bundler 2.4.7 → 2.4.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a65f84ced002f9c1ab71db372d85d37f9578c02a5dc1e454ca62c895e7a4d247
-  data.tar.gz: f5e1e1f51f2eaa82029c2129a4c703c75a6e8950370be93cc7bd802d89155bda
+  metadata.gz: bea219e989f6693457e01025c959a3ece35ee46c5c07df07cd06e56f475c06dd
+  data.tar.gz: 389b2a53b46bb41a4c95d1ed70e6d4cc3f422de3e8f73ef70067c1e6477da277
 SHA512:
-  metadata.gz: 458454313b85996243c7c77ba6ad6fba40ec2185bf657def24c8bce61595c2bd86f973f465dfcebec1ef01130c5c784dc820710437f62de9701bb6317236b3fb
-  data.tar.gz: e35d6b4c930214928c4480df520ef5b342107d1d25da2dbc9596591eab94e115b53c2c4432ff5513630f3d60d18c8935b415bdb2b2bbd60e40d04228b8e2d292
+  metadata.gz: 7f9d947e46ea956603b8893d024e6833da24b8684416b9d25376cac3279a641d6bf18bf156b67af1fa2c490020064e09eac1ae04ff759bf0945bc189298a24cb
+  data.tar.gz: f78b90fb696e544268cb590af87b7e6ab4d22c9918222d7d494dde6bc28c91b555af93afa0b61f8ae863a1c48f5151e0370d3443285ae45c7418745e8225f592

data/CHANGELOG.md

@@ -1,3 +1,51 @@
+# 2.4.9 (March 20, 2023)
+
+## Security:
+
+  - Don't recommend `--full-index` on errors [#6493](https://github.com/rubygems/rubygems/pull/6493)
+
+## Enhancements:
+
+  - Fix duplicated specs in some error messages [#6475](https://github.com/rubygems/rubygems/pull/6475)
+  - When running `bundle lock --update <name>`, checkout locked revision of unrelated git sources directly [#6459](https://github.com/rubygems/rubygems/pull/6459)
+  - Avoid expiring git sources when unnecessary [#6458](https://github.com/rubygems/rubygems/pull/6458)
+  - Use `RbSys::ExtensionTask` when creating new rust gems [#6352](https://github.com/rubygems/rubygems/pull/6352)
+  - Don't ignore pre-releases when there's only one candidate [#6441](https://github.com/rubygems/rubygems/pull/6441)
+
+## Bug fixes:
+
+  - Fix incorrect removal of ruby platform when auto-healing corrupted lockfiles [#6495](https://github.com/rubygems/rubygems/pull/6495)
+  - Don't consider platform specific candidates when `force_ruby_platform` set [#6442](https://github.com/rubygems/rubygems/pull/6442)
+  - Better deal with circular dependencies [#6330](https://github.com/rubygems/rubygems/pull/6330)
+
+## Documentation:
+
+  - Add debugging docs [#6387](https://github.com/rubygems/rubygems/pull/6387)
+  - Document our current release policy [#6450](https://github.com/rubygems/rubygems/pull/6450)
+
+# 2.4.8 (March 8, 2023)
+
+## Security:
+
+  - Safe load all marshaled data [#6384](https://github.com/rubygems/rubygems/pull/6384)
+
+## Enhancements:
+
+  - Better suggestion when `bundler/setup` fails due to missing gems and Gemfile is not the default [#6428](https://github.com/rubygems/rubygems/pull/6428)
+  - Simplify the gem package file filter in the gemspec template [#6344](https://github.com/rubygems/rubygems/pull/6344)
+  - Auto-heal corrupted `Gemfile.lock` with no specs [#6423](https://github.com/rubygems/rubygems/pull/6423)
+  - Auto-heal on corrupted lockfile with missing deps [#6400](https://github.com/rubygems/rubygems/pull/6400)
+  - Give a better message when Gemfile branch does not exist [#6383](https://github.com/rubygems/rubygems/pull/6383)
+
+## Bug fixes:
+
+  - Respect --no-install option for git: sources [#6088](https://github.com/rubygems/rubygems/pull/6088)
+  - Fix `gems.rb` lockfile for bundler version lookup in template [#6413](https://github.com/rubygems/rubygems/pull/6413)
+
+## Documentation:
+
+  - Switch supporting explanations to all Ruby Central [#6419](https://github.com/rubygems/rubygems/pull/6419)
+
 # 2.4.7 (February 15, 2023)
 
 ## Enhancements:

data/README.md

@@ -46,12 +46,9 @@ If you'd like to contribute to Bundler, that's awesome, and we <3 you. We've put
 
 If you'd like to request a substantial change to Bundler or its documentation, refer to the [Bundler RFC process](https://github.com/rubygems/rfcs) for more information.
 
-While some Bundler contributors are compensated by Ruby Together, the project maintainers make decisions independent of Ruby Together. As a project, we welcome contributions regardless of the author's affiliation with Ruby Together.
-
 ### Supporting
 
-<a href="https://rubytogether.org/"><img src="https://rubytogether.org/images/rubies.svg" width="150"></a><br>
-<a href="https://rubytogether.org/">Ruby Together</a> pays some Bundler maintainers for their ongoing work. As a grassroots initiative committed to supporting the critical Ruby infrastructure you rely on, Ruby Together is funded entirely by the Ruby community. Contribute today <a href="https://rubytogether.org/developers">as an individual</a> or (better yet) <a href="https://rubytogether.org/companies">as a company</a> to ensure that Bundler, RubyGems, and other shared tooling is around for years to come.
+RubyGems is managed by [Ruby Central](https://rubycentral.org), a non-profit organization that supports the Ruby community through projects like this one, as well as [RubyConf](https://rubyconf.org), [RailsConf](https://railsconf.org), and [RubyGems.org](https://rubygems.org). You can support Ruby Central by attending or [sponsoring](sponsors@rubycentral.org) a conference, or by [joining as a supporting member](https://rubycentral.org/#/portal/signup).
 
 ### Code of Conduct
 

data/lib/bundler/build_metadata.rb

@@ -4,8 +4,8 @@ module Bundler
   # Represents metadata from when the Bundler gem was built.
   module BuildMetadata
     # begin ivars
-    @built_at = "2023-02-15".freeze
-    @git_commit_sha = "5d717a27e0".freeze
+    @built_at = "2023-03-20".freeze
+    @git_commit_sha = "6f8e92bcc6".freeze
     @release = true
     # end ivars
 

data/lib/bundler/endpoint_specification.rb

@@ -26,10 +26,6 @@ module Bundler
       @platform
     end
 
-    def identifier
-      @__identifier ||= [name, version, platform.to_s]
-    end
-
     # needed for standalone, load required_paths from local gemspec
     # after the gem is installed
     def require_paths

data/lib/bundler/environment_preserver.rb

@@ -2,7 +2,7 @@
 
 module Bundler
   class EnvironmentPreserver
-    INTENTIONALLY_NIL = "BUNDLER_ENVIRONMENT_PRESERVER_INTENTIONALLY_NIL".freeze
+    INTENTIONALLY_NIL = "BUNDLER_ENVIRONMENT_PRESERVER_INTENTIONALLY_NIL"
     BUNDLER_KEYS = %w[
       BUNDLE_BIN_PATH
       BUNDLE_GEMFILE
@@ -16,7 +16,7 @@ module Bundler
       RUBYLIB
       RUBYOPT
     ].map(&:freeze).freeze
-    BUNDLER_PREFIX = "BUNDLER_ORIG_".freeze
+    BUNDLER_PREFIX = "BUNDLER_ORIG_"
 
     def self.from_env
       new(env_to_hash(ENV), BUNDLER_KEYS)

data/lib/bundler/fetcher/dependency.rb

@@ -34,14 +34,10 @@ module Bundler
 
         returned_gems = spec_list.map(&:first).uniq
         specs(deps_list, full_dependency_list + returned_gems, spec_list + last_spec_list)
-      rescue MarshalError
+      rescue MarshalError, HTTPError, GemspecError
         Bundler.ui.info "" unless Bundler.ui.debug? # new line now that the dots are over
         Bundler.ui.debug "could not fetch from the dependency API, trying the full index"
         nil
-      rescue HTTPError, GemspecError
-        Bundler.ui.info "" unless Bundler.ui.debug? # new line now that the dots are over
-        Bundler.ui.debug "could not fetch from the dependency API\nit's suggested to retry using the full index via `bundle install --full-index`"
-        nil
       end
 
       def dependency_specs(gem_names)

data/lib/bundler/fetcher.rb

@@ -102,11 +102,11 @@ module Bundler
       uri = Bundler::URI.parse("#{remote_uri}#{Gem::MARSHAL_SPEC_DIR}#{spec_file_name}.rz")
       if uri.scheme == "file"
         path = Bundler.rubygems.correct_for_windows_path(uri.path)
-        Bundler.load_marshal Bundler.rubygems.inflate(Gem.read_binary(path))
+        Bundler.safe_load_marshal Bundler.rubygems.inflate(Gem.read_binary(path))
       elsif cached_spec_path = gemspec_cached_path(spec_file_name)
         Bundler.load_gemspec(cached_spec_path)
       else
-        Bundler.load_marshal Bundler.rubygems.inflate(downloader.fetch(uri).body)
+        Bundler.safe_load_marshal Bundler.rubygems.inflate(downloader.fetch(uri).body)
       end
     rescue MarshalError
       raise HTTPError, "Gemspec #{spec} contained invalid data.\n" \

data/lib/bundler/incomplete_specification.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Bundler
+  #
+  # Represents a package name that was found to be incomplete when trying to
+  # materialize a fresh resolution or the lockfile.
+  #
+  # Holds the actual partially complete set of specifications for the name.
+  # These are used so that they can be unlocked in a future resolution, and fix
+  # the situation.
+  #
+  class IncompleteSpecification
+    attr_reader :name, :partially_complete_specs
+
+    def initialize(name, partially_complete_specs = [])
+      @name = name
+      @partially_complete_specs = partially_complete_specs
+    end
+
+    def ==(other)
+      partially_complete_specs == other.partially_complete_specs
+    end
+  end
+end

data/lib/bundler/index.rb

@@ -13,8 +13,8 @@ module Bundler
     attr_reader :specs, :all_specs, :sources
     protected :specs, :all_specs
 
-    RUBY = "ruby".freeze
-    NULL = "\0".freeze
+    RUBY = "ruby"
+    NULL = "\0"
 
     def initialize
       @sources = []

data/lib/bundler/injector.rb

@@ -2,7 +2,7 @@
 
 module Bundler
   class Injector
-    INJECTED_GEMS = "injected gems".freeze
+    INJECTED_GEMS = "injected gems"
 
     def self.inject(new_deps, options = {})
       injector = new(new_deps, options)

data/lib/bundler/installer/parallel_installer.rb

@@ -47,13 +47,6 @@ module Bundler
         dependencies.all? {|d| installed_specs.include? d.name }
       end
 
-      # Check whether spec's dependencies are missing, which can indicate a
-      # corrupted lockfile
-      def dependencies_missing?(all_specs)
-        spec_names = all_specs.map(&:name)
-        dependencies.any? {|d| !spec_names.include? d.name }
-      end
-
       # Represents only the non-development dependencies, the ones that are
       # itself and are in the total list.
       def dependencies
@@ -123,11 +116,7 @@ module Bundler
       unmet_dependencies.each do |spec, unmet_spec_dependencies|
         unmet_spec_dependencies.each do |unmet_spec_dependency|
           found = @specs.find {|s| s.name == unmet_spec_dependency.name && !unmet_spec_dependency.matches_spec?(s.spec) }
-          if found
-            warning << "* #{unmet_spec_dependency}, dependency of #{spec.full_name}, unsatisfied by #{found.full_name}"
-          else
-            warning << "* #{unmet_spec_dependency}, dependency of #{spec.full_name} but missing from lockfile"
-          end
+          warning << "* #{unmet_spec_dependency}, dependency of #{spec.full_name}, unsatisfied by #{found.full_name}"
         end
       end
 
@@ -224,8 +213,6 @@ module Bundler
         if spec.dependencies_installed? @specs
           spec.state = :enqueued
           worker_pool.enq spec
-        elsif spec.dependencies_missing? @specs
-          spec.state = :failed
         end
       end
     end

data/lib/bundler/lazy_specification.rb

@@ -20,7 +20,7 @@ module Bundler
     end
 
     def full_name
-      if platform == Gem::Platform::RUBY
+      @full_name ||= if platform == Gem::Platform::RUBY
         "#{@name}-#{@version}"
       else
         "#{@name}-#{@version}-#{platform}"
@@ -28,15 +28,15 @@ module Bundler
     end
 
     def ==(other)
-      identifier == other.identifier
+      full_name == other.full_name
     end
 
     def eql?(other)
-      identifier.eql?(other.identifier)
+      full_name.eql?(other.full_name)
     end
 
     def hash
-      identifier.hash
+      full_name.hash
     end
 
     ##
@@ -129,10 +129,6 @@ module Bundler
       end
     end
 
-    def identifier
-      @__identifier ||= [name, version, platform.to_s]
-    end
-
     def git_version
       return unless source.is_a?(Bundler::Source::Git)
       " #{source.revision[0..6]}"

data/lib/bundler/lockfile_generator.rb

@@ -45,7 +45,7 @@ module Bundler
       # gems with the same name, but different platform
       # are ordered consistently
       specs.sort_by(&:full_name).each do |spec|
-        next if spec.name == "bundler".freeze
+        next if spec.name == "bundler"
         out << spec.to_lock
       end
     end

data/lib/bundler/lockfile_parser.rb

@@ -4,15 +4,15 @@ module Bundler
   class LockfileParser
     attr_reader :sources, :dependencies, :specs, :platforms, :bundler_version, :ruby_version
 
-    BUNDLED      = "BUNDLED WITH".freeze
-    DEPENDENCIES = "DEPENDENCIES".freeze
-    PLATFORMS    = "PLATFORMS".freeze
-    RUBY         = "RUBY VERSION".freeze
-    GIT          = "GIT".freeze
-    GEM          = "GEM".freeze
-    PATH         = "PATH".freeze
-    PLUGIN       = "PLUGIN SOURCE".freeze
-    SPECS        = "  specs:".freeze
+    BUNDLED      = "BUNDLED WITH"
+    DEPENDENCIES = "DEPENDENCIES"
+    PLATFORMS    = "PLATFORMS"
+    RUBY         = "RUBY VERSION"
+    GIT          = "GIT"
+    GEM          = "GEM"
+    PATH         = "PATH"
+    PLUGIN       = "PLUGIN SOURCE"
+    SPECS        = "  specs:"
     OPTIONS      = /^  ([a-z]+): (.*)$/i.freeze
     SOURCE       = [GIT, GEM, PATH, PLUGIN].freeze
 
@@ -86,7 +86,7 @@ module Bundler
           send("parse_#{@state}", line)
         end
       end
-      @specs = @specs.values.sort_by(&:identifier)
+      @specs = @specs.values.sort_by(&:full_name)
     rescue ArgumentError => e
       Bundler.ui.debug(e)
       raise LockfileError, "Your lockfile is unreadable. Run `rm #{Bundler.default_lockfile.relative_path_from(SharedHelpers.pwd)}` " \
@@ -199,7 +199,7 @@ module Bundler
         @current_spec.source = @current_source
         @current_source.add_dependency_names(name)
 
-        @specs[@current_spec.identifier] = @current_spec
+        @specs[@current_spec.full_name] = @current_spec
       elsif spaces.size == 6
         version = version.split(",").map(&:strip) if version
         dep = Gem::Dependency.new(name, version)

data/lib/bundler/plugin.rb

@@ -15,7 +15,7 @@ module Bundler
     class UnknownSourceError < PluginError; end
     class PluginInstallError < PluginError; end
 
-    PLUGIN_FILE_NAME = "plugins.rb".freeze
+    PLUGIN_FILE_NAME = "plugins.rb"
 
     module_function
 

data/lib/bundler/remote_specification.rb

@@ -29,12 +29,8 @@ module Bundler
       @platform = _remote_specification.platform
     end
 
-    def identifier
-      @__identifier ||= [name, version, @platform.to_s]
-    end
-
     def full_name
-      if @platform == Gem::Platform::RUBY
+      @full_name ||= if @platform == Gem::Platform::RUBY
         "#{@name}-#{@version}"
       else
         "#{@name}-#{@version}-#{@platform}"
@@ -106,7 +102,7 @@ module Bundler
     def _remote_specification
       @_remote_specification ||= @spec_fetcher.fetch_spec([@name, @version, @original_platform])
       @_remote_specification || raise(GemspecError, "Gemspec data for #{full_name} was" \
-        " missing from the server! Try installing with `--full-index` as a workaround.")
+        " missing from the server!")
     end
 
     def method_missing(method, *args, &blk)

data/lib/bundler/resolver/base.rb

@@ -34,9 +34,11 @@ module Bundler
         @base[name]
       end
 
-      def delete(specs)
-        specs.each do |spec|
-          @base.delete(spec)
+      def delete(incomplete_specs)
+        incomplete_specs.each do |incomplete_spec|
+          incomplete_spec.partially_complete_specs.each do |spec|
+            @base.delete(spec)
+          end
         end
       end
 

data/lib/bundler/resolver.rb

@@ -37,7 +37,9 @@ module Bundler
       root_version = Resolver::Candidate.new(0)
 
       @all_specs = Hash.new do |specs, name|
-        specs[name] = source_for(name).specs.search(name).sort_by {|s| [s.version, s.platform.to_s] }
+        specs[name] = source_for(name).specs.search(name).reject do |s|
+          s.dependencies.any? {|d| d.name == name && !d.requirement.satisfied_by?(s.version) } # ignore versions that depend on themselves incorrectly
+        end.sort_by {|s| [s.version, s.platform.to_s] }
       end
 
       @sorted_versions = Hash.new do |candidates, package|
@@ -55,7 +57,7 @@ module Bundler
           { root_version => root_dependencies }
         else
           Hash.new do |versions, version|
-            versions[version] = to_dependency_hash(version.dependencies, @packages)
+            versions[version] = to_dependency_hash(version.dependencies.reject {|d| d.name == package.name }, @packages)
           end
         end
       end
@@ -186,11 +188,6 @@ module Bundler
       package_deps = @cached_dependencies[package]
       sorted_versions = @sorted_versions[package]
       package_deps[version].map do |dep_package, dep_constraint|
-        if package == dep_package
-          cause = PubGrub::Incompatibility::CircularDependency.new(dep_package, dep_constraint.constraint_string)
-          return [PubGrub::Incompatibility.new([PubGrub::Term.new(dep_constraint, true)], :cause => cause)]
-        end
-
         low = high = sorted_versions.index(version)
 
         # find version low such that all >= low share the same dep
@@ -243,7 +240,7 @@ module Bundler
         ruby_specs = select_best_platform_match(specs, Gem::Platform::RUBY)
         groups << Resolver::Candidate.new(version, :specs => ruby_specs) if ruby_specs.any?
 
-        next groups if platform_specs == ruby_specs
+        next groups if platform_specs == ruby_specs || package.force_ruby_platform?
 
         groups << Resolver::Candidate.new(version, :specs => platform_specs)
 
@@ -302,7 +299,7 @@ module Bundler
     end
 
     def filter_prereleases(specs, package)
-      return specs unless package.ignores_prereleases?
+      return specs unless package.ignores_prereleases? && specs.size > 1
 
       specs.reject {|s| s.version.prerelease? }
     end

data/lib/bundler/rubygems_integration.rb

@@ -453,7 +453,7 @@ module Bundler
       fetcher = gem_remote_fetcher
       fetcher.headers = { "X-Gemfile-Source" => remote.original_uri.to_s } if remote.original_uri
       string = fetcher.fetch_path(path)
-      Bundler.load_marshal(string)
+      Bundler.safe_load_marshal(string)
     rescue Gem::RemoteFetcher::FetchError
       # it's okay for prerelease to fail
       raise unless name == "prerelease_specs"

data/lib/bundler/settings.rb

@@ -495,7 +495,7 @@ module Bundler
         uri = $2
         suffix = $3
       end
-      uri = "#{uri}/" unless uri.end_with?("/")
+      uri = URINormalizer.normalize_suffix(uri)
       require_relative "vendored_uri"
       uri = Bundler::URI(uri)
       unless uri.absolute?

data/lib/bundler/setup.rb

@@ -12,7 +12,10 @@ if Bundler::SharedHelpers.in_bundle?
       Bundler.ui.error e.message
       Bundler.ui.warn e.backtrace.join("\n") if ENV["DEBUG"]
       if e.is_a?(Bundler::GemNotFound)
-        Bundler.ui.warn "Run `bundle install` to install missing gems."
+        suggested_cmd = "bundle install"
+        original_gemfile = Bundler.original_env["BUNDLE_GEMFILE"]
+        suggested_cmd += " --gemfile #{original_gemfile}" if original_gemfile
+        Bundler.ui.warn "Run `#{suggested_cmd}` to install missing gems."
       end
       exit e.status_code
     end

data/lib/bundler/shared_helpers.rb

@@ -160,7 +160,7 @@ module Bundler
         " (was expecting #{old_deps.map(&:to_s)}, but the real spec has #{new_deps.map(&:to_s)})"
       raise APIResponseMismatchError,
         "Downloading #{spec.full_name} revealed dependencies not in the API or the lockfile (#{extra_deps.join(", ")})." \
-        "\nEither installing with `--full-index` or running `bundle update #{spec.name}` should fix the problem."
+        "\nRunning `bundle update #{spec.name}` should fix the problem."
     end
 
     def pretty_dependency(dep)

data/lib/bundler/source/git/git_proxy.rb

@@ -28,8 +28,9 @@ module Bundler
         def initialize(command, path, extra_info = nil)
           @command = command
 
-          msg = String.new
-          msg << "Git error: command `#{command}` in directory #{path} has failed."
+          msg = String.new("Git error: command `#{command}`")
+          msg << " in directory #{path}" if path
+          msg << " has failed."
           msg << "\n#{extra_info}" if extra_info
           super msg
         end
@@ -153,9 +154,20 @@ module Bundler
           SharedHelpers.filesystem_access(path.dirname) do |p|
             FileUtils.mkdir_p(p)
           end
-          git_retry "clone", "--bare", "--no-hardlinks", "--quiet", *extra_clone_args, "--", configured_uri, path.to_s
 
-          extra_ref
+          command = ["clone", "--bare", "--no-hardlinks", "--quiet", *extra_clone_args, "--", configured_uri, path.to_s]
+          command_with_no_credentials = check_allowed(command)
+
+          Bundler::Retry.new("`#{command_with_no_credentials}`", [MissingGitRevisionError]).attempts do
+            _, err, status = capture(command, nil)
+            return extra_ref if status.success?
+
+            if err.include?("Could not find remote branch")
+              raise MissingGitRevisionError.new(command_with_no_credentials, nil, explicit_ref, credential_filtered_uri)
+            else
+              raise GitCommandError.new(command_with_no_credentials, path, err)
+            end
+          end
         end
 
         def clone_needs_unshallow?
@@ -354,6 +366,11 @@ module Bundler
           args += ["--single-branch"]
           args.unshift("--no-tags") if supports_cloning_with_no_tags?
 
+          # If there's a locked revision, no need to clone any specific branch
+          # or tag, since we will end up checking out that locked revision
+          # anyways.
+          return args if @revision
+
           args += ["--branch", branch || tag] if branch || tag
           args
         end

data/lib/bundler/source/git.rb

@@ -19,7 +19,7 @@ module Bundler
         # Stringify options that could be set as symbols
         %w[ref branch tag revision].each {|k| options[k] = options[k].to_s if options[k] }
 
-        @uri        = options["uri"] || ""
+        @uri        = URINormalizer.normalize_suffix(options["uri"] || "", :trailing_slash => false)
         @safe_uri   = URICredentialsFilter.credential_filtered_uri(@uri)
         @branch     = options["branch"]
         @ref        = options["ref"] || options["branch"] || options["tag"]
@@ -173,6 +173,7 @@ module Bundler
       end
 
       def install(spec, options = {})
+        return if Bundler.settings[:no_install]
         force = options[:force]
 
         print_using_message "Using #{version_message(spec, options[:previous_spec])} from #{self}"

data/lib/bundler/source/path.rb

@@ -11,7 +11,7 @@ module Bundler
 
       protected :original_path
 
-      DEFAULT_GLOB = "{,*,*/*}.gemspec".freeze
+      DEFAULT_GLOB = "{,*,*/*}.gemspec"
 
       def initialize(options)
         @options = options.dup

data/lib/bundler/source/rubygems.rb

@@ -337,8 +337,7 @@ module Bundler
       end
 
       def normalize_uri(uri)
-        uri = uri.to_s
-        uri = "#{uri}/" unless %r{/$}.match?(uri)
+        uri = URINormalizer.normalize_suffix(uri.to_s)
         require_relative "../vendored_uri"
         uri = Bundler::URI(uri)
         raise ArgumentError, "The source must be an absolute URI. For example:\n" \

data/lib/bundler/spec_set.rb

@@ -7,11 +7,8 @@ module Bundler
     include Enumerable
     include TSort
 
-    attr_reader :incomplete_specs
-
-    def initialize(specs, incomplete_specs = [])
+    def initialize(specs)
       @specs = specs
-      @incomplete_specs = incomplete_specs
     end
 
     def for(dependencies, check = false, platforms = [nil])
@@ -24,6 +21,7 @@ module Bundler
 
         name = dep[0].name
         platform = dep[1]
+        incomplete = false
 
         key = [name, platform]
         next if handled.key?(key)
@@ -36,14 +34,19 @@ module Bundler
 
           specs_for_dep.first.dependencies.each do |d|
             next if d.type == :development
+            incomplete = true if d.name != "bundler" && lookup[d.name].empty?
             deps << [d, dep[1]]
           end
-        elsif check
-          @incomplete_specs += lookup[name]
+        else
+          incomplete = true
+        end
+
+        if incomplete && check
+          specs << IncompleteSpecification.new(name, lookup[name])
         end
       end
 
-      specs
+      specs.uniq
     end
 
     def [](key)
@@ -75,10 +78,10 @@ module Bundler
       lookup.dup
     end
 
-    def materialize(deps)
-      materialized = self.for(deps, true)
+    def materialize(deps, platforms = [nil])
+      materialized = self.for(deps, true, platforms)
 
-      SpecSet.new(materialized, incomplete_specs)
+      SpecSet.new(materialized)
     end
 
     # Materialize for all the specs in the spec set, regardless of what platform they're for
@@ -95,15 +98,19 @@ module Bundler
     end
 
     def incomplete_ruby_specs?(deps)
-      self.for(deps, true, [Gem::Platform::RUBY])
+      return false if @specs.empty?
 
-      @incomplete_specs.any?
+      materialize(deps, [Gem::Platform::RUBY]).incomplete_specs.any?
     end
 
     def missing_specs
       @specs.select {|s| s.is_a?(LazySpecification) }
     end
 
+    def incomplete_specs
+      @specs.select {|s| s.is_a?(IncompleteSpecification) }
+    end
+
     def merge(set)
       arr = sorted.dup
       set.each do |set_spec|

data/lib/bundler/templates/Executable.bundler

@@ -47,7 +47,7 @@ m = Module.new do
   def lockfile
     lockfile =
       case File.basename(gemfile)
-      when "gems.rb" then gemfile.sub(/\.rb$/, gemfile)
+      when "gems.rb" then gemfile.sub(/\.rb$/, ".locked")
       else "#{gemfile}.lock"
       end
     File.expand_path(lockfile)

data/lib/bundler/templates/newgem/Gemfile.tt

@@ -10,7 +10,7 @@ gem "rake", "~> 13.0"
 
 gem "rake-compiler"
 <%- if config[:ext] == 'rust' -%>
-gem "rb_sys"
+gem "rb_sys", "~> 0.9.63"
 <%- end -%>
 <%- end -%>
 <%- if config[:test] -%>

data/lib/bundler/templates/newgem/Rakefile.tt

@@ -41,6 +41,15 @@ require "standard/rake"
 <% if config[:ext] -%>
 <% default_task_names.unshift(:compile) -%>
 <% default_task_names.unshift(:clobber) unless config[:ext] == 'rust' -%>
+<% if config[:ext] == 'rust' -%>
+require "rb_sys/extensiontask"
+
+task build: :compile
+
+RbSys::ExtensionTask.new(<%= config[:name].inspect %>) do |ext|
+  ext.lib_dir = "lib/<%= config[:namespaced_path] %>"
+end
+<% else -%>
 require "rake/extensiontask"
 
 task build: :compile
@@ -48,6 +57,7 @@ task build: :compile
 Rake::ExtensionTask.new("<%= config[:underscored_name] %>") do |ext|
   ext.lib_dir = "lib/<%= config[:namespaced_path] %>"
 end
+<% end -%>
 
 <% end -%>
 <% if default_task_names.size == 1 -%>

data/lib/bundler/templates/newgem/github/workflows/main.yml.tt

@@ -20,7 +20,7 @@ jobs:
     - uses: actions/checkout@v3
 <%- if config[:ext] == 'rust' -%>
     - name: Set up Ruby & Rust
-      uses: oxidize-rb/actions/setup-ruby-and-rust@main
+      uses: oxidize-rb/actions/setup-ruby-and-rust@v1
       with:
         ruby-version: ${{ matrix.ruby }}
         bundler-cache: true

data/lib/bundler/templates/newgem/newgem.gemspec.tt

@@ -29,7 +29,7 @@ Gem::Specification.new do |spec|
   # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
   spec.files = Dir.chdir(__dir__) do
     `git ls-files -z`.split("\x0").reject do |f|
-      (File.expand_path(f) == __FILE__) || f.match(%r{\A(?:(?:bin|test|spec|features)/|\.(?:git|circleci)|appveyor)})
+      (File.expand_path(f) == __FILE__) || f.start_with?(*%w[bin/ test/ spec/ features/ .git .circleci appveyor])
     end
   end
   spec.bindir = "exe"

data/lib/bundler/uri_normalizer.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Bundler
+  module URINormalizer
+    module_function
+
+    # Normalizes uri to a consistent version, either with or without trailing
+    # slash.
+    #
+    # TODO: Currently gem sources are locked with a trailing slash, while git
+    # sources are locked without a trailing slash. This should be normalized but
+    # the inconsistency is there for now to avoid changing all lockfiles
+    # including GIT sources. We could normalize this on the next major.
+    #
+    def normalize_suffix(uri, trailing_slash: true)
+      if trailing_slash
+        uri.end_with?("/") ? uri : "#{uri}/"
+      else
+        uri.end_with?("/") ? uri.delete_suffix("/") : uri
+      end
+    end
+  end
+end

data/lib/bundler/vendor/pub_grub/lib/pub_grub/incompatibility.rb

@@ -8,9 +8,6 @@ module Bundler::PubGrub
     InvalidDependency = Struct.new(:package, :constraint) do
     end
 
-    CircularDependency = Struct.new(:package, :constraint) do
-    end
-
     NoVersions = Struct.new(:constraint) do
     end
 
@@ -66,8 +63,6 @@ module Bundler::PubGrub
         "#{terms[0].to_s(allow_every: true)} depends on #{terms[1].invert}"
       when Bundler::PubGrub::Incompatibility::InvalidDependency
         "#{terms[0].to_s(allow_every: true)} depends on unknown package #{cause.package}"
-      when Bundler::PubGrub::Incompatibility::CircularDependency
-        "#{terms[0].to_s(allow_every: true)} depends on itself"
       when Bundler::PubGrub::Incompatibility::NoVersions
         "no versions satisfy #{cause.constraint}"
       when Bundler::PubGrub::Incompatibility::ConflictCause

data/lib/bundler/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: false
 
 module Bundler
-  VERSION = "2.4.7".freeze
+  VERSION = "2.4.9".freeze
 
   def self.bundler_major_version
     @bundler_major_version ||= VERSION.split(".").first.to_i

data/lib/bundler.rb

@@ -39,8 +39,8 @@ module Bundler
   environment_preserver.replace_with_backup
   SUDO_MUTEX = Thread::Mutex.new
 
-  SAFE_MARSHAL_CLASSES = [Symbol, TrueClass, String, Array, Hash].freeze
-  SAFE_MARSHAL_ERROR = "Unexpected class %s present in marshaled data. Only %s are allowed.".freeze
+  SAFE_MARSHAL_CLASSES = [Symbol, TrueClass, String, Array, Hash, Gem::Version, Gem::Specification].freeze
+  SAFE_MARSHAL_ERROR = "Unexpected class %s present in marshaled data. Only %s are allowed."
   SAFE_MARSHAL_PROC = proc do |object|
     object.tap do
       unless SAFE_MARSHAL_CLASSES.include?(object.class)
@@ -62,6 +62,7 @@ module Bundler
   autoload :GemHelpers,             File.expand_path("bundler/gem_helpers", __dir__)
   autoload :GemVersionPromoter,     File.expand_path("bundler/gem_version_promoter", __dir__)
   autoload :Graph,                  File.expand_path("bundler/graph", __dir__)
+  autoload :IncompleteSpecification, File.expand_path("bundler/incomplete_specification", __dir__)
   autoload :Index,                  File.expand_path("bundler/index", __dir__)
   autoload :Injector,               File.expand_path("bundler/injector", __dir__)
   autoload :Installer,              File.expand_path("bundler/installer", __dir__)
@@ -85,6 +86,7 @@ module Bundler
   autoload :StubSpecification,      File.expand_path("bundler/stub_specification", __dir__)
   autoload :UI,                     File.expand_path("bundler/ui", __dir__)
   autoload :URICredentialsFilter,   File.expand_path("bundler/uri_credentials_filter", __dir__)
+  autoload :URINormalizer,          File.expand_path("bundler/uri_normalizer", __dir__)
 
   class << self
     def configure
@@ -506,7 +508,7 @@ EOF
       if File.file?(executable) && File.executable?(executable)
         executable
       elsif paths = ENV["PATH"]
-        quote = '"'.freeze
+        quote = '"'
         paths.split(File::PATH_SEPARATOR).find do |path|
           path = path[1..-2] if path.start_with?(quote) && path.end_with?(quote)
           executable_path = File.expand_path(executable, path)
@@ -525,12 +527,6 @@ EOF
       load_marshal(data, :marshal_proc => SAFE_MARSHAL_PROC)
     end
 
-    def load_marshal(data, marshal_proc: nil)
-      Marshal.load(data, marshal_proc)
-    rescue TypeError => e
-      raise MarshalError, "#{e.class}: #{e.message}"
-    end
-
     def load_gemspec(file, validate = false)
       @gemspec_cache ||= {}
       key = File.expand_path(file)
@@ -619,6 +615,12 @@ EOF
 
     private
 
+    def load_marshal(data, marshal_proc: nil)
+      Marshal.load(data, marshal_proc)
+    rescue TypeError => e
+      raise MarshalError, "#{e.class}: #{e.message}"
+    end
+
     def eval_yaml_gemspec(path, contents)
       Kernel.require "psych"
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bundler
 version: !ruby/object:Gem::Version
-  version: 2.4.7
+  version: 2.4.9
 platform: ruby
 authors:
 - André Arko
@@ -22,7 +22,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-02-15 00:00:00.000000000 Z
+date: 2023-03-20 00:00:00.000000000 Z
 dependencies: []
 description: Bundler manages an application's dependencies through its entire life,
   across many machines, systematically and repeatably
@@ -103,6 +103,7 @@ files:
 - lib/bundler/gem_tasks.rb
 - lib/bundler/gem_version_promoter.rb
 - lib/bundler/graph.rb
+- lib/bundler/incomplete_specification.rb
 - lib/bundler/index.rb
 - lib/bundler/injector.rb
 - lib/bundler/inline.rb
@@ -266,6 +267,7 @@ files:
 - lib/bundler/ui/shell.rb
 - lib/bundler/ui/silent.rb
 - lib/bundler/uri_credentials_filter.rb
+- lib/bundler/uri_normalizer.rb
 - lib/bundler/vendor/.document
 - lib/bundler/vendor/connection_pool/LICENSE
 - lib/bundler/vendor/connection_pool/lib/connection_pool.rb
@@ -379,7 +381,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.0.1
 requirements: []
-rubygems_version: 3.4.7
+rubygems_version: 3.4.9
 signing_key:
 specification_version: 4
 summary: The best way to manage your application's dependencies