bundler 2.2.9 → 2.2.10


Potentially problematic release.


This version of bundler might be problematic. Click here for more details.

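--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: c062fbdfa8bcfdfde2356db8e25d771f26a63ce52bd1e91d38bfee9fda101fca
- data.tar.gz: 8f2bb42b3a04e2a24facdc2a859e30ab36d21607b75b828fc46f610a8da3b1fd
+ metadata.gz: fb87c09a270f3caca4d4719878b6c807b173016a786dbf5b067b44cf3e61b37d
+ data.tar.gz: 9c31e5c7673789aedd7515d6f54479095da5ecdc0e6fba3b4c2a6f636c21b30f
  SHA512:
- metadata.gz: 6db82f66c50024072fbc6fd5bebcca674790cf62108b6f914a6515e77526af70a71c95546e7286f7dd78919bf2f2ef100a3ef6fb07a0bcc5e94a43211bfbbf10
- data.tar.gz: a6a7a66879e0998817aaba8ee923c4aed56db5f3393fc94d6d607015f8bf2b752b1d07f0ba1b2a42cba066781e1a013fb8642a890388663566a3eb83d55b51b4
+ metadata.gz: 218d6753e8980cfd447332d0c19c1ef0d07ba25b9ee0260cf6290d493063c24ea377d9241d52a145737ee8ac6ee4cd127351b4356076d114778f3a8c8fb5987b
+ data.tar.gz: 858d23190b365f75b923b4f5608bea65206e9aadc842cfaa04190d6d9d452212da5f857f0474f35a474448de246ef3d34a70de8d6d476ad095457148ceeb3bd2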
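--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,18 @@
+ # 2.2.10 (February 15, 2021)
+
+ ## Security fixes:
+
+ - Fix source priority for transitive dependencies and split lockfile rubygems source sections [#3655](https://github.com/rubygems/rubygems/pull/3655)
+
+ ## Bug fixes:
+
+ - Fix adding platforms to lockfile sometimes conflicting on ruby requirements [#4371](https://github.com/rubygems/rubygems/pull/4371)
+ - Fix bundler sometimes choosing ruby variants over java ones [#4367](https://github.com/rubygems/rubygems/pull/4367)
+
+ ## Documentation:
+
+ - Update man pages to reflect to new default for bundle install jobs [#4188](https://github.com/rubygems/rubygems/pull/4188)
+
  # 2.2.9 (February 8, 2021)
 
  ## Enhancements: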
@@ -4,8 +4,8 @@ module Bundler
4
4
  # Represents metadata from when the Bundler gem was built.
5
5
  module BuildMetadata
6
6
  # begin ivars
7
- @built_at = "2021-02-08".freeze
8
- @git_commit_sha = "30e740c073".freeze
7
+ @built_at = "2021-02-15".freeze
8
+ @git_commit_sha = "cc7c333721".freeze
9
9
  @release = true
10
10
  # end ivars
11
11
 
@@ -106,6 +106,19 @@ module Bundler
106
106
  @locked_platforms = []
107
107
  end
108
108
 
109
+ @locked_gem_sources = @locked_sources.select {|s| s.is_a?(Source::Rubygems) }
110
+ @disable_multisource = !Bundler.frozen_bundle? || @locked_gem_sources.none? {|s| s.remotes.size > 1 }
111
+
112
+ unless @disable_multisource
113
+ msg = "Your lockfile contains a single rubygems source section with multiple remotes, which is insecure. " \
114
+ "You should regenerate your lockfile in a non frozen environment."
115
+
116
+ Bundler::SharedHelpers.major_deprecation 2, msg
117
+
118
+ @sources.allow_multisource!
119
+ @locked_gem_sources.each(&:allow_multisource!)
120
+ end
121
+
109
122
  @unlock[:gems] ||= []
110
123
  @unlock[:sources] ||= []
111
124
  @unlock[:ruby] ||= if @ruby_version && locked_ruby_version_object
@@ -145,6 +158,14 @@ module Bundler
145
158
  end
146
159
  end
147
160
 
161
+ def disable_multisource?
162
+ @disable_multisource
163
+ end
164
+
165
+ def allow_multisource!
166
+ @disable_multisource = false
167
+ end
168
+
148
169
  def resolve_with_cache!
149
170
  raise "Specs already loaded" if @specs
150
171
  sources.cached!
@@ -264,7 +285,7 @@ module Bundler
264
285
  # Run a resolve against the locally available gems
265
286
  Bundler.ui.debug("Found changes from the lockfile, re-resolving dependencies because #{change_reason}")
266
287
  expanded_dependencies = expand_dependencies(dependencies + metadata_dependencies, @remote)
267
- Resolver.resolve(expanded_dependencies, index, source_requirements, last_resolve, gem_version_promoter, additional_base_requirements_for_resolve, platforms)
288
+ Resolver.resolve(expanded_dependencies, source_requirements, last_resolve, gem_version_promoter, additional_base_requirements_for_resolve, platforms)
268
289
  end
269
290
  end
270
291
  end
@@ -530,6 +551,9 @@ module Bundler
530
551
  attr_reader :sources
531
552
  private :sources
532
553
 
554
+ attr_reader :locked_gem_sources
555
+ private :locked_gem_sources
556
+
533
557
  def nothing_changed?
534
558
  !@source_changes && !@dependency_changes && !@new_platform && !@path_changes && !@local_changes && !@locked_specs_incomplete_for_platform
535
559
  end
@@ -654,21 +678,20 @@ module Bundler
654
678
  end
655
679
 
656
680
  def converge_rubygems_sources
657
- return false if Bundler.feature_flag.disable_multisource?
681
+ return false if disable_multisource?
658
682
 
659
- changes = false
683
+ return false if locked_gem_sources.empty?
660
684
 
661
- # Get the RubyGems sources from the Gemfile.lock
662
- locked_gem_sources = @locked_sources.select {|s| s.is_a?(Source::Rubygems) }
663
685
  # Get the RubyGems remotes from the Gemfile
664
686
  actual_remotes = sources.rubygems_remotes
687
+ return false if actual_remotes.empty?
688
+
689
+ changes = false
665
690
 
666
691
  # If there is a RubyGems source in both
667
- if !locked_gem_sources.empty? && !actual_remotes.empty?
668
- locked_gem_sources.each do |locked_gem|
669
- # Merge the remotes from the Gemfile into the Gemfile.lock
670
- changes |= locked_gem.replace_remotes(actual_remotes, Bundler.settings[:allow_deployment_source_credential_changes])
671
- end
692
+ locked_gem_sources.each do |locked_gem|
693
+ # Merge the remotes from the Gemfile into the Gemfile.lock
694
+ changes |= locked_gem.replace_remotes(actual_remotes, Bundler.settings[:allow_deployment_source_credential_changes])
672
695
  end
673
696
 
674
697
  changes
@@ -893,30 +916,18 @@ module Bundler
893
916
  # Record the specs available in each gem's source, so that those
894
917
  # specs will be available later when the resolver knows where to
895
918
  # look for that gemspec (or its dependencies)
896
- default = sources.default_source
897
- source_requirements = { :default => default }
898
- default = nil unless Bundler.feature_flag.disable_multisource?
899
- dependencies.each do |dep|
900
- next unless source = dep.source || default
901
- source_requirements[dep.name] = source
902
- end
919
+ source_requirements = { :default => sources.default_source }.merge(dependency_source_requirements)
903
920
  metadata_dependencies.each do |dep|
904
921
  source_requirements[dep.name] = sources.metadata_source
905
922
  end
923
+ source_requirements[:global] = index unless disable_multisource?
906
924
  source_requirements[:default_bundler] = source_requirements["bundler"] || source_requirements[:default]
907
925
  source_requirements["bundler"] = sources.metadata_source # needs to come last to override
908
926
  source_requirements
909
927
  end
910
928
 
911
929
  def pinned_spec_names(skip = nil)
912
- pinned_names = []
913
- default = Bundler.feature_flag.disable_multisource? && sources.default_source
914
- @dependencies.each do |dep|
915
- next unless dep_source = dep.source || default
916
- next if dep_source == skip
917
- pinned_names << dep.name
918
- end
919
- pinned_names
930
+ dependency_source_requirements.reject {|_, source| source == skip }.keys
920
931
  end
921
932
 
922
933
  def requested_groups
@@ -973,5 +984,18 @@ module Bundler
973
984
 
974
985
  Bundler.settings[:allow_deployment_source_credential_changes] && source.equivalent_remotes?(sources.rubygems_remotes)
975
986
  end
987
+
988
+ def dependency_source_requirements
989
+ @dependency_source_requirements ||= begin
990
+ source_requirements = {}
991
+ default = disable_multisource? && sources.default_source
992
+ dependencies.each do |dep|
993
+ dep_source = dep.source || default
994
+ next unless dep_source
995
+ source_requirements[dep.name] = dep_source
996
+ end
997
+ source_requirements
998
+ end
999
+ end
976
1000
  end
977
1001
  end
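Review bot: `allow_multisource!` flips `@disable_multisource` but leaves the memoized `@dependency_source_requirements` in place, so a call that lands after the first `dependency_source_requirements` lookup keeps pinning unpinned dependencies to `sources.default_source` as if the flag were still true. The constructor path also calls `@sources.allow_multisource!` and `@locked_gem_sources.each(&:allow_multisource!)`, which this setter does not, so the definition and its sources can disagree about the mode. I would reset the cache in the setter with `@dependency_source_requirements = nil` and add a comment saying whether the sources are meant to be switched as well. Whether any caller actually reaches the stale state depends on code outside these hunks.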
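--- a/data/lib/bundler/dsl.rb
+++ b/data/lib/bundler/dsl.rb
@@ -24,6 +24,9 @@ module Bundler
  def initialize
  @source = nil
  @sources = SourceList.new
+
+ @global_rubygems_sources = []
+
  @git_sources = {}
  @dependencies = []
  @groups = []
@@ -45,6 +48,7 @@ module Bundler
  @gemfiles << expanded_gemfile_path
  contents ||= Bundler.read_file(@gemfile.to_s)
  instance_eval(contents.dup.tap{|x| x.untaint if RUBY_VERSION < "2.7" }, gemfile.to_s, 1)
+ check_primary_source_safety
  rescue Exception => e # rubocop:disable Lint/RescueException
  message = "There was an error " \
  "#{e.is_a?(GemfileEvalError) ? "evaluating" : "parsing"} " \
@@ -164,8 +168,7 @@ module Bundler
  elsif block_given?
  with_source(@sources.add_rubygems_source("remotes" => source), &blk)
  else
- check_primary_source_safety(@sources)
- @sources.global_rubygems_source = source
+ @global_rubygems_sources << source
  end
  end
 
@@ -183,24 +186,14 @@ module Bundler
  end
 
  def path(path, options = {}, &blk)
- unless block_given?
- msg = "You can no longer specify a path source by itself. Instead, \n" \
- "either use the :path option on a gem, or specify the gems that \n" \
- "bundler should find in the path source by passing a block to \n" \
- "the path method, like: \n\n" \
- " path 'dir/containing/rails' do\n" \
- " gem 'rails'\n" \
- " end\n\n"
-
- raise DeprecatedError, msg if Bundler.feature_flag.disable_multisource?
- SharedHelpers.major_deprecation(2, msg.strip)
- end
-
  source_options = normalize_hash(options).merge(
  "path" => Pathname.new(path),
  "root_path" => gemfile_root,
  "gemspec" => gemspecs.find {|g| g.name == options["name"] }
  )
+
+ source_options["global"] = true unless block_given?
+
  source = @sources.add_path_source(source_options)
  with_source(source, &blk)
  end
@@ -279,6 +272,11 @@ module Bundler
  raise GemfileError, "Undefined local variable or method `#{name}' for Gemfile"
  end
 
+ def check_primary_source_safety
+ check_path_source_safety
+ check_rubygems_source_safety
+ end
+
  private
 
  def add_git_sources
@@ -440,25 +438,40 @@ repo_name ||= user_name
  end
  end
 
- def check_primary_source_safety(source_list)
- return if source_list.rubygems_primary_remotes.empty? && source_list.global_rubygems_source.nil?
+ def check_path_source_safety
+ return if @sources.global_path_source.nil?
+
+ msg = "You can no longer specify a path source by itself. Instead, \n" \
+ "either use the :path option on a gem, or specify the gems that \n" \
+ "bundler should find in the path source by passing a block to \n" \
+ "the path method, like: \n\n" \
+ " path 'dir/containing/rails' do\n" \
+ " gem 'rails'\n" \
+ " end\n\n"
 
- if Bundler.feature_flag.disable_multisource?
+ SharedHelpers.major_deprecation(2, msg.strip)
+ end
+
+ def check_rubygems_source_safety
+ if @global_rubygems_sources.size <= 1
+ @sources.global_rubygems_source = @global_rubygems_sources.first
+ return
+ end
+
+ @global_rubygems_sources.each do |source|
+ @sources.add_rubygems_remote(source)
+ end
+
+ if Bundler.feature_flag.bundler_3_mode?
  msg = "This Gemfile contains multiple primary sources. " \
  "Each source after the first must include a block to indicate which gems " \
  "should come from that source"
- unless Bundler.feature_flag.bundler_2_mode?
- msg += ". To downgrade this error to a warning, run " \
- "`bundle config unset disable_multisource`"
- end
  raise GemfileEvalError, msg
  else
  Bundler::SharedHelpers.major_deprecation 2, "Your Gemfile contains multiple primary sources. " \
  "Using `source` more than once without a block is a security risk, and " \
  "may result in installing unexpected gems. To resolve this warning, use " \
- "a block to indicate which gems should come from the secondary source. " \
- "To upgrade this warning to an error, run `bundle config set --local " \
- "disable_multisource true`."
+ "a block to indicate which gems should come from the secondary source."
  end
  end
 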
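Review bot: `check_rubygems_source_safety` is named as a check, but it is also the only place that moves the collected `@global_rubygems_sources` into `@sources`, so an evaluator that forgets to call `check_primary_source_safety` ends up with no global source registered and no multiple-source warning. The call had to be added by hand at every entry point visible in this diff: `eval_gemfile` here, the inline `gemfile` helper, and the plugin Gemfile hunk, which calls it right after `builder.eval_gemfile(gemfile)` has already run it. A doc comment on the public method would make the contract explicit, e.g. `# Run after the Gemfile has been evaluated: registers the global sources collected by #source and warns or raises on multiple primary sources.` It is also worth confirming that a second run is harmless, since `add_rubygems_remote` is then called again for every source and the deprecation is emitted again; that method is outside these hunks.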
@@ -32,7 +32,6 @@ module Bundler
32
32
  settings_flag(:cache_all) { bundler_3_mode? }
33
33
  settings_flag(:default_install_uses_path) { bundler_3_mode? }
34
34
  settings_flag(:deployment_means_frozen) { bundler_3_mode? }
35
- settings_flag(:disable_multisource) { bundler_3_mode? }
36
35
  settings_flag(:forget_cli_options) { bundler_3_mode? }
37
36
  settings_flag(:global_gem_cache) { bundler_3_mode? }
38
37
  settings_flag(:only_update_to_newer_versions) { bundler_3_mode? }
@@ -50,6 +50,7 @@ def gemfile(install = false, options = {}, &gemfile)
50
50
  Bundler::Plugin.gemfile_install(&gemfile) if Bundler.feature_flag.plugins?
51
51
  builder = Bundler::Dsl.new
52
52
  builder.instance_eval(&gemfile)
53
+ builder.check_primary_source_safety
53
54
 
54
55
  Bundler.settings.temporary(:frozen => false) do
55
56
  definition = builder.to_definition(nil, true)
@@ -64,8 +64,6 @@ module Bundler
64
64
  @state = nil
65
65
  @specs = {}
66
66
 
67
- @rubygems_aggregate = Source::Rubygems.new
68
-
69
67
  if lockfile.match(/<<<<<<<|=======|>>>>>>>|\|\|\|\|\|\|\|/)
70
68
  raise LockfileError, "Your #{Bundler.default_lockfile.relative_path_from(SharedHelpers.pwd)} contains merge conflicts.\n" \
71
69
  "Run `git checkout HEAD -- #{Bundler.default_lockfile.relative_path_from(SharedHelpers.pwd)}` first to get a clean lock."
@@ -89,7 +87,6 @@ module Bundler
89
87
  send("parse_#{@state}", line)
90
88
  end
91
89
  end
92
- @sources << @rubygems_aggregate unless Bundler.feature_flag.disable_multisource?
93
90
  @specs = @specs.values.sort_by(&:identifier)
94
91
  warn_for_outdated_bundler_version
95
92
  rescue ArgumentError => e
@@ -134,16 +131,19 @@ module Bundler
134
131
  @sources << @current_source
135
132
  end
136
133
  when GEM
137
- if Bundler.feature_flag.disable_multisource?
134
+ source_remotes = Array(@opts["remote"])
135
+
136
+ if source_remotes.size == 1
138
137
  @opts["remotes"] = @opts.delete("remote")
139
138
  @current_source = TYPES[@type].from_lock(@opts)
140
- @sources << @current_source
141
139
  else
142
- Array(@opts["remote"]).each do |url|
143
- @rubygems_aggregate.add_remote(url)
140
+ source_remotes.each do |url|
141
+ rubygems_aggregate.add_remote(url)
144
142
  end
145
- @current_source = @rubygems_aggregate
143
+ @current_source = rubygems_aggregate
146
144
  end
145
+
146
+ @sources << @current_source
147
147
  when PLUGIN
148
148
  @current_source = Plugin.source_from_lock(@opts)
149
149
  @sources << @current_source
@@ -245,5 +245,9 @@ module Bundler
245
245
  def parse_ruby(line)
246
246
  @ruby_version = line.strip
247
247
  end
248
+
249
+ def rubygems_aggregate
250
+ @rubygems_aggregate ||= Source::Rubygems.new
251
+ end
248
252
  end
249
253
  end
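Review bot: Moving `@sources << @current_source` below the `if` means the shared `rubygems_aggregate` object is appended once for every GEM section that does not have exactly one remote, where the removed code appended the aggregate a single time after parsing. A lockfile with two such sections would leave the same source in `@sources` twice, and a section with no `remote` line also takes the aggregate branch because only `source_remotes.size == 1` is tested. If duplicates are not intended, guard the append with `@sources << @current_source unless @sources.any? {|s| s.equal?(@current_source) }`, and add a comment on the `else` branch saying it covers both legacy multi-remote and remote-less sections. The enclosing parse method starts outside the hunk.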
@@ -56,9 +56,6 @@ Executing \fBbundle config unset \-\-local <name> <value>\fR will delete the con
56
56
  .P
57
57
  Executing bundle with the \fBBUNDLE_IGNORE_CONFIG\fR environment variable set will cause it to ignore all configuration\.
58
58
  .
59
- .P
60
- Executing \fBbundle config set \-\-local disable_multisource true\fR upgrades the warning about the Gemfile containing multiple primary sources to an error\. Executing \fBbundle config unset disable_multisource\fR downgrades this error to a warning\.
61
- .
62
59
  .SH "REMEMBERING OPTIONS"
63
60
  Flags passed to \fBbundle install\fR or the Bundler runtime, such as \fB\-\-path foo\fR or \fB\-\-without production\fR, are remembered between commands and saved to your local application\'s configuration (normally, \fB\./\.bundle/config\fR)\.
64
61
  .
@@ -184,9 +181,6 @@ The following is a list of all configuration keys and their purpose\. You can le
184
181
  \fBdisable_local_revision_check\fR (\fBBUNDLE_DISABLE_LOCAL_REVISION_CHECK\fR): Allow Bundler to use a local git override without checking if the revision present in the lockfile is present in the repository\.
185
182
  .
186
183
  .IP "\(bu" 4
187
- \fBdisable_multisource\fR (\fBBUNDLE_DISABLE_MULTISOURCE\fR): When set, Gemfiles containing multiple sources will produce errors instead of warnings\. Use \fBbundle config unset disable_multisource\fR to unset\.
188
- .
189
- .IP "\(bu" 4
190
184
  \fBdisable_shared_gems\fR (\fBBUNDLE_DISABLE_SHARED_GEMS\fR): Stop Bundler from accessing gems installed to RubyGems\' normal location\.
191
185
  .
192
186
  .IP "\(bu" 4
@@ -211,10 +205,10 @@ The following is a list of all configuration keys and their purpose\. You can le
211
205
  \fBignore_messages\fR (\fBBUNDLE_IGNORE_MESSAGES\fR): When set, no post install messages will be printed\. To silence a single gem, use dot notation like \fBignore_messages\.httparty true\fR\.
212
206
  .
213
207
  .IP "\(bu" 4
214
- \fBinit_gems_rb\fR (\fBBUNDLE_INIT_GEMS_RB\fR) Generate a \fBgems\.rb\fR instead of a \fBGemfile\fR when running \fBbundle init\fR\.
208
+ \fBinit_gems_rb\fR (\fBBUNDLE_INIT_GEMS_RB\fR): Generate a \fBgems\.rb\fR instead of a \fBGemfile\fR when running \fBbundle init\fR\.
215
209
  .
216
210
  .IP "\(bu" 4
217
- \fBjobs\fR (\fBBUNDLE_JOBS\fR): The number of gems Bundler can install in parallel\. Defaults to 1\.
211
+ \fBjobs\fR (\fBBUNDLE_JOBS\fR): The number of gems Bundler can install in parallel\. Defaults to 1 on Windows, and to the the number of processors on other platforms\.
218
212
  .
219
213
  .IP "\(bu" 4
220
214
  \fBno_install\fR (\fBBUNDLE_NO_INSTALL\fR): Whether \fBbundle package\fR should skip installing gems\.
@@ -241,7 +235,7 @@ The following is a list of all configuration keys and their purpose\. You can le
241
235
  \fBprefer_patch\fR (BUNDLE_PREFER_PATCH): Prefer updating only to next patch version during updates\. Makes \fBbundle update\fR calls equivalent to \fBbundler update \-\-patch\fR\.
242
236
  .
243
237
  .IP "\(bu" 4
244
- \fBprint_only_version_number\fR (\fBBUNDLE_PRINT_ONLY_VERSION_NUMBER\fR) Print only version number from \fBbundler \-\-version\fR\.
238
+ \fBprint_only_version_number\fR (\fBBUNDLE_PRINT_ONLY_VERSION_NUMBER\fR): Print only version number from \fBbundler \-\-version\fR\.
245
239
  .
246
240
  .IP "\(bu" 4
247
241
  \fBredirect\fR (\fBBUNDLE_REDIRECT\fR): The number of redirects allowed for network requests\. Defaults to \fB5\fR\.
@@ -283,7 +277,7 @@ The following is a list of all configuration keys and their purpose\. You can le
283
277
  \fBunlock_source_unlocks_spec\fR (\fBBUNDLE_UNLOCK_SOURCE_UNLOCKS_SPEC\fR): Whether running \fBbundle update \-\-source NAME\fR unlocks a gem with the given name\. Defaults to \fBtrue\fR\.
284
278
  .
285
279
  .IP "\(bu" 4
286
- \fBupdate_requires_all_flag\fR (\fBBUNDLE_UPDATE_REQUIRES_ALL_FLAG\fR) Require passing \fB\-\-all\fR to \fBbundle update\fR when everything should be updated, and disallow passing no options to \fBbundle update\fR\.
280
+ \fBupdate_requires_all_flag\fR (\fBBUNDLE_UPDATE_REQUIRES_ALL_FLAG\fR): Require passing \fB\-\-all\fR to \fBbundle update\fR when everything should be updated, and disallow passing no options to \fBbundle update\fR\.
287
281
  .
288
282
  .IP "\(bu" 4
289
283
  \fBuser_agent\fR (\fBBUNDLE_USER_AGENT\fR): The custom user agent fragment Bundler includes in API requests\.
@@ -47,10 +47,6 @@ configuration only from the local application.
47
47
  Executing bundle with the `BUNDLE_IGNORE_CONFIG` environment variable set will
48
48
  cause it to ignore all configuration.
49
49
 
50
- Executing `bundle config set --local disable_multisource true` upgrades the warning about
51
- the Gemfile containing multiple primary sources to an error. Executing `bundle
52
- config unset disable_multisource` downgrades this error to a warning.
53
-
54
50
  ## REMEMBERING OPTIONS
55
51
 
56
52
  Flags passed to `bundle install` or the Bundler runtime, such as `--path foo` or
@@ -178,10 +174,6 @@ learn more about their operation in [bundle install(1)](bundle-install.1.html).
178
174
  * `disable_local_revision_check` (`BUNDLE_DISABLE_LOCAL_REVISION_CHECK`):
179
175
  Allow Bundler to use a local git override without checking if the revision
180
176
  present in the lockfile is present in the repository.
181
- * `disable_multisource` (`BUNDLE_DISABLE_MULTISOURCE`):
182
- When set, Gemfiles containing multiple sources will produce errors
183
- instead of warnings.
184
- Use `bundle config unset disable_multisource` to unset.
185
177
  * `disable_shared_gems` (`BUNDLE_DISABLE_SHARED_GEMS`):
186
178
  Stop Bundler from accessing gems installed to RubyGems' normal location.
187
179
  * `disable_version_check` (`BUNDLE_DISABLE_VERSION_CHECK`):
@@ -206,13 +198,14 @@ learn more about their operation in [bundle install(1)](bundle-install.1.html).
206
198
  * `global_gem_cache` (`BUNDLE_GLOBAL_GEM_CACHE`):
207
199
  Whether Bundler should cache all gems globally, rather than locally to the
208
200
  installing Ruby installation.
209
- * `ignore_messages` (`BUNDLE_IGNORE_MESSAGES`): When set, no post install
210
- messages will be printed. To silence a single gem, use dot notation like
211
- `ignore_messages.httparty true`.
212
- * `init_gems_rb` (`BUNDLE_INIT_GEMS_RB`)
201
+ * `ignore_messages` (`BUNDLE_IGNORE_MESSAGES`):
202
+ When set, no post install messages will be printed. To silence a single gem,
203
+ use dot notation like `ignore_messages.httparty true`.
204
+ * `init_gems_rb` (`BUNDLE_INIT_GEMS_RB`):
213
205
  Generate a `gems.rb` instead of a `Gemfile` when running `bundle init`.
214
206
  * `jobs` (`BUNDLE_JOBS`):
215
- The number of gems Bundler can install in parallel. Defaults to 1.
207
+ The number of gems Bundler can install in parallel. Defaults to 1 on Windows,
208
+ and to the the number of processors on other platforms.
216
209
  * `no_install` (`BUNDLE_NO_INSTALL`):
217
210
  Whether `bundle package` should skip installing gems.
218
211
  * `no_prune` (`BUNDLE_NO_PRUNE`):
@@ -233,7 +226,7 @@ learn more about their operation in [bundle install(1)](bundle-install.1.html).
233
226
  Enable Bundler's experimental plugin system.
234
227
  * `prefer_patch` (BUNDLE_PREFER_PATCH):
235
228
  Prefer updating only to next patch version during updates. Makes `bundle update` calls equivalent to `bundler update --patch`.
236
- * `print_only_version_number` (`BUNDLE_PRINT_ONLY_VERSION_NUMBER`)
229
+ * `print_only_version_number` (`BUNDLE_PRINT_ONLY_VERSION_NUMBER`):
237
230
  Print only version number from `bundler --version`.
238
231
  * `redirect` (`BUNDLE_REDIRECT`):
239
232
  The number of redirects allowed for network requests. Defaults to `5`.
@@ -269,7 +262,7 @@ learn more about their operation in [bundle install(1)](bundle-install.1.html).
269
262
  * `unlock_source_unlocks_spec` (`BUNDLE_UNLOCK_SOURCE_UNLOCKS_SPEC`):
270
263
  Whether running `bundle update --source NAME` unlocks a gem with the given
271
264
  name. Defaults to `true`.
272
- * `update_requires_all_flag` (`BUNDLE_UPDATE_REQUIRES_ALL_FLAG`)
265
+ * `update_requires_all_flag` (`BUNDLE_UPDATE_REQUIRES_ALL_FLAG`):
273
266
  Require passing `--all` to `bundle update` when everything should be updated,
274
267
  and disallow passing no options to `bundle update`.
275
268
  * `user_agent` (`BUNDLE_USER_AGENT`):
@@ -105,6 +105,7 @@ module Bundler
105
105
  else
106
106
  builder.eval_gemfile(gemfile)
107
107
  end
108
+ builder.check_primary_source_safety
108
109
  definition = builder.to_definition(nil, true)
109
110
 
110
111
  return if definition.dependencies.empty?
@@ -16,15 +16,13 @@ module Bundler
16
16
 
17
17
  version = options[:version] || [">= 0"]
18
18
 
19
- Bundler.settings.temporary(:disable_multisource => false) do
20
- if options[:git]
21
- install_git(names, version, options)
22
- elsif options[:local_git]
23
- install_local_git(names, version, options)
24
- else
25
- sources = options[:source] || Bundler.rubygems.sources
26
- install_rubygems(names, version, sources)
27
- end
19
+ if options[:git]
20
+ install_git(names, version, options)
21
+ elsif options[:local_git]
22
+ install_local_git(names, version, options)
23
+ else
24
+ sources = options[:source] || Bundler.rubygems.sources
25
+ install_rubygems(names, version, sources)
28
26
  end
29
27
  end
30
28
 
@@ -84,6 +82,7 @@ module Bundler
84
82
  deps = names.map {|name| Dependency.new name, version }
85
83
 
86
84
  definition = Definition.new(nil, deps, source_list, true)
85
+ definition.allow_multisource!
87
86
  install_definition(definition)
88
87
  end
89
88
 
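Review bot: `definition.allow_multisource!` opts every rubygems-based plugin install back into the aggregate lookup that the rest of this release restricts, and nothing at the call site says why. The removed `Bundler.settings.temporary(:disable_multisource => false)` wrapper at least made the scope visible as a block, whereas this is a single line that is easy to read past. A comment would help, e.g. `# Plugin sources (options[:source] or Bundler.rubygems.sources) are searched as one aggregate; a plugin name is not pinned to a single source here.` The method containing this line starts outside the hunk, so how `source_list` is built is not visible.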
@@ -17,15 +17,14 @@ module Bundler
17
17
  # ==== Returns
18
18
  # <GemBundle>,nil:: If the list of dependencies can be resolved, a
19
19
  # collection of gemspecs is returned. Otherwise, nil is returned.
20
- def self.resolve(requirements, index, source_requirements = {}, base = [], gem_version_promoter = GemVersionPromoter.new, additional_base_requirements = [], platforms = nil)
20
+ def self.resolve(requirements, source_requirements = {}, base = [], gem_version_promoter = GemVersionPromoter.new, additional_base_requirements = [], platforms = nil)
21
21
  base = SpecSet.new(base) unless base.is_a?(SpecSet)
22
- resolver = new(index, source_requirements, base, gem_version_promoter, additional_base_requirements, platforms)
22
+ resolver = new(source_requirements, base, gem_version_promoter, additional_base_requirements, platforms)
23
23
  result = resolver.start(requirements)
24
24
  SpecSet.new(result)
25
25
  end
26
26
 
27
- def initialize(index, source_requirements, base, gem_version_promoter, additional_base_requirements, platforms)
28
- @index = index
27
+ def initialize(source_requirements, base, gem_version_promoter, additional_base_requirements, platforms)
29
28
  @source_requirements = source_requirements
30
29
  @base = base
31
30
  @resolver = Molinillo::Resolver.new(self, self)
@@ -36,14 +35,14 @@ module Bundler
36
35
  @base_dg.add_vertex(ls.name, DepProxy.get_proxy(dep, ls.platform), true)
37
36
  end
38
37
  additional_base_requirements.each {|d| @base_dg.add_vertex(d.name, d) }
39
- @platforms = platforms
38
+ @platforms = platforms.reject {|p| p != Gem::Platform::RUBY && (platforms - [p]).any? {|pl| generic(pl) == p } }
40
39
  @resolving_only_for_ruby = platforms == [Gem::Platform::RUBY]
41
40
  @gem_version_promoter = gem_version_promoter
42
41
  @use_gvp = Bundler.feature_flag.use_gem_version_promoter_for_major_updates? || !@gem_version_promoter.major?
43
- @lockfile_uses_separate_rubygems_sources = Bundler.feature_flag.disable_multisource?
42
+ @no_aggregate_global_source = @source_requirements[:global].nil?
44
43
 
45
44
  @variant_specific_names = []
46
- @generic_names = []
45
+ @generic_names = ["Ruby\0", "RubyGems\0"]
47
46
  end
48
47
 
49
48
  def start(requirements)
@@ -125,8 +124,7 @@ module Bundler
125
124
  dependency = dependency_proxy.dep
126
125
  name = dependency.name
127
126
  search_result = @search_for[dependency_proxy] ||= begin
128
- index = index_for(dependency)
129
- results = index.search(dependency, @base[name])
127
+ results = results_for(dependency, @base[name])
130
128
 
131
129
  if vertex = @base_dg.vertex_named(name)
132
130
  locked_requirement = vertex.payload.requirement
@@ -195,23 +193,26 @@ module Bundler
195
193
  search_result
196
194
  end
197
195
 
198
- def index_for(dependency)
196
+ def index_for(dependency, base)
199
197
  source = @source_requirements[dependency.name]
200
198
  if source
201
199
  source.specs
202
- elsif @lockfile_uses_separate_rubygems_sources
203
- Index.build do |idx|
204
- if dependency.all_sources
205
- dependency.all_sources.each {|s| idx.add_source(s.specs) if s }
206
- else
207
- idx.add_source @source_requirements[:default].specs
208
- end
200
+ elsif @no_aggregate_global_source
201
+ dependency.all_sources.find(-> { Index.new }) do |s|
202
+ idx = s.specs
203
+ results = idx.search(dependency, base)
204
+ next if results.empty? || results == base
205
+ return idx
209
206
  end
210
207
  else
211
- @index
208
+ @source_requirements[:global]
212
209
  end
213
210
  end
214
211
 
212
+ def results_for(dependency, base)
213
+ index_for(dependency, base).search(dependency, base)
214
+ end
215
+
215
216
  def name_for(dependency)
216
217
  dependency.name
217
218
  end
@@ -238,11 +239,13 @@ module Bundler
238
239
 
239
240
  def relevant_sources_for_vertex(vertex)
240
241
  if vertex.root?
241
- [@source_requirements[vertex.name]]
242
- elsif @lockfile_uses_separate_rubygems_sources
242
+ [@source_requirements[vertex.name]].compact
243
+ elsif @no_aggregate_global_source
243
244
  vertex.recursive_predecessors.map do |v|
244
245
  @source_requirements[v.name]
245
- end << @source_requirements[:default]
246
+ end.compact << @source_requirements[:default]
247
+ else
248
+ []
246
249
  end
247
250
  end
248
251
 
@@ -283,7 +286,7 @@ module Bundler
283
286
  if (base = @base[dependency.name]) && !base.empty?
284
287
  dependency.requirement.satisfied_by?(base.first.version) ? 0 : 1
285
288
  else
286
- all = index_for(dependency).search(dependency.name).size
289
+ all = index_for(dependency, base).search(dependency.name).size
287
290
 
288
291
  if all <= 1
289
292
  all - 1_000_000
@@ -326,7 +329,7 @@ module Bundler
326
329
  "The source does not contain any versions of '#{name}'"
327
330
  end
328
331
  else
329
- message = "Could not find gem '#{requirement}' in any of the gem sources " \
332
+ message = "Could not find gem '#{SharedHelpers.pretty_dependency(requirement)}' in any of the gem sources " \
330
333
  "listed in your Gemfile#{cache_message}."
331
334
  end
332
335
  raise GemNotFound, message
@@ -411,14 +414,8 @@ module Bundler
411
414
 
412
415
  relevant_sources = if conflict.requirement.source
413
416
  [conflict.requirement.source]
414
- elsif conflict.requirement.all_sources
415
- conflict.requirement.all_sources
416
- elsif @lockfile_uses_separate_rubygems_sources
417
- # every conflict should have an explicit group of sources when we
418
- # enforce strict pinning
419
- raise "no source set for #{conflict}"
420
417
  else
421
- []
418
+ conflict.requirement.all_sources
422
419
  end.compact.map(&:to_s).uniq.sort
423
420
 
424
421
  metadata_requirement = name.end_with?("\0")
@@ -455,7 +452,8 @@ module Bundler
455
452
  def validate_resolved_specs!(resolved_specs)
456
453
  resolved_specs.each do |v|
457
454
  name = v.name
458
- next unless sources = relevant_sources_for_vertex(v)
455
+ sources = relevant_sources_for_vertex(v)
456
+ next unless sources.any?
459
457
  sources.compact!
460
458
  if default_index = sources.index(@source_requirements[:default])
461
459
  sources.delete_at(default_index)
@@ -464,14 +462,12 @@ module Bundler
464
462
  sources.uniq!
465
463
  next if sources.size <= 1
466
464
 
467
- multisource_disabled = Bundler.feature_flag.disable_multisource?
468
-
469
465
  msg = ["The gem '#{name}' was found in multiple relevant sources."]
470
466
  msg.concat sources.map {|s| " * #{s}" }.sort
471
- msg << "You #{multisource_disabled ? :must : :should} add this gem to the source block for the source you wish it to be installed from."
467
+ msg << "You #{@no_aggregate_global_source ? :must : :should} add this gem to the source block for the source you wish it to be installed from."
472
468
  msg = msg.join("\n")
473
469
 
474
- raise SecurityError, msg if multisource_disabled
470
+ raise SecurityError, msg if @no_aggregate_global_source
475
471
  Bundler.ui.warn "Warning: #{msg}"
476
472
  end
477
473
  end
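Review bot: The rewritten `index_for` dropped both nil guards of the code it replaces: the removed branch tested `if dependency.all_sources` and added each source only `if s`, while the new `dependency.all_sources.find(-> { Index.new }) do |s|` calls `s.specs` unconditionally. If `all_sources` can still be nil or hold nil entries (its definition is not in this diff), resolution now fails with a NoMethodError; `Array(dependency.all_sources).compact.find(-> { Index.new }) do |s|` would at least avoid the crash. The same pattern appears in `initialize`, where `platforms.reject` runs on an argument that `self.resolve` still defaults to `nil`. Because the first source whose search is non-empty now decides where a transitive dependency is taken from, a short comment stating that ordering rule in `index_for` would also help readers.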
@@ -20,7 +20,6 @@ module Bundler
20
20
  disable_exec_load
21
21
  disable_local_branch_check
22
22
  disable_local_revision_check
23
- disable_multisource
24
23
  disable_shared_gems
25
24
  disable_version_check
26
25
  force_ruby_platform
@@ -21,6 +21,7 @@ module Bundler
21
21
  @allow_remote = false
22
22
  @allow_cached = false
23
23
  @caches = [cache_path, *Bundler.rubygems.gem_cache]
24
+ @disable_multisource = true
24
25
 
25
26
  Array(options["remotes"] || []).reverse_each {|r| add_remote(r) }
26
27
  end
@@ -49,8 +50,16 @@ module Bundler
49
50
  o.is_a?(Rubygems) && (o.credless_remotes - credless_remotes).empty?
50
51
  end
51
52
 
53
+ def disable_multisource?
54
+ @disable_multisource
55
+ end
56
+
57
+ def allow_multisource!
58
+ @disable_multisource = false
59
+ end
60
+
52
61
  def can_lock?(spec)
53
- return super if Bundler.feature_flag.disable_multisource?
62
+ return super if disable_multisource?
54
63
  spec.source.is_a?(Rubygems)
55
64
  end
56
65
 
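Review bot: `allow_multisource!` is added as a public, one-way switch with no comment, yet it is what relaxes `can_lock?` from `super` to accepting any spec whose source is a `Rubygems` source. I would document the secure default next to the flag, for example `# Strict source pinning is on by default; only allow_multisource! turns it off, and nothing turns it back on.` above `@disable_multisource = true`, and state on `allow_multisource!` which caller is expected to invoke it. The comparison in the context line just above `disable_multisource?` looks only at `credless_remotes`, so two sources with the same remotes but different flag values would presumably be treated as interchangeable. Its enclosing method starts outside the hunk, so that needs confirming.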
@@ -5,24 +5,41 @@ module Bundler
5
5
  attr_reader :path_sources,
6
6
  :git_sources,
7
7
  :plugin_sources,
8
- :global_rubygems_source,
9
- :metadata_source
8
+ :global_path_source,
9
+ :metadata_source,
10
+ :disable_multisource
11
+
12
+ def global_rubygems_source
13
+ @global_rubygems_source ||= rubygems_aggregate_class.new
14
+ end
10
15
 
11
16
  def initialize
12
17
  @path_sources = []
13
18
  @git_sources = []
14
19
  @plugin_sources = []
15
20
  @global_rubygems_source = nil
16
- @rubygems_aggregate = rubygems_aggregate_class.new
21
+ @global_path_source = nil
17
22
  @rubygems_sources = []
18
23
  @metadata_source = Source::Metadata.new
24
+ @disable_multisource = true
25
+ end
26
+
27
+ def disable_multisource?
28
+ @disable_multisource
29
+ end
30
+
31
+ def allow_multisource!
32
+ rubygems_sources.map(&:allow_multisource!)
33
+ @disable_multisource = false
19
34
  end
20
35
 
21
36
  def add_path_source(options = {})
22
37
  if options["gemspec"]
23
38
  add_source_to_list Source::Gemspec.new(options), path_sources
24
39
  else
25
- add_source_to_list Source::Path.new(options), path_sources
40
+ path_source = add_source_to_list Source::Path.new(options), path_sources
41
+ @global_path_source ||= path_source if options["global"]
42
+ path_source
26
43
  end
27
44
  end
28
45
 
@@ -41,24 +58,20 @@ module Bundler
41
58
  end
42
59
 
43
60
  def global_rubygems_source=(uri)
44
- if Bundler.feature_flag.disable_multisource?
45
- @global_rubygems_source ||= rubygems_aggregate_class.new("remotes" => uri)
46
- end
47
- add_rubygems_remote(uri)
61
+ @global_rubygems_source ||= rubygems_aggregate_class.new("remotes" => uri)
48
62
  end
49
63
 
50
64
  def add_rubygems_remote(uri)
51
- return if Bundler.feature_flag.disable_multisource?
52
- @rubygems_aggregate.add_remote(uri)
53
- @rubygems_aggregate
65
+ global_rubygems_source.add_remote(uri)
66
+ global_rubygems_source
54
67
  end
55
68
 
56
69
  def default_source
57
- global_rubygems_source || @rubygems_aggregate
70
+ global_path_source || global_rubygems_source
58
71
  end
59
72
 
60
73
  def rubygems_sources
61
- @rubygems_sources + [default_source]
74
+ @rubygems_sources + [global_rubygems_source]
62
75
  end
63
76
 
64
77
  def rubygems_remotes
@@ -75,7 +88,7 @@ module Bundler
75
88
 
76
89
  def lock_sources
77
90
  lock_sources = (path_sources + git_sources + plugin_sources).sort_by(&:to_s)
78
- if Bundler.feature_flag.disable_multisource?
91
+ if disable_multisource?
79
92
  lock_sources + rubygems_sources.sort_by(&:to_s)
80
93
  else
81
94
  lock_sources << combine_rubygems_sources
@@ -92,9 +105,9 @@ module Bundler
92
105
  end
93
106
  end
94
107
 
95
- replacement_rubygems = !Bundler.feature_flag.disable_multisource? &&
108
+ replacement_rubygems = !disable_multisource? &&
96
109
  replacement_sources.detect {|s| s.is_a?(Source::Rubygems) }
97
- @rubygems_aggregate = replacement_rubygems if replacement_rubygems
110
+ @global_rubygems_source = replacement_rubygems if replacement_rubygems
98
111
 
99
112
  return true if !equal_sources?(lock_sources, replacement_sources) && !equivalent_sources?(lock_sources, replacement_sources)
100
113
  return true if replacement_rubygems && rubygems_remotes.sort_by(&:to_s) != replacement_rubygems.remotes.sort_by(&:to_s)
@@ -110,10 +123,6 @@ module Bundler
110
123
  all_sources.each(&:remote!)
111
124
  end
112
125
 
113
- def rubygems_primary_remotes
114
- @rubygems_aggregate.remotes
115
- end
116
-
117
126
  private
118
127
 
119
128
  def rubygems_aggregate_class
@@ -136,7 +145,9 @@ module Bundler
136
145
  end
137
146
 
138
147
  def combine_rubygems_sources
139
- Source::Rubygems.new("remotes" => rubygems_remotes)
148
+ aggregate_source = Source::Rubygems.new("remotes" => rubygems_remotes)
149
+ aggregate_source.allow_multisource! unless disable_multisource?
150
+ aggregate_source
140
151
  end
141
152
 
142
153
  def warn_on_git_protocol(source)
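Review bot: `global_rubygems_source=` now silently drops `uri` whenever `@global_rubygems_source` is already set, and the new lazy reader `global_rubygems_source` sets it to an aggregate built without remotes on first use. Since `default_source`, `rubygems_sources` and `add_rubygems_remote` all go through that reader, any call to one of them before the writer leaves the global source without the given URI; the removed code always ended with `add_rubygems_remote(uri)`, so the URI could not be lost. Whether that ordering occurs depends on callers outside this section, so at minimum the first-assignment-wins behaviour should be documented on the writer, for example `# First assignment wins: ignored if the reader already built the source.` Separately, `allow_multisource!` calls `rubygems_sources.map(&:allow_multisource!)` only for its side effect, where `each` would say so, and it flips only the sources present at call time.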
@@ -1,7 +1,7 @@
1
1
  # frozen_string_literal: false
2
2
 
3
3
  module Bundler
4
- VERSION = "2.2.9".freeze
4
+ VERSION = "2.2.10".freeze
5
5
 
6
6
  def self.bundler_major_version
7
7
  @bundler_major_version ||= VERSION.split(".").first.to_i
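--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: bundler
  version: !ruby/object:Gem::Version
- version: 2.2.9
+ version: 2.2.10
  platform: ruby
  authors:
  - André Arko
@@ -22,7 +22,7 @@ authors:
  autorequire:
  bindir: exe
  cert_chain: []
- date: 2021-02-08 00:00:00.000000000 Z
+ date: 2021-02-15 00:00:00.000000000 Z
  dependencies: []
  description: Bundler manages an application's dependencies through its entire life,
  across many machines, systematically and repeatably
@@ -352,7 +352,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: 2.5.2
  requirements: []
- rubygems_version: 3.2.9
+ rubygems_version: 3.2.10
  signing_key:
  specification_version: 4
  summary: The best way to manage your application's dependencies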