bundler 2.4.19 → 2.4.20

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a9e1ac32a1ea746c717048bdfc433edc9d61cd2184f6d07b24e6addb565c1693
-  data.tar.gz: 95ab89a536022f9c642dd02683640819134441441dd0c4ae7b1cb0e9dd561a68
+  metadata.gz: 6276990d50143a594e7e8625034add1d1168df511587dd82c74f7b93a7e66bdc
+  data.tar.gz: cca71ac6a7840814e8a7178ca795ed379684658b25c320e8bb67f2c022d3f2e8
 SHA512:
-  metadata.gz: 1cda1a2dfbdf88aaf7627304dc8fc740d3e4343b6d4f0e97a6473dc168b3b78c1128973251625beeee479a0418c25972f7dedb0cbcc9e107666fcdad32c991c8
-  data.tar.gz: e4589afe5650d8a937a2c56196221db8ce72d8cb91539ca0fceb9ad742d542ab4415b5253e6ffa3c8b03ccaac3dc6e8fe3b25d61cb17cd9155cc50d16dc44d4c
+  metadata.gz: 5162fc140937170d6c3a58e7f9097cbffbcda5fa8edc96a22a14fa5c1ed548cebb8d45fc9ae9901078f4dd1ff99e6f9892f832c2b6a1f598cd34f5163e80b282
+  data.tar.gz: 0aea59def565fa9dc8172659891fe2e6ce7b20a033f5197e1679536c91d1102a170a3784d7a05da0255662d6d342b2d1972a437fcad919756f50321b0a6801df

data/CHANGELOG.md

@@ -1,3 +1,32 @@
+# 2.4.20 (September 27, 2023)
+
+## Enhancements:
+
+  - Bump actions/checkout to v4 in bundler gem template [#6966](https://github.com/rubygems/rubygems/pull/6966)
+  - Add support for the `ruby-3.2.2` format in the `ruby file:` Gemfile directive, and explicitly test the `3.2.2@gemset` format as rejected [#6954](https://github.com/rubygems/rubygems/pull/6954)
+  - Support `ruby file: ".tool-versions"` in Gemfile [#6898](https://github.com/rubygems/rubygems/pull/6898)
+  - Unify LockfileParser loading of SPECS section [#6933](https://github.com/rubygems/rubygems/pull/6933)
+  - Only check circular deps when dependency api is available, not on full index sources [#6919](https://github.com/rubygems/rubygems/pull/6919)
+
+## Bug fixes:
+
+  - Allow standalone mode to work on a Windows edge case [#6989](https://github.com/rubygems/rubygems/pull/6989)
+  - Fix `bundle outdated` crashing when both `ref` and `branch` specified for a git gem in Gemfile [#6959](https://github.com/rubygems/rubygems/pull/6959)
+  - Fix `bundle update --redownload` [#6924](https://github.com/rubygems/rubygems/pull/6924)
+  - Fixed malformed bundler version in lockfile making Bundler crash [#6920](https://github.com/rubygems/rubygems/pull/6920)
+  - Fix standalone install crashing when using legacy gemfiles with multiple global sources [#6918](https://github.com/rubygems/rubygems/pull/6918)
+  - Resolve ruby version file relative to bundle root [#6892](https://github.com/rubygems/rubygems/pull/6892)
+
+## Performance:
+
+  - Lazily construct fetcher debug messages [#6973](https://github.com/rubygems/rubygems/pull/6973)
+  - Avoid allocating empty hashes in Index [#6962](https://github.com/rubygems/rubygems/pull/6962)
+  - Stop allocating the same settings keys repeatedly [#6963](https://github.com/rubygems/rubygems/pull/6963)
+  - Improve `Bundler::Index` efficiency by removing unnecessary creation and dups [#6931](https://github.com/rubygems/rubygems/pull/6931)
+  - (Further) Improve Bundler::Settings#[] performance and memory usage [#6923](https://github.com/rubygems/rubygems/pull/6923)
+  - Don't use full indexes unnecessarily on legacy Gemfiles [#6916](https://github.com/rubygems/rubygems/pull/6916)
+  - Improve memory usage in Bundler::Settings, and thus improve boot time [#6884](https://github.com/rubygems/rubygems/pull/6884)
+
 # 2.4.19 (August 17, 2023)
 
 ## Enhancements:

data/lib/bundler/build_metadata.rb

@@ -4,8 +4,8 @@ module Bundler
   # Represents metadata from when the Bundler gem was built.
   module BuildMetadata
     # begin ivars
-    @built_at = "2023-08-17".freeze
-    @git_commit_sha = "86f98098e3".freeze
+    @built_at = "2023-09-27".freeze
+    @git_commit_sha = "de20c7e7b".freeze
     @release = true
     # end ivars
 

data/lib/bundler/cli/info.rb

@@ -33,7 +33,7 @@ module Bundler
     def default_gem_spec(gem_name)
       return unless Gem::Specification.respond_to?(:find_all_by_name)
       gem_spec = Gem::Specification.find_all_by_name(gem_name).last
-      return gem_spec if gem_spec&.default_gem?
+      gem_spec if gem_spec&.default_gem?
     end
 
     def spec_not_found(gem_name)

data/lib/bundler/cli/update.rb

@@ -63,6 +63,7 @@ module Bundler
       opts = options.dup
       opts["update"] = true
       opts["local"] = options[:local]
+      opts["force"] = options[:redownload]
 
       Bundler.settings.set_command_option_if_given :jobs, opts["jobs"]
 

data/lib/bundler/fetcher/base.rb

@@ -38,9 +38,9 @@ module Bundler
 
       private
 
-      def log_specs(debug_msg)
+      def log_specs(&block)
         if Bundler.ui.debug?
-          Bundler.ui.debug debug_msg
+          Bundler.ui.debug yield
         else
           Bundler.ui.info ".", false
         end

data/lib/bundler/fetcher/compact_index.rb

@@ -35,7 +35,7 @@ module Bundler
         remaining_gems = gem_names.dup
 
         until remaining_gems.empty?
-          log_specs "Looking up gems #{remaining_gems.inspect}"
+          log_specs { "Looking up gems #{remaining_gems.inspect}" }
 
           deps = begin
                    parallel_compact_index_client.dependencies(remaining_gems)
@@ -60,10 +60,6 @@ module Bundler
           Bundler.ui.debug("FIPS mode is enabled, bundler can't use the CompactIndex API")
           return nil
         end
-        if fetch_uri.scheme == "file"
-          Bundler.ui.debug("Using a local server, bundler won't use the CompactIndex API")
-          return false
-        end
         # Read info file checksums out of /versions, so we can know if gems are up to date
         compact_index_client.update_and_parse_checksums!
       rescue CompactIndexClient::Updater::MisMatchedChecksumError => e

data/lib/bundler/fetcher/dependency.rb

@@ -24,7 +24,7 @@ module Bundler
       def specs(gem_names, full_dependency_list = [], last_spec_list = [])
         query_list = gem_names.uniq - full_dependency_list
 
-        log_specs "Query List: #{query_list.inspect}"
+        log_specs { "Query List: #{query_list.inspect}" }
 
         return last_spec_list if query_list.empty?
 

data/lib/bundler/fetcher.rb

@@ -9,6 +9,7 @@ require "rubygems/request"
 module Bundler
   # Handles all the fetching with the rubygems server
   class Fetcher
+    autoload :Base, File.expand_path("fetcher/base", __dir__)
     autoload :CompactIndex, File.expand_path("fetcher/compact_index", __dir__)
     autoload :Downloader, File.expand_path("fetcher/downloader", __dir__)
     autoload :Dependency, File.expand_path("fetcher/dependency", __dir__)
@@ -134,18 +135,7 @@ module Bundler
     def specs(gem_names, source)
       index = Bundler::Index.new
 
-      if Bundler::Fetcher.disable_endpoint
-        @use_api = false
-        specs = fetchers.last.specs(gem_names)
-      else
-        specs = []
-        @fetchers = fetchers.drop_while do |f|
-          !f.available? || (f.api_fetcher? && !gem_names) || !specs = f.specs(gem_names)
-        end
-        @use_api = false if fetchers.none?(&:api_fetcher?)
-      end
-
-      specs.each do |name, version, platform, dependencies, metadata|
+      fetch_specs(gem_names).each do |name, version, platform, dependencies, metadata|
         spec = if dependencies
           EndpointSpecification.new(name, version, platform, self, dependencies, metadata)
         else
@@ -158,22 +148,10 @@ module Bundler
 
       index
     rescue CertificateFailureError
-      Bundler.ui.info "" if gem_names && use_api # newline after dots
+      Bundler.ui.info "" if gem_names && api_fetcher? # newline after dots
       raise
     end
 
-    def use_api
-      return @use_api if defined?(@use_api)
-
-      fetchers.shift until fetchers.first.available?
-
-      @use_api = if remote_uri.scheme == "file" || Bundler::Fetcher.disable_endpoint
-        false
-      else
-        fetchers.first.api_fetcher?
-      end
-    end
-
     def user_agent
       @user_agent ||= begin
         ruby = Bundler::RubyVersion.system
@@ -209,10 +187,6 @@ module Bundler
       end
     end
 
-    def fetchers
-      @fetchers ||= FETCHERS.map {|f| f.new(downloader, @remote, uri) }
-    end
-
     def http_proxy
       return unless uri = connection.proxy_uri
       uri.to_s
@@ -222,9 +196,36 @@ module Bundler
       "#<#{self.class}:0x#{object_id} uri=#{uri}>"
     end
 
+    def api_fetcher?
+      fetchers.first.api_fetcher?
+    end
+
     private
 
-    FETCHERS = [CompactIndex, Dependency, Index].freeze
+    def available_fetchers
+      if Bundler::Fetcher.disable_endpoint
+        [Index]
+      elsif remote_uri.scheme == "file"
+        Bundler.ui.debug("Using a local server, bundler won't use the CompactIndex API")
+        [Index]
+      else
+        [CompactIndex, Dependency, Index]
+      end
+    end
+
+    def fetchers
+      @fetchers ||= available_fetchers.map {|f| f.new(downloader, @remote, uri) }.drop_while {|f| !f.available? }
+    end
+
+    def fetch_specs(gem_names)
+      fetchers.reject!(&:api_fetcher?) unless gem_names
+      fetchers.reject! do |f|
+        specs = f.specs(gem_names)
+        return specs if specs
+        true
+      end
+      []
+    end
 
     def cis
       env_cis = {

data/lib/bundler/index.rb

@@ -10,8 +10,8 @@ module Bundler
       i
     end
 
-    attr_reader :specs, :all_specs, :sources
-    protected :specs, :all_specs
+    attr_reader :specs, :duplicates, :sources
+    protected :specs, :duplicates
 
     RUBY = "ruby"
     NULL = "\0"
@@ -19,21 +19,21 @@ module Bundler
     def initialize
       @sources = []
       @cache = {}
-      @specs = Hash.new {|h, k| h[k] = {} }
-      @all_specs = Hash.new {|h, k| h[k] = EMPTY_SEARCH }
+      @specs = {}
+      @duplicates = {}
     end
 
     def initialize_copy(o)
       @sources = o.sources.dup
       @cache = {}
-      @specs = Hash.new {|h, k| h[k] = {} }
-      @all_specs = Hash.new {|h, k| h[k] = EMPTY_SEARCH }
+      @specs = {}
+      @duplicates = {}
 
       o.specs.each do |name, hash|
         @specs[name] = hash.dup
       end
-      o.all_specs.each do |name, array|
-        @all_specs[name] = array.dup
+      o.duplicates.each do |name, array|
+        @duplicates[name] = array.dup
       end
     end
 
@@ -46,12 +46,11 @@ module Bundler
       true
     end
 
-    def search_all(name)
-      all_matches = local_search(name) + @all_specs[name]
-      @sources.each do |source|
-        all_matches.concat(source.search_all(name))
-      end
-      all_matches
+    def search_all(name, &blk)
+      return enum_for(:search_all, name) unless blk
+      specs_by_name(name).each(&blk)
+      @duplicates[name]&.each(&blk)
+      @sources.each {|source| source.search_all(name, &blk) }
     end
 
     # Search this index's specs, and any source indexes that this index knows
@@ -61,11 +60,14 @@ module Bundler
       return results unless @sources.any?
 
       @sources.each do |source|
-        results.concat(source.search(query))
+        results = safe_concat(results, source.search(query))
       end
-      results.uniq(&:full_name)
+      results.uniq!(&:full_name) unless results.empty? # avoid modifying frozen EMPTY_SEARCH
+      results
     end
 
+    alias_method :[], :search
+
     def local_search(query)
       case query
       when Gem::Specification, RemoteSpecification, LazySpecification, EndpointSpecification then search_by_spec(query)
@@ -76,12 +78,10 @@ module Bundler
       end
     end
 
-    alias_method :[], :search
-
-    def <<(spec)
-      @specs[spec.name][spec.full_name] = spec
-      spec
+    def add(spec)
+      (@specs[spec.name] ||= {}).store(spec.full_name, spec)
     end
+    alias_method :<<, :add
 
     def each(&blk)
       return enum_for(:each) unless blk
@@ -115,15 +115,25 @@ module Bundler
       names.uniq
     end
 
-    def use(other, override_dupes = false)
+    # Combines indexes proritizing existing specs, like `Hash#reverse_merge!`
+    # Duplicate specs found in `other` are stored in `@duplicates`.
+    def use(other)
       return unless other
-      other.each do |s|
-        if (dupes = search_by_spec(s)) && !dupes.empty?
-          # safe to << since it's a new array when it has contents
-          @all_specs[s.name] = dupes << s
-          next unless override_dupes
+      other.each do |spec|
+        exist?(spec) ? add_duplicate(spec) : add(spec)
+      end
+      self
+    end
+
+    # Combines indexes proritizing specs from `other`, like `Hash#merge!`
+    # Duplicate specs found in `self` are saved in `@duplicates`.
+    def merge!(other)
+      return unless other
+      other.each do |spec|
+        if existing = find_by_spec(spec)
+          add_duplicate(existing)
         end
-        self << s
+        add spec
       end
       self
     end
@@ -157,19 +167,40 @@ module Bundler
 
     private
 
+    def safe_concat(a, b)
+      return a if b.empty?
+      return b if a.empty?
+      a.concat(b)
+    end
+
+    def add_duplicate(spec)
+      (@duplicates[spec.name] ||= []) << spec
+    end
+
     def specs_by_name_and_version(name, version)
-      specs_by_name(name).select {|spec| spec.version == version }
+      results = @specs[name]&.values
+      return EMPTY_SEARCH unless results
+      results.select! {|spec| spec.version == version }
+      results
     end
 
     def specs_by_name(name)
-      @specs[name].values
+      @specs[name]&.values || EMPTY_SEARCH
     end
 
     EMPTY_SEARCH = [].freeze
 
     def search_by_spec(spec)
-      spec = @specs[spec.name][spec.full_name]
+      spec = find_by_spec(spec)
       spec ? [spec] : EMPTY_SEARCH
     end
+
+    def find_by_spec(spec)
+      @specs[spec.name]&.fetch(spec.full_name, nil)
+    end
+
+    def exist?(spec)
+      @specs[spec.name]&.key?(spec.full_name)
+    end
   end
 end

data/lib/bundler/installer/standalone.rb

@@ -55,13 +55,20 @@ module Bundler
       if spec.source.instance_of?(Source::Path) && spec.source.path.absolute?
         full_path
       else
-        Pathname.new(full_path).relative_path_from(Bundler.root.join(bundler_path)).to_s
+        relative_path_from(Bundler.root.join(bundler_path), :to => full_path) || full_path
       end
     rescue TypeError
       error_message = "#{spec.name} #{spec.version} has an invalid gemspec"
       raise Gem::InvalidSpecificationException.new(error_message)
     end
 
+    def relative_path_from(source, to:)
+      Pathname.new(to).relative_path_from(source).to_s
+    rescue ArgumentError
+      # on Windows, if source and destination are on different drivers, there's no relative path from one to the other
+      nil
+    end
+
     def define_path_helpers
       <<~'END'
         unless defined?(Gem)

data/lib/bundler/lockfile_parser.rb

@@ -110,21 +110,9 @@ module Bundler
     def parse_source(line)
       case line
       when SPECS
-        case @type
-        when PATH
-          @current_source = TYPES[@type].from_lock(@opts)
-          @sources << @current_source
-        when GIT
-          @current_source = TYPES[@type].from_lock(@opts)
-          @sources << @current_source
-        when GEM
-          @opts["remotes"] = Array(@opts.delete("remote")).reverse
-          @current_source = TYPES[@type].from_lock(@opts)
-          @sources << @current_source
-        when PLUGIN
-          @current_source = Plugin.source_from_lock(@opts)
-          @sources << @current_source
-        end
+        return unless TYPES.key?(@type)
+        @current_source = TYPES[@type].from_lock(@opts)
+        @sources << @current_source
       when OPTIONS
         value = $2
         value = true if value == "true"

data/lib/bundler/man/gemfile.5

@@ -98,6 +98,17 @@ ruby file: "\.ruby\-version"
 .
 .IP "" 0
 .
+.P
+The version file should conform to any of the following formats:
+.
+.IP "\(bu" 4
+\fB3\.1\.2\fR (\.ruby\-version)
+.
+.IP "\(bu" 4
+\fBruby 3\.1\.2\fR (\.tool\-versions, read: https://asdf\-vm\.com/manage/configuration\.html#tool\-versions)
+.
+.IP "" 0
+.
 .SS "ENGINE"
 Each application \fImay\fR specify a Ruby engine\. If an engine is specified, an engine version \fImust\fR also be specified\.
 .

data/lib/bundler/man/gemfile.5.ronn

@@ -74,6 +74,11 @@ you can use the `file` option instead.
 
     ruby file: ".ruby-version"
 
+The version file should conform to any of the following formats:
+
+  - `3.1.2` (.ruby-version)
+  - `ruby 3.1.2` (.tool-versions, read: https://asdf-vm.com/manage/configuration.html#tool-versions)
+
 ### ENGINE
 
 Each application _may_ specify a Ruby engine. If an engine is specified, an

data/lib/bundler/plugin.rb

@@ -197,7 +197,7 @@ module Bundler
     # @param [Hash] The options that are present in the lock file
     # @return [API::Source] the instance of the class that handles the source
     #                       type passed in locked_opts
-    def source_from_lock(locked_opts)
+    def from_lock(locked_opts)
       src = source(locked_opts["type"])
 
       src.new(locked_opts.merge("uri" => locked_opts["remote"]))

data/lib/bundler/resolver.rb

@@ -37,9 +37,17 @@ module Bundler
       root_version = Resolver::Candidate.new(0)
 
       @all_specs = Hash.new do |specs, name|
-        specs[name] = source_for(name).specs.search(name).reject do |s|
-          s.dependencies.any? {|d| d.name == name && !d.requirement.satisfied_by?(s.version) } # ignore versions that depend on themselves incorrectly
-        end.sort_by {|s| [s.version, s.platform.to_s] }
+        source = source_for(name)
+        matches = source.specs.search(name)
+
+        # Don't bother to check for circular deps when no dependency API are
+        # available, since it's too slow to be usable. That edge case won't work
+        # but resolution other than that should work fine and reasonably fast.
+        if source.respond_to?(:dependency_api_available?) && source.dependency_api_available?
+          matches = filter_invalid_self_dependencies(matches, name)
+        end
+
+        specs[name] = matches.sort_by {|s| [s.version, s.platform.to_s] }
       end
 
       @sorted_versions = Hash.new do |candidates, package|
@@ -318,6 +326,13 @@ module Bundler
       specs.reject {|s| s.version.prerelease? }
     end
 
+    # Ignore versions that depend on themselves incorrectly
+    def filter_invalid_self_dependencies(specs, name)
+      specs.reject do |s|
+        s.dependencies.any? {|d| d.name == name && !d.requirement.satisfied_by?(s.version) }
+      end
+    end
+
     def requirement_satisfied_by?(requirement, spec)
       requirement.satisfied_by?(spec.version) || spec.source.is_a?(Source::Gemspec)
     end

data/lib/bundler/retry.rb

@@ -56,7 +56,7 @@ module Bundler
     def keep_trying?
       return true  if current_run.zero?
       return false if last_attempt?
-      return true  if @failed
+      true if @failed
     end
 
     def last_attempt?

data/lib/bundler/ruby_dsl.rb

@@ -10,8 +10,8 @@ module Bundler
       raise GemfileError, "Please define :engine" if options[:engine_version] && options[:engine].nil?
 
       if options[:file]
-        raise GemfileError, "Cannot specify version when using the file option" if ruby_version.any?
-        ruby_version << Bundler.read_file(options[:file]).strip
+        raise GemfileError, "Do not pass version argument when using :file option" unless ruby_version.empty?
+        ruby_version << normalize_ruby_file(options[:file])
       end
 
       if options[:engine] == "ruby" && options[:engine_version] &&
@@ -20,5 +20,26 @@ module Bundler
       end
       @ruby_version = RubyVersion.new(ruby_version, options[:patchlevel], options[:engine], options[:engine_version])
     end
+
+    # Support the various file formats found in .ruby-version files.
+    #
+    #     3.2.2
+    #     ruby-3.2.2
+    #
+    # Also supports .tool-versions files for asdf. Lines not starting with "ruby" are ignored.
+    #
+    #     ruby 2.5.1 # comment is ignored
+    #     ruby   2.5.1# close comment and extra spaces doesn't confuse
+    #
+    # Intentionally does not support `3.2.1@gemset` since rvm recommends using .ruby-gemset instead
+    def normalize_ruby_file(filename)
+      file_content = Bundler.read_file(Bundler.root.join(filename))
+      # match "ruby-3.2.2" or "ruby   3.2.2" capturing version string up to the first space or comment
+      if /^ruby(-|\s+)([^\s#]+)/.match(file_content)
+        $2
+      else
+        file_content.strip
+      end
+    end
   end
 end

data/lib/bundler/self_manager.rb

@@ -163,6 +163,8 @@ module Bundler
 
       parsed_version = Bundler::LockfileParser.bundled_with
       @lockfile_version = parsed_version ? Gem::Version.new(parsed_version) : nil
+    rescue ArgumentError
+      @lockfile_version = nil
     end
   end
 end

data/lib/bundler/settings.rb

@@ -88,14 +88,24 @@ module Bundler
     def initialize(root = nil)
       @root            = root
       @local_config    = load_config(local_config_file)
-      @env_config      = ENV.to_h.select {|key, _value| key =~ /\ABUNDLE_.+/ }
+
+      @env_config      = ENV.to_h
+      @env_config.select! {|key, _value| key.start_with?("BUNDLE_") }
+      @env_config.delete("BUNDLE_")
+
       @global_config   = load_config(global_config_file)
       @temporary       = {}
     end
 
     def [](name)
       key = key_for(name)
-      value = configs.values.map {|config| config[key] }.compact.first
+
+      value = nil
+      configs.each do |_, config|
+        value = config[key]
+        next if value.nil?
+        break
+      end
 
       converted_value(value, name)
     end
@@ -138,17 +148,22 @@ module Bundler
     end
 
     def all
-      keys = @temporary.keys | @global_config.keys | @local_config.keys | @env_config.keys
+      keys = @temporary.keys.union(@global_config.keys, @local_config.keys, @env_config.keys)
 
-      keys.map do |key|
-        key.sub(/^BUNDLE_/, "").gsub(/___/, "-").gsub(/__/, ".").downcase
-      end.sort
+      keys.map! do |key|
+        key = key.delete_prefix("BUNDLE_")
+        key.gsub!("___", "-")
+        key.gsub!("__", ".")
+        key.downcase!
+        key
+      end.sort!
+      keys
     end
 
     def local_overrides
       repos = {}
       all.each do |k|
-        repos[$'] = self[k] if k =~ /^local\./
+        repos[k.delete_prefix("local.")] = self[k] if k.start_with?("local.")
       end
       repos
     end
@@ -301,7 +316,7 @@ module Bundler
     private
 
     def configs
-      {
+      @configs ||= {
         :temporary => @temporary,
         :local => @local_config,
         :env => @env_config,
@@ -327,16 +342,20 @@ module Bundler
     end
 
     def is_bool(name)
-      BOOL_KEYS.include?(name.to_s) || BOOL_KEYS.include?(parent_setting_for(name.to_s))
+      name = name.to_s
+      BOOL_KEYS.include?(name) || BOOL_KEYS.include?(parent_setting_for(name))
     end
 
     def is_string(name)
-      STRING_KEYS.include?(name.to_s) || name.to_s.start_with?("local.") || name.to_s.start_with?("mirror.") || name.to_s.start_with?("build.")
+      name = name.to_s
+      STRING_KEYS.include?(name) || name.start_with?("local.") || name.start_with?("mirror.") || name.start_with?("build.")
     end
 
     def to_bool(value)
       case value
-      when nil, /\A(false|f|no|n|0|)\z/i, false
+      when String
+        value.match?(/\A(false|f|no|n|0|)\z/i) ? false : true
+      when nil, false
         false
       else
         true
@@ -392,6 +411,8 @@ module Bundler
     end
 
     def converted_value(value, key)
+      key = key.to_s
+
       if is_array(key)
         to_array(value)
       elsif value.nil?
@@ -482,8 +503,11 @@ module Bundler
 
     def self.key_for(key)
       key = normalize_uri(key).to_s if key.is_a?(String) && key.start_with?("http", "mirror.http")
-      key = key.to_s.gsub(".", "__").gsub("-", "___").upcase
-      "BUNDLE_#{key}"
+      key = key.to_s.gsub(".", "__")
+      key.gsub!("-", "___")
+      key.upcase!
+
+      key.prepend("BUNDLE_")
     end
 
     # TODO: duplicates Rubygems#normalize_uri

data/lib/bundler/source/git/git_proxy.rb

@@ -43,6 +43,13 @@ module Bundler
         end
       end
 
+      class AmbiguousGitReference < GitError
+        def initialize(options)
+          msg = "Specification of branch or ref with tag is ambiguous. You specified #{options.inspect}"
+          super msg
+        end
+      end
+
       # The GitProxy is responsible to interact with git repositories.
       # All actions required by the Git source is encapsulated in this
       # object.
@@ -53,10 +60,15 @@ module Bundler
         def initialize(path, uri, options = {}, revision = nil, git = nil)
           @path     = path
           @uri      = uri
-          @branch   = options["branch"]
           @tag      = options["tag"]
+          @branch   = options["branch"]
           @ref      = options["ref"]
-          @explicit_ref = branch || tag || ref
+          if @tag
+            raise AmbiguousGitReference.new(options) if @branch || @ref
+            @explicit_ref = @tag
+          else
+            @explicit_ref = @ref || @branch
+          end
           @revision = revision
           @git      = git
           @commit_ref = nil

data/lib/bundler/source/rubygems.rb

@@ -88,6 +88,7 @@ module Bundler
       end
 
       def self.from_lock(options)
+        options["remotes"] = Array(options.delete("remote")).reverse
         new(options)
       end
 
@@ -128,12 +129,12 @@ module Bundler
       def specs
         @specs ||= begin
           # remote_specs usually generates a way larger Index than the other
-          # sources, and large_idx.use small_idx is way faster than
-          # small_idx.use large_idx.
-          idx = @allow_remote ? remote_specs.dup : Index.new
-          idx.use(cached_specs, :override_dupes) if @allow_cached || @allow_remote
-          idx.use(installed_specs, :override_dupes) if @allow_local
-          idx
+          # sources, and large_idx.merge! small_idx is way faster than
+          # small_idx.merge! large_idx.
+          index = @allow_remote ? remote_specs.dup : Index.new
+          index.merge!(cached_specs) if @allow_cached || @allow_remote
+          index.merge!(installed_specs) if @allow_local
+          index
         end
       end
 
@@ -237,7 +238,7 @@ module Bundler
       end
 
       def spec_names
-        if @allow_remote && dependency_api_available?
+        if dependency_api_available?
           remote_specs.spec_names
         else
           []
@@ -245,7 +246,7 @@ module Bundler
       end
 
       def unmet_deps
-        if @allow_remote && dependency_api_available?
+        if dependency_api_available?
           remote_specs.unmet_dependency_names
         else
           []
@@ -260,7 +261,6 @@ module Bundler
       end
 
       def double_check_for(unmet_dependency_names)
-        return unless @allow_remote
         return unless dependency_api_available?
 
         unmet_dependency_names = unmet_dependency_names.call
@@ -275,7 +275,9 @@ module Bundler
 
         Bundler.ui.debug "Double checking for #{unmet_dependency_names || "all specs (due to the size of the request)"} in #{self}"
 
-        fetch_names(api_fetchers, unmet_dependency_names, specs, false)
+        fetch_names(api_fetchers, unmet_dependency_names, remote_specs)
+
+        specs.use remote_specs
       end
 
       def dependency_names_to_double_check
@@ -379,7 +381,7 @@ module Bundler
 
       def cached_specs
         @cached_specs ||= begin
-          idx = @allow_local ? installed_specs.dup : Index.new
+          idx = Index.new
 
           Dir["#{cache_path}/*.gem"].each do |gemfile|
             s ||= Bundler.rubygems.spec_from_gem(gemfile)
@@ -392,35 +394,30 @@ module Bundler
       end
 
       def api_fetchers
-        fetchers.select {|f| f.use_api && f.fetchers.first.api_fetcher? }
+        fetchers.select(&:api_fetcher?)
       end
 
       def remote_specs
         @remote_specs ||= Index.build do |idx|
           index_fetchers = fetchers - api_fetchers
 
-          # gather lists from non-api sites
-          fetch_names(index_fetchers, nil, idx, false)
-
-          # legacy multi-remote sources need special logic to figure out
-          # dependency names and that logic can be very costly if one remote
-          # uses the dependency API but others don't. So use full indexes
-          # consistently in that particular case.
-          allow_api = !multiple_remotes?
-
-          fetch_names(api_fetchers, allow_api && dependency_names, idx, false)
+          if index_fetchers.empty?
+            fetch_names(api_fetchers, dependency_names, idx)
+          else
+            fetch_names(fetchers, nil, idx)
+          end
         end
       end
 
-      def fetch_names(fetchers, dependency_names, index, override_dupes)
+      def fetch_names(fetchers, dependency_names, index)
         fetchers.each do |f|
           if dependency_names
             Bundler.ui.info "Fetching gem metadata from #{URICredentialsFilter.credential_filtered_uri(f.uri)}", Bundler.ui.debug?
-            index.use f.specs_with_retry(dependency_names, self), override_dupes
+            index.use f.specs_with_retry(dependency_names, self)
             Bundler.ui.info "" unless Bundler.ui.debug? # new line now that the dots are over
           else
             Bundler.ui.info "Fetching source index from #{URICredentialsFilter.credential_filtered_uri(f.uri)}"
-            index.use f.specs_with_retry(nil, self), override_dupes
+            index.use f.specs_with_retry(nil, self)
           end
         end
       end

data/lib/bundler/templates/newgem/github/workflows/main.yml.tt

@@ -17,7 +17,7 @@ jobs:
           - '<%= RUBY_VERSION %>'
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
 <%- if config[:ext] == 'rust' -%>
     - name: Set up Ruby & Rust
       uses: oxidize-rb/actions/setup-ruby-and-rust@v1

data/lib/bundler/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: false
 
 module Bundler
-  VERSION = "2.4.19".freeze
+  VERSION = "2.4.20".freeze
 
   def self.bundler_major_version
     @bundler_major_version ||= VERSION.split(".").first.to_i

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bundler
 version: !ruby/object:Gem::Version
-  version: 2.4.19
+  version: 2.4.20
 platform: ruby
 authors:
 - André Arko
@@ -22,7 +22,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-08-17 00:00:00.000000000 Z
+date: 2023-09-27 00:00:00.000000000 Z
 dependencies: []
 description: Bundler manages an application's dependencies through its entire life,
   across many machines, systematically and repeatably
@@ -381,7 +381,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.0.1
 requirements: []
-rubygems_version: 3.4.19
+rubygems_version: 3.4.20
 signing_key:
 specification_version: 4
 summary: The best way to manage your application's dependencies