rubygems-update 3.2.17 → 3.2.21

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dcfc421015c33e4d4d5d8239aa5ba4f8355677b0509a7e83cb8e13fd22a8ef27
-  data.tar.gz: b535b85781ca843a1a876770a42a495f2384bf698d1d2e8dbabba15a5e0e0ea0
+  metadata.gz: 7b503ab1ec419e166f305736955f0539fae884d2653b84d57147a5e6b63e484f
+  data.tar.gz: 0c1840cb14e65c6711aa0dee3baba49e4cbf725839faa2131c32647282eb5a0a
 SHA512:
-  metadata.gz: 13c39ab5f867862e4a4b54e592fb8e7cddc2832dd2d57b54698887b618ff5785f33e06860129c9c85bc8ed63fb87a9dbb4789532c6824f44dbbbb3068307e613
-  data.tar.gz: 780f6bab25cdb0c7fc4f328c632dcaaa60275e0bb823b5b4b891780a69df3dc6cf1b3ee8488dd4472f6c03cb382daf5069584b39ba756d115f23ba9bfae70e9d
+  metadata.gz: 3bd0087496816b8814d90435c8401cba34779442f6830a9a247c50b2f39a1d7ac5accf515e7ba7ea84ea7739e619a57fa8ab06e7aacb9b7ede5029245fbb1c72
+  data.tar.gz: 3500016861f8abbd10d16e6d37d674430d4cfa709fd5769b12f0fdbfea8b2059dba86234968b49c4f66e1d74b784c570511c468ed6528bb87f3b09bb9b5f775a

data/CHANGELOG.md

@@ -1,3 +1,42 @@
+# 3.2.21 / 2021-06-23
+
+## Enhancements:
+
+* Fix typo in OpenSSL detection. Pull request #4679 by osyoyu
+* Add the most recent licenses from spdx.org. Pull request #4662 by nobu
+* Simplify setup.rb code to allow installing rubygems from source on
+  truffleruby 21.0 and 21.1. Pull request #4624 by deivid-rodriguez
+
+## Bug fixes:
+
+* Create credentials folder when setting API keys if not there yet. Pull
+  request #4665 by deivid-rodriguez
+
+# 3.2.20 / 2021-06-11
+
+## Security fixes:
+
+* Verify plaform before installing to avoid potential remote code
+  execution. Pull request #4667 by sonalkr132
+
+## Enhancements:
+
+* Add better specification policy error description. Pull request #4658 by
+  ceritium
+
+# 3.2.19 / 2021-05-31
+
+## Enhancements:
+
+* Fix `gem help build` output format. Pull request #4613 by tnir
+
+# 3.2.18 / 2021-05-25
+
+## Enhancements:
+
+* Don't leave temporary directory around when building extensions to
+  improve build reproducibility. Pull request #4610 by baloo
+
 # 3.2.17 / 2021-05-05
 
 ## Enhancements:

data/Manifest.txt

@@ -180,7 +180,9 @@ bundler/lib/bundler/source/path.rb
 bundler/lib/bundler/source/path/installer.rb
 bundler/lib/bundler/source/rubygems.rb
 bundler/lib/bundler/source/rubygems/remote.rb
+bundler/lib/bundler/source/rubygems_aggregate.rb
 bundler/lib/bundler/source_list.rb
+bundler/lib/bundler/source_map.rb
 bundler/lib/bundler/spec_set.rb
 bundler/lib/bundler/stub_specification.rb
 bundler/lib/bundler/templates/.document
@@ -536,6 +538,7 @@ test/rubygems/invalidchild_cert.pem
 test/rubygems/invalidchild_cert_32.pem
 test/rubygems/invalidchild_key.pem
 test/rubygems/packages/ascii_binder-0.1.10.1.gem
+test/rubygems/packages/ill-formatted-platform-1.0.0.10.gem
 test/rubygems/plugin/exception/rubygems_plugin.rb
 test/rubygems/plugin/load/rubygems_plugin.rb
 test/rubygems/plugin/standarderror/rubygems_plugin.rb

data/Rakefile

@@ -86,11 +86,6 @@ end
 
 task rubocop: %w[rubocop:rubygems rubocop:bundler]
 
-desc "Run a test suite bisection"
-task(:bisect) do
-  sh "util/bisect"
-end
-
 # --------------------------------------------------------------------
 # Creating a release
 
@@ -254,7 +249,7 @@ end
 
 directory '../blog.rubygems.org' do
   sh 'git', 'clone',
-     'git@github.com:rubygems/rubygems.github.com.git',
+     'git@github.com:rubygems/rubygems.github.io.git',
      '../blog.rubygems.org'
 end
 
@@ -388,6 +383,11 @@ task :check_manifest do
   end
 end
 
+desc "Update License list from SPDX.org"
+task :update_licenses do
+  load "util/generate_spdx_license_list.rb"
+end
+
 namespace :bundler do
   task :build_metadata do
     chdir('bundler') { sh "rake build_metadata" }

data/bundler/CHANGELOG.md

@@ -1,3 +1,57 @@
+# 2.2.21 (June 23, 2021)
+
+## Security fixes:
+
+  - Auto-update insecure lockfile to split GEM source sections whenever possible [#4647](https://github.com/rubygems/rubygems/pull/4647)
+
+## Enhancements:
+
+  - Use a more limited number of threads when fetching in parallel from the Compact Index API [#4670](https://github.com/rubygems/rubygems/pull/4670)
+  - Update TODO link in bundle gem template to https [#4671](https://github.com/rubygems/rubygems/pull/4671)
+
+## Bug fixes:
+
+  - Fix `bundle install --local` hitting the network when `cache_all_platforms` configured [#4677](https://github.com/rubygems/rubygems/pull/4677)
+
+# 2.2.20 (June 11, 2021)
+
+## Enhancements:
+
+  - Don't print bug report template on server side errors [#4663](https://github.com/rubygems/rubygems/pull/4663)
+  - Don't load `resolv` unnecessarily [#4640](https://github.com/rubygems/rubygems/pull/4640)
+
+## Bug fixes:
+
+  - Fix `bundle outdated` edge case [#4648](https://github.com/rubygems/rubygems/pull/4648)
+  - Fix `bundle check` with scoped rubygems sources [#4639](https://github.com/rubygems/rubygems/pull/4639)
+
+## Performance:
+
+  - Don't use `extra_rdoc_files` with md files in gemspec to make installing bundler with docs faster [#4628](https://github.com/rubygems/rubygems/pull/4628)
+
+# 2.2.19 (May 31, 2021)
+
+## Bug fixes:
+
+  - Restore support for configuration keys with dashes [#4582](https://github.com/rubygems/rubygems/pull/4582)
+  - Fix some cached gems being unintentionally ignored when using rubygems 3.2.18 [#4623](https://github.com/rubygems/rubygems/pull/4623)
+
+# 2.2.18 (May 25, 2021)
+
+## Security fixes:
+
+  - Fix dependency confusion issues with implicit dependencies [#4609](https://github.com/rubygems/rubygems/pull/4609)
+
+## Enhancements:
+
+  - Use simpler notation for generated `required_ruby_version` [#4598](https://github.com/rubygems/rubygems/pull/4598)
+  - Undeprecate bundle show [#4586](https://github.com/rubygems/rubygems/pull/4586)
+  - Make sure link to new issue uses the proper template [#4592](https://github.com/rubygems/rubygems/pull/4592)
+
+## Bug fixes:
+
+  - Fix platform specific gems being removed from the lockfile [#4580](https://github.com/rubygems/rubygems/pull/4580)
+
 # 2.2.17 (May 5, 2021)
 
 ## Enhancements:

data/bundler/bundler.gemspec

@@ -34,13 +34,12 @@ Gem::Specification.new do |s|
   s.required_ruby_version     = ">= 2.3.0"
   s.required_rubygems_version = ">= 2.5.2"
 
-  s.files = Dir.glob("{lib,exe}/**/*", File::FNM_DOTMATCH).reject {|f| File.directory?(f) }
+  s.files = Dir.glob("lib/bundler{.rb,/**/*}", File::FNM_DOTMATCH).reject {|f| File.directory?(f) }
 
-  # Include the CHANGELOG.md, LICENSE.md, README.md manually
-  s.files += %w[CHANGELOG.md LICENSE.md README.md]
   # include the gemspec itself because warbler breaks w/o it
   s.files += %w[bundler.gemspec]
 
+  s.files += %w[CHANGELOG.md LICENSE.md README.md]
   s.bindir        = "exe"
   s.executables   = %w[bundle bundler]
   s.require_paths = ["lib"]

data/bundler/lib/bundler.rb

@@ -69,6 +69,7 @@ module Bundler
   autoload :SharedHelpers,          File.expand_path("bundler/shared_helpers", __dir__)
   autoload :Source,                 File.expand_path("bundler/source", __dir__)
   autoload :SourceList,             File.expand_path("bundler/source_list", __dir__)
+  autoload :SourceMap,              File.expand_path("bundler/source_map", __dir__)
   autoload :SpecSet,                File.expand_path("bundler/spec_set", __dir__)
   autoload :StubSpecification,      File.expand_path("bundler/stub_specification", __dir__)
   autoload :UI,                     File.expand_path("bundler/ui", __dir__)
@@ -197,7 +198,7 @@ module Bundler
 
     def frozen_bundle?
       frozen = settings[:deployment]
-      frozen ||= settings[:frozen] unless feature_flag.deployment_means_frozen?
+      frozen ||= settings[:frozen]
       frozen
     end
 

data/bundler/lib/bundler/build_metadata.rb

@@ -4,8 +4,8 @@ module Bundler
   # Represents metadata from when the Bundler gem was built.
   module BuildMetadata
     # begin ivars
-    @built_at = "2021-05-05".freeze
-    @git_commit_sha = "69cbd6e10e".freeze
+    @built_at = "2021-06-23".freeze
+    @git_commit_sha = "0b5db72094".freeze
     @release = true
     # end ivars
 

data/bundler/lib/bundler/cli.rb

@@ -308,39 +308,19 @@ module Bundler
       end
     end
 
-    unless Bundler.feature_flag.bundler_3_mode?
-      desc "show GEM [OPTIONS]", "Shows all gems that are part of the bundle, or the path to a given gem"
-      long_desc <<-D
-        Show lists the names and versions of all gems that are required by your Gemfile.
-        Calling show with [GEM] will list the exact location of that gem on your machine.
-      D
-      method_option "paths", :type => :boolean,
-                             :banner => "List the paths of all gems that are required by your Gemfile."
-      method_option "outdated", :type => :boolean,
-                                :banner => "Show verbose output including whether gems are outdated."
-      def show(gem_name = nil)
-        if ARGV[0] == "show"
-          rest = ARGV[1..-1]
-
-          if flag = rest.find{|arg| ["--verbose", "--outdated"].include?(arg) }
-            Bundler::SharedHelpers.major_deprecation(2, "the `#{flag}` flag to `bundle show` was undocumented and will be removed without replacement")
-          else
-            new_command = rest.find {|arg| !arg.start_with?("--") } ? "info" : "list"
-
-            new_arguments = rest.map do |arg|
-              next arg if arg != "--paths"
-              next "--path" if new_command == "info"
-            end
-
-            old_argv = ARGV.join(" ")
-            new_argv = [new_command, *new_arguments.compact].join(" ")
-
-            Bundler::SharedHelpers.major_deprecation(2, "use `bundle #{new_argv}` instead of `bundle #{old_argv}`")
-          end
-        end
-        require_relative "cli/show"
-        Show.new(options, gem_name).run
-      end
+    desc "show GEM [OPTIONS]", "Shows all gems that are part of the bundle, or the path to a given gem"
+    long_desc <<-D
+      Show lists the names and versions of all gems that are required by your Gemfile.
+      Calling show with [GEM] will list the exact location of that gem on your machine.
+    D
+    method_option "paths", :type => :boolean,
+                           :banner => "List the paths of all gems that are required by your Gemfile."
+    method_option "outdated", :type => :boolean,
+                              :banner => "Show verbose output including whether gems are outdated."
+    def show(gem_name = nil)
+      SharedHelpers.major_deprecation(2, "the `--outdated` flag to `bundle show` was undocumented and will be removed without replacement") if ARGV.include?("--outdated")
+      require_relative "cli/show"
+      Show.new(options, gem_name).run
     end
 
     desc "list", "List all gems in the bundle"

data/bundler/lib/bundler/cli/check.rb

@@ -11,9 +11,11 @@ module Bundler
     def run
       Bundler.settings.set_command_option_if_given :path, options[:path]
 
+      definition = Bundler.definition
+      definition.validate_runtime!
+
       begin
-        definition = Bundler.definition
-        definition.validate_runtime!
+        definition.resolve_only_locally!
         not_installed = definition.missing_specs
       rescue GemNotFound, VersionConflict
         Bundler.ui.error "Bundler can't satisfy your Gemfile's dependencies."

data/bundler/lib/bundler/cli/install.rb

@@ -33,12 +33,8 @@ module Bundler
 
         options[:local] = true if Bundler.app_cache.exist?
 
-        if Bundler.feature_flag.deployment_means_frozen?
-          Bundler.settings.set_command_option :deployment, true
-        else
-          Bundler.settings.set_command_option :deployment, true if options[:deployment]
-          Bundler.settings.set_command_option :frozen, true if options[:frozen]
-        end
+        Bundler.settings.set_command_option :deployment, true if options[:deployment]
+        Bundler.settings.set_command_option :frozen, true if options[:frozen]
       end
 
       # When install is called with --no-deployment, disable deployment mode
@@ -62,7 +58,10 @@ module Bundler
       definition.validate_runtime!
 
       installer = Installer.install(Bundler.root, definition, options)
-      Bundler.load.cache if Bundler.app_cache.exist? && !options["no-cache"] && !Bundler.frozen_bundle?
+
+      Bundler.settings.temporary(:cache_all_platforms => options[:local] ? false : Bundler.settings[:cache_all_platforms]) do
+        Bundler.load.cache if Bundler.app_cache.exist? && !options["no-cache"] && !Bundler.frozen_bundle?
+      end
 
       Bundler.ui.confirm "Bundle complete! #{dependencies_count_for(definition)}, #{gems_installed_for(definition)}."
       Bundler::CLI::Common.output_without_groups_message(:install)

data/bundler/lib/bundler/cli/outdated.rb

@@ -146,17 +146,16 @@ module Bundler
     end
 
     def retrieve_active_spec(definition, current_spec)
-      if strict
-        active_spec = definition.find_resolved_spec(current_spec)
-      else
-        active_specs = definition.find_indexed_specs(current_spec)
-        if !current_spec.version.prerelease? && !options[:pre] && active_specs.size > 1
-          active_specs.delete_if {|b| b.respond_to?(:version) && b.version.prerelease? }
-        end
-        active_spec = active_specs.last
-      end
+      active_spec = definition.resolve.find_by_name_and_platform(current_spec.name, current_spec.platform)
+      return unless active_spec
 
-      active_spec
+      return active_spec if strict
+
+      active_specs = active_spec.source.specs.search(current_spec.name).select {|spec| spec.match_platform(current_spec.platform) }.sort_by(&:version)
+      if !current_spec.version.prerelease? && !options[:pre] && active_specs.size > 1
+        active_specs.delete_if {|b| b.respond_to?(:version) && b.version.prerelease? }
+      end
+      active_specs.last
     end
 
     def print_gems(gems_list)

data/bundler/lib/bundler/definition.rb

@@ -107,12 +107,14 @@ module Bundler
       end
 
       @locked_gem_sources = @locked_sources.select {|s| s.is_a?(Source::Rubygems) }
-      @disable_multisource = @locked_gem_sources.all?(&:disable_multisource?)
+      @multisource_allowed = @locked_gem_sources.any?(&:multiple_remotes?) && (sources.aggregate_global_source? || Bundler.frozen_bundle?)
 
-      unless @disable_multisource
-        msg = "Your lockfile contains a single rubygems source section with multiple remotes, which is insecure. You should run `bundle update` or generate your lockfile from scratch."
+      if @multisource_allowed
+        unless sources.aggregate_global_source?
+          msg = "Your lockfile contains a single rubygems source section with multiple remotes, which is insecure. Make sure you run `bundle install` in non frozen mode and commit the result to make your lockfile secure."
 
-        Bundler::SharedHelpers.major_deprecation 2, msg
+          Bundler::SharedHelpers.major_deprecation 2, msg
+        end
 
         @sources.merged_gem_lockfile_sections!
       end
@@ -156,8 +158,14 @@ module Bundler
       end
     end
 
-    def disable_multisource?
-      @disable_multisource
+    def multisource_allowed?
+      @multisource_allowed
+    end
+
+    def resolve_only_locally!
+      @remote = false
+      sources.local_only!
+      resolve
     end
 
     def resolve_with_cache!
@@ -219,7 +227,6 @@ module Bundler
       Bundler.ui.debug "The definition is missing #{missing.map(&:full_name)}"
       true
     rescue BundlerError => e
-      @index = nil
       @resolve = nil
       @specs = nil
       @gem_version_promoter = nil
@@ -282,50 +289,6 @@ module Bundler
       end
     end
 
-    def index
-      @index ||= Index.build do |idx|
-        dependency_names = @dependencies.map(&:name)
-
-        sources.all_sources.each do |source|
-          source.dependency_names = dependency_names - pinned_spec_names(source)
-          idx.add_source source.specs
-          dependency_names.concat(source.unmet_deps).uniq!
-        end
-
-        double_check_for_index(idx, dependency_names)
-      end
-    end
-
-    # Suppose the gem Foo depends on the gem Bar.  Foo exists in Source A.  Bar has some versions that exist in both
-    # sources A and B.  At this point, the API request will have found all the versions of Bar in source A,
-    # but will not have found any versions of Bar from source B, which is a problem if the requested version
-    # of Foo specifically depends on a version of Bar that is only found in source B. This ensures that for
-    # each spec we found, we add all possible versions from all sources to the index.
-    def double_check_for_index(idx, dependency_names)
-      pinned_names = pinned_spec_names
-      loop do
-        idxcount = idx.size
-
-        names = :names # do this so we only have to traverse to get dependency_names from the index once
-        unmet_dependency_names = lambda do
-          return names unless names == :names
-          new_names = sources.all_sources.map(&:dependency_names_to_double_check)
-          return names = nil if new_names.compact!
-          names = new_names.flatten(1).concat(dependency_names)
-          names.uniq!
-          names -= pinned_names
-          names
-        end
-
-        sources.all_sources.each do |source|
-          source.double_check_for(unmet_dependency_names)
-        end
-
-        break if idxcount == idx.size
-      end
-    end
-    private :double_check_for_index
-
     def has_rubygems_remotes?
       sources.rubygems_sources.any? {|s| s.remotes.any? }
     end
@@ -532,14 +495,6 @@ module Bundler
       end
     end
 
-    def find_resolved_spec(current_spec)
-      specs.find_by_name_and_platform(current_spec.name, current_spec.platform)
-    end
-
-    def find_indexed_specs(current_spec)
-      index[current_spec.name].select {|spec| spec.match_platform(current_spec.platform) }.sort_by(&:version)
-    end
-
     attr_reader :sources
     private :sources
 
@@ -556,6 +511,10 @@ module Bundler
 
     private
 
+    def precompute_source_requirements_for_indirect_dependencies?
+      sources.non_global_rubygems_sources.all?(&:dependency_api_available?) && !sources.aggregate_global_source?
+    end
+
     def current_ruby_platform_locked?
       return false unless generic_local_platform == Gem::Platform::RUBY
 
@@ -670,7 +629,7 @@ module Bundler
     end
 
     def converge_rubygems_sources
-      return false if disable_multisource?
+      return false unless multisource_allowed?
 
       return false if locked_gem_sources.empty?
 
@@ -681,9 +640,9 @@ module Bundler
       changes = false
 
       # If there is a RubyGems source in both
-      locked_gem_sources.each do |locked_gem|
+      locked_gem_sources.each do |locked_gem_source|
         # Merge the remotes from the Gemfile into the Gemfile.lock
-        changes |= locked_gem.replace_remotes(actual_remotes, Bundler.settings[:allow_deployment_source_credential_changes])
+        changes |= locked_gem_source.replace_remotes(actual_remotes, Bundler.settings[:allow_deployment_source_credential_changes])
       end
 
       changes
@@ -902,26 +861,22 @@ module Bundler
     end
 
     def source_requirements
-      # Load all specs from remote sources
-      index
-
       # Record the specs available in each gem's source, so that those
       # specs will be available later when the resolver knows where to
       # look for that gemspec (or its dependencies)
-      source_requirements = { :default => sources.default_source }.merge(dependency_source_requirements)
+      source_requirements = if precompute_source_requirements_for_indirect_dependencies?
+        { :default => sources.default_source }.merge(source_map.all_requirements)
+      else
+        { :default => Source::RubygemsAggregate.new(sources, source_map) }.merge(source_map.direct_requirements)
+      end
       metadata_dependencies.each do |dep|
         source_requirements[dep.name] = sources.metadata_source
       end
-      source_requirements[:global] = index unless Bundler.feature_flag.disable_multisource?
-      source_requirements[:default_bundler] = source_requirements["bundler"] || source_requirements[:default]
+      source_requirements[:default_bundler] = source_requirements["bundler"] || sources.default_source
       source_requirements["bundler"] = sources.metadata_source # needs to come last to override
       source_requirements
     end
 
-    def pinned_spec_names(skip = nil)
-      dependency_source_requirements.reject {|_, source| source == skip }.keys
-    end
-
     def requested_groups
       groups - Bundler.settings[:without] - @optional_groups + Bundler.settings[:with]
     end
@@ -977,16 +932,8 @@ module Bundler
       Bundler.settings[:allow_deployment_source_credential_changes] && source.equivalent_remotes?(sources.rubygems_remotes)
     end
 
-    def dependency_source_requirements
-      @dependency_source_requirements ||= begin
-        source_requirements = {}
-        default = sources.default_source
-        dependencies.each do |dep|
-          dep_source = dep.source || default
-          source_requirements[dep.name] = dep_source
-        end
-        source_requirements
-      end
+    def source_map
+      @source_map ||= SourceMap.new(sources, dependencies)
     end
   end
 end