rubygems-update 4.0.13 → 4.0.15

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0660c05e56df8027375e8d01d875fc71e9837ed53336eface4ce3caef8463b06
-  data.tar.gz: 41fb9134ffe1423a57d10e9c3974c4fd03d02f31aea6da2d8703df407cb720c2
+  metadata.gz: 872371a3357601311ae655a4d31f14fe22ac4c581f07e56ce7c4e0a8e446c404
+  data.tar.gz: ac7b86aecc58b095555483690de516232b00a7c3ef95e42f4d6bdd84b2561b4a
 SHA512:
-  metadata.gz: ad34acb0f898943a0a749765234e2ec3abec927d9d6eaffcbd5b33498dc04fe8f0a5477d7569a02a4792fdbaa058c05c14abe38c707c43568f2249c0855c050d
-  data.tar.gz: 9bbb91eccb1401d2942b8817734b0130a6c7d33163f4faab4e3204d4f63bbbc317bb78e41a605b494d2224f4954c08d807e75ee3954def54a34e6410d08b85c6
+  metadata.gz: 8c48fb0c258070df0ce8b3bb8041e93b738ebdb927540d87fae2a6d2e52e4a9f811ad8e546a30900e73fd8ea14ee7d036626d15a9807ba224478313165e7f010
+  data.tar.gz: 2c890803e82d118d04b4fcdc1a090eb075ad4062eab6db4f395223f4bf95c045c1b46465912edfff7fda692b737c1724d5f1d7345c0bc84913c6a97c3135d36d

data/CHANGELOG.md

@@ -1,5 +1,25 @@
 # Changelog
 
+## 4.0.15 / 2026-06-24
+
+### Enhancements:
+
+* Rubygems: Fix Gem::Request for PQC support, adding integration connection tests. Pull request [#9615](https://github.com/ruby/rubygems/pull/9615) by junaruga
+* Reduce peak memory usage of full index loading and bundle install. Pull request [#9618](https://github.com/ruby/rubygems/pull/9618) by hsbt
+* Installs bundler 4.0.15 as a default gem.
+
+### Bug fixes:
+
+* Forward security policy to old-format gems. Pull request [#9611](https://github.com/ruby/rubygems/pull/9611) by hsbt
+
+## 4.0.14 / 2026-06-10
+
+### Enhancements:
+
+* Add executables and bindir validation to the gem installer. Pull request [#9595](https://github.com/ruby/rubygems/pull/9595) by hsbt
+* Strip C1 control characters from displayed gem text. Pull request [#9597](https://github.com/ruby/rubygems/pull/9597) by hsbt
+* Installs bundler 4.0.14 as a default gem.
+
 ## 4.0.13 / 2026-06-03
 
 ### Enhancements:

data/Manifest.txt

@@ -167,6 +167,7 @@ bundler/lib/bundler/plugin/installer/git.rb
 bundler/lib/bundler/plugin/installer/path.rb
 bundler/lib/bundler/plugin/installer/rubygems.rb
 bundler/lib/bundler/plugin/source_list.rb
+bundler/lib/bundler/plugin/unloaded_source.rb
 bundler/lib/bundler/process_lock.rb
 bundler/lib/bundler/remote_specification.rb
 bundler/lib/bundler/resolver.rb

data/bundler/CHANGELOG.md

@@ -1,5 +1,29 @@
 # Changelog
 
+## 4.0.15 / 2026-06-24
+
+### Enhancements:
+
+* Resolve Git LFS files in git sources from the real remote. Pull request [#9632](https://github.com/ruby/rubygems/pull/9632) by hsbt
+* Suggest access issues, not only yanking, for missing locked gems. Pull request [#9631](https://github.com/ruby/rubygems/pull/9631) by hsbt
+* Implement a make jobserver (continuation of #9210). Pull request [#9625](https://github.com/ruby/rubygems/pull/9625) by hsbt
+* Reduce peak memory usage of full index loading and bundle install. Pull request [#9618](https://github.com/ruby/rubygems/pull/9618) by hsbt
+* Bump up to rb-sys 0.9.128. Pull request [#9569](https://github.com/ruby/rubygems/pull/9569) by hsbt
+
+### Bug fixes:
+
+* Skip the make jobserver on Windows. Pull request [#9630](https://github.com/ruby/rubygems/pull/9630) by hsbt
+* Don't require source plugins to be installed to parse a lockfile: 4.0.x. Pull request [#9621](https://github.com/ruby/rubygems/pull/9621) by hsbt
+* Exempt lockfile versions from cooldown on every resolution path. Pull request [#9619](https://github.com/ruby/rubygems/pull/9619) by hsbt
+* Set `Bundler.settings[:ssl_ca_cert]` to download gems. Pull request [#9610](https://github.com/ruby/rubygems/pull/9610) by junaruga
+
+## 4.0.14 / 2026-06-10
+
+### Bug fixes:
+
+* Preserve per-source cooldown when converging sources from the lockfile. Pull request [#9601](https://github.com/ruby/rubygems/pull/9601) by bryanwoods
+* Don't exclude the locked version from cooldown during bundle update. Pull request [#9599](https://github.com/ruby/rubygems/pull/9599) by hsbt
+
 ## 4.0.13 / 2026-06-03
 
 ### Enhancements:

data/bundler/lib/bundler/build_metadata.rb

@@ -5,7 +5,7 @@ module Bundler
   module BuildMetadata
     # begin ivars
     @built_at = nil
-    @git_commit_sha = "003f20f0dc".freeze
+    @git_commit_sha = "12ba1f437b".freeze
     # end ivars
 
     # A hash representation of the build metadata.

data/bundler/lib/bundler/definition.rb

@@ -230,6 +230,16 @@ module Bundler
       sources.prefer_local!
     end
 
+    # Releases memory only needed during resolution, such as remote spec
+    # indexes and resolver state. Only safe to call once resolution is
+    # complete and the result has been materialized, since any further
+    # resolution will need to refetch remote specs.
+    def release_resolution_memory!
+      @resolver = nil
+      @resolution_base = nil
+      sources.release_resolution_memory!
+    end
+
     # For given dependency list returns a SpecSet with Gemspec of all the required
     # dependencies.
     #  1. The method first resolves the dependencies specified in Gemfile
@@ -688,9 +698,10 @@ module Bundler
             "available locally before rerunning Bundler."
           else
             "Your bundle is locked to #{locked_gem} from #{locked_gem.source}, but that version can " \
-            "no longer be found in that source. That means the author of #{locked_gem} has removed it. " \
-            "You'll need to update your bundle to a version other than #{locked_gem} that hasn't been " \
-            "removed in order to install."
+            "no longer be found in that source. That means either the author of #{locked_gem} has removed it, " \
+            "or you no longer have access to that source. You'll need to update your bundle to a version other " \
+            "than #{locked_gem} that hasn't been removed, or check your credentials and access rights for " \
+            "#{locked_gem.source}, in order to install."
           end
 
           raise GemNotFound, message
@@ -1283,7 +1294,7 @@ module Bundler
 
     def new_resolution_base(last_resolve:, unlock:)
       new_resolution_platforms = @current_platform_missing ? @new_platforms + [Bundler.local_platform] : @new_platforms
-      Resolver::Base.new(source_requirements, expanded_dependencies, last_resolve, @platforms, locked_specs: @originally_locked_specs, unlock: unlock, prerelease: gem_version_promoter.pre?, prefer_local: @prefer_local, new_platforms: new_resolution_platforms)
+      Resolver::Base.new(source_requirements, expanded_dependencies, last_resolve, @platforms, locked_specs: @originally_locked_specs, unlock: unlock, prerelease: gem_version_promoter.pre?, prefer_local: @prefer_local, new_platforms: new_resolution_platforms, explicit_unlocks: @explicit_unlocks)
     end
 
     def new_resolver(base)

data/bundler/lib/bundler/fetcher/base.rb

@@ -38,6 +38,9 @@ module Bundler
         false
       end
 
+      def release_resolution_memory!
+      end
+
       private
 
       def log_specs(&block)

data/bundler/lib/bundler/fetcher/compact_index.rb

@@ -63,6 +63,13 @@ module Bundler
         true
       end
 
+      # The client holds the parsed checksums of all info files in the
+      # index. Dropping it is always safe because it is rebuilt from the
+      # local cache on demand.
+      def release_resolution_memory!
+        @compact_index_client = nil
+      end
+
       private
 
       def compact_index_client
@@ -73,6 +80,12 @@ module Bundler
       end
 
       def fetch_gem_infos(names)
+        # Create the client and update the versions file on this thread.
+        # Otherwise the workers race to lazily create the client and update
+        # the versions file concurrently, e.g. when the client was released
+        # after resolution and is being rebuilt for `bundle cache`.
+        compact_index_client.available?
+
         in_parallel(names) {|name| compact_index_client.info(name) }
       rescue TooManyRequestsError # rubygems.org is rate limiting us, slow down.
         @bundle_worker&.stop

data/bundler/lib/bundler/fetcher/gem_remote_fetcher.rb

@@ -9,6 +9,8 @@ module Bundler
         super
 
         @pool_size = Bundler.settings.installation_parallelization
+        ssl_ca_cert = Bundler.settings[:ssl_ca_cert]
+        @cert_files << ssl_ca_cert if ssl_ca_cert
       end
 
       def request(*args)

data/bundler/lib/bundler/fetcher.rb

@@ -243,6 +243,10 @@ module Bundler
       fetchers.first.api_fetcher?
     end
 
+    def release_resolution_memory!
+      @fetchers&.each(&:release_resolution_memory!)
+    end
+
     def gem_remote_fetcher
       @gem_remote_fetcher ||= begin
         require_relative "fetcher/gem_remote_fetcher"

data/bundler/lib/bundler/installer/parallel_installer.rb

@@ -110,10 +110,49 @@ module Bundler
     end
 
     def install_with_worker
-      installed_specs = {}
-      enqueue_specs(installed_specs)
+      with_jobserver do
+        installed_specs = {}
+        enqueue_specs(installed_specs)
 
-      process_specs(installed_specs) until finished_installing?
+        process_specs(installed_specs) until finished_installing?
+      end
+    end
+
+    def with_jobserver
+      # The jobserver hands tokens to child `make` processes through MAKEFLAGS
+      # using the GNU make `--jobserver-auth` protocol. nmake, the default make
+      # on mswin, instead reads MAKEFLAGS as bare option letters and aborts
+      # every native extension build with `fatal error U1065: invalid option
+      # '-'`. Skip the jobserver when nmake is in use. Other Windows toolchains
+      # such as mingw use GNU make and keep working through the inherited pipe.
+      return yield if nmake?
+
+      begin
+        r, w = IO.pipe
+        r.close_on_exec = false
+        w.close_on_exec = false
+        w.write("*" * @size)
+
+        old_makeflags = ENV["MAKEFLAGS"]
+        ENV["MAKEFLAGS"] = [old_makeflags, "--jobserver-auth=#{r.fileno},#{w.fileno}"].compact.join(" ")
+
+        yield
+      ensure
+        # Restore MAKEFLAGS before closing the pipe so a close failure can't
+        # leave the process with descriptors that point at a closed pipe.
+        old_makeflags ? ENV["MAKEFLAGS"] = old_makeflags : ENV.delete("MAKEFLAGS")
+
+        r&.close
+        w&.close
+      end
+    end
+
+    # Mirror how RubyGems' extension builder picks the make program so the
+    # jobserver is only set up when a GNU-compatible make will consume it.
+    def nmake?
+      make = ENV["MAKE"] || ENV["make"]
+      make ||= "nmake" if RUBY_PLATFORM.include?("mswin")
+      /\bnmake/i.match?(make.to_s)
     end
 
     def install_serially

data/bundler/lib/bundler/installer.rb

@@ -195,7 +195,13 @@ module Bundler
       force = options[:force]
       local = options[:local] || options[:"prefer-local"]
       jobs = Bundler.settings.installation_parallelization
-      spec_installations = ParallelInstaller.call(self, @definition.specs, jobs, standalone, force, local: local)
+      specs = @definition.specs
+      # Installing default gems may need the remote index again to cache
+      # their .gem files, so keep resolution memory around in that case.
+      # The bundler spec itself is excluded because it comes from the
+      # metadata source and never goes through that path.
+      @definition.release_resolution_memory! if specs.none? {|s| s.default_gem? && s.source.is_a?(Source::Rubygems) }
+      spec_installations = ParallelInstaller.call(self, specs, jobs, standalone, force, local: local)
       spec_installations.each do |installation|
         post_install_messages[installation.name] = installation.post_install_message if installation.has_post_install_message?
       end

data/bundler/lib/bundler/mirror.rb

@@ -160,18 +160,18 @@ module Bundler
 
       def wait_for_writtable_socket(socket, address, timeout)
         if IO.select(nil, [socket], nil, timeout)
-          probe_writtable_socket(socket, address)
+          probe_writtable_socket(socket)
         else # TCP Handshake timed out, or there is something dropping packets
           false
         end
       end
 
-      def probe_writtable_socket(socket, address)
-        socket.connect_nonblock(address)
-      rescue Errno::EISCONN
-        true
-      rescue StandardError # Connection failed
-        false
+      def probe_writtable_socket(socket)
+        # Check the pending error on the socket rather than calling
+        # +connect_nonblock+ a second time. On BSD-based systems such as macOS a
+        # second connect returns +EISCONN+ even when the asynchronous connect
+        # failed, which would make a down mirror look reachable.
+        socket.getsockopt(Socket::SOL_SOCKET, Socket::SO_ERROR).int == 0
       end
     end
   end

data/bundler/lib/bundler/plugin/unloaded_source.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Plugin
+    # Stands in for a source handled by a plugin that is not loaded yet, so
+    # that the lockfile can still be parsed during the plugin install pass,
+    # and by external tools reading a lockfile without the plugin installed.
+    class UnloadedSource
+      include API::Source
+
+      # Unlike real plugin sources, where the handling class encodes the
+      # source type, all unloaded sources share this class, so the type must
+      # be compared explicitly.
+      def ==(other)
+        super && options["type"] == other.options["type"]
+      end
+
+      alias_method :eql?, :==
+
+      def hash
+        [super, options["type"]].hash
+      end
+    end
+  end
+end

data/bundler/lib/bundler/plugin.rb

@@ -4,11 +4,12 @@ require_relative "plugin/api"
 
 module Bundler
   module Plugin
-    autoload :DSL,        File.expand_path("plugin/dsl", __dir__)
-    autoload :Events,     File.expand_path("plugin/events", __dir__)
-    autoload :Index,      File.expand_path("plugin/index", __dir__)
-    autoload :Installer,  File.expand_path("plugin/installer", __dir__)
-    autoload :SourceList, File.expand_path("plugin/source_list", __dir__)
+    autoload :DSL,            File.expand_path("plugin/dsl", __dir__)
+    autoload :Events,         File.expand_path("plugin/events", __dir__)
+    autoload :Index,          File.expand_path("plugin/index", __dir__)
+    autoload :Installer,      File.expand_path("plugin/installer", __dir__)
+    autoload :SourceList,     File.expand_path("plugin/source_list", __dir__)
+    autoload :UnloadedSource, File.expand_path("plugin/unloaded_source", __dir__)
 
     class MalformattedPlugin < PluginError; end
     class UndefinedCommandError < PluginError; end
@@ -199,9 +200,14 @@ module Bundler
     # @return [API::Source] the instance of the class that handles the source
     #                       type passed in locked_opts
     def from_lock(locked_opts)
+      opts = locked_opts.merge("uri" => locked_opts["remote"])
+      # use an inert placeholder when the plugin handling this source is not
+      # installed, so that the lockfile can still be parsed
+      return UnloadedSource.new(opts) unless source?(locked_opts["type"])
+
       src = source(locked_opts["type"])
 
-      src.new(locked_opts.merge("uri" => locked_opts["remote"]))
+      src.new(opts)
     end
 
     # To be called via the API to register a hooks and corresponding block that

data/bundler/lib/bundler/resolver/base.rb

@@ -8,6 +8,7 @@ module Bundler
       attr_reader :packages, :requirements, :source_requirements, :locked_specs
 
       def initialize(source_requirements, dependencies, base, platforms, options)
+        @explicit_unlocks = options.delete(:explicit_unlocks) || []
         @source_requirements = source_requirements
         @locked_specs = options[:locked_specs]
 
@@ -43,6 +44,14 @@ module Bundler
         @packages[name]
       end
 
+      # Gems the user named on a `bundle update GEM` / `bundle lock --update GEM`
+      # command line. These are the only ones meant to move off their locked
+      # version, so cooldown keeps applying to them while every other locked gem
+      # stays exempt.
+      def explicitly_unlocked?(name)
+        @explicit_unlocks.include?(name)
+      end
+
       def base_requirements
         @base_requirements ||= build_base_requirements
       end

data/bundler/lib/bundler/resolver.rb

@@ -437,11 +437,31 @@ module Bundler
     def cooldown_excluded?(spec)
       return false unless spec.respond_to?(:created_at) && spec.created_at
       return false unless spec.respond_to?(:remote) && spec.remote
+      return false if locked_by_lockfile?(spec)
       days = spec.remote.effective_cooldown
       return false if days.nil? || days <= 0
       (cooldown_now - spec.created_at) < (days * 86_400)
     end
 
+    # A version already written to the lockfile has been adopted, and cooldown
+    # only governs the adoption of *new* versions, so it must never retract one
+    # the lockfile already pins. Keying this off the locked specs rather than the
+    # prevent-downgrade floor matters because that floor is absent on resolutions
+    # that re-pick a gem from scratch: the auxiliary full update run to compute
+    # `--update` targets, and the from-scratch retries after a conflict unlocks a
+    # gem. In those passes the locked version is the only candidate, so filtering
+    # it out makes an unrelated operation impossible whenever every published
+    # version matching the requirement sits inside the cooldown window.
+    #
+    # Gems named on a `bundle update GEM` command are the exception: the user
+    # asked to move them, so they stay subject to cooldown and a locked-but-fresh
+    # release is pushed back to an older one (or fails loudly when none exists).
+    def locked_by_lockfile?(spec)
+      return false unless defined?(@base) && @base
+      return false if @base.explicitly_unlocked?(spec.name)
+      @base.locked_specs[spec.name].any? {|locked| locked.version == spec.version }
+    end
+
     def cooldown_now
       @cooldown_now ||= Time.now
     end

data/bundler/lib/bundler/rubygems_gem_installer.rb

@@ -4,6 +4,11 @@ require "rubygems/installer"
 
 module Bundler
   class RubyGemsGemInstaller < Gem::Installer
+    # Cap how many jobserver slots a single gem's `make` may grab so that one
+    # gem with many recipes doesn't starve the others sharing the pool. Beyond
+    # a handful of jobs the extra parallelism rarely pays off in practice.
+    MAX_JOBS_PER_GEM = 3
+
     def check_executable_overwrite(filename)
       # Bundler needs to install gems regardless of binstub overwriting
     end
@@ -101,10 +106,18 @@ module Bundler
     end
 
     def build_jobs
-      Bundler.settings[:jobs] || super
+      @jobserver_read_io&.read_nonblock(MAX_JOBS_PER_GEM, @jobserver_tokens)
+      acquired_jobs = @jobserver_tokens.empty? ? nil : @jobserver_tokens.size
+
+      acquired_jobs || Bundler.settings[:jobs] || super
+    rescue IO::WaitReadable, EOFError
+      1
     end
 
     def build_extensions
+      @jobserver_tokens = +""
+      @jobserver_read_io, @jobserver_write_io = connect_to_jobserver
+
       extension_cache_path = options[:bundler_extension_cache_path]
       extension_dir = spec.extension_dir
       unless extension_cache_path && extension_dir
@@ -128,6 +141,11 @@ module Bundler
           FileUtils.cp_r extension_dir, extension_cache_path
         end
       end
+    ensure
+      unless @jobserver_tokens.empty?
+        @jobserver_write_io.write(@jobserver_tokens)
+        @jobserver_write_io.flush
+      end
     end
 
     def spec
@@ -144,6 +162,21 @@ module Bundler
 
     private
 
+    def connect_to_jobserver
+      return unless ENV["MAKEFLAGS"]
+      # We append our own --jobserver-auth, so read the last one. Otherwise a
+      # parent jobserver's descriptors (e.g. `bundle install` run under
+      # `make -j`) would be picked up instead of the pool ParallelInstaller created.
+      read_fd, write_fd = ENV["MAKEFLAGS"].scan(/--jobserver-auth=(\d+),(\d+)/).last
+
+      return unless read_fd && write_fd
+
+      # Pass explicit modes. On POSIX, IO.new detects the descriptor's access
+      # mode, but on Windows it can't, so the write end would default to read
+      # mode and raise "IOError: not opened for writing" when releasing slots.
+      [IO.new(read_fd.to_i, "r", autoclose: false), IO.new(write_fd.to_i, "w", autoclose: false)]
+    end
+
     def prepare_extension_build(extension_dir)
       SharedHelpers.filesystem_access(extension_dir, :create) do
         FileUtils.mkdir_p extension_dir

data/bundler/lib/bundler/source/git/git_proxy.rb

@@ -144,6 +144,12 @@ module Bundler
                 FileUtils.rm_rf(p)
               end
               git "clone", "--no-checkout", "--quiet", path.to_s, destination.to_s
+              # The copy is cloned from the local bare cache, which holds no Git LFS
+              # objects, so point origin back at the real remote and let git-lfs derive
+              # its endpoint from there when checking out. Use the credential-filtered
+              # URI to avoid persisting secrets in the copy's .git/config; auth is left
+              # to git's credential helper.
+              git "remote", "set-url", "origin", credential_filtered_uri, dir: destination
               File.chmod((File.stat(destination).mode | 0o777) & ~File.umask, destination)
             rescue Errno::EEXIST => e
               file_path = e.message[%r{.*?((?:[a-zA-Z]:)?/.*)}, 1]

data/bundler/lib/bundler/source/rubygems.rb

@@ -11,7 +11,7 @@ module Bundler
       API_REQUEST_SIZE = 100
       REQUIRE_MUTEX = Mutex.new
 
-      attr_accessor :remotes
+      attr_accessor :remotes, :remote_cooldowns
 
       def initialize(options = {})
         @options = options
@@ -25,6 +25,7 @@ module Bundler
         @checksum_store = Checksum::Store.new
         @gem_installers = {}
         @gem_installers_mutex = Mutex.new
+        @remote_specs_mutex = Mutex.new
 
         cooldown = options["cooldown"]
         Array(options["remotes"]).reverse_each {|r| add_remote(r, cooldown: cooldown) }
@@ -243,7 +244,7 @@ module Bundler
       def cached_built_in_gem(spec, local: false)
         cached_path = cached_gem(spec)
         if cached_path.nil? && !local
-          remote_spec = remote_specs.search(spec).first
+          remote_spec = remote_spec_for(spec)
           if remote_spec
             cached_path = fetch_gem(remote_spec)
             spec.remote = remote_spec.remote
@@ -337,6 +338,12 @@ module Bundler
         @cached_specs = nil
       end
 
+      def release_resolution_memory!
+        @specs = nil
+        @remote_specs_mutex.synchronize { @remote_specs = nil }
+        @fetchers&.each(&:release_resolution_memory!)
+      end
+
       protected
 
       def remote_names
@@ -414,17 +421,30 @@ module Bundler
       end
 
       def remote_specs
-        @remote_specs ||= Index.build do |idx|
-          index_fetchers = fetchers - api_fetchers
+        @remote_specs ||= @remote_specs_mutex.synchronize do
+          @remote_specs ||= Index.build do |idx|
+            index_fetchers = fetchers - api_fetchers
 
-          if index_fetchers.empty?
-            fetch_names(api_fetchers, dependency_names, idx)
-          else
-            fetch_names(fetchers, nil, idx)
+            if index_fetchers.empty?
+              fetch_names(api_fetchers, dependency_names, idx)
+            else
+              fetch_names(fetchers, nil, idx)
+            end
           end
         end
       end
 
+      # Looks up a single spec in the remote sources, fetching only its own
+      # name when the full remote index is not already materialized.
+      def remote_spec_for(spec)
+        return remote_specs.search(spec).first if @remote_specs || api_fetchers.empty?
+
+        index = Index.build do |idx|
+          fetch_names(api_fetchers, [spec.name], idx)
+        end
+        index.search(spec).first
+      end
+
       def fetch_names(fetchers, dependency_names, index)
         fetchers.each do |f|
           if dependency_names

data/bundler/lib/bundler/source_list.rb

@@ -140,6 +140,10 @@ module Bundler
       rubygems_sources.each(&:clear_cache)
     end
 
+    def release_resolution_memory!
+      rubygems_sources.each(&:release_resolution_memory!)
+    end
+
     private
 
     def map_sources(replacement_sources)
@@ -169,6 +173,10 @@ module Bundler
         # locked sources never include credentials so always prefer remotes from the gemfile
         replacement_source.remotes = gemfile_source.remotes
 
+        # cooldowns are only ever declared in the Gemfile, so carry them over
+        # along with the remotes they apply to
+        replacement_source.remote_cooldowns = gemfile_source.remote_cooldowns
+
         yield replacement_source if block_given?
 
         replacement_source

data/bundler/lib/bundler/templates/newgem/newgem.gemspec.tt

@@ -47,7 +47,7 @@ Gem::Specification.new do |spec|
   # Uncomment to register a new dependency of your gem
   # spec.add_dependency "example-gem", "~> 1.0"
 <%- if config[:ext] == 'rust' -%>
-  spec.add_dependency "rb_sys", "~> 0.9.91"
+  spec.add_dependency "rb_sys", "~> 0.9.128"
 <%- end -%>
 <%- if config[:ext] == 'go' -%>
   spec.add_dependency "go_gem", "~> 0.2"

data/bundler/lib/bundler/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: false
 
 module Bundler
-  VERSION = "4.0.13".freeze
+  VERSION = "4.0.15".freeze
 
   def self.bundler_major_version
     @bundler_major_version ||= gem_version.segments.first

data/lib/rubygems/ext/builder.rb

@@ -41,8 +41,9 @@ class Gem::Ext::Builder
     # nmake doesn't support parallel build
     unless is_nmake
       have_make_arguments = make_program.size > 1
+      n_jobs ||= 0
 
-      if !have_make_arguments && !ENV["MAKEFLAGS"] && n_jobs
+      if !have_make_arguments && n_jobs > 1 && !ENV["MAKEFLAGS"]&.match(/-j\d*(\s|\Z)/)
         make_program << "-j#{n_jobs}"
       end
     end

data/lib/rubygems/installer.rb

@@ -294,7 +294,7 @@ class Gem::Installer
 
     File.chmod(dir_mode, gem_dir) if dir_mode
 
-    say spec.post_install_message if options[:post_install_message] && !spec.post_install_message.nil?
+    say clean_text(spec.post_install_message.to_s) if options[:post_install_message] && !spec.post_install_message.nil?
 
     Gem::Specification.add_spec(spec) unless @install_dir
 
@@ -707,6 +707,18 @@ class Gem::Installer
     if spec.dependencies.any? {|dep| dep.name =~ /(?:\R|[<>])/ }
       raise Gem::InstallError, "#{spec} has an invalid dependencies"
     end
+
+    if spec.executables.any? {|name| !name.is_a?(String) || name != File.basename(name) || /\A\.\.?\z|\R/.match?(name) }
+      raise Gem::InstallError, "#{spec} has an invalid executable"
+    end
+
+    raise Gem::InstallError, "#{spec} has an invalid bindir" unless spec.bindir.is_a?(String)
+
+    expanded_gem_dir = File.expand_path(gem_dir)
+    expanded_bindir = File.expand_path(File.join(gem_dir, spec.bindir))
+    unless expanded_bindir == expanded_gem_dir || expanded_bindir.start_with?("#{expanded_gem_dir}/")
+      raise Gem::InstallError, "#{spec} has an invalid bindir"
+    end
   end
 
   ##
@@ -715,6 +727,7 @@ class Gem::Installer
   def app_script_text(bin_file_name)
     # NOTE: that the `load` lines cannot be indented, as old RG versions match
     # against the beginning of the line
+    escaped_bin_file_name = bin_file_name.gsub(/[\\']/) {|c| "\\#{c}" }
     <<~TEXT
       #{shebang bin_file_name}
       #
@@ -738,9 +751,9 @@ class Gem::Installer
       end
 
       if Gem.respond_to?(:activate_and_load_bin_path)
-        Gem.activate_and_load_bin_path('#{spec.name}', '#{bin_file_name}', version)
+        Gem.activate_and_load_bin_path('#{spec.name}', '#{escaped_bin_file_name}', version)
       else
-        load Gem.activate_bin_path('#{spec.name}', '#{bin_file_name}', version)
+        load Gem.activate_bin_path('#{spec.name}', '#{escaped_bin_file_name}', version)
       end
     TEXT
   end

data/lib/rubygems/package.rb

@@ -161,7 +161,7 @@ class Gem::Package
     return super unless gem.start
     return super unless gem.start.include? "MD5SUM ="
 
-    Gem::Package::Old.new gem
+    Gem::Package::Old.new gem, security_policy
   end
 
   ##

data/lib/rubygems/request.rb

@@ -61,7 +61,7 @@ class Gem::Request
     if Gem.configuration.ssl_client_cert
       pem = File.read Gem.configuration.ssl_client_cert
       connection.cert = OpenSSL::X509::Certificate.new pem
-      connection.key = OpenSSL::PKey::RSA.new pem
+      connection.key = OpenSSL::PKey.read pem
     end
 
     store.set_default_paths

data/lib/rubygems/safe_marshal/reader.rb

@@ -28,6 +28,8 @@ module Gem
 
       def initialize(io)
         @io = io
+        @object_links = {}
+        @symbol_links = {}
       end
 
       def read!
@@ -191,7 +193,7 @@ module Gem
 
       def read_symbol_link
         offset = read_integer
-        Elements::SymbolLink.new(offset)
+        @symbol_links[offset] ||= Elements::SymbolLink.new(offset)
       end
 
       def read_user_marshal
@@ -200,43 +202,9 @@ module Gem
         Elements::UserMarshal.new(name, data)
       end
 
-      # profiling bundle install --full-index shows that
-      # offset 6 is by far the most common object link,
-      # so we special case it to avoid allocating a new
-      # object a third of the time.
-      # the following are all the object links that
-      # appear more than 10000 times in my profiling
-
-      OBJECT_LINKS = {
-        6 => Elements::ObjectLink.new(6).freeze,
-        30 => Elements::ObjectLink.new(30).freeze,
-        81 => Elements::ObjectLink.new(81).freeze,
-        34 => Elements::ObjectLink.new(34).freeze,
-        38 => Elements::ObjectLink.new(38).freeze,
-        50 => Elements::ObjectLink.new(50).freeze,
-        91 => Elements::ObjectLink.new(91).freeze,
-        42 => Elements::ObjectLink.new(42).freeze,
-        46 => Elements::ObjectLink.new(46).freeze,
-        150 => Elements::ObjectLink.new(150).freeze,
-        100 => Elements::ObjectLink.new(100).freeze,
-        104 => Elements::ObjectLink.new(104).freeze,
-        108 => Elements::ObjectLink.new(108).freeze,
-        242 => Elements::ObjectLink.new(242).freeze,
-        246 => Elements::ObjectLink.new(246).freeze,
-        139 => Elements::ObjectLink.new(139).freeze,
-        143 => Elements::ObjectLink.new(143).freeze,
-        114 => Elements::ObjectLink.new(114).freeze,
-        308 => Elements::ObjectLink.new(308).freeze,
-        200 => Elements::ObjectLink.new(200).freeze,
-        54 => Elements::ObjectLink.new(54).freeze,
-        62 => Elements::ObjectLink.new(62).freeze,
-        1_286_245 => Elements::ObjectLink.new(1_286_245).freeze,
-      }.freeze
-      private_constant :OBJECT_LINKS
-
       def read_object_link
         offset = read_integer
-        OBJECT_LINKS[offset] || Elements::ObjectLink.new(offset)
+        @object_links[offset] ||= Elements::ObjectLink.new(offset)
       end
 
       EMPTY_HASH = Elements::Hash.new([].freeze).freeze

data/lib/rubygems/text.rb

@@ -8,7 +8,16 @@ module Gem::Text
   # Remove any non-printable characters and make the text suitable for
   # printing.
   def clean_text(text)
-    text.gsub(/[\000-\b\v-\f\016-\037\177]/, ".")
+    text = text.gsub(/[\000-\b\v-\f\016-\037\177]/, ".")
+
+    # Match C1 control characters (U+0080-U+009F) as codepoints. This requires
+    # a valid UTF-8 string so the regexp does not split a multibyte sequence;
+    # strings in other encodings are left unchanged.
+    if text.encoding == Encoding::UTF_8 && text.valid_encoding?
+      text = text.gsub(/[\u0080-\u009f]/, ".")
+    end
+
+    text
   end
 
   def truncate_text(text, description, max_length = 100_000)

data/lib/rubygems.rb

@@ -9,7 +9,7 @@
 require "rbconfig"
 
 module Gem
-  VERSION = "4.0.13"
+  VERSION = "4.0.15"
 end
 
 require_relative "rubygems/defaults"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubygems-update
 version: !ruby/object:Gem::Version
-  version: 4.0.13
+  version: 4.0.15
 platform: ruby
 authors:
 - Jim Weirich
@@ -250,6 +250,7 @@ files:
 - bundler/lib/bundler/plugin/installer/path.rb
 - bundler/lib/bundler/plugin/installer/rubygems.rb
 - bundler/lib/bundler/plugin/source_list.rb
+- bundler/lib/bundler/plugin/unloaded_source.rb
 - bundler/lib/bundler/process_lock.rb
 - bundler/lib/bundler/remote_specification.rb
 - bundler/lib/bundler/resolver.rb
@@ -724,7 +725,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.10
+rubygems_version: 4.0.13
 specification_version: 4
 summary: RubyGems is a package management framework for Ruby. This gem is downloaded
   and installed by `gem update --system`, so that the `gem` CLI can update itself.