1
data/lib/bundler/man/bundle-config.1 +21 -10
data/lib/bundler/man/bundle-config.1.ronn +21 -11
data/lib/bundler/man/bundle-doctor.1 +1 -1
data/lib/bundler/man/bundle-exec.1 +1 -1
data/lib/bundler/man/bundle-gem.1 +1 -1
data/lib/bundler/man/bundle-info.1 +1 -1
data/lib/bundler/man/bundle-init.1 +1 -1
data/lib/bundler/man/bundle-inject.1 +1 -1
data/lib/bundler/man/bundle-install.1 +1 -1
data/lib/bundler/man/bundle-list.1 +1 -1
data/lib/bundler/man/bundle-lock.1 +1 -1
data/lib/bundler/man/bundle-open.1 +1 -1
data/lib/bundler/man/bundle-outdated.1 +1 -1
data/lib/bundler/man/bundle-platform.1 +1 -1
data/lib/bundler/man/bundle-pristine.1 +1 -1
data/lib/bundler/man/bundle-remove.1 +1 -1
data/lib/bundler/man/bundle-show.1 +1 -1
data/lib/bundler/man/bundle-update.1 +1 -1
data/lib/bundler/man/bundle-viz.1 +1 -1
data/lib/bundler/man/bundle.1 +1 -1
data/lib/bundler/man/gemfile.5 +1 -1
data/lib/bundler/plugin.rb +2 -2
data/lib/bundler/plugin/api/source.rb +14 -0
data/lib/bundler/resolver.rb +13 -96
data/lib/bundler/resolver/spec_group.rb +0 -24
data/lib/bundler/retry.rb +1 -1
data/lib/bundler/rubygems_ext.rb +2 -2
data/lib/bundler/settings.rb +74 -12
data/lib/bundler/source.rb +9 -0
data/lib/bundler/source/path.rb +3 -1
data/lib/bundler/source/path/installer.rb +1 -1
data/lib/bundler/source/rubygems.rb +17 -10
data/lib/bundler/source/rubygems_aggregate.rb +64 -0
data/lib/bundler/source_list.rb +29 -10
data/lib/bundler/source_map.rb +58 -0
data/lib/bundler/spec_set.rb +18 -7
data/lib/bundler/templates/Gemfile +1 -1
data/lib/bundler/templates/gems.rb +1 -1
data/lib/bundler/templates/newgem/github/workflows/main.yml.tt +2 -4
data/lib/bundler/templates/newgem/newgem.gemspec.tt +1 -1
data/lib/bundler/vendor/molinillo/lib/molinillo/modules/specification_provider.rb +1 -1
data/lib/bundler/vendor/thor/lib/thor/actions/file_manipulation.rb +1 -1
data/lib/bundler/vendor/tmpdir/lib/tmpdir.rb +1 -1
data/lib/bundler/version.rb +1 -1
metadata +9 -4

data/lib/bundler/retry.rb CHANGED Viewed

@@ -49,7 +49,7 @@ module Bundler
         raise e
       end
       return true unless name
-      Bundler.ui.info "" unless Bundler.ui.debug? # Add new line incase dots preceded this
+      Bundler.ui.info "" unless Bundler.ui.debug? # Add new line in case dots preceded this
       Bundler.ui.warn "Retrying #{name} due to error (#{current_run.next}/#{total_runs}): #{e.class} #{e.message}", Bundler.ui.debug?
     end

data/lib/bundler/rubygems_ext.rb CHANGED Viewed

@@ -105,7 +105,7 @@ module Gem
   end
   class Dependency
-    attr_accessor :source, :groups, :all_sources
+    attr_accessor :source, :groups
     alias_method :eql?, :==
@@ -116,7 +116,7 @@ module Gem
     end
     def to_yaml_properties
-      instance_variables.reject {|p| ["@source", "@groups", "@all_sources"].include?(p.to_s) }
+      instance_variables.reject {|p| ["@source", "@groups"].include?(p.to_s) }
     end
     def to_lock

data/lib/bundler/settings.rb CHANGED Viewed

@@ -13,6 +13,7 @@ module Bundler
       auto_install
       cache_all
       cache_all_platforms
+      clean
       default_install_uses_path
       deployment
       deployment_means_frozen
@@ -20,20 +21,21 @@ module Bundler
       disable_exec_load
       disable_local_branch_check
       disable_local_revision_check
-      disable_multisource
       disable_shared_gems
       disable_version_check
       force_ruby_platform
       forget_cli_options
       frozen
+      gem.changelog
       gem.coc
       gem.mit
+      git.allow_insecure
       global_gem_cache
       ignore_messages
       init_gems_rb
+      inline
       no_install
       no_prune
-      only_update_to_newer_versions
       path_relative_to_cwd
       path.system
       plugins
@@ -61,6 +63,22 @@ module Bundler
       without
     ].freeze
+    STRING_KEYS = %w[
+      bin
+      cache_path
+      console
+      gem.ci
+      gem.github_username
+      gem.linter
+      gem.rubocop
+      gem.test
+      gemfile
+      path
+      shebang
+      system_bindir
+      trust-policy
+    ].freeze
     DEFAULT_CONFIG = {
       "BUNDLE_SILENCE_DEPRECATIONS" => false,
       "BUNDLE_DISABLE_VERSION_CHECK" => true,
@@ -126,8 +144,8 @@ module Bundler
       keys = @temporary.keys | @global_config.keys | @local_config.keys | @env_config.keys
       keys.map do |key|
-        key.sub(/^BUNDLE_/, "").gsub(/__/, ".").downcase
-      end
+        key.sub(/^BUNDLE_/, "").gsub(/___/, "-").gsub(/__/, ".").downcase
+      end.sort
     end
     def local_overrides
@@ -173,19 +191,19 @@ module Bundler
       locations = []
       if value = @temporary[key]
-        locations << "Set for the current command: #{converted_value(value, exposed_key).inspect}"
+        locations << "Set for the current command: #{printable_value(value, exposed_key).inspect}"
       end
       if value = @local_config[key]
-        locations << "Set for your local app (#{local_config_file}): #{converted_value(value, exposed_key).inspect}"
+        locations << "Set for your local app (#{local_config_file}): #{printable_value(value, exposed_key).inspect}"
       end
       if value = @env_config[key]
-        locations << "Set via #{key}: #{converted_value(value, exposed_key).inspect}"
+        locations << "Set via #{key}: #{printable_value(value, exposed_key).inspect}"
       end
       if value = @global_config[key]
-        locations << "Set for the current user (#{global_config_file}): #{converted_value(value, exposed_key).inspect}"
+        locations << "Set for the current user (#{global_config_file}): #{printable_value(value, exposed_key).inspect}"
       end
       return ["You have not configured a value for `#{exposed_key}`"] if locations.empty?
@@ -277,9 +295,7 @@ module Bundler
     end
     def key_for(key)
-      key = Settings.normalize_uri(key).to_s if key.is_a?(String) && /https?:/ =~ key
-      key = key.to_s.gsub(".", "__").upcase
-      "BUNDLE_#{key}"
+      self.class.key_for(key)
     end
     private
@@ -314,6 +330,10 @@ module Bundler
       BOOL_KEYS.include?(name.to_s) || BOOL_KEYS.include?(parent_setting_for(name.to_s))
     end
+    def is_string(name)
+      STRING_KEYS.include?(name.to_s) || name.to_s.start_with?("local.") || name.to_s.start_with?("mirror.") || name.to_s.start_with?("build.")
+    end
     def to_bool(value)
       case value
       when nil, /\A(false|f|no|n|0|)\z/i, false
@@ -331,6 +351,14 @@ module Bundler
       ARRAY_KEYS.include?(key.to_s)
     end
+    def is_credential(key)
+      key == "gem.push_key"
+    end
+    def is_userinfo(value)
+      value.include?(":")
+    end
     def to_array(value)
       return [] unless value
       value.split(":").map(&:to_sym)
@@ -377,6 +405,21 @@ module Bundler
       end
     end
+    def printable_value(value, key)
+      converted = converted_value(value, key)
+      return converted unless converted.is_a?(String)
+      if is_string(key)
+        converted
+      elsif is_credential(key)
+        "[REDACTED]"
+      elsif is_userinfo(converted)
+        converted.gsub(/:.*$/, ":[REDACTED]")
+      else
+        converted
+      end
+    end
     def global_config_file
       if ENV["BUNDLE_CONFIG"] && !ENV["BUNDLE_CONFIG"].empty?
         Pathname.new(ENV["BUNDLE_CONFIG"])
@@ -399,7 +442,20 @@ module Bundler
         valid_file = file.exist? && !file.size.zero?
         return {} unless valid_file
         require_relative "yaml_serializer"
-        YAMLSerializer.load file.read
+        YAMLSerializer.load(file.read).inject({}) do |config, (k, v)|
+          new_k = k
+          if k.include?("-")
+            Bundler.ui.warn "Your #{file} config includes `#{k}`, which contains the dash character (`-`).\n" \
+              "This is deprecated, because configuration through `ENV` should be possible, but `ENV` keys cannot include dashes.\n" \
+              "Please edit #{file} and replace any dashes in configuration keys with a triple underscore (`___`)."
+            new_k = k.gsub("-", "___")
+          end
+          config[new_k] = v
+          config
+        end
       end
     end
@@ -416,6 +472,12 @@ module Bundler
         \z
       /ix.freeze
+    def self.key_for(key)
+      key = normalize_uri(key).to_s if key.is_a?(String) && /https?:/ =~ key
+      key = key.to_s.gsub(".", "__").gsub("-", "___").upcase
+      "BUNDLE_#{key}"
+    end
     # TODO: duplicates Rubygems#normalize_uri
     # TODO: is this the correct place to validate mirror URIs?
     def self.normalize_uri(uri)

data/lib/bundler/source.rb CHANGED Viewed

@@ -7,6 +7,7 @@ module Bundler
     autoload :Metadata, File.expand_path("source/metadata", __dir__)
     autoload :Path,     File.expand_path("source/path", __dir__)
     autoload :Rubygems, File.expand_path("source/rubygems", __dir__)
+    autoload :RubygemsAggregate, File.expand_path("source/rubygems_aggregate", __dir__)
     attr_accessor :dependency_names
@@ -39,6 +40,10 @@ module Bundler
     def remote!; end
+    def add_dependency_names(names)
+      @dependency_names = Array(dependency_names) | Array(names)
+    end
     # it's possible that gems from one source depend on gems from some
     # other source, so now we download gemspecs and iterate over those
     # dependencies, looking for gems we don't have info on yet.
@@ -48,6 +53,10 @@ module Bundler
       specs.dependency_names
     end
+    def spec_names
+      specs.spec_names
+    end
     def include?(other)
       other == self
     end

data/lib/bundler/source/path.rb CHANGED Viewed

@@ -82,7 +82,9 @@ module Bundler
       end
       def install(spec, options = {})
-        print_using_message "Using #{version_message(spec)} from #{self}"
+        using_message = "Using #{version_message(spec)} from #{self}"
+        using_message += " and installing its executables" unless spec.executables.empty?
+        print_using_message using_message
         generate_bin(spec, :disable_extensions => true)
         nil # no post-install message
       end

data/lib/bundler/source/path/installer.rb CHANGED Viewed

@@ -35,7 +35,7 @@ module Bundler
             run_hooks(:post_build)
           end
-          generate_bin unless spec.executables.nil? || spec.executables.empty?
+          generate_bin unless spec.executables.empty?
           run_hooks(:post_install)
         ensure

data/lib/bundler/source/rubygems.rb CHANGED Viewed

@@ -259,8 +259,16 @@ module Bundler
         !equivalent
       end
+      def spec_names
+        if @allow_remote && dependency_api_available?
+          remote_specs.spec_names
+        else
+          []
+        end
+      end
       def unmet_deps
-        if @allow_remote && api_fetchers.any?
+        if @allow_remote && dependency_api_available?
           remote_specs.unmet_dependency_names
         else
           []
@@ -276,7 +284,7 @@ module Bundler
       def double_check_for(unmet_dependency_names)
         return unless @allow_remote
-        return unless api_fetchers.any?
+        return unless dependency_api_available?
         unmet_dependency_names = unmet_dependency_names.call
         unless unmet_dependency_names.nil?
@@ -298,17 +306,20 @@ module Bundler
         remote_specs.each do |spec|
           case spec
           when EndpointSpecification, Gem::Specification, StubSpecification, LazySpecification
-            names.concat(spec.runtime_dependencies)
+            names.concat(spec.runtime_dependencies.map(&:name))
           when RemoteSpecification # from the full index
             return nil
           else
             raise "unhandled spec type (#{spec.inspect})"
           end
         end
-        names.map!(&:name) if names
         names
       end
+      def dependency_api_available?
+        api_fetchers.any?
+      end
       protected
       def credless_remotes
@@ -387,10 +398,6 @@ module Bundler
             next if gemfile =~ /^bundler\-[\d\.]+?\.gem/
             s ||= Bundler.rubygems.spec_from_gem(gemfile)
             s.source = self
-            if Bundler.rubygems.spec_missing_extensions?(s, false)
-              Bundler.ui.debug "Source #{self} is ignoring #{s} because it is missing extensions"
-              next
-            end
             idx << s
           end
@@ -423,11 +430,11 @@ module Bundler
       def fetch_names(fetchers, dependency_names, index, override_dupes)
         fetchers.each do |f|
           if dependency_names
-            Bundler.ui.info "Fetching gem metadata from #{f.uri}", Bundler.ui.debug?
+            Bundler.ui.info "Fetching gem metadata from #{URICredentialsFilter.credential_filtered_uri(f.uri)}", Bundler.ui.debug?
             index.use f.specs_with_retry(dependency_names, self), override_dupes
             Bundler.ui.info "" unless Bundler.ui.debug? # new line now that the dots are over
           else
-            Bundler.ui.info "Fetching source index from #{f.uri}"
+            Bundler.ui.info "Fetching source index from #{URICredentialsFilter.credential_filtered_uri(f.uri)}"
             index.use f.specs_with_retry(nil, self), override_dupes
           end
         end

data/lib/bundler/source/rubygems_aggregate.rb ADDED Viewed

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+module Bundler
+  class Source
+    class RubygemsAggregate
+      attr_reader :source_map, :sources
+      def initialize(sources, source_map)
+        @sources = sources
+        @source_map = source_map
+        @index = build_index
+      end
+      def specs
+        @index
+      end
+      def to_s
+        "any of the sources"
+      end
+      private
+      def build_index
+        Index.build do |idx|
+          dependency_names = source_map.pinned_spec_names
+          sources.all_sources.each do |source|
+            source.dependency_names = dependency_names - source_map.pinned_spec_names(source)
+            idx.add_source source.specs
+            dependency_names.concat(source.unmet_deps).uniq!
+          end
+          double_check_for_index(idx, dependency_names)
+        end
+      end
+      # Suppose the gem Foo depends on the gem Bar.  Foo exists in Source A.  Bar has some versions that exist in both
+      # sources A and B.  At this point, the API request will have found all the versions of Bar in source A,
+      # but will not have found any versions of Bar from source B, which is a problem if the requested version
+      # of Foo specifically depends on a version of Bar that is only found in source B. This ensures that for
+      # each spec we found, we add all possible versions from all sources to the index.
+      def double_check_for_index(idx, dependency_names)
+        pinned_names = source_map.pinned_spec_names
+        names = :names # do this so we only have to traverse to get dependency_names from the index once
+        unmet_dependency_names = lambda do
+          return names unless names == :names
+          new_names = sources.all_sources.map(&:dependency_names_to_double_check)
+          return names = nil if new_names.compact!
+          names = new_names.flatten(1).concat(dependency_names)
+          names.uniq!
+          names -= pinned_names
+          names
+        end
+        sources.all_sources.each do |source|
+          source.double_check_for(unmet_dependency_names)
+        end
+      end
+    end
+  end
+end

data/lib/bundler/source_list.rb CHANGED Viewed

@@ -21,15 +21,19 @@ module Bundler
       @rubygems_sources       = []
       @metadata_source        = Source::Metadata.new
-      @disable_multisource = true
+      @merged_gem_lockfile_sections = false
     end
-    def disable_multisource?
-      @disable_multisource
+    def merged_gem_lockfile_sections?
+      @merged_gem_lockfile_sections
     end
     def merged_gem_lockfile_sections!
-      @disable_multisource = false
+      @merged_gem_lockfile_sections = true
+    end
+    def no_aggregate_global_source?
+      global_rubygems_source.remotes.size <= 1
     end
     def add_path_source(options = {})
@@ -70,7 +74,11 @@ module Bundler
     end
     def rubygems_sources
-      @rubygems_sources + [global_rubygems_source]
+      non_global_rubygems_sources + [global_rubygems_source]
+    end
+    def non_global_rubygems_sources
+      @rubygems_sources
     end
     def rubygems_remotes
@@ -81,16 +89,27 @@ module Bundler
       path_sources + git_sources + plugin_sources + rubygems_sources + [metadata_source]
     end
+    def non_default_explicit_sources
+      all_sources - [default_source, metadata_source]
+    end
     def get(source)
       source_list_for(source).find {|s| equal_source?(source, s) || equivalent_source?(source, s) }
     end
     def lock_sources
-      lock_sources = (path_sources + git_sources + plugin_sources).sort_by(&:to_s)
-      if disable_multisource?
-        lock_sources + rubygems_sources.sort_by(&:to_s)
+      lock_other_sources + lock_rubygems_sources
+    end
+    def lock_other_sources
+      (path_sources + git_sources + plugin_sources).sort_by(&:to_s)
+    end
+    def lock_rubygems_sources
+      if merged_gem_lockfile_sections?
+        [combine_rubygems_sources]
       else
-        lock_sources << combine_rubygems_sources
+        rubygems_sources.sort_by(&:to_s).uniq
       end
     end
@@ -104,7 +123,7 @@ module Bundler
         end
       end
-      replacement_rubygems = !disable_multisource? &&
+      replacement_rubygems = merged_gem_lockfile_sections? &&
         replacement_sources.detect {|s| s.is_a?(Source::Rubygems) }
       @global_rubygems_source = replacement_rubygems if replacement_rubygems