RubyGems - bundler - Versions diffs - 4.0.12 → 4.0.14 - Mend

bundler 4.0.12 → 4.0.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (33) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +23 -0
data/lib/bundler/build_metadata.rb +1 -1
data/lib/bundler/cli/add.rb +3 -0
data/lib/bundler/cli/common.rb +6 -0
data/lib/bundler/cli/install.rb +3 -0
data/lib/bundler/cli/outdated.rb +42 -2
data/lib/bundler/cli/update.rb +2 -0
data/lib/bundler/cli.rb +4 -0
data/lib/bundler/dsl.rb +6 -2
data/lib/bundler/endpoint_specification.rb +11 -1
data/lib/bundler/installer.rb +5 -0
data/lib/bundler/man/bundle-add.1 +4 -1
data/lib/bundler/man/bundle-add.1.ronn +6 -1
data/lib/bundler/man/bundle-config.1 +120 -156
data/lib/bundler/man/bundle-config.1.ronn +30 -0
data/lib/bundler/man/bundle-install.1 +4 -1
data/lib/bundler/man/bundle-install.1.ronn +9 -1
data/lib/bundler/man/bundle-outdated.1 +16 -13
data/lib/bundler/man/bundle-outdated.1.ronn +19 -12
data/lib/bundler/man/bundle-update.1 +4 -1
data/lib/bundler/man/bundle-update.1.ronn +8 -0
data/lib/bundler/remote_specification.rb +1 -1
data/lib/bundler/resolver.rb +58 -1
data/lib/bundler/rubygems_ext.rb +22 -0
data/lib/bundler/rubygems_gem_installer.rb +1 -1
data/lib/bundler/settings.rb +1 -0
data/lib/bundler/source/git/git_proxy.rb +7 -2
data/lib/bundler/source/rubygems/remote.rb +12 -2
data/lib/bundler/source/rubygems.rb +52 -4
data/lib/bundler/source_list.rb +10 -2
data/lib/bundler/version.rb +1 -1
metadata +2 -2

data/lib/bundler/resolver.rb CHANGED Viewed

@@ -184,6 +184,9 @@ module Bundler
         platforms_explanation = specs_matching_other_platforms.any? ? " for any resolution platforms (#{package.platforms.join(", ")})" : ""
         custom_explanation = "#{constraint} could not be found in #{repository_for(package)}#{platforms_explanation}"
+        if hint = cooldown_hint(specs_matching_other_platforms)
+          custom_explanation += " (#{hint})"
+        end
         label = "#{name} (#{constraint_string})"
         extended_explanation = other_specs_matching_message(specs_matching_other_platforms, label) if specs_matching_other_platforms.any?
@@ -353,6 +356,10 @@ module Bundler
         message << "\n#{other_specs_matching_message(specs, matching_part)}"
       end
+      if hint = cooldown_hint(specs_matching_requirement)
+        message << "\n\n#{hint}."
+      end
       if specs_matching_requirement.any? && (hint = platform_mismatch_hint)
         message << "\n\n#{hint}"
       end
@@ -396,7 +403,7 @@ module Bundler
     end
     def filter_specs(specs, package)
-      filter_remote_specs(filter_prereleases(specs, package), package)
+      filter_remote_specs(filter_cooldown(filter_prereleases(specs, package)), package)
     end
     def filter_prereleases(specs, package)
@@ -405,6 +412,56 @@ module Bundler
       specs.reject {|s| s.version.prerelease? }
     end
+    def filter_cooldown(specs)
+      return specs if specs.empty?
+      excluded_versions = cooldown_excluded_versions(specs)
+      return specs if excluded_versions.empty?
+      specs.reject {|s| excluded_versions.include?([s.name, s.version]) }
+    end
+    def cooldown_excluded_versions(specs)
+      excluded = {}
+      specs.each do |spec|
+        next unless cooldown_excluded?(spec)
+        excluded[[spec.name, spec.version]] = true
+      end
+      excluded
+    end
+    def cooldown_hint(specs)
+      excluded_versions = cooldown_excluded_versions(specs)
+      return nil if excluded_versions.empty?
+      "#{excluded_versions.size} version#{"s" if excluded_versions.size > 1} excluded by the cooldown setting; pass `--cooldown 0` to bypass"
+    end
+    def cooldown_excluded?(spec)
+      return false unless spec.respond_to?(:created_at) && spec.created_at
+      return false unless spec.respond_to?(:remote) && spec.remote
+      return false if pinned_by_lockfile_floor?(spec)
+      days = spec.remote.effective_cooldown
+      return false if days.nil? || days <= 0
+      (cooldown_now - spec.created_at) < (days * 86_400)
+    end
+    # A spec sitting exactly at a `>= locked_version` prevent-downgrade floor is
+    # the version the lockfile currently pins. `bundle update` and `bundle
+    # outdated` install that floor so resolution never moves a gem backwards.
+    # Filtering it out for cooldown would then make resolution impossible
+    # whenever the locked version is itself inside the cooldown window, which is
+    # exactly what happens to a lockfile written before cooldown was enabled.
+    # Keep it eligible; gems being explicitly updated carry an exact `=`
+    # requirement instead and stay subject to the cooldown filter.
+    def pinned_by_lockfile_floor?(spec)
+      return false unless defined?(@base) && @base
+      requirement = base_requirements[spec.name]
+      return false unless requirement && !requirement.exact?
+      requirement.requirements.any? {|op, version| op == ">=" && version == spec.version }
+    end
+    def cooldown_now
+      @cooldown_now ||= Time.now
+    end
     def filter_remote_specs(specs, package)
       if package.prefer_local?
         local_specs = specs.select {|s| s.is_a?(StubSpecification) }

data/lib/bundler/rubygems_ext.rb CHANGED Viewed

@@ -465,6 +465,28 @@ module Gem
     Resolver::APISet::GemParser.prepend(UnfreezeCompactIndexParsedResponse)
   end
+  # RubyGems before 4.0.13 split compact index dependency/requirement entries
+  # on every colon, which mangles metadata values that contain colons such as
+  # the `created_at` timestamps the cooldown feature relies on. Split only on
+  # the first colon so those values survive on older RubyGems.
+  #
+  # The module is defined unconditionally so it stays testable on any RubyGems,
+  # but only prepended when the host RubyGems still has the buggy behavior.
+  module SplitCompactIndexEntryOnFirstColon
+    private
+    def parse_dependency(string)
+      dependency = string.split(":", 2)
+      dependency[-1] = dependency[-1].split("&") if dependency.size > 1
+      dependency[0] = -dependency[0]
+      dependency
+    end
+  end
+  unless Gem.rubygems_version >= Gem::Version.new("4.0.13")
+    Resolver::APISet::GemParser.prepend(SplitCompactIndexEntryOnFirstColon)
+  end
   if Gem.rubygems_version < Gem::Version.new("3.6.0")
     class Package; end
     require "rubygems/package/tar_reader"

data/lib/bundler/rubygems_gem_installer.rb CHANGED Viewed

@@ -20,7 +20,7 @@ module Bundler
       strict_rm_rf spec.extension_dir
       SharedHelpers.filesystem_access(gem_dir, :create) do
-        FileUtils.mkdir_p gem_dir, mode: 0o755
+        FileUtils.mkdir_p gem_dir
       end
       SharedHelpers.filesystem_access(gem_dir, :write) do

data/lib/bundler/settings.rb CHANGED Viewed

@@ -42,6 +42,7 @@ module Bundler
     ].freeze
     NUMBER_KEYS = %w[
+      cooldown
       jobs
       redirect
       retry

data/lib/bundler/source/git/git_proxy.rb CHANGED Viewed

@@ -432,9 +432,14 @@ module Bundler
         end
         def capture3_args_for(cmd, dir)
-          return ["git", *cmd] unless dir
+          # Disable automatic maintenance so a background commit-graph write in
+          # the source repo can't race the hardlinking local clone and fail with
+          # "hardlink different from source".
+          opts = ["-c", "gc.auto=0", "-c", "maintenance.auto=false"]
-          ["git", "-C", dir.to_s, *cmd]
+          return ["git", *opts, *cmd] unless dir
+          ["git", "-C", dir.to_s, *opts, *cmd]
         end
         def extra_clone_args

data/lib/bundler/source/rubygems/remote.rb CHANGED Viewed

@@ -4,9 +4,9 @@ module Bundler
   class Source
     class Rubygems
       class Remote
-        attr_reader :uri, :anonymized_uri, :original_uri
+        attr_reader :uri, :anonymized_uri, :original_uri, :cooldown
-        def initialize(uri)
+        def initialize(uri, cooldown: nil)
           orig_uri = uri
           uri = Bundler.settings.mirror_for(uri)
           @original_uri = orig_uri if orig_uri != uri
@@ -14,6 +14,16 @@ module Bundler
           @uri = apply_auth(uri, fallback_auth).freeze
           @anonymized_uri = remove_auth(@uri).freeze
+          @cooldown = cooldown
+        end
+        # Returns the cooldown days that apply to this remote, resolving the
+        # precedence CLI > config > Gemfile per-source. Returns nil if no
+        # cooldown applies.
+        def effective_cooldown
+          override = Bundler.settings[:cooldown]
+          return override if override
+          @cooldown
         end
         MAX_CACHE_SLUG_HOST_SIZE = 255 - 1 - 32 # 255 minus dot minus MD5 length

data/lib/bundler/source/rubygems.rb CHANGED Viewed

@@ -11,11 +11,12 @@ module Bundler
       API_REQUEST_SIZE = 100
       REQUIRE_MUTEX = Mutex.new
-      attr_accessor :remotes
+      attr_accessor :remotes, :remote_cooldowns
       def initialize(options = {})
         @options = options
         @remotes = []
+        @remote_cooldowns = {}
         @dependency_names = []
         @allow_remote = false
         @allow_cached = false
@@ -25,7 +26,8 @@ module Bundler
         @gem_installers = {}
         @gem_installers_mutex = Mutex.new
-        Array(options["remotes"]).reverse_each {|r| add_remote(r) }
+        cooldown = options["cooldown"]
+        Array(options["remotes"]).reverse_each {|r| add_remote(r, cooldown: cooldown) }
         @lockfile_remotes = @remotes if options["from_lockfile"]
       end
@@ -148,6 +150,13 @@ module Bundler
           # sources, and large_idx.merge! small_idx is way faster than
           # small_idx.merge! large_idx.
           index = @allow_remote ? remote_specs.dup : Index.new
+          # Snapshot per-version `created_at` from the remote info before installed
+          # / cached specs overwrite the EndpointSpecification objects that carry
+          # it. The cooldown filter consults `created_at` on every candidate, so
+          # local stubs need the published date back-filled to participate.
+          remote_created_at = collect_remote_created_at(index)
           index.merge!(cached_specs) if @allow_cached
           index.merge!(installed_specs) if @allow_local
@@ -161,6 +170,8 @@ module Bundler
             end
           end
+          backfill_created_at(index, remote_created_at) unless remote_created_at.empty?
           index
         end
       end
@@ -243,9 +254,14 @@ module Bundler
         cached_path
       end
-      def add_remote(source)
+      def add_remote(source, cooldown: nil)
         uri = normalize_uri(source)
         @remotes.unshift(uri) unless @remotes.include?(uri)
+        @remote_cooldowns[uri] = cooldown if cooldown
+      end
+      def cooldown_for(uri)
+        @remote_cooldowns[uri]
       end
       def spec_names
@@ -266,7 +282,7 @@ module Bundler
       def remote_fetchers
         @remote_fetchers ||= remotes.to_h do |uri|
-          remote = Source::Rubygems::Remote.new(uri)
+          remote = Source::Rubygems::Remote.new(uri, cooldown: cooldown_for(uri))
           [remote, Bundler::Fetcher.new(remote)]
         end.freeze
       end
@@ -314,6 +330,13 @@ module Bundler
         @allow_remote && api_fetchers.any?
       end
+      def clear_cache
+        @specs = nil
+        @installed_specs = nil
+        @default_specs = nil
+        @cached_specs = nil
+      end
       protected
       def remote_names
@@ -456,6 +479,31 @@ module Bundler
       private
+      def collect_remote_created_at(index)
+        return {} unless @allow_remote
+        snapshot = {}
+        index.each do |spec|
+          next unless spec.respond_to?(:created_at) && spec.created_at
+          # Remember the remote that supplied the date too: when a source has
+          # several remotes with different per-URI cooldown settings we must
+          # restore the same one during backfill so `effective_cooldown` agrees.
+          snapshot[[spec.name, spec.version]] = [spec.created_at, spec.remote]
+        end
+        snapshot
+      end
+      def backfill_created_at(index, snapshot)
+        index.each do |spec|
+          next unless spec.respond_to?(:created_at=)
+          next if spec.created_at
+          remote_created_at, remote = snapshot[[spec.name, spec.version]]
+          next unless remote_created_at
+          spec.created_at = remote_created_at
+          spec.remote ||= remote if remote && spec.respond_to?(:remote=)
+        end
+      end
       def lockfile_remotes
         @lockfile_remotes || credless_remotes
       end

data/lib/bundler/source_list.rb CHANGED Viewed

@@ -59,8 +59,8 @@ module Bundler
       add_source_to_list Plugin.source(source).new(options), @plugin_sources
     end
-    def add_global_rubygems_remote(uri)
-      global_rubygems_source.add_remote(uri)
+    def add_global_rubygems_remote(uri, cooldown: nil)
+      global_rubygems_source.add_remote(uri, cooldown: cooldown)
       global_rubygems_source
     end
@@ -136,6 +136,10 @@ module Bundler
       all_sources.each(&:remote!)
     end
+    def clear_cache
+      rubygems_sources.each(&:clear_cache)
+    end
     private
     def map_sources(replacement_sources)
@@ -165,6 +169,10 @@ module Bundler
         # locked sources never include credentials so always prefer remotes from the gemfile
         replacement_source.remotes = gemfile_source.remotes
+        # cooldowns are only ever declared in the Gemfile, so carry them over
+        # along with the remotes they apply to
+        replacement_source.remote_cooldowns = gemfile_source.remote_cooldowns
         yield replacement_source if block_given?
         replacement_source

data/lib/bundler/version.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 # frozen_string_literal: false
 module Bundler
-  VERSION = "4.0.12".freeze
+  VERSION = "4.0.14".freeze
   def self.bundler_major_version
     @bundler_major_version ||= gem_version.segments.first

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bundler
 version: !ruby/object:Gem::Version
-  version: 4.0.12
+  version: 4.0.14
 platform: ruby
 authors:
 - André Arko
@@ -402,7 +402,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.4.1
 requirements: []
-rubygems_version: 4.0.10
+rubygems_version: 4.0.13
 specification_version: 4
 summary: The best way to manage your application's dependencies
 test_files: []