bundler 4.0.14 → 4.0.15

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2c7cfeed01a046a9b186ddcdb1039e59c4605673529e12fb08b3fb32f424650f
-  data.tar.gz: 375e9b2540c5493fb90cb4e2004372c4fdbac9ed67d09a680bc23fdb71e04c58
+  metadata.gz: b500418ab2bb689238b11172e7713d90513adbeeea8b4a27e3e9e12e1ac61cdb
+  data.tar.gz: 5c6463f83fcec1c3310af6cf30fdbe50774e8016a6ac8c277a65fcb14ca52c0a
 SHA512:
-  metadata.gz: 55a5604bfb508d0c3b509702ce84a42bd4811f3f42222176133942fed42ff0f224ed64fcf68873e163cfe63d8cc183f11b67f4ec915814d3e121bb70f575296d
-  data.tar.gz: 4178ca638dd4f4ede2977526c4edba39cb6ae21f9d7d0ba6cab55d47235556d9ea41bfc4353b2349a1085746af76825c84e5597deba5130d874150f8ae1f91ef
+  metadata.gz: e36d0b9bc29b9ca34a12ccb44ec995e774f55348d2181ea220ed70d68232d65f89c338ac799f35ea3a97cddbc73db10ef584756cfa1e480cc0c1be8b97c454ce
+  data.tar.gz: f5dfd925657ea59c8fde6a4c5bf658e7e3b5b9357a1ccd9d03167dc7cfbcd40db826d3b909a65101e24bd15d15287d4e6505884a6117e152feb516e0597ca2ab

data/CHANGELOG.md

@@ -1,5 +1,22 @@
 # Changelog
 
+## 4.0.15 / 2026-06-24
+
+### Enhancements:
+
+* Resolve Git LFS files in git sources from the real remote. Pull request [#9632](https://github.com/ruby/rubygems/pull/9632) by hsbt
+* Suggest access issues, not only yanking, for missing locked gems. Pull request [#9631](https://github.com/ruby/rubygems/pull/9631) by hsbt
+* Implement a make jobserver (continuation of #9210). Pull request [#9625](https://github.com/ruby/rubygems/pull/9625) by hsbt
+* Reduce peak memory usage of full index loading and bundle install. Pull request [#9618](https://github.com/ruby/rubygems/pull/9618) by hsbt
+* Bump up to rb-sys 0.9.128. Pull request [#9569](https://github.com/ruby/rubygems/pull/9569) by hsbt
+
+### Bug fixes:
+
+* Skip the make jobserver on Windows. Pull request [#9630](https://github.com/ruby/rubygems/pull/9630) by hsbt
+* Don't require source plugins to be installed to parse a lockfile: 4.0.x. Pull request [#9621](https://github.com/ruby/rubygems/pull/9621) by hsbt
+* Exempt lockfile versions from cooldown on every resolution path. Pull request [#9619](https://github.com/ruby/rubygems/pull/9619) by hsbt
+* Set `Bundler.settings[:ssl_ca_cert]` to download gems. Pull request [#9610](https://github.com/ruby/rubygems/pull/9610) by junaruga
+
 ## 4.0.14 / 2026-06-10
 
 ### Bug fixes:

data/lib/bundler/build_metadata.rb

@@ -5,7 +5,7 @@ module Bundler
   module BuildMetadata
     # begin ivars
     @built_at = nil
-    @git_commit_sha = "265babb801".freeze
+    @git_commit_sha = "12ba1f437b".freeze
     # end ivars
 
     # A hash representation of the build metadata.

data/lib/bundler/definition.rb

@@ -230,6 +230,16 @@ module Bundler
       sources.prefer_local!
     end
 
+    # Releases memory only needed during resolution, such as remote spec
+    # indexes and resolver state. Only safe to call once resolution is
+    # complete and the result has been materialized, since any further
+    # resolution will need to refetch remote specs.
+    def release_resolution_memory!
+      @resolver = nil
+      @resolution_base = nil
+      sources.release_resolution_memory!
+    end
+
     # For given dependency list returns a SpecSet with Gemspec of all the required
     # dependencies.
     #  1. The method first resolves the dependencies specified in Gemfile
@@ -688,9 +698,10 @@ module Bundler
             "available locally before rerunning Bundler."
           else
             "Your bundle is locked to #{locked_gem} from #{locked_gem.source}, but that version can " \
-            "no longer be found in that source. That means the author of #{locked_gem} has removed it. " \
-            "You'll need to update your bundle to a version other than #{locked_gem} that hasn't been " \
-            "removed in order to install."
+            "no longer be found in that source. That means either the author of #{locked_gem} has removed it, " \
+            "or you no longer have access to that source. You'll need to update your bundle to a version other " \
+            "than #{locked_gem} that hasn't been removed, or check your credentials and access rights for " \
+            "#{locked_gem.source}, in order to install."
           end
 
           raise GemNotFound, message
@@ -1283,7 +1294,7 @@ module Bundler
 
     def new_resolution_base(last_resolve:, unlock:)
       new_resolution_platforms = @current_platform_missing ? @new_platforms + [Bundler.local_platform] : @new_platforms
-      Resolver::Base.new(source_requirements, expanded_dependencies, last_resolve, @platforms, locked_specs: @originally_locked_specs, unlock: unlock, prerelease: gem_version_promoter.pre?, prefer_local: @prefer_local, new_platforms: new_resolution_platforms)
+      Resolver::Base.new(source_requirements, expanded_dependencies, last_resolve, @platforms, locked_specs: @originally_locked_specs, unlock: unlock, prerelease: gem_version_promoter.pre?, prefer_local: @prefer_local, new_platforms: new_resolution_platforms, explicit_unlocks: @explicit_unlocks)
     end
 
     def new_resolver(base)

data/lib/bundler/fetcher/base.rb

@@ -38,6 +38,9 @@ module Bundler
         false
       end
 
+      def release_resolution_memory!
+      end
+
       private
 
       def log_specs(&block)

data/lib/bundler/fetcher/compact_index.rb

@@ -63,6 +63,13 @@ module Bundler
         true
       end
 
+      # The client holds the parsed checksums of all info files in the
+      # index. Dropping it is always safe because it is rebuilt from the
+      # local cache on demand.
+      def release_resolution_memory!
+        @compact_index_client = nil
+      end
+
       private
 
       def compact_index_client
@@ -73,6 +80,12 @@ module Bundler
       end
 
       def fetch_gem_infos(names)
+        # Create the client and update the versions file on this thread.
+        # Otherwise the workers race to lazily create the client and update
+        # the versions file concurrently, e.g. when the client was released
+        # after resolution and is being rebuilt for `bundle cache`.
+        compact_index_client.available?
+
         in_parallel(names) {|name| compact_index_client.info(name) }
       rescue TooManyRequestsError # rubygems.org is rate limiting us, slow down.
         @bundle_worker&.stop

data/lib/bundler/fetcher/gem_remote_fetcher.rb

@@ -9,6 +9,8 @@ module Bundler
         super
 
         @pool_size = Bundler.settings.installation_parallelization
+        ssl_ca_cert = Bundler.settings[:ssl_ca_cert]
+        @cert_files << ssl_ca_cert if ssl_ca_cert
       end
 
       def request(*args)

data/lib/bundler/fetcher.rb

@@ -243,6 +243,10 @@ module Bundler
       fetchers.first.api_fetcher?
     end
 
+    def release_resolution_memory!
+      @fetchers&.each(&:release_resolution_memory!)
+    end
+
     def gem_remote_fetcher
       @gem_remote_fetcher ||= begin
         require_relative "fetcher/gem_remote_fetcher"

data/lib/bundler/installer/parallel_installer.rb

@@ -110,10 +110,49 @@ module Bundler
     end
 
     def install_with_worker
-      installed_specs = {}
-      enqueue_specs(installed_specs)
+      with_jobserver do
+        installed_specs = {}
+        enqueue_specs(installed_specs)
 
-      process_specs(installed_specs) until finished_installing?
+        process_specs(installed_specs) until finished_installing?
+      end
+    end
+
+    def with_jobserver
+      # The jobserver hands tokens to child `make` processes through MAKEFLAGS
+      # using the GNU make `--jobserver-auth` protocol. nmake, the default make
+      # on mswin, instead reads MAKEFLAGS as bare option letters and aborts
+      # every native extension build with `fatal error U1065: invalid option
+      # '-'`. Skip the jobserver when nmake is in use. Other Windows toolchains
+      # such as mingw use GNU make and keep working through the inherited pipe.
+      return yield if nmake?
+
+      begin
+        r, w = IO.pipe
+        r.close_on_exec = false
+        w.close_on_exec = false
+        w.write("*" * @size)
+
+        old_makeflags = ENV["MAKEFLAGS"]
+        ENV["MAKEFLAGS"] = [old_makeflags, "--jobserver-auth=#{r.fileno},#{w.fileno}"].compact.join(" ")
+
+        yield
+      ensure
+        # Restore MAKEFLAGS before closing the pipe so a close failure can't
+        # leave the process with descriptors that point at a closed pipe.
+        old_makeflags ? ENV["MAKEFLAGS"] = old_makeflags : ENV.delete("MAKEFLAGS")
+
+        r&.close
+        w&.close
+      end
+    end
+
+    # Mirror how RubyGems' extension builder picks the make program so the
+    # jobserver is only set up when a GNU-compatible make will consume it.
+    def nmake?
+      make = ENV["MAKE"] || ENV["make"]
+      make ||= "nmake" if RUBY_PLATFORM.include?("mswin")
+      /\bnmake/i.match?(make.to_s)
     end
 
     def install_serially

data/lib/bundler/installer.rb

@@ -195,7 +195,13 @@ module Bundler
       force = options[:force]
       local = options[:local] || options[:"prefer-local"]
       jobs = Bundler.settings.installation_parallelization
-      spec_installations = ParallelInstaller.call(self, @definition.specs, jobs, standalone, force, local: local)
+      specs = @definition.specs
+      # Installing default gems may need the remote index again to cache
+      # their .gem files, so keep resolution memory around in that case.
+      # The bundler spec itself is excluded because it comes from the
+      # metadata source and never goes through that path.
+      @definition.release_resolution_memory! if specs.none? {|s| s.default_gem? && s.source.is_a?(Source::Rubygems) }
+      spec_installations = ParallelInstaller.call(self, specs, jobs, standalone, force, local: local)
       spec_installations.each do |installation|
         post_install_messages[installation.name] = installation.post_install_message if installation.has_post_install_message?
       end

data/lib/bundler/mirror.rb

@@ -160,18 +160,18 @@ module Bundler
 
       def wait_for_writtable_socket(socket, address, timeout)
         if IO.select(nil, [socket], nil, timeout)
-          probe_writtable_socket(socket, address)
+          probe_writtable_socket(socket)
         else # TCP Handshake timed out, or there is something dropping packets
           false
         end
       end
 
-      def probe_writtable_socket(socket, address)
-        socket.connect_nonblock(address)
-      rescue Errno::EISCONN
-        true
-      rescue StandardError # Connection failed
-        false
+      def probe_writtable_socket(socket)
+        # Check the pending error on the socket rather than calling
+        # +connect_nonblock+ a second time. On BSD-based systems such as macOS a
+        # second connect returns +EISCONN+ even when the asynchronous connect
+        # failed, which would make a down mirror look reachable.
+        socket.getsockopt(Socket::SOL_SOCKET, Socket::SO_ERROR).int == 0
       end
     end
   end

data/lib/bundler/plugin/unloaded_source.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Plugin
+    # Stands in for a source handled by a plugin that is not loaded yet, so
+    # that the lockfile can still be parsed during the plugin install pass,
+    # and by external tools reading a lockfile without the plugin installed.
+    class UnloadedSource
+      include API::Source
+
+      # Unlike real plugin sources, where the handling class encodes the
+      # source type, all unloaded sources share this class, so the type must
+      # be compared explicitly.
+      def ==(other)
+        super && options["type"] == other.options["type"]
+      end
+
+      alias_method :eql?, :==
+
+      def hash
+        [super, options["type"]].hash
+      end
+    end
+  end
+end

data/lib/bundler/plugin.rb

@@ -4,11 +4,12 @@ require_relative "plugin/api"
 
 module Bundler
   module Plugin
-    autoload :DSL,        File.expand_path("plugin/dsl", __dir__)
-    autoload :Events,     File.expand_path("plugin/events", __dir__)
-    autoload :Index,      File.expand_path("plugin/index", __dir__)
-    autoload :Installer,  File.expand_path("plugin/installer", __dir__)
-    autoload :SourceList, File.expand_path("plugin/source_list", __dir__)
+    autoload :DSL,            File.expand_path("plugin/dsl", __dir__)
+    autoload :Events,         File.expand_path("plugin/events", __dir__)
+    autoload :Index,          File.expand_path("plugin/index", __dir__)
+    autoload :Installer,      File.expand_path("plugin/installer", __dir__)
+    autoload :SourceList,     File.expand_path("plugin/source_list", __dir__)
+    autoload :UnloadedSource, File.expand_path("plugin/unloaded_source", __dir__)
 
     class MalformattedPlugin < PluginError; end
     class UndefinedCommandError < PluginError; end
@@ -199,9 +200,14 @@ module Bundler
     # @return [API::Source] the instance of the class that handles the source
     #                       type passed in locked_opts
     def from_lock(locked_opts)
+      opts = locked_opts.merge("uri" => locked_opts["remote"])
+      # use an inert placeholder when the plugin handling this source is not
+      # installed, so that the lockfile can still be parsed
+      return UnloadedSource.new(opts) unless source?(locked_opts["type"])
+
       src = source(locked_opts["type"])
 
-      src.new(locked_opts.merge("uri" => locked_opts["remote"]))
+      src.new(opts)
     end
 
     # To be called via the API to register a hooks and corresponding block that

data/lib/bundler/resolver/base.rb

@@ -8,6 +8,7 @@ module Bundler
       attr_reader :packages, :requirements, :source_requirements, :locked_specs
 
       def initialize(source_requirements, dependencies, base, platforms, options)
+        @explicit_unlocks = options.delete(:explicit_unlocks) || []
         @source_requirements = source_requirements
         @locked_specs = options[:locked_specs]
 
@@ -43,6 +44,14 @@ module Bundler
         @packages[name]
       end
 
+      # Gems the user named on a `bundle update GEM` / `bundle lock --update GEM`
+      # command line. These are the only ones meant to move off their locked
+      # version, so cooldown keeps applying to them while every other locked gem
+      # stays exempt.
+      def explicitly_unlocked?(name)
+        @explicit_unlocks.include?(name)
+      end
+
       def base_requirements
         @base_requirements ||= build_base_requirements
       end

data/lib/bundler/resolver.rb

@@ -437,25 +437,29 @@ module Bundler
     def cooldown_excluded?(spec)
       return false unless spec.respond_to?(:created_at) && spec.created_at
       return false unless spec.respond_to?(:remote) && spec.remote
-      return false if pinned_by_lockfile_floor?(spec)
+      return false if locked_by_lockfile?(spec)
       days = spec.remote.effective_cooldown
       return false if days.nil? || days <= 0
       (cooldown_now - spec.created_at) < (days * 86_400)
     end
 
-    # A spec sitting exactly at a `>= locked_version` prevent-downgrade floor is
-    # the version the lockfile currently pins. `bundle update` and `bundle
-    # outdated` install that floor so resolution never moves a gem backwards.
-    # Filtering it out for cooldown would then make resolution impossible
-    # whenever the locked version is itself inside the cooldown window, which is
-    # exactly what happens to a lockfile written before cooldown was enabled.
-    # Keep it eligible; gems being explicitly updated carry an exact `=`
-    # requirement instead and stay subject to the cooldown filter.
-    def pinned_by_lockfile_floor?(spec)
+    # A version already written to the lockfile has been adopted, and cooldown
+    # only governs the adoption of *new* versions, so it must never retract one
+    # the lockfile already pins. Keying this off the locked specs rather than the
+    # prevent-downgrade floor matters because that floor is absent on resolutions
+    # that re-pick a gem from scratch: the auxiliary full update run to compute
+    # `--update` targets, and the from-scratch retries after a conflict unlocks a
+    # gem. In those passes the locked version is the only candidate, so filtering
+    # it out makes an unrelated operation impossible whenever every published
+    # version matching the requirement sits inside the cooldown window.
+    #
+    # Gems named on a `bundle update GEM` command are the exception: the user
+    # asked to move them, so they stay subject to cooldown and a locked-but-fresh
+    # release is pushed back to an older one (or fails loudly when none exists).
+    def locked_by_lockfile?(spec)
       return false unless defined?(@base) && @base
-      requirement = base_requirements[spec.name]
-      return false unless requirement && !requirement.exact?
-      requirement.requirements.any? {|op, version| op == ">=" && version == spec.version }
+      return false if @base.explicitly_unlocked?(spec.name)
+      @base.locked_specs[spec.name].any? {|locked| locked.version == spec.version }
     end
 
     def cooldown_now

data/lib/bundler/rubygems_gem_installer.rb

@@ -4,6 +4,11 @@ require "rubygems/installer"
 
 module Bundler
   class RubyGemsGemInstaller < Gem::Installer
+    # Cap how many jobserver slots a single gem's `make` may grab so that one
+    # gem with many recipes doesn't starve the others sharing the pool. Beyond
+    # a handful of jobs the extra parallelism rarely pays off in practice.
+    MAX_JOBS_PER_GEM = 3
+
     def check_executable_overwrite(filename)
       # Bundler needs to install gems regardless of binstub overwriting
     end
@@ -101,10 +106,18 @@ module Bundler
     end
 
     def build_jobs
-      Bundler.settings[:jobs] || super
+      @jobserver_read_io&.read_nonblock(MAX_JOBS_PER_GEM, @jobserver_tokens)
+      acquired_jobs = @jobserver_tokens.empty? ? nil : @jobserver_tokens.size
+
+      acquired_jobs || Bundler.settings[:jobs] || super
+    rescue IO::WaitReadable, EOFError
+      1
     end
 
     def build_extensions
+      @jobserver_tokens = +""
+      @jobserver_read_io, @jobserver_write_io = connect_to_jobserver
+
       extension_cache_path = options[:bundler_extension_cache_path]
       extension_dir = spec.extension_dir
       unless extension_cache_path && extension_dir
@@ -128,6 +141,11 @@ module Bundler
           FileUtils.cp_r extension_dir, extension_cache_path
         end
       end
+    ensure
+      unless @jobserver_tokens.empty?
+        @jobserver_write_io.write(@jobserver_tokens)
+        @jobserver_write_io.flush
+      end
     end
 
     def spec
@@ -144,6 +162,21 @@ module Bundler
 
     private
 
+    def connect_to_jobserver
+      return unless ENV["MAKEFLAGS"]
+      # We append our own --jobserver-auth, so read the last one. Otherwise a
+      # parent jobserver's descriptors (e.g. `bundle install` run under
+      # `make -j`) would be picked up instead of the pool ParallelInstaller created.
+      read_fd, write_fd = ENV["MAKEFLAGS"].scan(/--jobserver-auth=(\d+),(\d+)/).last
+
+      return unless read_fd && write_fd
+
+      # Pass explicit modes. On POSIX, IO.new detects the descriptor's access
+      # mode, but on Windows it can't, so the write end would default to read
+      # mode and raise "IOError: not opened for writing" when releasing slots.
+      [IO.new(read_fd.to_i, "r", autoclose: false), IO.new(write_fd.to_i, "w", autoclose: false)]
+    end
+
     def prepare_extension_build(extension_dir)
       SharedHelpers.filesystem_access(extension_dir, :create) do
         FileUtils.mkdir_p extension_dir

data/lib/bundler/source/git/git_proxy.rb

@@ -144,6 +144,12 @@ module Bundler
                 FileUtils.rm_rf(p)
               end
               git "clone", "--no-checkout", "--quiet", path.to_s, destination.to_s
+              # The copy is cloned from the local bare cache, which holds no Git LFS
+              # objects, so point origin back at the real remote and let git-lfs derive
+              # its endpoint from there when checking out. Use the credential-filtered
+              # URI to avoid persisting secrets in the copy's .git/config; auth is left
+              # to git's credential helper.
+              git "remote", "set-url", "origin", credential_filtered_uri, dir: destination
               File.chmod((File.stat(destination).mode | 0o777) & ~File.umask, destination)
             rescue Errno::EEXIST => e
               file_path = e.message[%r{.*?((?:[a-zA-Z]:)?/.*)}, 1]

data/lib/bundler/source/rubygems.rb

@@ -25,6 +25,7 @@ module Bundler
         @checksum_store = Checksum::Store.new
         @gem_installers = {}
         @gem_installers_mutex = Mutex.new
+        @remote_specs_mutex = Mutex.new
 
         cooldown = options["cooldown"]
         Array(options["remotes"]).reverse_each {|r| add_remote(r, cooldown: cooldown) }
@@ -243,7 +244,7 @@ module Bundler
       def cached_built_in_gem(spec, local: false)
         cached_path = cached_gem(spec)
         if cached_path.nil? && !local
-          remote_spec = remote_specs.search(spec).first
+          remote_spec = remote_spec_for(spec)
           if remote_spec
             cached_path = fetch_gem(remote_spec)
             spec.remote = remote_spec.remote
@@ -337,6 +338,12 @@ module Bundler
         @cached_specs = nil
       end
 
+      def release_resolution_memory!
+        @specs = nil
+        @remote_specs_mutex.synchronize { @remote_specs = nil }
+        @fetchers&.each(&:release_resolution_memory!)
+      end
+
       protected
 
       def remote_names
@@ -414,17 +421,30 @@ module Bundler
       end
 
       def remote_specs
-        @remote_specs ||= Index.build do |idx|
-          index_fetchers = fetchers - api_fetchers
+        @remote_specs ||= @remote_specs_mutex.synchronize do
+          @remote_specs ||= Index.build do |idx|
+            index_fetchers = fetchers - api_fetchers
 
-          if index_fetchers.empty?
-            fetch_names(api_fetchers, dependency_names, idx)
-          else
-            fetch_names(fetchers, nil, idx)
+            if index_fetchers.empty?
+              fetch_names(api_fetchers, dependency_names, idx)
+            else
+              fetch_names(fetchers, nil, idx)
+            end
           end
         end
       end
 
+      # Looks up a single spec in the remote sources, fetching only its own
+      # name when the full remote index is not already materialized.
+      def remote_spec_for(spec)
+        return remote_specs.search(spec).first if @remote_specs || api_fetchers.empty?
+
+        index = Index.build do |idx|
+          fetch_names(api_fetchers, [spec.name], idx)
+        end
+        index.search(spec).first
+      end
+
       def fetch_names(fetchers, dependency_names, index)
         fetchers.each do |f|
           if dependency_names

data/lib/bundler/source_list.rb

@@ -140,6 +140,10 @@ module Bundler
       rubygems_sources.each(&:clear_cache)
     end
 
+    def release_resolution_memory!
+      rubygems_sources.each(&:release_resolution_memory!)
+    end
+
     private
 
     def map_sources(replacement_sources)

data/lib/bundler/templates/newgem/newgem.gemspec.tt

@@ -47,7 +47,7 @@ Gem::Specification.new do |spec|
   # Uncomment to register a new dependency of your gem
   # spec.add_dependency "example-gem", "~> 1.0"
 <%- if config[:ext] == 'rust' -%>
-  spec.add_dependency "rb_sys", "~> 0.9.91"
+  spec.add_dependency "rb_sys", "~> 0.9.128"
 <%- end -%>
 <%- if config[:ext] == 'go' -%>
   spec.add_dependency "go_gem", "~> 0.2"

data/lib/bundler/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: false
 
 module Bundler
-  VERSION = "4.0.14".freeze
+  VERSION = "4.0.15".freeze
 
   def self.bundler_major_version
     @bundler_major_version ||= gem_version.segments.first

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bundler
 version: !ruby/object:Gem::Version
-  version: 4.0.14
+  version: 4.0.15
 platform: ruby
 authors:
 - André Arko
@@ -194,6 +194,7 @@ files:
 - lib/bundler/plugin/installer/path.rb
 - lib/bundler/plugin/installer/rubygems.rb
 - lib/bundler/plugin/source_list.rb
+- lib/bundler/plugin/unloaded_source.rb
 - lib/bundler/process_lock.rb
 - lib/bundler/remote_specification.rb
 - lib/bundler/resolver.rb