bundler 1.6.9 → 1.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 416e8ee36efa63219a479a3f0b05a2e9c3cbff1c
-  data.tar.gz: bcdb1aba2bddb5787e77a692f2f3c1ad80960029
+  metadata.gz: 155503cb2801c3408a1a6290488e86d95fc44377
+  data.tar.gz: 155ff56ba76e00285762682095374af6978dc701
 SHA512:
-  metadata.gz: 2b128dcdbe2c790eb2304554b23a17abee78f6cb23d3abcda0acf65e2dd1cecc6d1d3aadc3c8bb16cddc3e1bca7c76fef15e52bd4b9b3251493d0b4f910d4bad
-  data.tar.gz: afcf5192a0252af39937b528f008d59e133631fb6eb31ebe42c1aee7dfac673e7a6aa305b914d000968bd1b8cc1f227d5feb5b85f201ead3be145ebdceee6134
+  metadata.gz: 79b16bf6b319c496e5dd80d74582217e9def1ca17f937c7173e20b973066064406d0a21f092e175a504ad1743ee86ff17b56639c336b3c78ea621485b790cea8
+  data.tar.gz: c61d725503a3ac4d74a1708ee30ce80bea1b075118df1bc054c0339fd538809284f2dcda20057bba1950ae1414297118dc869cf1d6752f3fa0d09001522d0b83

data/.travis.yml

@@ -4,6 +4,7 @@ before_script: travis_retry rake spec:travis:deps
 branches:
   only:
     - master
+    - 1-7-stable
     - 1-6-stable
     - 1-5-stable
     - 1-3-stable

data/CHANGELOG.md

@@ -1,30 +1,17 @@
-## 1.6.9 (2014-11-11)
+## 1.7.0 (2014-08-13)
 
-Features:
-
-  - alternate certificates that work with all OpenSSLs (@luislavena, @indirect)
-
-## 1.6.8 (2014-11-10)
-
-Features:
-
-  - vendor new certificates to validate HTTPS with rubygems.org (@indirect)
+Security:
 
-## 1.6.7 (2014-10-19)
+  - Fix for CVE-2013-0334, installing gems from an unexpected source
 
 Features:
 
-  - warn to upgrade when using useless source blocks (@danfinnie)
-
-Documentation:
-
-  - explain how to use gem server credentials via ENV (@hwartig)
-
-## 1.6.6 (2014-08-23)
+  - Gemfile `source` calls now take a block containing gems from that source (@tmoore)
+  - added the `:source` option to `gem` to specify a source (@tmoore)
 
 Bugfixes:
 
-  - restore Gemfile credentials to Gemfile.lock (@indirect)
+  - warn on ambiguous gems available from more than one source (@tmoore)
 
 ## 1.6.5 (2014-07-23)
 

data/Rakefile

@@ -41,7 +41,7 @@ namespace :spec do
       deps.delete("rdiscount")
     end
 
-    deps.sort_by{|name, _| name }.each do |name, version|
+    deps.each do |name, version|
       sh "#{Gem.ruby} -S gem list -i '^#{name}$' -v '#{version}' || " \
          "#{Gem.ruby} -S gem install #{name} -v '#{version}' --no-ri --no-rdoc"
     end
@@ -129,7 +129,7 @@ begin
         end
 
         task "clone_rubygems_#{rg}" do
-          unless File.directory?(RUBYGEMS_REPO)
+          unless File.directory?("tmp/rubygems")
             system("git clone https://github.com/rubygems/rubygems.git tmp/rubygems")
           end
           hash = nil

data/bundler.gemspec

@@ -16,7 +16,6 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version     = '>= 1.8.7'
   spec.required_rubygems_version = '>= 1.3.6'
 
-  spec.add_development_dependency 'mustache', '0.99.6'
   spec.add_development_dependency 'rdiscount', '~> 1.6'
   spec.add_development_dependency 'ronn', '~> 0.7.3'
   spec.add_development_dependency 'rspec', '~> 3.0.0.beta1'

data/lib/bundler.rb

@@ -41,6 +41,7 @@ module Bundler
   autoload :SharedHelpers,         'bundler/shared_helpers'
   autoload :SpecSet,               'bundler/spec_set'
   autoload :Source,                'bundler/source'
+  autoload :SourceList,            'bundler/source_list'
   autoload :Specification,         'bundler/shared_helpers'
   autoload :SystemRubyVersion,     'bundler/ruby_version'
   autoload :UI,                    'bundler/ui'

data/lib/bundler/cli/cache.rb

@@ -23,7 +23,7 @@ module Bundler
     def setup_cache_all
       Bundler.settings[:cache_all] = options[:all] if options.key?("all")
 
-      if Bundler.definition.sources.any? { |s| !s.is_a?(Source::Rubygems) } && !Bundler.settings[:cache_all]
+      if Bundler.definition.has_local_dependencies? && !Bundler.settings[:cache_all]
         Bundler.ui.warn "Your Gemfile contains path and git dependencies. If you want "    \
           "to package them as well, please pass the --all flag. This will be the default " \
           "on Bundler 2.0."

data/lib/bundler/cli/install.rb

@@ -93,6 +93,15 @@ module Bundler
         Bundler.ui.confirm "Post-install message from #{name}:"
         Bundler.ui.info msg
       end
+      Installer.ambiguous_gems.to_a.each do |name, installed_from_uri, *also_found_in_uris|
+        Bundler.ui.error "Warning: the gem '#{name}' was found in multiple sources."
+        Bundler.ui.error "Installed from: #{installed_from_uri}"
+        Bundler.ui.error "Also found in:"
+        also_found_in_uris.each { |uri| Bundler.ui.error "  * #{uri}" }
+        Bundler.ui.error "You should add a source requirement to restrict this gem to your preferred source."
+        Bundler.ui.error "For example:"
+        Bundler.ui.error "    gem '#{name}', :source => '#{installed_from_uri}'"
+      end
 
       if Bundler.settings[:clean] && Bundler.settings[:path]
         require "bundler/cli/clean"
@@ -103,7 +112,7 @@ module Bundler
         Bundler.ui.warn "Some gems seem to be missing from your vendor/cache directory."
       end
 
-      if Bundler.definition.rubygems_remotes.empty?
+      unless Bundler.definition.has_rubygems_remotes?
         Bundler.ui.warn <<-WARN, :wrap => true
           Your Gemfile has no gem server sources. If you need gems that are \
           not already on your machine, add a line like this to your Gemfile:

data/lib/bundler/cli/package.rb

@@ -26,7 +26,7 @@ module Bundler
     def setup_cache_all
       Bundler.settings[:cache_all] = options[:all] if options.key?("all")
 
-      if Bundler.definition.sources.any? { |s| !s.is_a?(Source::Rubygems) } && !Bundler.settings[:cache_all]
+      if Bundler.definition.has_local_dependencies? && !Bundler.settings[:cache_all]
         Bundler.ui.warn "Your Gemfile contains path and git dependencies. If you want "    \
           "to package them as well, please pass the --all flag. This will be the default " \
           "on Bundler 2.0."

data/lib/bundler/definition.rb

@@ -5,8 +5,7 @@ module Bundler
   class Definition
     include GemHelpers
 
-    attr_reader :dependencies, :platforms, :sources, :ruby_version,
-      :locked_deps
+    attr_reader :dependencies, :platforms, :ruby_version, :locked_deps
 
     # Given a gemfile and lockfile creates a Bundler definition
     #
@@ -40,7 +39,7 @@ module Bundler
     #
     # @param lockfile [Pathname] Path to Gemfile.lock
     # @param dependencies [Array(Bundler::Dependency)] array of dependencies from Gemfile
-    # @param sources [Array(Bundler::Source::Rubygems)]
+    # @param sources [Bundler::SourceList]
     # @param unlock [Hash, Boolean, nil] Gems that have been requested
     #   to be updated or true if all gems should be updated
     # @param ruby_version [Bundler::RubyVersion, nil] Requested Ruby Version
@@ -111,14 +110,14 @@ module Bundler
 
     def resolve_with_cache!
       raise "Specs already loaded" if @specs
-      @sources.each { |s| s.cached! }
+      sources.cached!
       specs
     end
 
     def resolve_remotely!
       raise "Specs already loaded" if @specs
       @remote = true
-      @sources.each { |s| s.remote! }
+      sources.remote!
       specs
     end
 
@@ -210,7 +209,7 @@ module Bundler
         dependency_names = @dependencies.dup || []
         dependency_names.map! {|d| d.name }
 
-        @sources.each do |s|
+        sources.all_sources.each do |s|
           if s.is_a?(Bundler::Source::Rubygems)
             s.dependency_names = dependency_names.uniq
             idx.add_source s.specs
@@ -227,13 +226,22 @@ module Bundler
     # spec, even if (say) a git gem is not checked out.
     def rubygems_index
       @rubygems_index ||= Index.build do |idx|
-        rubygems = @sources.find{|s| s.is_a?(Source::Rubygems) }
-        idx.add_source rubygems.specs
+        sources.rubygems_sources.each do |rubygems|
+          idx.add_source rubygems.specs
+        end
       end
     end
 
-    def rubygems_remotes
-      @sources.select{|s| s.is_a?(Source::Rubygems) }.map{|s| s.remotes }.flatten
+    def has_rubygems_remotes?
+      sources.rubygems_sources.any? {|s| s.remotes.any? }
+    end
+
+    def has_local_dependencies?
+      !sources.path_sources.empty? || !sources.git_sources.empty?
+    end
+
+    def spec_git_paths
+      sources.git_sources.map {|s| s.path.to_s }
     end
 
     def groups
@@ -265,12 +273,12 @@ module Bundler
     def to_lock
       out = ""
 
-      sorted_sources.each do |source|
+      sources.lock_sources.each do |source|
         # Add the source header
         out << source.to_lock
         # Find all specs for this source
         resolve.
-          select  { |s| s.source == source }.
+          select { |s| source.can_lock?(s) }.
           # This needs to be sorted by full name so that
           # gems with the same name, but different platform
           # are ordered consistently
@@ -319,9 +327,10 @@ module Bundler
       deleted = []
       changed = []
 
-      if @locked_sources != @sources
-        new_sources = @sources - @locked_sources
-        deleted_sources = @locked_sources - @sources
+      gemfile_sources = sources.all_sources
+      if @locked_sources != gemfile_sources
+        new_sources = gemfile_sources - @locked_sources
+        deleted_sources = @locked_sources - gemfile_sources
 
         if new_sources.any?
           added.concat new_sources.map { |source| "* source: #{source}" }
@@ -393,6 +402,8 @@ module Bundler
 
   private
 
+    attr_reader :sources
+
     def nothing_changed?
       !@source_changes && !@dependency_changes && !@new_platform && !@path_changes && !@local_changes
     end
@@ -441,8 +452,7 @@ module Bundler
     end
 
     def converge_paths
-      @sources.any? do |source|
-        next unless source.instance_of?(Source::Path)
+      sources.path_sources.any? do |source|
         specs_changed?(source) do |ls|
           ls.class == source.class && ls.path == source.path
         end
@@ -453,26 +463,16 @@ module Bundler
       changes = false
 
       # Get the Rubygems source from the Gemfile.lock
-      locked_gem = @locked_sources.find { |s| s.kind_of?(Source::Rubygems) }
-
-      # Get the Rubygems source from the Gemfile
-      actual_gem = @sources.find { |s| s.kind_of?(Source::Rubygems) }
-
-      # If there is a Rubygems source in both
-      if locked_gem && actual_gem
-        # Merge the remotes from the Gemfile into the Gemfile.lock
-        changes = changes | locked_gem.replace_remotes(actual_gem)
-      end
+      locked_gem = @locked_sources.select { |s| s.kind_of?(Source::Rubygems) }
 
       # Replace the sources from the Gemfile with the sources from the Gemfile.lock,
       # if they exist in the Gemfile.lock and are `==`. If you can't find an equivalent
       # source in the Gemfile.lock, use the one from the Gemfile.
-      @sources.map! do |source|
-        @locked_sources.find { |s| s == source } || source
-      end
-      changes = changes | (Set.new(@sources) != Set.new(@locked_sources))
+      sources.replace_sources!(@locked_sources)
+      gemfile_sources = sources.all_sources
+      changes = changes | (Set.new(gemfile_sources) != Set.new(@locked_sources))
 
-      @sources.each do |source|
+      gemfile_sources.each do |source|
         # If the source is unlockable and the current command allows an unlock of
         # the source (for example, you are doing a `bundle update <foo>` of a git-pinned
         # gem), unlock it. For git sources, this means to unlock the revision, which
@@ -490,7 +490,7 @@ module Bundler
     def converge_dependencies
       (@dependencies + @locked_deps).each do |dep|
         if dep.source
-          dep.source = @sources.find { |s| dep.source == s }
+          dep.source = sources.get(dep.source)
         end
       end
       Set.new(@dependencies) != Set.new(@locked_deps)
@@ -524,7 +524,7 @@ module Bundler
 
       converged = []
       @locked_specs.each do |s|
-        s.source = @sources.find { |src| s.source == src }
+        s.source = sources.get(s.source)
 
         # Don't add a spec to the list if its source is expired. For example,
         # if you change a Git gem to Rubygems.
@@ -553,7 +553,7 @@ module Bundler
       diff    = @locked_specs.to_a - resolve.to_a
 
       # Now, we unlock any sources that do not have anymore gems pinned to it
-      @sources.each do |source|
+      sources.all_sources.each do |source|
         next unless source.respond_to?(:unlock!)
 
         unless resolve.any? { |s| s.source == source }
@@ -588,13 +588,6 @@ module Bundler
       deps
     end
 
-    def sorted_sources
-      @sources.sort_by do |s|
-        # Place GEM at the top
-        [ s.is_a?(Source::Rubygems) ? 1 : 0, s.to_s ]
-      end
-    end
-
     def requested_dependencies
       groups = self.groups - Bundler.settings.without
       groups.map! { |g| g.to_sym }

data/lib/bundler/dsl.rb

@@ -17,7 +17,7 @@ module Bundler
 
     def initialize
       @source          = nil
-      @sources         = []
+      @sources         = SourceList.new
       @git_sources     = {}
       @dependencies    = []
       @groups          = []
@@ -27,10 +27,6 @@ module Bundler
       add_github_sources
     end
 
-    def rubygems_source
-      @rubygems_source ||= Source::Rubygems.new
-    end
-
     def eval_gemfile(gemfile, contents = nil)
       contents ||= Bundler.read_file(gemfile.to_s)
       instance_eval(contents, gemfile.to_s, 1)
@@ -70,12 +66,8 @@ module Bundler
     end
 
     def gem(name, *args)
-      if name.is_a?(Symbol)
-        raise GemfileError, %{You need to specify gem names as Strings. Use 'gem "#{name.to_s}"' instead.}
-      end
-
       options = args.last.is_a?(Hash) ? args.pop.dup : {}
-      version = args
+      version = args || [">= 0"]
 
       normalize_options(name, version, options)
 
@@ -115,37 +107,13 @@ module Bundler
       @dependencies << dep
     end
 
-    def source(source, options = {})
-      case source
-      when :gemcutter, :rubygems, :rubyforge then
-        Bundler.ui.warn "The source :#{source} is deprecated because HTTP " \
-          "requests are insecure.\nPlease change your source to 'https://" \
-          "rubygems.org' if possible, or 'http://rubygems.org' if not."
-        rubygems_source.add_remote "http://rubygems.org"
-        return
-      when String
-        rubygems_source.add_remote source
-
-        if block_given?
-          Bundler.ui.warn "A block was passed to `source`, but Bundler versions " \
-            "prior to 1.7 ignore the block.  Please upgrade Bundler to 1.7 or " \
-            "specify your dependencies outside of the block passed to `source`."
-        end
-
-        return
+    def source(source, &blk)
+      source = normalize_source(source)
+      if block_given?
+        with_source(@sources.add_rubygems_source("remotes" => source), &blk)
       else
-        @source = source
-        if options[:prepend]
-          @sources = [@source] | @sources
-        else
-          @sources = @sources | [@source]
-        end
-
-        yield if block_given?
-        return @source
+        @sources.add_rubygems_remote(source)
       end
-    ensure
-      @source = nil
     end
 
     def git_source(name, &block)
@@ -161,11 +129,11 @@ module Bundler
       @git_sources[name.to_s] = block
     end
 
-    def path(path, options = {}, source_options = {}, &blk)
-      source Source::Path.new(normalize_hash(options).merge("path" => Pathname.new(path))), source_options, &blk
+    def path(path, options = {}, &blk)
+      with_source(@sources.add_path_source(normalize_hash(options).merge("path" => Pathname.new(path))), &blk)
     end
 
-    def git(uri, options = {}, source_options = {}, &blk)
+    def git(uri, options = {}, &blk)
       unless block_given?
         msg = "You can no longer specify a git source by itself. Instead, \n" \
               "either use the :git option on a gem, or specify the gems that \n" \
@@ -177,11 +145,10 @@ module Bundler
         raise DeprecatedError, msg
       end
 
-      source Source::Git.new(normalize_hash(options).merge("uri" => uri)), source_options, &blk
+      with_source(@sources.add_git_source(normalize_hash(options).merge("uri" => uri)), &blk)
     end
 
     def to_definition(lockfile, unlock)
-      @sources << rubygems_source unless @sources.include?(rubygems_source)
       Definition.new(lockfile, @dependencies, @sources, unlock, @ruby_version)
     end
 
@@ -224,6 +191,16 @@ module Bundler
       git_source(:gist){ |repo_name| "https://gist.github.com/#{repo_name}.git" }
     end
 
+    def with_source(source)
+      if block_given?
+        @source = source
+        yield
+      end
+      source
+    ensure
+      @source = nil
+    end
+
     def normalize_hash(opts)
       opts.keys.each do |k|
         opts[k.to_s] = opts.delete(k) unless k.is_a?(String)
@@ -232,10 +209,14 @@ module Bundler
     end
 
     def valid_keys
-      @valid_keys ||= %w(group groups git path name branch ref tag require submodules platform platforms type)
+      @valid_keys ||= %w(group groups git path name branch ref tag require submodules platform platforms type source)
     end
 
     def normalize_options(name, version, opts)
+      if name.is_a?(Symbol)
+        raise GemfileError, %{You need to specify gem names as Strings. Use 'gem "#{name.to_s}"' instead.}
+      end
+
       normalize_hash(opts)
 
       git_names = @git_sources.keys.map(&:to_s)
@@ -267,6 +248,12 @@ module Bundler
         raise GemfileError, "`#{p}` is not a valid platform. The available options are: #{VALID_PLATFORMS.inspect}"
       end
 
+      # Save sources passed in a key
+      if opts.has_key?("source")
+        source = normalize_source(opts["source"])
+        opts["source"] = @sources.add_rubygems_source("remotes" => source)
+      end
+
       git_name = (git_names & opts.keys).last
       if @git_sources[git_name]
         opts["git"] = @git_sources[git_name].call(opts[git_name])
@@ -279,7 +266,7 @@ module Bundler
           else
             options = opts.dup
           end
-          source = send(type, param, options, :prepend => true) {}
+          source = send(type, param, options) {}
           opts["source"] = source
         end
       end
@@ -290,5 +277,18 @@ module Bundler
       opts["group"]     = groups
     end
 
+    def normalize_source(source)
+      case source
+      when :gemcutter, :rubygems, :rubyforge
+        Bundler.ui.warn "The source :#{source} is deprecated because HTTP " \
+          "requests are insecure.\nPlease change your source to 'https://" \
+          "rubygems.org' if possible, or 'http://rubygems.org' if not."
+        "http://rubygems.org"
+      when String
+        source
+      else
+        raise GemfileError, "Unknown source '#{source}'"
+      end
+    end
   end
 end