rubygems-update 3.6.9 → 3.7.0

data/doc/bundler/UPGRADING.md

@@ -1,150 +1,85 @@
 # Upgrading
 
-## Bundler 3
+## Bundler 4
 
-The following is a summary of the changes that we plan to introduce in Bundler
-3, why we will be making those changes, and what the deprecation process will
-look like. All these deprecations are printed by default in the Bundler 2.1 release.
-
-If you don't want to deal with deprecations right now and want to toggle them
-off, you can do it through configuration. Set the `BUNDLE_SILENCE_DEPRECATIONS`
-environment variable to "true", or configure it through `bundle config` either
-globally through `bundle config set --global silence_deprecations true` command, or
-locally through `bundle config set --local silence_deprecations true`. From now
-on in this document we will assume that all three of these configuration options
-are available, but will only mention `bundle config set <option> <value>`.
-
-As a general note, these changes are intended to improve the experience using
-bundler for _new_ users, who have no existing usage routines nor possibly biased
-opinions about how the tool should work based on how it has historically worked.
-We do understand that changing behaviour that have been existing for years can
-be annoying for old users, that's why we intend to make this process as smooth
-as possible for everyone.
-
-I'll be dividing the deprecations into four groups: CLI deprecations, Helper
-deprecations, DSL deprecations, and misc deprecations. Let's dive into each of
-them.
-
-### CLI deprecations
-
-The CLI defines a set of commands and options that can be used by our users to
-create command lines that bundler can understand. There's a number of changes
-in the upcoming 3 version.
-
-* Flags passed to `bundle install` that relied on being remembered across invocations have been deprecated.
-
-  In particular, the `--clean`, `--deployment`, `--frozen`,
-  `--no-prune`, `--path`, `--shebang`, `--system`, `--without`, and `--with`
-  options to `bundle install`.
-
-  Remembering CLI options has been a source of historical confusion and bug
-  reports, not only for beginners but also for experienced users. A CLI tool
-  should not behave differently across exactly the same invocations _unless_
-  explicitly configured to do so. This is what configuration is about after all,
-  and things should never be silently configured without the user knowing about
-  it.
-
-  The problem with changing this behavior is that very common workflows are
-  relying on it. For example, when you run `bundle install --without
-  development:test` in production, those flags are persisted in the app's
-  configuration file and further `bundle` invocations will happily ignore
-  development and test gems.  This magic will disappear from bundler 3, and
-  you will explicitly need to configure it, either through environment
-  variables, application configuration, or machine configuration. For example,
-  with `bundle config set --local without development test`.
-
-  The removal of this kind of flag also applies to analogous commands, for
-  example, to `bundle check --path`.
-
-* The `--force` flag to `bundle install` and `bundle update` has been renamed to `--redownload`.
-
-  This is just a simple rename of the flag, to make more apparent what it
-  actually does. This flag forces redownloading every gem, it doesn't "force"
-  anything else.
-
-* `bundle viz` will be removed and extracted to a plugin.
-
-  This is the only bundler command requiring external dependencies, both an OS
-  dependency (the `graphviz` package) and a gem dependency (the `ruby-graphviz`
-  gem). Removing these dependencies will make development easier and it was also
-  seen by the bundler team as an opportunity to develop a bundler plugin that
-  it's officially maintained by the bundler team, and that users can take as a
-  reference to develop their own plugins. The plugin will contain the same code
-  as the old core command, the only difference being that the command is now
-  implemented as `bundle graph` which is much easier to understand. However, the
-  details of the plugin are under discussion. See [#3333](https://github.com/rubygems/rubygems/issues/3333).
+In order to prepare for Bundler 4, you can easily configure Bundler 2.7 to
+behave exactly like Bundler 4 will behave. To do so, set the environment
+variable `BUNDLE_SIMULATE_VERSION` to `4`. Alternatively, you can use `bundle
+config` and enable "Bundler 4 mode" either globally through `bundle config set
+--global simulate_version 4`, or locally through `bundle config set --local
+simulate_version 4`. From now on in this document we will assume that all three
+of these configuration options are available, but will only mention `bundle
+config set <option> <value>`.
 
-* The `bundle console` will be removed and replaced with `bin/console`.
+The following is a summary of the changes that we plan to introduce in Bundler
+4, and why we will be making those changes. Some of them should be well known
+already by existing users, because we have been printing deprecation messages
+for years, but some of them are defaults that will be switched in Bundler 4 and
+needs some heads up.
 
-  Over time we found `bundle console` hard to maintain because every user would
-  want to add her own specific tweaks to it. In order to ease maintenance and
-  reduce bikeshedding discussions, we're removing the `bundle console` command
-  in favor of a `bin/console` script created by `bundle gem` on gem generation
-  that users can tweak to their needs.
+### Running just `bundle`  will print help usage
 
+We're changing this default to make Bundler more friendly for new users. We do
+understand that long time users already know how Bundler works and find useful
+that just `bundle` defaults to `bundle install`. Those users can keep the
+existing default by configuring
 
-* The `bundle install` command will no longer accept a `--binstubs` flag.
+```
+bundle config default_cli_command install
+```
 
-  The `--binstubs` option has been removed from `bundle install` and replaced
-  with the `bundle binstubs` command. The `--binstubs` flag would create
-  binstubs for all executables present inside the gems in the project. This was
-  hardly useful since most users will only use a subset of all the binstubs
-  available to them. Also, it would force the introduction of a bunch of most
-  likely unused files into source control. Because of this, binstubs now must
-  be created and checked into version control individually.
-
-
-* The `bundle inject` command is deprecated and replaced with `bundle add`.
-
-  We believe the new command fits the user's mental model better and it supports
-  a wider set of use cases. The interface supported by `bundle inject` works
-  exactly the same in `bundle add`, so it should be easy to migrate to the new
-  command.
+### Bundler will install to a `.bundle` folder relative to repository root by default
 
-#### Cancelled CLI deprecations
+We're making this change to improve isolation.
 
-These deprecations have been initially announced before, but the deprecations
-were cancelled before the release of Bundler 2.1.0 in [rubygems/bundler#7475](https://github.com/rubygems/bundler/pull/7475).
+The previous default of installing to system changes can be kept with `bundle
+config path.system true`.
 
-* ~The `bundle update` command will no longer update all gems, you'll need to pass `--all` to it.~ (postponed)
+Related to this change, and to alleviate potential bad consequences from it,
+we're also shipping some related changes:
 
-* ~The `bundle config` command will no longer accept old subcommand-based interface before Bundler 2.1.~ (postponed)
+* To keep disk usage under control, Bundler will cleanup unused gems when
+  installing gems per application using the new default. This new behavior can
+  be disabled by toggling back installing to system gems as explained before, or
+  by configuring `bundle config clean false`.
 
-### Helper deprecations
+* To avoid duplicate downloads of `.gem` packages and recompilation of
+  extensions, Bundler will keep a global cache of gem packages and compiled
+  extensions. This new behaviour can be disabled with `bundle config
+  global_gem_cache false`, or by toggling back installing to system gems as
+  explained before.
 
-* `Bundler.clean_env`, `Bundler.with_clean_env`, `Bundler.clean_system`, and `Bundler.clean_exec` are deprecated.
+### Flags passed to `bundle install` that relied on being remembered across invocations will be removed
 
-  All of these helpers ultimately use `Bundler.clean_env` under the hood, which
-  makes sure all bundler-related environment are removed inside the block it
-  yields.
+In particular, the `--clean`, `--deployment`, `--frozen`, `--no-prune`,
+`--path`, `--shebang`, `--system`, `--without`, and `--with` options to `bundle
+install`.
 
-  After quite a lot user reports, we noticed that users don't usually want this
-  but instead want the bundler environment as it was before the current process
-  was started. Thus, `Bundler.with_original_env`, `Bundler.original_system`, and
-  `Bundler.original_exec` were born. They all use the new `Bundler.original_env`
-  under the hood.
+Remembering CLI options has been a source of historical confusion and bug
+reports, not only for beginners but also for experienced users. A CLI tool
+should not behave differently across exactly the same invocations _unless_
+explicitly configured to do so. This is what configuration is about after all,
+and things should never be silently configured without the user knowing about
+it.
 
-  There's however some specific cases where the good old `Bundler.clean_env`
-  behavior can be useful. For example, when testing Rails generators, you really
-  want an environment where `bundler` is out of the picture. This is why we
-  decided to keep the old behavior under a new more clear name, because we
-  figured the word "clean" was too ambiguous. So we have introduced
-  `Bundler.unbundled_env`, `Bundler.with_unbundled_env`,
-  `Bundler.unbundled_system`, and `Bundler.unbundled_exec`.
+The problem with changing this behavior is that very common workflows are
+relying on it. For example, when you run `bundle install --without
+development:test` in production, those flags are persisted in the app's
+configuration file and further `bundle` invocations will happily ignore
+development and test gems.  This magic will disappear from bundler 4, and you
+will explicitly need to configure it, either through environment variables,
+application configuration, or machine configuration. For example, with `bundle
+config set --local without development test`.
 
-* `Bundler.environment` is deprecated in favor of `Bundler.load`.
+### Bundler will include checksums in the lockfile by default
 
-  We're not sure how people might be using this directly but we have removed the
-  `Bundler::Environment` class which was instantiated by `Bundler.environment`
-  since we realized the `Bundler::Runtime` class was the same thing. During the
-  transition `Bundler.environment` will delegate to `Bundler.load`, which holds
-  the reference to the `Bundler::Environment`.
+We shipped this security feature recently and we believe it's time to turn it on
+by default, so that everyone benefits from the extra security assurances by default.
 
-#### DSL deprecations
+### Strict source pinning in Gemfile is enforced by default
 
-The following deprecations in bundler's DSL are meant to prepare for the strict
-source pinning in bundler 3, where the source for every dependency will be
-unambiguously defined.
+In bundler 4, the source for every dependency will be unambiguously defined, and
+Bundler will refuse to run otherwise.
 
 * Multiple global Gemfile sources will no longer be supported.
 
@@ -207,7 +142,82 @@ unambiguously defined.
   end
   ```
 
-#### Misc deprecations
+#### Notable CLI changes
+
+* The `--force` flag to `bundle install` and `bundle update` will be renamed to `--redownload`.
+
+  This is just a simple rename of the flag, to make more apparent what it
+  actually does. This flag forces redownloading every gem, it doesn't "force"
+  anything else.
+
+* `bundle viz` will be removed and extracted to a plugin.
+
+  This is the only bundler command requiring external dependencies, both an OS
+  dependency (the `graphviz` package) and a gem dependency (the `ruby-graphviz`
+  gem). Removing these dependencies will make development easier and it was also
+  seen by the bundler team as an opportunity to develop a bundler plugin that
+  it's officially maintained by the bundler team, and that users can take as a
+  reference to develop their own plugins. The plugin will contain the same code
+  as the old core command, the only difference being that the command is now
+  implemented as `bundle graph` which is much easier to understand. However, the
+  details of the plugin are under discussion. See [#3333](https://github.com/rubygems/rubygems/issues/3333).
+
+* The `bundle install` command will no longer accept a `--binstubs` flag.
+
+  The `--binstubs` option has been removed from `bundle install` and replaced
+  with the `bundle binstubs` command. The `--binstubs` flag would create
+  binstubs for all executables present inside the gems in the project. This was
+  hardly useful since most users will only use a subset of all the binstubs
+  available to them. Also, it would force the introduction of a bunch of most
+  likely unused files into source control. Because of this, binstubs now must
+  be created and checked into version control individually.
+
+* The `bundle inject` command will be replaced with `bundle add`
+
+  We believe the new command fits the user's mental model better and it supports
+  a wider set of use cases. The interface supported by `bundle inject` works
+  exactly the same in `bundle add`, so it should be easy to migrate to the new
+  command.
+
+### Other notable changes
+
+* Git and Path gems will be included in `vendor/cache` by default
+
+  We're unsure why these gems were treated specially so we'll start caching them
+  normally.
+
+* Bundler will use cached local data if available when network issues are found
+  during resolution.
+
+  Just trying to provide a more resilient behavior here.
+
+* `Bundler.clean_env`, `Bundler.with_clean_env`, `Bundler.clean_system`, and `Bundler.clean_exec` will be removed
+
+  All of these helpers ultimately use `Bundler.clean_env` under the hood, which
+  makes sure all bundler-related environment are removed inside the block it
+  yields.
+
+  After quite a lot user reports, we noticed that users don't usually want this
+  but instead want the bundler environment as it was before the current process
+  was started. Thus, `Bundler.with_original_env`, `Bundler.original_system`, and
+  `Bundler.original_exec` were born. They all use the new `Bundler.original_env`
+  under the hood.
+
+  There's however some specific cases where the good old `Bundler.clean_env`
+  behavior can be useful. For example, when testing Rails generators, you really
+  want an environment where `bundler` is out of the picture. This is why we
+  decided to keep the old behavior under a new more clear name, because we
+  figured the word "clean" was too ambiguous. So we have introduced
+  `Bundler.unbundled_env`, `Bundler.with_unbundled_env`,
+  `Bundler.unbundled_system`, and `Bundler.unbundled_exec`.
+
+* `Bundler.environment` is deprecated in favor of `Bundler.load`.
+
+  We're not sure how people might be using this directly but we have removed the
+  `Bundler::Environment` class which was instantiated by `Bundler.environment`
+  since we realized the `Bundler::Runtime` class was the same thing. During the
+  transition `Bundler.environment` will delegate to `Bundler.load`, which holds
+  the reference to the `Bundler::Environment`.
 
 * Deployment helpers for `vlad` and `capistrano` are being removed.
 

data/doc/rubygems/CONTRIBUTING.md

@@ -52,7 +52,7 @@ To run commands like `gem install` from the repo:
 
 To run commands like `bundle install` from the repo:
 
-    ruby bundler/spec/support/bundle.rb install
+    bundler/bin/bundle install
 
 ### Running Tests
 

data/lib/rubygems/basic_specification.rb

@@ -256,6 +256,13 @@ class Gem::BasicSpecification
     raise NotImplementedError
   end
 
+  def installable_on_platform?(target_platform) # :nodoc:
+    return true if [Gem::Platform::RUBY, nil, target_platform].include?(platform)
+    return true if Gem::Platform.new(platform) === target_platform
+
+    false
+  end
+
   def raw_require_paths # :nodoc:
     raise NotImplementedError
   end

data/lib/rubygems/commands/pristine_command.rb

@@ -137,11 +137,14 @@ extensions will be restored.
     specs.group_by(&:full_name_with_location).values.each do |grouped_specs|
       spec = grouped_specs.find {|s| !s.default_gem? } || grouped_specs.first
 
-      unless only_executables_or_plugins?
+      only_executables = options[:only_executables]
+      only_plugins = options[:only_plugins]
+
+      unless only_executables || only_plugins
         # Default gemspecs include changes provided by ruby-core installer that
         # can't currently be pristined (inclusion of compiled extension targets in
         # the file list). So stick to resetting executables if it's a default gem.
-        options[:only_executables] = true if spec.default_gem?
+        only_executables = true if spec.default_gem?
       end
 
       if options.key? :skip
@@ -151,14 +154,14 @@ extensions will be restored.
         end
       end
 
-      unless spec.extensions.empty? || options[:extensions] || only_executables_or_plugins?
+      unless spec.extensions.empty? || options[:extensions] || only_executables || only_plugins
         say "Skipped #{spec.full_name_with_location}, it needs to compile an extension"
         next
       end
 
       gem = spec.cache_file
 
-      unless File.exist?(gem) || only_executables_or_plugins?
+      unless File.exist?(gem) || only_executables || only_plugins
         require_relative "../remote_fetcher"
 
         say "Cached gem for #{spec.full_name_with_location} not found, attempting to fetch..."
@@ -194,10 +197,10 @@ extensions will be restored.
         bin_dir: bin_dir,
       }
 
-      if options[:only_executables]
+      if only_executables
         installer = Gem::Installer.for_spec(spec, installer_options)
         installer.generate_bin
-      elsif options[:only_plugins]
+      elsif only_plugins
         installer = Gem::Installer.for_spec(spec, installer_options)
         installer.generate_plugins
       else
@@ -208,10 +211,4 @@ extensions will be restored.
       say "Restored #{spec.full_name_with_location}"
     end
   end
-
-  private
-
-  def only_executables_or_plugins?
-    options[:only_executables] || options[:only_plugins]
-  end
 end

data/lib/rubygems/commands/setup_command.rb

@@ -7,8 +7,8 @@ require_relative "../command"
 # RubyGems checkout or tarball.
 
 class Gem::Commands::SetupCommand < Gem::Command
-  HISTORY_HEADER = %r{^#\s*[\d.a-zA-Z]+\s*/\s*\d{4}-\d{2}-\d{2}\s*$}
-  VERSION_MATCHER = %r{^#\s*([\d.a-zA-Z]+)\s*/\s*\d{4}-\d{2}-\d{2}\s*$}
+  HISTORY_HEADER = %r{^##\s*[\d.a-zA-Z]+\s*/\s*\d{4}-\d{2}-\d{2}\s*$}
+  VERSION_MATCHER = %r{^##\s*([\d.a-zA-Z]+)\s*/\s*\d{4}-\d{2}-\d{2}\s*$}
 
   ENV_PATHS = %w[/usr/bin/env /bin/env].freeze
 

data/lib/rubygems/core_ext/kernel_require.rb

@@ -64,8 +64,11 @@ module Kernel
           rp
         end
 
-        Kernel.send(:gem, name, Gem::Requirement.default_prerelease) unless
-          resolved_path
+        next if resolved_path
+
+        Kernel.send(:gem, name, Gem::Requirement.default_prerelease)
+
+        Gem.load_bundler_extensions(Gem.loaded_specs[name].version) if name == "bundler"
 
         next
       end

data/lib/rubygems/ext/cargo_builder.rb

@@ -158,6 +158,10 @@ class Gem::Ext::CargoBuilder < Gem::Ext::Builder
   # mkmf work properly.
   def linker_args
     cc_flag = self.class.shellsplit(makefile_config("CC"))
+    # Avoid to ccache like tool from Rust build
+    # see https://github.com/rubygems/rubygems/pull/8521#issuecomment-2689854359
+    # ex. CC="ccache gcc" or CC="sccache clang --any --args"
+    cc_flag.shift if cc_flag.size >= 2 && !cc_flag[1].start_with?("-")
     linker = cc_flag.shift
     link_args = cc_flag.flat_map {|a| ["-C", "link-arg=#{a}"] }
 

data/lib/rubygems/gemcutter_utilities/webauthn_listener.rb

@@ -85,10 +85,17 @@ module Gem::GemcutterUtilities
     end
 
     def parse_otp_from_uri(uri)
-      require "cgi"
+      query = uri.query
+      return unless query && !query.empty?
 
-      return if uri.query.nil?
-      CGI.parse(uri.query).dig("code", 0)
+      query.split("&") do |param|
+        key, value = param.split("=", 2)
+        if value && Gem::URI.decode_www_form_component(key) == "code"
+          return Gem::URI.decode_www_form_component(value)
+        end
+      end
+
+      nil
     end
 
     class SocketResponder

data/lib/rubygems/gemcutter_utilities.rb

@@ -319,7 +319,7 @@ module Gem::GemcutterUtilities
   end
 
   def get_scope_params(scope)
-    scope_params = { index_rubygems: true }
+    scope_params = { index_rubygems: true, push_rubygem: true }
 
     if scope
       scope_params = { scope => true }

data/lib/rubygems/installer.rb

@@ -228,8 +228,7 @@ class Gem::Installer
       ruby_executable = true
       existing = io.read.slice(/
           ^\s*(
-            gem \s |
-            load \s Gem\.bin_path\( |
+            Gem\.activate_and_load_bin_path\( |
             load \s Gem\.activate_bin_path\(
           )
           (['"])(.*?)(\2),
@@ -749,54 +748,53 @@ class Gem::Installer
   def app_script_text(bin_file_name)
     # NOTE: that the `load` lines cannot be indented, as old RG versions match
     # against the beginning of the line
-    <<-TEXT
-#{shebang bin_file_name}
-#
-# This file was generated by RubyGems.
-#
-# The application '#{spec.name}' is installed as part of a gem, and
-# this file is here to facilitate running it.
-#
-
-require 'rubygems'
-#{gemdeps_load(spec.name)}
-version = "#{Gem::Requirement.default_prerelease}"
-
-str = ARGV.first
-if str
-  str = str.b[/\\A_(.*)_\\z/, 1]
-  if str and Gem::Version.correct?(str)
-    #{explicit_version_requirement(spec.name)}
-    ARGV.shift
-  end
-end
+    <<~TEXT
+      #{shebang bin_file_name}
+      #
+      # This file was generated by RubyGems.
+      #
+      # The application '#{spec.name}' is installed as part of a gem, and
+      # this file is here to facilitate running it.
+      #
+
+      require 'rubygems'
+      #{gemdeps_load(spec.name)}
+      version = "#{Gem::Requirement.default_prerelease}"
+
+      str = ARGV.first
+      if str
+        str = str.b[/\\A_(.*)_\\z/, 1]
+        if str and Gem::Version.correct?(str)
+          #{explicit_version_requirement(spec.name)}
+          ARGV.shift
+        end
+      end
 
-if Gem.respond_to?(:activate_bin_path)
-load Gem.activate_bin_path('#{spec.name}', '#{bin_file_name}', version)
-else
-gem #{spec.name.dump}, version
-load Gem.bin_path(#{spec.name.dump}, #{bin_file_name.dump}, version)
-end
-TEXT
+      if Gem.respond_to?(:activate_and_load_bin_path)
+        Gem.activate_and_load_bin_path('#{spec.name}', '#{bin_file_name}', version)
+      else
+        load Gem.activate_bin_path('#{spec.name}', '#{bin_file_name}', version)
+      end
+    TEXT
   end
 
   def gemdeps_load(name)
     return "" if name == "bundler"
 
-    <<-TEXT
+    <<~TEXT
 
-Gem.use_gemdeps
-TEXT
+      Gem.use_gemdeps
+    TEXT
   end
 
   def explicit_version_requirement(name)
     code = "version = str"
     return code unless name == "bundler"
 
-    code += <<-TEXT
+    code += <<~TEXT
 
-    ENV['BUNDLER_VERSION'] = str
-TEXT
+      ENV['BUNDLER_VERSION'] = str
+    TEXT
   end
 
   ##
@@ -811,9 +809,9 @@ TEXT
 
     if File.exist?(File.join(bindir, ruby_exe))
       # stub & ruby.exe within same folder.  Portable
-      <<-TEXT
-@ECHO OFF
-@"%~dp0#{ruby_exe}" "%~dpn0" %*
+      <<~TEXT
+        @ECHO OFF
+        @"%~dp0#{ruby_exe}" "%~dpn0" %*
       TEXT
     elsif bindir.downcase.start_with? rb_topdir.downcase
       # stub within ruby folder, but not standard bin.  Portable
@@ -821,16 +819,16 @@ TEXT
       from = Pathname.new bindir
       to   = Pathname.new "#{rb_topdir}/bin"
       rel  = to.relative_path_from from
-      <<-TEXT
-@ECHO OFF
-@"%~dp0#{rel}/#{ruby_exe}" "%~dpn0" %*
+      <<~TEXT
+        @ECHO OFF
+        @"%~dp0#{rel}/#{ruby_exe}" "%~dpn0" %*
       TEXT
     else
       # outside ruby folder, maybe -user-install or bundler.  Portable, but ruby
       # is dependent on PATH
-      <<-TEXT
-@ECHO OFF
-@#{ruby_exe} "%~dpn0" %*
+      <<~TEXT
+        @ECHO OFF
+        @#{ruby_exe} "%~dpn0" %*
       TEXT
     end
   end
@@ -953,11 +951,8 @@ TEXT
   end
 
   def ensure_writable_dir(dir) # :nodoc:
-    begin
-      Dir.mkdir dir, *[options[:dir_mode] && 0o755].compact
-    rescue SystemCallError
-      raise unless File.directory? dir
-    end
+    require "fileutils"
+    FileUtils.mkdir_p dir, mode: options[:dir_mode] && 0o755
 
     raise Gem::FilePermissionError.new(dir) unless File.writable? dir
   end