bundler 2.4.8 → 2.4.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ef4e6f9cc4c071e0c5d5c389813ae098b7aa7977da99d1f83801d8602700e267
-  data.tar.gz: f7f223fd0aa6a6548842126a155bea516b1b5cdc9c8440842d1f657cd8d8b4cc
+  metadata.gz: bea219e989f6693457e01025c959a3ece35ee46c5c07df07cd06e56f475c06dd
+  data.tar.gz: 389b2a53b46bb41a4c95d1ed70e6d4cc3f422de3e8f73ef70067c1e6477da277
 SHA512:
-  metadata.gz: 3bfa3a3201b3ec0eb2bfe836374f0c16c9a36230fa9c05b19ffdb255f55bdd04d8be03de9ba0bb1872aab2362f1e7f5425d085cd36441f245b754c208188d0a0
-  data.tar.gz: b681f7ba478ff42fc2d380c0757192f959b27688ea6aef50839612f8da20242bec4fa6096e6c98bddde9ea561e3dd7e582cc4563c1dc87627b41a2d1bacc885c
+  metadata.gz: 7f9d947e46ea956603b8893d024e6833da24b8684416b9d25376cac3279a641d6bf18bf156b67af1fa2c490020064e09eac1ae04ff759bf0945bc189298a24cb
+  data.tar.gz: f78b90fb696e544268cb590af87b7e6ab4d22c9918222d7d494dde6bc28c91b555af93afa0b61f8ae863a1c48f5151e0370d3443285ae45c7418745e8225f592

data/CHANGELOG.md

@@ -1,3 +1,28 @@
+# 2.4.9 (March 20, 2023)
+
+## Security:
+
+  - Don't recommend `--full-index` on errors [#6493](https://github.com/rubygems/rubygems/pull/6493)
+
+## Enhancements:
+
+  - Fix duplicated specs in some error messages [#6475](https://github.com/rubygems/rubygems/pull/6475)
+  - When running `bundle lock --update <name>`, checkout locked revision of unrelated git sources directly [#6459](https://github.com/rubygems/rubygems/pull/6459)
+  - Avoid expiring git sources when unnecessary [#6458](https://github.com/rubygems/rubygems/pull/6458)
+  - Use `RbSys::ExtensionTask` when creating new rust gems [#6352](https://github.com/rubygems/rubygems/pull/6352)
+  - Don't ignore pre-releases when there's only one candidate [#6441](https://github.com/rubygems/rubygems/pull/6441)
+
+## Bug fixes:
+
+  - Fix incorrect removal of ruby platform when auto-healing corrupted lockfiles [#6495](https://github.com/rubygems/rubygems/pull/6495)
+  - Don't consider platform specific candidates when `force_ruby_platform` set [#6442](https://github.com/rubygems/rubygems/pull/6442)
+  - Better deal with circular dependencies [#6330](https://github.com/rubygems/rubygems/pull/6330)
+
+## Documentation:
+
+  - Add debugging docs [#6387](https://github.com/rubygems/rubygems/pull/6387)
+  - Document our current release policy [#6450](https://github.com/rubygems/rubygems/pull/6450)
+
 # 2.4.8 (March 8, 2023)
 
 ## Security:

data/lib/bundler/build_metadata.rb

@@ -4,8 +4,8 @@ module Bundler
   # Represents metadata from when the Bundler gem was built.
   module BuildMetadata
     # begin ivars
-    @built_at = "2023-03-08".freeze
-    @git_commit_sha = "a67b2657a0".freeze
+    @built_at = "2023-03-20".freeze
+    @git_commit_sha = "6f8e92bcc6".freeze
     @release = true
     # end ivars
 

data/lib/bundler/endpoint_specification.rb

@@ -26,10 +26,6 @@ module Bundler
       @platform
     end
 
-    def identifier
-      @__identifier ||= [name, version, platform.to_s]
-    end
-
     # needed for standalone, load required_paths from local gemspec
     # after the gem is installed
     def require_paths

data/lib/bundler/fetcher/dependency.rb

@@ -34,14 +34,10 @@ module Bundler
 
         returned_gems = spec_list.map(&:first).uniq
         specs(deps_list, full_dependency_list + returned_gems, spec_list + last_spec_list)
-      rescue MarshalError
+      rescue MarshalError, HTTPError, GemspecError
         Bundler.ui.info "" unless Bundler.ui.debug? # new line now that the dots are over
         Bundler.ui.debug "could not fetch from the dependency API, trying the full index"
         nil
-      rescue HTTPError, GemspecError
-        Bundler.ui.info "" unless Bundler.ui.debug? # new line now that the dots are over
-        Bundler.ui.debug "could not fetch from the dependency API\nit's suggested to retry using the full index via `bundle install --full-index`"
-        nil
       end
 
       def dependency_specs(gem_names)

data/lib/bundler/incomplete_specification.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Bundler
+  #
+  # Represents a package name that was found to be incomplete when trying to
+  # materialize a fresh resolution or the lockfile.
+  #
+  # Holds the actual partially complete set of specifications for the name.
+  # These are used so that they can be unlocked in a future resolution, and fix
+  # the situation.
+  #
+  class IncompleteSpecification
+    attr_reader :name, :partially_complete_specs
+
+    def initialize(name, partially_complete_specs = [])
+      @name = name
+      @partially_complete_specs = partially_complete_specs
+    end
+
+    def ==(other)
+      partially_complete_specs == other.partially_complete_specs
+    end
+  end
+end

data/lib/bundler/lazy_specification.rb

@@ -20,7 +20,7 @@ module Bundler
     end
 
     def full_name
-      if platform == Gem::Platform::RUBY
+      @full_name ||= if platform == Gem::Platform::RUBY
         "#{@name}-#{@version}"
       else
         "#{@name}-#{@version}-#{platform}"
@@ -28,15 +28,15 @@ module Bundler
     end
 
     def ==(other)
-      identifier == other.identifier
+      full_name == other.full_name
     end
 
     def eql?(other)
-      identifier.eql?(other.identifier)
+      full_name.eql?(other.full_name)
     end
 
     def hash
-      identifier.hash
+      full_name.hash
     end
 
     ##
@@ -129,10 +129,6 @@ module Bundler
       end
     end
 
-    def identifier
-      @__identifier ||= [name, version, platform.to_s]
-    end
-
     def git_version
       return unless source.is_a?(Bundler::Source::Git)
       " #{source.revision[0..6]}"

data/lib/bundler/lockfile_parser.rb

@@ -86,7 +86,7 @@ module Bundler
           send("parse_#{@state}", line)
         end
       end
-      @specs = @specs.values.sort_by(&:identifier)
+      @specs = @specs.values.sort_by(&:full_name)
     rescue ArgumentError => e
       Bundler.ui.debug(e)
       raise LockfileError, "Your lockfile is unreadable. Run `rm #{Bundler.default_lockfile.relative_path_from(SharedHelpers.pwd)}` " \
@@ -199,7 +199,7 @@ module Bundler
         @current_spec.source = @current_source
         @current_source.add_dependency_names(name)
 
-        @specs[@current_spec.identifier] = @current_spec
+        @specs[@current_spec.full_name] = @current_spec
       elsif spaces.size == 6
         version = version.split(",").map(&:strip) if version
         dep = Gem::Dependency.new(name, version)

data/lib/bundler/remote_specification.rb

@@ -29,12 +29,8 @@ module Bundler
       @platform = _remote_specification.platform
     end
 
-    def identifier
-      @__identifier ||= [name, version, @platform.to_s]
-    end
-
     def full_name
-      if @platform == Gem::Platform::RUBY
+      @full_name ||= if @platform == Gem::Platform::RUBY
         "#{@name}-#{@version}"
       else
         "#{@name}-#{@version}-#{@platform}"
@@ -106,7 +102,7 @@ module Bundler
     def _remote_specification
       @_remote_specification ||= @spec_fetcher.fetch_spec([@name, @version, @original_platform])
       @_remote_specification || raise(GemspecError, "Gemspec data for #{full_name} was" \
-        " missing from the server! Try installing with `--full-index` as a workaround.")
+        " missing from the server!")
     end
 
     def method_missing(method, *args, &blk)

data/lib/bundler/resolver/base.rb

@@ -34,9 +34,11 @@ module Bundler
         @base[name]
       end
 
-      def delete(specs)
-        specs.each do |spec|
-          @base.delete(spec)
+      def delete(incomplete_specs)
+        incomplete_specs.each do |incomplete_spec|
+          incomplete_spec.partially_complete_specs.each do |spec|
+            @base.delete(spec)
+          end
         end
       end
 

data/lib/bundler/resolver.rb

@@ -37,7 +37,9 @@ module Bundler
       root_version = Resolver::Candidate.new(0)
 
       @all_specs = Hash.new do |specs, name|
-        specs[name] = source_for(name).specs.search(name).sort_by {|s| [s.version, s.platform.to_s] }
+        specs[name] = source_for(name).specs.search(name).reject do |s|
+          s.dependencies.any? {|d| d.name == name && !d.requirement.satisfied_by?(s.version) } # ignore versions that depend on themselves incorrectly
+        end.sort_by {|s| [s.version, s.platform.to_s] }
       end
 
       @sorted_versions = Hash.new do |candidates, package|
@@ -55,7 +57,7 @@ module Bundler
           { root_version => root_dependencies }
         else
           Hash.new do |versions, version|
-            versions[version] = to_dependency_hash(version.dependencies, @packages)
+            versions[version] = to_dependency_hash(version.dependencies.reject {|d| d.name == package.name }, @packages)
           end
         end
       end
@@ -186,11 +188,6 @@ module Bundler
       package_deps = @cached_dependencies[package]
       sorted_versions = @sorted_versions[package]
       package_deps[version].map do |dep_package, dep_constraint|
-        if package == dep_package
-          cause = PubGrub::Incompatibility::CircularDependency.new(dep_package, dep_constraint.constraint_string)
-          return [PubGrub::Incompatibility.new([PubGrub::Term.new(dep_constraint, true)], :cause => cause)]
-        end
-
         low = high = sorted_versions.index(version)
 
         # find version low such that all >= low share the same dep
@@ -243,7 +240,7 @@ module Bundler
         ruby_specs = select_best_platform_match(specs, Gem::Platform::RUBY)
         groups << Resolver::Candidate.new(version, :specs => ruby_specs) if ruby_specs.any?
 
-        next groups if platform_specs == ruby_specs
+        next groups if platform_specs == ruby_specs || package.force_ruby_platform?
 
         groups << Resolver::Candidate.new(version, :specs => platform_specs)
 
@@ -302,7 +299,7 @@ module Bundler
     end
 
     def filter_prereleases(specs, package)
-      return specs unless package.ignores_prereleases?
+      return specs unless package.ignores_prereleases? && specs.size > 1
 
       specs.reject {|s| s.version.prerelease? }
     end

data/lib/bundler/settings.rb

@@ -495,7 +495,7 @@ module Bundler
         uri = $2
         suffix = $3
       end
-      uri = "#{uri}/" unless uri.end_with?("/")
+      uri = URINormalizer.normalize_suffix(uri)
       require_relative "vendored_uri"
       uri = Bundler::URI(uri)
       unless uri.absolute?

data/lib/bundler/shared_helpers.rb

@@ -160,7 +160,7 @@ module Bundler
         " (was expecting #{old_deps.map(&:to_s)}, but the real spec has #{new_deps.map(&:to_s)})"
       raise APIResponseMismatchError,
         "Downloading #{spec.full_name} revealed dependencies not in the API or the lockfile (#{extra_deps.join(", ")})." \
-        "\nEither installing with `--full-index` or running `bundle update #{spec.name}` should fix the problem."
+        "\nRunning `bundle update #{spec.name}` should fix the problem."
     end
 
     def pretty_dependency(dep)

data/lib/bundler/source/git/git_proxy.rb

@@ -366,6 +366,11 @@ module Bundler
           args += ["--single-branch"]
           args.unshift("--no-tags") if supports_cloning_with_no_tags?
 
+          # If there's a locked revision, no need to clone any specific branch
+          # or tag, since we will end up checking out that locked revision
+          # anyways.
+          return args if @revision
+
           args += ["--branch", branch || tag] if branch || tag
           args
         end

data/lib/bundler/source/git.rb

@@ -19,7 +19,7 @@ module Bundler
         # Stringify options that could be set as symbols
         %w[ref branch tag revision].each {|k| options[k] = options[k].to_s if options[k] }
 
-        @uri        = options["uri"] || ""
+        @uri        = URINormalizer.normalize_suffix(options["uri"] || "", :trailing_slash => false)
         @safe_uri   = URICredentialsFilter.credential_filtered_uri(@uri)
         @branch     = options["branch"]
         @ref        = options["ref"] || options["branch"] || options["tag"]

data/lib/bundler/source/rubygems.rb

@@ -337,8 +337,7 @@ module Bundler
       end
 
       def normalize_uri(uri)
-        uri = uri.to_s
-        uri = "#{uri}/" unless %r{/$}.match?(uri)
+        uri = URINormalizer.normalize_suffix(uri.to_s)
         require_relative "../vendored_uri"
         uri = Bundler::URI(uri)
         raise ArgumentError, "The source must be an absolute URI. For example:\n" \

data/lib/bundler/spec_set.rb

@@ -7,11 +7,8 @@ module Bundler
     include Enumerable
     include TSort
 
-    attr_reader :incomplete_specs
-
-    def initialize(specs, incomplete_specs = [])
+    def initialize(specs)
       @specs = specs
-      @incomplete_specs = incomplete_specs
     end
 
     def for(dependencies, check = false, platforms = [nil])
@@ -45,11 +42,11 @@ module Bundler
         end
 
         if incomplete && check
-          @incomplete_specs += lookup[name].any? ? lookup[name] : [LazySpecification.new(name, nil, nil)]
+          specs << IncompleteSpecification.new(name, lookup[name])
         end
       end
 
-      specs
+      specs.uniq
     end
 
     def [](key)
@@ -81,10 +78,10 @@ module Bundler
       lookup.dup
     end
 
-    def materialize(deps)
-      materialized = self.for(deps, true)
+    def materialize(deps, platforms = [nil])
+      materialized = self.for(deps, true, platforms)
 
-      SpecSet.new(materialized, incomplete_specs)
+      SpecSet.new(materialized)
     end
 
     # Materialize for all the specs in the spec set, regardless of what platform they're for
@@ -101,15 +98,19 @@ module Bundler
     end
 
     def incomplete_ruby_specs?(deps)
-      self.for(deps, true, [Gem::Platform::RUBY])
+      return false if @specs.empty?
 
-      @incomplete_specs.any?
+      materialize(deps, [Gem::Platform::RUBY]).incomplete_specs.any?
     end
 
     def missing_specs
       @specs.select {|s| s.is_a?(LazySpecification) }
     end
 
+    def incomplete_specs
+      @specs.select {|s| s.is_a?(IncompleteSpecification) }
+    end
+
     def merge(set)
       arr = sorted.dup
       set.each do |set_spec|

data/lib/bundler/templates/newgem/Gemfile.tt

@@ -10,7 +10,7 @@ gem "rake", "~> 13.0"
 
 gem "rake-compiler"
 <%- if config[:ext] == 'rust' -%>
-gem "rb_sys"
+gem "rb_sys", "~> 0.9.63"
 <%- end -%>
 <%- end -%>
 <%- if config[:test] -%>

data/lib/bundler/templates/newgem/Rakefile.tt

@@ -41,6 +41,15 @@ require "standard/rake"
 <% if config[:ext] -%>
 <% default_task_names.unshift(:compile) -%>
 <% default_task_names.unshift(:clobber) unless config[:ext] == 'rust' -%>
+<% if config[:ext] == 'rust' -%>
+require "rb_sys/extensiontask"
+
+task build: :compile
+
+RbSys::ExtensionTask.new(<%= config[:name].inspect %>) do |ext|
+  ext.lib_dir = "lib/<%= config[:namespaced_path] %>"
+end
+<% else -%>
 require "rake/extensiontask"
 
 task build: :compile
@@ -48,6 +57,7 @@ task build: :compile
 Rake::ExtensionTask.new("<%= config[:underscored_name] %>") do |ext|
   ext.lib_dir = "lib/<%= config[:namespaced_path] %>"
 end
+<% end -%>
 
 <% end -%>
 <% if default_task_names.size == 1 -%>

data/lib/bundler/templates/newgem/github/workflows/main.yml.tt

@@ -20,7 +20,7 @@ jobs:
     - uses: actions/checkout@v3
 <%- if config[:ext] == 'rust' -%>
     - name: Set up Ruby & Rust
-      uses: oxidize-rb/actions/setup-ruby-and-rust@main
+      uses: oxidize-rb/actions/setup-ruby-and-rust@v1
       with:
         ruby-version: ${{ matrix.ruby }}
         bundler-cache: true

data/lib/bundler/uri_normalizer.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Bundler
+  module URINormalizer
+    module_function
+
+    # Normalizes uri to a consistent version, either with or without trailing
+    # slash.
+    #
+    # TODO: Currently gem sources are locked with a trailing slash, while git
+    # sources are locked without a trailing slash. This should be normalized but
+    # the inconsistency is there for now to avoid changing all lockfiles
+    # including GIT sources. We could normalize this on the next major.
+    #
+    def normalize_suffix(uri, trailing_slash: true)
+      if trailing_slash
+        uri.end_with?("/") ? uri : "#{uri}/"
+      else
+        uri.end_with?("/") ? uri.delete_suffix("/") : uri
+      end
+    end
+  end
+end

data/lib/bundler/vendor/pub_grub/lib/pub_grub/incompatibility.rb

@@ -8,9 +8,6 @@ module Bundler::PubGrub
     InvalidDependency = Struct.new(:package, :constraint) do
     end
 
-    CircularDependency = Struct.new(:package, :constraint) do
-    end
-
     NoVersions = Struct.new(:constraint) do
     end
 
@@ -66,8 +63,6 @@ module Bundler::PubGrub
         "#{terms[0].to_s(allow_every: true)} depends on #{terms[1].invert}"
       when Bundler::PubGrub::Incompatibility::InvalidDependency
         "#{terms[0].to_s(allow_every: true)} depends on unknown package #{cause.package}"
-      when Bundler::PubGrub::Incompatibility::CircularDependency
-        "#{terms[0].to_s(allow_every: true)} depends on itself"
       when Bundler::PubGrub::Incompatibility::NoVersions
         "no versions satisfy #{cause.constraint}"
       when Bundler::PubGrub::Incompatibility::ConflictCause

data/lib/bundler/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: false
 
 module Bundler
-  VERSION = "2.4.8".freeze
+  VERSION = "2.4.9".freeze
 
   def self.bundler_major_version
     @bundler_major_version ||= VERSION.split(".").first.to_i

data/lib/bundler.rb

@@ -62,6 +62,7 @@ module Bundler
   autoload :GemHelpers,             File.expand_path("bundler/gem_helpers", __dir__)
   autoload :GemVersionPromoter,     File.expand_path("bundler/gem_version_promoter", __dir__)
   autoload :Graph,                  File.expand_path("bundler/graph", __dir__)
+  autoload :IncompleteSpecification, File.expand_path("bundler/incomplete_specification", __dir__)
   autoload :Index,                  File.expand_path("bundler/index", __dir__)
   autoload :Injector,               File.expand_path("bundler/injector", __dir__)
   autoload :Installer,              File.expand_path("bundler/installer", __dir__)
@@ -85,6 +86,7 @@ module Bundler
   autoload :StubSpecification,      File.expand_path("bundler/stub_specification", __dir__)
   autoload :UI,                     File.expand_path("bundler/ui", __dir__)
   autoload :URICredentialsFilter,   File.expand_path("bundler/uri_credentials_filter", __dir__)
+  autoload :URINormalizer,          File.expand_path("bundler/uri_normalizer", __dir__)
 
   class << self
     def configure

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bundler
 version: !ruby/object:Gem::Version
-  version: 2.4.8
+  version: 2.4.9
 platform: ruby
 authors:
 - André Arko
@@ -22,7 +22,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-03-08 00:00:00.000000000 Z
+date: 2023-03-20 00:00:00.000000000 Z
 dependencies: []
 description: Bundler manages an application's dependencies through its entire life,
   across many machines, systematically and repeatably
@@ -103,6 +103,7 @@ files:
 - lib/bundler/gem_tasks.rb
 - lib/bundler/gem_version_promoter.rb
 - lib/bundler/graph.rb
+- lib/bundler/incomplete_specification.rb
 - lib/bundler/index.rb
 - lib/bundler/injector.rb
 - lib/bundler/inline.rb
@@ -266,6 +267,7 @@ files:
 - lib/bundler/ui/shell.rb
 - lib/bundler/ui/silent.rb
 - lib/bundler/uri_credentials_filter.rb
+- lib/bundler/uri_normalizer.rb
 - lib/bundler/vendor/.document
 - lib/bundler/vendor/connection_pool/LICENSE
 - lib/bundler/vendor/connection_pool/lib/connection_pool.rb
@@ -379,7 +381,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.0.1
 requirements: []
-rubygems_version: 3.4.8
+rubygems_version: 3.4.9
 signing_key:
 specification_version: 4
 summary: The best way to manage your application's dependencies