rubygems-update 2.6.14 → 2.7.0

data/bundler/lib/bundler/cli/package.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module Bundler
   class CLI::Package
     attr_reader :options
@@ -9,15 +10,15 @@ module Bundler
 
     def run
       Bundler.ui.level = "error" if options[:quiet]
-      Bundler.settings[:path] = File.expand_path(options[:path]) if options[:path]
-      Bundler.settings[:cache_all_platforms] = options["all-platforms"] if options.key?("all-platforms")
-      Bundler.settings[:cache_path] = options["cache-path"] if options.key?("cache-path")
+      Bundler.settings.set_command_option_if_given :path, options[:path]
+      Bundler.settings.set_command_option_if_given :cache_all_platforms, options["all-platforms"]
+      Bundler.settings.set_command_option_if_given :cache_path, options["cache-path"]
 
       setup_cache_all
       install
 
       # TODO: move cache contents here now that all bundles are locked
-      custom_path = Pathname.new(options[:path]) if options[:path]
+      custom_path = Bundler.settings[:path] if options[:path]
       Bundler.load.cache(custom_path)
     end
 
@@ -34,9 +35,11 @@ module Bundler
     end
 
     def setup_cache_all
-      Bundler.settings[:cache_all] = options[:all] if options.key?("all")
+      all = options.fetch(:all, Bundler.feature_flag.cache_command_is_package? || nil)
+
+      Bundler.settings.set_command_option_if_given :cache_all, all
 
-      if Bundler.definition.has_local_dependencies? && !Bundler.settings[:cache_all]
+      if Bundler.definition.has_local_dependencies? && !Bundler.feature_flag.cache_all?
         Bundler.ui.warn "Your Gemfile contains path and git dependencies. If you want "    \
           "to package them as well, please pass the --all flag. This will be the default " \
           "on Bundler 2.0."

data/bundler/lib/bundler/cli/platform.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module Bundler
   class CLI::Platform
     attr_reader :options

data/bundler/lib/bundler/cli/plugin.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require "bundler/vendored_thor"
 module Bundler
   class CLI::Plugin < Thor

data/bundler/lib/bundler/cli/pristine.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Bundler
+  class CLI::Pristine
+    def initialize(gems)
+      @gems = gems
+    end
+
+    def run
+      CLI::Common.ensure_all_gems_in_lockfile!(@gems)
+      definition = Bundler.definition
+      definition.validate_runtime!
+      installer = Bundler::Installer.new(Bundler.root, definition)
+
+      Bundler.load.specs.each do |spec|
+        next if spec.name == "bundler" # Source::Rubygems doesn't install bundler
+        next if !@gems.empty? && !@gems.include?(spec.name)
+
+        gem_name = "#{spec.name} (#{spec.version}#{spec.git_version})"
+        gem_name += " (#{spec.platform})" if !spec.platform.nil? && spec.platform != Gem::Platform::RUBY
+
+        case source = spec.source
+        when Source::Rubygems
+          cached_gem = spec.cache_file
+          unless File.exist?(cached_gem)
+            Bundler.ui.error("Failed to pristine #{gem_name}. Cached gem #{cached_gem} does not exist.")
+            next
+          end
+
+          FileUtils.rm_rf spec.full_gem_path
+        when Source::Git
+          source.remote!
+          FileUtils.rm_rf spec.full_gem_path
+        else
+          Bundler.ui.warn("Cannot pristine #{gem_name}. Gem is sourced from local path.")
+          next
+        end
+
+        Bundler::GemInstaller.new(spec, installer, false, 0, true).install_from_spec
+      end
+    end
+  end
+end

data/bundler/lib/bundler/cli/show.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-require "bundler/cli/common"
 
 module Bundler
   class CLI::Show
@@ -64,6 +63,7 @@ module Bundler
       else
         definition.resolve_with_cache!
       end
+      Bundler.reset!
       definition.specs
     end
 

data/bundler/lib/bundler/cli/update.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-require "bundler/cli/common"
 
 module Bundler
   class CLI::Update
@@ -17,7 +16,18 @@ module Bundler
       sources = Array(options[:source])
       groups  = Array(options[:group]).map(&:to_sym)
 
-      if gems.empty? && sources.empty? && groups.empty? && !options[:ruby] && !options[:bundler]
+      full_update = gems.empty? && sources.empty? && groups.empty? && !options[:ruby] && !options[:bundler]
+
+      if full_update && !options[:all]
+        if Bundler.feature_flag.update_requires_all_flag?
+          raise InvalidOption, "To update everything, pass the `--all` flag."
+        end
+        SharedHelpers.major_deprecation 2, "Pass --all to `bundle update` to update everything"
+      elsif !full_update && options[:all]
+        raise InvalidOption, "Cannot specify --all along with specific options."
+      end
+
+      if full_update
         # We're doing a full update
         Bundler.definition(true)
       else
@@ -25,12 +35,7 @@ module Bundler
           raise GemfileLockNotFound, "This Bundle hasn't been installed yet. " \
             "Run `bundle install` to update and install the bundled gems."
         end
-        # cycle through the requested gems, to make sure they exist
-        names = Bundler.locked_gems.specs.map(&:name)
-        gems.each do |g|
-          next if names.include?(g)
-          raise GemNotFound, Bundler::CLI::Common.gem_not_found_message(g, names)
-        end
+        Bundler::CLI::Common.ensure_all_gems_in_lockfile!(gems)
 
         if groups.any?
           specs = Bundler.definition.specs_for groups
@@ -38,7 +43,8 @@ module Bundler
         end
 
         Bundler.definition(:gems => gems, :sources => sources, :ruby => options[:ruby],
-                           :lock_shared_dependencies => options[:conservative])
+                           :lock_shared_dependencies => options[:conservative],
+                           :bundler => options[:bundler])
       end
 
       Bundler::CLI::Common.configure_gem_version_promoter(Bundler.definition, options)
@@ -49,17 +55,32 @@ module Bundler
       opts["update"] = true
       opts["local"] = options[:local]
 
-      Bundler.settings[:jobs] = opts["jobs"] if opts["jobs"]
+      Bundler.settings.set_command_option_if_given :jobs, opts["jobs"]
 
       Bundler.definition.validate_runtime!
       installer = Installer.install Bundler.root, Bundler.definition, opts
       Bundler.load.cache if Bundler.app_cache.exist?
 
-      if Bundler.settings[:clean] && Bundler.settings[:path]
+      if CLI::Common.clean_after_install?
         require "bundler/cli/clean"
         Bundler::CLI::Clean.new(options).run
       end
 
+      if locked_gems = Bundler.definition.locked_gems
+        gems.each do |name|
+          locked_version = locked_gems.specs.find {|s| s.name == name }.version
+          new_version = Bundler.definition.specs[name].first
+          new_version &&= new_version.version
+          if !new_version
+            Bundler.ui.warn "Bundler attempted to update #{name} but it was removed from the bundle"
+          elsif new_version < locked_version
+            Bundler.ui.warn "Bundler attempted to update #{name} but its version regressed from #{locked_version} to #{new_version}"
+          elsif new_version == locked_version
+            Bundler.ui.warn "Bundler attempted to update #{name} but its version stayed the same"
+          end
+        end
+      end
+
       Bundler.ui.confirm "Bundle updated!"
       Bundler::CLI::Common.output_without_groups_message
       Bundler::CLI::Common.output_post_install_messages installer.post_install_messages

data/bundler/lib/bundler/cli/viz.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module Bundler
   class CLI::Viz
     attr_reader :options, :gem_name
@@ -7,6 +8,9 @@ module Bundler
     end
 
     def run
+      # make sure we get the right `graphviz`. There is also a `graphviz`
+      # gem we're not built to support
+      gem "ruby-graphviz"
       require "graphviz"
 
       options[:without] = options[:without].join(":").tr(" ", ":").split(":")
@@ -21,7 +25,7 @@ module Bundler
     rescue StandardError => e
       raise unless e.message =~ /GraphViz not installed or dot not in PATH/
       Bundler.ui.error e.message
-      Bundler.ui.warn "Please install GraphViz. On a Mac with homebrew, you can run `brew install graphviz`."
+      Bundler.ui.warn "Please install GraphViz. On a Mac with Homebrew, you can run `brew install graphviz`."
     end
   end
 end

data/bundler/lib/bundler/compact_index_client.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require "pathname"
 require "set"
 

data/bundler/lib/bundler/compact_index_client/cache.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-require "digest/md5"
 
 module Bundler
   class CompactIndexClient
@@ -68,7 +67,7 @@ module Bundler
       def info_path(name)
         name = name.to_s
         if name =~ /[^a-z0-9_-]/
-          name += "-#{Digest::MD5.hexdigest(name).downcase}"
+          name += "-#{SharedHelpers.digest(:MD5).hexdigest(name).downcase}"
           info_roots.last.join(name)
         else
           info_roots.first.join(name)

data/bundler/lib/bundler/compact_index_client/updater.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
-require "fileutils"
+
+require "bundler/vendored_fileutils"
 require "stringio"
-require "tmpdir"
 require "zlib"
 
 module Bundler
@@ -22,6 +22,7 @@ module Bundler
 
       def initialize(fetcher)
         @fetcher = fetcher
+        require "tmpdir"
       end
 
       def update(local_path, remote_path, retrying = nil)
@@ -34,7 +35,14 @@ module Bundler
           if retrying.nil? && local_path.file?
             FileUtils.cp local_path, local_temp_path
             headers["If-None-Match"] = etag_for(local_temp_path)
-            headers["Range"] = "bytes=#{local_temp_path.size}-"
+            headers["Range"] =
+              if local_temp_path.size.nonzero?
+                # Subtract a byte to ensure the range won't be empty.
+                # Avoids 416 (Range Not Satisfiable) responses.
+                "bytes=#{local_temp_path.size - 1}-"
+              else
+                "bytes=#{local_temp_path.size}-"
+              end
           else
             # Fastly ignores Range when Accept-Encoding: gzip is set
             headers["Accept-Encoding"] = "gzip"
@@ -48,12 +56,15 @@ module Bundler
             content = Zlib::GzipReader.new(StringIO.new(content)).read
           end
 
-          mode = response.is_a?(Net::HTTPPartialContent) ? "a" : "w"
           SharedHelpers.filesystem_access(local_temp_path) do
-            local_temp_path.open(mode) {|f| f << content }
+            if response.is_a?(Net::HTTPPartialContent) && local_temp_path.size.nonzero?
+              local_temp_path.open("a") {|f| f << slice_body(content, 1..-1) }
+            else
+              local_temp_path.open("w") {|f| f << content }
+            end
           end
 
-          response_etag = response["ETag"].gsub(%r{\AW/}, "")
+          response_etag = (response["ETag"] || "").gsub(%r{\AW/}, "")
           if etag_for(local_temp_path) == response_etag
             SharedHelpers.filesystem_access(local_path) do
               FileUtils.mv(local_temp_path, local_path)
@@ -74,13 +85,21 @@ module Bundler
         sum ? %("#{sum}") : nil
       end
 
+      def slice_body(body, range)
+        if body.respond_to?(:byteslice)
+          body.byteslice(range)
+        else # pre-1.9.3
+          body.unpack("@#{range.first}a#{range.end + 1}").first
+        end
+      end
+
       def checksum_for_file(path)
         return nil unless path.file?
         # This must use IO.read instead of Digest.file().hexdigest
         # because we need to preserve \n line endings on windows when calculating
         # the checksum
         SharedHelpers.filesystem_access(path, :read) do
-          Digest::MD5.hexdigest(IO.read(path))
+          SharedHelpers.digest(:MD5).hexdigest(IO.read(path))
         end
       end
     end

data/bundler/lib/bundler/compatibility_guard.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: false
+
+require "rubygems"
+require "bundler/version"
+
+if Bundler::VERSION.split(".").first.to_i >= 2
+  if Gem::Version.new(Object::RUBY_VERSION.dup) < Gem::Version.new("2.3")
+    abort "Bundler 2 requires Ruby 2.3 or later. Either install bundler 1 or update to a supported Ruby version."
+  end
+
+  if Gem::Version.new(Gem::VERSION.dup) < Gem::Version.new("2.5")
+    abort "Bundler 2 requires RubyGems 2.5 or later. Either install bundler 1 or update to a supported RubyGems version."
+  end
+end

data/bundler/lib/bundler/constants.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module Bundler
   WINDOWS = RbConfig::CONFIG["host_os"] =~ /(msdos|mswin|djgpp|mingw)/
   FREEBSD = RbConfig::CONFIG["host_os"] =~ /bsd/

data/bundler/lib/bundler/current_ruby.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module Bundler
   # Returns current version of Ruby
   #
@@ -8,7 +9,7 @@ module Bundler
   end
 
   class CurrentRuby
-    KNOWN_MINOR_VERSIONS = %w(
+    KNOWN_MINOR_VERSIONS = %w[
       1.8
       1.9
       2.0
@@ -17,11 +18,11 @@ module Bundler
       2.3
       2.4
       2.5
-    ).freeze
+    ].freeze
 
     KNOWN_MAJOR_VERSIONS = KNOWN_MINOR_VERSIONS.map {|v| v.split(".", 2).first }.uniq.freeze
 
-    KNOWN_PLATFORMS = %w(
+    KNOWN_PLATFORMS = %w[
       jruby
       maglev
       mingw
@@ -31,7 +32,7 @@ module Bundler
       rbx
       ruby
       x64_mingw
-    ).freeze
+    ].freeze
 
     def ruby?
       !mswin? && (!defined?(RUBY_ENGINE) || RUBY_ENGINE == "ruby" || RUBY_ENGINE == "rbx" || RUBY_ENGINE == "maglev")
@@ -58,15 +59,15 @@ module Bundler
     end
 
     def mswin64?
-      Bundler::WINDOWS && Bundler.local_platform.os == "mswin64" && Bundler.local_platform.cpu == "x64"
+      Bundler::WINDOWS && Bundler.local_platform != Gem::Platform::RUBY && Bundler.local_platform.os == "mswin64" && Bundler.local_platform.cpu == "x64"
     end
 
     def mingw?
-      Bundler::WINDOWS && Bundler.local_platform.os == "mingw32" && Bundler.local_platform.cpu != "x64"
+      Bundler::WINDOWS && Bundler.local_platform != Gem::Platform::RUBY && Bundler.local_platform.os == "mingw32" && Bundler.local_platform.cpu != "x64"
     end
 
     def x64_mingw?
-      Bundler::WINDOWS && Bundler.local_platform.os == "mingw32" && Bundler.local_platform.cpu == "x64"
+      Bundler::WINDOWS && Bundler.local_platform != Gem::Platform::RUBY && Bundler.local_platform.os == "mingw32" && Bundler.local_platform.cpu == "x64"
     end
 
     (KNOWN_MINOR_VERSIONS + KNOWN_MAJOR_VERSIONS).each do |version|

data/bundler/lib/bundler/definition.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
+
 require "bundler/lockfile_parser"
-require "digest/sha1"
 require "set"
 
 module Bundler
@@ -14,7 +14,9 @@ module Bundler
       :locked_gems,
       :platforms,
       :requires,
-      :ruby_version
+      :ruby_version,
+      :lockfile,
+      :gemfiles
     )
 
     # Given a gemfile and lockfile creates a Bundler definition
@@ -51,8 +53,16 @@ module Bundler
     #   to be updated or true if all gems should be updated
     # @param ruby_version [Bundler::RubyVersion, nil] Requested Ruby Version
     # @param optional_groups [Array(String)] A list of optional groups
-    def initialize(lockfile, dependencies, sources, unlock, ruby_version = nil, optional_groups = [])
-      @unlocking = unlock == true || !unlock.empty?
+    def initialize(lockfile, dependencies, sources, unlock, ruby_version = nil, optional_groups = [], gemfiles = [])
+      if [true, false].include?(unlock)
+        @unlocking_bundler = false
+        @unlocking = unlock
+      else
+        unlock = unlock.dup
+        @unlocking_bundler = unlock.delete(:bundler)
+        unlock.delete_if {|_k, v| Array(v).empty? }
+        @unlocking = !unlock.empty?
+      end
 
       @dependencies    = dependencies
       @sources         = sources
@@ -61,6 +71,7 @@ module Bundler
       @remote          = false
       @specs           = nil
       @ruby_version    = ruby_version
+      @gemfiles        = gemfiles
 
       @lockfile               = lockfile
       @lockfile_contents      = String.new
@@ -81,7 +92,7 @@ module Bundler
           @locked_sources = @locked_gems.sources
         else
           @unlock         = {}
-          @locked_deps    = []
+          @locked_deps    = {}
           @locked_specs   = SpecSet.new([])
           @locked_sources = []
         end
@@ -89,7 +100,7 @@ module Bundler
         @unlock         = {}
         @platforms      = []
         @locked_gems    = nil
-        @locked_deps    = []
+        @locked_deps    = {}
         @locked_specs   = SpecSet.new([])
         @locked_sources = []
         @locked_platforms = []
@@ -102,9 +113,11 @@ module Bundler
       end
       @unlocking ||= @unlock[:ruby] ||= (!@locked_ruby_version ^ !@ruby_version)
 
-      add_current_platform unless Bundler.settings[:frozen]
+      add_current_platform unless Bundler.frozen?
 
+      converge_path_sources_to_gemspec_sources
       @path_changes = converge_paths
+      @source_changes = converge_sources
 
       unless @unlock[:lock_shared_dependencies]
         eager_unlock = expand_dependencies(@unlock[:gems])
@@ -113,33 +126,15 @@ module Bundler
 
       @gem_version_promoter = create_gem_version_promoter
 
-      @source_changes = converge_sources
       @dependency_changes = converge_dependencies
       @local_changes = converge_locals
 
       @requires = compute_requires
-
-      fixup_dependency_types!
-    end
-
-    def fixup_dependency_types!
-      # XXX This is a temporary workaround for a bug when using rubygems 1.8.15
-      # where Gem::Dependency#== matches Gem::Dependency#type. As the lockfile
-      # doesn't carry a notion of the dependency type, if you use
-      # add_development_dependency in a gemspec that's loaded with the gemspec
-      # directive, the lockfile dependencies and resolved dependencies end up
-      # with a mismatch on #type.
-      # Test coverage to catch a regression on this is in gemspec_spec.rb
-      @dependencies.each do |d|
-        if ld = @locked_deps.find {|l| l.name == d.name }
-          ld.instance_variable_set(:@type, d.type)
-        end
-      end
     end
 
     def create_gem_version_promoter
       locked_specs =
-        if @unlocking && @locked_specs.empty? && !@lockfile_contents.empty?
+        if unlocking? && @locked_specs.empty? && !@lockfile_contents.empty?
           # Definition uses an empty set of locked_specs to indicate all gems
           # are unlocked, but GemVersionPromoter needs the locked_specs
           # for conservative comparison.
@@ -183,9 +178,8 @@ module Bundler
                              "to a different version of #{locked_gem} that hasn't been removed in order to install."
         end
         unless specs["bundler"].any?
-          local = Bundler.settings[:frozen] ? rubygems_index : index
-          bundler = local.search(Gem::Dependency.new("bundler", VERSION)).last
-          specs["bundler"] = bundler if bundler
+          bundler = sources.metadata_source.specs.search(Gem::Dependency.new("bundler", VERSION)).last
+          specs["bundler"] = bundler
         end
 
         specs
@@ -210,10 +204,19 @@ module Bundler
       missing
     end
 
-    def missing_dependencies
-      missing = []
-      resolve.materialize(current_dependencies, missing)
-      missing
+    def missing_specs?
+      missing = missing_specs
+      return false if missing.empty?
+      Bundler.ui.debug "The definition is missing #{missing.map(&:full_name)}"
+      true
+    rescue BundlerError => e
+      @index = nil
+      @resolve = nil
+      @specs = nil
+      @gem_version_promoter = create_gem_version_promoter
+
+      Bundler.ui.debug "The definition is missing dependencies, failed to resolve & materialize locally (#{e})"
+      true
     end
 
     def requested_specs
@@ -242,13 +245,16 @@ module Bundler
     def resolve
       @resolve ||= begin
         last_resolve = converge_locked_specs
-        if Bundler.settings[:frozen] || (!@unlocking && nothing_changed?)
+        if Bundler.frozen?
+          Bundler.ui.debug "Frozen, using resolution from the lockfile"
+          last_resolve
+        elsif !unlocking? && nothing_changed?
           Bundler.ui.debug("Found no changes, using resolution from the lockfile")
           last_resolve
         else
           # Run a resolve against the locally available gems
           Bundler.ui.debug("Found changes from the lockfile, re-resolving dependencies because #{change_reason}")
-          last_resolve.merge Resolver.resolve(expanded_dependencies, index, source_requirements, last_resolve, gem_version_promoter, additional_base_requirements_for_resolve)
+          last_resolve.merge Resolver.resolve(expanded_dependencies, index, source_requirements, last_resolve, gem_version_promoter, additional_base_requirements_for_resolve, platforms)
         end
       end
     end
@@ -258,25 +264,44 @@ module Bundler
         dependency_names = @dependencies.map(&:name)
 
         sources.all_sources.each do |source|
-          source.dependency_names = dependency_names.dup
+          source.dependency_names = dependency_names - pinned_spec_names(source)
           idx.add_source source.specs
-          dependency_names -= pinned_spec_names(source.specs)
           dependency_names.concat(source.unmet_deps).uniq!
         end
-        idx << Gem::Specification.new("ruby\0", RubyVersion.system.to_gem_version_with_patchlevel)
-        idx << Gem::Specification.new("rubygems\0", Gem::VERSION)
-      end
-    end
 
-    # used when frozen is enabled so we can find the bundler
-    # spec, even if (say) a git gem is not checked out.
-    def rubygems_index
-      @rubygems_index ||= Index.build do |idx|
-        sources.rubygems_sources.each do |rubygems|
-          idx.add_source rubygems.specs
+        double_check_for_index(idx, dependency_names)
+      end
+    end
+
+    # Suppose the gem Foo depends on the gem Bar.  Foo exists in Source A.  Bar has some versions that exist in both
+    # sources A and B.  At this point, the API request will have found all the versions of Bar in source A,
+    # but will not have found any versions of Bar from source B, which is a problem if the requested version
+    # of Foo specifically depends on a version of Bar that is only found in source B. This ensures that for
+    # each spec we found, we add all possible versions from all sources to the index.
+    def double_check_for_index(idx, dependency_names)
+      pinned_names = pinned_spec_names
+      loop do
+        idxcount = idx.size
+
+        names = :names # do this so we only have to traverse to get dependency_names from the index once
+        unmet_dependency_names = lambda do
+          return names unless names == :names
+          new_names = sources.all_sources.map(&:dependency_names_to_double_check)
+          return names = nil if new_names.compact!
+          names = new_names.flatten(1).concat(dependency_names)
+          names.uniq!
+          names -= pinned_names
+          names
         end
+
+        sources.all_sources.each do |source|
+          source.double_check_for(unmet_dependency_names, :override_dupes)
+        end
+
+        break if idxcount == idx.size
       end
     end
+    private :double_check_for_index
 
     def has_rubygems_remotes?
       sources.rubygems_sources.any? {|s| s.remotes.any? }
@@ -311,10 +336,10 @@ module Bundler
         end
       end
 
-      preserve_unknown_sections ||= !updating_major && (Bundler.settings[:frozen] || !@unlocking)
+      preserve_unknown_sections ||= !updating_major && (Bundler.frozen? || !(unlocking? || @unlocking_bundler))
       return if lockfiles_equal?(@lockfile_contents, contents, preserve_unknown_sections)
 
-      if Bundler.settings[:frozen]
+      if Bundler.frozen?
         Bundler.ui.error "Cannot write a changed lockfile while frozen."
         return
       end
@@ -354,51 +379,8 @@ module Bundler
     end
 
     def to_lock
-      out = String.new
-
-      sources.lock_sources.each do |source|
-        # Add the source header
-        out << source.to_lock
-        # Find all specs for this source
-        resolve.
-          select {|s| source.can_lock?(s) }.
-          # This needs to be sorted by full name so that
-          # gems with the same name, but different platform
-          # are ordered consistently
-          sort_by(&:full_name).
-          each do |spec|
-            next if spec.name == "bundler"
-            out << spec.to_lock
-          end
-        out << "\n"
-      end
-
-      out << "PLATFORMS\n"
-
-      platforms.map(&:to_s).sort.each do |p|
-        out << "  #{p}\n"
-      end
-
-      out << "\n"
-      out << "DEPENDENCIES\n"
-
-      handled = []
-      dependencies.sort_by(&:to_s).each do |dep|
-        next if handled.include?(dep.name)
-        out << dep.to_lock
-        handled << dep.name
-      end
-
-      if locked_ruby_version
-        out << "\nRUBY VERSION\n"
-        out << "   #{locked_ruby_version}\n"
-      end
-
-      # Record the version of Bundler that was used to create the lockfile
-      out << "\nBUNDLED WITH\n"
-      out << "   #{locked_bundler_version}\n"
-
-      out
+      require "bundler/lockfile_generator"
+      LockfileGenerator.generate(self)
     end
 
     def ensure_equivalent_gemfile_and_lockfile(explicit_flag = false)
@@ -408,8 +390,15 @@ module Bundler
              "updated #{Bundler.default_lockfile.relative_path_from(SharedHelpers.pwd)} to version control."
 
       unless explicit_flag
+        suggested_command = if Bundler.settings.locations("frozen")[:global]
+          "bundle config --delete frozen"
+        elsif Bundler.settings.locations("deployment").keys.&([:global, :local]).any?
+          "bundle config --delete deployment"
+        else
+          "bundle install --no-deployment"
+        end
         msg << "\n\nIf this is a development machine, remove the #{Bundler.default_gemfile} " \
-               "freeze \nby running `bundle install --no-deployment`."
+               "freeze \nby running `#{suggested_command}`."
       end
 
       added =   []
@@ -426,13 +415,13 @@ module Bundler
       new_sources = gemfile_sources - @locked_sources
       deleted_sources = @locked_sources - gemfile_sources
 
-      new_deps = @dependencies - @locked_deps
-      deleted_deps = @locked_deps - @dependencies
+      new_deps = @dependencies - @locked_deps.values
+      deleted_deps = @locked_deps.values - @dependencies
 
       # Check if it is possible that the source is only changed thing
       if (new_deps.empty? && deleted_deps.empty?) && (!new_sources.empty? && !deleted_sources.empty?)
-        new_sources.reject! {|source| source.is_a_path? && source.path.exist? }
-        deleted_sources.reject! {|source| source.is_a_path? && source.path.exist? }
+        new_sources.reject! {|source| (source.path? && source.path.exist?) || equivalent_rubygems_remotes?(source) }
+        deleted_sources.reject! {|source| (source.path? && source.path.exist?) || equivalent_rubygems_remotes?(source) }
       end
 
       if @locked_sources != gemfile_sources
@@ -452,7 +441,7 @@ module Bundler
 
       both_sources = Hash.new {|h, k| h[k] = [] }
       @dependencies.each {|d| both_sources[d.name][0] = d }
-      @locked_deps.each  {|d| both_sources[d.name][1] = d.source }
+      @locked_deps.each  {|name, d| both_sources[name][1] = d.source }
 
       both_sources.each do |name, (dep, lock_source)|
         next unless (dep.nil? && !lock_source.nil?) || (!dep.nil? && !lock_source.nil? && !lock_source.can_lock?(dep))
@@ -461,12 +450,14 @@ module Bundler
         changed << "* #{name} from `#{gemfile_source_name}` to `#{lockfile_source_name}`"
       end
 
+      reason = change_reason
+      msg << "\n\n#{reason.split(", ").map(&:capitalize).join("\n")}" unless reason.strip.empty?
       msg << "\n\nYou have added to the Gemfile:\n" << added.join("\n") if added.any?
       msg << "\n\nYou have deleted from the Gemfile:\n" << deleted.join("\n") if deleted.any?
       msg << "\n\nYou have changed in the Gemfile:\n" << changed.join("\n") if changed.any?
       msg << "\n"
 
-      raise ProductionError, msg if added.any? || deleted.any? || changed.any?
+      raise ProductionError, msg if added.any? || deleted.any? || changed.any? || !nothing_changed?
     end
 
     def validate_runtime!
@@ -523,7 +514,7 @@ module Bundler
 
     def add_current_platform
       current_platform = Bundler.local_platform
-      add_platform(current_platform) if Bundler.settings[:specific_platform]
+      add_platform(current_platform) if Bundler.feature_flag.specific_platform?
       add_platform(generic(current_platform))
     end
 
@@ -538,14 +529,18 @@ module Bundler
     attr_reader :sources
     private :sources
 
-  private
-
     def nothing_changed?
       !@source_changes && !@dependency_changes && !@new_platform && !@path_changes && !@local_changes
     end
 
+    def unlocking?
+      @unlocking
+    end
+
+  private
+
     def change_reason
-      if @unlocking
+      if unlocking?
         unlock_reason = @unlock.reject {|_k, v| Array(v).empty? }.map do |k, v|
           if v == true
             k.to_s
@@ -566,10 +561,7 @@ module Bundler
     end
 
     def pretty_dep(dep, source = false)
-      msg = String.new(dep.name)
-      msg << " (#{dep.requirement})" unless dep.requirement == Gem::Requirement.default
-      msg << " from the `#{dep.source}` source" if source && dep.source
-      msg
+      SharedHelpers.pretty_dependency(dep, source)
     end
 
     # Check if the specs of the given source changed
@@ -582,7 +574,7 @@ module Bundler
 
     def dependencies_for_source_changed?(source, locked_source = source)
       deps_for_source = @dependencies.select {|s| s.source == source }
-      locked_deps_for_source = @locked_deps.select {|s| s.source == locked_source }
+      locked_deps_for_source = @locked_deps.values.select {|dep| dep.source == locked_source }
 
       Set.new(deps_for_source) != Set.new(locked_deps_for_source)
     end
@@ -591,7 +583,11 @@ module Bundler
       locked_index = Index.new
       locked_index.use(@locked_specs.select {|s| source.can_lock?(s) })
 
-      source.specs != locked_index
+      # order here matters, since Index#== is checking source.specs.include?(locked_index)
+      locked_index != source.specs
+    rescue PathError, GitError => e
+      Bundler.ui.debug "Assuming that #{source} has not changed since fetching its specs errored (#{e})"
+      false
     end
 
     # Get all locals and override their matching sources.
@@ -627,29 +623,44 @@ module Bundler
       gemspec_source || source
     end
 
-    def converge_sources
-      changes = false
-
+    def converge_path_sources_to_gemspec_sources
       @locked_sources.map! do |source|
         converge_path_source_to_gemspec_source(source)
       end
       @locked_specs.each do |spec|
         spec.source &&= converge_path_source_to_gemspec_source(spec.source)
       end
+      @locked_deps.each do |_, dep|
+        dep.source &&= converge_path_source_to_gemspec_source(dep.source)
+      end
+    end
+
+    def converge_rubygems_sources
+      return false if Bundler.feature_flag.lockfile_uses_separate_rubygems_sources?
 
-      # Get the Rubygems sources from the Gemfile.lock
+      changes = false
+
+      # Get the RubyGems sources from the Gemfile.lock
       locked_gem_sources = @locked_sources.select {|s| s.is_a?(Source::Rubygems) }
-      # Get the Rubygems remotes from the Gemfile
+      # Get the RubyGems remotes from the Gemfile
       actual_remotes = sources.rubygems_remotes
 
-      # If there is a Rubygems source in both
+      # If there is a RubyGems source in both
       if !locked_gem_sources.empty? && !actual_remotes.empty?
         locked_gem_sources.each do |locked_gem|
           # Merge the remotes from the Gemfile into the Gemfile.lock
-          changes |= locked_gem.replace_remotes(actual_remotes)
+          changes |= locked_gem.replace_remotes(actual_remotes, Bundler.settings[:allow_deployment_source_credential_changes])
         end
       end
 
+      changes
+    end
+
+    def converge_sources
+      changes = false
+
+      changes |= converge_rubygems_sources
+
       # Replace the sources from the Gemfile with the sources from the Gemfile.lock,
       # if they exist in the Gemfile.lock and are `==`. If you can't find an equivalent
       # source in the Gemfile.lock, use the one from the Gemfile.
@@ -671,11 +682,12 @@ module Bundler
     end
 
     def converge_dependencies
-      (@dependencies + @locked_deps).each do |dep|
-        locked_source = @locked_deps.select {|d| d.name == dep.name }.last
+      frozen = Bundler.frozen?
+      (@dependencies + @locked_deps.values).each do |dep|
+        locked_source = @locked_deps[dep.name]
         # This is to make sure that if bundler is installing in deployment mode and
         # after locked_source and sources don't match, we still use locked_source.
-        if Bundler.settings[:frozen] && !locked_source.nil? &&
+        if frozen && !locked_source.nil? &&
             locked_source.respond_to?(:source) && locked_source.source.instance_of?(Source::Path) && locked_source.source.path.exist?
           dep.source = locked_source.source
         elsif dep.source
@@ -685,7 +697,31 @@ module Bundler
           dep.platforms.concat(@platforms.map {|p| Dependency::REVERSE_PLATFORM_MAP[p] }.flatten(1)).uniq!
         end
       end
-      Set.new(@dependencies) != Set.new(@locked_deps)
+
+      changes = false
+      # We want to know if all match, but don't want to check all entries
+      # This means we need to return false if any dependency doesn't match
+      # the lock or doesn't exist in the lock.
+      @dependencies.each do |dependency|
+        unless locked_dep = @locked_deps[dependency.name]
+          changes = true
+          next
+        end
+
+        # Gem::Dependency#== matches Gem::Dependency#type. As the lockfile
+        # doesn't carry a notion of the dependency type, if you use
+        # add_development_dependency in a gemspec that's loaded with the gemspec
+        # directive, the lockfile dependencies and resolved dependencies end up
+        # with a mismatch on #type. Work around that by setting the type on the
+        # dep from the lockfile.
+        locked_dep.instance_variable_set(:@type, dependency.type)
+
+        # We already know the name matches from the hash lookup
+        # so we only need to check the requirement now
+        changes ||= dependency.requirement != locked_dep.requirement
+      end
+
+      changes
     end
 
     # Remove elements from the locked specs that are expired. This will most
@@ -698,12 +734,11 @@ module Bundler
       # and Gemfile.lock. If the Gemfile modified a dependency, but
       # the gem in the Gemfile.lock still satisfies it, this is fine
       # too.
-      locked_deps_hash = @locked_deps.inject({}) do |hsh, dep|
-        hsh[dep] = dep
-        hsh
-      end
       @dependencies.each do |dep|
-        locked_dep = locked_deps_hash[dep]
+        locked_dep = @locked_deps[dep.name]
+
+        # If the locked_dep doesn't match the dependency we're looking for then we ignore the locked_dep
+        locked_dep = nil unless locked_dep == dep
 
         if in_locked_deps?(dep, locked_dep) || satisfies_locked_spec?(dep)
           deps << dep
@@ -717,6 +752,8 @@ module Bundler
         end
       end
 
+      unlock_source_unlocks_spec = Bundler.feature_flag.unlock_source_unlocks_spec?
+
       converged = []
       @locked_specs.each do |s|
         # Replace the locked dependency's source with the equivalent source from the Gemfile
@@ -724,42 +761,58 @@ module Bundler
         s.source = (dep && dep.source) || sources.get(s.source)
 
         # Don't add a spec to the list if its source is expired. For example,
-        # if you change a Git gem to Rubygems.
-        next if s.source.nil? || @unlock[:sources].include?(s.source.name)
+        # if you change a Git gem to RubyGems.
+        next if s.source.nil?
+        next if @unlock[:sources].include?(s.source.name)
 
         # XXX This is a backwards-compatibility fix to preserve the ability to
         # unlock a single gem by passing its name via `--source`. See issue #3759
-        next if s.source.nil? || @unlock[:sources].include?(s.name)
+        # TODO: delete in Bundler 2
+        next if unlock_source_unlocks_spec && @unlock[:sources].include?(s.name)
 
         # If the spec is from a path source and it doesn't exist anymore
         # then we unlock it.
 
         # Path sources have special logic
         if s.source.instance_of?(Source::Path) || s.source.instance_of?(Source::Gemspec)
-          other = s.source.specs[s].first
+          other_sources_specs = begin
+            s.source.specs
+          rescue PathError, GitError
+            # if we won't need the source (according to the lockfile),
+            # don't error if the path/git source isn't available
+            next if @locked_specs.
+                    for(requested_dependencies, [], false, true, false).
+                    none? {|locked_spec| locked_spec.source == s.source }
+
+            raise
+          end
+
+          other = other_sources_specs[s].first
 
           # If the spec is no longer in the path source, unlock it. This
           # commonly happens if the version changed in the gemspec
           next unless other
 
           deps2 = other.dependencies.select {|d| d.type != :development }
+          runtime_dependencies = s.dependencies.select {|d| d.type != :development }
           # If the dependencies of the path source have changed, unlock it
-          next unless s.dependencies.sort == deps2.sort
+          next unless runtime_dependencies.sort == deps2.sort
         end
 
         converged << s
       end
 
       resolve = SpecSet.new(converged)
-      resolve = resolve.for(expand_dependencies(deps, true), @unlock[:gems])
-      diff    = @locked_specs.to_a - resolve.to_a
+      resolve = resolve.for(expand_dependencies(deps, true), @unlock[:gems], false, false, false)
+      diff    = nil
 
       # Now, we unlock any sources that do not have anymore gems pinned to it
       sources.all_sources.each do |source|
         next unless source.respond_to?(:unlock!)
 
         unless resolve.any? {|s| s.source == source }
-          source.unlock! if !diff.empty? && diff.any? {|s| s.source == source }
+          diff ||= @locked_specs.to_a - resolve.to_a
+          source.unlock! if diff.any? {|s| s.source == source }
         end
       end
 
@@ -774,24 +827,28 @@ module Bundler
     end
 
     def satisfies_locked_spec?(dep)
-      @locked_specs.any? {|s| s.satisfies?(dep) && (!dep.source || s.source.include?(dep.source)) }
+      @locked_specs[dep].any? {|s| s.satisfies?(dep) && (!dep.source || s.source.include?(dep.source)) }
     end
 
     # This list of dependencies is only used in #resolve, so it's OK to add
     # the metadata dependencies here
     def expanded_dependencies
       @expanded_dependencies ||= begin
+        expand_dependencies(dependencies + metadata_dependencies, @remote)
+      end
+    end
+
+    def metadata_dependencies
+      @metadata_dependencies ||= begin
         ruby_versions = concat_ruby_version_requirements(@ruby_version)
         if ruby_versions.empty? || !@ruby_version.exact?
           concat_ruby_version_requirements(RubyVersion.system)
           concat_ruby_version_requirements(locked_ruby_version_object) unless @unlock[:ruby]
         end
-
-        metadata_dependencies = [
+        [
           Dependency.new("ruby\0", ruby_versions),
           Dependency.new("rubygems\0", Gem::VERSION),
         ]
-        expand_dependencies(dependencies + metadata_dependencies, @remote)
       end
     end
 
@@ -812,17 +869,20 @@ module Bundler
     end
 
     def expand_dependencies(dependencies, remote = false)
+      sorted_platforms = Resolver.sort_platforms(@platforms)
       deps = []
       dependencies.each do |dep|
         dep = Dependency.new(dep, ">= 0") unless dep.respond_to?(:name)
         next if !remote && !dep.current_platform?
-        platforms = dep.gem_platforms(@platforms)
+        platforms = dep.gem_platforms(sorted_platforms)
         if platforms.empty?
+          mapped_platforms = dep.platforms.map {|p| Dependency::PLATFORM_MAP[p] }
           Bundler.ui.warn \
             "The dependency #{dep} will be unused by any of the platforms Bundler is installing for. " \
             "Bundler is installing for #{@platforms.join ", "} but the dependency " \
-            "is only for #{dep.platforms.map {|p| Dependency::PLATFORM_MAP[p] }.join ", "}. " \
-            "To add those platforms to the bundle, run `bundle lock --add-platform #{dep.platforms.join ", "}`."
+            "is only for #{mapped_platforms.join ", "}. " \
+            "To add those platforms to the bundle, " \
+            "run `bundle lock --add-platform #{mapped_platforms.join " "}`."
         end
         platforms.each do |p|
           deps << DepProxy.new(dep, p) if remote || p == generic_local_platform
@@ -844,30 +904,33 @@ module Bundler
       # Record the specs available in each gem's source, so that those
       # specs will be available later when the resolver knows where to
       # look for that gemspec (or its dependencies)
-      source_requirements = {}
+      default = sources.default_source
+      source_requirements = { :default => default }
+      default = nil unless Bundler.feature_flag.lockfile_uses_separate_rubygems_sources?
       dependencies.each do |dep|
-        next unless dep.source
-        source_requirements[dep.name] = dep.source.specs
+        next unless source = dep.source || default
+        source_requirements[dep.name] = source
+      end
+      metadata_dependencies.each do |dep|
+        source_requirements[dep.name] = sources.metadata_source
       end
+      source_requirements["bundler"] = sources.metadata_source # needs to come last to override
       source_requirements
     end
 
-    def pinned_spec_names(specs)
-      names = []
-      specs.each do |s|
-        # TODO: when two sources without blocks is an error, we can change
-        # this check to !s.source.is_a?(Source::LocalRubygems). For now,
-        # we need to ask every Rubygems for every gem name.
-        if s.source.is_a?(Source::Git) || s.source.is_a?(Source::Path)
-          names << s.name
-        end
+    def pinned_spec_names(skip = nil)
+      pinned_names = []
+      default = Bundler.feature_flag.lockfile_uses_separate_rubygems_sources? && sources.default_source
+      @dependencies.each do |dep|
+        next unless dep_source = dep.source || default
+        next if dep_source == skip
+        pinned_names << dep.name
       end
-      names.uniq!
-      names
+      pinned_names
     end
 
     def requested_groups
-      groups - Bundler.settings.without - @optional_groups + Bundler.settings.with
+      groups - Bundler.settings[:without] - @optional_groups + Bundler.settings[:with]
     end
 
     def lockfiles_equal?(current, proposed, preserve_unknown_sections)
@@ -902,11 +965,20 @@ module Bundler
 
     def additional_base_requirements_for_resolve
       return [] unless @locked_gems && Bundler.feature_flag.only_update_to_newer_versions?
+      dependencies_by_name = dependencies.group_by(&:name)
       @locked_gems.specs.reduce({}) do |requirements, locked_spec|
-        dep = Gem::Dependency.new(locked_spec.name, ">= #{locked_spec.version}")
-        requirements[locked_spec.name] = DepProxy.new(dep, locked_spec.platform)
+        name = locked_spec.name
+        next requirements if @locked_deps[name] != dependencies_by_name[name]
+        dep = Gem::Dependency.new(name, ">= #{locked_spec.version}")
+        requirements[name] = DepProxy.new(dep, locked_spec.platform)
         requirements
       end.values
     end
+
+    def equivalent_rubygems_remotes?(source)
+      return false unless source.is_a?(Source::Rubygems)
+
+      Bundler.settings[:allow_deployment_source_credential_changes] && source.equivalent_remotes?(sources.rubygems_remotes)
+    end
   end
 end