RubyGems - dependabot-bundler - Versions diffs - 0.375.0 → 0.376.0 - Mend

dependabot-bundler 0.375.0 → 0.376.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/helpers/v2/build +18 -3
data/helpers/v2/lib/bundler_version_constraint.rb +25 -0
data/helpers/v2/lib/functions/dependency_source.rb +4 -3
data/helpers/v2/lib/functions.rb +8 -5
data/helpers/v2/run.rb +8 -1
data/helpers/v2/spec/bundler_version_constraint_spec.rb +65 -0
data/helpers/v2/spec/native_spec_helper.rb +7 -0
data/lib/dependabot/bundler/package_manager.rb +8 -2
metadata +6 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e93ad1b7b9508dac2455f5702b7e25be3d7b9b31ee174e16a179b8a1ab5e7e40
-  data.tar.gz: 8fe5e19a9305bcabf19a90caf59e00c3373cab545922f51420d812535b1fcf23
+  metadata.gz: 1de871ae226d50afe2ee9c43c5d194c97647f59627ace7d9e6385b89f4d3815c
+  data.tar.gz: 5ba64cdc7f057d8f030d207ccd0f0d4b0d942ca46941b152a79163b4018add01
 SHA512:
-  metadata.gz: 9ad35ac701e3be680672ed62414836daac3116b05c5b32181169c1a35bde247d6428845ffbcaa218fdd88663b411b57ed7873c3884e8e02048dba60f36727f53
-  data.tar.gz: d47a12316edb81d78c36d84ff103a77597a8149993665d76d1a723c6cacb3e1bd35935c931930cad91eb310872f1a082ca948bbdfcf26f5dcf2b63060494f208
+  metadata.gz: 2f6e3f4606609ce3fdf72ce4c1636d8e24eea56947353624ad276b0e20c50180f2e0f530e34eb29aec1a8e8623007ff9072fb67ab0382f45f55fe31156729490
+  data.tar.gz: f124fcf4c386db1087d85117913cd634140ba3ab1204114c082c60b4e718420c31e5d5e57d223d753fe6c1167172c4b85b93e0cefe3e5d1e584574f04c036995

data/helpers/v2/build CHANGED Viewed

@@ -19,12 +19,27 @@ fi
 cd "$install_dir"
-default_version=$(ruby -rbundler -e'print Bundler::VERSION')
+# Default to Bundler 4, with an override for controlled testing/rollouts.
+bundler_constraint="${DEPENDABOT_BUNDLER_VERSION_CONSTRAINT:-${BUNDLER_VERSION_CONSTRAINT:-~> 4.0}}"
 export GEM_HOME=$install_dir/.bundle
-gem install bundler -v "$default_version" --no-document
+gem install bundler -v "$bundler_constraint" --no-document
+# Resolve the Bundler version that was actually installed in GEM_HOME to ensure
+# consistency with what was requested and to avoid picking up system gems.
+default_version=$(ruby -e '
+  gemspecs = Dir.glob("#{ENV["GEM_HOME"]}/specifications/bundler-*.gemspec")
+  latest = gemspecs.max_by { |f| Gem::Version.new(File.basename(f).match(/bundler-(.*)\.gemspec/)[1]) }
+  abort("No bundler gemspec found in #{ENV["GEM_HOME"]}/specifications") unless latest
+  print File.basename(latest).match(/bundler-(.*)\.gemspec/)[1]
+')
+if [ -z "$default_version" ]; then
+  echo "error: failed to resolve installed Bundler version in $GEM_HOME" >&2
+  exit 1
+fi
 if [ -z "$DEPENDABOT_NATIVE_HELPERS_PATH" ]; then
-  bundle install
+  bundle _"$default_version"_ install
 fi

data/helpers/v2/lib/bundler_version_constraint.rb ADDED Viewed

@@ -0,0 +1,25 @@
+# typed: true
+# frozen_string_literal: true
+# Resolves the Bundler version constraint that the native helper should use
+# at activation time. Honors DEPENDABOT_BUNDLER_VERSION_CONSTRAINT, falling
+# back to BUNDLER_VERSION_CONSTRAINT, and finally to the supplied default.
+#
+# Used by both `run.rb` (for activation via `gem`) and the helper specs so
+# the rollback/staged-rollout behavior is exercised by real code.
+module BundlerVersionConstraint
+  DEFAULT_ACTIVATION_CONSTRAINT = ">= 2.4, < 5"
+  def self.resolve(env: ENV, default: DEFAULT_ACTIVATION_CONSTRAINT)
+    env.fetch(
+      "DEPENDABOT_BUNDLER_VERSION_CONSTRAINT",
+      env.fetch("BUNDLER_VERSION_CONSTRAINT", default)
+    )
+  end
+  # Splits a comma-separated requirement string into the individual clauses
+  # accepted by Kernel#gem (e.g. ">= 2.4, < 5" -> [">= 2.4", "< 5"]).
+  def self.activation_clauses(constraint)
+    constraint.split(",").map(&:strip)
+  end
+end

data/helpers/v2/lib/functions/dependency_source.rb CHANGED Viewed

@@ -41,9 +41,10 @@ module Functions
       bundler_source
         .fetchers.flat_map do |fetcher|
-          fetcher
-            .specs([dependency_name], bundler_source)
-            .search_all(dependency_name).map(&:version)
+          index = fetcher.specs([dependency_name], bundler_source)
+          # Bundler 4 removed Index#search_all; use #search which returns all matches
+          specs = index.respond_to?(:search_all) ? index.search_all(dependency_name) : index.search(dependency_name)
+          specs.map(&:version)
         end
     end

data/helpers/v2/lib/functions.rb CHANGED Viewed

@@ -91,11 +91,14 @@ module Functions
     # Set flags and credentials
     set_bundler_flags_and_credentials(dir: args.fetch(:dir), credentials: args.fetch(:credentials))
-    Bundler::Definition.build(args.fetch(:gemfile_name), nil, {})
-                       .send(:sources)
-                       .rubygems_remotes
-                       .find { |uri| uri.host.include?("jfrog") }
-                       &.host
+    sources = Bundler::Definition.build(args.fetch(:gemfile_name), nil, {}).send(:sources)
+    # Bundler 4 removed SourceList#rubygems_remotes; use rubygems_sources + flat_map(&:remotes)
+    remotes = if sources.respond_to?(:rubygems_remotes)
+                sources.rubygems_remotes
+              else
+                sources.rubygems_sources.flat_map(&:remotes)
+              end
+    remotes.find { |uri| uri.host&.include?("jfrog") }&.host
   end
   def self.git_specs(**args)

data/helpers/v2/run.rb CHANGED Viewed

@@ -1,7 +1,14 @@
 # typed: true
 # frozen_string_literal: true
-gem "bundler", "~> 2.4"
+require_relative "lib/bundler_version_constraint"
+# Allow Bundler 4 by default with an upper bound to prevent unintended future
+# major versions. Honor DEPENDABOT_BUNDLER_VERSION_CONSTRAINT (or its
+# BUNDLER_VERSION_CONSTRAINT fallback) so staged rollouts and emergency
+# rollbacks performed by the build script are respected at activation time.
+bundler_constraint = BundlerVersionConstraint.resolve
+gem "bundler", *BundlerVersionConstraint.activation_clauses(bundler_constraint)
 require "bundler"
 require "json"

data/helpers/v2/spec/bundler_version_constraint_spec.rb ADDED Viewed

@@ -0,0 +1,65 @@
+# typed: false
+# frozen_string_literal: true
+require "native_spec_helper"
+require_relative "../lib/bundler_version_constraint"
+RSpec.describe BundlerVersionConstraint do
+  describe "helper runtime activation" do
+    it "is running a supported Bundler major version" do
+      # Bundler 3 was intentionally skipped upstream (Bundler jumped from 2.7
+      # straight to 4.0 to align with RubyGems) so the supported window is
+      # 2.x or 4.x.
+      bundler_major = Bundler::VERSION.split(".").first.to_i
+      expect(bundler_major).to be_between(2, 4)
+    end
+  end
+  describe ".resolve" do
+    it "returns the DEPENDABOT_BUNDLER_VERSION_CONSTRAINT override when set" do
+      env = { "DEPENDABOT_BUNDLER_VERSION_CONSTRAINT" => "~> 2.7" }
+      expect(described_class.resolve(env: env)).to eq("~> 2.7")
+    end
+    it "prefers DEPENDABOT_BUNDLER_VERSION_CONSTRAINT over BUNDLER_VERSION_CONSTRAINT" do
+      env = {
+        "DEPENDABOT_BUNDLER_VERSION_CONSTRAINT" => "~> 2.7",
+        "BUNDLER_VERSION_CONSTRAINT" => "~> 4.0"
+      }
+      expect(described_class.resolve(env: env)).to eq("~> 2.7")
+    end
+    it "falls back to BUNDLER_VERSION_CONSTRAINT when only that is set" do
+      env = { "BUNDLER_VERSION_CONSTRAINT" => "~> 4.0" }
+      expect(described_class.resolve(env: env)).to eq("~> 4.0")
+    end
+    it "uses the default activation constraint when no env var is set" do
+      expect(described_class.resolve(env: {})).to eq(">= 2.4, < 5")
+    end
+    it "honours an explicit default override" do
+      expect(described_class.resolve(env: {}, default: "~> 4.0")).to eq("~> 4.0")
+    end
+  end
+  describe ".activation_clauses" do
+    it "splits comma-separated requirement strings into trimmed clauses" do
+      expect(described_class.activation_clauses(">= 2.4, < 5")).to eq([">= 2.4", "< 5"])
+    end
+    it "returns a single clause for a single requirement" do
+      expect(described_class.activation_clauses("~> 4.0")).to eq(["~> 4.0"])
+    end
+  end
+  describe "build script GEM_HOME isolation" do
+    it "resolves Bundler version from GEM_HOME only" do
+      gem_home = ENV.fetch("GEM_HOME", nil)
+      skip "GEM_HOME not set in test environment" unless gem_home
+      bundler_specs = Dir.glob("#{gem_home}/specifications/bundler-*.gemspec")
+      expect(bundler_specs.length).to be_positive
+    end
+  end
+end

data/helpers/v2/spec/native_spec_helper.rb CHANGED Viewed

@@ -6,6 +6,13 @@ require "webmock/rspec"
 require "webmock/http_lib_adapters/excon_adapter"
 require "debug"
+# Bundler 4's stricter $LOAD_PATH handling breaks RSpec's lazy autoload of
+# built-in matchers (e.g. `satisfy`, `raise_error`, `contain_exactly`, `has`).
+# Eagerly load all of them so tests don't hit LoadError mid-run.
+Gem.loaded_specs["rspec-expectations"]&.then do |spec|
+  Dir[File.join(spec.full_gem_path, "lib/rspec/matchers/built_in/*.rb")].each { |f| require f }
+end
 $LOAD_PATH.unshift(File.expand_path("../lib", __dir__))
 $LOAD_PATH.unshift(File.expand_path("../monkey_patches", __dir__))
 $LOAD_PATH.unshift(File.expand_path("../../spec_helpers", __dir__))

data/lib/dependabot/bundler/package_manager.rb CHANGED Viewed

@@ -11,8 +11,14 @@ module Dependabot
     ECOSYSTEM = "bundler"
     PACKAGE_MANAGER = "bundler"
-    # Keep versions in ascending order
-    SUPPORTED_BUNDLER_VERSIONS = T.let([Version.new("2")].freeze, T::Array[Dependabot::Version])
+    # Keep versions in ascending order.
+    # Note: Bundler 3 was intentionally skipped upstream — Bundler jumped from
+    # 2.7 directly to 4.0 to align its major version with RubyGems, so there
+    # is no Bundler 3.x release to support.
+    SUPPORTED_BUNDLER_VERSIONS = T.let(
+      [Version.new("2"), Version.new("4")].freeze,
+      T::Array[Dependabot::Version]
+    )
     # Currently, we don't support any deprecated versions of Bundler
     # When a version is going to be unsupported, it will be added here for a while to give users time to upgrade

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-bundler
 version: !ruby/object:Gem::Version
-  version: 0.375.0
+  version: 0.376.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.375.0
+        version: 0.376.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.375.0
+        version: 0.376.0
 - !ruby/object:Gem::Dependency
   name: parallel
   requirement: !ruby/object:Gem::Requirement
@@ -259,6 +259,7 @@ files:
 - helpers/v2/.gitignore
 - helpers/v2/Gemfile
 - helpers/v2/build
+- helpers/v2/lib/bundler_version_constraint.rb
 - helpers/v2/lib/functions.rb
 - helpers/v2/lib/functions/conflicting_dependency_resolver.rb
 - helpers/v2/lib/functions/dependency_source.rb
@@ -270,6 +271,7 @@ files:
 - helpers/v2/monkey_patches/definition_ruby_version_patch.rb
 - helpers/v2/monkey_patches/git_source_patch.rb
 - helpers/v2/run.rb
+- helpers/v2/spec/bundler_version_constraint_spec.rb
 - helpers/v2/spec/functions/conflicting_dependency_resolver_spec.rb
 - helpers/v2/spec/functions/dependency_source_spec.rb
 - helpers/v2/spec/functions/file_parser_spec.rb
@@ -322,7 +324,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.375.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.376.0
 rdoc_options: []
 require_paths:
 - lib