bundler 2.4.19 → 2.4.22

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a9e1ac32a1ea746c717048bdfc433edc9d61cd2184f6d07b24e6addb565c1693
-  data.tar.gz: 95ab89a536022f9c642dd02683640819134441441dd0c4ae7b1cb0e9dd561a68
+  metadata.gz: 3f18e076341154326f22050b2bf57d7aa5f82278331f38079b4cb9ea53a13350
+  data.tar.gz: 5edcf31c166b6e65530b57c535c9e593a1cc24be7234a74b07eedbe448d775bf
 SHA512:
-  metadata.gz: 1cda1a2dfbdf88aaf7627304dc8fc740d3e4343b6d4f0e97a6473dc168b3b78c1128973251625beeee479a0418c25972f7dedb0cbcc9e107666fcdad32c991c8
-  data.tar.gz: e4589afe5650d8a937a2c56196221db8ce72d8cb91539ca0fceb9ad742d542ab4415b5253e6ffa3c8b03ccaac3dc6e8fe3b25d61cb17cd9155cc50d16dc44d4c
+  metadata.gz: 19f1201ce7d6a27379d5782373671a1fecfa6482bc699bdb89aa15ef9482f33659913874a5f22e8e3dece848350f411ebe96eb14f3fd3d6dc624455d85ba19de
+  data.tar.gz: 113401cf222bcf13bcda4424492b103f9bd9563c38f6dbdd7b7a7c4465e3971819a5ae77e1153987178d8353cf8d7aa79332484324bad00858a6f526b7f4a1b7

data/CHANGELOG.md

@@ -1,3 +1,84 @@
+# 2.4.22 (November 9, 2023)
+
+## Enhancements:
+
+  - Add Bundler::Plugin.loaded? helper [#6964](https://github.com/rubygems/rubygems/pull/6964)
+  - Give better error when previous installation folder is insecure to remove [#7030](https://github.com/rubygems/rubygems/pull/7030)
+  - Set file path when eval-ing local specification in EndpointSpecification [#7106](https://github.com/rubygems/rubygems/pull/7106)
+  - Git ignore the proper files for the CI service selected for `bundle gem` [#7101](https://github.com/rubygems/rubygems/pull/7101)
+  - Update vendored thor to v1.3.0 [#7078](https://github.com/rubygems/rubygems/pull/7078)
+  - Restore using old way of passing Ruby version to resolver [#7066](https://github.com/rubygems/rubygems/pull/7066)
+  - Bump vendored net-http-persistent to 4.0.2 [#6787](https://github.com/rubygems/rubygems/pull/6787)
+
+## Bug fixes:
+
+  - Fix regression when installing native extensions on universal rubies [#7077](https://github.com/rubygems/rubygems/pull/7077)
+  - Only remove bundler plugin gem when it's inside the cache [#7001](https://github.com/rubygems/rubygems/pull/7001)
+  - Don't show bug report template when GEM_HOME has no writable bit [#7113](https://github.com/rubygems/rubygems/pull/7113)
+  - Fix regression in old git versions [#7114](https://github.com/rubygems/rubygems/pull/7114)
+  - Handle empty array at built-in YAML serializer [#7099](https://github.com/rubygems/rubygems/pull/7099)
+  - Fix force_ruby_platform: when the lockfile only locks the ruby platform [#6936](https://github.com/rubygems/rubygems/pull/6936)
+
+# 2.4.21 (October 17, 2023)
+
+## Enhancements:
+
+  - Avoid duplicates -rbundler/setup in RUBYOPT with Ruby preview [#7002](https://github.com/rubygems/rubygems/pull/7002)
+  - Prevent gem activation in standalone mode [#6925](https://github.com/rubygems/rubygems/pull/6925)
+  - Support Ruby's preview version format (Ex: 3.3.0-preview2) in Gemfile [#7016](https://github.com/rubygems/rubygems/pull/7016)
+  - Fix `bundle install` when older revisions of git source [#6980](https://github.com/rubygems/rubygems/pull/6980)
+  - Remove usage of Dir.chdir that only execute a subprocess [#6930](https://github.com/rubygems/rubygems/pull/6930)
+
+## Bug fixes:
+
+  - Don't delete the release version from pre-release string more than once [#7054](https://github.com/rubygems/rubygems/pull/7054)
+  - Make the `lock` command not be affected by the `frozen` setting [#7034](https://github.com/rubygems/rubygems/pull/7034)
+  - Raise an error when adding a gem incompatible with some locked platform [#7035](https://github.com/rubygems/rubygems/pull/7035)
+  - Re-resolve when lockfile is invalid [#7020](https://github.com/rubygems/rubygems/pull/7020)
+  - Don't re-resolve with prereleases if unlocked gem has no prereleases [#7021](https://github.com/rubygems/rubygems/pull/7021)
+  - Include gemspec in ExtensionTask for native gem tasks [#7015](https://github.com/rubygems/rubygems/pull/7015)
+  - Avoid error reporting relative path when validating frozen [#5128](https://github.com/rubygems/rubygems/pull/5128)
+  - Fix `bundle lock --minor --update <dep>` edge case [#6992](https://github.com/rubygems/rubygems/pull/6992)
+  - Stop bundler eagerly loading all specs with exts [#6945](https://github.com/rubygems/rubygems/pull/6945)
+
+## Performance:
+
+  - Reduce allocations when parsing lockfile [#6976](https://github.com/rubygems/rubygems/pull/6976)
+  - Stop allocating the same settings keys repeatedly [#6963](https://github.com/rubygems/rubygems/pull/6963)
+
+## Documentation:
+
+  - Improve formatting and global source information in `bundle plugin` man page [#7045](https://github.com/rubygems/rubygems/pull/7045)
+  - Update man page of `bundle exec` to reflect default true of flag `--keep-file-descriptors` [#7033](https://github.com/rubygems/rubygems/pull/7033)
+
+# 2.4.20 (September 27, 2023)
+
+## Enhancements:
+
+  - Bump actions/checkout to v4 in bundler gem template [#6966](https://github.com/rubygems/rubygems/pull/6966)
+  - Add support for the `ruby-3.2.2` format in the `ruby file:` Gemfile directive, and explicitly test the `3.2.2@gemset` format as rejected [#6954](https://github.com/rubygems/rubygems/pull/6954)
+  - Support `ruby file: ".tool-versions"` in Gemfile [#6898](https://github.com/rubygems/rubygems/pull/6898)
+  - Unify LockfileParser loading of SPECS section [#6933](https://github.com/rubygems/rubygems/pull/6933)
+  - Only check circular deps when dependency api is available, not on full index sources [#6919](https://github.com/rubygems/rubygems/pull/6919)
+
+## Bug fixes:
+
+  - Allow standalone mode to work on a Windows edge case [#6989](https://github.com/rubygems/rubygems/pull/6989)
+  - Fix `bundle outdated` crashing when both `ref` and `branch` specified for a git gem in Gemfile [#6959](https://github.com/rubygems/rubygems/pull/6959)
+  - Fix `bundle update --redownload` [#6924](https://github.com/rubygems/rubygems/pull/6924)
+  - Fixed malformed bundler version in lockfile making Bundler crash [#6920](https://github.com/rubygems/rubygems/pull/6920)
+  - Fix standalone install crashing when using legacy gemfiles with multiple global sources [#6918](https://github.com/rubygems/rubygems/pull/6918)
+  - Resolve ruby version file relative to bundle root [#6892](https://github.com/rubygems/rubygems/pull/6892)
+
+## Performance:
+
+  - Lazily construct fetcher debug messages [#6973](https://github.com/rubygems/rubygems/pull/6973)
+  - Avoid allocating empty hashes in Index [#6962](https://github.com/rubygems/rubygems/pull/6962)
+  - Improve `Bundler::Index` efficiency by removing unnecessary creation and dups [#6931](https://github.com/rubygems/rubygems/pull/6931)
+  - (Further) Improve Bundler::Settings#[] performance and memory usage [#6923](https://github.com/rubygems/rubygems/pull/6923)
+  - Don't use full indexes unnecessarily on legacy Gemfiles [#6916](https://github.com/rubygems/rubygems/pull/6916)
+  - Improve memory usage in Bundler::Settings, and thus improve boot time [#6884](https://github.com/rubygems/rubygems/pull/6884)
+
 # 2.4.19 (August 17, 2023)
 
 ## Enhancements:
@@ -2153,7 +2234,7 @@ Changes
 
   - retry gem downloads ([#4846](https://github.com/rubygems/bundler/issues/4846), @jkeiser)
   - improve the CompactIndex to handle capitalized legacy gems ([#4867](https://github.com/rubygems/bundler/issues/4867), @segiddins)
-  - re-use persistent HTTP connections for CompactIndex (@NickLaMuro)
+  - reuse persistent HTTP connections for CompactIndex (@NickLaMuro)
   - respect `required_ruby_version` when Gemfile contains `ruby` version (@indirect)
   - allow `rake release` to sign git tags ([#4743](https://github.com/rubygems/bundler/issues/4743), @eagletmt)
   - set process titles when using `#load` during `exec` (@yob)
@@ -3349,7 +3430,7 @@ Changes
   - `gem` option --test can generate rspec stubs (@MafcoCinco)
   - `gem` option --test can generate minitest stubs (@kcurtin)
   - `gem` command generates MIT license (@BrentWheeldon)
-  - gem rake task 'release' resuses existing tags (@shtirlic)
+  - gem rake task 'release' reuses existing tags (@shtirlic)
 
 ## Bug fixes:
 

data/README.md

@@ -1,5 +1,4 @@
 [![Version ](https://img.shields.io/gem/v/bundler.svg?style=flat)](https://rubygems.org/gems/bundler)
-[![Slack   ](https://bundler-slackin.herokuapp.com/badge.svg)](https://bundler-slackin.herokuapp.com)
 
 # Bundler: a gem to bundle gems
 
@@ -38,7 +37,7 @@ Still stuck? Try [filing an issue](https://github.com/rubygems/rubygems/issues/n
 
 To see what has changed in recent versions of Bundler, see the [CHANGELOG](CHANGELOG.md).
 
-To get in touch with the Bundler core team and other Bundler users, please join [the Bundler slack](https://slack.bundler.io).
+To get in touch with the Bundler core team and other Bundler users, please join [the Bundler slack](https://join.slack.com/t/bundler/shared_invite/zt-1rrsuuv3m-OmXKWQf8K6iSla4~F1DBjQ).
 
 ### Contributing
 

data/lib/bundler/build_metadata.rb

@@ -4,8 +4,8 @@ module Bundler
   # Represents metadata from when the Bundler gem was built.
   module BuildMetadata
     # begin ivars
-    @built_at = "2023-08-17".freeze
-    @git_commit_sha = "86f98098e3".freeze
+    @built_at = "2023-11-09".freeze
+    @git_commit_sha = "ec2089640".freeze
     @release = true
     # end ivars
 
@@ -31,7 +31,7 @@ module Bundler
       # commit instance variable then we can't determine its commits SHA.
       git_dir = File.expand_path("../../../.git", __dir__)
       if File.directory?(git_dir)
-        return @git_commit_sha = Dir.chdir(git_dir) { `git rev-parse --short HEAD`.strip.freeze }
+        return @git_commit_sha = IO.popen(%w[git rev-parse --short HEAD], { :chdir => git_dir }, &:read).strip.freeze
       end
 
       @git_commit_sha ||= "unknown"

data/lib/bundler/cli/check.rb

@@ -29,7 +29,7 @@ module Bundler
         Bundler.ui.warn "Install missing gems with `bundle install`"
         exit 1
       elsif !Bundler.default_lockfile.file? && Bundler.frozen_bundle?
-        Bundler.ui.error "This bundle has been frozen, but there is no #{Bundler.default_lockfile.relative_path_from(SharedHelpers.pwd)} present"
+        Bundler.ui.error "This bundle has been frozen, but there is no #{SharedHelpers.relative_lockfile_path} present"
         exit 1
       else
         Bundler.load.lock(:preserve_unknown_sections => true) unless options[:"dry-run"]

data/lib/bundler/cli/gem.rb

@@ -137,10 +137,13 @@ module Bundler
       case config[:ci]
       when "github"
         templates.merge!("github/workflows/main.yml.tt" => ".github/workflows/main.yml")
+        config[:ci_config_path] = ".github "
       when "gitlab"
         templates.merge!("gitlab-ci.yml.tt" => ".gitlab-ci.yml")
+        config[:ci_config_path] = ".gitlab-ci.yml "
       when "circle"
         templates.merge!("circleci/config.yml.tt" => ".circleci/config.yml")
+        config[:ci_config_path] = ".circleci "
       end
 
       if ask_and_set(:mit, "Do you want to license your code permissively under the MIT license?",
@@ -233,9 +236,7 @@ module Bundler
       end
 
       if use_git
-        Dir.chdir(target) do
-          `git add .`
-        end
+        IO.popen(%w[git add .], { :chdir => target }, &:read)
       end
 
       # Open gemspec in editor

data/lib/bundler/cli/info.rb

@@ -33,7 +33,7 @@ module Bundler
     def default_gem_spec(gem_name)
       return unless Gem::Specification.respond_to?(:find_all_by_name)
       gem_spec = Gem::Specification.find_all_by_name(gem_name).last
-      return gem_spec if gem_spec&.default_gem?
+      gem_spec if gem_spec&.default_gem?
     end
 
     def spec_not_found(gem_name)

data/lib/bundler/cli/install.rb

@@ -28,8 +28,8 @@ module Bundler
           flag   = "--deployment flag" if options[:deployment]
           flag ||= "--frozen flag"     if options[:frozen]
           flag ||= "deployment setting"
-          raise ProductionError, "The #{flag} requires a #{Bundler.default_lockfile.relative_path_from(SharedHelpers.pwd)}. Please make " \
-                                 "sure you have checked your #{Bundler.default_lockfile.relative_path_from(SharedHelpers.pwd)} into version control " \
+          raise ProductionError, "The #{flag} requires a lockfile. Please make " \
+                                 "sure you have checked your #{SharedHelpers.relative_lockfile_path} into version control " \
                                  "before deploying."
         end
 

data/lib/bundler/cli/lock.rb

@@ -32,36 +32,39 @@ module Bundler
       elsif update && bundler
         update = { :bundler => bundler }
       end
-      definition = Bundler.definition(update)
 
-      Bundler::CLI::Common.configure_gem_version_promoter(Bundler.definition, options) if options[:update]
+      Bundler.settings.temporary(:frozen => false) do
+        definition = Bundler.definition(update)
 
-      options["remove-platform"].each do |platform|
-        definition.remove_platform(platform)
-      end
+        Bundler::CLI::Common.configure_gem_version_promoter(definition, options) if options[:update]
 
-      options["add-platform"].each do |platform_string|
-        platform = Gem::Platform.new(platform_string)
-        if platform.to_s == "unknown"
-          Bundler.ui.warn "The platform `#{platform_string}` is unknown to RubyGems " \
-            "and adding it will likely lead to resolution errors"
+        options["remove-platform"].each do |platform|
+          definition.remove_platform(platform)
         end
-        definition.add_platform(platform)
-      end
 
-      if definition.platforms.empty?
-        raise InvalidOption, "Removing all platforms from the bundle is not allowed"
-      end
+        options["add-platform"].each do |platform_string|
+          platform = Gem::Platform.new(platform_string)
+          if platform.to_s == "unknown"
+            Bundler.ui.warn "The platform `#{platform_string}` is unknown to RubyGems " \
+              "and adding it will likely lead to resolution errors"
+          end
+          definition.add_platform(platform)
+        end
 
-      definition.resolve_remotely! unless options[:local]
+        if definition.platforms.empty?
+          raise InvalidOption, "Removing all platforms from the bundle is not allowed"
+        end
+
+        definition.resolve_remotely! unless options[:local]
 
-      if print
-        puts definition.to_lock
-      else
-        file = options[:lockfile]
-        file = file ? File.expand_path(file) : Bundler.default_lockfile
-        puts "Writing lockfile to #{file}"
-        definition.lock(file)
+        if print
+          puts definition.to_lock
+        else
+          file = options[:lockfile]
+          file = file ? File.expand_path(file) : Bundler.default_lockfile
+          puts "Writing lockfile to #{file}"
+          definition.lock(file)
+        end
       end
 
       Bundler.ui.level = previous_ui_level

data/lib/bundler/cli/open.rb

@@ -18,13 +18,11 @@ module Bundler
         Bundler.ui.info "Unable to open #{name} because it's a default gem, so the directory it would normally be installed to does not exist."
       else
         root_path = spec.full_gem_path
-        Dir.chdir(root_path) do
-          require "shellwords"
-          command = Shellwords.split(editor) << File.join([root_path, path].compact)
-          Bundler.with_original_env do
-            system(*command)
-          end || Bundler.ui.info("Could not run '#{command.join(" ")}'")
-        end
+        require "shellwords"
+        command = Shellwords.split(editor) << File.join([root_path, path].compact)
+        Bundler.with_original_env do
+          system(*command, { :chdir => root_path })
+        end || Bundler.ui.info("Could not run '#{command.join(" ")}'")
       end
     end
   end

data/lib/bundler/cli/update.rb

@@ -63,6 +63,7 @@ module Bundler
       opts = options.dup
       opts["update"] = true
       opts["local"] = options[:local]
+      opts["force"] = options[:redownload]
 
       Bundler.settings.set_command_option_if_given :jobs, opts["jobs"]
 

data/lib/bundler/definition.rb

@@ -149,7 +149,7 @@ module Bundler
       @dependency_changes = converge_dependencies
       @local_changes = converge_locals
 
-      @missing_lockfile_dep = check_missing_lockfile_dep
+      check_lockfile
     end
 
     def gem_version_promoter
@@ -405,13 +405,13 @@ module Bundler
       msg << "\n\nYou have added to the Gemfile:\n" << added.join("\n") if added.any?
       msg << "\n\nYou have deleted from the Gemfile:\n" << deleted.join("\n") if deleted.any?
       msg << "\n\nYou have changed in the Gemfile:\n" << changed.join("\n") if changed.any?
-      msg << "\n\nRun `bundle install` elsewhere and add the updated #{Bundler.default_lockfile.relative_path_from(SharedHelpers.pwd)} to version control.\n"
+      msg << "\n\nRun `bundle install` elsewhere and add the updated #{SharedHelpers.relative_gemfile_path} to version control.\n"
 
       unless explicit_flag
         suggested_command = unless Bundler.settings.locations("frozen").keys.include?(:env)
           "bundle config set frozen false"
         end
-        msg << "If this is a development machine, remove the #{Bundler.default_gemfile.relative_path_from(SharedHelpers.pwd)} " \
+        msg << "If this is a development machine, remove the #{SharedHelpers.relative_lockfile_path} " \
                "freeze by running `#{suggested_command}`." if suggested_command
       end
 
@@ -452,8 +452,8 @@ module Bundler
       return if current_platform_locked?
 
       raise ProductionError, "Your bundle only supports platforms #{@platforms.map(&:to_s)} " \
-        "but your local platform is #{Bundler.local_platform}. " \
-        "Add the current platform to the lockfile with\n`bundle lock --add-platform #{Bundler.local_platform}` and try again."
+        "but your local platform is #{local_platform}. " \
+        "Add the current platform to the lockfile with\n`bundle lock --add-platform #{local_platform}` and try again."
     end
 
     def add_platform(platform)
@@ -478,7 +478,7 @@ module Bundler
     private :sources
 
     def nothing_changed?
-      !@source_changes && !@dependency_changes && !@new_platform && !@path_changes && !@local_changes && !@missing_lockfile_dep && !@unlocking_bundler
+      !@source_changes && !@dependency_changes && !@new_platform && !@path_changes && !@local_changes && !@missing_lockfile_dep && !@unlocking_bundler && !@invalid_lockfile_dep
     end
 
     def no_resolve_needed?
@@ -509,7 +509,7 @@ module Bundler
     def resolution_packages
       @resolution_packages ||= begin
         last_resolve = converge_locked_specs
-        remove_ruby_from_platforms_if_necessary!(current_dependencies)
+        remove_invalid_platforms!(current_dependencies)
         packages = Resolver::Base.new(source_requirements, expanded_dependencies, last_resolve, @platforms, :locked_specs => @originally_locked_specs, :unlock => @unlock[:gems], :prerelease => gem_version_promoter.pre?)
         additional_base_requirements_for_resolve(packages, last_resolve)
       end
@@ -600,7 +600,7 @@ module Bundler
 
     def current_platform_locked?
       @platforms.any? do |bundle_platform|
-        MatchPlatform.platforms_match?(bundle_platform, Bundler.local_platform)
+        MatchPlatform.platforms_match?(bundle_platform, local_platform)
       end
     end
 
@@ -630,6 +630,7 @@ module Bundler
         [@local_changes, "the gemspecs for git local gems changed"],
         [@missing_lockfile_dep, "your lock file is missing \"#{@missing_lockfile_dep}\""],
         [@unlocking_bundler, "an update to the version of Bundler itself was requested"],
+        [@invalid_lockfile_dep, "your lock file has an invalid dependency \"#{@invalid_lockfile_dep}\""],
       ].select(&:first).map(&:last).join(", ")
     end
 
@@ -684,24 +685,38 @@ module Bundler
       !sources_with_changes.each {|source| @unlock[:sources] << source.name }.empty?
     end
 
-    def check_missing_lockfile_dep
-      all_locked_specs = @locked_specs.map(&:name) << "bundler"
+    def check_lockfile
+      @invalid_lockfile_dep = nil
+      @missing_lockfile_dep = nil
 
-      missing = @locked_specs.select do |s|
-        s.dependencies.any? {|dep| !all_locked_specs.include?(dep.name) }
+      locked_names = @locked_specs.map(&:name)
+      missing = []
+      invalid = []
+
+      @locked_specs.each do |s|
+        s.dependencies.each do |dep|
+          next if dep.name == "bundler"
+
+          missing << s unless locked_names.include?(dep.name)
+          invalid << s if @locked_specs.none? {|spec| dep.matches_spec?(spec) }
+        end
       end
 
       if missing.any?
         @locked_specs.delete(missing)
 
-        return missing.first.name
+        @missing_lockfile_dep = missing.first.name
+      elsif !@dependency_changes
+        @missing_lockfile_dep = current_dependencies.find do |d|
+          @locked_specs[d.name].empty? && d.name != "bundler"
+        end&.name
       end
 
-      return if @dependency_changes
+      if invalid.any?
+        @locked_specs.delete(invalid)
 
-      current_dependencies.find do |d|
-        @locked_specs[d.name].empty? && d.name != "bundler"
-      end&.name
+        @invalid_lockfile_dep = invalid.first.name
+      end
     end
 
     def converge_paths
@@ -866,7 +881,7 @@ module Bundler
 
     def metadata_dependencies
       @metadata_dependencies ||= [
-        Dependency.new("Ruby\0", Gem.ruby_version),
+        Dependency.new("Ruby\0", Bundler::RubyVersion.system.gem_version),
         Dependency.new("RubyGems\0", Gem::VERSION),
       ]
     end
@@ -941,17 +956,19 @@ module Bundler
       resolution_packages
     end
 
-    def remove_ruby_from_platforms_if_necessary!(dependencies)
-      return if Bundler.frozen_bundle? ||
-                Bundler.local_platform == Gem::Platform::RUBY ||
-                !platforms.include?(Gem::Platform::RUBY) ||
-                (@new_platform && platforms.last == Gem::Platform::RUBY) ||
+    def remove_invalid_platforms!(dependencies)
+      return if Bundler.frozen_bundle?
+
+      platforms.each do |platform|
+        next if local_platform == platform ||
+                (@new_platform && platforms.last == platform) ||
                 @path_changes ||
                 @dependency_changes ||
-                !@originally_locked_specs.incomplete_ruby_specs?(dependencies)
+                !@originally_locked_specs.incomplete_for_platform?(dependencies, platform)
 
-      remove_platform(Gem::Platform::RUBY)
-      add_current_platform
+        remove_platform(platform)
+        add_current_platform if platform == Gem::Platform::RUBY
+      end
     end
 
     def source_map

data/lib/bundler/endpoint_specification.rb

@@ -94,7 +94,7 @@ module Bundler
 
     def _local_specification
       return unless @loaded_from && File.exist?(local_specification_path)
-      eval(File.read(local_specification_path)).tap do |spec|
+      eval(File.read(local_specification_path), nil, local_specification_path).tap do |spec|
         spec.loaded_from = @loaded_from
       end
     end

data/lib/bundler/env.rb

@@ -40,11 +40,11 @@ module Bundler
 
         out << "\n## Gemfile\n"
         gemfiles.each do |gemfile|
-          out << "\n### #{Pathname.new(gemfile).relative_path_from(SharedHelpers.pwd)}\n\n"
+          out << "\n### #{SharedHelpers.relative_path_to(gemfile)}\n\n"
           out << "```ruby\n" << read_file(gemfile).chomp << "\n```\n"
         end
 
-        out << "\n### #{Bundler.default_lockfile.relative_path_from(SharedHelpers.pwd)}\n\n"
+        out << "\n### #{SharedHelpers.relative_path_to(Bundler.default_lockfile)}\n\n"
         out << "```\n" << read_file(Bundler.default_lockfile).chomp << "\n```\n"
       end
 

data/lib/bundler/errors.rb

@@ -172,4 +172,19 @@ module Bundler
 
     status_code(36)
   end
+
+  class InsecureInstallPathError < BundlerError
+    def initialize(path)
+      @path = path
+    end
+
+    def message
+      "The installation path is insecure. Bundler cannot continue.\n" \
+      "#{@path} is world-writable (without sticky bit).\n" \
+      "Bundler cannot safely replace gems in world-writeable directories due to potential vulnerabilities.\n" \
+      "Please change the permissions of this directory or choose a different install path."
+    end
+
+    status_code(38)
+  end
 end

data/lib/bundler/fetcher/base.rb

@@ -38,9 +38,9 @@ module Bundler
 
       private
 
-      def log_specs(debug_msg)
+      def log_specs(&block)
         if Bundler.ui.debug?
-          Bundler.ui.debug debug_msg
+          Bundler.ui.debug yield
         else
           Bundler.ui.info ".", false
         end

data/lib/bundler/fetcher/compact_index.rb

@@ -35,7 +35,7 @@ module Bundler
         remaining_gems = gem_names.dup
 
         until remaining_gems.empty?
-          log_specs "Looking up gems #{remaining_gems.inspect}"
+          log_specs { "Looking up gems #{remaining_gems.inspect}" }
 
           deps = begin
                    parallel_compact_index_client.dependencies(remaining_gems)
@@ -60,10 +60,6 @@ module Bundler
           Bundler.ui.debug("FIPS mode is enabled, bundler can't use the CompactIndex API")
           return nil
         end
-        if fetch_uri.scheme == "file"
-          Bundler.ui.debug("Using a local server, bundler won't use the CompactIndex API")
-          return false
-        end
         # Read info file checksums out of /versions, so we can know if gems are up to date
         compact_index_client.update_and_parse_checksums!
       rescue CompactIndexClient::Updater::MisMatchedChecksumError => e

data/lib/bundler/fetcher/dependency.rb

@@ -24,7 +24,7 @@ module Bundler
       def specs(gem_names, full_dependency_list = [], last_spec_list = [])
         query_list = gem_names.uniq - full_dependency_list
 
-        log_specs "Query List: #{query_list.inspect}"
+        log_specs { "Query List: #{query_list.inspect}" }
 
         return last_spec_list if query_list.empty?
 

data/lib/bundler/fetcher.rb

@@ -9,6 +9,7 @@ require "rubygems/request"
 module Bundler
   # Handles all the fetching with the rubygems server
   class Fetcher
+    autoload :Base, File.expand_path("fetcher/base", __dir__)
     autoload :CompactIndex, File.expand_path("fetcher/compact_index", __dir__)
     autoload :Downloader, File.expand_path("fetcher/downloader", __dir__)
     autoload :Dependency, File.expand_path("fetcher/dependency", __dir__)
@@ -134,18 +135,7 @@ module Bundler
     def specs(gem_names, source)
       index = Bundler::Index.new
 
-      if Bundler::Fetcher.disable_endpoint
-        @use_api = false
-        specs = fetchers.last.specs(gem_names)
-      else
-        specs = []
-        @fetchers = fetchers.drop_while do |f|
-          !f.available? || (f.api_fetcher? && !gem_names) || !specs = f.specs(gem_names)
-        end
-        @use_api = false if fetchers.none?(&:api_fetcher?)
-      end
-
-      specs.each do |name, version, platform, dependencies, metadata|
+      fetch_specs(gem_names).each do |name, version, platform, dependencies, metadata|
         spec = if dependencies
           EndpointSpecification.new(name, version, platform, self, dependencies, metadata)
         else
@@ -158,22 +148,10 @@ module Bundler
 
       index
     rescue CertificateFailureError
-      Bundler.ui.info "" if gem_names && use_api # newline after dots
+      Bundler.ui.info "" if gem_names && api_fetcher? # newline after dots
       raise
     end
 
-    def use_api
-      return @use_api if defined?(@use_api)
-
-      fetchers.shift until fetchers.first.available?
-
-      @use_api = if remote_uri.scheme == "file" || Bundler::Fetcher.disable_endpoint
-        false
-      else
-        fetchers.first.api_fetcher?
-      end
-    end
-
     def user_agent
       @user_agent ||= begin
         ruby = Bundler::RubyVersion.system
@@ -209,10 +187,6 @@ module Bundler
       end
     end
 
-    def fetchers
-      @fetchers ||= FETCHERS.map {|f| f.new(downloader, @remote, uri) }
-    end
-
     def http_proxy
       return unless uri = connection.proxy_uri
       uri.to_s
@@ -222,9 +196,36 @@ module Bundler
       "#<#{self.class}:0x#{object_id} uri=#{uri}>"
     end
 
+    def api_fetcher?
+      fetchers.first.api_fetcher?
+    end
+
     private
 
-    FETCHERS = [CompactIndex, Dependency, Index].freeze
+    def available_fetchers
+      if Bundler::Fetcher.disable_endpoint
+        [Index]
+      elsif remote_uri.scheme == "file"
+        Bundler.ui.debug("Using a local server, bundler won't use the CompactIndex API")
+        [Index]
+      else
+        [CompactIndex, Dependency, Index]
+      end
+    end
+
+    def fetchers
+      @fetchers ||= available_fetchers.map {|f| f.new(downloader, @remote, uri) }.drop_while {|f| !f.available? }
+    end
+
+    def fetch_specs(gem_names)
+      fetchers.reject!(&:api_fetcher?) unless gem_names
+      fetchers.reject! do |f|
+        specs = f.specs(gem_names)
+        return specs if specs
+        true
+      end
+      []
+    end
 
     def cis
       env_cis = {