rubygems-update 4.0.12 → 4.0.13

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7d207eaa8ea0c17596ba6919cee2053ab7044e1a33c1928e61887a06b2a74700
-  data.tar.gz: 83258ebcc931736a81fc787b12ea9e8f6ecbc20973230ac542326dff6c8e1ae6
+  metadata.gz: 0660c05e56df8027375e8d01d875fc71e9837ed53336eface4ce3caef8463b06
+  data.tar.gz: 41fb9134ffe1423a57d10e9c3974c4fd03d02f31aea6da2d8703df407cb720c2
 SHA512:
-  metadata.gz: fde24bf1c702d73c532d60c5bedff3e8876b6bf6200779abbdf0a959e96570fb9c8b0c3db27dbd4899a3b1db5f3d011c9255d9ab2c6df4c212a020a2290dcf45
-  data.tar.gz: 669918da9e6e3552a74057002a34f54a73c5aef7b0043f510578ae46ec6fb4ae40060a437aaed13c7de0e47f2fdc5ab9432315f0954a5c429ffff7381f1f93ee
+  metadata.gz: ad34acb0f898943a0a749765234e2ec3abec927d9d6eaffcbd5b33498dc04fe8f0a5477d7569a02a4792fdbaa058c05c14abe38c707c43568f2249c0855c050d
+  data.tar.gz: 9bbb91eccb1401d2942b8817734b0130a6c7d33163f4faab4e3204d4f63bbbc317bb78e41a605b494d2224f4954c08d807e75ee3954def54a34e6410d08b85c6

data/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## 4.0.13 / 2026-06-03
+
+### Enhancements:
+
+* Prevent extraction from escaping destination_dir via pre-existing symlinks. Pull request [#9493](https://github.com/ruby/rubygems/pull/9493) by thesmartshadow
+* Close stdin immediately when using popen2e. Pull request [#9540](https://github.com/ruby/rubygems/pull/9540) by rwstauner
+* Fallback to copy symlinks on Windows. Pull request [#9296](https://github.com/ruby/rubygems/pull/9296) by larskanis
+* Installs bundler 4.0.13 as a default gem.
+
 ## 4.0.12 / 2026-05-20
 
 ### Enhancements:

data/bundler/CHANGELOG.md

@@ -1,5 +1,21 @@
 # Changelog
 
+## 4.0.13 / 2026-06-03
+
+### Enhancements:
+
+* Do not hard-code permissions for new gem directories during bundle install. Pull request [#9557](https://github.com/ruby/rubygems/pull/9557) by maxfelsher-cgi
+* Clear gem specification cache after acquiring process lock. Pull request [#9310](https://github.com/ruby/rubygems/pull/9310) by ngan
+* Show release date with bundle outdated. Pull request [#9337](https://github.com/ruby/rubygems/pull/9337) by hsbt
+
+### Bug fixes:
+
+* Apply cooldown to locally installed gem versions. Pull request [#9582](https://github.com/ruby/rubygems/pull/9582) by hsbt
+
+### Security:
+
+* Add `cooldown` to delay newly published gem. Pull request [#9576](https://github.com/ruby/rubygems/pull/9576) by hsbt
+
 ## 4.0.12 / 2026-05-20
 
 ### Enhancements:

data/bundler/lib/bundler/build_metadata.rb

@@ -5,7 +5,7 @@ module Bundler
   module BuildMetadata
     # begin ivars
     @built_at = nil
-    @git_commit_sha = "665f998196".freeze
+    @git_commit_sha = "003f20f0dc".freeze
     # end ivars
 
     # A hash representation of the build metadata.

data/bundler/lib/bundler/cli/add.rb

@@ -14,6 +14,9 @@ module Bundler
     def run
       Bundler.ui.level = "warn" if options[:quiet]
 
+      Bundler::CLI::Common.validate_cooldown!(options[:cooldown])
+      Bundler.settings.set_command_option_if_given :cooldown, options[:cooldown]
+
       validate_options!
       inject_dependencies
       perform_bundle_install unless options["skip-install"]

data/bundler/lib/bundler/cli/common.rb

@@ -2,6 +2,12 @@
 
 module Bundler
   module CLI::Common
+    def self.validate_cooldown!(value)
+      return if value.nil?
+      return if value.is_a?(Integer) && value >= 0
+      raise InvalidOption, "Expected `--cooldown` to be a non-negative integer, got #{value.inspect}"
+    end
+
     def self.output_post_install_messages(messages)
       return if Bundler.settings["ignore_messages"]
       messages.to_a.each do |name, msg|

data/bundler/lib/bundler/cli/install.rb

@@ -112,6 +112,9 @@ module Bundler
 
       Bundler.settings.set_command_option_if_given :jobs, options["jobs"]
 
+      Bundler::CLI::Common.validate_cooldown!(options["cooldown"])
+      Bundler.settings.set_command_option_if_given :cooldown, options["cooldown"]
+
       Bundler.settings.set_command_option_if_given :no_prune, options["no-prune"]
 
       Bundler.settings.set_command_option_if_given :no_install, options["no-install"]

data/bundler/lib/bundler/cli/outdated.rb

@@ -26,6 +26,9 @@ module Bundler
     def run
       check_for_deployment_mode!
 
+      Bundler::CLI::Common.validate_cooldown!(options[:cooldown])
+      Bundler.settings.set_command_option_if_given :cooldown, options[:cooldown]
+
       Bundler.definition.validate_runtime!
       current_specs = Bundler.ui.silence { Bundler.definition.resolve }
 
@@ -199,7 +202,15 @@ module Bundler
       end
 
       spec_outdated_info = "#{active_spec.name} (newest #{spec_version}, " \
-        "installed #{current_version}#{dependency_version})"
+        "installed #{current_version}#{dependency_version}"
+
+      release_date = release_date_for(active_spec)
+      spec_outdated_info += ", released #{release_date}" unless release_date.empty?
+
+      remaining = cooldown_days_remaining(active_spec)
+      spec_outdated_info += ", in cooldown for #{remaining} more day#{"s" if remaining > 1}" if remaining
+
+      spec_outdated_info += ")"
 
       output_message = if options[:parseable]
         spec_outdated_info.to_s
@@ -215,13 +226,25 @@ module Bundler
     def gem_column_for(current_spec, active_spec, dependency, groups)
       current_version = "#{current_spec.version}#{current_spec.git_version}"
       spec_version = "#{active_spec.version}#{active_spec.git_version}"
+      remaining = cooldown_days_remaining(active_spec)
+      spec_version += " (cooldown #{remaining}d)" if remaining
       dependency = dependency.requirement if dependency
 
       ret_val = [active_spec.name, current_version, spec_version, dependency.to_s, groups.to_s]
+      ret_val << release_date_for(active_spec)
       ret_val << loaded_from_for(active_spec).to_s if Bundler.ui.debug?
       ret_val
     end
 
+    def cooldown_days_remaining(spec, now = Time.now)
+      return nil unless spec.respond_to?(:created_at) && spec.created_at
+      return nil unless spec.respond_to?(:remote) && spec.remote
+      days = spec.remote.effective_cooldown
+      return nil if days.nil? || days <= 0
+      remaining = days - ((now - spec.created_at) / 86_400.0)
+      remaining > 0 ? remaining.ceil : nil
+    end
+
     def check_for_deployment_mode!
       return unless Bundler.frozen_bundle?
       suggested_command = if Bundler.settings.locations("frozen").keys.&([:global, :local]).any?
@@ -283,11 +306,28 @@ module Bundler
     end
 
     def table_header
-      header = ["Gem", "Current", "Latest", "Requested", "Groups"]
+      header = ["Gem", "Current", "Latest", "Requested", "Groups", "Release Date"]
       header << "Path" if Bundler.ui.debug?
       header
     end
 
+    def release_date_for(spec)
+      return "" unless spec.respond_to?(:date)
+
+      date = spec.date
+      return "" unless date
+
+      return "" unless Gem.const_defined?(:DEFAULT_SOURCE_DATE_EPOCH)
+      default_date = Time.at(Gem::DEFAULT_SOURCE_DATE_EPOCH).utc
+      default_date = Time.utc(default_date.year, default_date.month, default_date.day)
+
+      date = date.utc if date.respond_to?(:utc)
+
+      return "" if date == default_date
+
+      date.strftime("%Y-%m-%d")
+    end
+
     def justify(row, sizes)
       row.each_with_index.map do |element, index|
         element.ljust(sizes[index])

data/bundler/lib/bundler/cli/update.rb

@@ -66,6 +66,8 @@ module Bundler
       opts["force"] = options[:redownload] if options[:redownload]
 
       Bundler.settings.set_command_option_if_given :jobs, opts["jobs"]
+      Bundler::CLI::Common.validate_cooldown!(options[:cooldown])
+      Bundler.settings.set_command_option_if_given :cooldown, options[:cooldown]
 
       Bundler.definition.validate_runtime!
 

data/bundler/lib/bundler/cli.rb

@@ -274,6 +274,7 @@ module Bundler
     method_option "target-rbconfig", type: :string, banner: "Path to rbconfig.rb for the deployment target platform"
     method_option "without", type: :array, banner: "Exclude gems that are part of the specified named group (removed)."
     method_option "with", type: :array, banner: "Include gems that are part of the specified named group (removed)."
+    method_option "cooldown", type: :numeric, banner: "Only consider gem versions published at least N days ago. Use 0 to disable."
     def install
       %w[clean deployment frozen no-prune path shebang without with].each do |option|
         remembered_flag_deprecation(option)
@@ -324,6 +325,7 @@ module Bundler
     method_option "strict", type: :boolean, banner: "Do not allow any gem to be updated past latest --patch | --minor | --major"
     method_option "conservative", type: :boolean, banner: "Use bundle install conservative update behavior and do not allow shared dependencies to be updated."
     method_option "all", type: :boolean, banner: "Update everything."
+    method_option "cooldown", type: :numeric, banner: "Only consider gem versions published at least N days ago. Use 0 to disable."
     def update(*gems)
       require_relative "cli/update"
       Bundler.settings.temporary(no_install: false) do
@@ -405,6 +407,7 @@ module Bundler
     method_option "skip-install", type: :boolean, banner: "Adds gem to the Gemfile but does not install it"
     method_option "optimistic", type: :boolean, banner: "Adds optimistic declaration of version to gem"
     method_option "strict", type: :boolean, banner: "Adds strict declaration of version to gem"
+    method_option "cooldown", type: :numeric, banner: "Only consider gem versions published at least N days ago. Use 0 to disable."
     def add(*gems)
       require_relative "cli/add"
       Add.new(options.dup, gems).run
@@ -435,6 +438,7 @@ module Bundler
     method_option "filter-patch", type: :boolean, banner: "Only list patch newer versions"
     method_option "parseable", aliases: "--porcelain", type: :boolean, banner: "Use minimal formatting for more parseable output"
     method_option "only-explicit", type: :boolean, banner: "Only list gems specified in your Gemfile, not their dependencies"
+    method_option "cooldown", type: :numeric, banner: "Only consider gem versions published at least N days ago. Use 0 to disable."
     def outdated(*gems)
       require_relative "cli/outdated"
       Outdated.new(options, gems).run

data/bundler/lib/bundler/dsl.rb

@@ -116,6 +116,10 @@ module Bundler
       options = args.last.is_a?(Hash) ? args.pop.dup : {}
       options = normalize_hash(options)
       source = normalize_source(source)
+      cooldown = options["cooldown"]
+      if cooldown && !(cooldown.is_a?(Integer) && cooldown >= 0)
+        raise InvalidOption, "Expected `cooldown` to be a non-negative integer, got #{cooldown.inspect}"
+      end
 
       if options.key?("type")
         options["type"] = options["type"].to_s
@@ -130,9 +134,9 @@ module Bundler
         source_opts = options.merge("uri" => source)
         with_source(@sources.add_plugin_source(options["type"], source_opts), &blk)
       elsif block_given?
-        with_source(@sources.add_rubygems_source("remotes" => source), &blk)
+        with_source(@sources.add_rubygems_source("remotes" => source, "cooldown" => cooldown), &blk)
       else
-        @sources.add_global_rubygems_remote(source)
+        @sources.add_global_rubygems_remote(source, cooldown: cooldown)
       end
     end
 

data/bundler/lib/bundler/endpoint_specification.rb

@@ -5,7 +5,7 @@ module Bundler
   class EndpointSpecification < Gem::Specification
     include MatchRemoteMetadata
 
-    attr_reader :name, :version, :platform, :checksum
+    attr_reader :name, :version, :platform, :checksum, :created_at
     attr_writer :dependencies
     attr_accessor :remote, :locked_platform
 
@@ -145,6 +145,7 @@ module Bundler
       unless data
         @required_ruby_version = nil
         @required_rubygems_version = nil
+        @created_at = nil
         return
       end
 
@@ -161,6 +162,15 @@ module Bundler
           @required_rubygems_version = Gem::Requirement.new(v)
         when "ruby"
           @required_ruby_version = Gem::Requirement.new(v)
+        when "created_at"
+          value = v.is_a?(Array) ? v.last : v
+          if value.is_a?(String)
+            @created_at = begin
+              Time.new(value)
+            rescue ArgumentError
+              nil
+            end
+          end
         end
       end
     rescue StandardError => e

data/bundler/lib/bundler/installer.rb

@@ -63,6 +63,11 @@ module Bundler
       Bundler.create_bundle_path
 
       ProcessLock.lock do
+        # Invalidate any stale gem specification cache from before we acquired the lock.
+        # Another process may have installed gems while we were waiting.
+        Gem::Specification.reset
+        @definition.sources.clear_cache
+
         @definition.ensure_equivalent_gemfile_and_lockfile(options[:deployment])
 
         if @definition.dependencies.empty?

data/bundler/lib/bundler/man/bundle-add.1

@@ -4,7 +4,7 @@
 .SH "NAME"
 \fBbundle\-add\fR \- Add gem to the Gemfile and run bundle install
 .SH "SYNOPSIS"
-\fBbundle add\fR \fIGEM_NAME\fR [\-\-group=GROUP] [\-\-version=VERSION] [\-\-source=SOURCE] [\-\-path=PATH] [\-\-git=GIT|\-\-github=GITHUB] [\-\-branch=BRANCH] [\-\-ref=REF] [\-\-quiet] [\-\-skip\-install] [\-\-strict|\-\-optimistic]
+\fBbundle add\fR \fIGEM_NAME\fR [\-\-group=GROUP] [\-\-version=VERSION] [\-\-source=SOURCE] [\-\-path=PATH] [\-\-git=GIT|\-\-github=GITHUB] [\-\-branch=BRANCH] [\-\-ref=REF] [\-\-cooldown=NUMBER] [\-\-quiet] [\-\-skip\-install] [\-\-strict|\-\-optimistic]
 .SH "DESCRIPTION"
 Adds the named gem to the [\fBGemfile(5)\fR][Gemfile(5)] and run \fBbundle install\fR\. \fBbundle install\fR can be avoided by using the flag \fB\-\-skip\-install\fR\.
 .SH "OPTIONS"
@@ -50,6 +50,9 @@ Adds optimistic declaration of version\.
 .TP
 \fB\-\-strict\fR
 Adds strict declaration of version\.
+.TP
+\fB\-\-cooldown=<number>\fR
+Only consider gem versions published at least \fInumber\fR days ago when resolving\. Pass \fB0\fR to disable cooldown for this run\. See \fBcooldown\fR in bundle\-config(1) for precedence rules\.
 .SH "EXAMPLES"
 .IP "1." 4
 You can add the \fBrails\fR gem to the Gemfile without any version restriction\. The source of the gem will be the global source\.

data/bundler/lib/bundler/man/bundle-add.1.ronn

@@ -5,7 +5,7 @@ bundle-add(1) -- Add gem to the Gemfile and run bundle install
 
 `bundle add` <GEM_NAME> [--group=GROUP] [--version=VERSION] [--source=SOURCE]
            [--path=PATH] [--git=GIT|--github=GITHUB] [--branch=BRANCH] [--ref=REF]
-           [--quiet] [--skip-install] [--strict|--optimistic]
+           [--cooldown=NUMBER] [--quiet] [--skip-install] [--strict|--optimistic]
 
 ## DESCRIPTION
 
@@ -56,6 +56,11 @@ Adds the named gem to the [`Gemfile(5)`][Gemfile(5)] and run `bundle install`.
 * `--strict`:
   Adds strict declaration of version.
 
+* `--cooldown=<number>`:
+  Only consider gem versions published at least <number> days ago when
+  resolving. Pass `0` to disable cooldown for this run. See `cooldown`
+  in bundle-config(1) for precedence rules.
+
 ## EXAMPLES
 
 1. You can add the `rails` gem to the Gemfile without any version restriction.