bundler 4.0.7 → 4.0.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5a885222998dfbe801692cb3fde27432339068b6273f33d0104e25509d18682d
-  data.tar.gz: 5ec66951013a0e8b87db477eae402b15b3f37f768d846515f1b6101e0e47b388
+  metadata.gz: ff315eb3319300026b3ab3422e82399e6b0ce63ef727f94e125a226623101c27
+  data.tar.gz: 00bb903a5564f2565ebcbc350837283f724d1ef42d4f586b37a972fe568015da
 SHA512:
-  metadata.gz: 20bdb8aab69b64c68f6bed37bbf1912113ab452b0fd4f6ffe1bb4455556c28df301287dea1cc0faeb45efbf37426300eada625efb34d57b4ab9929d3c05ffade
-  data.tar.gz: 9a4019d82dd530eac1ac0c6724cad21f6136a78df3ec0a03c63251764ef9190a056a851675550ce3bd4f9965f6040ae9125517ca1038cdbe04a7b97c0c853053
+  metadata.gz: c6a4c93541bd76ee07370d4995487fe663f10d8aa021f1d9104d6adfeb373a36bbc47fd3498094da011c561702d7a84ebb1854c80c99176578b0fbc666e2dba2
+  data.tar.gz: 29943339931f1e5b37c836346171c51f2a00a2cadbd7d7b5f30da5dd5bacb1f1024b7601ded1e1d895a3da4e11cf1d6ea35768a7196b351e237179d63759cd13

data/CHANGELOG.md

@@ -1,5 +1,30 @@
 # Changelog
 
+## 4.0.9 / 2026-03-25
+
+### Enhancements:
+
+* Check the git version only **once** per `bundle install`. Pull request [#9406](https://github.com/ruby/rubygems/pull/9406) by Edouard-chin
+* Normalize the number of workers when performing parallel operations. Pull request [#9400](https://github.com/ruby/rubygems/pull/9400) by Edouard-chin
+* Add exponential backoff to bundler retries. Pull request [#9163](https://github.com/ruby/rubygems/pull/9163) by ChrisBr
+* Introduce a priority queue. Pull request [#9389](https://github.com/ruby/rubygems/pull/9389) by Edouard-chin
+* Split the download and install process of a gem. Pull request [#9381](https://github.com/ruby/rubygems/pull/9381) by Edouard-chin
+
+### Bug fixes:
+
+* Retry git fetch without --depth for dumb HTTP transport. Pull request [#9405](https://github.com/ruby/rubygems/pull/9405) by hsbt
+
+## 4.0.8 (2026-03-11)
+
+### Enhancements:
+
+  - Add a new Bundler config to control how many specs are fetched [#9363](https://github.com/ruby/rubygems/pull/9363)
+  - Restrict GitHub Actions workflow permissions for newgem [#9361](https://github.com/ruby/rubygems/pull/9361)
+
+### Bug fixes:
+
+  - Fix plugin new version not registering [#9355](https://github.com/ruby/rubygems/pull/9355)
+
 ## 4.0.7 (2026-02-25)
 
 ### Enhancements:

data/lib/bundler/build_metadata.rb

@@ -4,8 +4,8 @@ module Bundler
   # Represents metadata from when the Bundler gem was built.
   module BuildMetadata
     # begin ivars
-    @built_at = "2026-02-25".freeze
-    @git_commit_sha = "049c458564".freeze
+    @built_at = nil
+    @git_commit_sha = "3ce4a32411".freeze
     # end ivars
 
     # A hash representation of the build metadata.

data/lib/bundler/cli/pristine.rb

@@ -53,7 +53,7 @@ module Bundler
           true
         end.map(&:name)
 
-        jobs = installer.send(:installation_parallelization)
+        jobs = Bundler.settings.installation_parallelization
         pristine_count = definition.specs.count - installed_specs.count
         # allow a pristining a single gem to skip the parallel worker
         jobs = [jobs, pristine_count].min

data/lib/bundler/definition.rb

@@ -1122,7 +1122,9 @@ module Bundler
     end
 
     def preload_git_source_worker
-      @preload_git_source_worker ||= Bundler::Worker.new(5, "Git source preloading", ->(source, _) { source.specs })
+      workers = Bundler.settings.installation_parallelization
+
+      @preload_git_source_worker ||= Bundler::Worker.new(workers, "Git source preloading", ->(source, _) { source.specs })
     end
 
     def preload_git_sources

data/lib/bundler/fetcher/dependency.rb

@@ -50,7 +50,7 @@ module Bundler
 
       def unmarshalled_dep_gems(gem_names)
         gem_list = []
-        gem_names.each_slice(Source::Rubygems::API_REQUEST_SIZE) do |names|
+        gem_names.each_slice(api_request_size) do |names|
           marshalled_deps = downloader.fetch(dependency_api_uri(names)).body
           gem_list.concat(Bundler.safe_load_marshal(marshalled_deps))
         end
@@ -74,6 +74,12 @@ module Bundler
         uri.query = "gems=#{CGI.escape(gem_names.sort.join(","))}" if gem_names.any?
         uri
       end
+
+      private
+
+      def api_request_size
+        Bundler.settings[:api_request_size]&.to_i || Source::Rubygems::API_REQUEST_SIZE
+      end
     end
   end
 end

data/lib/bundler/fetcher/gem_remote_fetcher.rb

@@ -8,7 +8,7 @@ module Bundler
       def initialize(*)
         super
 
-        @pool_size = 5
+        @pool_size = Bundler.settings.installation_parallelization
       end
 
       def request(*args)

data/lib/bundler/installer/gem_installer.rb

@@ -25,6 +25,20 @@ module Bundler
       [false, specific_failure_message(e)]
     end
 
+    def download
+      spec.source.download(
+        spec,
+        force: force,
+        local: local,
+        build_args: Array(spec_settings),
+        previous_spec: previous_spec,
+      )
+
+      [true, nil]
+    rescue Bundler::BundlerError => e
+      [false, specific_failure_message(e)]
+    end
+
     private
 
     def specific_failure_message(e)

data/lib/bundler/installer/parallel_installer.rb

@@ -24,6 +24,10 @@ module Bundler
         state == :enqueued
       end
 
+      def enqueue_with_priority?
+        state == :installable && spec.extensions.any?
+      end
+
       def failed?
         state == :failed
       end
@@ -32,6 +36,12 @@ module Bundler
         state == :none
       end
 
+      def ready_to_install?(installed_specs)
+        return false unless state == :downloaded
+
+        spec.extensions.none? || dependencies_installed?(installed_specs)
+      end
+
       def has_post_install_message?
         !post_install_message.empty?
       end
@@ -84,6 +94,7 @@ module Bundler
 
     def call
       if @rake
+        do_download(@rake, 0)
         do_install(@rake, 0)
         Gem::Specification.reset
       end
@@ -107,26 +118,54 @@ module Bundler
     end
 
     def install_with_worker
-      enqueue_specs
-      process_specs until finished_installing?
+      installed_specs = {}
+      enqueue_specs(installed_specs)
+
+      process_specs(installed_specs) until finished_installing?
     end
 
     def install_serially
       until finished_installing?
         raise "failed to find a spec to enqueue while installing serially" unless spec_install = @specs.find(&:ready_to_enqueue?)
         spec_install.state = :enqueued
+        do_download(spec_install, 0)
         do_install(spec_install, 0)
       end
     end
 
     def worker_pool
       @worker_pool ||= Bundler::Worker.new @size, "Parallel Installer", lambda {|spec_install, worker_num|
-        do_install(spec_install, worker_num)
+        case spec_install.state
+        when :enqueued
+          do_download(spec_install, worker_num)
+        when :installable
+          do_install(spec_install, worker_num)
+        else
+          spec_install
+        end
       }
     end
 
-    def do_install(spec_install, worker_num)
+    def do_download(spec_install, worker_num)
       Plugin.hook(Plugin::Events::GEM_BEFORE_INSTALL, spec_install)
+
+      gem_installer = Bundler::GemInstaller.new(
+        spec_install.spec, @installer, @standalone, worker_num, @force, @local
+      )
+
+      success, message = gem_installer.download
+
+      if success
+        spec_install.state = :downloaded
+      else
+        spec_install.error = "#{message}\n\n#{require_tree_for_spec(spec_install.spec)}"
+        spec_install.state = :failed
+      end
+
+      spec_install
+    end
+
+    def do_install(spec_install, worker_num)
       gem_installer = Bundler::GemInstaller.new(
         spec_install.spec, @installer, @standalone, worker_num, @force, @local
       )
@@ -147,9 +186,19 @@ module Bundler
     # Some specs might've had to wait til this spec was installed to be
     # processed so the call to `enqueue_specs` is important after every
     # dequeue.
-    def process_specs
-      worker_pool.deq
-      enqueue_specs
+    def process_specs(installed_specs)
+      spec = worker_pool.deq
+
+      if spec.installed?
+        installed_specs[spec.name] = true
+        return
+      elsif spec.failed?
+        return
+      elsif spec.ready_to_install?(installed_specs)
+        spec.state = :installable
+      end
+
+      worker_pool.enq(spec, priority: spec.enqueue_with_priority?)
     end
 
     def finished_installing?
@@ -185,18 +234,15 @@ module Bundler
     # Later we call this lambda again to install specs that depended on
     # previously installed specifications. We continue until all specs
     # are installed.
-    def enqueue_specs
-      installed_specs = {}
-      @specs.each do |spec|
-        next unless spec.installed?
-        installed_specs[spec.name] = true
-      end
-
+    def enqueue_specs(installed_specs)
       @specs.each do |spec|
-        if spec.ready_to_enqueue? && spec.dependencies_installed?(installed_specs)
-          spec.state = :enqueued
-          worker_pool.enq spec
+        if spec.installed?
+          installed_specs[spec.name] = true
+          next
         end
+
+        spec.state = :enqueued
+        worker_pool.enq spec
       end
     end
   end

data/lib/bundler/installer.rb

@@ -189,21 +189,13 @@ module Bundler
       standalone = options[:standalone]
       force = options[:force]
       local = options[:local] || options[:"prefer-local"]
-      jobs = installation_parallelization
+      jobs = Bundler.settings.installation_parallelization
       spec_installations = ParallelInstaller.call(self, @definition.specs, jobs, standalone, force, local: local)
       spec_installations.each do |installation|
         post_install_messages[installation.name] = installation.post_install_message if installation.has_post_install_message?
       end
     end
 
-    def installation_parallelization
-      if jobs = Bundler.settings[:jobs]
-        return jobs
-      end
-
-      Bundler.settings.processor_count
-    end
-
     def load_plugins
       Gem.load_plugins
 

data/lib/bundler/man/bundle-add.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-ADD" "1" "February 2026" ""
+.TH "BUNDLE\-ADD" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-add\fR \- Add gem to the Gemfile and run bundle install
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-binstubs.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-BINSTUBS" "1" "February 2026" ""
+.TH "BUNDLE\-BINSTUBS" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-binstubs\fR \- Install the binstubs of the listed gems
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-cache.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-CACHE" "1" "February 2026" ""
+.TH "BUNDLE\-CACHE" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-cache\fR \- Package your needed \fB\.gem\fR files into your application
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-check.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-CHECK" "1" "February 2026" ""
+.TH "BUNDLE\-CHECK" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-check\fR \- Verifies if dependencies are satisfied by installed gems
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-clean.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-CLEAN" "1" "February 2026" ""
+.TH "BUNDLE\-CLEAN" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-clean\fR \- Cleans up unused gems in your bundler directory
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-config.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-CONFIG" "1" "February 2026" ""
+.TH "BUNDLE\-CONFIG" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-config\fR \- Set bundler configuration options
 .SH "SYNOPSIS"
@@ -70,6 +70,9 @@ Any periods in the configuration keys must be replaced with two underscores when
 .SH "LIST OF AVAILABLE KEYS"
 The following is a list of all configuration keys and their purpose\. You can learn more about their operation in bundle install(1) \fIbundle\-install\.1\.html\fR\.
 .TP
+\fBapi_request_size\fR (\fBBUNDLE_API_REQUEST_SIZE\fR)
+Configure how many dependencies to fetch when resolving the specifications\. This configuration is only used when fetchig specifications from RubyGems servers that didn't implement the Compact Index API\. Defaults to 100\.
+.TP
 \fBauto_install\fR (\fBBUNDLE_AUTO_INSTALL\fR)
 Automatically run \fBbundle install\fR when gems are missing\.
 .TP
@@ -143,7 +146,7 @@ When set, no post install messages will be printed\. To silence a single gem, us
 Generate a \fBgems\.rb\fR instead of a \fBGemfile\fR when running \fBbundle init\fR\.
 .TP
 \fBjobs\fR (\fBBUNDLE_JOBS\fR)
-The number of gems Bundler can install in parallel\. Defaults to the number of available processors\.
+The number of gems Bundler can download and install in parallel\. Defaults to the number of available processors\.
 .TP
 \fBlockfile\fR (\fBBUNDLE_LOCKFILE\fR)
 The path to the lockfile that bundler should use\. By default, Bundler adds \fB\.lock\fR to the end of the \fBgemfile\fR entry\. Can be set to \fBfalse\fR in the Gemfile to disable lockfile creation entirely (see gemfile(5))\.

data/lib/bundler/man/bundle-config.1.ronn

@@ -106,6 +106,11 @@ the environment variable `BUNDLE_LOCAL__RACK`.
 The following is a list of all configuration keys and their purpose. You can
 learn more about their operation in [bundle install(1)](bundle-install.1.html).
 
+* `api_request_size` (`BUNDLE_API_REQUEST_SIZE`):
+   Configure how many dependencies to fetch when resolving the specifications.
+   This configuration is only used when fetchig specifications from RubyGems
+   servers that didn't implement the Compact Index API.
+   Defaults to 100.
 * `auto_install` (`BUNDLE_AUTO_INSTALL`):
    Automatically run `bundle install` when gems are missing.
 * `bin` (`BUNDLE_BIN`):
@@ -187,8 +192,8 @@ learn more about their operation in [bundle install(1)](bundle-install.1.html).
 * `init_gems_rb` (`BUNDLE_INIT_GEMS_RB`):
    Generate a `gems.rb` instead of a `Gemfile` when running `bundle init`.
 * `jobs` (`BUNDLE_JOBS`):
-   The number of gems Bundler can install in parallel. Defaults to the number of
-   available processors.
+   The number of gems Bundler can download and install in parallel.
+   Defaults to the number of available processors.
 * `lockfile` (`BUNDLE_LOCKFILE`):
    The path to the lockfile that bundler should use. By default, Bundler adds
    `.lock` to the end of the `gemfile` entry. Can be set to `false` in the

data/lib/bundler/man/bundle-console.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-CONSOLE" "1" "February 2026" ""
+.TH "BUNDLE\-CONSOLE" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-console\fR \- Open an IRB session with the bundle pre\-loaded
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-doctor.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-DOCTOR" "1" "February 2026" ""
+.TH "BUNDLE\-DOCTOR" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-doctor\fR \- Checks the bundle for common problems
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-env.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-ENV" "1" "February 2026" ""
+.TH "BUNDLE\-ENV" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-env\fR \- Print information about the environment Bundler is running under
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-exec.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-EXEC" "1" "February 2026" ""
+.TH "BUNDLE\-EXEC" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-exec\fR \- Execute a command in the context of the bundle
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-fund.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-FUND" "1" "February 2026" ""
+.TH "BUNDLE\-FUND" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-fund\fR \- Lists information about gems seeking funding assistance
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-gem.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-GEM" "1" "February 2026" ""
+.TH "BUNDLE\-GEM" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-gem\fR \- Generate a project skeleton for creating a rubygem
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-help.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-HELP" "1" "February 2026" ""
+.TH "BUNDLE\-HELP" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-help\fR \- Displays detailed help for each subcommand
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-info.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-INFO" "1" "February 2026" ""
+.TH "BUNDLE\-INFO" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-info\fR \- Show information for the given gem in your bundle
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-init.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-INIT" "1" "February 2026" ""
+.TH "BUNDLE\-INIT" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-init\fR \- Generates a Gemfile into the current working directory
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-install.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-INSTALL" "1" "February 2026" ""
+.TH "BUNDLE\-INSTALL" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-install\fR \- Install the dependencies specified in your Gemfile
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-issue.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-ISSUE" "1" "February 2026" ""
+.TH "BUNDLE\-ISSUE" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-issue\fR \- Get help reporting Bundler issues
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-licenses.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-LICENSES" "1" "February 2026" ""
+.TH "BUNDLE\-LICENSES" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-licenses\fR \- Print the license of all gems in the bundle
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-list.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-LIST" "1" "February 2026" ""
+.TH "BUNDLE\-LIST" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-list\fR \- List all the gems in the bundle
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-lock.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-LOCK" "1" "February 2026" ""
+.TH "BUNDLE\-LOCK" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-lock\fR \- Creates / Updates a lockfile without installing
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-open.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-OPEN" "1" "February 2026" ""
+.TH "BUNDLE\-OPEN" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-open\fR \- Opens the source directory for a gem in your bundle
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-outdated.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-OUTDATED" "1" "February 2026" ""
+.TH "BUNDLE\-OUTDATED" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-outdated\fR \- List installed gems with newer versions available
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-platform.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-PLATFORM" "1" "February 2026" ""
+.TH "BUNDLE\-PLATFORM" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-platform\fR \- Displays platform compatibility information
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-plugin.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-PLUGIN" "1" "February 2026" ""
+.TH "BUNDLE\-PLUGIN" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-plugin\fR \- Manage Bundler plugins
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-pristine.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-PRISTINE" "1" "February 2026" ""
+.TH "BUNDLE\-PRISTINE" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-pristine\fR \- Restores installed gems to their pristine condition
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-remove.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-REMOVE" "1" "February 2026" ""
+.TH "BUNDLE\-REMOVE" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-remove\fR \- Removes gems from the Gemfile
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-show.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-SHOW" "1" "February 2026" ""
+.TH "BUNDLE\-SHOW" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-show\fR \- Shows all the gems in your bundle, or the path to a gem
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-update.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-UPDATE" "1" "February 2026" ""
+.TH "BUNDLE\-UPDATE" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-update\fR \- Update your gems to the latest available versions
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-version.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE\-VERSION" "1" "February 2026" ""
+.TH "BUNDLE\-VERSION" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\-version\fR \- Prints Bundler version information
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "BUNDLE" "1" "February 2026" ""
+.TH "BUNDLE" "1" "March 2026" ""
 .SH "NAME"
 \fBbundle\fR \- Ruby Dependency Management
 .SH "SYNOPSIS"

data/lib/bundler/man/gemfile.5

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.10.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.10.1
-.TH "GEMFILE" "5" "February 2026" ""
+.TH "GEMFILE" "5" "March 2026" ""
 .SH "NAME"
 \fBGemfile\fR \- A format for describing gem dependencies for Ruby programs
 .SH "SYNOPSIS"

data/lib/bundler/plugin/api/source.rb

@@ -74,6 +74,14 @@ module Bundler
           {}
         end
 
+        # Download the gem specified by the spec at appropriate path.
+        #
+        # A source plugin can implement this method to split the download and the
+        # installation of a gem.
+        #
+        # @return [Boolean] Whether the download of the gem succeeded.
+        def download(spec, opts); end
+
         # Install the gem specified by the spec at appropriate path.
         # `install_path` provides a sufficient default, if the source can only
         # satisfy one gem,  but is not binding.

data/lib/bundler/plugin/index.rb

@@ -119,6 +119,12 @@ module Bundler
         @plugin_paths[name]
       end
 
+      def up_to_date?(spec)
+        path = installed?(spec.name)
+
+        path == spec.full_gem_path
+      end
+
       def installed_plugins
         @plugin_paths.keys
       end

data/lib/bundler/plugin/installer.rb

@@ -110,7 +110,8 @@ module Bundler
         paths = {}
 
         specs.each do |spec|
-          spec.source.install spec
+          spec.source.download(spec)
+          spec.source.install(spec)
 
           paths[spec.name] = spec
         end

data/lib/bundler/plugin.rb

@@ -113,7 +113,7 @@ module Bundler
 
         return if definition.dependencies.empty?
 
-        plugins = definition.dependencies.map(&:name).reject {|p| index.installed? p }
+        plugins = definition.dependencies.map(&:name)
         installed_specs = Installer.new.install_definition(definition)
 
         save_plugins plugins, installed_specs, builder.inferred_plugins
@@ -258,7 +258,7 @@ module Bundler
         # It's possible that the `plugin` found in the Gemfile don't appear in the specs. For instance when
         # calling `BUNDLE_WITHOUT=default bundle install`, the plugins will not get installed.
         next if spec.nil?
-        next if index.installed?(name)
+        next if index.up_to_date?(spec)
 
         save_plugin(name, spec, optional_plugins.include?(name))
       end

data/lib/bundler/retry.rb

@@ -6,6 +6,8 @@ module Bundler
     attr_accessor :name, :total_runs, :current_run
 
     class << self
+      attr_accessor :default_base_delay
+
       def default_attempts
         default_retries + 1
       end
@@ -16,11 +18,17 @@ module Bundler
       end
     end
 
-    def initialize(name, exceptions = nil, retries = self.class.default_retries)
+    # Set default base delay for exponential backoff
+    self.default_base_delay = 1.0
+
+    def initialize(name, exceptions = nil, retries = self.class.default_retries, opts = {})
       @name = name
       @retries = retries
       @exceptions = Array(exceptions) || []
       @total_runs = @retries + 1 # will run once, then upto attempts.times
+      @base_delay = opts[:base_delay] || self.class.default_base_delay
+      @max_delay = opts[:max_delay] || 60.0
+      @jitter = opts[:jitter] || 0.5
     end
 
     def attempt(&block)
@@ -48,9 +56,27 @@ module Bundler
         Bundler.ui.info "" unless Bundler.ui.debug?
         raise e
       end
-      return true unless name
-      Bundler.ui.info "" unless Bundler.ui.debug? # Add new line in case dots preceded this
-      Bundler.ui.warn "Retrying #{name} due to error (#{current_run.next}/#{total_runs}): #{e.class} #{e.message}", true
+      if name
+        Bundler.ui.info "" unless Bundler.ui.debug? # Add new line in case dots preceded this
+        Bundler.ui.warn "Retrying #{name} due to error (#{current_run.next}/#{total_runs}): #{e.class} #{e.message}", true
+      end
+      backoff_sleep if @base_delay > 0
+      true
+    end
+
+    def backoff_sleep
+      # Exponential backoff: delay = base_delay * 2^(attempt - 1)
+      # Add jitter to prevent thundering herd: random value between 0 and jitter seconds
+      delay = @base_delay * (2**(@current_run - 1))
+      delay = [@max_delay, delay].min
+      jitter_amount = rand * @jitter
+      total_delay = delay + jitter_amount
+      Bundler.ui.debug "Sleeping for #{total_delay.round(2)} seconds before retry"
+      sleep(total_delay)
+    end
+
+    def sleep(duration)
+      Kernel.sleep(duration)
     end
 
     def keep_trying?

data/lib/bundler/self_manager.rb

@@ -63,6 +63,7 @@ module Bundler
     end
 
     def install(spec)
+      spec.source.download(spec)
       spec.source.install(spec)
     end
 

data/lib/bundler/settings.rb

@@ -303,6 +303,10 @@ module Bundler
       @app_cache_path ||= self[:cache_path] || "vendor/cache"
     end
 
+    def installation_parallelization
+      self[:jobs] || processor_count
+    end
+
     def validate!
       all.each do |raw_key|
         [@local_config, @env_config, @global_config].each do |settings|

data/lib/bundler/source/git/git_proxy.rb

@@ -57,6 +57,29 @@ module Bundler
         attr_accessor :path, :uri, :branch, :tag, :ref, :explicit_ref
         attr_writer :revision
 
+        def self.version
+          @version ||= full_version[/((\.?\d+)+).*/, 1]
+        end
+
+        def self.full_version
+          @full_version ||= begin
+            raise GitNotInstalledError.new unless Bundler.git_present?
+
+            require "open3"
+            out, err, status = Open3.capture3("git", "--version")
+
+            raise GitCommandError.new("--version", SharedHelpers.pwd, err) unless status.success?
+            Bundler.ui.warn err unless err.empty?
+
+            out.sub(/git version\s*/, "").strip
+          end
+        end
+
+        def self.reset
+          @version = nil
+          @full_version = nil
+        end
+
         def initialize(path, uri, options = {}, revision = nil, git = nil)
           @path     = path
           @uri      = uri
@@ -92,11 +115,11 @@ module Bundler
         end
 
         def version
-          @version ||= full_version.match(/((\.?\d+)+).*/)[1]
+          self.class.version
         end
 
         def full_version
-          @full_version ||= git_local("--version").sub(/git version\s*/, "").strip
+          self.class.full_version
         end
 
         def checkout
@@ -156,7 +179,7 @@ module Bundler
         private
 
         def git_remote_fetch(args)
-          command = ["fetch", "--force", "--quiet", "--no-tags", *args, "--", configured_uri, refspec].compact
+          command = fetch_command(args)
           command_with_no_credentials = check_allowed(command)
 
           Bundler::Retry.new("`#{command_with_no_credentials}` at #{path}", [MissingGitRevisionError]).attempts do
@@ -166,6 +189,11 @@ module Bundler
             if err.include?("couldn't find remote ref") || err.include?("not our ref")
               raise MissingGitRevisionError.new(command_with_no_credentials, path, commit || explicit_ref, credential_filtered_uri)
             else
+              if shallow?
+                args -= depth_args
+                command = fetch_command(args)
+                command_with_no_credentials = check_allowed(command)
+              end
               raise GitCommandError.new(command_with_no_credentials, path, err)
             end
           end
@@ -178,7 +206,8 @@ module Bundler
             FileUtils.mkdir_p(p)
           end
 
-          command = ["clone", "--bare", "--no-hardlinks", "--quiet", *extra_clone_args, "--", configured_uri, path.to_s]
+          clone_args = extra_clone_args
+          command = clone_command(clone_args)
           command_with_no_credentials = check_allowed(command)
 
           Bundler::Retry.new("`#{command_with_no_credentials}`", [MissingGitRevisionError]).attempts do
@@ -189,13 +218,10 @@ module Bundler
                err.include?("Remote branch #{branch_option} not found") # git 2.49 or higher
               raise MissingGitRevisionError.new(command_with_no_credentials, nil, explicit_ref, credential_filtered_uri)
             else
-              idx = command.index("--depth")
-              if idx
-                command.delete_at(idx)
-                command.delete_at(idx)
+              if shallow?
+                clone_args -= depth_args
+                command = clone_command(clone_args)
                 command_with_no_credentials = check_allowed(command)
-
-                err += "Retrying without --depth argument."
               end
               raise GitCommandError.new(command_with_no_credentials, path, err)
             end
@@ -204,14 +230,14 @@ module Bundler
 
         def clone_needs_unshallow?
           return false unless path.join("shallow").exist?
-          return true if full_clone?
+          return true unless shallow?
 
           @revision && @revision != head_revision
         end
 
         def extra_ref
           return false if not_pinned?
-          return true unless full_clone?
+          return true if shallow?
 
           ref.start_with?("refs/")
         end
@@ -427,8 +453,16 @@ module Bundler
           args
         end
 
+        def fetch_command(args)
+          ["fetch", "--force", "--quiet", "--no-tags", *args, "--", configured_uri, refspec].compact
+        end
+
+        def clone_command(args)
+          ["clone", "--bare", "--no-hardlinks", "--quiet", *args, "--", configured_uri, path.to_s]
+        end
+
         def depth_args
-          return [] if full_clone?
+          return [] unless shallow?
 
           ["--depth", depth.to_s]
         end
@@ -443,8 +477,8 @@ module Bundler
           branch || tag
         end
 
-        def full_clone?
-          depth.nil?
+        def shallow?
+          !depth.nil?
         end
 
         def needs_allow_any_sha1_in_want?

data/lib/bundler/source/rubygems.rb

@@ -9,6 +9,7 @@ module Bundler
 
       # Ask for X gems per API request
       API_REQUEST_SIZE = 100
+      REQUIRE_MUTEX = Mutex.new
 
       attr_accessor :remotes
 
@@ -21,6 +22,8 @@ module Bundler
         @allow_local = options["allow_local"] || false
         @prefer_local = false
         @checksum_store = Checksum::Store.new
+        @gem_installers = {}
+        @gem_installers_mutex = Mutex.new
 
         Array(options["remotes"]).reverse_each {|r| add_remote(r) }
 
@@ -162,49 +165,40 @@ module Bundler
         end
       end
 
-      def install(spec, options = {})
+      def download(spec, options = {})
         if (spec.default_gem? && !cached_built_in_gem(spec, local: options[:local])) || (installed?(spec) && !options[:force])
-          print_using_message "Using #{version_message(spec, options[:previous_spec])}"
-          return nil # no post-install message
+          return true
         end
 
-        path = fetch_gem_if_possible(spec, options[:previous_spec])
-        raise GemNotFound, "Could not find #{spec.file_name} for installation" unless path
-
-        return if Bundler.settings[:no_install]
-
-        install_path = rubygems_dir
-        bin_path     = Bundler.system_bindir
-
-        require_relative "../rubygems_gem_installer"
-
-        installer = Bundler::RubyGemsGemInstaller.at(
-          path,
-          security_policy: Bundler.rubygems.security_policies[Bundler.settings["trust-policy"]],
-          install_dir: install_path.to_s,
-          bin_dir: bin_path.to_s,
-          ignore_dependencies: true,
-          wrappers: true,
-          env_shebang: true,
-          build_args: options[:build_args],
-          bundler_extension_cache_path: extension_cache_path(spec)
-        )
+        installer = rubygems_gem_installer(spec, options)
 
         if spec.remote
           s = begin
             installer.spec
           rescue Gem::Package::FormatError
-            Bundler.rm_rf(path)
+            Bundler.rm_rf(installer.gem)
             raise
           rescue Gem::Security::Exception => e
             raise SecurityError,
-             "The gem #{File.basename(path, ".gem")} can't be installed because " \
+             "The gem #{installer.gem} can't be installed because " \
              "the security policy didn't allow it, with the message: #{e.message}"
           end
 
           spec.__swap__(s)
         end
 
+        spec
+      end
+
+      def install(spec, options = {})
+        if (spec.default_gem? && !cached_built_in_gem(spec, local: options[:local])) || (installed?(spec) && !options[:force])
+          print_using_message "Using #{version_message(spec, options[:previous_spec])}"
+          return nil # no post-install message
+        end
+
+        return if Bundler.settings[:no_install]
+
+        installer = rubygems_gem_installer(spec, options)
         spec.source.checksum_store.register(spec, installer.gem_checksum)
 
         message = "Installing #{version_message(spec, options[:previous_spec])}"
@@ -511,6 +505,34 @@ module Bundler
         return unless remote = spec.remote
         remote.cache_slug
       end
+
+      # We are using a mutex to reaed and write from/to the hash.
+      # The reason this double synchronization was added is for performance
+      # and lock the mutex for the shortest possible amount of time. Otherwise,
+      # all threads are fighting over this mutex and when it gets acquired it gets locked
+      # until a threads finishes downloading a gem, leaving the other threads waiting
+      # doing nothing.
+      def rubygems_gem_installer(spec, options)
+        @gem_installers_mutex.synchronize { @gem_installers[spec.name] } || begin
+          path = fetch_gem_if_possible(spec, options[:previous_spec])
+          raise GemNotFound, "Could not find #{spec.file_name} for installation" unless path
+
+          REQUIRE_MUTEX.synchronize { require_relative "../rubygems_gem_installer" }
+
+          installer = Bundler::RubyGemsGemInstaller.at(
+            path,
+            security_policy: Bundler.rubygems.security_policies[Bundler.settings["trust-policy"]],
+            install_dir: rubygems_dir.to_s,
+            bin_dir: Bundler.system_bindir.to_s,
+            ignore_dependencies: true,
+            wrappers: true,
+            env_shebang: true,
+            build_args: options[:build_args],
+            bundler_extension_cache_path: extension_cache_path(spec)
+          )
+          @gem_installers_mutex.synchronize { @gem_installers[spec.name] ||= installer }
+        end
+      end
     end
   end
 end

data/lib/bundler/source.rb

@@ -31,6 +31,8 @@ module Bundler
       message
     end
 
+    def download(*); end
+
     def can_lock?(spec)
       spec.source == self
     end

data/lib/bundler/templates/newgem/github/workflows/build-gems.yml.tt

@@ -8,6 +8,10 @@ on:
       - "cross-gem/*"
   workflow_dispatch:
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   ci-data:
     runs-on: ubuntu-latest
@@ -25,7 +29,7 @@ jobs:
   source-gem:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - uses: ruby/setup-ruby@v1
         with:
@@ -34,7 +38,7 @@ jobs:
       - name: Build gem
         run: bundle exec rake build
 
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v7
         with:
           name: source-gem
           path: pkg/*.gem
@@ -47,7 +51,7 @@ jobs:
       matrix:
         platform: ${{ fromJSON(needs.ci-data.outputs.result).supported-ruby-platforms }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - uses: ruby/setup-ruby@v1
         with:
@@ -59,7 +63,7 @@ jobs:
           platform: ${{ matrix.platform }}
           ruby-versions: ${{ join(fromJSON(needs.ci-data.outputs.result).stable-ruby-versions, ',') }}
 
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v7
         with:
           name: cross-gem
           path: ${{ steps.cross-gem.outputs.gem-path }}

data/lib/bundler/templates/newgem/github/workflows/main.yml.tt

@@ -7,6 +7,9 @@ on:
 
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -17,7 +20,7 @@ jobs:
           - '<%= RUBY_VERSION %>'
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
 <%- if config[:ext] == 'rust' -%>

data/lib/bundler/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: false
 
 module Bundler
-  VERSION = "4.0.7".freeze
+  VERSION = "4.0.9".freeze
 
   def self.bundler_major_version
     @bundler_major_version ||= gem_version.segments.first

data/lib/bundler/worker.rb

@@ -22,6 +22,7 @@ module Bundler
     def initialize(size, name, func)
       @name = name
       @request_queue = Thread::Queue.new
+      @request_queue_with_priority = Thread::Queue.new
       @response_queue = Thread::Queue.new
       @func = func
       @size = size
@@ -32,9 +33,10 @@ module Bundler
     # Enqueue a request to be executed in the worker pool
     #
     # @param obj [String] mostly it is name of spec that should be downloaded
-    def enq(obj)
+    def enq(obj, priority: false)
+      queue = priority ? @request_queue_with_priority : @request_queue
       create_threads unless @threads
-      @request_queue.enq obj
+      queue.enq obj
     end
 
     # Retrieves results of job function being executed in worker pool
@@ -52,7 +54,13 @@ module Bundler
 
     def process_queue(i)
       loop do
-        obj = @request_queue.deq
+        obj = begin
+          @request_queue_with_priority.deq(true)
+        rescue ThreadError
+          @request_queue.deq(false, timeout: 0.05)
+        end
+
+        next if obj.nil?
         break if obj.equal? POISON
         @response_queue.enq apply_func(obj, i)
       end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bundler
 version: !ruby/object:Gem::Version
-  version: 4.0.7
+  version: 4.0.9
 platform: ruby
 authors:
 - André Arko
@@ -402,7 +402,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.4.1
 requirements: []
-rubygems_version: 4.0.3
+rubygems_version: 4.0.6
 specification_version: 4
 summary: The best way to manage your application's dependencies
 test_files: []