RubyGems - bundler - Versions diffs - 2.2.17 → 2.2.18 - Mend

bundler 2.2.17 → 2.2.18

Potentially problematic release.

This version of bundler might be problematic. Click here for more details.

Files changed (50) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +16 -0
data/bundler.gemspec +2 -3
data/lib/bundler.rb +1 -0
data/lib/bundler/build_metadata.rb +2 -2
data/lib/bundler/cli.rb +13 -33
data/lib/bundler/cli/outdated.rb +7 -10
data/lib/bundler/definition.rb +14 -75
data/lib/bundler/feature_flag.rb +0 -1
data/lib/bundler/friendly_errors.rb +1 -1
data/lib/bundler/index.rb +1 -2
data/lib/bundler/man/bundle-add.1 +1 -1
data/lib/bundler/man/bundle-binstubs.1 +1 -1
data/lib/bundler/man/bundle-cache.1 +1 -1
data/lib/bundler/man/bundle-check.1 +1 -1
data/lib/bundler/man/bundle-clean.1 +1 -1
data/lib/bundler/man/bundle-config.1 +1 -7
data/lib/bundler/man/bundle-config.1.ronn +0 -8
data/lib/bundler/man/bundle-doctor.1 +1 -1
data/lib/bundler/man/bundle-exec.1 +1 -1
data/lib/bundler/man/bundle-gem.1 +1 -1
data/lib/bundler/man/bundle-info.1 +1 -1
data/lib/bundler/man/bundle-init.1 +1 -1
data/lib/bundler/man/bundle-inject.1 +1 -1
data/lib/bundler/man/bundle-install.1 +1 -1
data/lib/bundler/man/bundle-list.1 +1 -1
data/lib/bundler/man/bundle-lock.1 +1 -1
data/lib/bundler/man/bundle-open.1 +1 -1
data/lib/bundler/man/bundle-outdated.1 +1 -1
data/lib/bundler/man/bundle-platform.1 +1 -1
data/lib/bundler/man/bundle-pristine.1 +1 -1
data/lib/bundler/man/bundle-remove.1 +1 -1
data/lib/bundler/man/bundle-show.1 +1 -1
data/lib/bundler/man/bundle-update.1 +1 -1
data/lib/bundler/man/bundle-viz.1 +1 -1
data/lib/bundler/man/bundle.1 +1 -1
data/lib/bundler/man/gemfile.5 +1 -1
data/lib/bundler/plugin/api/source.rb +14 -0
data/lib/bundler/resolver.rb +13 -96
data/lib/bundler/resolver/spec_group.rb +0 -24
data/lib/bundler/rubygems_ext.rb +2 -2
data/lib/bundler/settings.rb +0 -1
data/lib/bundler/source.rb +9 -0
data/lib/bundler/source/rubygems.rb +15 -4
data/lib/bundler/source/rubygems_aggregate.rb +64 -0
data/lib/bundler/source_list.rb +29 -10
data/lib/bundler/source_map.rb +58 -0
data/lib/bundler/templates/newgem/newgem.gemspec.tt +1 -1
data/lib/bundler/version.rb +1 -1
metadata +9 -4

data/lib/bundler/settings.rb CHANGED Viewed

@@ -21,7 +21,6 @@ module Bundler
       disable_exec_load
       disable_local_branch_check
       disable_local_revision_check
-      disable_multisource
       disable_shared_gems
       disable_version_check
       force_ruby_platform

data/lib/bundler/source.rb CHANGED Viewed

@@ -7,6 +7,7 @@ module Bundler
     autoload :Metadata, File.expand_path("source/metadata", __dir__)
     autoload :Path,     File.expand_path("source/path", __dir__)
     autoload :Rubygems, File.expand_path("source/rubygems", __dir__)
+    autoload :RubygemsAggregate, File.expand_path("source/rubygems_aggregate", __dir__)
     attr_accessor :dependency_names
@@ -39,6 +40,10 @@ module Bundler
     def remote!; end
+    def add_dependency_names(names)
+      @dependency_names = Array(dependency_names) | Array(names)
+    end
     # it's possible that gems from one source depend on gems from some
     # other source, so now we download gemspecs and iterate over those
     # dependencies, looking for gems we don't have info on yet.
@@ -48,6 +53,10 @@ module Bundler
       specs.dependency_names
     end
+    def spec_names
+      specs.spec_names
+    end
     def include?(other)
       other == self
     end

data/lib/bundler/source/rubygems.rb CHANGED Viewed

@@ -259,8 +259,16 @@ module Bundler
         !equivalent
       end
+      def spec_names
+        if @allow_remote && dependency_api_available?
+          remote_specs.spec_names
+        else
+          []
+        end
+      end
       def unmet_deps
-        if @allow_remote && api_fetchers.any?
+        if @allow_remote && dependency_api_available?
           remote_specs.unmet_dependency_names
         else
           []
@@ -276,7 +284,7 @@ module Bundler
       def double_check_for(unmet_dependency_names)
         return unless @allow_remote
-        return unless api_fetchers.any?
+        return unless dependency_api_available?
         unmet_dependency_names = unmet_dependency_names.call
         unless unmet_dependency_names.nil?
@@ -298,17 +306,20 @@ module Bundler
         remote_specs.each do |spec|
           case spec
           when EndpointSpecification, Gem::Specification, StubSpecification, LazySpecification
-            names.concat(spec.runtime_dependencies)
+            names.concat(spec.runtime_dependencies.map(&:name))
           when RemoteSpecification # from the full index
             return nil
           else
             raise "unhandled spec type (#{spec.inspect})"
           end
         end
-        names.map!(&:name) if names
         names
       end
+      def dependency_api_available?
+        api_fetchers.any?
+      end
       protected
       def credless_remotes

data/lib/bundler/source/rubygems_aggregate.rb ADDED Viewed

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+module Bundler
+  class Source
+    class RubygemsAggregate
+      attr_reader :source_map, :sources
+      def initialize(sources, source_map)
+        @sources = sources
+        @source_map = source_map
+        @index = build_index
+      end
+      def specs
+        @index
+      end
+      def to_s
+        "any of the sources"
+      end
+      private
+      def build_index
+        Index.build do |idx|
+          dependency_names = source_map.pinned_spec_names
+          sources.all_sources.each do |source|
+            source.dependency_names = dependency_names - source_map.pinned_spec_names(source)
+            idx.add_source source.specs
+            dependency_names.concat(source.unmet_deps).uniq!
+          end
+          double_check_for_index(idx, dependency_names)
+        end
+      end
+      # Suppose the gem Foo depends on the gem Bar.  Foo exists in Source A.  Bar has some versions that exist in both
+      # sources A and B.  At this point, the API request will have found all the versions of Bar in source A,
+      # but will not have found any versions of Bar from source B, which is a problem if the requested version
+      # of Foo specifically depends on a version of Bar that is only found in source B. This ensures that for
+      # each spec we found, we add all possible versions from all sources to the index.
+      def double_check_for_index(idx, dependency_names)
+        pinned_names = source_map.pinned_spec_names
+        names = :names # do this so we only have to traverse to get dependency_names from the index once
+        unmet_dependency_names = lambda do
+          return names unless names == :names
+          new_names = sources.all_sources.map(&:dependency_names_to_double_check)
+          return names = nil if new_names.compact!
+          names = new_names.flatten(1).concat(dependency_names)
+          names.uniq!
+          names -= pinned_names
+          names
+        end
+        sources.all_sources.each do |source|
+          source.double_check_for(unmet_dependency_names)
+        end
+      end
+    end
+  end
+end

data/lib/bundler/source_list.rb CHANGED Viewed

@@ -21,15 +21,19 @@ module Bundler
       @rubygems_sources       = []
       @metadata_source        = Source::Metadata.new
-      @disable_multisource = true
+      @merged_gem_lockfile_sections = false
     end
-    def disable_multisource?
-      @disable_multisource
+    def merged_gem_lockfile_sections?
+      @merged_gem_lockfile_sections
     end
     def merged_gem_lockfile_sections!
-      @disable_multisource = false
+      @merged_gem_lockfile_sections = true
+    end
+    def no_aggregate_global_source?
+      global_rubygems_source.remotes.size <= 1
     end
     def add_path_source(options = {})
@@ -70,7 +74,11 @@ module Bundler
     end
     def rubygems_sources
-      @rubygems_sources + [global_rubygems_source]
+      non_global_rubygems_sources + [global_rubygems_source]
+    end
+    def non_global_rubygems_sources
+      @rubygems_sources
     end
     def rubygems_remotes
@@ -81,16 +89,27 @@ module Bundler
       path_sources + git_sources + plugin_sources + rubygems_sources + [metadata_source]
     end
+    def non_default_explicit_sources
+      all_sources - [default_source, metadata_source]
+    end
     def get(source)
       source_list_for(source).find {|s| equal_source?(source, s) || equivalent_source?(source, s) }
     end
     def lock_sources
-      lock_sources = (path_sources + git_sources + plugin_sources).sort_by(&:to_s)
-      if disable_multisource?
-        lock_sources + rubygems_sources.sort_by(&:to_s).uniq
+      lock_other_sources + lock_rubygems_sources
+    end
+    def lock_other_sources
+      (path_sources + git_sources + plugin_sources).sort_by(&:to_s)
+    end
+    def lock_rubygems_sources
+      if merged_gem_lockfile_sections?
+        [combine_rubygems_sources]
       else
-        lock_sources << combine_rubygems_sources
+        rubygems_sources.sort_by(&:to_s).uniq
       end
     end
@@ -104,7 +123,7 @@ module Bundler
         end
       end
-      replacement_rubygems = !disable_multisource? &&
+      replacement_rubygems = merged_gem_lockfile_sections? &&
         replacement_sources.detect {|s| s.is_a?(Source::Rubygems) }
       @global_rubygems_source = replacement_rubygems if replacement_rubygems

data/lib/bundler/source_map.rb ADDED Viewed

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+module Bundler
+  class SourceMap
+    attr_reader :sources, :dependencies
+    def initialize(sources, dependencies)
+      @sources = sources
+      @dependencies = dependencies
+    end
+    def pinned_spec_names(skip = nil)
+      direct_requirements.reject {|_, source| source == skip }.keys
+    end
+    def all_requirements
+      requirements = direct_requirements.dup
+      unmet_deps = sources.non_default_explicit_sources.map do |source|
+        (source.spec_names - pinned_spec_names).each do |indirect_dependency_name|
+          previous_source = requirements[indirect_dependency_name]
+          if previous_source.nil?
+            requirements[indirect_dependency_name] = source
+          else
+            no_ambiguous_sources = Bundler.feature_flag.bundler_3_mode?
+            msg = ["The gem '#{indirect_dependency_name}' was found in multiple relevant sources."]
+            msg.concat [previous_source, source].map {|s| "  * #{s}" }.sort
+            msg << "You #{no_ambiguous_sources ? :must : :should} add this gem to the source block for the source you wish it to be installed from."
+            msg = msg.join("\n")
+            raise SecurityError, msg if no_ambiguous_sources
+            Bundler.ui.warn "Warning: #{msg}"
+          end
+        end
+        source.unmet_deps
+      end
+      sources.default_source.add_dependency_names(unmet_deps.flatten - requirements.keys)
+      requirements
+    end
+    def direct_requirements
+      @direct_requirements ||= begin
+        requirements = {}
+        default = sources.default_source
+        dependencies.each do |dep|
+          dep_source = dep.source || default
+          dep_source.add_dependency_names(dep.name)
+          requirements[dep.name] = dep_source
+        end
+        requirements
+      end
+    end
+  end
+end

data/lib/bundler/templates/newgem/newgem.gemspec.tt CHANGED Viewed

@@ -14,7 +14,7 @@ Gem::Specification.new do |spec|
 <%- if config[:mit] -%>
   spec.license       = "MIT"
 <%- end -%>
-  spec.required_ruby_version = Gem::Requirement.new(">= <%= config[:required_ruby_version] %>")
+  spec.required_ruby_version = ">= <%= config[:required_ruby_version] %>"
   spec.metadata["allowed_push_host"] = "TODO: Set to 'http://mygemserver.com'"

data/lib/bundler/version.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 # frozen_string_literal: false
 module Bundler
-  VERSION = "2.2.17".freeze
+  VERSION = "2.2.18".freeze
   def self.bundler_major_version
     @bundler_major_version ||= VERSION.split(".").first.to_i

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bundler
 version: !ruby/object:Gem::Version
-  version: 2.2.17
+  version: 2.2.18
 platform: ruby
 authors:
 - André Arko
@@ -22,7 +22,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-05-05 00:00:00.000000000 Z
+date: 2021-05-25 00:00:00.000000000 Z
 dependencies: []
 description: Bundler manages an application's dependencies through its entire life,
   across many machines, systematically and repeatably
@@ -32,7 +32,10 @@ executables:
 - bundle
 - bundler
 extensions: []
-extra_rdoc_files: []
+extra_rdoc_files:
+- CHANGELOG.md
+- LICENSE.md
+- README.md
 files:
 - CHANGELOG.md
 - LICENSE.md
@@ -202,7 +205,9 @@ files:
 - lib/bundler/source/path/installer.rb
 - lib/bundler/source/rubygems.rb
 - lib/bundler/source/rubygems/remote.rb
+- lib/bundler/source/rubygems_aggregate.rb
 - lib/bundler/source_list.rb
+- lib/bundler/source_map.rb
 - lib/bundler/spec_set.rb
 - lib/bundler/stub_specification.rb
 - lib/bundler/templates/.document
@@ -352,7 +357,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 2.5.2
 requirements: []
-rubygems_version: 3.2.17
+rubygems_version: 3.2.18
 signing_key:
 specification_version: 4
 summary: The best way to manage your application's dependencies