RubyGems - bundler - Versions diffs - 2.2.17 → 2.2.22 - Mend

bundler 2.2.17 → 2.2.22

Potentially problematic release.

This version of bundler might be problematic. Click here for more details.

Files changed (66) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +70 -0
data/bundler.gemspec +2 -3
data/lib/bundler.rb +2 -1
data/lib/bundler/build_metadata.rb +2 -2
data/lib/bundler/cli.rb +13 -33
data/lib/bundler/cli/check.rb +4 -2
data/lib/bundler/cli/doctor.rb +11 -1
data/lib/bundler/cli/install.rb +7 -8
data/lib/bundler/cli/lock.rb +5 -1
data/lib/bundler/cli/outdated.rb +9 -10
data/lib/bundler/cli/update.rb +8 -3
data/lib/bundler/current_ruby.rb +4 -4
data/lib/bundler/definition.rb +38 -127
data/lib/bundler/dsl.rb +3 -11
data/lib/bundler/feature_flag.rb +0 -3
data/lib/bundler/fetcher/compact_index.rb +1 -1
data/lib/bundler/fetcher/downloader.rb +1 -2
data/lib/bundler/fetcher/index.rb +0 -1
data/lib/bundler/friendly_errors.rb +2 -4
data/lib/bundler/index.rb +1 -2
data/lib/bundler/installer.rb +5 -12
data/lib/bundler/lockfile_parser.rb +2 -20
data/lib/bundler/man/bundle-add.1 +1 -1
data/lib/bundler/man/bundle-binstubs.1 +1 -1
data/lib/bundler/man/bundle-cache.1 +1 -1
data/lib/bundler/man/bundle-check.1 +1 -1
data/lib/bundler/man/bundle-clean.1 +1 -1
data/lib/bundler/man/bundle-config.1 +1 -10
data/lib/bundler/man/bundle-config.1.ronn +0 -11
data/lib/bundler/man/bundle-doctor.1 +1 -1
data/lib/bundler/man/bundle-exec.1 +1 -1
data/lib/bundler/man/bundle-gem.1 +1 -1
data/lib/bundler/man/bundle-info.1 +1 -1
data/lib/bundler/man/bundle-init.1 +1 -1
data/lib/bundler/man/bundle-inject.1 +1 -1
data/lib/bundler/man/bundle-install.1 +1 -1
data/lib/bundler/man/bundle-list.1 +1 -1
data/lib/bundler/man/bundle-lock.1 +1 -1
data/lib/bundler/man/bundle-open.1 +1 -1
data/lib/bundler/man/bundle-outdated.1 +1 -1
data/lib/bundler/man/bundle-platform.1 +1 -1
data/lib/bundler/man/bundle-pristine.1 +1 -1
data/lib/bundler/man/bundle-remove.1 +1 -1
data/lib/bundler/man/bundle-show.1 +1 -1
data/lib/bundler/man/bundle-update.1 +4 -4
data/lib/bundler/man/bundle-update.1.ronn +3 -3
data/lib/bundler/man/bundle-viz.1 +1 -1
data/lib/bundler/man/bundle.1 +1 -1
data/lib/bundler/man/gemfile.5 +1 -1
data/lib/bundler/plugin/api/source.rb +14 -0
data/lib/bundler/plugin/installer.rb +1 -1
data/lib/bundler/resolver.rb +15 -96
data/lib/bundler/resolver/spec_group.rb +0 -24
data/lib/bundler/rubygems_ext.rb +2 -2
data/lib/bundler/rubygems_integration.rb +4 -3
data/lib/bundler/settings.rb +21 -4
data/lib/bundler/source.rb +11 -0
data/lib/bundler/source/rubygems.rb +22 -22
data/lib/bundler/source/rubygems_aggregate.rb +64 -0
data/lib/bundler/source_list.rb +69 -27
data/lib/bundler/source_map.rb +58 -0
data/lib/bundler/spec_set.rb +2 -6
data/lib/bundler/templates/newgem/newgem.gemspec.tt +2 -2
data/lib/bundler/version.rb +1 -1
metadata +5 -3

data/lib/bundler/rubygems_integration.rb CHANGED Viewed

@@ -526,13 +526,14 @@ module Bundler
       Bundler::Retry.new("download gem from #{uri}").attempts do
         fetcher.download(spec, uri, path)
       end
+    rescue Gem::RemoteFetcher::FetchError => e
+      raise Bundler::HTTPError, "Could not download gem from #{uri} due to underlying error <#{e.message}>"
     end
     def gem_remote_fetcher
-      require "resolv"
+      require "rubygems/remote_fetcher"
       proxy = configuration[:http_proxy]
-      dns = Resolv::DNS.new
-      Gem::RemoteFetcher.new(proxy, dns)
+      Gem::RemoteFetcher.new(proxy)
     end
     def gem_from_path(path, policy = nil)

data/lib/bundler/settings.rb CHANGED Viewed

@@ -16,12 +16,10 @@ module Bundler
       clean
       default_install_uses_path
       deployment
-      deployment_means_frozen
       disable_checksum_validation
       disable_exec_load
       disable_local_branch_check
       disable_local_revision_check
-      disable_multisource
       disable_shared_gems
       disable_version_check
       force_ruby_platform
@@ -46,7 +44,6 @@ module Bundler
       silence_deprecations
       silence_root_warning
       suppress_install_using_messages
-      unlock_source_unlocks_spec
       update_requires_all_flag
       use_gem_version_promoter_for_major_updates
     ].freeze
@@ -211,6 +208,13 @@ module Bundler
       locations
     end
+    def processor_count
+      require "etc"
+      Etc.nprocessors
+    rescue StandardError
+      1
+    end
     # for legacy reasons, in Bundler 2, we do not respect :disable_shared_gems
     def path
       configs.each do |_level, settings|
@@ -443,7 +447,20 @@ module Bundler
         valid_file = file.exist? && !file.size.zero?
         return {} unless valid_file
         require_relative "yaml_serializer"
-        YAMLSerializer.load file.read
+        YAMLSerializer.load(file.read).inject({}) do |config, (k, v)|
+          new_k = k
+          if k.include?("-")
+            Bundler.ui.warn "Your #{file} config includes `#{k}`, which contains the dash character (`-`).\n" \
+              "This is deprecated, because configuration through `ENV` should be possible, but `ENV` keys cannot include dashes.\n" \
+              "Please edit #{file} and replace any dashes in configuration keys with a triple underscore (`___`)."
+            new_k = k.gsub("-", "___")
+          end
+          config[new_k] = v
+          config
+        end
       end
     end

data/lib/bundler/source.rb CHANGED Viewed

@@ -7,6 +7,7 @@ module Bundler
     autoload :Metadata, File.expand_path("source/metadata", __dir__)
     autoload :Path,     File.expand_path("source/path", __dir__)
     autoload :Rubygems, File.expand_path("source/rubygems", __dir__)
+    autoload :RubygemsAggregate, File.expand_path("source/rubygems_aggregate", __dir__)
     attr_accessor :dependency_names
@@ -35,10 +36,16 @@ module Bundler
     def local!; end
+    def local_only!; end
     def cached!; end
     def remote!; end
+    def add_dependency_names(names)
+      @dependency_names = Array(dependency_names) | Array(names)
+    end
     # it's possible that gems from one source depend on gems from some
     # other source, so now we download gemspecs and iterate over those
     # dependencies, looking for gems we don't have info on yet.
@@ -48,6 +55,10 @@ module Bundler
       specs.dependency_names
     end
+    def spec_names
+      specs.spec_names
+    end
     def include?(other)
       other == self
     end

data/lib/bundler/source/rubygems.rb CHANGED Viewed

@@ -26,6 +26,12 @@ module Bundler
         Array(options["remotes"]).reverse_each {|r| add_remote(r) }
       end
+      def local_only!
+        @specs = nil
+        @allow_local = true
+        @allow_remote = false
+      end
       def local!
         return if @allow_local
@@ -61,13 +67,13 @@ module Bundler
         o.is_a?(Rubygems) && (o.credless_remotes - credless_remotes).empty?
       end
-      def disable_multisource?
-        @remotes.size <= 1
+      def multiple_remotes?
+        @remotes.size > 1
       end
       def can_lock?(spec)
-        return super if disable_multisource?
-        spec.source.is_a?(Rubygems)
+        return super unless multiple_remotes?
+        include?(spec.source)
       end
       def options
@@ -246,21 +252,16 @@ module Bundler
         other_remotes.map(&method(:remove_auth)) == @remotes.map(&method(:remove_auth))
       end
-      def replace_remotes(other_remotes, allow_equivalent = false)
-        return false if other_remotes == @remotes
-        equivalent = allow_equivalent && equivalent_remotes?(other_remotes)
-        @remotes = []
-        other_remotes.reverse_each do |r|
-          add_remote r.to_s
+      def spec_names
+        if @allow_remote && dependency_api_available?
+          remote_specs.spec_names
+        else
+          []
         end
-        !equivalent
       end
       def unmet_deps
-        if @allow_remote && api_fetchers.any?
+        if @allow_remote && dependency_api_available?
           remote_specs.unmet_dependency_names
         else
           []
@@ -276,7 +277,7 @@ module Bundler
       def double_check_for(unmet_dependency_names)
         return unless @allow_remote
-        return unless api_fetchers.any?
+        return unless dependency_api_available?
         unmet_dependency_names = unmet_dependency_names.call
         unless unmet_dependency_names.nil?
@@ -298,17 +299,20 @@ module Bundler
         remote_specs.each do |spec|
           case spec
           when EndpointSpecification, Gem::Specification, StubSpecification, LazySpecification
-            names.concat(spec.runtime_dependencies)
+            names.concat(spec.runtime_dependencies.map(&:name))
           when RemoteSpecification # from the full index
             return nil
           else
             raise "unhandled spec type (#{spec.inspect})"
           end
         end
-        names.map!(&:name) if names
         names
       end
+      def dependency_api_available?
+        api_fetchers.any?
+      end
       protected
       def credless_remotes
@@ -387,10 +391,6 @@ module Bundler
             next if gemfile =~ /^bundler\-[\d\.]+?\.gem/
             s ||= Bundler.rubygems.spec_from_gem(gemfile)
             s.source = self
-            if Bundler.rubygems.spec_missing_extensions?(s, false)
-              Bundler.ui.debug "Source #{self} is ignoring #{s} because it is missing extensions"
-              next
-            end
             idx << s
           end

data/lib/bundler/source/rubygems_aggregate.rb ADDED Viewed

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+module Bundler
+  class Source
+    class RubygemsAggregate
+      attr_reader :source_map, :sources
+      def initialize(sources, source_map)
+        @sources = sources
+        @source_map = source_map
+        @index = build_index
+      end
+      def specs
+        @index
+      end
+      def to_s
+        "any of the sources"
+      end
+      private
+      def build_index
+        Index.build do |idx|
+          dependency_names = source_map.pinned_spec_names
+          sources.all_sources.each do |source|
+            source.dependency_names = dependency_names - source_map.pinned_spec_names(source)
+            idx.add_source source.specs
+            dependency_names.concat(source.unmet_deps).uniq!
+          end
+          double_check_for_index(idx, dependency_names)
+        end
+      end
+      # Suppose the gem Foo depends on the gem Bar.  Foo exists in Source A.  Bar has some versions that exist in both
+      # sources A and B.  At this point, the API request will have found all the versions of Bar in source A,
+      # but will not have found any versions of Bar from source B, which is a problem if the requested version
+      # of Foo specifically depends on a version of Bar that is only found in source B. This ensures that for
+      # each spec we found, we add all possible versions from all sources to the index.
+      def double_check_for_index(idx, dependency_names)
+        pinned_names = source_map.pinned_spec_names
+        names = :names # do this so we only have to traverse to get dependency_names from the index once
+        unmet_dependency_names = lambda do
+          return names unless names == :names
+          new_names = sources.all_sources.map(&:dependency_names_to_double_check)
+          return names = nil if new_names.compact!
+          names = new_names.flatten(1).concat(dependency_names)
+          names.uniq!
+          names -= pinned_names
+          names
+        end
+        sources.all_sources.each do |source|
+          source.double_check_for(unmet_dependency_names)
+        end
+      end
+    end
+  end
+end

data/lib/bundler/source_list.rb CHANGED Viewed

@@ -21,15 +21,20 @@ module Bundler
       @rubygems_sources       = []
       @metadata_source        = Source::Metadata.new
-      @disable_multisource = true
+      @merged_gem_lockfile_sections = false
     end
-    def disable_multisource?
-      @disable_multisource
+    def merged_gem_lockfile_sections?
+      @merged_gem_lockfile_sections
     end
-    def merged_gem_lockfile_sections!
-      @disable_multisource = false
+    def merged_gem_lockfile_sections!(replacement_source)
+      @merged_gem_lockfile_sections = true
+      @global_rubygems_source = replacement_source
+    end
+    def aggregate_global_source?
+      global_rubygems_source.multiple_remotes?
     end
     def add_path_source(options = {})
@@ -49,18 +54,17 @@ module Bundler
     end
     def add_rubygems_source(options = {})
-      add_source_to_list Source::Rubygems.new(options), @rubygems_sources
+      new_source = Source::Rubygems.new(options)
+      return @global_rubygems_source if @global_rubygems_source == new_source
+      add_source_to_list new_source, @rubygems_sources
     end
     def add_plugin_source(source, options = {})
       add_source_to_list Plugin.source(source).new(options), @plugin_sources
     end
-    def global_rubygems_source=(uri)
-      @global_rubygems_source ||= rubygems_aggregate_class.new("remotes" => uri, "allow_local" => true)
-    end
-    def add_rubygems_remote(uri)
+    def add_global_rubygems_remote(uri)
       global_rubygems_source.add_remote(uri)
       global_rubygems_source
     end
@@ -70,7 +74,11 @@ module Bundler
     end
     def rubygems_sources
-      @rubygems_sources + [global_rubygems_source]
+      non_global_rubygems_sources + [global_rubygems_source]
+    end
+    def non_global_rubygems_sources
+      @rubygems_sources
     end
     def rubygems_remotes
@@ -81,36 +89,50 @@ module Bundler
       path_sources + git_sources + plugin_sources + rubygems_sources + [metadata_source]
     end
+    def non_default_explicit_sources
+      all_sources - [default_source, metadata_source]
+    end
     def get(source)
       source_list_for(source).find {|s| equal_source?(source, s) || equivalent_source?(source, s) }
     end
     def lock_sources
-      lock_sources = (path_sources + git_sources + plugin_sources).sort_by(&:to_s)
-      if disable_multisource?
-        lock_sources + rubygems_sources.sort_by(&:to_s).uniq
+      lock_other_sources + lock_rubygems_sources
+    end
+    def lock_other_sources
+      (path_sources + git_sources + plugin_sources).sort_by(&:to_s)
+    end
+    def lock_rubygems_sources
+      if merged_gem_lockfile_sections?
+        [combine_rubygems_sources]
       else
-        lock_sources << combine_rubygems_sources
+        rubygems_sources.sort_by(&:to_s)
       end
     end
     # Returns true if there are changes
     def replace_sources!(replacement_sources)
-      return true if replacement_sources.empty?
+      return false if replacement_sources.empty?
-      [path_sources, git_sources, plugin_sources].each do |source_list|
-        source_list.map! do |source|
-          replacement_sources.find {|s| s == source } || source
-        end
-      end
+      @path_sources, @git_sources, @plugin_sources = map_sources(replacement_sources)
-      replacement_rubygems = !disable_multisource? &&
-        replacement_sources.detect {|s| s.is_a?(Source::Rubygems) }
-      @global_rubygems_source = replacement_rubygems if replacement_rubygems
+      different_sources?(lock_sources, replacement_sources)
+    end
+    # Returns true if there are changes
+    def expired_sources?(replacement_sources)
+      return false if replacement_sources.empty?
+      lock_sources = dup_with_replaced_sources(replacement_sources).lock_sources
-      return true if !equal_sources?(lock_sources, replacement_sources) && !equivalent_sources?(lock_sources, replacement_sources)
+      different_sources?(lock_sources, replacement_sources)
+    end
-      false
+    def local_only!
+      all_sources.each(&:local_only!)
     end
     def cached!
@@ -123,6 +145,24 @@ module Bundler
     private
+    def dup_with_replaced_sources(replacement_sources)
+      new_source_list = dup
+      new_source_list.replace_sources!(replacement_sources)
+      new_source_list
+    end
+    def map_sources(replacement_sources)
+      [path_sources, git_sources, plugin_sources].map do |sources|
+        sources.map do |source|
+          replacement_sources.find {|s| s == source } || source
+        end
+      end
+    end
+    def different_sources?(lock_sources, replacement_sources)
+      !equal_sources?(lock_sources, replacement_sources) && !equivalent_sources?(lock_sources, replacement_sources)
+    end
     def rubygems_aggregate_class
       Source::Rubygems
     end
@@ -162,6 +202,8 @@ module Bundler
     end
     def equal_source?(source, other_source)
+      return source.include?(other_source) if source.is_a?(Source::Rubygems) && other_source.is_a?(Source::Rubygems) && !merged_gem_lockfile_sections?
       source == other_source
     end

data/lib/bundler/source_map.rb ADDED Viewed

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+module Bundler
+  class SourceMap
+    attr_reader :sources, :dependencies
+    def initialize(sources, dependencies)
+      @sources = sources
+      @dependencies = dependencies
+    end
+    def pinned_spec_names(skip = nil)
+      direct_requirements.reject {|_, source| source == skip }.keys
+    end
+    def all_requirements
+      requirements = direct_requirements.dup
+      unmet_deps = sources.non_default_explicit_sources.map do |source|
+        (source.spec_names - pinned_spec_names).each do |indirect_dependency_name|
+          previous_source = requirements[indirect_dependency_name]
+          if previous_source.nil?
+            requirements[indirect_dependency_name] = source
+          else
+            no_ambiguous_sources = Bundler.feature_flag.bundler_3_mode?
+            msg = ["The gem '#{indirect_dependency_name}' was found in multiple relevant sources."]
+            msg.concat [previous_source, source].map {|s| "  * #{s}" }.sort
+            msg << "You #{no_ambiguous_sources ? :must : :should} add this gem to the source block for the source you wish it to be installed from."
+            msg = msg.join("\n")
+            raise SecurityError, msg if no_ambiguous_sources
+            Bundler.ui.warn "Warning: #{msg}"
+          end
+        end
+        source.unmet_deps
+      end
+      sources.default_source.add_dependency_names(unmet_deps.flatten - requirements.keys)
+      requirements
+    end
+    def direct_requirements
+      @direct_requirements ||= begin
+        requirements = {}
+        default = sources.default_source
+        dependencies.each do |dep|
+          dep_source = dep.source || default
+          dep_source.add_dependency_names(dep.name)
+          requirements[dep.name] = dep_source
+        end
+        requirements
+      end
+    end
+  end
+end