bundler 2.2.9 → 2.2.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c062fbdfa8bcfdfde2356db8e25d771f26a63ce52bd1e91d38bfee9fda101fca
-  data.tar.gz: 8f2bb42b3a04e2a24facdc2a859e30ab36d21607b75b828fc46f610a8da3b1fd
+  metadata.gz: fb87c09a270f3caca4d4719878b6c807b173016a786dbf5b067b44cf3e61b37d
+  data.tar.gz: 9c31e5c7673789aedd7515d6f54479095da5ecdc0e6fba3b4c2a6f636c21b30f
 SHA512:
-  metadata.gz: 6db82f66c50024072fbc6fd5bebcca674790cf62108b6f914a6515e77526af70a71c95546e7286f7dd78919bf2f2ef100a3ef6fb07a0bcc5e94a43211bfbbf10
-  data.tar.gz: a6a7a66879e0998817aaba8ee923c4aed56db5f3393fc94d6d607015f8bf2b752b1d07f0ba1b2a42cba066781e1a013fb8642a890388663566a3eb83d55b51b4
+  metadata.gz: 218d6753e8980cfd447332d0c19c1ef0d07ba25b9ee0260cf6290d493063c24ea377d9241d52a145737ee8ac6ee4cd127351b4356076d114778f3a8c8fb5987b
+  data.tar.gz: 858d23190b365f75b923b4f5608bea65206e9aadc842cfaa04190d6d9d452212da5f857f0474f35a474448de246ef3d34a70de8d6d476ad095457148ceeb3bd2

data/CHANGELOG.md

@@ -1,3 +1,18 @@
+# 2.2.10 (February 15, 2021)
+
+## Security fixes:
+
+  - Fix source priority for transitive dependencies and split lockfile rubygems source sections [#3655](https://github.com/rubygems/rubygems/pull/3655)
+
+## Bug fixes:
+
+  - Fix adding platforms to lockfile sometimes conflicting on ruby requirements [#4371](https://github.com/rubygems/rubygems/pull/4371)
+  - Fix bundler sometimes choosing ruby variants over java ones [#4367](https://github.com/rubygems/rubygems/pull/4367)
+
+## Documentation:
+
+  - Update man pages to reflect to new default for bundle install jobs [#4188](https://github.com/rubygems/rubygems/pull/4188)
+
 # 2.2.9 (February 8, 2021)
 
 ## Enhancements:

data/lib/bundler/build_metadata.rb

@@ -4,8 +4,8 @@ module Bundler
   # Represents metadata from when the Bundler gem was built.
   module BuildMetadata
     # begin ivars
-    @built_at = "2021-02-08".freeze
-    @git_commit_sha = "30e740c073".freeze
+    @built_at = "2021-02-15".freeze
+    @git_commit_sha = "cc7c333721".freeze
     @release = true
     # end ivars
 

data/lib/bundler/definition.rb

@@ -106,6 +106,19 @@ module Bundler
         @locked_platforms = []
       end
 
+      @locked_gem_sources = @locked_sources.select {|s| s.is_a?(Source::Rubygems) }
+      @disable_multisource = !Bundler.frozen_bundle? || @locked_gem_sources.none? {|s| s.remotes.size > 1 }
+
+      unless @disable_multisource
+        msg = "Your lockfile contains a single rubygems source section with multiple remotes, which is insecure. " \
+          "You should regenerate your lockfile in a non frozen environment."
+
+        Bundler::SharedHelpers.major_deprecation 2, msg
+
+        @sources.allow_multisource!
+        @locked_gem_sources.each(&:allow_multisource!)
+      end
+
       @unlock[:gems] ||= []
       @unlock[:sources] ||= []
       @unlock[:ruby] ||= if @ruby_version && locked_ruby_version_object
@@ -145,6 +158,14 @@ module Bundler
       end
     end
 
+    def disable_multisource?
+      @disable_multisource
+    end
+
+    def allow_multisource!
+      @disable_multisource = false
+    end
+
     def resolve_with_cache!
       raise "Specs already loaded" if @specs
       sources.cached!
@@ -264,7 +285,7 @@ module Bundler
           # Run a resolve against the locally available gems
           Bundler.ui.debug("Found changes from the lockfile, re-resolving dependencies because #{change_reason}")
           expanded_dependencies = expand_dependencies(dependencies + metadata_dependencies, @remote)
-          Resolver.resolve(expanded_dependencies, index, source_requirements, last_resolve, gem_version_promoter, additional_base_requirements_for_resolve, platforms)
+          Resolver.resolve(expanded_dependencies, source_requirements, last_resolve, gem_version_promoter, additional_base_requirements_for_resolve, platforms)
         end
       end
     end
@@ -530,6 +551,9 @@ module Bundler
     attr_reader :sources
     private :sources
 
+    attr_reader :locked_gem_sources
+    private :locked_gem_sources
+
     def nothing_changed?
       !@source_changes && !@dependency_changes && !@new_platform && !@path_changes && !@local_changes && !@locked_specs_incomplete_for_platform
     end
@@ -654,21 +678,20 @@ module Bundler
     end
 
     def converge_rubygems_sources
-      return false if Bundler.feature_flag.disable_multisource?
+      return false if disable_multisource?
 
-      changes = false
+      return false if locked_gem_sources.empty?
 
-      # Get the RubyGems sources from the Gemfile.lock
-      locked_gem_sources = @locked_sources.select {|s| s.is_a?(Source::Rubygems) }
       # Get the RubyGems remotes from the Gemfile
       actual_remotes = sources.rubygems_remotes
+      return false if actual_remotes.empty?
+
+      changes = false
 
       # If there is a RubyGems source in both
-      if !locked_gem_sources.empty? && !actual_remotes.empty?
-        locked_gem_sources.each do |locked_gem|
-          # Merge the remotes from the Gemfile into the Gemfile.lock
-          changes |= locked_gem.replace_remotes(actual_remotes, Bundler.settings[:allow_deployment_source_credential_changes])
-        end
+      locked_gem_sources.each do |locked_gem|
+        # Merge the remotes from the Gemfile into the Gemfile.lock
+        changes |= locked_gem.replace_remotes(actual_remotes, Bundler.settings[:allow_deployment_source_credential_changes])
       end
 
       changes
@@ -893,30 +916,18 @@ module Bundler
       # Record the specs available in each gem's source, so that those
       # specs will be available later when the resolver knows where to
       # look for that gemspec (or its dependencies)
-      default = sources.default_source
-      source_requirements = { :default => default }
-      default = nil unless Bundler.feature_flag.disable_multisource?
-      dependencies.each do |dep|
-        next unless source = dep.source || default
-        source_requirements[dep.name] = source
-      end
+      source_requirements = { :default => sources.default_source }.merge(dependency_source_requirements)
       metadata_dependencies.each do |dep|
         source_requirements[dep.name] = sources.metadata_source
       end
+      source_requirements[:global] = index unless disable_multisource?
       source_requirements[:default_bundler] = source_requirements["bundler"] || source_requirements[:default]
       source_requirements["bundler"] = sources.metadata_source # needs to come last to override
       source_requirements
     end
 
     def pinned_spec_names(skip = nil)
-      pinned_names = []
-      default = Bundler.feature_flag.disable_multisource? && sources.default_source
-      @dependencies.each do |dep|
-        next unless dep_source = dep.source || default
-        next if dep_source == skip
-        pinned_names << dep.name
-      end
-      pinned_names
+      dependency_source_requirements.reject {|_, source| source == skip }.keys
     end
 
     def requested_groups
@@ -973,5 +984,18 @@ module Bundler
 
       Bundler.settings[:allow_deployment_source_credential_changes] && source.equivalent_remotes?(sources.rubygems_remotes)
     end
+
+    def dependency_source_requirements
+      @dependency_source_requirements ||= begin
+        source_requirements = {}
+        default = disable_multisource? && sources.default_source
+        dependencies.each do |dep|
+          dep_source = dep.source || default
+          next unless dep_source
+          source_requirements[dep.name] = dep_source
+        end
+        source_requirements
+      end
+    end
   end
 end

data/lib/bundler/dsl.rb

@@ -24,6 +24,9 @@ module Bundler
     def initialize
       @source               = nil
       @sources              = SourceList.new
+
+      @global_rubygems_sources = []
+
       @git_sources          = {}
       @dependencies         = []
       @groups               = []
@@ -45,6 +48,7 @@ module Bundler
       @gemfiles << expanded_gemfile_path
       contents ||= Bundler.read_file(@gemfile.to_s)
       instance_eval(contents.dup.tap{|x| x.untaint if RUBY_VERSION < "2.7" }, gemfile.to_s, 1)
+      check_primary_source_safety
     rescue Exception => e # rubocop:disable Lint/RescueException
       message = "There was an error " \
         "#{e.is_a?(GemfileEvalError) ? "evaluating" : "parsing"} " \
@@ -164,8 +168,7 @@ module Bundler
       elsif block_given?
         with_source(@sources.add_rubygems_source("remotes" => source), &blk)
       else
-        check_primary_source_safety(@sources)
-        @sources.global_rubygems_source = source
+        @global_rubygems_sources << source
       end
     end
 
@@ -183,24 +186,14 @@ module Bundler
     end
 
     def path(path, options = {}, &blk)
-      unless block_given?
-        msg = "You can no longer specify a path source by itself. Instead, \n" \
-              "either use the :path option on a gem, or specify the gems that \n" \
-              "bundler should find in the path source by passing a block to \n" \
-              "the path method, like: \n\n" \
-              "    path 'dir/containing/rails' do\n" \
-              "      gem 'rails'\n" \
-              "    end\n\n"
-
-        raise DeprecatedError, msg if Bundler.feature_flag.disable_multisource?
-        SharedHelpers.major_deprecation(2, msg.strip)
-      end
-
       source_options = normalize_hash(options).merge(
         "path" => Pathname.new(path),
         "root_path" => gemfile_root,
         "gemspec" => gemspecs.find {|g| g.name == options["name"] }
       )
+
+      source_options["global"] = true unless block_given?
+
       source = @sources.add_path_source(source_options)
       with_source(source, &blk)
     end
@@ -279,6 +272,11 @@ module Bundler
       raise GemfileError, "Undefined local variable or method `#{name}' for Gemfile"
     end
 
+    def check_primary_source_safety
+      check_path_source_safety
+      check_rubygems_source_safety
+    end
+
     private
 
     def add_git_sources
@@ -440,25 +438,40 @@ repo_name ||= user_name
       end
     end
 
-    def check_primary_source_safety(source_list)
-      return if source_list.rubygems_primary_remotes.empty? && source_list.global_rubygems_source.nil?
+    def check_path_source_safety
+      return if @sources.global_path_source.nil?
+
+      msg = "You can no longer specify a path source by itself. Instead, \n" \
+              "either use the :path option on a gem, or specify the gems that \n" \
+              "bundler should find in the path source by passing a block to \n" \
+              "the path method, like: \n\n" \
+              "    path 'dir/containing/rails' do\n" \
+              "      gem 'rails'\n" \
+              "    end\n\n"
 
-      if Bundler.feature_flag.disable_multisource?
+      SharedHelpers.major_deprecation(2, msg.strip)
+    end
+
+    def check_rubygems_source_safety
+      if @global_rubygems_sources.size <= 1
+        @sources.global_rubygems_source = @global_rubygems_sources.first
+        return
+      end
+
+      @global_rubygems_sources.each do |source|
+        @sources.add_rubygems_remote(source)
+      end
+
+      if Bundler.feature_flag.bundler_3_mode?
         msg = "This Gemfile contains multiple primary sources. " \
           "Each source after the first must include a block to indicate which gems " \
           "should come from that source"
-        unless Bundler.feature_flag.bundler_2_mode?
-          msg += ". To downgrade this error to a warning, run " \
-            "`bundle config unset disable_multisource`"
-        end
         raise GemfileEvalError, msg
       else
         Bundler::SharedHelpers.major_deprecation 2, "Your Gemfile contains multiple primary sources. " \
           "Using `source` more than once without a block is a security risk, and " \
           "may result in installing unexpected gems. To resolve this warning, use " \
-          "a block to indicate which gems should come from the secondary source. " \
-          "To upgrade this warning to an error, run `bundle config set --local " \
-          "disable_multisource true`."
+          "a block to indicate which gems should come from the secondary source."
       end
     end
 

data/lib/bundler/feature_flag.rb

@@ -32,7 +32,6 @@ module Bundler
     settings_flag(:cache_all) { bundler_3_mode? }
     settings_flag(:default_install_uses_path) { bundler_3_mode? }
     settings_flag(:deployment_means_frozen) { bundler_3_mode? }
-    settings_flag(:disable_multisource) { bundler_3_mode? }
     settings_flag(:forget_cli_options) { bundler_3_mode? }
     settings_flag(:global_gem_cache) { bundler_3_mode? }
     settings_flag(:only_update_to_newer_versions) { bundler_3_mode? }

data/lib/bundler/inline.rb

@@ -50,6 +50,7 @@ def gemfile(install = false, options = {}, &gemfile)
     Bundler::Plugin.gemfile_install(&gemfile) if Bundler.feature_flag.plugins?
     builder = Bundler::Dsl.new
     builder.instance_eval(&gemfile)
+    builder.check_primary_source_safety
 
     Bundler.settings.temporary(:frozen => false) do
       definition = builder.to_definition(nil, true)

data/lib/bundler/lockfile_parser.rb

@@ -64,8 +64,6 @@ module Bundler
       @state        = nil
       @specs        = {}
 
-      @rubygems_aggregate = Source::Rubygems.new
-
       if lockfile.match(/<<<<<<<|=======|>>>>>>>|\|\|\|\|\|\|\|/)
         raise LockfileError, "Your #{Bundler.default_lockfile.relative_path_from(SharedHelpers.pwd)} contains merge conflicts.\n" \
           "Run `git checkout HEAD -- #{Bundler.default_lockfile.relative_path_from(SharedHelpers.pwd)}` first to get a clean lock."
@@ -89,7 +87,6 @@ module Bundler
           send("parse_#{@state}", line)
         end
       end
-      @sources << @rubygems_aggregate unless Bundler.feature_flag.disable_multisource?
       @specs = @specs.values.sort_by(&:identifier)
       warn_for_outdated_bundler_version
     rescue ArgumentError => e
@@ -134,16 +131,19 @@ module Bundler
             @sources << @current_source
           end
         when GEM
-          if Bundler.feature_flag.disable_multisource?
+          source_remotes = Array(@opts["remote"])
+
+          if source_remotes.size == 1
             @opts["remotes"] = @opts.delete("remote")
             @current_source = TYPES[@type].from_lock(@opts)
-            @sources << @current_source
           else
-            Array(@opts["remote"]).each do |url|
-              @rubygems_aggregate.add_remote(url)
+            source_remotes.each do |url|
+              rubygems_aggregate.add_remote(url)
             end
-            @current_source = @rubygems_aggregate
+            @current_source = rubygems_aggregate
           end
+
+          @sources << @current_source
         when PLUGIN
           @current_source = Plugin.source_from_lock(@opts)
           @sources << @current_source
@@ -245,5 +245,9 @@ module Bundler
     def parse_ruby(line)
       @ruby_version = line.strip
     end
+
+    def rubygems_aggregate
+      @rubygems_aggregate ||= Source::Rubygems.new
+    end
   end
 end

data/lib/bundler/man/bundle-config.1

@@ -56,9 +56,6 @@ Executing \fBbundle config unset \-\-local <name> <value>\fR will delete the con
 .P
 Executing bundle with the \fBBUNDLE_IGNORE_CONFIG\fR environment variable set will cause it to ignore all configuration\.
 .
-.P
-Executing \fBbundle config set \-\-local disable_multisource true\fR upgrades the warning about the Gemfile containing multiple primary sources to an error\. Executing \fBbundle config unset disable_multisource\fR downgrades this error to a warning\.
-.
 .SH "REMEMBERING OPTIONS"
 Flags passed to \fBbundle install\fR or the Bundler runtime, such as \fB\-\-path foo\fR or \fB\-\-without production\fR, are remembered between commands and saved to your local application\'s configuration (normally, \fB\./\.bundle/config\fR)\.
 .
@@ -184,9 +181,6 @@ The following is a list of all configuration keys and their purpose\. You can le
 \fBdisable_local_revision_check\fR (\fBBUNDLE_DISABLE_LOCAL_REVISION_CHECK\fR): Allow Bundler to use a local git override without checking if the revision present in the lockfile is present in the repository\.
 .
 .IP "\(bu" 4
-\fBdisable_multisource\fR (\fBBUNDLE_DISABLE_MULTISOURCE\fR): When set, Gemfiles containing multiple sources will produce errors instead of warnings\. Use \fBbundle config unset disable_multisource\fR to unset\.
-.
-.IP "\(bu" 4
 \fBdisable_shared_gems\fR (\fBBUNDLE_DISABLE_SHARED_GEMS\fR): Stop Bundler from accessing gems installed to RubyGems\' normal location\.
 .
 .IP "\(bu" 4
@@ -211,10 +205,10 @@ The following is a list of all configuration keys and their purpose\. You can le
 \fBignore_messages\fR (\fBBUNDLE_IGNORE_MESSAGES\fR): When set, no post install messages will be printed\. To silence a single gem, use dot notation like \fBignore_messages\.httparty true\fR\.
 .
 .IP "\(bu" 4
-\fBinit_gems_rb\fR (\fBBUNDLE_INIT_GEMS_RB\fR) Generate a \fBgems\.rb\fR instead of a \fBGemfile\fR when running \fBbundle init\fR\.
+\fBinit_gems_rb\fR (\fBBUNDLE_INIT_GEMS_RB\fR): Generate a \fBgems\.rb\fR instead of a \fBGemfile\fR when running \fBbundle init\fR\.
 .
 .IP "\(bu" 4
-\fBjobs\fR (\fBBUNDLE_JOBS\fR): The number of gems Bundler can install in parallel\. Defaults to 1\.
+\fBjobs\fR (\fBBUNDLE_JOBS\fR): The number of gems Bundler can install in parallel\. Defaults to 1 on Windows, and to the the number of processors on other platforms\.
 .
 .IP "\(bu" 4
 \fBno_install\fR (\fBBUNDLE_NO_INSTALL\fR): Whether \fBbundle package\fR should skip installing gems\.
@@ -241,7 +235,7 @@ The following is a list of all configuration keys and their purpose\. You can le
 \fBprefer_patch\fR (BUNDLE_PREFER_PATCH): Prefer updating only to next patch version during updates\. Makes \fBbundle update\fR calls equivalent to \fBbundler update \-\-patch\fR\.
 .
 .IP "\(bu" 4
-\fBprint_only_version_number\fR (\fBBUNDLE_PRINT_ONLY_VERSION_NUMBER\fR) Print only version number from \fBbundler \-\-version\fR\.
+\fBprint_only_version_number\fR (\fBBUNDLE_PRINT_ONLY_VERSION_NUMBER\fR): Print only version number from \fBbundler \-\-version\fR\.
 .
 .IP "\(bu" 4
 \fBredirect\fR (\fBBUNDLE_REDIRECT\fR): The number of redirects allowed for network requests\. Defaults to \fB5\fR\.
@@ -283,7 +277,7 @@ The following is a list of all configuration keys and their purpose\. You can le
 \fBunlock_source_unlocks_spec\fR (\fBBUNDLE_UNLOCK_SOURCE_UNLOCKS_SPEC\fR): Whether running \fBbundle update \-\-source NAME\fR unlocks a gem with the given name\. Defaults to \fBtrue\fR\.
 .
 .IP "\(bu" 4
-\fBupdate_requires_all_flag\fR (\fBBUNDLE_UPDATE_REQUIRES_ALL_FLAG\fR) Require passing \fB\-\-all\fR to \fBbundle update\fR when everything should be updated, and disallow passing no options to \fBbundle update\fR\.
+\fBupdate_requires_all_flag\fR (\fBBUNDLE_UPDATE_REQUIRES_ALL_FLAG\fR): Require passing \fB\-\-all\fR to \fBbundle update\fR when everything should be updated, and disallow passing no options to \fBbundle update\fR\.
 .
 .IP "\(bu" 4
 \fBuser_agent\fR (\fBBUNDLE_USER_AGENT\fR): The custom user agent fragment Bundler includes in API requests\.

data/lib/bundler/man/bundle-config.1.ronn

@@ -47,10 +47,6 @@ configuration only from the local application.
 Executing bundle with the `BUNDLE_IGNORE_CONFIG` environment variable set will
 cause it to ignore all configuration.
 
-Executing `bundle config set --local disable_multisource true` upgrades the warning about
-the Gemfile containing multiple primary sources to an error. Executing `bundle
-config unset disable_multisource` downgrades this error to a warning.
-
 ## REMEMBERING OPTIONS
 
 Flags passed to `bundle install` or the Bundler runtime, such as `--path foo` or
@@ -178,10 +174,6 @@ learn more about their operation in [bundle install(1)](bundle-install.1.html).
 * `disable_local_revision_check` (`BUNDLE_DISABLE_LOCAL_REVISION_CHECK`):
    Allow Bundler to use a local git override without checking if the revision
    present in the lockfile is present in the repository.
-* `disable_multisource` (`BUNDLE_DISABLE_MULTISOURCE`):
-   When set, Gemfiles containing multiple sources will produce errors
-   instead of warnings.
-   Use `bundle config unset disable_multisource` to unset.
 * `disable_shared_gems` (`BUNDLE_DISABLE_SHARED_GEMS`):
    Stop Bundler from accessing gems installed to RubyGems' normal location.
 * `disable_version_check` (`BUNDLE_DISABLE_VERSION_CHECK`):
@@ -206,13 +198,14 @@ learn more about their operation in [bundle install(1)](bundle-install.1.html).
 * `global_gem_cache` (`BUNDLE_GLOBAL_GEM_CACHE`):
    Whether Bundler should cache all gems globally, rather than locally to the
    installing Ruby installation.
-* `ignore_messages` (`BUNDLE_IGNORE_MESSAGES`): When set, no post install
-   messages will be printed. To silence a single gem, use dot notation like
-   `ignore_messages.httparty true`.
-* `init_gems_rb` (`BUNDLE_INIT_GEMS_RB`)
+* `ignore_messages` (`BUNDLE_IGNORE_MESSAGES`):
+   When set, no post install messages will be printed. To silence a single gem,
+   use dot notation like `ignore_messages.httparty true`.
+* `init_gems_rb` (`BUNDLE_INIT_GEMS_RB`):
    Generate a `gems.rb` instead of a `Gemfile` when running `bundle init`.
 * `jobs` (`BUNDLE_JOBS`):
-   The number of gems Bundler can install in parallel. Defaults to 1.
+   The number of gems Bundler can install in parallel. Defaults to 1 on Windows,
+   and to the the number of processors on other platforms.
 * `no_install` (`BUNDLE_NO_INSTALL`):
    Whether `bundle package` should skip installing gems.
 * `no_prune` (`BUNDLE_NO_PRUNE`):
@@ -233,7 +226,7 @@ learn more about their operation in [bundle install(1)](bundle-install.1.html).
    Enable Bundler's experimental plugin system.
 * `prefer_patch` (BUNDLE_PREFER_PATCH):
    Prefer updating only to next patch version during updates. Makes `bundle update` calls equivalent to `bundler update --patch`.
-* `print_only_version_number` (`BUNDLE_PRINT_ONLY_VERSION_NUMBER`)
+* `print_only_version_number` (`BUNDLE_PRINT_ONLY_VERSION_NUMBER`):
    Print only version number from `bundler --version`.
 * `redirect` (`BUNDLE_REDIRECT`):
    The number of redirects allowed for network requests. Defaults to `5`.
@@ -269,7 +262,7 @@ learn more about their operation in [bundle install(1)](bundle-install.1.html).
 * `unlock_source_unlocks_spec` (`BUNDLE_UNLOCK_SOURCE_UNLOCKS_SPEC`):
    Whether running `bundle update --source NAME` unlocks a gem with the given
    name. Defaults to `true`.
-* `update_requires_all_flag` (`BUNDLE_UPDATE_REQUIRES_ALL_FLAG`)
+* `update_requires_all_flag` (`BUNDLE_UPDATE_REQUIRES_ALL_FLAG`):
    Require passing `--all` to `bundle update` when everything should be updated,
    and disallow passing no options to `bundle update`.
 * `user_agent` (`BUNDLE_USER_AGENT`):

data/lib/bundler/plugin.rb

@@ -105,6 +105,7 @@ module Bundler
         else
           builder.eval_gemfile(gemfile)
         end
+        builder.check_primary_source_safety
         definition = builder.to_definition(nil, true)
 
         return if definition.dependencies.empty?

data/lib/bundler/plugin/installer.rb

@@ -16,15 +16,13 @@ module Bundler
 
         version = options[:version] || [">= 0"]
 
-        Bundler.settings.temporary(:disable_multisource => false) do
-          if options[:git]
-            install_git(names, version, options)
-          elsif options[:local_git]
-            install_local_git(names, version, options)
-          else
-            sources = options[:source] || Bundler.rubygems.sources
-            install_rubygems(names, version, sources)
-          end
+        if options[:git]
+          install_git(names, version, options)
+        elsif options[:local_git]
+          install_local_git(names, version, options)
+        else
+          sources = options[:source] || Bundler.rubygems.sources
+          install_rubygems(names, version, sources)
         end
       end
 
@@ -84,6 +82,7 @@ module Bundler
         deps = names.map {|name| Dependency.new name, version }
 
         definition = Definition.new(nil, deps, source_list, true)
+        definition.allow_multisource!
         install_definition(definition)
       end
 

data/lib/bundler/resolver.rb

@@ -17,15 +17,14 @@ module Bundler
     # ==== Returns
     # <GemBundle>,nil:: If the list of dependencies can be resolved, a
     #   collection of gemspecs is returned. Otherwise, nil is returned.
-    def self.resolve(requirements, index, source_requirements = {}, base = [], gem_version_promoter = GemVersionPromoter.new, additional_base_requirements = [], platforms = nil)
+    def self.resolve(requirements, source_requirements = {}, base = [], gem_version_promoter = GemVersionPromoter.new, additional_base_requirements = [], platforms = nil)
       base = SpecSet.new(base) unless base.is_a?(SpecSet)
-      resolver = new(index, source_requirements, base, gem_version_promoter, additional_base_requirements, platforms)
+      resolver = new(source_requirements, base, gem_version_promoter, additional_base_requirements, platforms)
       result = resolver.start(requirements)
       SpecSet.new(result)
     end
 
-    def initialize(index, source_requirements, base, gem_version_promoter, additional_base_requirements, platforms)
-      @index = index
+    def initialize(source_requirements, base, gem_version_promoter, additional_base_requirements, platforms)
       @source_requirements = source_requirements
       @base = base
       @resolver = Molinillo::Resolver.new(self, self)
@@ -36,14 +35,14 @@ module Bundler
         @base_dg.add_vertex(ls.name, DepProxy.get_proxy(dep, ls.platform), true)
       end
       additional_base_requirements.each {|d| @base_dg.add_vertex(d.name, d) }
-      @platforms = platforms
+      @platforms = platforms.reject {|p| p != Gem::Platform::RUBY && (platforms - [p]).any? {|pl| generic(pl) == p } }
       @resolving_only_for_ruby = platforms == [Gem::Platform::RUBY]
       @gem_version_promoter = gem_version_promoter
       @use_gvp = Bundler.feature_flag.use_gem_version_promoter_for_major_updates? || !@gem_version_promoter.major?
-      @lockfile_uses_separate_rubygems_sources = Bundler.feature_flag.disable_multisource?
+      @no_aggregate_global_source = @source_requirements[:global].nil?
 
       @variant_specific_names = []
-      @generic_names = []
+      @generic_names = ["Ruby\0", "RubyGems\0"]
     end
 
     def start(requirements)
@@ -125,8 +124,7 @@ module Bundler
       dependency = dependency_proxy.dep
       name = dependency.name
       search_result = @search_for[dependency_proxy] ||= begin
-        index = index_for(dependency)
-        results = index.search(dependency, @base[name])
+        results = results_for(dependency, @base[name])
 
         if vertex = @base_dg.vertex_named(name)
           locked_requirement = vertex.payload.requirement
@@ -195,23 +193,26 @@ module Bundler
       search_result
     end
 
-    def index_for(dependency)
+    def index_for(dependency, base)
       source = @source_requirements[dependency.name]
       if source
         source.specs
-      elsif @lockfile_uses_separate_rubygems_sources
-        Index.build do |idx|
-          if dependency.all_sources
-            dependency.all_sources.each {|s| idx.add_source(s.specs) if s }
-          else
-            idx.add_source @source_requirements[:default].specs
-          end
+      elsif @no_aggregate_global_source
+        dependency.all_sources.find(-> { Index.new }) do |s|
+          idx = s.specs
+          results = idx.search(dependency, base)
+          next if results.empty? || results == base
+          return idx
         end
       else
-        @index
+        @source_requirements[:global]
       end
     end
 
+    def results_for(dependency, base)
+      index_for(dependency, base).search(dependency, base)
+    end
+
     def name_for(dependency)
       dependency.name
     end
@@ -238,11 +239,13 @@ module Bundler
 
     def relevant_sources_for_vertex(vertex)
       if vertex.root?
-        [@source_requirements[vertex.name]]
-      elsif @lockfile_uses_separate_rubygems_sources
+        [@source_requirements[vertex.name]].compact
+      elsif @no_aggregate_global_source
         vertex.recursive_predecessors.map do |v|
           @source_requirements[v.name]
-        end << @source_requirements[:default]
+        end.compact << @source_requirements[:default]
+      else
+        []
       end
     end
 
@@ -283,7 +286,7 @@ module Bundler
         if (base = @base[dependency.name]) && !base.empty?
           dependency.requirement.satisfied_by?(base.first.version) ? 0 : 1
         else
-          all = index_for(dependency).search(dependency.name).size
+          all = index_for(dependency, base).search(dependency.name).size
 
           if all <= 1
             all - 1_000_000
@@ -326,7 +329,7 @@ module Bundler
             "The source does not contain any versions of '#{name}'"
           end
         else
-          message = "Could not find gem '#{requirement}' in any of the gem sources " \
+          message = "Could not find gem '#{SharedHelpers.pretty_dependency(requirement)}' in any of the gem sources " \
             "listed in your Gemfile#{cache_message}."
         end
         raise GemNotFound, message
@@ -411,14 +414,8 @@ module Bundler
 
             relevant_sources = if conflict.requirement.source
               [conflict.requirement.source]
-            elsif conflict.requirement.all_sources
-              conflict.requirement.all_sources
-            elsif @lockfile_uses_separate_rubygems_sources
-              # every conflict should have an explicit group of sources when we
-              # enforce strict pinning
-              raise "no source set for #{conflict}"
             else
-              []
+              conflict.requirement.all_sources
             end.compact.map(&:to_s).uniq.sort
 
             metadata_requirement = name.end_with?("\0")
@@ -455,7 +452,8 @@ module Bundler
     def validate_resolved_specs!(resolved_specs)
       resolved_specs.each do |v|
         name = v.name
-        next unless sources = relevant_sources_for_vertex(v)
+        sources = relevant_sources_for_vertex(v)
+        next unless sources.any?
         sources.compact!
         if default_index = sources.index(@source_requirements[:default])
           sources.delete_at(default_index)
@@ -464,14 +462,12 @@ module Bundler
         sources.uniq!
         next if sources.size <= 1
 
-        multisource_disabled = Bundler.feature_flag.disable_multisource?
-
         msg = ["The gem '#{name}' was found in multiple relevant sources."]
         msg.concat sources.map {|s| "  * #{s}" }.sort
-        msg << "You #{multisource_disabled ? :must : :should} add this gem to the source block for the source you wish it to be installed from."
+        msg << "You #{@no_aggregate_global_source ? :must : :should} add this gem to the source block for the source you wish it to be installed from."
         msg = msg.join("\n")
 
-        raise SecurityError, msg if multisource_disabled
+        raise SecurityError, msg if @no_aggregate_global_source
         Bundler.ui.warn "Warning: #{msg}"
       end
     end

data/lib/bundler/settings.rb

@@ -20,7 +20,6 @@ module Bundler
       disable_exec_load
       disable_local_branch_check
       disable_local_revision_check
-      disable_multisource
       disable_shared_gems
       disable_version_check
       force_ruby_platform

data/lib/bundler/source/rubygems.rb

@@ -21,6 +21,7 @@ module Bundler
         @allow_remote = false
         @allow_cached = false
         @caches = [cache_path, *Bundler.rubygems.gem_cache]
+        @disable_multisource = true
 
         Array(options["remotes"] || []).reverse_each {|r| add_remote(r) }
       end
@@ -49,8 +50,16 @@ module Bundler
         o.is_a?(Rubygems) && (o.credless_remotes - credless_remotes).empty?
       end
 
+      def disable_multisource?
+        @disable_multisource
+      end
+
+      def allow_multisource!
+        @disable_multisource = false
+      end
+
       def can_lock?(spec)
-        return super if Bundler.feature_flag.disable_multisource?
+        return super if disable_multisource?
         spec.source.is_a?(Rubygems)
       end
 

data/lib/bundler/source_list.rb

@@ -5,24 +5,41 @@ module Bundler
     attr_reader :path_sources,
       :git_sources,
       :plugin_sources,
-      :global_rubygems_source,
-      :metadata_source
+      :global_path_source,
+      :metadata_source,
+      :disable_multisource
+
+    def global_rubygems_source
+      @global_rubygems_source ||= rubygems_aggregate_class.new
+    end
 
     def initialize
       @path_sources           = []
       @git_sources            = []
       @plugin_sources         = []
       @global_rubygems_source = nil
-      @rubygems_aggregate     = rubygems_aggregate_class.new
+      @global_path_source     = nil
       @rubygems_sources       = []
       @metadata_source        = Source::Metadata.new
+      @disable_multisource    = true
+    end
+
+    def disable_multisource?
+      @disable_multisource
+    end
+
+    def allow_multisource!
+      rubygems_sources.map(&:allow_multisource!)
+      @disable_multisource = false
     end
 
     def add_path_source(options = {})
       if options["gemspec"]
         add_source_to_list Source::Gemspec.new(options), path_sources
       else
-        add_source_to_list Source::Path.new(options), path_sources
+        path_source = add_source_to_list Source::Path.new(options), path_sources
+        @global_path_source ||= path_source if options["global"]
+        path_source
       end
     end
 
@@ -41,24 +58,20 @@ module Bundler
     end
 
     def global_rubygems_source=(uri)
-      if Bundler.feature_flag.disable_multisource?
-        @global_rubygems_source ||= rubygems_aggregate_class.new("remotes" => uri)
-      end
-      add_rubygems_remote(uri)
+      @global_rubygems_source ||= rubygems_aggregate_class.new("remotes" => uri)
     end
 
     def add_rubygems_remote(uri)
-      return if Bundler.feature_flag.disable_multisource?
-      @rubygems_aggregate.add_remote(uri)
-      @rubygems_aggregate
+      global_rubygems_source.add_remote(uri)
+      global_rubygems_source
     end
 
     def default_source
-      global_rubygems_source || @rubygems_aggregate
+      global_path_source || global_rubygems_source
     end
 
     def rubygems_sources
-      @rubygems_sources + [default_source]
+      @rubygems_sources + [global_rubygems_source]
     end
 
     def rubygems_remotes
@@ -75,7 +88,7 @@ module Bundler
 
     def lock_sources
       lock_sources = (path_sources + git_sources + plugin_sources).sort_by(&:to_s)
-      if Bundler.feature_flag.disable_multisource?
+      if disable_multisource?
         lock_sources + rubygems_sources.sort_by(&:to_s)
       else
         lock_sources << combine_rubygems_sources
@@ -92,9 +105,9 @@ module Bundler
         end
       end
 
-      replacement_rubygems = !Bundler.feature_flag.disable_multisource? &&
+      replacement_rubygems = !disable_multisource? &&
         replacement_sources.detect {|s| s.is_a?(Source::Rubygems) }
-      @rubygems_aggregate = replacement_rubygems if replacement_rubygems
+      @global_rubygems_source = replacement_rubygems if replacement_rubygems
 
       return true if !equal_sources?(lock_sources, replacement_sources) && !equivalent_sources?(lock_sources, replacement_sources)
       return true if replacement_rubygems && rubygems_remotes.sort_by(&:to_s) != replacement_rubygems.remotes.sort_by(&:to_s)
@@ -110,10 +123,6 @@ module Bundler
       all_sources.each(&:remote!)
     end
 
-    def rubygems_primary_remotes
-      @rubygems_aggregate.remotes
-    end
-
     private
 
     def rubygems_aggregate_class
@@ -136,7 +145,9 @@ module Bundler
     end
 
     def combine_rubygems_sources
-      Source::Rubygems.new("remotes" => rubygems_remotes)
+      aggregate_source = Source::Rubygems.new("remotes" => rubygems_remotes)
+      aggregate_source.allow_multisource! unless disable_multisource?
+      aggregate_source
     end
 
     def warn_on_git_protocol(source)

data/lib/bundler/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: false
 
 module Bundler
-  VERSION = "2.2.9".freeze
+  VERSION = "2.2.10".freeze
 
   def self.bundler_major_version
     @bundler_major_version ||= VERSION.split(".").first.to_i

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bundler
 version: !ruby/object:Gem::Version
-  version: 2.2.9
+  version: 2.2.10
 platform: ruby
 authors:
 - André Arko
@@ -22,7 +22,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-02-08 00:00:00.000000000 Z
+date: 2021-02-15 00:00:00.000000000 Z
 dependencies: []
 description: Bundler manages an application's dependencies through its entire life,
   across many machines, systematically and repeatably
@@ -352,7 +352,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 2.5.2
 requirements: []
-rubygems_version: 3.2.9
+rubygems_version: 3.2.10
 signing_key: 
 specification_version: 4
 summary: The best way to manage your application's dependencies