RubyGems - bundler - Versions diffs - 4.0.13 → 4.0.14 - Mend

bundler 4.0.13 → 4.0.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +7 -0
data/lib/bundler/build_metadata.rb +1 -1
data/lib/bundler/resolver.rb +16 -0
data/lib/bundler/source/rubygems.rb +1 -1
data/lib/bundler/source_list.rb +4 -0
data/lib/bundler/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6aecb16228f32866a007c26b7a70fd787bcf81d42ee002004ba3ec2dd2625694
-  data.tar.gz: 5bce03c60cbf8034dfc540848298fbe3d8958314dc8513b61c0e8238f180f096
+  metadata.gz: 2c7cfeed01a046a9b186ddcdb1039e59c4605673529e12fb08b3fb32f424650f
+  data.tar.gz: 375e9b2540c5493fb90cb4e2004372c4fdbac9ed67d09a680bc23fdb71e04c58
 SHA512:
-  metadata.gz: 4500a906181c0c43b1384fd9dda403dcc00ec11466911c156b01b309f2886336e756057af742396786ad2a0111e1a650729ad7bc03d09d04b0984a3770d4ebf4
-  data.tar.gz: 11e96f5ebdeca17df80db3506f010fd190b35c12cc8fd82532f6eeea9b51aa7b113a353c1cf88df215846c0226696a672813a79bf06202a3e5ffd7b543b0805a
+  metadata.gz: 55a5604bfb508d0c3b509702ce84a42bd4811f3f42222176133942fed42ff0f224ed64fcf68873e163cfe63d8cc183f11b67f4ec915814d3e121bb70f575296d
+  data.tar.gz: 4178ca638dd4f4ede2977526c4edba39cb6ae21f9d7d0ba6cab55d47235556d9ea41bfc4353b2349a1085746af76825c84e5597deba5130d874150f8ae1f91ef

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,12 @@
 # Changelog
+## 4.0.14 / 2026-06-10
+### Bug fixes:
+* Preserve per-source cooldown when converging sources from the lockfile. Pull request [#9601](https://github.com/ruby/rubygems/pull/9601) by bryanwoods
+* Don't exclude the locked version from cooldown during bundle update. Pull request [#9599](https://github.com/ruby/rubygems/pull/9599) by hsbt
 ## 4.0.13 / 2026-06-03
 ### Enhancements:

data/lib/bundler/build_metadata.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module Bundler
   module BuildMetadata
     # begin ivars
     @built_at = nil
-    @git_commit_sha = "003f20f0dc".freeze
+    @git_commit_sha = "265babb801".freeze
     # end ivars
     # A hash representation of the build metadata.

data/lib/bundler/resolver.rb CHANGED Viewed

@@ -437,11 +437,27 @@ module Bundler
     def cooldown_excluded?(spec)
       return false unless spec.respond_to?(:created_at) && spec.created_at
       return false unless spec.respond_to?(:remote) && spec.remote
+      return false if pinned_by_lockfile_floor?(spec)
       days = spec.remote.effective_cooldown
       return false if days.nil? || days <= 0
       (cooldown_now - spec.created_at) < (days * 86_400)
     end
+    # A spec sitting exactly at a `>= locked_version` prevent-downgrade floor is
+    # the version the lockfile currently pins. `bundle update` and `bundle
+    # outdated` install that floor so resolution never moves a gem backwards.
+    # Filtering it out for cooldown would then make resolution impossible
+    # whenever the locked version is itself inside the cooldown window, which is
+    # exactly what happens to a lockfile written before cooldown was enabled.
+    # Keep it eligible; gems being explicitly updated carry an exact `=`
+    # requirement instead and stay subject to the cooldown filter.
+    def pinned_by_lockfile_floor?(spec)
+      return false unless defined?(@base) && @base
+      requirement = base_requirements[spec.name]
+      return false unless requirement && !requirement.exact?
+      requirement.requirements.any? {|op, version| op == ">=" && version == spec.version }
+    end
     def cooldown_now
       @cooldown_now ||= Time.now
     end

data/lib/bundler/source/rubygems.rb CHANGED Viewed

@@ -11,7 +11,7 @@ module Bundler
       API_REQUEST_SIZE = 100
       REQUIRE_MUTEX = Mutex.new
-      attr_accessor :remotes
+      attr_accessor :remotes, :remote_cooldowns
       def initialize(options = {})
         @options = options

data/lib/bundler/source_list.rb CHANGED Viewed

@@ -169,6 +169,10 @@ module Bundler
         # locked sources never include credentials so always prefer remotes from the gemfile
         replacement_source.remotes = gemfile_source.remotes
+        # cooldowns are only ever declared in the Gemfile, so carry them over
+        # along with the remotes they apply to
+        replacement_source.remote_cooldowns = gemfile_source.remote_cooldowns
         yield replacement_source if block_given?
         replacement_source

data/lib/bundler/version.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 # frozen_string_literal: false
 module Bundler
-  VERSION = "4.0.13".freeze
+  VERSION = "4.0.14".freeze
   def self.bundler_major_version
     @bundler_major_version ||= gem_version.segments.first

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bundler
 version: !ruby/object:Gem::Version
-  version: 4.0.13
+  version: 4.0.14
 platform: ruby
 authors:
 - André Arko
@@ -402,7 +402,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.4.1
 requirements: []
-rubygems_version: 4.0.10
+rubygems_version: 4.0.13
 specification_version: 4
 summary: The best way to manage your application's dependencies
 test_files: []