bundler 2.5.9 → 2.5.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b343f681293b03c25fbc82c8d4c323154aec1af8dc5f34e619779c7f4d4c634b
-  data.tar.gz: 0566537e3cc941f3160e5060c806f0418907cca56e8d0e56a5b79dbb7d9bd94f
+  metadata.gz: f2695a15d38685b993a09dcf7eb0acc5d52c61ea0259a5467b161bd5fd7a7ce6
+  data.tar.gz: 794b454b5687c3cd0851daf45d355326cd8eaddce8abfc46e3e01f8cdbed87ad
 SHA512:
-  metadata.gz: 2effd5a50b198e6113853e8d695bcc98d396f6bc0d036e55756a7615755fa8f7498fbab09f7b51d13aef5fe0c2acd1de807c16f7446c5a188de18f7793ebab4b
-  data.tar.gz: 8cdafdd6dbe2da1aa03e44717211fc88440974c03c2057f57ecf514c5b9253d1aa7f1e9994758bcfb5ba614435b0853d070dfe32bfd25a7a033f45b03db86ca2
+  metadata.gz: eb611d6aed04553214e7304d6b3775cc64e34f5eb7e251c67d3e2e80fffb117681b322bbbaf759e58c942675b95c47d934f27ed715bd63b2ae4542a52c0a4ab5
+  data.tar.gz: b5482313980b8e1e3dd3477b21e16248b009dd22ff54c519cd2f7328b2031689a18c724eb6c6fe26d441c532bb38bd18e0d91bd256f72f05ebac77067f9e8ac6

data/CHANGELOG.md

@@ -1,3 +1,27 @@
+# 2.5.10 (May 3, 2024)
+
+## Security:
+
+  - Never write credentials to lockfiles [#7560](https://github.com/rubygems/rubygems/pull/7560)
+
+## Enhancements:
+
+  - Add auto_install support to require "bundler/setup" [#6561](https://github.com/rubygems/rubygems/pull/6561)
+  - Add `--glob` flag to `bundle add` [#7557](https://github.com/rubygems/rubygems/pull/7557)
+
+## Bug fixes:
+
+  - Make sure `bundle update <specific_gems>` can always update to the latest resolvable version of each requested gem [#7558](https://github.com/rubygems/rubygems/pull/7558)
+  - Show better error when installed gemspecs are unreadable [#7603](https://github.com/rubygems/rubygems/pull/7603)
+  - Fix `bundle update` not working on an out of sync lockfile [#7607](https://github.com/rubygems/rubygems/pull/7607)
+  - Don't upcase Windows ENV before backing it up [#7574](https://github.com/rubygems/rubygems/pull/7574)
+  - Properly resolve aliases when `bundle help` is run [#7601](https://github.com/rubygems/rubygems/pull/7601)
+  - Fix issue installing gems with linux-musl variant on non musl linux [#7583](https://github.com/rubygems/rubygems/pull/7583)
+
+## Documentation:
+
+  - Clarify `bundle check` behaviour in docs [#7613](https://github.com/rubygems/rubygems/pull/7613)
+
 # 2.5.9 (April 12, 2024)
 
 ## Bug fixes:

data/lib/bundler/build_metadata.rb

@@ -4,8 +4,8 @@ module Bundler
   # Represents metadata from when the Bundler gem was built.
   module BuildMetadata
     # begin ivars
-    @built_at = "2024-04-12".freeze
-    @git_commit_sha = "4304697e0c".freeze
+    @built_at = "2024-05-03".freeze
+    @git_commit_sha = "24cac00613".freeze
     @release = true
     # end ivars
 

data/lib/bundler/cli.rb

@@ -5,6 +5,7 @@ require_relative "vendored_thor"
 module Bundler
   class CLI < Thor
     require_relative "cli/common"
+    require_relative "cli/install"
 
     package_name "Bundler"
 
@@ -69,7 +70,7 @@ module Bundler
       Bundler.settings.set_command_option_if_given :retry, options[:retry]
 
       current_cmd = args.last[:current_command].name
-      auto_install if AUTO_INSTALL_CMDS.include?(current_cmd)
+      Bundler.auto_install if AUTO_INSTALL_CMDS.include?(current_cmd)
     rescue UnknownArgumentError => e
       raise InvalidOption, e.message
     ensure
@@ -114,6 +115,8 @@ module Bundler
     class_option "verbose", type: :boolean, desc: "Enable verbose output mode", aliases: "-V"
 
     def help(cli = nil)
+      cli = self.class.all_aliases[cli] if self.class.all_aliases[cli]
+
       case cli
       when "gemfile" then command = "gemfile"
       when nil       then command = "bundle"
@@ -347,6 +350,7 @@ module Bundler
     method_option "github", type: :string
     method_option "branch", type: :string
     method_option "ref", type: :string
+    method_option "glob", type: :string, banner: "The location of a dependency's .gemspec, expanded within Ruby (single quotes recommended)"
     method_option "skip-install", type: :boolean, banner: "Adds gem to the Gemfile but does not install it"
     method_option "optimistic", type: :boolean, banner: "Adds optimistic declaration of version to gem"
     method_option "strict", type: :boolean, banner: "Adds strict declaration of version to gem"
@@ -682,7 +686,6 @@ module Bundler
       exec_used = args.index {|a| exec_commands.include? a }
 
       command = args.find {|a| bundler_commands.include? a }
-      command = all_aliases[command] if all_aliases[command]
 
       if exec_used && help_used
         if exec_used + help_used == 1
@@ -735,26 +738,6 @@ module Bundler
 
     private
 
-    # Automatically invoke `bundle install` and resume if
-    # Bundler.settings[:auto_install] exists. This is set through config cmd
-    # `bundle config set --global auto_install 1`.
-    #
-    # Note that this method `nil`s out the global Definition object, so it
-    # should be called first, before you instantiate anything like an
-    # `Installer` that'll keep a reference to the old one instead.
-    def auto_install
-      return unless Bundler.settings[:auto_install]
-
-      begin
-        Bundler.definition.specs
-      rescue GemNotFound, GitError
-        Bundler.ui.info "Automatically installing missing gems."
-        Bundler.reset!
-        invoke :install, []
-        Bundler.reset!
-      end
-    end
-
     def current_command
       _, _, config = @_initializer
       config[:current_command]

data/lib/bundler/definition.rb

@@ -92,11 +92,12 @@ module Bundler
         @platforms = @locked_platforms.dup
         @locked_bundler_version = @locked_gems.bundler_version
         @locked_ruby_version = @locked_gems.ruby_version
+        @originally_locked_deps = @locked_gems.dependencies
         @originally_locked_specs = SpecSet.new(@locked_gems.specs)
         @locked_checksums = @locked_gems.checksums
 
         if unlock != true
-          @locked_deps    = @locked_gems.dependencies
+          @locked_deps    = @originally_locked_deps
           @locked_specs   = @originally_locked_specs
           @locked_sources = @locked_gems.sources
         else
@@ -111,6 +112,7 @@ module Bundler
         @locked_gems    = nil
         @locked_deps    = {}
         @locked_specs   = SpecSet.new([])
+        @originally_locked_deps = {}
         @originally_locked_specs = @locked_specs
         @locked_sources = []
         @locked_platforms = []
@@ -130,7 +132,7 @@ module Bundler
         @sources.merged_gem_lockfile_sections!(locked_gem_sources.first)
       end
 
-      @unlock[:sources] ||= []
+      @sources_to_unlock = @unlock.delete(:sources) || []
       @unlock[:ruby] ||= if @ruby_version && locked_ruby_version_object
         @ruby_version.diff(locked_ruby_version_object)
       end
@@ -142,11 +144,13 @@ module Bundler
       @path_changes = converge_paths
       @source_changes = converge_sources
 
+      @explicit_unlocks = @unlock.delete(:gems) || []
+
       if @unlock[:conservative]
-        @unlock[:gems] ||= @dependencies.map(&:name)
+        @gems_to_unlock = @explicit_unlocks.any? ? @explicit_unlocks : @dependencies.map(&:name)
       else
-        eager_unlock = (@unlock[:gems] || []).map {|name| Dependency.new(name, ">= 0") }
-        @unlock[:gems] = @locked_specs.for(eager_unlock, false, platforms).map(&:name).uniq
+        eager_unlock = @explicit_unlocks.map {|name| Dependency.new(name, ">= 0") }
+        @gems_to_unlock = @locked_specs.for(eager_unlock, false, platforms).map(&:name).uniq
       end
 
       @dependency_changes = converge_dependencies
@@ -225,7 +229,6 @@ module Bundler
       @resolver = nil
       @resolution_packages = nil
       @specs = nil
-      @gem_version_promoter = nil
 
       Bundler.ui.debug "The definition is missing dependencies, failed to resolve & materialize locally (#{e})"
       true
@@ -566,8 +569,10 @@ module Bundler
       @resolution_packages ||= begin
         last_resolve = converge_locked_specs
         remove_invalid_platforms!(current_dependencies)
-        packages = Resolver::Base.new(source_requirements, expanded_dependencies, last_resolve, @platforms, locked_specs: @originally_locked_specs, unlock: @unlock[:gems], prerelease: gem_version_promoter.pre?)
-        additional_base_requirements_for_resolve(packages, last_resolve)
+        packages = Resolver::Base.new(source_requirements, expanded_dependencies, last_resolve, @platforms, locked_specs: @originally_locked_specs, unlock: @gems_to_unlock, prerelease: gem_version_promoter.pre?)
+        packages = additional_base_requirements_to_prevent_downgrades(packages, last_resolve)
+        packages = additional_base_requirements_to_force_updates(packages)
+        packages
       end
     end
 
@@ -671,14 +676,18 @@ module Bundler
 
     def change_reason
       if unlocking?
-        unlock_reason = @unlock.reject {|_k, v| Array(v).empty? }.map do |k, v|
-          if v == true
-            k.to_s
-          else
-            v = Array(v)
-            "#{k}: (#{v.join(", ")})"
-          end
-        end.join(", ")
+        unlock_targets = if @gems_to_unlock.any?
+          ["gems", @gems_to_unlock]
+        elsif @sources_to_unlock.any?
+          ["sources", @sources_to_unlock]
+        end
+
+        unlock_reason = if unlock_targets
+          "#{unlock_targets.first}: (#{unlock_targets.last.join(", ")})"
+        else
+          @unlock[:ruby] ? "ruby" : ""
+        end
+
         return "bundler is unlocking #{unlock_reason}"
       end
       [
@@ -733,7 +742,7 @@ module Bundler
         spec   = @dependencies.find {|s| s.name == k }
         source = spec&.source
         if source&.respond_to?(:local_override!)
-          source.unlock! if @unlock[:gems].include?(spec.name)
+          source.unlock! if @gems_to_unlock.include?(spec.name)
           locals << [source, source.local_override!(v)]
         end
       end
@@ -741,7 +750,7 @@ module Bundler
       sources_with_changes = locals.select do |source, changed|
         changed || specs_changed?(source)
       end.map(&:first)
-      !sources_with_changes.each {|source| @unlock[:sources] << source.name }.empty?
+      !sources_with_changes.each {|source| @sources_to_unlock << source.name }.empty?
     end
 
     def check_lockfile
@@ -818,7 +827,7 @@ module Bundler
         # gem), unlock it. For git sources, this means to unlock the revision, which
         # will cause the `ref` used to be the most recent for the branch (or master) if
         # an explicit `ref` is not used.
-        if source.respond_to?(:unlock!) && @unlock[:sources].include?(source.name)
+        if source.respond_to?(:unlock!) && @sources_to_unlock.include?(source.name)
           source.unlock!
           changes = true
         end
@@ -835,9 +844,7 @@ module Bundler
           dep.source = sources.get(dep.source)
         end
 
-        next if unlocking?
-
-        unless locked_dep = @locked_deps[dep.name]
+        unless locked_dep = @originally_locked_deps[dep.name]
           changes = true
           next
         end
@@ -864,7 +871,7 @@ module Bundler
     def converge_locked_specs
       converged = converge_specs(@locked_specs)
 
-      resolve = SpecSet.new(converged.reject {|s| @unlock[:gems].include?(s.name) })
+      resolve = SpecSet.new(converged.reject {|s| @gems_to_unlock.include?(s.name) })
 
       diff = nil
 
@@ -897,7 +904,7 @@ module Bundler
 
           @specs_that_changed_sources << s if gemfile_source != lockfile_source
           deps << dep if !dep.source || lockfile_source.include?(dep.source)
-          @unlock[:gems] << name if lockfile_source.include?(dep.source) && lockfile_source != gemfile_source
+          @gems_to_unlock << name if lockfile_source.include?(dep.source) && lockfile_source != gemfile_source
 
           # Replace the locked dependency's source with the equivalent source from the Gemfile
           s.source = gemfile_source
@@ -906,7 +913,7 @@ module Bundler
           s.source = default_source unless sources.get(lockfile_source)
         end
 
-        next if @unlock[:sources].include?(s.source.name)
+        next if @sources_to_unlock.include?(s.source.name)
 
         # Path sources have special logic
         if s.source.instance_of?(Source::Path) || s.source.instance_of?(Source::Gemspec)
@@ -928,12 +935,12 @@ module Bundler
           else
             # If the spec is no longer in the path source, unlock it. This
             # commonly happens if the version changed in the gemspec
-            @unlock[:gems] << name
+            @gems_to_unlock << name
           end
         end
 
         if dep.nil? && requested_dependencies.find {|d| name == d.name }
-          @unlock[:gems] << s.name
+          @gems_to_unlock << s.name
         else
           converged << s
         end
@@ -1010,7 +1017,7 @@ module Bundler
       current == proposed
     end
 
-    def additional_base_requirements_for_resolve(resolution_packages, last_resolve)
+    def additional_base_requirements_to_prevent_downgrades(resolution_packages, last_resolve)
       return resolution_packages unless @locked_gems && !sources.expired_sources?(@locked_gems.sources)
       converge_specs(@originally_locked_specs - last_resolve).each do |locked_spec|
         next if locked_spec.source.is_a?(Source::Path)
@@ -1019,6 +1026,28 @@ module Bundler
       resolution_packages
     end
 
+    def additional_base_requirements_to_force_updates(resolution_packages)
+      return resolution_packages if @explicit_unlocks.empty?
+      full_update = dup_for_full_unlock.resolve
+      @explicit_unlocks.each do |name|
+        version = full_update[name].first&.version
+        resolution_packages.base_requirements[name] = Gem::Requirement.new("= #{version}") if version
+      end
+      resolution_packages
+    end
+
+    def dup_for_full_unlock
+      unlocked_definition = self.class.new(@lockfile, @dependencies, @sources, true, @ruby_version, @optional_groups, @gemfiles)
+      unlocked_definition.resolution_mode = { "local" => !@remote }
+      unlocked_definition.setup_sources_for_resolve
+      unlocked_definition.gem_version_promoter.tap do |gvp|
+        gvp.level = gem_version_promoter.level
+        gvp.strict = gem_version_promoter.strict
+        gvp.pre = gem_version_promoter.pre
+      end
+      unlocked_definition
+    end
+
     def remove_invalid_platforms!(dependencies)
       return if Bundler.frozen_bundle?
 

data/lib/bundler/dependency.rb

@@ -7,7 +7,7 @@ require_relative "rubygems_ext"
 module Bundler
   class Dependency < Gem::Dependency
     attr_reader :autorequire
-    attr_reader :groups, :platforms, :gemfile, :path, :git, :github, :branch, :ref
+    attr_reader :groups, :platforms, :gemfile, :path, :git, :github, :branch, :ref, :glob
 
     ALL_RUBY_VERSIONS = (18..27).to_a.concat((30..34).to_a).freeze
     PLATFORM_MAP = {
@@ -39,6 +39,7 @@ module Bundler
       @github         = options["github"]
       @branch         = options["branch"]
       @ref            = options["ref"]
+      @glob           = options["glob"]
       @platforms      = Array(options["platforms"])
       @env            = options["env"]
       @should_include = options.fetch("should_include", true)

data/lib/bundler/environment_preserver.rb

@@ -19,14 +19,7 @@ module Bundler
     BUNDLER_PREFIX = "BUNDLER_ORIG_"
 
     def self.from_env
-      new(env_to_hash(ENV), BUNDLER_KEYS)
-    end
-
-    def self.env_to_hash(env)
-      to_hash = env.to_hash
-      return to_hash unless Gem.win_platform?
-
-      to_hash.each_with_object({}) {|(k,v), a| a[k.upcase] = v }
+      new(ENV.to_hash, BUNDLER_KEYS)
     end
 
     # @param env [Hash]
@@ -39,18 +32,7 @@ module Bundler
 
     # Replaces `ENV` with the bundler environment variables backed up
     def replace_with_backup
-      unless Gem.win_platform?
-        ENV.replace(backup)
-        return
-      end
-
-      # Fallback logic for Windows below to workaround
-      # https://bugs.ruby-lang.org/issues/16798. Can be dropped once all
-      # supported rubies include the fix for that.
-
-      ENV.clear
-
-      backup.each {|k, v| ENV[k] = v }
+      ENV.replace(backup)
     end
 
     # @return [Hash]

data/lib/bundler/injector.rb

@@ -120,9 +120,10 @@ module Bundler
         github = ", :github => \"#{d.github}\"" unless d.github.nil?
         branch = ", :branch => \"#{d.branch}\"" unless d.branch.nil?
         ref = ", :ref => \"#{d.ref}\"" unless d.ref.nil?
+        glob = ", :glob => \"#{d.glob}\"" unless d.glob.nil?
         require_path = ", :require => #{convert_autorequire(d.autorequire)}" unless d.autorequire.nil?
 
-        %(gem #{name}#{requirement}#{group}#{source}#{path}#{git}#{github}#{branch}#{ref}#{require_path})
+        %(gem #{name}#{requirement}#{group}#{source}#{path}#{git}#{github}#{branch}#{ref}#{glob}#{require_path})
       end.join("\n")
     end
 

data/lib/bundler/man/bundle-add.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-ADD" "1" "March 2024" ""
+.TH "BUNDLE\-ADD" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-add\fR \- Add gem to the Gemfile and run bundle install
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-binstubs.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-BINSTUBS" "1" "March 2024" ""
+.TH "BUNDLE\-BINSTUBS" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-binstubs\fR \- Install the binstubs of the listed gems
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-cache.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-CACHE" "1" "March 2024" ""
+.TH "BUNDLE\-CACHE" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-cache\fR \- Package your needed \fB\.gem\fR files into your application
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-check.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-CHECK" "1" "March 2024" ""
+.TH "BUNDLE\-CHECK" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-check\fR \- Verifies if dependencies are satisfied by installed gems
 .SH "SYNOPSIS"
@@ -9,6 +9,8 @@
 \fBcheck\fR searches the local machine for each of the gems requested in the Gemfile\. If all gems are found, Bundler prints a success message and exits with a status of 0\.
 .P
 If not, the first missing gem is listed and Bundler exits status 1\.
+.P
+If the lockfile needs to be updated then it will be resolved using the gems installed on the local machine, if they satisfy the requirements\.
 .SH "OPTIONS"
 .TP
 \fB\-\-dry\-run\fR

data/lib/bundler/man/bundle-check.1.ronn

@@ -15,6 +15,9 @@ a status of 0.
 
 If not, the first missing gem is listed and Bundler exits status 1.
 
+If the lockfile needs to be updated then it will be resolved using the gems
+installed on the local machine, if they satisfy the requirements.
+
 ## OPTIONS
 
 * `--dry-run`:

data/lib/bundler/man/bundle-clean.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-CLEAN" "1" "March 2024" ""
+.TH "BUNDLE\-CLEAN" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-clean\fR \- Cleans up unused gems in your bundler directory
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-config.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-CONFIG" "1" "March 2024" ""
+.TH "BUNDLE\-CONFIG" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-config\fR \- Set bundler configuration options
 .SH "SYNOPSIS"
@@ -95,8 +95,6 @@ Any periods in the configuration keys must be replaced with two underscores when
 .SH "LIST OF AVAILABLE KEYS"
 The following is a list of all configuration keys and their purpose\. You can learn more about their operation in bundle install(1) \fIbundle\-install\.1\.html\fR\.
 .IP "\(bu" 4
-\fBallow_deployment_source_credential_changes\fR (\fBBUNDLE_ALLOW_DEPLOYMENT_SOURCE_CREDENTIAL_CHANGES\fR): When in deployment mode, allow changing the credentials to a gem's source\. Ex: \fBhttps://some\.host\.com/gems/path/\fR \-> \fBhttps://user_name:password@some\.host\.com/gems/path\fR
-.IP "\(bu" 4
 \fBallow_offline_install\fR (\fBBUNDLE_ALLOW_OFFLINE_INSTALL\fR): Allow Bundler to use cached data when installing without network access\.
 .IP "\(bu" 4
 \fBauto_clean_without_path\fR (\fBBUNDLE_AUTO_CLEAN_WITHOUT_PATH\fR): Automatically run \fBbundle clean\fR after installing when an explicit \fBpath\fR has not been set and Bundler is not installing into the system gems\.

data/lib/bundler/man/bundle-config.1.ronn

@@ -137,9 +137,6 @@ the environment variable `BUNDLE_LOCAL__RACK`.
 The following is a list of all configuration keys and their purpose. You can
 learn more about their operation in [bundle install(1)](bundle-install.1.html).
 
-* `allow_deployment_source_credential_changes` (`BUNDLE_ALLOW_DEPLOYMENT_SOURCE_CREDENTIAL_CHANGES`):
-   When in deployment mode, allow changing the credentials to a gem's source.
-   Ex: `https://some.host.com/gems/path/` -> `https://user_name:password@some.host.com/gems/path`
 * `allow_offline_install` (`BUNDLE_ALLOW_OFFLINE_INSTALL`):
    Allow Bundler to use cached data when installing without network access.
 * `auto_clean_without_path` (`BUNDLE_AUTO_CLEAN_WITHOUT_PATH`):

data/lib/bundler/man/bundle-console.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-CONSOLE" "1" "March 2024" ""
+.TH "BUNDLE\-CONSOLE" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-console\fR \- Deprecated way to open an IRB session with the bundle pre\-loaded
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-doctor.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-DOCTOR" "1" "March 2024" ""
+.TH "BUNDLE\-DOCTOR" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-doctor\fR \- Checks the bundle for common problems
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-exec.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-EXEC" "1" "March 2024" ""
+.TH "BUNDLE\-EXEC" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-exec\fR \- Execute a command in the context of the bundle
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-gem.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-GEM" "1" "March 2024" ""
+.TH "BUNDLE\-GEM" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-gem\fR \- Generate a project skeleton for creating a rubygem
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-help.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-HELP" "1" "March 2024" ""
+.TH "BUNDLE\-HELP" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-help\fR \- Displays detailed help for each subcommand
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-info.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-INFO" "1" "March 2024" ""
+.TH "BUNDLE\-INFO" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-info\fR \- Show information for the given gem in your bundle
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-init.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-INIT" "1" "March 2024" ""
+.TH "BUNDLE\-INIT" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-init\fR \- Generates a Gemfile into the current working directory
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-inject.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-INJECT" "1" "March 2024" ""
+.TH "BUNDLE\-INJECT" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-inject\fR \- Add named gem(s) with version requirements to Gemfile
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-install.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-INSTALL" "1" "March 2024" ""
+.TH "BUNDLE\-INSTALL" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-install\fR \- Install the dependencies specified in your Gemfile
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-list.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-LIST" "1" "March 2024" ""
+.TH "BUNDLE\-LIST" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-list\fR \- List all the gems in the bundle
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-lock.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-LOCK" "1" "March 2024" ""
+.TH "BUNDLE\-LOCK" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-lock\fR \- Creates / Updates a lockfile without installing
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-open.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-OPEN" "1" "March 2024" ""
+.TH "BUNDLE\-OPEN" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-open\fR \- Opens the source directory for a gem in your bundle
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-outdated.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-OUTDATED" "1" "March 2024" ""
+.TH "BUNDLE\-OUTDATED" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-outdated\fR \- List installed gems with newer versions available
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-platform.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-PLATFORM" "1" "March 2024" ""
+.TH "BUNDLE\-PLATFORM" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-platform\fR \- Displays platform compatibility information
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-plugin.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-PLUGIN" "1" "March 2024" ""
+.TH "BUNDLE\-PLUGIN" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-plugin\fR \- Manage Bundler plugins
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-pristine.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-PRISTINE" "1" "March 2024" ""
+.TH "BUNDLE\-PRISTINE" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-pristine\fR \- Restores installed gems to their pristine condition
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-remove.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-REMOVE" "1" "March 2024" ""
+.TH "BUNDLE\-REMOVE" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-remove\fR \- Removes gems from the Gemfile
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-show.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-SHOW" "1" "March 2024" ""
+.TH "BUNDLE\-SHOW" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-show\fR \- Shows all the gems in your bundle, or the path to a gem
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-update.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-UPDATE" "1" "March 2024" ""
+.TH "BUNDLE\-UPDATE" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-update\fR \- Update your gems to the latest available versions
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-version.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-VERSION" "1" "March 2024" ""
+.TH "BUNDLE\-VERSION" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-version\fR \- Prints Bundler version information
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle-viz.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-VIZ" "1" "March 2024" ""
+.TH "BUNDLE\-VIZ" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-viz\fR \- Generates a visual dependency graph for your Gemfile
 .SH "SYNOPSIS"

data/lib/bundler/man/bundle.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE" "1" "March 2024" ""
+.TH "BUNDLE" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\fR \- Ruby Dependency Management
 .SH "SYNOPSIS"

data/lib/bundler/man/gemfile.5

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "GEMFILE" "5" "March 2024" ""
+.TH "GEMFILE" "5" "April 2024" ""
 .SH "NAME"
 \fBGemfile\fR \- A format for describing gem dependencies for Ruby programs
 .SH "SYNOPSIS"

data/lib/bundler/rubygems_ext.rb

@@ -146,6 +146,18 @@ module Gem
     end
   end
 
+  module BetterPermissionError
+    def data
+      Bundler::SharedHelpers.filesystem_access(loaded_from, :read) do
+        super
+      end
+    end
+  end
+
+  class StubSpecification
+    prepend BetterPermissionError
+  end
+
   class Dependency
     include ::Bundler::ForcePlatform
 

data/lib/bundler/settings.rb

@@ -7,7 +7,6 @@ module Bundler
     autoload :Validator, File.expand_path("settings/validator", __dir__)
 
     BOOL_KEYS = %w[
-      allow_deployment_source_credential_changes
       allow_offline_install
       auto_clean_without_path
       auto_install

data/lib/bundler/setup.rb

@@ -5,6 +5,9 @@ require_relative "shared_helpers"
 if Bundler::SharedHelpers.in_bundle?
   require_relative "../bundler"
 
+  # try to auto_install first before we get to the `Bundler.ui.silence`, so user knows what is happening
+  Bundler.auto_install
+
   if STDOUT.tty? || ENV["BUNDLER_FORCE_TTY"]
     begin
       Bundler.ui.silence { Bundler.setup }

data/lib/bundler/source/rubygems.rb

@@ -10,7 +10,7 @@ module Bundler
       # Ask for X gems per API request
       API_REQUEST_SIZE = 50
 
-      attr_reader :remotes
+      attr_accessor :remotes
 
       def initialize(options = {})
         @options = options
@@ -96,7 +96,7 @@ module Bundler
       def to_lock
         out = String.new("GEM\n")
         remotes.reverse_each do |remote|
-          out << "  remote: #{suppress_configured_credentials remote}\n"
+          out << "  remote: #{remove_auth remote}\n"
         end
         out << "  specs:\n"
       end
@@ -312,11 +312,7 @@ module Bundler
       end
 
       def credless_remotes
-        if Bundler.settings[:allow_deployment_source_credential_changes]
-          remotes.map(&method(:remove_auth))
-        else
-          remotes.map(&method(:suppress_configured_credentials))
-        end
+        remotes.map(&method(:remove_auth))
       end
 
       def remotes_for_spec(spec)
@@ -355,15 +351,6 @@ module Bundler
         uri
       end
 
-      def suppress_configured_credentials(remote)
-        remote_nouser = remove_auth(remote)
-        if remote.userinfo && remote.userinfo == Bundler.settings[remote_nouser]
-          remote_nouser
-        else
-          remote
-        end
-      end
-
       def remove_auth(remote)
         if remote.user || remote.password
           remote.dup.tap {|uri| uri.user = uri.password = nil }.to_s

data/lib/bundler/source_list.rb

@@ -157,7 +157,11 @@ module Bundler
     end
 
     def map_sources(replacement_sources)
-      rubygems, git, plugin = [@rubygems_sources, @git_sources, @plugin_sources].map do |sources|
+      rubygems = @rubygems_sources.map do |source|
+        replace_rubygems_source(replacement_sources, source) || source
+      end
+
+      git, plugin = [@git_sources, @plugin_sources].map do |sources|
         sources.map do |source|
           replacement_sources.find {|s| s == source } || source
         end
@@ -171,13 +175,22 @@ module Bundler
     end
 
     def global_replacement_source(replacement_sources)
-      replacement_source = replacement_sources.find {|s| s == global_rubygems_source }
+      replacement_source = replace_rubygems_source(replacement_sources, global_rubygems_source)
       return global_rubygems_source unless replacement_source
 
       replacement_source.cached!
       replacement_source
     end
 
+    def replace_rubygems_source(replacement_sources, gemfile_source)
+      replacement_source = replacement_sources.find {|s| s == gemfile_source }
+      return unless replacement_source
+
+      # locked sources never include credentials so always prefer remotes from the gemfile
+      replacement_source.remotes = gemfile_source.remotes
+      replacement_source
+    end
+
     def different_sources?(lock_sources, replacement_sources)
       !equivalent_sources?(lock_sources, replacement_sources)
     end

data/lib/bundler/spec_set.rb

@@ -65,7 +65,7 @@ module Bundler
 
       platforms.concat(new_platforms)
 
-      less_specific_platform = new_platforms.find {|platform| platform != Gem::Platform::RUBY && Bundler.local_platform === platform }
+      less_specific_platform = new_platforms.find {|platform| platform != Gem::Platform::RUBY && Bundler.local_platform === platform && platform === Bundler.local_platform }
       platforms.delete(Bundler.local_platform) if less_specific_platform
 
       platforms

data/lib/bundler/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: false
 
 module Bundler
-  VERSION = "2.5.9".freeze
+  VERSION = "2.5.10".freeze
 
   def self.bundler_major_version
     @bundler_major_version ||= VERSION.split(".").first.to_i

data/lib/bundler.rb

@@ -40,6 +40,7 @@ module Bundler
   SUDO_MUTEX = Thread::Mutex.new
 
   autoload :Checksum,               File.expand_path("bundler/checksum", __dir__)
+  autoload :CLI,                    File.expand_path("bundler/cli", __dir__)
   autoload :CIDetector,             File.expand_path("bundler/ci_detector", __dir__)
   autoload :Definition,             File.expand_path("bundler/definition", __dir__)
   autoload :Dependency,             File.expand_path("bundler/dependency", __dir__)
@@ -165,6 +166,25 @@ module Bundler
       end
     end
 
+    # Automatically install dependencies if Bundler.settings[:auto_install] exists.
+    # This is set through config cmd `bundle config set --global auto_install 1`.
+    #
+    # Note that this method `nil`s out the global Definition object, so it
+    # should be called first, before you instantiate anything like an
+    # `Installer` that'll keep a reference to the old one instead.
+    def auto_install
+      return unless settings[:auto_install]
+
+      begin
+        definition.specs
+      rescue GemNotFound, GitError
+        ui.info "Automatically installing missing gems."
+        reset!
+        CLI::Install.new({}).run
+        reset!
+      end
+    end
+
     # Setups Bundler environment (see Bundler.setup) if it is not already set,
     # and loads all gems from groups specified. Unlike ::setup, can be called
     # multiple times with different groups (if they were allowed by setup).

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bundler
 version: !ruby/object:Gem::Version
-  version: 2.5.9
+  version: 2.5.10
 platform: ruby
 authors:
 - André Arko
@@ -22,7 +22,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-04-12 00:00:00.000000000 Z
+date: 2024-05-03 00:00:00.000000000 Z
 dependencies: []
 description: Bundler manages an application's dependencies through its entire life,
   across many machines, systematically and repeatably
@@ -399,7 +399,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.2.3
 requirements: []
-rubygems_version: 3.5.9
+rubygems_version: 3.5.10
 signing_key:
 specification_version: 4
 summary: The best way to manage your application's dependencies