bundler 2.6.6 → 2.6.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 04be45da6f2c0f4d36af4bbed990919e3fafcba6d1ae0f29adff18b814bbd343
-  data.tar.gz: 4b2dc4d27575de59e07cfe3cbb397248c60288b0da5a3f857ef5f2ad738b46b9
+  metadata.gz: 9135fec12672acb616058b986f9ee528f8dbaf5b5452a413a93bf4188f381813
+  data.tar.gz: 8b5ffbe95febae6b17210c94972b43ecf3009c665720e976156a8ecbb4d0cc8b
 SHA512:
-  metadata.gz: a1f8470b8caa25f59bdef6c9a62b938292b6e8dc2a1799c93971f931e774aee8c766dc503007900dbd8e743a6396dad8803ea92f6d47261fb82748d46705d865
-  data.tar.gz: 50c0f2dabb906fe79566eea2024f1c346469026ae57936cc1c0c4d4bbaeab0321e0261c82128ad2c36985f998dbc0db21f1311c4bef2fb097ecd24d641136450
+  metadata.gz: 246ae795176220dde699c7d808bc876d4cbf0180b4eb58521efb6785ab699266ffbfbee550380e4e98c002a74cfca386eb7e238d37286775b7a870b4521abcda
+  data.tar.gz: '040083539b5e2bd6d968a80de1314c65bc46bb3652189dc0849b73653aed0825993770adc5e7eca99099078be3aba7b47cc34fe10e4c8bfa5fc6927328aaf12f'

data/CHANGELOG.md

@@ -1,3 +1,22 @@
+# 2.6.7 (April 3, 2025)
+
+## Enhancements:
+
+  - Fix crash when server compact index API implementation only lists versions [#8594](https://github.com/rubygems/rubygems/pull/8594)
+  - Fix lockfile when a gem ends up accidentally under two different sources [#8579](https://github.com/rubygems/rubygems/pull/8579)
+  - Refuse to install and print an error in frozen mode if some entries are missing in CHECKSUMS lockfile section [#8563](https://github.com/rubygems/rubygems/pull/8563)
+  - Support git 2.49 [#8581](https://github.com/rubygems/rubygems/pull/8581)
+  - Improve wording of a few messages [#8570](https://github.com/rubygems/rubygems/pull/8570)
+
+## Bug fixes:
+
+  - Fix `bundle add` sometimes generating invalid lockfiles [#8586](https://github.com/rubygems/rubygems/pull/8586)
+
+## Performance:
+
+  - Implement pub_grub strategy interface [#8589](https://github.com/rubygems/rubygems/pull/8589)
+  - Update vendored pub_grub [#8571](https://github.com/rubygems/rubygems/pull/8571)
+
 # 2.6.6 (March 13, 2025)
 
 ## Enhancements:
@@ -1318,7 +1337,7 @@
   - Enable parallel installation on Windows by default [#4822](https://github.com/rubygems/rubygems/pull/4822)
   - More logging when compact index is not used and we fallback to other APIs [#4546](https://github.com/rubygems/rubygems/pull/4546)
   - `bundle gem` generated MiniTest file and class now start with 'test' [#3893](https://github.com/rubygems/rubygems/pull/3893)
-  - Add `Bundler::Definition.no_lock` accessor for skipping lock file creation/update [#3401](https://github.com/rubygems/rubygems/pull/3401)
+  - Add `Bundler::Definition.no_lock` accessor for skipping lockfile creation/update [#3401](https://github.com/rubygems/rubygems/pull/3401)
 
 ## Bug fixes:
 
@@ -2060,7 +2079,7 @@
   - Fix `bundle outdated --group NAME` when the group is listed second in the Gemfile ([#6116](https://github.com/rubygems/bundler/pull/6116))
   - Improve conflict resolution messages by not calling "ruby" a gem when conflict happens in the `required_ruby_version`, and by filtering out requirements that didn't contribute to the conflict ([#6647](https://github.com/rubygems/bundler/pull/6647))
   - Avoid fetching and rebuilding git gems whenever any gem is changed in the Gemfile ([#6711](https://github.com/rubygems/bundler/pull/6711))
-  - Include the exact bundler version in the lock file in the suggested command when bundler warns about version mismatches of itself [#6971](https://github.com/rubygems/bundler/pull/6971)
+  - Include the exact bundler version in the lockfile in the suggested command when bundler warns about version mismatches of itself [#6971](https://github.com/rubygems/bundler/pull/6971)
   - Fix plugins being installed every time a command is run #[#6978](https://github.com/rubygems/bundler/pull/6978)
   - Fallback to sequentially fetching specs on 429s [#6728](https://github.com/rubygems/bundler/pull/6728)
   - Make `bundle clean` also clean native extensions for gems with a git source [#7058](https://github.com/rubygems/bundler/pull/7058)
@@ -3525,7 +3544,7 @@ Changes
 
 ## Bug fixes:
 
-  - Revert gem source sorting in lock files (@indirect)
+  - Revert gem source sorting in lockfiles (@indirect)
 
 # 1.7.1 (August 20, 2014)
 
@@ -3625,7 +3644,7 @@ Changes
   - redirects across hosts now work on rubies without OpenSSL ([#2686](https://github.com/rubygems/bundler/issues/2686), @grddev)
   - gemspecs now handle filenames with newlines ([#2634](https://github.com/rubygems/bundler/issues/2634), @jasonmp85)
   - support escaped characters in usernames and passwords (@punkie)
-  - no more exception on `update GEM` without lock file (@simi)
+  - no more exception on `update GEM` without lockfile (@simi)
   - allow long config values ([#2823](https://github.com/rubygems/bundler/issues/2823), @kgrz)
   - cache successfully even locked to gems shipped with Ruby ([#2869](https://github.com/rubygems/bundler/issues/2869), @aughr)
   - respect NO_PROXY even if a proxy is configured ([#2878](https://github.com/rubygems/bundler/issues/2878), @stlay)
@@ -3773,7 +3792,7 @@ Changes
 
 ## Bug fixes:
 
-  - make gemspec path option preserve relative paths in lock file (@bwillis)
+  - make gemspec path option preserve relative paths in lockfile (@bwillis)
   - use umask when creating binstubs ([#1618](https://github.com/rubygems/bundler/issues/1618), @v-yarotsky)
   - warn if graphviz is not installed ([#2435](https://github.com/rubygems/bundler/issues/2435), @Agis-)
   - show git errors while loading gemspecs
@@ -4662,7 +4681,7 @@ Changes
   - Skeleton gemspec now works with older versions of git
   - Fix shell quoting and ref fetching in GemHelper
   - Disable colored output in --deployment
-  - Preserve line endings in lock file
+  - Preserve line endings in lockfile
 
 ## Features:
 

data/lib/bundler/build_metadata.rb

@@ -4,8 +4,8 @@ module Bundler
   # Represents metadata from when the Bundler gem was built.
   module BuildMetadata
     # begin ivars
-    @built_at = "2025-03-13".freeze
-    @git_commit_sha = "25cf0763954".freeze
+    @built_at = "1980-01-02".freeze
+    @git_commit_sha = "32896b3570e".freeze
     @release = true
     # end ivars
 

data/lib/bundler/checksum.rb

@@ -190,7 +190,7 @@ module Bundler
       def replace(spec, checksum)
         return unless checksum
 
-        lock_name = spec.name_tuple.lock_name
+        lock_name = spec.lock_name
         @store_mutex.synchronize do
           existing = fetch_checksum(lock_name, checksum.algo)
           if !existing || existing.same_source?(checksum)
@@ -201,10 +201,12 @@ module Bundler
         end
       end
 
-      def register(spec, checksum)
-        return unless checksum
+      def missing?(spec)
+        @store[spec.lock_name].nil?
+      end
 
-        register_checksum(spec.name_tuple.lock_name, checksum)
+      def register(spec, checksum)
+        register_checksum(spec.lock_name, checksum)
       end
 
       def merge!(other)
@@ -216,9 +218,9 @@ module Bundler
       end
 
       def to_lock(spec)
-        lock_name = spec.name_tuple.lock_name
+        lock_name = spec.lock_name
         checksums = @store[lock_name]
-        if checksums
+        if checksums&.any?
           "#{lock_name} #{checksums.values.map(&:to_lock).sort.join(",")}"
         else
           lock_name
@@ -229,11 +231,15 @@ module Bundler
 
       def register_checksum(lock_name, checksum)
         @store_mutex.synchronize do
-          existing = fetch_checksum(lock_name, checksum.algo)
-          if existing
-            merge_checksum(lock_name, checksum, existing)
+          if checksum
+            existing = fetch_checksum(lock_name, checksum.algo)
+            if existing
+              merge_checksum(lock_name, checksum, existing)
+            else
+              store_checksum(lock_name, checksum)
+            end
           else
-            store_checksum(lock_name, checksum)
+            init_checksum(lock_name)
           end
         end
       end
@@ -243,7 +249,11 @@ module Bundler
       end
 
       def store_checksum(lock_name, checksum)
-        (@store[lock_name] ||= {})[checksum.algo] = checksum
+        init_checksum(lock_name)[checksum.algo] = checksum
+      end
+
+      def init_checksum(lock_name)
+        @store[lock_name] ||= {}
       end
 
       def fetch_checksum(lock_name, algo)

data/lib/bundler/compact_index_client/cache.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require_relative "gem_parser"
+require "rubygems/resolver/api_set/gem_parser"
 
 module Bundler
   class CompactIndexClient

data/lib/bundler/compact_index_client/parser.rb

@@ -64,7 +64,7 @@ module Bundler
       end
 
       def gem_parser
-        @gem_parser ||= GemParser.new
+        @gem_parser ||= Gem::Resolver::APISet::GemParser.new
       end
 
       # This is mostly the same as `split(" ", 3)` but it avoids allocating extra objects.

data/lib/bundler/definition.rb

@@ -95,6 +95,7 @@ module Bundler
       @locked_ruby_version = nil
       @new_platforms = []
       @removed_platforms = []
+      @originally_invalid_platforms = []
 
       if lockfile_exists?
         @lockfile_contents = Bundler.read_file(lockfile)
@@ -147,9 +148,8 @@ module Bundler
 
       @current_platform_missing = add_current_platform unless Bundler.frozen_bundle?
 
-      converge_path_sources_to_gemspec_sources
-      @path_changes = converge_paths
       @source_changes = converge_sources
+      @path_changes = converge_paths
 
       if conservative
         @gems_to_unlock = @explicit_unlocks.any? ? @explicit_unlocks : @dependencies.map(&:name)
@@ -539,12 +539,13 @@ module Bundler
 
       reason = resolve_needed? ? change_reason : "some dependencies were deleted from your gemfile"
 
-      msg = String.new
-      msg << "#{reason.capitalize.strip}, but the lockfile can't be updated because #{update_refused_reason}"
+      msg = String.new("#{reason.capitalize.strip}, but ")
+      msg << "the lockfile " unless msg.start_with?("Your lockfile")
+      msg << "can't be updated because #{update_refused_reason}"
       msg << "\n\nYou have added to the Gemfile:\n" << added.join("\n") if added.any?
       msg << "\n\nYou have deleted from the Gemfile:\n" << deleted.join("\n") if deleted.any?
       msg << "\n\nYou have changed in the Gemfile:\n" << changed.join("\n") if changed.any?
-      msg << "\n\nRun `bundle install` elsewhere and add the updated #{SharedHelpers.relative_gemfile_path} to version control.\n" unless unlocking?
+      msg << "\n\nRun `bundle install` elsewhere and add the updated #{SharedHelpers.relative_lockfile_path} to version control.\n" unless unlocking?
       msg
     end
 
@@ -563,6 +564,7 @@ module Bundler
         @local_changes ||
         @missing_lockfile_dep ||
         @unlocking_bundler ||
+        @locked_spec_with_missing_checksums ||
         @locked_spec_with_missing_deps ||
         @locked_spec_with_invalid_deps
     end
@@ -759,7 +761,11 @@ module Bundler
         end
       end
 
-      @platforms = result.add_extra_platforms!(platforms) if should_add_extra_platforms?
+      if should_add_extra_platforms?
+        result.add_extra_platforms!(platforms)
+      elsif @originally_invalid_platforms.any?
+        result.add_originally_invalid_platforms!(platforms, @originally_invalid_platforms)
+      end
 
       SpecSet.new(result.for(dependencies, @platforms | [Gem::Platform::RUBY]))
     end
@@ -809,13 +815,14 @@ module Bundler
       [
         [@source_changes, "the list of sources changed"],
         [@dependency_changes, "the dependencies in your gemfile changed"],
-        [@current_platform_missing, "your lockfile does not include the current platform"],
+        [@current_platform_missing, "your lockfile is missing the current platform"],
         [@new_platforms.any?, "you are adding a new platform to your lockfile"],
         [@path_changes, "the gemspecs for path gems changed"],
         [@local_changes, "the gemspecs for git local gems changed"],
-        [@missing_lockfile_dep, "your lock file is missing \"#{@missing_lockfile_dep}\""],
+        [@missing_lockfile_dep, "your lockfile is missing \"#{@missing_lockfile_dep}\""],
         [@unlocking_bundler, "an update to the version of Bundler itself was requested"],
-        [@locked_spec_with_missing_deps, "your lock file includes \"#{@locked_spec_with_missing_deps}\" but not some of its dependencies"],
+        [@locked_spec_with_missing_checksums, "your lockfile is missing a CHECKSUMS entry for \"#{@locked_spec_with_missing_checksums}\""],
+        [@locked_spec_with_missing_deps, "your lockfile includes \"#{@locked_spec_with_missing_deps}\" but not some of its dependencies"],
         [@locked_spec_with_invalid_deps, "your lockfile does not satisfy dependencies of \"#{@locked_spec_with_invalid_deps}\""],
       ].select(&:first).map(&:last).join(", ")
     end
@@ -832,8 +839,8 @@ module Bundler
       !locked || dependencies_for_source_changed?(source, locked) || specs_for_source_changed?(source)
     end
 
-    def dependencies_for_source_changed?(source, locked_source = source)
-      deps_for_source = @dependencies.select {|s| s.source == source }
+    def dependencies_for_source_changed?(source, locked_source)
+      deps_for_source = @dependencies.select {|dep| dep.source == source }
       locked_deps_for_source = locked_dependencies.select {|dep| dep.source == locked_source }
 
       deps_for_source.uniq.sort != locked_deps_for_source.sort
@@ -841,7 +848,7 @@ module Bundler
 
     def specs_for_source_changed?(source)
       locked_index = Index.new
-      locked_index.use(@locked_specs.select {|s| source.can_lock?(s) })
+      locked_index.use(@locked_specs.select {|s| s.replace_source_with!(source) })
 
       !locked_index.subset?(source.specs)
     rescue PathError, GitError => e
@@ -873,21 +880,27 @@ module Bundler
     def check_lockfile
       @locked_spec_with_invalid_deps = nil
       @locked_spec_with_missing_deps = nil
+      @locked_spec_with_missing_checksums = nil
 
-      missing = []
+      missing_deps = []
+      missing_checksums = []
       invalid = []
 
       @locked_specs.each do |s|
+        missing_checksums << s if @locked_checksums && s.source.checksum_store.missing?(s)
+
         validation = @locked_specs.validate_deps(s)
 
-        missing << s if validation == :missing
+        missing_deps << s if validation == :missing
         invalid << s if validation == :invalid
       end
 
-      if missing.any?
-        @locked_specs.delete(missing)
+      @locked_spec_with_missing_checksums = missing_checksums.first.name if missing_checksums.any?
 
-        @locked_spec_with_missing_deps = missing.first.name
+      if missing_deps.any?
+        @locked_specs.delete(missing_deps)
+
+        @locked_spec_with_missing_deps = missing_deps.first.name
       end
 
       if invalid.any?
@@ -903,24 +916,6 @@ module Bundler
       end
     end
 
-    def converge_path_source_to_gemspec_source(source)
-      return source unless source.instance_of?(Source::Path)
-      gemspec_source = sources.path_sources.find {|s| s.is_a?(Source::Gemspec) && s.as_path_source == source }
-      gemspec_source || source
-    end
-
-    def converge_path_sources_to_gemspec_sources
-      @locked_sources.map! do |source|
-        converge_path_source_to_gemspec_source(source)
-      end
-      @locked_specs.each do |spec|
-        spec.source &&= converge_path_source_to_gemspec_source(spec.source)
-      end
-      @locked_deps.each do |_, dep|
-        dep.source &&= converge_path_source_to_gemspec_source(dep.source)
-      end
-    end
-
     def converge_sources
       # Replace the sources from the Gemfile with the sources from the Gemfile.lock,
       # if they exist in the Gemfile.lock and are `==`. If you can't find an equivalent
@@ -963,11 +958,17 @@ module Bundler
         unless name == "bundler"
           locked_specs = @originally_locked_specs[name]
 
-          if locked_specs.any? && !dep.matches_spec?(locked_specs.first)
-            @gems_to_unlock << name
-            dep_changed = true
-          elsif locked_specs.empty? && dep_changed == false
-            @missing_lockfile_dep = name
+          if locked_specs.empty?
+            @missing_lockfile_dep = name if dep_changed == false
+          else
+            if locked_specs.map(&:source).uniq.size > 1
+              @locked_specs.delete(locked_specs.select {|s| s.source != dep.source })
+            end
+
+            unless dep.matches_spec?(locked_specs.first)
+              @gems_to_unlock << name
+              dep_changed = true
+            end
           end
         end
 
@@ -1141,16 +1142,21 @@ module Bundler
     def remove_invalid_platforms!
       return if Bundler.frozen_bundle?
 
-      platforms.reverse_each do |platform|
+      @originally_invalid_platforms = platforms.select do |platform|
         next if local_platform == platform ||
-                @new_platforms.include?(platform) ||
-                @path_changes ||
-                @dependency_changes ||
-                @locked_spec_with_invalid_deps ||
-                !spec_set_incomplete_for_platform?(@originally_locked_specs, platform)
+                @new_platforms.include?(platform)
 
-        remove_platform(platform)
+        # We should probably avoid removing non-ruby platforms, since that means
+        # lockfile will no longer install on those platforms, so a error to give
+        # heads up to the user may be better. However, we have tests expecting
+        # non ruby platform autoremoval to work, so leaving that in place for
+        # now.
+        next if @dependency_changes && platform != Gem::Platform::RUBY
+
+        spec_set_incomplete_for_platform?(@originally_locked_specs, platform)
       end
+
+      @platforms -= @originally_invalid_platforms
     end
 
     def spec_set_incomplete_for_platform?(spec_set, platform)

data/lib/bundler/dsl.rb

@@ -77,7 +77,7 @@ module Bundler
 
         @gemspecs << spec
 
-        path path, "glob" => glob, "name" => spec.name do
+        path path, "glob" => glob, "name" => spec.name, "gemspec" => spec do
           add_dependency spec.name
         end
 
@@ -141,8 +141,7 @@ module Bundler
     def path(path, options = {}, &blk)
       source_options = normalize_hash(options).merge(
         "path" => Pathname.new(path),
-        "root_path" => gemfile_root,
-        "gemspec" => gemspecs.find {|g| g.name == options["name"] }
+        "root_path" => gemfile_root
       )
 
       source_options["global"] = true unless block_given?

data/lib/bundler/lazy_specification.rb

@@ -175,6 +175,14 @@ module Bundler
       @force_ruby_platform = true
     end
 
+    def replace_source_with!(gemfile_source)
+      return unless gemfile_source.can_lock?(self)
+
+      @source = gemfile_source
+
+      true
+    end
+
     private
 
     def use_exact_resolved_specifications?
@@ -196,7 +204,7 @@ module Bundler
 
     # If in frozen mode, we fallback to a non-installable candidate because by
     # doing this we avoid re-resolving and potentially end up changing the
-    # lock file, which is not allowed. In that case, we will give a proper error
+    # lockfile, which is not allowed. In that case, we will give a proper error
     # about the mismatch higher up the stack, right before trying to install the
     # bad gem.
     def choose_compatible(candidates, fallback_to_non_installable: Bundler.frozen_bundle?)

data/lib/bundler/lockfile_parser.rb

@@ -239,7 +239,6 @@ module Bundler
       spaces = $1
       return unless spaces.size == 2
       checksums = $6
-      return unless checksums
       name = $2
       version = $3
       platform = $4
@@ -249,10 +248,14 @@ module Bundler
       full_name = Gem::NameTuple.new(name, version, platform).full_name
       return unless spec = @specs[full_name]
 
-      checksums.split(",") do |lock_checksum|
-        column = line.index(lock_checksum) + 1
-        checksum = Checksum.from_lock(lock_checksum, "#{@lockfile_path}:#{@pos.line}:#{column}")
-        spec.source.checksum_store.register(spec, checksum)
+      if checksums
+        checksums.split(",") do |lock_checksum|
+          column = line.index(lock_checksum) + 1
+          checksum = Checksum.from_lock(lock_checksum, "#{@lockfile_path}:#{@pos.line}:#{column}")
+          spec.source.checksum_store.register(spec, checksum)
+        end
+      else
+        spec.source.checksum_store.register(spec, nil)
       end
     end
 

data/lib/bundler/plugin/api/source.rb

@@ -67,7 +67,7 @@ module Bundler
         # to check out same version of gem later.
         #
         # There options are passed when the source plugin is created from the
-        # lock file.
+        # lockfile.
         #
         # @return [Hash]
         def options_to_lock

data/lib/bundler/plugin/installer/path.rb

@@ -8,6 +8,14 @@ module Bundler
           SharedHelpers.in_bundle? ? Bundler.root : Plugin.root
         end
 
+        def eql?(other)
+          return unless other.class == self.class
+          expanded_original_path == other.expanded_original_path &&
+            version == other.version
+        end
+
+        alias_method :==, :eql?
+
         def generate_bin(spec, disable_extensions = false)
           # Need to find a way without code duplication
           # For now, we can ignore this

data/lib/bundler/plugin.rb

@@ -195,7 +195,7 @@ module Bundler
       @sources[name]
     end
 
-    # @param [Hash] The options that are present in the lock file
+    # @param [Hash] The options that are present in the lockfile
     # @return [API::Source] the instance of the class that handles the source
     #                       type passed in locked_opts
     def from_lock(locked_opts)

data/lib/bundler/resolver/candidate.rb

@@ -17,7 +17,7 @@ module Bundler
     # Some candidates may also keep some information explicitly about the
     # package they refer to. These candidates are referred to as "canonical" and
     # are used when materializing resolution results back into RubyGems
-    # specifications that can be installed, written to lock files, and so on.
+    # specifications that can be installed, written to lockfiles, and so on.
     #
     class Candidate
       include Comparable

data/lib/bundler/resolver/strategy.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Bundler
+  class Resolver
+    class Strategy
+      def initialize(source)
+        @source = source
+      end
+
+      def next_package_and_version(unsatisfied)
+        package, range = next_term_to_try_from(unsatisfied)
+
+        [package, most_preferred_version_of(package, range).first]
+      end
+
+      private
+
+      def next_term_to_try_from(unsatisfied)
+        unsatisfied.min_by do |package, range|
+          matching_versions = @source.versions_for(package, range)
+          higher_versions = @source.versions_for(package, range.upper_invert)
+
+          [matching_versions.count <= 1 ? 0 : 1, higher_versions.count]
+        end
+      end
+
+      def most_preferred_version_of(package, range)
+        versions = @source.versions_for(package, range)
+
+        # Conditional avoids (among other things) calling
+        # sort_versions_by_preferred with the root package
+        if versions.size > 1
+          @source.sort_versions_by_preferred(package, versions)
+        else
+          versions
+        end
+      end
+    end
+  end
+end

data/lib/bundler/resolver.rb

@@ -12,6 +12,7 @@ module Bundler
     require_relative "resolver/candidate"
     require_relative "resolver/incompatibility"
     require_relative "resolver/root"
+    require_relative "resolver/strategy"
 
     include GemHelpers
 
@@ -78,7 +79,7 @@ module Bundler
     end
 
     def solve_versions(root:, logger:)
-      solver = PubGrub::VersionSolver.new(source: self, root: root, logger: logger)
+      solver = PubGrub::VersionSolver.new(source: self, root: root, strategy: Strategy.new(self), logger: logger)
       result = solver.solve
       resolved_specs = result.flat_map {|package, version| version.to_specs(package, @most_specific_locked_platform) }
       SpecSet.new(resolved_specs).specs_with_additional_variants_from(@base.locked_specs)
@@ -167,15 +168,7 @@ module Bundler
     end
 
     def versions_for(package, range=VersionRange.any)
-      versions = select_sorted_versions(package, range)
-
-      # Conditional avoids (among other things) calling
-      # sort_versions_by_preferred with the root package
-      if versions.size > 1
-        sort_versions_by_preferred(package, versions)
-      else
-        versions
-      end
+      range.select_versions(@sorted_versions[package])
     end
 
     def no_versions_incompatibility_for(package, unsatisfied_term)
@@ -284,8 +277,8 @@ module Bundler
         ruby_group = Resolver::SpecGroup.new(ruby_specs)
 
         unless ruby_group.empty?
-          platform_specs.each do |specs|
-            ruby_group.merge(Resolver::SpecGroup.new(specs))
+          platform_specs.each do |s|
+            ruby_group.merge(Resolver::SpecGroup.new(s))
           end
 
           groups << Resolver::Candidate.new(version, group: ruby_group, priority: -1)
@@ -355,6 +348,10 @@ module Bundler
       raise GemNotFound, message
     end
 
+    def sort_versions_by_preferred(package, versions)
+      @gem_version_promoter.sort_versions(package, versions)
+    end
+
     private
 
     def filtered_versions_for(package)
@@ -414,10 +411,6 @@ module Bundler
       requirement.satisfied_by?(spec.version) || spec.source.is_a?(Source::Gemspec)
     end
 
-    def sort_versions_by_preferred(package, versions)
-      @gem_version_promoter.sort_versions(package, versions)
-    end
-
     def repository_for(package)
       source_for(package.name)
     end
@@ -433,7 +426,7 @@ module Bundler
         next [dep_package, dep_constraint] if name == "bundler"
 
         dep_range = dep_constraint.range
-        versions = select_sorted_versions(dep_package, dep_range)
+        versions = versions_for(dep_package, dep_range)
         if versions.empty?
           if dep_package.ignores_prereleases? || dep_package.prefer_local?
             @all_versions.delete(dep_package)
@@ -441,7 +434,7 @@ module Bundler
           end
           dep_package.consider_prereleases! if dep_package.ignores_prereleases?
           dep_package.consider_remote_versions! if dep_package.prefer_local?
-          versions = select_sorted_versions(dep_package, dep_range)
+          versions = versions_for(dep_package, dep_range)
         end
 
         if versions.empty? && select_all_versions(dep_package, dep_range).any?
@@ -456,10 +449,6 @@ module Bundler
       end.to_h
     end
 
-    def select_sorted_versions(package, range)
-      range.select_versions(@sorted_versions[package])
-    end
-
     def select_all_versions(package, range)
       range.select_versions(@all_versions[package])
     end