bundler 2.2.13 → 2.2.14

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e4227db15ba56c781814845c3e7c2811def8bba66c074098d04496cf3f7ce3ed
-  data.tar.gz: '0295d490ed0dcf0989468a1a25b3b233c618006882757cbbf5a99e179b009568'
+  metadata.gz: 31f2f45fcc46844af7ae85151dd04e9ddd20b8daaee6999b735813bc632b5e28
+  data.tar.gz: 9fe8d309077af1c3d82794d8e020037b788995038c90674885ccb61ff595d4da
 SHA512:
-  metadata.gz: fa78e4e46d7b7fe666950c26fd47df524d7af57612c4e584e088a7a10aa140db5eb243b0688f993dc3586a7b5c4cb2357488a237715b618891747b328d94d01a
-  data.tar.gz: f1baab0b6a8b0c9ccf1c9bdafb7e6068252ba8fac05f96f50540320f47d4da8fa42ecae264e7b082fc1c50d4c0ff7cb456a928b2ffb07d0ca79e84d6272d1b54
+  metadata.gz: 55a040289f2f69a734b222d30fdd716e1789c8a2d18519dd225d16fa4e418748cab1f850888b290f92305fc8e07b02e30a8816ed756d0877ef7f286e6ec2393b
+  data.tar.gz: c810e53e037eec801da65b145ff9ef34d556df32b128086c5f6242b228dc9a6df3595d23aae8f1513a410e54666adc23be8d152a3790346fa4ca97feb51c394b

data/CHANGELOG.md

@@ -1,3 +1,14 @@
+# 2.2.14 (March 8, 2021)
+
+## Security fixes:
+
+  - Lock GEM sources separately and fix locally installed specs confusing bundler [#4381](https://github.com/rubygems/rubygems/pull/4381)
+
+## Bug fixes:
+
+  - Make `rake` available to other gems' installers right after it's installed [#4428](https://github.com/rubygems/rubygems/pull/4428)
+  - Fix encoding issue on compact index updater [#4362](https://github.com/rubygems/rubygems/pull/4362)
+
 # 2.2.13 (March 3, 2021)
 
 ## Enhancements:

data/lib/bundler/build_metadata.rb

@@ -4,8 +4,8 @@ module Bundler
   # Represents metadata from when the Bundler gem was built.
   module BuildMetadata
     # begin ivars
-    @built_at = "2021-03-03".freeze
-    @git_commit_sha = "9b15ab18c4".freeze
+    @built_at = "2021-03-08".freeze
+    @git_commit_sha = "3a169d80c1".freeze
     @release = true
     # end ivars
 

data/lib/bundler/compact_index_client/updater.rb

@@ -54,7 +54,7 @@ module Bundler
             if response.is_a?(Net::HTTPPartialContent) && local_temp_path.size.nonzero?
               local_temp_path.open("a") {|f| f << slice_body(content, 1..-1) }
             else
-              local_temp_path.open("w") {|f| f << content }
+              local_temp_path.open("wb") {|f| f << content }
             end
           end
 

data/lib/bundler/definition.rb

@@ -106,6 +106,17 @@ module Bundler
         @locked_platforms = []
       end
 
+      @locked_gem_sources = @locked_sources.select {|s| s.is_a?(Source::Rubygems) }
+      @disable_multisource = @locked_gem_sources.all?(&:disable_multisource?)
+
+      unless @disable_multisource
+        msg = "Your lockfile contains a single rubygems source section with multiple remotes, which is insecure. You should run `bundle update` or generate your lockfile from scratch."
+
+        Bundler::SharedHelpers.major_deprecation 2, msg
+
+        @sources.merged_gem_lockfile_sections!
+      end
+
       @unlock[:gems] ||= []
       @unlock[:sources] ||= []
       @unlock[:ruby] ||= if @ruby_version && locked_ruby_version_object
@@ -145,6 +156,10 @@ module Bundler
       end
     end
 
+    def disable_multisource?
+      @disable_multisource
+    end
+
     def resolve_with_cache!
       raise "Specs already loaded" if @specs
       sources.cached!
@@ -530,6 +545,9 @@ module Bundler
     attr_reader :sources
     private :sources
 
+    attr_reader :locked_gem_sources
+    private :locked_gem_sources
+
     def nothing_changed?
       !@source_changes && !@dependency_changes && !@new_platform && !@path_changes && !@local_changes && !@locked_specs_incomplete_for_platform
     end
@@ -654,10 +672,8 @@ module Bundler
     end
 
     def converge_rubygems_sources
-      return false if Bundler.feature_flag.disable_multisource?
+      return false if disable_multisource?
 
-      # Get the RubyGems sources from the Gemfile.lock
-      locked_gem_sources = @locked_sources.select {|s| s.is_a?(Source::Rubygems) }
       return false if locked_gem_sources.empty?
 
       # Get the RubyGems remotes from the Gemfile

data/lib/bundler/dsl.rb

@@ -460,19 +460,16 @@ repo_name ||= user_name
         @sources.add_rubygems_remote(source)
       end
 
-      if Bundler.feature_flag.disable_multisource?
+      if Bundler.feature_flag.bundler_3_mode?
         msg = "This Gemfile contains multiple primary sources. " \
           "Each source after the first must include a block to indicate which gems " \
-          "should come from that source. To downgrade this error to a warning, run " \
-          "`bundle config unset disable_multisource`"
+          "should come from that source"
         raise GemfileEvalError, msg
       else
         Bundler::SharedHelpers.major_deprecation 2, "Your Gemfile contains multiple primary sources. " \
           "Using `source` more than once without a block is a security risk, and " \
           "may result in installing unexpected gems. To resolve this warning, use " \
-          "a block to indicate which gems should come from the secondary source. " \
-          "To upgrade this warning to an error, run `bundle config set --local " \
-          "disable_multisource true`."
+          "a block to indicate which gems should come from the secondary source."
       end
     end
 

data/lib/bundler/installer/parallel_installer.rb

@@ -27,13 +27,8 @@ module Bundler
         state == :failed
       end
 
-      def installation_attempted?
-        installed? || failed?
-      end
-
-      # Only true when spec in neither installed nor already enqueued
       def ready_to_enqueue?
-        !enqueued? && !installation_attempted?
+        state == :none
       end
 
       def has_post_install_message?
@@ -93,6 +88,11 @@ module Bundler
     def call
       check_for_corrupt_lockfile
 
+      if @rake
+        do_install(@rake, 0)
+        Gem::Specification.reset
+      end
+
       if @size > 1
         install_with_worker
       else
@@ -217,8 +217,6 @@ module Bundler
     # are installed.
     def enqueue_specs
       @specs.select(&:ready_to_enqueue?).each do |spec|
-        next if @rake && !@rake.installed? && spec.name != @rake.name
-
         if spec.dependencies_installed? @specs
           spec.state = :enqueued
           worker_pool.enq spec

data/lib/bundler/lockfile_parser.rb

@@ -131,18 +131,8 @@ module Bundler
             @sources << @current_source
           end
         when GEM
-          source_remotes = Array(@opts["remote"])
-
-          if source_remotes.size == 1
-            @opts["remotes"] = @opts.delete("remote")
-            @current_source = TYPES[@type].from_lock(@opts)
-          else
-            source_remotes.each do |url|
-              rubygems_aggregate.add_remote(url)
-            end
-            @current_source = rubygems_aggregate
-          end
-
+          @opts["remotes"] = Array(@opts.delete("remote")).reverse
+          @current_source = TYPES[@type].from_lock(@opts)
           @sources << @current_source
         when PLUGIN
           @current_source = Plugin.source_from_lock(@opts)
@@ -245,9 +235,5 @@ module Bundler
     def parse_ruby(line)
       @ruby_version = line.strip
     end
-
-    def rubygems_aggregate
-      @rubygems_aggregate ||= Source::Rubygems.new
-    end
   end
 end

data/lib/bundler/plugin/api/source.rb

@@ -140,6 +140,13 @@ module Bundler
           end
         end
 
+        # Set internal representation to fetch the gems/specs locally.
+        #
+        # When this is called, the source should try to fetch the specs and
+        # install from the local system.
+        def local!
+        end
+
         # Set internal representation to fetch the gems/specs from remote.
         #
         # When this is called, the source should try to fetch the specs and

data/lib/bundler/source.rb

@@ -33,6 +33,12 @@ module Bundler
       spec.source == self
     end
 
+    def local!; end
+
+    def cached!; end
+
+    def remote!; end
+
     # it's possible that gems from one source depend on gems from some
     # other source, so now we download gemspecs and iterate over those
     # dependencies, looking for gems we don't have info on yet.

data/lib/bundler/source/metadata.rb

@@ -33,10 +33,6 @@ module Bundler
         end
       end
 
-      def cached!; end
-
-      def remote!; end
-
       def options
         {}
       end

data/lib/bundler/source/rubygems.rb

@@ -20,17 +20,29 @@ module Bundler
         @dependency_names = []
         @allow_remote = false
         @allow_cached = false
+        @allow_local = options["allow_local"] || false
         @caches = [cache_path, *Bundler.rubygems.gem_cache]
 
-        Array(options["remotes"] || []).reverse_each {|r| add_remote(r) }
+        Array(options["remotes"]).reverse_each {|r| add_remote(r) }
+      end
+
+      def local!
+        return if @allow_local
+
+        @specs = nil
+        @allow_local = true
       end
 
       def remote!
+        return if @allow_remote
+
         @specs = nil
         @allow_remote = true
       end
 
       def cached!
+        return if @allow_cached
+
         @specs = nil
         @allow_cached = true
       end
@@ -49,8 +61,12 @@ module Bundler
         o.is_a?(Rubygems) && (o.credless_remotes - credless_remotes).empty?
       end
 
+      def disable_multisource?
+        @remotes.size <= 1
+      end
+
       def can_lock?(spec)
-        return super if Bundler.feature_flag.disable_multisource?
+        return super if disable_multisource?
         spec.source.is_a?(Rubygems)
       end
 
@@ -87,7 +103,7 @@ module Bundler
           # small_idx.use large_idx.
           idx = @allow_remote ? remote_specs.dup : Index.new
           idx.use(cached_specs, :override_dupes) if @allow_cached || @allow_remote
-          idx.use(installed_specs, :override_dupes)
+          idx.use(installed_specs, :override_dupes) if @allow_local
           idx
         end
       end
@@ -365,7 +381,7 @@ module Bundler
 
       def cached_specs
         @cached_specs ||= begin
-          idx = installed_specs.dup
+          idx = @allow_local ? installed_specs.dup : Index.new
 
           Dir["#{cache_path}/*.gem"].each do |gemfile|
             next if gemfile =~ /^bundler\-[\d\.]+?\.gem/

data/lib/bundler/source_list.rb

@@ -9,7 +9,7 @@ module Bundler
       :metadata_source
 
     def global_rubygems_source
-      @global_rubygems_source ||= rubygems_aggregate_class.new
+      @global_rubygems_source ||= rubygems_aggregate_class.new("allow_local" => true)
     end
 
     def initialize
@@ -20,6 +20,16 @@ module Bundler
       @global_path_source     = nil
       @rubygems_sources       = []
       @metadata_source        = Source::Metadata.new
+
+      @disable_multisource = true
+    end
+
+    def disable_multisource?
+      @disable_multisource
+    end
+
+    def merged_gem_lockfile_sections!
+      @disable_multisource = false
     end
 
     def add_path_source(options = {})
@@ -47,7 +57,7 @@ module Bundler
     end
 
     def global_rubygems_source=(uri)
-      @global_rubygems_source ||= rubygems_aggregate_class.new("remotes" => uri)
+      @global_rubygems_source ||= rubygems_aggregate_class.new("remotes" => uri, "allow_local" => true)
     end
 
     def add_rubygems_remote(uri)
@@ -77,7 +87,7 @@ module Bundler
 
     def lock_sources
       lock_sources = (path_sources + git_sources + plugin_sources).sort_by(&:to_s)
-      if Bundler.feature_flag.disable_multisource?
+      if disable_multisource?
         lock_sources + rubygems_sources.sort_by(&:to_s)
       else
         lock_sources << combine_rubygems_sources
@@ -94,7 +104,7 @@ module Bundler
         end
       end
 
-      replacement_rubygems = !Bundler.feature_flag.disable_multisource? &&
+      replacement_rubygems = !disable_multisource? &&
         replacement_sources.detect {|s| s.is_a?(Source::Rubygems) }
       @global_rubygems_source = replacement_rubygems if replacement_rubygems
 

data/lib/bundler/spec_set.rb

@@ -82,6 +82,7 @@ module Bundler
       materialized.map! do |s|
         next s unless s.is_a?(LazySpecification)
         s.source.dependency_names = deps if s.source.respond_to?(:dependency_names=)
+        s.source.local!
         spec = s.__materialize__
         unless spec
           unless missing_specs
@@ -102,6 +103,7 @@ module Bundler
       @specs.map do |s|
         next s unless s.is_a?(LazySpecification)
         s.source.dependency_names = names if s.source.respond_to?(:dependency_names=)
+        s.source.local!
         s.source.remote!
         spec = s.__materialize__
         raise GemNotFound, "Could not find #{s.full_name} in any of the sources" unless spec

data/lib/bundler/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: false
 
 module Bundler
-  VERSION = "2.2.13".freeze
+  VERSION = "2.2.14".freeze
 
   def self.bundler_major_version
     @bundler_major_version ||= VERSION.split(".").first.to_i

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bundler
 version: !ruby/object:Gem::Version
-  version: 2.2.13
+  version: 2.2.14
 platform: ruby
 authors:
 - André Arko
@@ -22,7 +22,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-03-03 00:00:00.000000000 Z
+date: 2021-03-08 00:00:00.000000000 Z
 dependencies: []
 description: Bundler manages an application's dependencies through its entire life,
   across many machines, systematically and repeatably
@@ -352,7 +352,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 2.5.2
 requirements: []
-rubygems_version: 3.2.13
+rubygems_version: 3.2.14
 signing_key: 
 specification_version: 4
 summary: The best way to manage your application's dependencies