RubyGems - bundler - Versions diffs - 2.2.3 → 2.3.5 - Mend

bundler 2.2.3 → 2.3.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (183) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +503 -7
data/README.md +1 -1
data/bundler.gemspec +2 -3
data/exe/bundle +7 -8
data/lib/bundler/.document +1 -0
data/lib/bundler/build_metadata.rb +2 -2
data/lib/bundler/cli/cache.rb +2 -1
data/lib/bundler/cli/check.rb +4 -2
data/lib/bundler/cli/common.rb +15 -2
data/lib/bundler/cli/doctor.rb +15 -4
data/lib/bundler/cli/exec.rb +1 -6
data/lib/bundler/cli/gem.rb +132 -24
data/lib/bundler/cli/info.rb +16 -4
data/lib/bundler/cli/install.rb +12 -27
data/lib/bundler/cli/issue.rb +4 -3
data/lib/bundler/cli/list.rb +7 -1
data/lib/bundler/cli/lock.rb +5 -1
data/lib/bundler/cli/open.rb +1 -2
data/lib/bundler/cli/outdated.rb +10 -11
data/lib/bundler/cli/remove.rb +1 -2
data/lib/bundler/cli/update.rb +17 -8
data/lib/bundler/cli.rb +44 -60
data/lib/bundler/compact_index_client/cache.rb +0 -9
data/lib/bundler/compact_index_client/updater.rb +10 -19
data/lib/bundler/compact_index_client.rb +2 -8
data/lib/bundler/current_ruby.rb +5 -4
data/lib/bundler/definition.rb +158 -316
data/lib/bundler/dep_proxy.rb +15 -8
data/lib/bundler/dependency.rb +5 -7
data/lib/bundler/digest.rb +71 -0
data/lib/bundler/dsl.rb +67 -66
data/lib/bundler/endpoint_specification.rb +21 -11
data/lib/bundler/environment_preserver.rb +4 -1
data/lib/bundler/errors.rb +19 -3
data/lib/bundler/feature_flag.rb +0 -5
data/lib/bundler/fetcher/compact_index.rb +10 -15
data/lib/bundler/fetcher/downloader.rb +9 -6
data/lib/bundler/fetcher/index.rb +0 -27
data/lib/bundler/fetcher.rb +10 -17
data/lib/bundler/friendly_errors.rb +5 -32
data/lib/bundler/gem_helper.rb +28 -21
data/lib/bundler/gem_version_promoter.rb +2 -2
data/lib/bundler/index.rb +8 -12
data/lib/bundler/injector.rb +12 -3
data/lib/bundler/inline.rb +2 -1
data/lib/bundler/installer/gem_installer.rb +4 -22
data/lib/bundler/installer/parallel_installer.rb +36 -15
data/lib/bundler/installer/standalone.rb +29 -9
data/lib/bundler/installer.rb +8 -34
data/lib/bundler/lazy_specification.rb +32 -20
data/lib/bundler/lockfile_generator.rb +1 -1
data/lib/bundler/lockfile_parser.rb +16 -45
data/{man → lib/bundler/man}/bundle-add.1 +10 -2
data/lib/bundler/man/bundle-add.1.ronn +7 -1
data/{man → lib/bundler/man}/bundle-binstubs.1 +1 -1
data/{man → lib/bundler/man}/bundle-cache.1 +1 -1
data/{man → lib/bundler/man}/bundle-check.1 +1 -1
data/{man → lib/bundler/man}/bundle-clean.1 +1 -1
data/{man → lib/bundler/man}/bundle-config.1 +27 -19
data/lib/bundler/man/bundle-config.1.ronn +33 -25
data/{man → lib/bundler/man}/bundle-doctor.1 +1 -1
data/{man → lib/bundler/man}/bundle-exec.1 +1 -1
data/{man → lib/bundler/man}/bundle-gem.1 +14 -1
data/lib/bundler/man/bundle-gem.1.ronn +16 -0
data/{man → lib/bundler/man}/bundle-info.1 +1 -1
data/{man → lib/bundler/man}/bundle-init.1 +1 -1
data/{man → lib/bundler/man}/bundle-inject.1 +1 -1
data/{man → lib/bundler/man}/bundle-install.1 +2 -2
data/lib/bundler/man/bundle-install.1.ronn +2 -2
data/{man → lib/bundler/man}/bundle-list.1 +1 -1
data/{man → lib/bundler/man}/bundle-lock.1 +1 -1
data/{man → lib/bundler/man}/bundle-open.1 +1 -1
data/{man → lib/bundler/man}/bundle-outdated.1 +1 -1
data/{man → lib/bundler/man}/bundle-platform.1 +1 -1
data/{man → lib/bundler/man}/bundle-pristine.1 +1 -1
data/{man → lib/bundler/man}/bundle-remove.1 +1 -1
data/{man → lib/bundler/man}/bundle-show.1 +1 -1
data/{man → lib/bundler/man}/bundle-update.1 +5 -5
data/lib/bundler/man/bundle-update.1.ronn +5 -4
data/{man → lib/bundler/man}/bundle-viz.1 +1 -1
data/{man → lib/bundler/man}/bundle.1 +1 -1
data/{man → lib/bundler/man}/gemfile.5 +28 -2
data/lib/bundler/man/gemfile.5.ronn +9 -1
data/{man → lib/bundler/man}/index.txt +0 -0
data/lib/bundler/plugin/api/source.rb +22 -0
data/lib/bundler/plugin/index.rb +4 -1
data/lib/bundler/plugin/installer.rb +10 -10
data/lib/bundler/plugin/source_list.rb +4 -0
data/lib/bundler/plugin.rb +28 -8
data/lib/bundler/process_lock.rb +1 -1
data/lib/bundler/psyched_yaml.rb +1 -13
data/lib/bundler/resolver/spec_group.rb +36 -48
data/lib/bundler/resolver.rb +97 -151
data/lib/bundler/retry.rb +1 -1
data/lib/bundler/ruby_version.rb +1 -1
data/lib/bundler/rubygems_ext.rb +46 -8
data/lib/bundler/rubygems_gem_installer.rb +68 -1
data/lib/bundler/rubygems_integration.rb +43 -60
data/lib/bundler/runtime.rb +18 -11
data/lib/bundler/self_manager.rb +168 -0
data/lib/bundler/settings.rb +97 -21
data/lib/bundler/setup.rb +2 -2
data/lib/bundler/shared_helpers.rb +6 -21
data/lib/bundler/source/git/git_proxy.rb +60 -53
data/lib/bundler/source/git.rb +38 -18
data/lib/bundler/source/metadata.rb +1 -5
data/lib/bundler/source/path/installer.rb +3 -1
data/lib/bundler/source/path.rb +3 -1
data/lib/bundler/source/rubygems.rb +113 -100
data/lib/bundler/source/rubygems_aggregate.rb +68 -0
data/lib/bundler/source.rb +21 -0
data/lib/bundler/source_list.rb +100 -62
data/lib/bundler/source_map.rb +58 -0
data/lib/bundler/spec_set.rb +21 -34
data/lib/bundler/stub_specification.rb +8 -0
data/lib/bundler/templates/Executable.bundler +7 -7
data/lib/bundler/templates/Gemfile +0 -2
data/lib/bundler/templates/gems.rb +0 -3
data/lib/bundler/templates/newgem/CHANGELOG.md.tt +5 -0
data/lib/bundler/templates/newgem/Gemfile.tt +5 -2
data/lib/bundler/templates/newgem/README.md.tt +5 -3
data/lib/bundler/templates/newgem/Rakefile.tt +15 -2
data/lib/bundler/templates/newgem/github/workflows/main.yml.tt +15 -6
data/lib/bundler/templates/newgem/newgem.gemspec.tt +18 -16
data/lib/bundler/templates/newgem/rubocop.yml.tt +3 -0
data/lib/bundler/templates/newgem/sig/newgem.rbs.tt +8 -0
data/lib/bundler/templates/newgem/standard.yml.tt +2 -0
data/lib/bundler/templates/newgem/test/minitest/{newgem_test.rb.tt → test_newgem.rb.tt} +1 -1
data/lib/bundler/ui/shell.rb +1 -1
data/lib/bundler/vendor/.document +1 -0
data/lib/bundler/vendor/connection_pool/LICENSE +20 -0
data/lib/bundler/vendor/connection_pool/lib/connection_pool/timed_stack.rb +19 -21
data/lib/bundler/vendor/connection_pool/lib/connection_pool/version.rb +1 -1
data/lib/bundler/vendor/connection_pool/lib/connection_pool/wrapper.rb +57 -0
data/lib/bundler/vendor/connection_pool/lib/connection_pool.rb +39 -74
data/lib/bundler/vendor/fileutils/LICENSE.txt +22 -0
data/lib/bundler/vendor/molinillo/LICENSE +9 -0
data/lib/bundler/vendor/molinillo/lib/molinillo/delegates/specification_provider.rb +7 -0
data/lib/bundler/vendor/molinillo/lib/molinillo/dependency_graph/vertex.rb +11 -5
data/lib/bundler/vendor/molinillo/lib/molinillo/dependency_graph.rb +2 -3
data/lib/bundler/vendor/molinillo/lib/molinillo/errors.rb +2 -2
data/lib/bundler/vendor/molinillo/lib/molinillo/modules/specification_provider.rb +12 -1
data/lib/bundler/vendor/molinillo/lib/molinillo/resolution.rb +11 -7
data/lib/bundler/vendor/net-http-persistent/README.rdoc +82 -0
data/lib/bundler/vendor/thor/LICENSE.md +20 -0
data/lib/bundler/vendor/thor/lib/thor/actions/file_manipulation.rb +9 -7
data/lib/bundler/vendor/thor/lib/thor/actions/inject_into_file.rb +1 -2
data/lib/bundler/vendor/thor/lib/thor/actions.rb +7 -3
data/lib/bundler/vendor/thor/lib/thor/core_ext/hash_with_indifferent_access.rb +6 -0
data/lib/bundler/vendor/thor/lib/thor/error.rb +10 -5
data/lib/bundler/vendor/thor/lib/thor/parser/arguments.rb +5 -1
data/lib/bundler/vendor/thor/lib/thor/parser/options.rb +28 -9
data/lib/bundler/vendor/thor/lib/thor/shell/basic.rb +27 -6
data/lib/bundler/vendor/thor/lib/thor/shell/color.rb +5 -1
data/lib/bundler/vendor/thor/lib/thor/shell.rb +1 -1
data/lib/bundler/vendor/thor/lib/thor/util.rb +1 -1
data/lib/bundler/vendor/thor/lib/thor/version.rb +1 -1
data/lib/bundler/vendor/thor/lib/thor.rb +5 -6
data/lib/bundler/vendor/tmpdir/lib/tmpdir.rb +1 -1
data/lib/bundler/vendor/tsort/LICENSE.txt +22 -0
data/lib/bundler/vendor/tsort/lib/tsort.rb +453 -0
data/lib/bundler/vendor/uri/LICENSE.txt +22 -0
data/lib/bundler/vendor/uri/lib/uri/common.rb +17 -80
data/lib/bundler/vendor/uri/lib/uri/ftp.rb +0 -1
data/lib/bundler/vendor/uri/lib/uri/generic.rb +5 -6
data/lib/bundler/vendor/uri/lib/uri/http.rb +0 -1
data/lib/bundler/vendor/uri/lib/uri/https.rb +0 -1
data/lib/bundler/vendor/uri/lib/uri/ldap.rb +1 -1
data/lib/bundler/vendor/uri/lib/uri/mailto.rb +0 -1
data/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb +1 -14
data/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb +1 -12
data/lib/bundler/vendor/uri/lib/uri/version.rb +1 -1
data/lib/bundler/vendor/uri/lib/uri/ws.rb +84 -0
data/lib/bundler/vendor/uri/lib/uri/wss.rb +22 -0
data/lib/bundler/vendor/uri/lib/uri.rb +0 -1
data/lib/bundler/vendored_tsort.rb +4 -0
data/lib/bundler/version.rb +1 -1
data/lib/bundler/worker.rb +19 -4
data/lib/bundler.rb +29 -33
metadata +54 -35
data/lib/bundler/gemdeps.rb +0 -29
data/lib/bundler/vendor/connection_pool/lib/connection_pool/monotonic_time.rb +0 -66

data/lib/bundler/definition.rb CHANGED Viewed

@@ -1,12 +1,16 @@
 # frozen_string_literal: true
 require_relative "lockfile_parser"
-require "set"
 module Bundler
   class Definition
     include GemHelpers
+    class << self
+      # Do not create or modify a lockfile (Makes #lock a noop)
+      attr_accessor :no_lock
+    end
     attr_reader(
       :dependencies,
       :locked_deps,
@@ -57,10 +61,8 @@ module Bundler
         @unlocking_bundler = false
         @unlocking = unlock
       else
-        unlock = unlock.dup
         @unlocking_bundler = unlock.delete(:bundler)
-        unlock.delete_if {|_k, v| Array(v).empty? }
-        @unlocking = !unlock.empty?
+        @unlocking = unlock.any? {|_k, v| !Array(v).empty? }
       end
       @dependencies    = dependencies
@@ -76,18 +78,13 @@ module Bundler
       @lockfile_contents      = String.new
       @locked_bundler_version = nil
       @locked_ruby_version    = nil
-      @locked_specs_incomplete_for_platform = false
       @new_platform = nil
       if lockfile && File.exist?(lockfile)
         @lockfile_contents = Bundler.read_file(lockfile)
         @locked_gems = LockfileParser.new(@lockfile_contents)
         @locked_platforms = @locked_gems.platforms
-        if Bundler.settings[:force_ruby_platform]
-          @platforms = [Gem::Platform::RUBY]
-        else
-          @platforms = @locked_platforms.dup
-        end
+        @platforms = @locked_platforms.dup
         @locked_bundler_version = @locked_gems.bundler_version
         @locked_ruby_version = @locked_gems.ruby_version
@@ -111,7 +108,19 @@ module Bundler
         @locked_platforms = []
       end
-      @unlock[:gems] ||= []
+      locked_gem_sources = @locked_sources.select {|s| s.is_a?(Source::Rubygems) }
+      @multisource_allowed = locked_gem_sources.size == 1 && locked_gem_sources.first.multiple_remotes? && Bundler.frozen_bundle?
+      if @multisource_allowed
+        unless sources.aggregate_global_source?
+          msg = "Your lockfile contains a single rubygems source section with multiple remotes, which is insecure. Make sure you run `bundle install` in non frozen mode and commit the result to make your lockfile secure."
+          Bundler::SharedHelpers.major_deprecation 2, msg
+        end
+        @sources.merged_gem_lockfile_sections!(locked_gem_sources.first)
+      end
       @unlock[:sources] ||= []
       @unlock[:ruby] ||= if @ruby_version && locked_ruby_version_object
         @ruby_version.diff(locked_ruby_version_object)
@@ -124,14 +133,18 @@ module Bundler
       @path_changes = converge_paths
       @source_changes = converge_sources
-      unless @unlock[:lock_shared_dependencies]
-        eager_unlock = expand_dependencies(@unlock[:gems], true)
-        @unlock[:gems] = @locked_specs.for(eager_unlock, [], false, false, false).map(&:name)
+      if @unlock[:conservative]
+        @unlock[:gems] ||= @dependencies.map(&:name)
+      else
+        eager_unlock = expand_dependencies(@unlock[:gems] || [], true)
+        @unlock[:gems] = @locked_specs.for(eager_unlock, false, false).map(&:name)
       end
       @dependency_changes = converge_dependencies
       @local_changes = converge_locals
+      @locked_specs_incomplete_for_platform = !@locked_specs.for(requested_dependencies & expand_dependencies(locked_dependencies), true, true)
       @requires = compute_requires
     end
@@ -150,17 +163,21 @@ module Bundler
       end
     end
+    def resolve_only_locally!
+      @remote = false
+      sources.local_only!
+      resolve
+    end
     def resolve_with_cache!
-      raise "Specs already loaded" if @specs
       sources.cached!
-      specs
+      resolve
     end
     def resolve_remotely!
-      return if @specs
       @remote = true
       sources.remote!
-      specs
+      resolve
     end
     # For given dependency list returns a SpecSet with Gemspec of all the required
@@ -170,25 +187,7 @@ module Bundler
     #
     # @return [Bundler::SpecSet]
     def specs
-      @specs ||= begin
-        begin
-          specs = resolve.materialize(requested_dependencies)
-        rescue GemNotFound => e # Handle yanked gem
-          gem_name, gem_version = extract_gem_info(e)
-          locked_gem = @locked_specs[gem_name].last
-          raise if locked_gem.nil? || locked_gem.version.to_s != gem_version || !@remote
-          raise GemNotFound, "Your bundle is locked to #{locked_gem}, but that version could not " \
-                             "be found in any of the sources listed in your Gemfile. If you haven't changed sources, " \
-                             "that means the author of #{locked_gem} has removed it. You'll need to update your bundle " \
-                             "to a version other than #{locked_gem} that hasn't been removed in order to install."
-        end
-        unless specs["bundler"].any?
-          bundler = sources.metadata_source.specs.search(Gem::Dependency.new("bundler", VERSION)).last
-          specs["bundler"] = bundler
-        end
-        specs
-      end
+      @specs ||= materialize(requested_dependencies)
     end
     def new_specs
@@ -200,9 +199,7 @@ module Bundler
     end
     def missing_specs
-      missing = []
-      resolve.materialize(requested_dependencies, missing)
-      missing
+      resolve.materialize(requested_dependencies).missing_specs
     end
     def missing_specs?
@@ -211,7 +208,6 @@ module Bundler
       Bundler.ui.debug "The definition is missing #{missing.map(&:full_name)}"
       true
     rescue BundlerError => e
-      @index = nil
       @resolve = nil
       @specs = nil
       @gem_version_promoter = nil
@@ -221,17 +217,11 @@ module Bundler
     end
     def requested_specs
-      @requested_specs ||= begin
-        groups = requested_groups
-        groups.map!(&:to_sym)
-        specs_for(groups)
-      end
+      specs_for(requested_groups)
     end
     def requested_dependencies
-      groups = requested_groups
-      groups.map!(&:to_sym)
-      dependencies_for(groups)
+      dependencies_for(requested_groups)
     end
     def current_dependencies
@@ -240,15 +230,22 @@ module Bundler
       end
     end
+    def locked_dependencies
+      @locked_deps.values
+    end
     def specs_for(groups)
+      return specs if groups.empty?
       deps = dependencies_for(groups)
-      specs.for(expand_dependencies(deps))
+      materialize(deps)
     end
     def dependencies_for(groups)
-      current_dependencies.reject do |d|
+      groups.map!(&:to_sym)
+      deps = current_dependencies.reject do |d|
         (d.groups & groups).empty?
       end
+      expand_dependencies(deps)
     end
     # Resolve all the dependencies specified in Gemfile. It ensures that
@@ -259,73 +256,20 @@ module Bundler
     def resolve
       @resolve ||= begin
         last_resolve = converge_locked_specs
-        resolve =
-          if Bundler.frozen_bundle?
-            Bundler.ui.debug "Frozen, using resolution from the lockfile"
-            last_resolve
-          elsif !unlocking? && nothing_changed?
-            Bundler.ui.debug("Found no changes, using resolution from the lockfile")
-            last_resolve
-          else
-            # Run a resolve against the locally available gems
-            Bundler.ui.debug("Found changes from the lockfile, re-resolving dependencies because #{change_reason}")
-            expanded_dependencies = expand_dependencies(dependencies + metadata_dependencies, @remote)
-            last_resolve.merge Resolver.resolve(expanded_dependencies, index, source_requirements, last_resolve, gem_version_promoter, additional_base_requirements_for_resolve, platforms)
-          end
-        # filter out gems that _can_ be installed on multiple platforms, but don't need
-        # to be
-        resolve.for(expand_dependencies(dependencies, true), [], false, false, false)
-      end
-    end
-    def index
-      @index ||= Index.build do |idx|
-        dependency_names = @dependencies.map(&:name)
-        sources.all_sources.each do |source|
-          source.dependency_names = dependency_names - pinned_spec_names(source)
-          idx.add_source source.specs
-          dependency_names.concat(source.unmet_deps).uniq!
-        end
-        double_check_for_index(idx, dependency_names)
-      end
-    end
-    # Suppose the gem Foo depends on the gem Bar.  Foo exists in Source A.  Bar has some versions that exist in both
-    # sources A and B.  At this point, the API request will have found all the versions of Bar in source A,
-    # but will not have found any versions of Bar from source B, which is a problem if the requested version
-    # of Foo specifically depends on a version of Bar that is only found in source B. This ensures that for
-    # each spec we found, we add all possible versions from all sources to the index.
-    def double_check_for_index(idx, dependency_names)
-      pinned_names = pinned_spec_names
-      loop do
-        idxcount = idx.size
-        names = :names # do this so we only have to traverse to get dependency_names from the index once
-        unmet_dependency_names = lambda do
-          return names unless names == :names
-          new_names = sources.all_sources.map(&:dependency_names_to_double_check)
-          return names = nil if new_names.compact!
-          names = new_names.flatten(1).concat(dependency_names)
-          names.uniq!
-          names -= pinned_names
-          names
-        end
-        sources.all_sources.each do |source|
-          source.double_check_for(unmet_dependency_names)
+        if Bundler.frozen_bundle?
+          Bundler.ui.debug "Frozen, using resolution from the lockfile"
+          last_resolve
+        elsif !unlocking? && nothing_changed?
+          Bundler.ui.debug("Found no changes, using resolution from the lockfile")
+          last_resolve
+        else
+          # Run a resolve against the locally available gems
+          Bundler.ui.debug("Found changes from the lockfile, re-resolving dependencies because #{change_reason}")
+          expanded_dependencies = expand_dependencies(dependencies + metadata_dependencies, @remote)
+          Resolver.resolve(expanded_dependencies, source_requirements, last_resolve, gem_version_promoter, additional_base_requirements_for_resolve, platforms)
         end
-        break if idxcount == idx.size
       end
     end
-    private :double_check_for_index
-    def has_rubygems_remotes?
-      sources.rubygems_sources.any? {|s| s.remotes.any? }
-    end
     def spec_git_paths
       sources.git_sources.map {|s| File.realpath(s.path) if File.exist?(s.path) }.compact
@@ -336,6 +280,8 @@ module Bundler
     end
     def lock(file, preserve_unknown_sections = false)
+      return if Definition.no_lock
       contents = to_lock
       # Convert to \r\n if the existing lock has them
@@ -346,10 +292,7 @@ module Bundler
         locked_major = @locked_bundler_version.segments.first
         current_major = Gem::Version.create(Bundler::VERSION).segments.first
-        if updating_major = locked_major < current_major
-          Bundler.ui.warn "Warning: the lockfile is being updated to Bundler #{current_major}, " \
-                          "after which you will be unable to return to Bundler #{@locked_bundler_version.segments.first}."
-        end
+        updating_major = locked_major < current_major
       end
       preserve_unknown_sections ||= !updating_major && (Bundler.frozen_bundle? || !(unlocking? || @unlocking_bundler))
@@ -366,14 +309,6 @@ module Bundler
       end
     end
-    def locked_bundler_version
-      if @locked_bundler_version && @locked_bundler_version < Gem::Version.new(Bundler::VERSION)
-        new_version = Bundler::VERSION
-      end
-      new_version || @locked_bundler_version || Bundler::VERSION
-    end
     def locked_ruby_version
       return unless ruby_version
       if @unlock[:ruby] || !@locked_ruby_version
@@ -425,44 +360,31 @@ module Bundler
       added.concat new_platforms.map {|p| "* platform: #{p}" }
       deleted.concat deleted_platforms.map {|p| "* platform: #{p}" }
-      gemfile_sources = sources.lock_sources
+      new_deps = @dependencies - locked_dependencies
+      deleted_deps = locked_dependencies - @dependencies
-      new_sources = gemfile_sources - @locked_sources
-      deleted_sources = @locked_sources - gemfile_sources
-      new_deps = @dependencies - @locked_deps.values
-      deleted_deps = @locked_deps.values - @dependencies
+      added.concat new_deps.map {|d| "* #{pretty_dep(d)}" } if new_deps.any?
+      deleted.concat deleted_deps.map {|d| "* #{pretty_dep(d)}" } if deleted_deps.any?
-      # Check if it is possible that the source is only changed thing
-      if (new_deps.empty? && deleted_deps.empty?) && (!new_sources.empty? && !deleted_sources.empty?)
-        new_sources.reject! {|source| (source.path? && source.path.exist?) || equivalent_rubygems_remotes?(source) }
-        deleted_sources.reject! {|source| (source.path? && source.path.exist?) || equivalent_rubygems_remotes?(source) }
-      end
+      both_sources = Hash.new {|h, k| h[k] = [] }
+      @dependencies.each {|d| both_sources[d.name][0] = d }
-      if @locked_sources != gemfile_sources
-        if new_sources.any?
-          added.concat new_sources.map {|source| "* source: #{source}" }
-        end
+      locked_dependencies.each do |d|
+        next if !Bundler.feature_flag.bundler_3_mode? && @locked_specs[d.name].empty?
-        if deleted_sources.any?
-          deleted.concat deleted_sources.map {|source| "* source: #{source}" }
-        end
+        both_sources[d.name][1] = d
       end
-      added.concat new_deps.map {|d| "* #{pretty_dep(d)}" } if new_deps.any?
-      if deleted_deps.any?
-        deleted.concat deleted_deps.map {|d| "* #{pretty_dep(d)}" }
-      end
+      both_sources.each do |name, (dep, lock_dep)|
+        next if dep.nil? || lock_dep.nil?
-      both_sources = Hash.new {|h, k| h[k] = [] }
-      @dependencies.each {|d| both_sources[d.name][0] = d }
-      @locked_deps.each  {|name, d| both_sources[name][1] = d.source }
+        gemfile_source = dep.source || sources.default_source
+        lock_source = lock_dep.source || sources.default_source
+        next if lock_source.include?(gemfile_source)
-      both_sources.each do |name, (dep, lock_source)|
-        next if lock_source.nil? || (dep && lock_source.can_lock?(dep))
-        gemfile_source_name = (dep && dep.source) || "no specified source"
-        lockfile_source_name = lock_source
-        changed << "* #{name} from `#{gemfile_source_name}` to `#{lockfile_source_name}`"
+        gemfile_source_name = dep.source ? gemfile_source.identifier : "no specified source"
+        lockfile_source_name = lock_dep.source ? lock_source.identifier : "no specified source"
+        changed << "* #{name} from `#{lockfile_source_name}` to `#{gemfile_source_name}`"
       end
       reason = change_reason
@@ -529,14 +451,6 @@ module Bundler
       end
     end
-    def find_resolved_spec(current_spec)
-      specs.find_by_name_and_platform(current_spec.name, current_spec.platform)
-    end
-    def find_indexed_specs(current_spec)
-      index[current_spec.name].select {|spec| spec.match_platform(current_spec.platform) }.sort_by(&:version)
-    end
     attr_reader :sources
     private :sources
@@ -550,6 +464,35 @@ module Bundler
     private
+    def materialize(dependencies)
+      specs = resolve.materialize(dependencies)
+      missing_specs = specs.missing_specs
+      if missing_specs.any?
+        missing_specs.each do |s|
+          locked_gem = @locked_specs[s.name].last
+          next if locked_gem.nil? || locked_gem.version != s.version || !@remote
+          raise GemNotFound, "Your bundle is locked to #{locked_gem} from #{locked_gem.source}, but that version can " \
+                             "no longer be found in that source. That means the author of #{locked_gem} has removed it. " \
+                             "You'll need to update your bundle to a version other than #{locked_gem} that hasn't been " \
+                             "removed in order to install."
+        end
+        raise GemNotFound, "Could not find #{missing_specs.map(&:full_name).join(", ")} in any of the sources"
+      end
+      unless specs["bundler"].any?
+        bundler = sources.metadata_source.specs.search(Gem::Dependency.new("bundler", VERSION)).last
+        specs["bundler"] = bundler
+      end
+      specs
+    end
+    def precompute_source_requirements_for_indirect_dependencies?
+      @remote && sources.non_global_rubygems_sources.all?(&:dependency_api_available?) && !sources.aggregate_global_source?
+    end
     def current_ruby_platform_locked?
       return false unless generic_local_platform == Gem::Platform::RUBY
@@ -602,9 +545,9 @@ module Bundler
     def dependencies_for_source_changed?(source, locked_source = source)
       deps_for_source = @dependencies.select {|s| s.source == source }
-      locked_deps_for_source = @locked_deps.values.select {|dep| dep.source == locked_source }
+      locked_deps_for_source = locked_dependencies.select {|dep| dep.source == locked_source }
-      Set.new(deps_for_source) != Set.new(locked_deps_for_source)
+      deps_for_source.uniq.sort != locked_deps_for_source.sort
     end
     def specs_for_source_changed?(source)
@@ -663,36 +606,11 @@ module Bundler
       end
     end
-    def converge_rubygems_sources
-      return false if Bundler.feature_flag.disable_multisource?
-      changes = false
-      # Get the RubyGems sources from the Gemfile.lock
-      locked_gem_sources = @locked_sources.select {|s| s.is_a?(Source::Rubygems) }
-      # Get the RubyGems remotes from the Gemfile
-      actual_remotes = sources.rubygems_remotes
-      # If there is a RubyGems source in both
-      if !locked_gem_sources.empty? && !actual_remotes.empty?
-        locked_gem_sources.each do |locked_gem|
-          # Merge the remotes from the Gemfile into the Gemfile.lock
-          changes |= locked_gem.replace_remotes(actual_remotes, Bundler.settings[:allow_deployment_source_credential_changes])
-        end
-      end
-      changes
-    end
     def converge_sources
-      changes = false
-      changes |= converge_rubygems_sources
       # Replace the sources from the Gemfile with the sources from the Gemfile.lock,
       # if they exist in the Gemfile.lock and are `==`. If you can't find an equivalent
       # source in the Gemfile.lock, use the one from the Gemfile.
-      changes |= sources.replace_sources!(@locked_sources)
+      changes = sources.replace_sources!(@locked_sources)
       sources.all_sources.each do |source|
         # If the source is unlockable and the current command allows an unlock of
@@ -710,25 +628,14 @@ module Bundler
     end
     def converge_dependencies
-      frozen = Bundler.frozen_bundle?
-      (@dependencies + @locked_deps.values).each do |dep|
-        locked_source = @locked_deps[dep.name]
-        # This is to make sure that if bundler is installing in deployment mode and
-        # after locked_source and sources don't match, we still use locked_source.
-        if frozen && !locked_source.nil? &&
-            locked_source.respond_to?(:source) && locked_source.source.instance_of?(Source::Path) && locked_source.source.path.exist?
-          dep.source = locked_source.source
-        elsif dep.source
+      changes = false
+      @dependencies.each do |dep|
+        if dep.source
           dep.source = sources.get(dep.source)
         end
-      end
-      changes = false
-      # We want to know if all match, but don't want to check all entries
-      # This means we need to return false if any dependency doesn't match
-      # the lock or doesn't exist in the lock.
-      @dependencies.each do |dependency|
-        unless locked_dep = @locked_deps[dependency.name]
+        unless locked_dep = @locked_deps[dep.name]
           changes = true
           next
         end
@@ -739,11 +646,11 @@ module Bundler
         # directive, the lockfile dependencies and resolved dependencies end up
         # with a mismatch on #type. Work around that by setting the type on the
         # dep from the lockfile.
-        locked_dep.instance_variable_set(:@type, dependency.type)
+        locked_dep.instance_variable_set(:@type, dep.type)
         # We already know the name matches from the hash lookup
         # so we only need to check the requirement now
-        changes ||= dependency.requirement != locked_dep.requirement
+        changes ||= dep.requirement != locked_dep.requirement
       end
       changes
@@ -753,47 +660,37 @@ module Bundler
     # commonly happen if the Gemfile has changed since the lockfile was last
     # generated
     def converge_locked_specs
-      deps = []
+      resolve = converge_specs(@locked_specs)
-      # Build a list of dependencies that are the same in the Gemfile
-      # and Gemfile.lock. If the Gemfile modified a dependency, but
-      # the gem in the Gemfile.lock still satisfies it, this is fine
-      # too.
-      @dependencies.each do |dep|
-        locked_dep = @locked_deps[dep.name]
-        # If the locked_dep doesn't match the dependency we're looking for then we ignore the locked_dep
-        locked_dep = nil unless locked_dep == dep
+      diff = nil
-        if in_locked_deps?(dep, locked_dep) || satisfies_locked_spec?(dep)
-          deps << dep
-        elsif dep.source.is_a?(Source::Path) && dep.current_platform? && (!locked_dep || dep.source != locked_dep.source)
-          @locked_specs.each do |s|
-            @unlock[:gems] << s.name if s.source == dep.source
-          end
+      # Now, we unlock any sources that do not have anymore gems pinned to it
+      sources.all_sources.each do |source|
+        next unless source.respond_to?(:unlock!)
-          dep.source.unlock! if dep.source.respond_to?(:unlock!)
-          dep.source.specs.each {|s| @unlock[:gems] << s.name }
+        unless resolve.any? {|s| s.source == source }
+          diff ||= @locked_specs.to_a - resolve.to_a
+          source.unlock! if diff.any? {|s| s.source == source }
         end
       end
-      unlock_source_unlocks_spec = Bundler.feature_flag.unlock_source_unlocks_spec?
+      resolve
+    end
+    def converge_specs(specs)
+      deps = []
       converged = []
-      @locked_specs.each do |s|
+      specs.each do |s|
         # Replace the locked dependency's source with the equivalent source from the Gemfile
         dep = @dependencies.find {|d| s.satisfies?(d) }
-        s.source = (dep && dep.source) || sources.get(s.source)
-        # Don't add a spec to the list if its source is expired. For example,
-        # if you change a Git gem to RubyGems.
-        next if s.source.nil?
-        next if @unlock[:sources].include?(s.source.name)
+        if dep && (!dep.source || s.source.include?(dep.source))
+          deps << dep
+        end
-        # XXX This is a backwards-compatibility fix to preserve the ability to
-        # unlock a single gem by passing its name via `--source`. See issue #3759
-        # TODO: delete in Bundler 2
-        next if unlock_source_unlocks_spec && @unlock[:sources].include?(s.name)
+        s.source = (dep && dep.source) || sources.get(s.source) || sources.default_source unless Bundler.frozen_bundle?
+        next if @unlock[:sources].include?(s.source.name)
         # If the spec is from a path source and it doesn't exist anymore
         # then we unlock it.
@@ -805,8 +702,8 @@ module Bundler
           rescue PathError, GitError
             # if we won't need the source (according to the lockfile),
             # don't error if the path/git source isn't available
-            next if @locked_specs.
-                    for(requested_dependencies, [], false, true, false).
+            next if specs.
+                    for(requested_dependencies, false, true).
                     none? {|locked_spec| locked_spec.source == s.source }
             raise
@@ -818,44 +715,18 @@ module Bundler
           # commonly happens if the version changed in the gemspec
           next unless new_spec
-          new_runtime_deps = new_spec.dependencies.select {|d| d.type != :development }
-          old_runtime_deps = s.dependencies.select {|d| d.type != :development }
-          # If the dependencies of the path source have changed and locked spec can't satisfy new dependencies, unlock it
-          next unless new_runtime_deps.sort == old_runtime_deps.sort || new_runtime_deps.all? {|d| satisfies_locked_spec?(d) }
           s.dependencies.replace(new_spec.dependencies)
         end
-        converged << s
-      end
-      resolve = SpecSet.new(converged)
-      @locked_specs_incomplete_for_platform = !resolve.for(expand_dependencies(requested_dependencies & deps), @unlock[:gems], true, true)
-      resolve = resolve.for(expand_dependencies(deps, true), @unlock[:gems], false, false, false)
-      diff    = nil
-      # Now, we unlock any sources that do not have anymore gems pinned to it
-      sources.all_sources.each do |source|
-        next unless source.respond_to?(:unlock!)
-        unless resolve.any? {|s| s.source == source }
-          diff ||= @locked_specs.to_a - resolve.to_a
-          source.unlock! if diff.any? {|s| s.source == source }
+        if dep.nil? && requested_dependencies.find {|d| s.name == d.name }
+          @unlock[:gems] << s.name
+        else
+          converged << s
         end
       end
-      resolve
-    end
-    def in_locked_deps?(dep, locked_dep)
-      # Because the lockfile can't link a dep to a specific remote, we need to
-      # treat sources as equivalent anytime the locked dep has all the remotes
-      # that the Gemfile dep does.
-      locked_dep && locked_dep.source && dep.source && locked_dep.source.include?(dep.source)
-    end
-    def satisfies_locked_spec?(dep)
-      @locked_specs[dep].any? {|s| s.satisfies?(dep) && (!dep.source || s.source.include?(dep.source)) }
+      resolve = SpecSet.new(converged)
+      SpecSet.new(resolve.for(expand_dependencies(deps, true), false, false).reject{|s| @unlock[:gems].include?(s.name) })
     end
     def metadata_dependencies
@@ -889,7 +760,7 @@ module Bundler
       dependencies.each do |dep|
         dep = Dependency.new(dep, ">= 0") unless dep.respond_to?(:name)
         next unless remote || dep.current_platform?
-        target_platforms = dep.gem_platforms(remote ? Resolver.sort_platforms(@platforms) : [generic_local_platform])
+        target_platforms = dep.gem_platforms(remote ? @platforms : [generic_local_platform])
         deps += expand_dependency_with_platforms(dep, target_platforms)
       end
       deps
@@ -897,42 +768,27 @@ module Bundler
     def expand_dependency_with_platforms(dep, platforms)
       platforms.map do |p|
-        DepProxy.new(dep, p)
+        DepProxy.get_proxy(dep, p)
       end
     end
     def source_requirements
-      # Load all specs from remote sources
-      index
       # Record the specs available in each gem's source, so that those
       # specs will be available later when the resolver knows where to
       # look for that gemspec (or its dependencies)
-      default = sources.default_source
-      source_requirements = { :default => default }
-      default = nil unless Bundler.feature_flag.disable_multisource?
-      dependencies.each do |dep|
-        next unless source = dep.source || default
-        source_requirements[dep.name] = source
+      source_requirements = if precompute_source_requirements_for_indirect_dependencies?
+        { :default => sources.default_source }.merge(source_map.all_requirements)
+      else
+        { :default => Source::RubygemsAggregate.new(sources, source_map) }.merge(source_map.direct_requirements)
       end
       metadata_dependencies.each do |dep|
         source_requirements[dep.name] = sources.metadata_source
       end
+      source_requirements[:default_bundler] = source_requirements["bundler"] || sources.default_source
       source_requirements["bundler"] = sources.metadata_source # needs to come last to override
       source_requirements
     end
-    def pinned_spec_names(skip = nil)
-      pinned_names = []
-      default = Bundler.feature_flag.disable_multisource? && sources.default_source
-      @dependencies.each do |dep|
-        next unless dep_source = dep.source || default
-        next if dep_source == skip
-        pinned_names << dep.name
-      end
-      pinned_names
-    end
     def requested_groups
       groups - Bundler.settings[:without] - @optional_groups + Bundler.settings[:with]
     end
@@ -950,12 +806,6 @@ module Bundler
       current == proposed
     end
-    def extract_gem_info(error)
-      # This method will extract the error message like "Could not find foo-1.2.3 in any of the sources"
-      # to an array. The first element will be the gem name (e.g. foo), the second will be the version number.
-      error.message.scan(/Could not find (\w+)-(\d+(?:\.\d+)+)/).flatten
-    end
     def compute_requires
       dependencies.reduce({}) do |requires, dep|
         next requires unless dep.should_include?
@@ -968,24 +818,16 @@ module Bundler
     end
     def additional_base_requirements_for_resolve
-      return [] unless @locked_gems && Bundler.feature_flag.only_update_to_newer_versions?
-      dependencies_by_name = dependencies.inject({}) {|memo, dep| memo.update(dep.name => dep) }
-      @locked_gems.specs.reduce({}) do |requirements, locked_spec|
+      return [] unless @locked_gems && unlocking? && !sources.expired_sources?(@locked_gems.sources)
+      converge_specs(@locked_gems.specs).map do |locked_spec|
         name = locked_spec.name
-        dependency = dependencies_by_name[name]
-        next requirements unless dependency
-        next requirements if @locked_gems.dependencies[name] != dependency
-        next requirements if dependency.source.is_a?(Source::Path)
         dep = Gem::Dependency.new(name, ">= #{locked_spec.version}")
-        requirements[name] = DepProxy.new(dep, locked_spec.platform)
-        requirements
-      end.values
+        DepProxy.get_proxy(dep, locked_spec.platform)
+      end
     end
-    def equivalent_rubygems_remotes?(source)
-      return false unless source.is_a?(Source::Rubygems)
-      Bundler.settings[:allow_deployment_source_credential_changes] && source.equivalent_remotes?(sources.rubygems_remotes)
+    def source_map
+      @source_map ||= SourceMap.new(sources, dependencies)
     end
   end
 end