rubygems-update 3.5.5 → 3.5.10

data/bundler/lib/bundler/vendored_uri.rb

@@ -1,4 +1,21 @@
 # frozen_string_literal: true
 
 module Bundler; end
-require_relative "vendor/uri/lib/uri"
+
+# Use RubyGems vendored copy when available. Otherwise fallback to Bundler
+# vendored copy. The vendored copy in Bundler can be removed once support for
+# RubyGems 3.5 is dropped.
+
+begin
+  require "rubygems/vendor/uri/lib/uri"
+rescue LoadError
+  require_relative "vendor/uri/lib/uri"
+  Gem::URI = Bundler::URI
+
+  module Gem
+    def URI(uri) # rubocop:disable Naming/MethodName
+      Bundler::URI(uri)
+    end
+    module_function :URI
+  end
+end

data/bundler/lib/bundler/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: false
 
 module Bundler
-  VERSION = "2.5.5".freeze
+  VERSION = "2.5.10".freeze
 
   def self.bundler_major_version
     @bundler_major_version ||= VERSION.split(".").first.to_i

data/bundler/lib/bundler/yaml_serializer.rb

@@ -58,6 +58,8 @@ module Bundler
       str.split(/\r?\n/) do |line|
         if match = HASH_REGEX.match(line)
           indent, key, quote, val = match.captures
+          val = strip_comment(val)
+
           convert_to_backward_compatible_key!(key)
           depth = indent.size / 2
           if quote.empty? && val.empty?
@@ -72,6 +74,8 @@ module Bundler
           end
         elsif match = ARRAY_REGEX.match(line)
           _, val = match.captures
+          val = strip_comment(val)
+
           last_hash[last_empty_key] = [] unless last_hash[last_empty_key].is_a?(Array)
 
           last_hash[last_empty_key].push(val)
@@ -80,6 +84,14 @@ module Bundler
       res
     end
 
+    def strip_comment(val)
+      if val.include?("#") && !val.start_with?("#")
+        val.split("#", 2).first.strip
+      else
+        val
+      end
+    end
+
     # for settings' keys
     def convert_to_backward_compatible_key!(key)
       key << "/" if /https?:/i.match?(key) && !%r{/\Z}.match?(key)

data/bundler/lib/bundler.rb

@@ -40,6 +40,7 @@ module Bundler
   SUDO_MUTEX = Thread::Mutex.new
 
   autoload :Checksum,               File.expand_path("bundler/checksum", __dir__)
+  autoload :CLI,                    File.expand_path("bundler/cli", __dir__)
   autoload :CIDetector,             File.expand_path("bundler/ci_detector", __dir__)
   autoload :Definition,             File.expand_path("bundler/definition", __dir__)
   autoload :Dependency,             File.expand_path("bundler/dependency", __dir__)
@@ -165,6 +166,25 @@ module Bundler
       end
     end
 
+    # Automatically install dependencies if Bundler.settings[:auto_install] exists.
+    # This is set through config cmd `bundle config set --global auto_install 1`.
+    #
+    # Note that this method `nil`s out the global Definition object, so it
+    # should be called first, before you instantiate anything like an
+    # `Installer` that'll keep a reference to the old one instead.
+    def auto_install
+      return unless settings[:auto_install]
+
+      begin
+        definition.specs
+      rescue GemNotFound, GitError
+        ui.info "Automatically installing missing gems."
+        reset!
+        CLI::Install.new({}).run
+        reset!
+      end
+    end
+
     # Setups Bundler environment (see Bundler.setup) if it is not already set,
     # and loads all gems from groups specified. Unlike ::setup, can be called
     # multiple times with different groups (if they were allowed by setup).
@@ -200,12 +220,13 @@ module Bundler
     #
     # @param unlock [Hash, Boolean, nil] Gems that have been requested
     #   to be updated or true if all gems should be updated
+    # @param lockfile [Pathname] Path to Gemfile.lock
     # @return [Bundler::Definition]
-    def definition(unlock = nil)
+    def definition(unlock = nil, lockfile = default_lockfile)
       @definition = nil if unlock
       @definition ||= begin
         configure
-        Definition.build(default_gemfile, default_lockfile, unlock)
+        Definition.build(default_gemfile, lockfile, unlock)
       end
     end
 

data/lib/rubygems/command.rb

@@ -6,7 +6,7 @@
 # See LICENSE.txt for permissions.
 #++
 
-require_relative "optparse"
+require_relative "vendored_optparse"
 require_relative "requirement"
 require_relative "user_interaction"
 

data/lib/rubygems/command_manager.rb

@@ -60,6 +60,7 @@ class Gem::CommandManager
     :push,
     :query,
     :rdoc,
+    :rebuild,
     :search,
     :server,
     :signin,
@@ -106,7 +107,7 @@ class Gem::CommandManager
   # Register all the subcommands supported by the gem command.
 
   def initialize
-    require_relative "timeout"
+    require_relative "vendored_timeout"
     @commands = {}
 
     BUILTIN_COMMANDS.each do |name|

data/lib/rubygems/commands/build_command.rb

@@ -1,11 +1,13 @@
 # frozen_string_literal: true
 
 require_relative "../command"
+require_relative "../gemspec_helpers"
 require_relative "../package"
 require_relative "../version_option"
 
 class Gem::Commands::BuildCommand < Gem::Command
   include Gem::VersionOption
+  include Gem::GemspecHelpers
 
   def initialize
     super "build", "Build a gem from a gemspec"
@@ -75,17 +77,6 @@ Gems can be saved to a specified filename with the output option:
 
   private
 
-  def find_gemspec(glob = "*.gemspec")
-    gemspecs = Dir.glob(glob).sort
-
-    if gemspecs.size > 1
-      alert_error "Multiple gemspecs found: #{gemspecs}, please specify one"
-      terminate_interaction(1)
-    end
-
-    gemspecs.first
-  end
-
   def build_gem
     gemspec = resolve_gem_name
 

data/lib/rubygems/commands/help_command.rb

@@ -59,7 +59,7 @@ multiple environments.  The RubyGems implementation is designed to be
 compatible with Bundler's Gemfile format.  You can see additional
 documentation on the format at:
 
-  http://bundler.io
+  https://bundler.io
 
 RubyGems automatically looks for these gem dependencies files:
 
@@ -172,7 +172,7 @@ and #platforms methods:
 See the bundler Gemfile manual page for a list of platforms supported in a gem
 dependencies file.:
 
-  http://bundler.io/v1.6/man/gemfile.5.html
+  https://bundler.io/v2.5/man/gemfile.5.html
 
 Ruby Version and Engine Dependency
 ==================================

data/lib/rubygems/commands/rdoc_command.rb

@@ -84,14 +84,7 @@ Use --overwrite to force rebuilding of documentation.
         FileUtils.rm_rf File.join(spec.doc_dir, "rdoc")
       end
 
-      begin
-        doc.generate
-      rescue Errno::ENOENT => e
-        match = / - /.match(e.message)
-        alert_error "Unable to document #{spec.full_name}, " \
-                    " #{match.post_match} is missing, skipping"
-        terminate_interaction 1 if specs.length == 1
-      end
+      doc.generate
     end
   end
 end

data/lib/rubygems/commands/rebuild_command.rb

@@ -0,0 +1,264 @@
+# frozen_string_literal: true
+
+require "date"
+require "digest"
+require "fileutils"
+require "tmpdir"
+require_relative "../gemspec_helpers"
+require_relative "../package"
+
+class Gem::Commands::RebuildCommand < Gem::Command
+  include Gem::GemspecHelpers
+
+  DATE_FORMAT = "%Y-%m-%d %H:%M:%S.%N Z"
+
+  def initialize
+    super "rebuild", "Attempt to reproduce a build of a gem."
+
+    add_option "--diff", "If the files don't match, compare them using diffoscope." do |_value, options|
+      options[:diff] = true
+    end
+
+    add_option "--force", "Skip validation of the spec." do |_value, options|
+      options[:force] = true
+    end
+
+    add_option "--strict", "Consider warnings as errors when validating the spec." do |_value, options|
+      options[:strict] = true
+    end
+
+    add_option "--source GEM_SOURCE", "Specify the source to download the gem from." do |value, options|
+      options[:source] = value
+    end
+
+    add_option "--original GEM_FILE", "Specify a local file to compare against (instead of downloading it)." do |value, options|
+      options[:original_gem_file] = value
+    end
+
+    add_option "--gemspec GEMSPEC_FILE", "Specify the name of the gemspec file." do |value, options|
+      options[:gemspec_file] = value
+    end
+
+    add_option "-C PATH", "Run as if gem build was started in <PATH> instead of the current working directory." do |value, options|
+      options[:build_path] = value
+    end
+  end
+
+  def arguments # :nodoc:
+    "GEM_NAME      gem name on gem server\n" \
+    "GEM_VERSION   gem version you are attempting to rebuild"
+  end
+
+  def description # :nodoc:
+    <<-EOF
+The rebuild command allows you to (attempt to) reproduce a build of a gem
+from a ruby gemspec.
+
+This command assumes the gemspec can be built with the `gem build` command.
+If you use any of `gem build`, `rake build`, or`rake release` in the
+build/release process for a gem, it is a potential candidate.
+
+You will need to match the RubyGems version used, since this is included in
+the Gem metadata.
+
+If the gem includes lockfiles (e.g. Gemfile.lock) and similar, it will
+require more effort to reproduce a build. For example, it might require
+more precisely matched versions of Ruby and/or Bundler to be used.
+    EOF
+  end
+
+  def usage # :nodoc:
+    "#{program_name} GEM_NAME GEM_VERSION"
+  end
+
+  def execute
+    gem_name, gem_version = get_gem_name_and_version
+
+    old_dir, new_dir = prep_dirs
+
+    gem_filename = "#{gem_name}-#{gem_version}.gem"
+    old_file = File.join(old_dir, gem_filename)
+    new_file = File.join(new_dir, gem_filename)
+
+    if options[:original_gem_file]
+      FileUtils.copy_file(options[:original_gem_file], old_file)
+    else
+      download_gem(gem_name, gem_version, old_file)
+    end
+
+    rg_version = rubygems_version(old_file)
+    unless rg_version == Gem::VERSION
+      alert_error <<-EOF
+You need to use the same RubyGems version #{gem_name} v#{gem_version} was built with.
+
+#{gem_name} v#{gem_version} was built using RubyGems v#{rg_version}.
+Gem files include the version of RubyGems used to build them.
+This means in order to reproduce #{gem_filename}, you must also use RubyGems v#{rg_version}.
+
+You're using RubyGems v#{Gem::VERSION}.
+
+Please install RubyGems v#{rg_version} and try again.
+      EOF
+      terminate_interaction 1
+    end
+
+    source_date_epoch = get_timestamp(old_file).to_s
+
+    if build_path = options[:build_path]
+      Dir.chdir(build_path) { build_gem(gem_name, source_date_epoch, new_file) }
+    else
+      build_gem(gem_name, source_date_epoch, new_file)
+    end
+
+    compare(source_date_epoch, old_file, new_file)
+  end
+
+  private
+
+  def sha256(file)
+    Digest::SHA256.hexdigest(Gem.read_binary(file))
+  end
+
+  def get_timestamp(file)
+    mtime = nil
+    File.open(file, Gem.binary_mode) do |f|
+      Gem::Package::TarReader.new(f) do |tar|
+        mtime = tar.seek("metadata.gz") {|tf| tf.header.mtime }
+      end
+    end
+
+    mtime
+  end
+
+  def compare(source_date_epoch, old_file, new_file)
+    date = Time.at(source_date_epoch.to_i).strftime("%F %T %Z")
+
+    old_hash = sha256(old_file)
+    new_hash = sha256(new_file)
+
+    say
+    say "Built at: #{date} (#{source_date_epoch})"
+    say "Original build saved to:   #{old_file}"
+    say "Reproduced build saved to: #{new_file}"
+    say "Working directory: #{options[:build_path] || Dir.pwd}"
+    say
+    say "Hash comparison:"
+    say "  #{old_hash}\t#{old_file}"
+    say "  #{new_hash}\t#{new_file}"
+    say
+
+    if old_hash == new_hash
+      say "SUCCESS - original and rebuild hashes matched"
+    else
+      say "FAILURE - original and rebuild hashes did not match"
+      say
+
+      if options[:diff]
+        if system("diffoscope", old_file, new_file).nil?
+          alert_error "error: could not find `diffoscope` executable"
+        end
+      else
+        say "Pass --diff for more details (requires diffoscope to be installed)."
+      end
+
+      terminate_interaction 1
+    end
+  end
+
+  def prep_dirs
+    rebuild_dir = Dir.mktmpdir("gem_rebuild")
+    old_dir = File.join(rebuild_dir, "old")
+    new_dir = File.join(rebuild_dir, "new")
+
+    FileUtils.mkdir_p(old_dir)
+    FileUtils.mkdir_p(new_dir)
+
+    [old_dir, new_dir]
+  end
+
+  def get_gem_name_and_version
+    args = options[:args] || []
+    if args.length == 2
+      gem_name, gem_version = args
+    elsif args.length > 2
+      raise Gem::CommandLineError, "Too many arguments"
+    else
+      raise Gem::CommandLineError, "Expected GEM_NAME and GEM_VERSION arguments (gem rebuild GEM_NAME GEM_VERSION)"
+    end
+
+    [gem_name, gem_version]
+  end
+
+  def build_gem(gem_name, source_date_epoch, output_file)
+    gemspec = options[:gemspec_file] || find_gemspec("#{gem_name}.gemspec")
+
+    if gemspec
+      build_package(gemspec, source_date_epoch, output_file)
+    else
+      alert_error error_message(gem_name)
+      terminate_interaction(1)
+    end
+  end
+
+  def build_package(gemspec, source_date_epoch, output_file)
+    with_source_date_epoch(source_date_epoch) do
+      spec = Gem::Specification.load(gemspec)
+      if spec
+        Gem::Package.build(
+          spec,
+          options[:force],
+          options[:strict],
+          output_file
+        )
+      else
+        alert_error "Error loading gemspec. Aborting."
+        terminate_interaction 1
+      end
+    end
+  end
+
+  def with_source_date_epoch(source_date_epoch)
+    old_sde = ENV["SOURCE_DATE_EPOCH"]
+    ENV["SOURCE_DATE_EPOCH"] = source_date_epoch.to_s
+
+    yield
+  ensure
+    ENV["SOURCE_DATE_EPOCH"] = old_sde
+  end
+
+  def error_message(gem_name)
+    if gem_name
+      "Couldn't find a gemspec file matching '#{gem_name}' in #{Dir.pwd}"
+    else
+      "Couldn't find a gemspec file in #{Dir.pwd}"
+    end
+  end
+
+  def download_gem(gem_name, gem_version, old_file)
+    # This code was based loosely off the `gem fetch` command.
+    version = "= #{gem_version}"
+    dep = Gem::Dependency.new gem_name, version
+
+    specs_and_sources, errors =
+      Gem::SpecFetcher.fetcher.spec_for_dependency dep
+
+    # There should never be more than one item in specs_and_sources,
+    # since we search for an exact version.
+    spec, source = specs_and_sources[0]
+
+    if spec.nil?
+      show_lookup_failure gem_name, version, errors, options[:domain]
+      terminate_interaction 1
+    end
+
+    download_path = source.download spec
+
+    FileUtils.move(download_path, old_file)
+
+    say "Downloaded #{gem_name} version #{gem_version} as #{old_file}."
+  end
+
+  def rubygems_version(gem_file)
+    Gem::Package.new(gem_file).spec.rubygems_version
+  end
+end

data/lib/rubygems/commands/sources_command.rb

@@ -59,7 +59,7 @@ class Gem::Commands::SourcesCommand < Gem::Command
 
         say "#{source_uri} added to sources"
       end
-    rescue URI::Error, ArgumentError
+    rescue Gem::URI::Error, ArgumentError
       say "#{source_uri} is not a URI"
       terminate_interaction 1
     rescue Gem::RemoteFetcher::FetchError => e
@@ -81,7 +81,7 @@ Do you want to add this source?
   end
 
   def check_rubygems_https(source_uri) # :nodoc:
-    uri = URI source_uri
+    uri = Gem::URI source_uri
 
     if uri.scheme && uri.scheme.casecmp("http").zero? &&
        uri.host.casecmp("rubygems.org").zero?

data/lib/rubygems/commands/update_command.rb

@@ -197,18 +197,17 @@ command to remove old versions.
       yield
     else
       require "tmpdir"
-      tmpdir = Dir.mktmpdir
-      FileUtils.mv Gem.plugindir, tmpdir
+      Dir.mktmpdir("gem_update") do |tmpdir|
+        FileUtils.mv Gem.plugindir, tmpdir
 
-      status = yield
+        status = yield
 
-      if status
-        FileUtils.rm_rf tmpdir
-      else
-        FileUtils.mv File.join(tmpdir, "plugins"), Gem.plugindir
-      end
+        unless status
+          FileUtils.mv File.join(tmpdir, "plugins"), Gem.plugindir
+        end
 
-      status
+        status
+      end
     end
   end
 

data/lib/rubygems/config_file.rb

@@ -202,21 +202,33 @@ class Gem::ConfigFile
       @hash = @hash.merge environment_config
     end
 
+    @hash.transform_keys! do |k|
+      # gemhome and gempath are not working with symbol keys
+      if %w[backtrace bulk_threshold verbose update_sources cert_expiration_length_days
+            install_extension_in_lib ipv4_fallback_enabled sources disable_default_gem_server
+            ssl_verify_mode ssl_ca_cert ssl_client_cert].include?(k)
+        k.to_sym
+      else
+        k
+      end
+    end
+
     # HACK: these override command-line args, which is bad
     @backtrace                   = @hash[:backtrace]                   if @hash.key? :backtrace
     @bulk_threshold              = @hash[:bulk_threshold]              if @hash.key? :bulk_threshold
-    @home                        = @hash[:gemhome]                     if @hash.key? :gemhome
-    @path                        = @hash[:gempath]                     if @hash.key? :gempath
-    @update_sources              = @hash[:update_sources]              if @hash.key? :update_sources
     @verbose                     = @hash[:verbose]                     if @hash.key? :verbose
-    @disable_default_gem_server  = @hash[:disable_default_gem_server]  if @hash.key? :disable_default_gem_server
-    @sources                     = @hash[:sources]                     if @hash.key? :sources
+    @update_sources              = @hash[:update_sources]              if @hash.key? :update_sources
+    # TODO: We should handle concurrent_downloads same as other options
     @cert_expiration_length_days = @hash[:cert_expiration_length_days] if @hash.key? :cert_expiration_length_days
     @ipv4_fallback_enabled       = @hash[:ipv4_fallback_enabled]       if @hash.key? :ipv4_fallback_enabled
 
-    @ssl_verify_mode  = @hash[:ssl_verify_mode]  if @hash.key? :ssl_verify_mode
-    @ssl_ca_cert      = @hash[:ssl_ca_cert]      if @hash.key? :ssl_ca_cert
-    @ssl_client_cert  = @hash[:ssl_client_cert]  if @hash.key? :ssl_client_cert
+    @home                        = @hash[:gemhome]                     if @hash.key? :gemhome
+    @path                        = @hash[:gempath]                     if @hash.key? :gempath
+    @sources                     = @hash[:sources]                     if @hash.key? :sources
+    @disable_default_gem_server  = @hash[:disable_default_gem_server]  if @hash.key? :disable_default_gem_server
+    @ssl_verify_mode             = @hash[:ssl_verify_mode]             if @hash.key? :ssl_verify_mode
+    @ssl_ca_cert                 = @hash[:ssl_ca_cert]                 if @hash.key? :ssl_ca_cert
+    @ssl_client_cert             = @hash[:ssl_client_cert]             if @hash.key? :ssl_client_cert
 
     @api_keys         = nil
     @rubygems_api_key = nil

data/lib/rubygems/defaults.rb

@@ -112,7 +112,7 @@ module Gem
   # The path to standard location of the user's configuration directory.
 
   def self.config_home
-    @config_home ||= (ENV["XDG_CONFIG_HOME"] || File.join(Gem.user_home, ".config"))
+    @config_home ||= ENV["XDG_CONFIG_HOME"] || File.join(Gem.user_home, ".config")
   end
 
   ##
@@ -145,21 +145,21 @@ module Gem
   # The path to standard location of the user's cache directory.
 
   def self.cache_home
-    @cache_home ||= (ENV["XDG_CACHE_HOME"] || File.join(Gem.user_home, ".cache"))
+    @cache_home ||= ENV["XDG_CACHE_HOME"] || File.join(Gem.user_home, ".cache")
   end
 
   ##
   # The path to standard location of the user's data directory.
 
   def self.data_home
-    @data_home ||= (ENV["XDG_DATA_HOME"] || File.join(Gem.user_home, ".local", "share"))
+    @data_home ||= ENV["XDG_DATA_HOME"] || File.join(Gem.user_home, ".local", "share")
   end
 
   ##
   # The path to standard location of the user's state directory.
 
   def self.state_home
-    @state_home ||= (ENV["XDG_STATE_HOME"] || File.join(Gem.user_home, ".local", "state"))
+    @state_home ||= ENV["XDG_STATE_HOME"] || File.join(Gem.user_home, ".local", "state")
   end
 
   ##

data/lib/rubygems/dependency.rb

@@ -328,9 +328,9 @@ class Gem::Dependency
     return active if active
 
     unless prerelease?
-      # Move prereleases to the end of the list for >= 0 requirements
+      # Consider prereleases only as a fallback
       pre, matches = matches.partition {|spec| spec.version.prerelease? }
-      matches += pre if requirement == Gem::Requirement.default
+      matches = pre if matches.empty?
     end
 
     matches.first

data/lib/rubygems/dependency_list.rb

@@ -6,7 +6,7 @@
 # See LICENSE.txt for permissions.
 #++
 
-require_relative "tsort"
+require_relative "vendored_tsort"
 require_relative "deprecate"
 
 ##