bundler 2.2.13 → 2.2.14
- checksums.yaml +4 -4
- data/CHANGELOG.md +11 -0
- data/lib/bundler/build_metadata.rb +2 -2
- data/lib/bundler/compact_index_client/updater.rb +1 -1
- data/lib/bundler/definition.rb +19 -3
- data/lib/bundler/dsl.rb +3 -6
- data/lib/bundler/installer/parallel_installer.rb +6 -8
- data/lib/bundler/lockfile_parser.rb +2 -16
- data/lib/bundler/plugin/api/source.rb +7 -0
- data/lib/bundler/source.rb +6 -0
- data/lib/bundler/source/metadata.rb +0 -4
- data/lib/bundler/source/rubygems.rb +20 -4
- data/lib/bundler/source_list.rb +14 -4
- data/lib/bundler/spec_set.rb +2 -0
- data/lib/bundler/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 31f2f45fcc46844af7ae85151dd04e9ddd20b8daaee6999b735813bc632b5e28
|
4
|
+
data.tar.gz: 9fe8d309077af1c3d82794d8e020037b788995038c90674885ccb61ff595d4da
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 55a040289f2f69a734b222d30fdd716e1789c8a2d18519dd225d16fa4e418748cab1f850888b290f92305fc8e07b02e30a8816ed756d0877ef7f286e6ec2393b
|
7
|
+
data.tar.gz: c810e53e037eec801da65b145ff9ef34d556df32b128086c5f6242b228dc9a6df3595d23aae8f1513a410e54666adc23be8d152a3790346fa4ca97feb51c394b
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,14 @@
|
|
1
|
+
# 2.2.14 (March 8, 2021)
|
2
|
+
|
3
|
+
## Security fixes:
|
4
|
+
|
5
|
+
- Lock GEM sources separately and fix locally installed specs confusing bundler [#4381](https://github.com/rubygems/rubygems/pull/4381)
|
6
|
+
|
7
|
+
## Bug fixes:
|
8
|
+
|
9
|
+
- Make `rake` available to other gems' installers right after it's installed [#4428](https://github.com/rubygems/rubygems/pull/4428)
|
10
|
+
- Fix encoding issue on compact index updater [#4362](https://github.com/rubygems/rubygems/pull/4362)
|
11
|
+
|
1
12
|
# 2.2.13 (March 3, 2021)
|
2
13
|
|
3
14
|
## Enhancements:
|
@@ -4,8 +4,8 @@ module Bundler
|
|
4
4
|
# Represents metadata from when the Bundler gem was built.
|
5
5
|
module BuildMetadata
|
6
6
|
# begin ivars
|
7
|
-
@built_at = "2021-03-
|
8
|
-
@git_commit_sha = "
|
7
|
+
@built_at = "2021-03-08".freeze
|
8
|
+
@git_commit_sha = "3a169d80c1".freeze
|
9
9
|
@release = true
|
10
10
|
# end ivars
|
11
11
|
|
@@ -54,7 +54,7 @@ module Bundler
|
|
54
54
|
if response.is_a?(Net::HTTPPartialContent) && local_temp_path.size.nonzero?
|
55
55
|
local_temp_path.open("a") {|f| f << slice_body(content, 1..-1) }
|
56
56
|
else
|
57
|
-
local_temp_path.open("
|
57
|
+
local_temp_path.open("wb") {|f| f << content }
|
58
58
|
end
|
59
59
|
end
|
60
60
|
|
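Review bot: The append branch at line 55 of the hunk still opens `local_temp_path` with `"a"` while the full-write branch now uses `"wb"`, so a partial-content response is still written through a text-mode handle with the default external encoding and newline handling, which is the class of problem the `"wb"` change addresses. Unless the body returned for a ranged request is guaranteed to be in a compatible encoding, the append should be opened the same way: `local_temp_path.open("ab") {|f| f << slice_body(content, 1..-1) }`. The enclosing method starts and ends outside the hunk.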
data/lib/bundler/definition.rb
CHANGED
@@ -106,6 +106,17 @@ module Bundler
|
|
106
106
|
@locked_platforms = []
|
107
107
|
end
|
108
108
|
|
109
|
+
@locked_gem_sources = @locked_sources.select {|s| s.is_a?(Source::Rubygems) }
|
110
|
+
@disable_multisource = @locked_gem_sources.all?(&:disable_multisource?)
|
111
|
+
|
112
|
+
unless @disable_multisource
|
113
|
+
msg = "Your lockfile contains a single rubygems source section with multiple remotes, which is insecure. You should run `bundle update` or generate your lockfile from scratch."
|
114
|
+
|
115
|
+
Bundler::SharedHelpers.major_deprecation 2, msg
|
116
|
+
|
117
|
+
@sources.merged_gem_lockfile_sections!
|
118
|
+
end
|
119
|
+
|
109
120
|
@unlock[:gems] ||= []
|
110
121
|
@unlock[:sources] ||= []
|
111
122
|
@unlock[:ruby] ||= if @ruby_version && locked_ruby_version_object
|
@@ -145,6 +156,10 @@ module Bundler
|
|
145
156
|
end
|
146
157
|
end
|
147
158
|
|
159
|
+
def disable_multisource?
|
160
|
+
@disable_multisource
|
161
|
+
end
|
162
|
+
|
148
163
|
def resolve_with_cache!
|
149
164
|
raise "Specs already loaded" if @specs
|
150
165
|
sources.cached!
|
@@ -530,6 +545,9 @@ module Bundler
|
|
530
545
|
attr_reader :sources
|
531
546
|
private :sources
|
532
547
|
|
548
|
+
attr_reader :locked_gem_sources
|
549
|
+
private :locked_gem_sources
|
550
|
+
|
533
551
|
def nothing_changed?
|
534
552
|
!@source_changes && !@dependency_changes && !@new_platform && !@path_changes && !@local_changes && !@locked_specs_incomplete_for_platform
|
535
553
|
end
|
@@ -654,10 +672,8 @@ module Bundler
|
|
654
672
|
end
|
655
673
|
|
656
674
|
def converge_rubygems_sources
|
657
|
-
return false if
|
675
|
+
return false if disable_multisource?
|
658
676
|
|
659
|
-
# Get the RubyGems sources from the Gemfile.lock
|
660
|
-
locked_gem_sources = @locked_sources.select {|s| s.is_a?(Source::Rubygems) }
|
661
677
|
return false if locked_gem_sources.empty?
|
662
678
|
|
663
679
|
# Get the RubyGems remotes from the Gemfile
|
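Review bot: In the first hunk (`initialize`, which starts and ends outside the hunk) a lockfile whose GEM section carries several remotes only produces a `major_deprecation` before `@sources.merged_gem_lockfile_sections!` re-enables the combined resolution, while the equivalent Gemfile condition in dsl.rb of this same release raises `GemfileEvalError` under `Bundler.feature_flag.bundler_3_mode?`. For consistency the lockfile path could raise in 3 mode as well, given that the message itself calls the merged section insecure. Separately, `disable_multisource?` added in the second hunk reads like the user setting of the same name, but it is derived from `@locked_gem_sources.all?(&:disable_multisource?)`, i.e. from how many remotes each locked rubygems source has; a comment such as `# true unless the lockfile has a rubygems section with more than one remote` would prevent that confusion.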
data/lib/bundler/dsl.rb
CHANGED
@@ -460,19 +460,16 @@ repo_name ||= user_name
|
|
460
460
|
@sources.add_rubygems_remote(source)
|
461
461
|
end
|
462
462
|
|
463
|
-
if Bundler.feature_flag.
|
463
|
+
if Bundler.feature_flag.bundler_3_mode?
|
464
464
|
msg = "This Gemfile contains multiple primary sources. " \
|
465
465
|
"Each source after the first must include a block to indicate which gems " \
|
466
|
-
"should come from that source
|
467
|
-
"`bundle config unset disable_multisource`"
|
466
|
+
"should come from that source"
|
468
467
|
raise GemfileEvalError, msg
|
469
468
|
else
|
470
469
|
Bundler::SharedHelpers.major_deprecation 2, "Your Gemfile contains multiple primary sources. " \
|
471
470
|
"Using `source` more than once without a block is a security risk, and " \
|
472
471
|
"may result in installing unexpected gems. To resolve this warning, use " \
|
473
|
-
"a block to indicate which gems should come from the secondary source.
|
474
|
-
"To upgrade this warning to an error, run `bundle config set --local " \
|
475
|
-
"disable_multisource true`."
|
472
|
+
"a block to indicate which gems should come from the secondary source."
|
476
473
|
end
|
477
474
|
end
|
478
475
|
|
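Review bot: The error text at lines 464-466 of the hunk and the deprecation text at lines 469-472 now overlap almost entirely, and the removed hints about the `disable_multisource` setting were the only part that made them differ; building one message and choosing between `raise GemfileEvalError, msg` and `Bundler::SharedHelpers.major_deprecation 2, msg` based on `Bundler.feature_flag.bundler_3_mode?` would keep the warning and the error from drifting apart. With the config hint gone, the deprecation no longer tells users how to turn the warning into an error, so the message could at least say that the check becomes an error in Bundler 3 mode. The enclosing method starts and ends outside the hunk.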
@@ -27,13 +27,8 @@ module Bundler
|
|
27
27
|
state == :failed
|
28
28
|
end
|
29
29
|
|
30
|
-
def installation_attempted?
|
31
|
-
installed? || failed?
|
32
|
-
end
|
33
|
-
|
34
|
-
# Only true when spec in neither installed nor already enqueued
|
35
30
|
def ready_to_enqueue?
|
36
|
-
|
31
|
+
state == :none
|
37
32
|
end
|
38
33
|
|
39
34
|
def has_post_install_message?
|
@@ -93,6 +88,11 @@ module Bundler
|
|
93
88
|
def call
|
94
89
|
check_for_corrupt_lockfile
|
95
90
|
|
91
|
+
if @rake
|
92
|
+
do_install(@rake, 0)
|
93
|
+
Gem::Specification.reset
|
94
|
+
end
|
95
|
+
|
96
96
|
if @size > 1
|
97
97
|
install_with_worker
|
98
98
|
else
|
@@ -217,8 +217,6 @@ module Bundler
|
|
217
217
|
# are installed.
|
218
218
|
def enqueue_specs
|
219
219
|
@specs.select(&:ready_to_enqueue?).each do |spec|
|
220
|
-
next if @rake && !@rake.installed? && spec.name != @rake.name
|
221
|
-
|
222
220
|
if spec.dependencies_installed? @specs
|
223
221
|
spec.state = :enqueued
|
224
222
|
worker_pool.enq spec
|
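Review bot: In the `call` hunk, `do_install(@rake, 0)` runs before the worker pool starts but its outcome is never checked; if `do_install` records a failure as `state == :failed` (as the `failed?` predicate in the first hunk suggests), `Gem::Specification.reset` still runs and every gem whose extension needs rake goes on to fail individually later. A guard such as `return if @rake.failed?` before the reset, or whatever `call` does for other failed specs (that handling lives outside the hunk), would surface the root cause once. The literal `0` is presumably a worker index used for output; a short comment naming it would help, e.g. `# install rake serially (worker 0) so later extension builds can use it`. `call` starts and ends outside the hunk.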
@@ -131,18 +131,8 @@ module Bundler
|
|
131
131
|
@sources << @current_source
|
132
132
|
end
|
133
133
|
when GEM
|
134
|
-
|
135
|
-
|
136
|
-
if source_remotes.size == 1
|
137
|
-
@opts["remotes"] = @opts.delete("remote")
|
138
|
-
@current_source = TYPES[@type].from_lock(@opts)
|
139
|
-
else
|
140
|
-
source_remotes.each do |url|
|
141
|
-
rubygems_aggregate.add_remote(url)
|
142
|
-
end
|
143
|
-
@current_source = rubygems_aggregate
|
144
|
-
end
|
145
|
-
|
134
|
+
@opts["remotes"] = Array(@opts.delete("remote")).reverse
|
135
|
+
@current_source = TYPES[@type].from_lock(@opts)
|
146
136
|
@sources << @current_source
|
147
137
|
when PLUGIN
|
148
138
|
@current_source = Plugin.source_from_lock(@opts)
|
@@ -245,9 +235,5 @@ module Bundler
|
|
245
235
|
def parse_ruby(line)
|
246
236
|
@ruby_version = line.strip
|
247
237
|
end
|
248
|
-
|
249
|
-
def rubygems_aggregate
|
250
|
-
@rubygems_aggregate ||= Source::Rubygems.new
|
251
|
-
end
|
252
238
|
end
|
253
239
|
end
|
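Review bot: The new line `@opts["remotes"] = Array(@opts.delete("remote")).reverse` reverses the remote list and `Source::Rubygems#initialize` in this same release then applies `reverse_each` to it, so the two reversals cancel and `add_remote` receives the remotes in lockfile order; nothing in the hunk says why both are needed, and whoever touches either side next will not know the other depends on it. A comment on this line, e.g. `# Source::Rubygems#initialize re-reverses "remotes", so add_remote sees them in lockfile order`, or moving the `.reverse` next to the `reverse_each` it pairs with, would make the coupling explicit. Since `from_lock` now receives every remote of a GEM section, a section with several remotes yields a single multi-remote `Source::Rubygems`, which is what `disable_multisource?` later detects; that is worth a sentence in the parser too. The `case` arm sits inside a method that starts and ends outside the hunk.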
@@ -140,6 +140,13 @@ module Bundler
|
|
140
140
|
end
|
141
141
|
end
|
142
142
|
|
143
|
+
# Set internal representation to fetch the gems/specs locally.
|
144
|
+
#
|
145
|
+
# When this is called, the source should try to fetch the specs and
|
146
|
+
# install from the local system.
|
147
|
+
def local!
|
148
|
+
end
|
149
|
+
|
143
150
|
# Set internal representation to fetch the gems/specs from remote.
|
144
151
|
#
|
145
152
|
# When this is called, the source should try to fetch the specs and
|
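--- a/data/lib/bundler/source.rb
+++ b/data/lib/bundler/source.rb
@@ -33,6 +33,12 @@ module Bundler
 spec.source == self
 end
 
+def local!; end
+
+def cached!; end
+
+def remote!; end
+
 # it's possible that gems from one source depend on gems from some
 # other source, so now we download gemspecs and iterate over those
 # dependencies, looking for gems we don't have info on yet.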
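Review bot: The three no-op methods `local!`, `cached!` and `remote!` added to the base `Source` class carry no documentation, while the parallel `local!` added to `Plugin::API::Source` in this release explains the contract ("the source should try to fetch the specs and install from the local system"). A one-line comment above each, e.g. `# No-op by default; subclasses that can resolve from installed or cached gems override this.`, would tell subclass authors these are hooks rather than accidental stubs. The enclosing class starts and ends outside the hunk.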
@@ -20,17 +20,29 @@ module Bundler
|
|
20
20
|
@dependency_names = []
|
21
21
|
@allow_remote = false
|
22
22
|
@allow_cached = false
|
23
|
+
@allow_local = options["allow_local"] || false
|
23
24
|
@caches = [cache_path, *Bundler.rubygems.gem_cache]
|
24
25
|
|
25
|
-
Array(options["remotes"]
|
26
|
+
Array(options["remotes"]).reverse_each {|r| add_remote(r) }
|
27
|
+
end
|
28
|
+
|
29
|
+
def local!
|
30
|
+
return if @allow_local
|
31
|
+
|
32
|
+
@specs = nil
|
33
|
+
@allow_local = true
|
26
34
|
end
|
27
35
|
|
28
36
|
def remote!
|
37
|
+
return if @allow_remote
|
38
|
+
|
29
39
|
@specs = nil
|
30
40
|
@allow_remote = true
|
31
41
|
end
|
32
42
|
|
33
43
|
def cached!
|
44
|
+
return if @allow_cached
|
45
|
+
|
34
46
|
@specs = nil
|
35
47
|
@allow_cached = true
|
36
48
|
end
|
@@ -49,8 +61,12 @@ module Bundler
|
|
49
61
|
o.is_a?(Rubygems) && (o.credless_remotes - credless_remotes).empty?
|
50
62
|
end
|
51
63
|
|
64
|
+
def disable_multisource?
|
65
|
+
@remotes.size <= 1
|
66
|
+
end
|
67
|
+
|
52
68
|
def can_lock?(spec)
|
53
|
-
return super if
|
69
|
+
return super if disable_multisource?
|
54
70
|
spec.source.is_a?(Rubygems)
|
55
71
|
end
|
56
72
|
|
@@ -87,7 +103,7 @@ module Bundler
|
|
87
103
|
# small_idx.use large_idx.
|
88
104
|
idx = @allow_remote ? remote_specs.dup : Index.new
|
89
105
|
idx.use(cached_specs, :override_dupes) if @allow_cached || @allow_remote
|
90
|
-
idx.use(installed_specs, :override_dupes)
|
106
|
+
idx.use(installed_specs, :override_dupes) if @allow_local
|
91
107
|
idx
|
92
108
|
end
|
93
109
|
end
|
@@ -365,7 +381,7 @@ module Bundler
|
|
365
381
|
|
366
382
|
def cached_specs
|
367
383
|
@cached_specs ||= begin
|
368
|
-
idx = installed_specs.dup
|
384
|
+
idx = @allow_local ? installed_specs.dup : Index.new
|
369
385
|
|
370
386
|
Dir["#{cache_path}/*.gem"].each do |gemfile|
|
371
387
|
next if gemfile =~ /^bundler\-[\d\.]+?\.gem/
|
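Review bot: `local!` resets `@specs` but not `@cached_specs`, yet `cached_specs` (last hunk) is memoized in `@cached_specs` and now starts from `installed_specs.dup` only when `@allow_local` is set; if `cached_specs` is evaluated before `local!` is called on the same source, the memoized index permanently lacks the installed specs even after `local!` flips the flag. Clearing it alongside `@specs` keeps the two indexes consistent: `@specs = nil` / `@cached_specs = nil` / `@allow_local = true`. Whether that ordering occurs in practice depends on callers outside this hunk (spec_set.rb now calls `local!` right before `__materialize__`), so this may be latent rather than observed. The new `disable_multisource?` (`@remotes.size <= 1`) would also deserve a comment stating that a source with several remotes is the legacy merged form that `can_lock?` treats permissively.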
data/lib/bundler/source_list.rb
CHANGED
@@ -9,7 +9,7 @@ module Bundler
|
|
9
9
|
:metadata_source
|
10
10
|
|
11
11
|
def global_rubygems_source
|
12
|
-
@global_rubygems_source ||= rubygems_aggregate_class.new
|
12
|
+
@global_rubygems_source ||= rubygems_aggregate_class.new("allow_local" => true)
|
13
13
|
end
|
14
14
|
|
15
15
|
def initialize
|
@@ -20,6 +20,16 @@ module Bundler
|
|
20
20
|
@global_path_source = nil
|
21
21
|
@rubygems_sources = []
|
22
22
|
@metadata_source = Source::Metadata.new
|
23
|
+
|
24
|
+
@disable_multisource = true
|
25
|
+
end
|
26
|
+
|
27
|
+
def disable_multisource?
|
28
|
+
@disable_multisource
|
29
|
+
end
|
30
|
+
|
31
|
+
def merged_gem_lockfile_sections!
|
32
|
+
@disable_multisource = false
|
23
33
|
end
|
24
34
|
|
25
35
|
def add_path_source(options = {})
|
@@ -47,7 +57,7 @@ module Bundler
|
|
47
57
|
end
|
48
58
|
|
49
59
|
def global_rubygems_source=(uri)
|
50
|
-
@global_rubygems_source ||= rubygems_aggregate_class.new("remotes" => uri)
|
60
|
+
@global_rubygems_source ||= rubygems_aggregate_class.new("remotes" => uri, "allow_local" => true)
|
51
61
|
end
|
52
62
|
|
53
63
|
def add_rubygems_remote(uri)
|
@@ -77,7 +87,7 @@ module Bundler
|
|
77
87
|
|
78
88
|
def lock_sources
|
79
89
|
lock_sources = (path_sources + git_sources + plugin_sources).sort_by(&:to_s)
|
80
|
-
if
|
90
|
+
if disable_multisource?
|
81
91
|
lock_sources + rubygems_sources.sort_by(&:to_s)
|
82
92
|
else
|
83
93
|
lock_sources << combine_rubygems_sources
|
@@ -94,7 +104,7 @@ module Bundler
|
|
94
104
|
end
|
95
105
|
end
|
96
106
|
|
97
|
-
replacement_rubygems = !
|
107
|
+
replacement_rubygems = !disable_multisource? &&
|
98
108
|
replacement_sources.detect {|s| s.is_a?(Source::Rubygems) }
|
99
109
|
@global_rubygems_source = replacement_rubygems if replacement_rubygems
|
100
110
|
|
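Review bot: `@disable_multisource` and `merged_gem_lockfile_sections!` are added without any comment, and `disable_multisource?` reads like the user setting of that name even though the flag here defaults to `true` and is only cleared by `Definition` when the lockfile contains a merged multi-remote GEM section. A comment on the method, e.g. `# Called when the lockfile has a rubygems section with several remotes; while cleared, lock_sources keeps writing the combined section instead of one per source.`, would document why `lock_sources` and the `replacement_rubygems` assignment in the later hunks branch on it. The `!` suffix also implies a non-bang counterpart that does not exist; a name such as `merge_gem_lockfile_sections` or a plain writer would match the Ruby convention. The enclosing class starts and ends outside the hunks.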
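--- a/data/lib/bundler/spec_set.rb
+++ b/data/lib/bundler/spec_set.rb
@@ -82,6 +82,7 @@ module Bundler
 materialized.map! do |s|
 next s unless s.is_a?(LazySpecification)
 s.source.dependency_names = deps if s.source.respond_to?(:dependency_names=)
+s.source.local!
 spec = s.__materialize__
 unless spec
 unless missing_specs
@@ -102,6 +103,7 @@ module Bundler
 @specs.map do |s|
 next s unless s.is_a?(LazySpecification)
 s.source.dependency_names = names if s.source.respond_to?(:dependency_names=)
+s.source.local!
 s.source.remote!
 spec = s.__materialize__
 raise GemNotFound, "Could not find #{s.full_name} in any of the sources" unless spec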
data/lib/bundler/version.rb
CHANGED
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: bundler
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.2.
|
4
|
+
version: 2.2.14
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- André Arko
|
@@ -22,7 +22,7 @@ authors:
|
|
22
22
|
autorequire:
|
23
23
|
bindir: exe
|
24
24
|
cert_chain: []
|
25
|
-
date: 2021-03-
|
25
|
+
date: 2021-03-08 00:00:00.000000000 Z
|
26
26
|
dependencies: []
|
27
27
|
description: Bundler manages an application's dependencies through its entire life,
|
28
28
|
across many machines, systematically and repeatably
|
@@ -352,7 +352,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
352
352
|
- !ruby/object:Gem::Version
|
353
353
|
version: 2.5.2
|
354
354
|
requirements: []
|
355
|
-
rubygems_version: 3.2.
|
355
|
+
rubygems_version: 3.2.14
|
356
356
|
signing_key:
|
357
357
|
specification_version: 4
|
358
358
|
summary: The best way to manage your application's dependencies
|