rubygems-update 3.6.8 → 3.6.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d8c683b5b8ebeb45839a1e4e148c66e706823d2d3e79d168fce8745b9be194df
-  data.tar.gz: 245eb17bc84ee70ea02919f508d819a19570443a8e569c49fbe58e3d4ca77c92
+  metadata.gz: a27b88f13655c46ac4a7e221526bba0507a4abb98fa767dae209ce8d5ee43a80
+  data.tar.gz: 4abec332a0660f5f8bda5f727e1e2b0f28fbb14f3d8739213a8ddb3eb7fee9cf
 SHA512:
-  metadata.gz: 73cb48fa32e961185618f1a9978f67c66b29f28597ebfb7c6c764e20d719336458884e0371ad49e9ef7a3bf7a3363850315984d43f189266a7852766924dff95
-  data.tar.gz: 2bbaeff8ede469f7e70beed2523517884d7fef8a69834a8df00feac62efdc0094a0a9f5c5388e689728d87033e351ffb2a6f1af5b65c3c63d51382f5807e1bbf
+  metadata.gz: 9e2c1e36afe7b9c34738b7e675d9a8eacaa7de0b748abe9abe8dcb02ac12201b66d6e7d65991608f1b3e9258307241c8b04d4f378dfabd3c1dcc234d4b041ba6
+  data.tar.gz: 171f85c2ef9b011cf049d8f415481ff7543723409a60ba30ab77caca83ee545db50d3fa1b3f18d4863d39cfcf44d8175f38b2319c24aaca5357479b56e09d4a6

data/CHANGELOG.md

@@ -1,3 +1,27 @@
+# 3.6.9 / 2025-05-13
+
+## Enhancements:
+
+* Add mtime to Gem::Package::TarWriter#add_file argument. Pull request
+  [#8673](https://github.com/rubygems/rubygems/pull/8673) by unasuke
+* Print webauthn authentication link as a separate line to make it easier
+  to visit. Pull request
+  [#8663](https://github.com/rubygems/rubygems/pull/8663) by mperham
+* Remove shellwords autoload. Pull request
+  [#8644](https://github.com/rubygems/rubygems/pull/8644) by
+  deivid-rodriguez
+* Installs bundler 2.6.9 as a default gem.
+
+## Performance:
+
+* Avoid unnecessary splat allocation. Pull request
+  [#8640](https://github.com/rubygems/rubygems/pull/8640) by jeremyevans
+
+## Documentation:
+
+* Fix typo in Changelog for 3.6.0 / 2024-12-16. Pull request
+  [#8638](https://github.com/rubygems/rubygems/pull/8638) by thatrobotdev
+
 # 3.6.8 / 2025-04-13
 
 ## Enhancements:
@@ -172,7 +196,7 @@
 
 * Fix missing single quote in git source example. Pull request
   [#8303](https://github.com/rubygems/rubygems/pull/8303) by nobu
-* Update the `gem install` demo in REAME to use a gem that just works on
+* Update the `gem install` demo in README to use a gem that just works on
   Windows. Pull request
   [#8262](https://github.com/rubygems/rubygems/pull/8262) by soda92
 * Unify rubygems and bundler docs directory. Pull request

data/Manifest.txt

@@ -26,6 +26,8 @@ bundler/lib/bundler/cli/common.rb
 bundler/lib/bundler/cli/config.rb
 bundler/lib/bundler/cli/console.rb
 bundler/lib/bundler/cli/doctor.rb
+bundler/lib/bundler/cli/doctor/diagnose.rb
+bundler/lib/bundler/cli/doctor/ssl.rb
 bundler/lib/bundler/cli/exec.rb
 bundler/lib/bundler/cli/fund.rb
 bundler/lib/bundler/cli/gem.rb
@@ -518,7 +520,6 @@ lib/rubygems/security/policy.rb
 lib/rubygems/security/signer.rb
 lib/rubygems/security/trust_dir.rb
 lib/rubygems/security_option.rb
-lib/rubygems/shellwords.rb
 lib/rubygems/source.rb
 lib/rubygems/source/git.rb
 lib/rubygems/source/installed.rb

data/bundler/CHANGELOG.md

@@ -1,3 +1,16 @@
+# 2.6.9 (May 13, 2025)
+
+## Enhancements:
+
+  - Fix doctor command parsing of otool output [#8665](https://github.com/rubygems/rubygems/pull/8665)
+  - Add SSL troubleshooting to `bundle doctor` [#8624](https://github.com/rubygems/rubygems/pull/8624)
+  - Let `bundle lock --normalize-platforms` remove invalid platforms [#8631](https://github.com/rubygems/rubygems/pull/8631)
+
+## Bug fixes:
+
+  - Fix `bundle lock` sometimes allowing invalid platforms into the lockfile [#8630](https://github.com/rubygems/rubygems/pull/8630)
+  - Fix false positive warning about insecure materialization in frozen mode [#8629](https://github.com/rubygems/rubygems/pull/8629)
+
 # 2.6.8 (April 13, 2025)
 
 ## Enhancements:

data/bundler/lib/bundler/build_metadata.rb

@@ -5,7 +5,7 @@ module Bundler
   module BuildMetadata
     # begin ivars
     @built_at = "1980-01-02".freeze
-    @git_commit_sha = "2a353e42e2e".freeze
+    @git_commit_sha = "8a2a14d63da".freeze
     @release = true
     # end ivars
 

data/bundler/lib/bundler/cli/doctor/diagnose.rb

@@ -0,0 +1,167 @@
+# frozen_string_literal: true
+
+require "rbconfig"
+require "shellwords"
+
+module Bundler
+  class CLI::Doctor::Diagnose
+    DARWIN_REGEX = /\s+(.+) \(compatibility /
+    LDD_REGEX = /\t\S+ => (\S+) \(\S+\)/
+
+    attr_reader :options
+
+    def initialize(options)
+      @options = options
+    end
+
+    def otool_available?
+      Bundler.which("otool")
+    end
+
+    def ldd_available?
+      Bundler.which("ldd")
+    end
+
+    def dylibs_darwin(path)
+      output = `/usr/bin/otool -L #{path.shellescape}`.chomp
+      dylibs = output.split("\n")[1..-1].filter_map {|l| l.match(DARWIN_REGEX)&.match(1) }.uniq
+      # ignore @rpath and friends
+      dylibs.reject {|dylib| dylib.start_with? "@" }
+    end
+
+    def dylibs_ldd(path)
+      output = `/usr/bin/ldd #{path.shellescape}`.chomp
+      output.split("\n").filter_map do |l|
+        match = l.match(LDD_REGEX)
+        next if match.nil?
+        match.captures[0]
+      end
+    end
+
+    def dylibs(path)
+      case RbConfig::CONFIG["host_os"]
+      when /darwin/
+        return [] unless otool_available?
+        dylibs_darwin(path)
+      when /(linux|solaris|bsd)/
+        return [] unless ldd_available?
+        dylibs_ldd(path)
+      else # Windows, etc.
+        Bundler.ui.warn("Dynamic library check not supported on this platform.")
+        []
+      end
+    end
+
+    def bundles_for_gem(spec)
+      Dir.glob("#{spec.full_gem_path}/**/*.bundle")
+    end
+
+    def lookup_with_fiddle(path)
+      require "fiddle"
+      Fiddle.dlopen(path)
+      false
+    rescue Fiddle::DLError
+      true
+    end
+
+    def check!
+      require_relative "../check"
+      Bundler::CLI::Check.new({}).run
+    end
+
+    def diagnose_ssl
+      require_relative "ssl"
+      Bundler::CLI::Doctor::SSL.new({}).run
+    end
+
+    def run
+      Bundler.ui.level = "warn" if options[:quiet]
+      Bundler.settings.validate!
+      check!
+      diagnose_ssl if options[:ssl]
+
+      definition = Bundler.definition
+      broken_links = {}
+
+      definition.specs.each do |spec|
+        bundles_for_gem(spec).each do |bundle|
+          bad_paths = dylibs(bundle).select do |f|
+            lookup_with_fiddle(f)
+          end
+          if bad_paths.any?
+            broken_links[spec] ||= []
+            broken_links[spec].concat(bad_paths)
+          end
+        end
+      end
+
+      permissions_valid = check_home_permissions
+
+      if broken_links.any?
+        message = "The following gems are missing OS dependencies:"
+        broken_links.flat_map do |spec, paths|
+          paths.uniq.map do |path|
+            "\n * #{spec.name}: #{path}"
+          end
+        end.sort.each {|m| message += m }
+        raise ProductionError, message
+      elsif permissions_valid
+        Bundler.ui.info "No issues found with the installed bundle"
+      end
+    end
+
+    private
+
+    def check_home_permissions
+      require "find"
+      files_not_readable = []
+      files_not_readable_and_owned_by_different_user = []
+      files_not_owned_by_current_user_but_still_readable = []
+      broken_symlinks = []
+      Find.find(Bundler.bundle_path.to_s).each do |f|
+        if !File.exist?(f)
+          broken_symlinks << f
+        elsif !File.readable?(f)
+          if File.stat(f).uid != Process.uid
+            files_not_readable_and_owned_by_different_user << f
+          else
+            files_not_readable << f
+          end
+        elsif File.stat(f).uid != Process.uid
+          files_not_owned_by_current_user_but_still_readable << f
+        end
+      end
+
+      ok = true
+
+      if broken_symlinks.any?
+        Bundler.ui.warn "Broken links exist in the Bundler home. Please report them to the offending gem's upstream repo. These files are:\n - #{broken_symlinks.join("\n - ")}"
+
+        ok = false
+      end
+
+      if files_not_owned_by_current_user_but_still_readable.any?
+        Bundler.ui.warn "Files exist in the Bundler home that are owned by another " \
+          "user, but are still readable. These files are:\n - #{files_not_owned_by_current_user_but_still_readable.join("\n - ")}"
+
+        ok = false
+      end
+
+      if files_not_readable_and_owned_by_different_user.any?
+        Bundler.ui.warn "Files exist in the Bundler home that are owned by another " \
+          "user, and are not readable. These files are:\n - #{files_not_readable_and_owned_by_different_user.join("\n - ")}"
+
+        ok = false
+      end
+
+      if files_not_readable.any?
+        Bundler.ui.warn "Files exist in the Bundler home that are not " \
+          "readable by the current user. These files are:\n - #{files_not_readable.join("\n - ")}"
+
+        ok = false
+      end
+
+      ok
+    end
+  end
+end

data/bundler/lib/bundler/cli/doctor/ssl.rb

@@ -0,0 +1,249 @@
+# frozen_string_literal: true
+
+require "rubygems/remote_fetcher"
+require "uri"
+
+module Bundler
+  class CLI::Doctor::SSL
+    attr_reader :options
+
+    def initialize(options)
+      @options = options
+    end
+
+    def run
+      return unless openssl_installed?
+
+      output_ssl_environment
+      bundler_success = bundler_connection_successful?
+      rubygem_success = rubygem_connection_successful?
+
+      return unless net_http_connection_successful?
+
+      Explanation.summarize(bundler_success, rubygem_success, host)
+    end
+
+    private
+
+    def host
+      @options[:host] || "rubygems.org"
+    end
+
+    def tls_version
+      @options[:"tls-version"].then do |version|
+        "TLS#{version.sub(".", "_")}".to_sym if version
+      end
+    end
+
+    def verify_mode
+      mode = @options[:"verify-mode"] || :peer
+
+      @verify_mode ||= mode.then {|mod| OpenSSL::SSL.const_get("verify_#{mod}".upcase) }
+    end
+
+    def uri
+      @uri ||= URI("https://#{host}")
+    end
+
+    def openssl_installed?
+      require "openssl"
+
+      true
+    rescue LoadError
+      Bundler.ui.warn(<<~MSG)
+        Oh no! Your Ruby doesn't have OpenSSL, so it can't connect to #{host}.
+        You'll need to recompile or reinstall Ruby with OpenSSL support and try again.
+      MSG
+
+      false
+    end
+
+    def output_ssl_environment
+      Bundler.ui.info(<<~MESSAGE)
+        Here's your OpenSSL environment:
+
+        OpenSSL:       #{OpenSSL::VERSION}
+        Compiled with: #{OpenSSL::OPENSSL_VERSION}
+        Loaded with:   #{OpenSSL::OPENSSL_LIBRARY_VERSION}
+      MESSAGE
+    end
+
+    def bundler_connection_successful?
+      Bundler.ui.info("\nTrying connections to #{uri}:\n")
+
+      bundler_uri = Gem::URI(uri.to_s)
+      Bundler::Fetcher.new(
+        Bundler::Source::Rubygems::Remote.new(bundler_uri)
+      ).send(:connection).request(bundler_uri)
+
+      Bundler.ui.info("Bundler:       success")
+
+      true
+    rescue StandardError => error
+      Bundler.ui.warn("Bundler:       failed     (#{Explanation.explain_bundler_or_rubygems_error(error)})")
+
+      false
+    end
+
+    def rubygem_connection_successful?
+      Gem::RemoteFetcher.fetcher.fetch_path(uri)
+      Bundler.ui.info("RubyGems:      success")
+
+      true
+    rescue StandardError => error
+      Bundler.ui.warn("RubyGems:      failed     (#{Explanation.explain_bundler_or_rubygems_error(error)})")
+
+      false
+    end
+
+    def net_http_connection_successful?
+      ::Gem::Net::HTTP.new(uri.host, uri.port).tap do |http|
+        http.use_ssl = true
+        http.min_version = tls_version
+        http.max_version = tls_version
+        http.verify_mode = verify_mode
+      end.start
+
+      Bundler.ui.info("Ruby net/http: success")
+      warn_on_unsupported_tls12
+
+      true
+    rescue StandardError => error
+      Bundler.ui.warn(<<~MSG)
+        Ruby net/http: failed
+
+        Unfortunately, this Ruby can't connect to #{host}.
+
+        #{Explanation.explain_net_http_error(error, host, tls_version)}
+      MSG
+
+      false
+    end
+
+    def warn_on_unsupported_tls12
+      ctx = OpenSSL::SSL::SSLContext.new
+      supported = true
+
+      if ctx.respond_to?(:min_version=)
+        begin
+          ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
+        rescue OpenSSL::SSL::SSLError, NameError
+          supported = false
+        end
+      else
+        supported = OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1_2) # rubocop:disable Naming/VariableNumber
+      end
+
+      Bundler.ui.warn(<<~EOM) unless supported
+
+        WARNING: Although your Ruby can connect to #{host} today, your OpenSSL is very old!
+        WARNING: You will need to upgrade OpenSSL to use #{host}.
+
+      EOM
+    end
+
+    module Explanation
+      extend self
+
+      def explain_bundler_or_rubygems_error(error)
+        case error.message
+        when /certificate verify failed/
+          "certificate verification"
+        when /read server hello A/
+          "SSL/TLS protocol version mismatch"
+        when /tlsv1 alert protocol version/
+          "requested TLS version is too old"
+        else
+          error.message
+        end
+      end
+
+      def explain_net_http_error(error, host, tls_version)
+        case error.message
+        # Check for certificate errors
+        when /certificate verify failed/
+          <<~MSG
+            #{show_ssl_certs}
+            Your Ruby can't connect to #{host} because you are missing the certificate files OpenSSL needs to verify you are connecting to the genuine #{host} servers.
+          MSG
+        # Check for TLS version errors
+        when /read server hello A/, /tlsv1 alert protocol version/
+          if tls_version.to_s == "TLS1_3"
+            "Your Ruby can't connect to #{host} because #{tls_version} isn't supported yet.\n"
+          else
+            <<~MSG
+              Your Ruby can't connect to #{host} because your version of OpenSSL is too old.
+              You'll need to upgrade your OpenSSL install and/or recompile Ruby to use a newer OpenSSL.
+            MSG
+          end
+        # OpenSSL doesn't support TLS version specified by argument
+        when /unknown SSL method/
+          "Your Ruby can't connect because #{tls_version} isn't supported by your version of OpenSSL."
+        else
+          <<~MSG
+            Even worse, we're not sure why.
+
+            Here's the full error information:
+            #{error.class}: #{error.message}
+              #{error.backtrace.join("\n  ")}
+
+            You might have more luck using Mislav's SSL doctor.rb script. You can get it here:
+            https://github.com/mislav/ssl-tools/blob/8b3dec4/doctor.rb
+
+            Read more about the script and how to use it in this blog post:
+            https://mislav.net/2013/07/ruby-openssl/
+          MSG
+        end
+      end
+
+      def summarize(bundler_success, rubygems_success, host)
+        guide_url = "http://ruby.to/ssl-check-failed"
+
+        message = if bundler_success && rubygems_success
+          <<~MSG
+            Hooray! This Ruby can connect to #{host}.
+            You are all set to use Bundler and RubyGems.
+
+          MSG
+        elsif !bundler_success && !rubygems_success
+          <<~MSG
+            For some reason, your Ruby installation can connect to #{host}, but neither RubyGems nor Bundler can.
+            The most likely fix is to manually upgrade RubyGems by following the instructions at #{guide_url}.
+            After you've done that, run `gem install bundler` to upgrade Bundler, and then run this script again to make sure everything worked. ❣
+
+          MSG
+        elsif !bundler_success
+          <<~MSG
+            Although your Ruby installation and RubyGems can both connect to #{host}, Bundler is having trouble.
+            The most likely way to fix this is to upgrade Bundler by running `gem install bundler`.
+            Run this script again after doing that to make sure everything is all set.
+            If you're still having trouble, check out the troubleshooting guide at #{guide_url}.
+
+          MSG
+        else
+          <<~MSG
+            It looks like Ruby and Bundler can connect to #{host}, but RubyGems itself cannot.
+            You can likely solve this by manually downloading and installing a RubyGems update.
+            Visit #{guide_url} for instructions on how to manually upgrade RubyGems.
+
+          MSG
+        end
+
+        Bundler.ui.info("\n#{message}")
+      end
+
+      private
+
+      def show_ssl_certs
+        ssl_cert_file = ENV["SSL_CERT_FILE"] || OpenSSL::X509::DEFAULT_CERT_FILE
+        ssl_cert_dir  = ENV["SSL_CERT_DIR"]  || OpenSSL::X509::DEFAULT_CERT_DIR
+
+        <<~MSG
+          Below affect only Ruby net/http connections:
+          SSL_CERT_FILE: #{File.exist?(ssl_cert_file) ? "exists     #{ssl_cert_file}" : "is missing #{ssl_cert_file}"}
+          SSL_CERT_DIR:  #{Dir.exist?(ssl_cert_dir)   ? "exists     #{ssl_cert_dir}"  : "is missing #{ssl_cert_dir}"}
+        MSG
+      end
+    end
+  end
+end

data/bundler/lib/bundler/cli/doctor.rb

@@ -1,161 +1,33 @@
 # frozen_string_literal: true
 
-require "rbconfig"
-require "shellwords"
-
 module Bundler
-  class CLI::Doctor
-    DARWIN_REGEX = /\s+(.+) \(compatibility /
-    LDD_REGEX = /\t\S+ => (\S+) \(\S+\)/
-
-    attr_reader :options
-
-    def initialize(options)
-      @options = options
-    end
-
-    def otool_available?
-      Bundler.which("otool")
-    end
-
-    def ldd_available?
-      Bundler.which("ldd")
-    end
-
-    def dylibs_darwin(path)
-      output = `/usr/bin/otool -L #{path.shellescape}`.chomp
-      dylibs = output.split("\n")[1..-1].map {|l| l.match(DARWIN_REGEX).captures[0] }.uniq
-      # ignore @rpath and friends
-      dylibs.reject {|dylib| dylib.start_with? "@" }
-    end
-
-    def dylibs_ldd(path)
-      output = `/usr/bin/ldd #{path.shellescape}`.chomp
-      output.split("\n").filter_map do |l|
-        match = l.match(LDD_REGEX)
-        next if match.nil?
-        match.captures[0]
-      end
-    end
-
-    def dylibs(path)
-      case RbConfig::CONFIG["host_os"]
-      when /darwin/
-        return [] unless otool_available?
-        dylibs_darwin(path)
-      when /(linux|solaris|bsd)/
-        return [] unless ldd_available?
-        dylibs_ldd(path)
-      else # Windows, etc.
-        Bundler.ui.warn("Dynamic library check not supported on this platform.")
-        []
-      end
-    end
-
-    def bundles_for_gem(spec)
-      Dir.glob("#{spec.full_gem_path}/**/*.bundle")
-    end
-
-    def lookup_with_fiddle(path)
-      require "fiddle"
-      Fiddle.dlopen(path)
-      false
-    rescue Fiddle::DLError
-      true
-    end
-
-    def check!
-      require_relative "check"
-      Bundler::CLI::Check.new({}).run
-    end
-
-    def run
-      Bundler.ui.level = "warn" if options[:quiet]
-      Bundler.settings.validate!
-      check!
-
-      definition = Bundler.definition
-      broken_links = {}
-
-      definition.specs.each do |spec|
-        bundles_for_gem(spec).each do |bundle|
-          bad_paths = dylibs(bundle).select do |f|
-            lookup_with_fiddle(f)
-          end
-          if bad_paths.any?
-            broken_links[spec] ||= []
-            broken_links[spec].concat(bad_paths)
-          end
-        end
-      end
-
-      permissions_valid = check_home_permissions
-
-      if broken_links.any?
-        message = "The following gems are missing OS dependencies:"
-        broken_links.flat_map do |spec, paths|
-          paths.uniq.map do |path|
-            "\n * #{spec.name}: #{path}"
-          end
-        end.sort.each {|m| message += m }
-        raise ProductionError, message
-      elsif permissions_valid
-        Bundler.ui.info "No issues found with the installed bundle"
-      end
-    end
-
-    private
-
-    def check_home_permissions
-      require "find"
-      files_not_readable = []
-      files_not_readable_and_owned_by_different_user = []
-      files_not_owned_by_current_user_but_still_readable = []
-      broken_symlinks = []
-      Find.find(Bundler.bundle_path.to_s).each do |f|
-        if !File.exist?(f)
-          broken_symlinks << f
-        elsif !File.readable?(f)
-          if File.stat(f).uid != Process.uid
-            files_not_readable_and_owned_by_different_user << f
-          else
-            files_not_readable << f
-          end
-        elsif File.stat(f).uid != Process.uid
-          files_not_owned_by_current_user_but_still_readable << f
-        end
-      end
-
-      ok = true
-
-      if broken_symlinks.any?
-        Bundler.ui.warn "Broken links exist in the Bundler home. Please report them to the offending gem's upstream repo. These files are:\n - #{broken_symlinks.join("\n - ")}"
-
-        ok = false
-      end
-
-      if files_not_owned_by_current_user_but_still_readable.any?
-        Bundler.ui.warn "Files exist in the Bundler home that are owned by another " \
-          "user, but are still readable. These files are:\n - #{files_not_owned_by_current_user_but_still_readable.join("\n - ")}"
-
-        ok = false
-      end
-
-      if files_not_readable_and_owned_by_different_user.any?
-        Bundler.ui.warn "Files exist in the Bundler home that are owned by another " \
-          "user, and are not readable. These files are:\n - #{files_not_readable_and_owned_by_different_user.join("\n - ")}"
-
-        ok = false
-      end
-
-      if files_not_readable.any?
-        Bundler.ui.warn "Files exist in the Bundler home that are not " \
-          "readable by the current user. These files are:\n - #{files_not_readable.join("\n - ")}"
-
-        ok = false
-      end
-
-      ok
+  class CLI::Doctor < Thor
+    default_command(:diagnose)
+
+    desc "diagnose [OPTIONS]", "Checks the bundle for common problems"
+    long_desc <<-D
+      Doctor scans the OS dependencies of each of the gems requested in the Gemfile. If
+      missing dependencies are detected, Bundler prints them and exits status 1.
+      Otherwise, Bundler prints a success message and exits with a status of 0.
+    D
+    method_option "gemfile", type: :string, banner: "Use the specified gemfile instead of Gemfile"
+    method_option "quiet", type: :boolean, banner: "Only output warnings and errors."
+    method_option "ssl", type: :boolean, default: false, banner: "Diagnose SSL problems."
+    def diagnose
+      require_relative "doctor/diagnose"
+      Diagnose.new(options).run
+    end
+
+    desc "ssl [OPTIONS]", "Diagnose SSL problems"
+    long_desc <<-D
+      Diagnose SSL problems, especially related to certificates or TLS version while connecting to https://rubygems.org.
+    D
+    method_option "host", type: :string, banner: "The host to diagnose."
+    method_option "tls-version", type: :string, banner: "Specify the SSL/TLS version when running the diagnostic. Accepts either <1.1> or <1.2>"
+    method_option "verify-mode", type: :string, banner: "Specify the mode used for certification verification. Accepts either <peer> or <none>"
+    def ssl
+      require_relative "doctor/ssl"
+      SSL.new(options).run
     end
   end
 end

data/bundler/lib/bundler/cli/issue.rb

@@ -34,8 +34,8 @@ module Bundler
     end
 
     def doctor
-      require_relative "doctor"
-      Bundler::CLI::Doctor.new({}).run
+      require_relative "doctor/diagnose"
+      Bundler::CLI::Doctor::Diagnose.new({}).run
     end
   end
 end

data/bundler/lib/bundler/cli.rb

@@ -610,17 +610,8 @@ module Bundler
     end
 
     desc "doctor [OPTIONS]", "Checks the bundle for common problems"
-    long_desc <<-D
-      Doctor scans the OS dependencies of each of the gems requested in the Gemfile. If
-      missing dependencies are detected, Bundler prints them and exits status 1.
-      Otherwise, Bundler prints a success message and exits with a status of 0.
-    D
-    method_option "gemfile", type: :string, banner: "Use the specified gemfile instead of Gemfile"
-    method_option "quiet", type: :boolean, banner: "Only output warnings and errors."
-    def doctor
-      require_relative "cli/doctor"
-      Doctor.new(options).run
-    end
+    require_relative "cli/doctor"
+    subcommand("doctor", Doctor)
 
     desc "issue", "Learn how to report an issue in Bundler"
     def issue

data/bundler/lib/bundler/definition.rb

@@ -257,7 +257,7 @@ module Bundler
     rescue BundlerError => e
       @resolve = nil
       @resolver = nil
-      @resolution_packages = nil
+      @resolution_base = nil
       @source_requirements = nil
       @specs = nil
 
@@ -614,7 +614,7 @@ module Bundler
     end
 
     def resolver
-      @resolver ||= Resolver.new(resolution_packages, gem_version_promoter, @most_specific_locked_platform)
+      @resolver ||= Resolver.new(resolution_base, gem_version_promoter, @most_specific_locked_platform)
     end
 
     def expanded_dependencies
@@ -628,15 +628,15 @@ module Bundler
       [Dependency.new("bundler", @unlocking_bundler)] + dependencies
     end
 
-    def resolution_packages
-      @resolution_packages ||= begin
+    def resolution_base
+      @resolution_base ||= begin
         last_resolve = converge_locked_specs
         remove_invalid_platforms!
         new_resolution_platforms = @current_platform_missing ? @new_platforms + [local_platform] : @new_platforms
-        packages = Resolver::Base.new(source_requirements, expanded_dependencies, last_resolve, @platforms, locked_specs: @originally_locked_specs, unlock: @unlocking_all || @gems_to_unlock, prerelease: gem_version_promoter.pre?, prefer_local: @prefer_local, new_platforms: new_resolution_platforms)
-        packages = additional_base_requirements_to_prevent_downgrades(packages)
-        packages = additional_base_requirements_to_force_updates(packages)
-        packages
+        base = Resolver::Base.new(source_requirements, expanded_dependencies, last_resolve, @platforms, locked_specs: @originally_locked_specs, unlock: @unlocking_all || @gems_to_unlock, prerelease: gem_version_promoter.pre?, prefer_local: @prefer_local, new_platforms: new_resolution_platforms)
+        base = additional_base_requirements_to_prevent_downgrades(base)
+        base = additional_base_requirements_to_force_updates(base)
+        base
       end
     end
 
@@ -711,8 +711,7 @@ module Bundler
         still_incomplete_specs = resolve.incomplete_specs
 
         if still_incomplete_specs == incomplete_specs
-          package = resolution_packages.get_package(incomplete_specs.first.name)
-          resolver.raise_not_found! package
+          resolver.raise_incomplete! incomplete_specs
         end
 
         incomplete_specs = still_incomplete_specs
@@ -734,7 +733,7 @@ module Bundler
     end
 
     def reresolve_without(incomplete_specs)
-      resolution_packages.delete(incomplete_specs)
+      resolution_base.delete(incomplete_specs)
       @resolve = start_resolution
     end
 
@@ -747,8 +746,16 @@ module Bundler
 
       @resolved_bundler_version = result.find {|spec| spec.name == "bundler" }&.version
 
+      @new_platforms.each do |platform|
+        incomplete_specs = result.incomplete_specs_for_platform(current_dependencies, platform)
+
+        if incomplete_specs.any?
+          resolver.raise_incomplete! incomplete_specs
+        end
+      end
+
       if @most_specific_non_local_locked_platform
-        if spec_set_incomplete_for_platform?(result, @most_specific_non_local_locked_platform)
+        if result.incomplete_for_platform?(current_dependencies, @most_specific_non_local_locked_platform)
           @platforms.delete(@most_specific_non_local_locked_platform)
         elsif local_platform_needed_for_resolvability
           @platforms.delete(local_platform)
@@ -1124,27 +1131,27 @@ module Bundler
       current == proposed
     end
 
-    def additional_base_requirements_to_prevent_downgrades(resolution_packages)
-      return resolution_packages unless @locked_gems && !sources.expired_sources?(@locked_gems.sources)
+    def additional_base_requirements_to_prevent_downgrades(resolution_base)
+      return resolution_base unless @locked_gems && !sources.expired_sources?(@locked_gems.sources)
       @originally_locked_specs.each do |locked_spec|
         next if locked_spec.source.is_a?(Source::Path)
 
         name = locked_spec.name
         next if @changed_dependencies.include?(name)
 
-        resolution_packages.base_requirements[name] = Gem::Requirement.new(">= #{locked_spec.version}")
+        resolution_base.base_requirements[name] = Gem::Requirement.new(">= #{locked_spec.version}")
       end
-      resolution_packages
+      resolution_base
     end
 
-    def additional_base_requirements_to_force_updates(resolution_packages)
-      return resolution_packages if @explicit_unlocks.empty?
+    def additional_base_requirements_to_force_updates(resolution_base)
+      return resolution_base if @explicit_unlocks.empty?
       full_update = dup_for_full_unlock.resolve
       @explicit_unlocks.each do |name|
         version = full_update.version_for(name)
-        resolution_packages.base_requirements[name] = Gem::Requirement.new("= #{version}") if version
+        resolution_base.base_requirements[name] = Gem::Requirement.new("= #{version}") if version
       end
-      resolution_packages
+      resolution_base
     end
 
     def dup_for_full_unlock
@@ -1161,25 +1168,16 @@ module Bundler
     def remove_invalid_platforms!
       return if Bundler.frozen_bundle?
 
-      @originally_invalid_platforms = platforms.select do |platform|
-        next if local_platform == platform ||
-                @new_platforms.include?(platform)
+      skips = (@new_platforms + [local_platform]).uniq
 
-        # We should probably avoid removing non-ruby platforms, since that means
-        # lockfile will no longer install on those platforms, so a error to give
-        # heads up to the user may be better. However, we have tests expecting
-        # non ruby platform autoremoval to work, so leaving that in place for
-        # now.
-        next if @dependency_changes && platform != Gem::Platform::RUBY
-
-        spec_set_incomplete_for_platform?(@originally_locked_specs, platform)
-      end
-
-      @platforms -= @originally_invalid_platforms
-    end
+      # We should probably avoid removing non-ruby platforms, since that means
+      # lockfile will no longer install on those platforms, so a error to give
+      # heads up to the user may be better. However, we have tests expecting
+      # non ruby platform autoremoval to work, so leaving that in place for
+      # now.
+      skips |= platforms - [Gem::Platform::RUBY] if @dependency_changes
 
-    def spec_set_incomplete_for_platform?(spec_set, platform)
-      spec_set.incomplete_for_platform?(current_dependencies, platform)
+      @originally_invalid_platforms = @originally_locked_specs.remove_invalid_platforms!(current_dependencies, platforms, skips: skips)
     end
 
     def source_map

data/bundler/lib/bundler/lazy_specification.rb

@@ -213,22 +213,31 @@ module Bundler
       end
       if search.nil? && fallback_to_non_installable
         search = candidates.last
-      elsif search && search.full_name == full_name
-        # We don't validate locally installed dependencies but accept what's in
-        # the lockfile instead for performance, since loading locally installed
-        # dependencies would mean evaluating all gemspecs, which would affect
-        # `bundler/setup` performance
-        if search.is_a?(StubSpecification)
-          search.dependencies = dependencies
-        else
-          if !source.is_a?(Source::Path) && search.runtime_dependencies.sort != dependencies.sort
-            raise IncorrectLockfileDependencies.new(self)
-          end
+      end
 
-          search.locked_platform = platform if search.instance_of?(RemoteSpecification) || search.instance_of?(EndpointSpecification)
-        end
+      if search
+        validate_dependencies(search) if search.platform == platform
+
+        search.locked_platform = platform if search.instance_of?(RemoteSpecification) || search.instance_of?(EndpointSpecification)
       end
       search
     end
+
+    # Validate dependencies of this locked spec are consistent with dependencies
+    # of the actual spec that was materialized.
+    #
+    # Note that we don't validate dependencies of locally installed gems but
+    # accept what's in the lockfile instead for performance, since loading
+    # dependencies of locally installed gems would mean evaluating all gemspecs,
+    # which would affect `bundler/setup` performance.
+    def validate_dependencies(spec)
+      if spec.is_a?(StubSpecification)
+        spec.dependencies = dependencies
+      else
+        if !source.is_a?(Source::Path) && spec.runtime_dependencies.sort != dependencies.sort
+          raise IncorrectLockfileDependencies.new(self)
+        end
+      end
+    end
   end
 end

data/bundler/lib/bundler/resolver.rb

@@ -312,6 +312,16 @@ module Bundler
       "Gemfile"
     end
 
+    def raise_incomplete!(incomplete_specs)
+      raise_not_found!(@base.get_package(incomplete_specs.first.name))
+    end
+
+    def sort_versions_by_preferred(package, versions)
+      @gem_version_promoter.sort_versions(package, versions)
+    end
+
+    private
+
     def raise_not_found!(package)
       name = package.name
       source = source_for(name)
@@ -348,12 +358,6 @@ module Bundler
       raise GemNotFound, message
     end
 
-    def sort_versions_by_preferred(package, versions)
-      @gem_version_promoter.sort_versions(package, versions)
-    end
-
-    private
-
     def filtered_versions_for(package)
       @gem_version_promoter.filter_versions(package, @all_versions[package])
     end

data/bundler/lib/bundler/spec_set.rb

@@ -29,6 +29,7 @@ module Bundler
     end
 
     def normalize_platforms!(deps, platforms)
+      remove_invalid_platforms!(deps, platforms)
       add_extra_platforms!(platforms)
 
       platforms.map! do |platform|
@@ -53,6 +54,20 @@ module Bundler
       end
     end
 
+    def remove_invalid_platforms!(deps, platforms, skips: [])
+      invalid_platforms = []
+
+      platforms.reject! do |platform|
+        next false if skips.include?(platform)
+
+        invalid = incomplete_for_platform?(deps, platform)
+        invalid_platforms << platform if invalid
+        invalid
+      end
+
+      invalid_platforms
+    end
+
     def add_extra_platforms!(platforms)
       if @specs.empty?
         platforms.concat([Gem::Platform::RUBY]).uniq
@@ -130,12 +145,15 @@ module Bundler
     end
 
     def incomplete_for_platform?(deps, platform)
-      return false if @specs.empty?
+      incomplete_specs_for_platform(deps, platform).any?
+    end
+
+    def incomplete_specs_for_platform(deps, platform)
+      return [] if @specs.empty?
 
       validation_set = self.class.new(@specs)
       validation_set.for(deps, [platform])
-
-      validation_set.incomplete_specs.any?
+      validation_set.incomplete_specs
     end
 
     def missing_specs_for(deps)

data/bundler/lib/bundler/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: false
 
 module Bundler
-  VERSION = "2.6.8".freeze
+  VERSION = "2.6.9".freeze
 
   def self.bundler_major_version
     @bundler_major_version ||= VERSION.split(".").first.to_i

data/lib/rubygems/commands/push_command.rb

@@ -92,7 +92,8 @@ The push command will use ~/.gem/credentials to authenticate to a server, but yo
   private
 
   def send_push_request(name, args)
-    rubygems_api_request(*args, scope: get_push_scope) do |request|
+    scope = get_push_scope
+    rubygems_api_request(*args, scope: scope) do |request|
       body = Gem.read_binary name
       if options[:attestations].any?
         request.set_form([

data/lib/rubygems/ext/builder.rb

@@ -7,7 +7,6 @@
 #++
 
 require_relative "../user_interaction"
-require_relative "../shellwords"
 
 class Gem::Ext::Builder
   include Gem::UserInteraction
@@ -29,7 +28,7 @@ class Gem::Ext::Builder
     target_rbconfig["configure_args"] =~ /with-make-prog\=(\w+)/
     make_program_name = ENV["MAKE"] || ENV["make"] || $1
     make_program_name ||= RUBY_PLATFORM.include?("mswin") ? "nmake" : "make"
-    make_program = Shellwords.split(make_program_name)
+    make_program = shellsplit(make_program_name)
 
     # The installation of the bundled gems is failed when DESTDIR is empty in mswin platform.
     destdir = /\bnmake/i !~ make_program_name || ENV["DESTDIR"] && ENV["DESTDIR"] != "" ? format("DESTDIR=%s", ENV["DESTDIR"]) : ""
@@ -58,7 +57,7 @@ class Gem::Ext::Builder
 
   def self.ruby
     # Gem.ruby is quoted if it contains whitespace
-    cmd = Shellwords.split(Gem.ruby)
+    cmd = shellsplit(Gem.ruby)
 
     # This load_path is only needed when running rubygems test without a proper installation.
     # Prepending it in a normal installation will cause problem with order of $LOAD_PATH.
@@ -83,7 +82,7 @@ class Gem::Ext::Builder
         p(command)
       end
       results << "current directory: #{dir}"
-      results << Shellwords.join(command)
+      results << shelljoin(command)
 
       require "open3"
       # Set $SOURCE_DATE_EPOCH for the subprocess.
@@ -127,6 +126,18 @@ class Gem::Ext::Builder
     end
   end
 
+  def self.shellsplit(command)
+    require "shellwords"
+
+    Shellwords.split(command)
+  end
+
+  def self.shelljoin(command)
+    require "shellwords"
+
+    Shellwords.join(command)
+  end
+
   ##
   # Creates a new extension builder for +spec+.  If the +spec+ does not yet
   # have build arguments, saved, set +build_args+ which is an ARGV-style

data/lib/rubygems/ext/cargo_builder.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require_relative "../shellwords"
-
 # This class is used by rubygems to build Rust extensions. It is a thin-wrapper
 # over the `cargo rustc` command which takes care of building Rust code in a way
 # that Ruby can use.
@@ -159,7 +157,7 @@ class Gem::Ext::CargoBuilder < Gem::Ext::Builder
   # We want to use the same linker that Ruby uses, so that the linker flags from
   # mkmf work properly.
   def linker_args
-    cc_flag = Shellwords.split(makefile_config("CC"))
+    cc_flag = self.class.shellsplit(makefile_config("CC"))
     linker = cc_flag.shift
     link_args = cc_flag.flat_map {|a| ["-C", "link-arg=#{a}"] }
 
@@ -178,7 +176,7 @@ class Gem::Ext::CargoBuilder < Gem::Ext::Builder
 
   def libruby_args(dest_dir)
     libs = makefile_config(ruby_static? ? "LIBRUBYARG_STATIC" : "LIBRUBYARG_SHARED")
-    raw_libs = Shellwords.split(libs)
+    raw_libs = self.class.shellsplit(libs)
     raw_libs.flat_map {|l| ldflag_to_link_modifier(l) }
   end
 
@@ -261,7 +259,7 @@ EOF
   end
 
   def split_flags(var)
-    Shellwords.split(RbConfig::CONFIG.fetch(var, ""))
+    self.class.shellsplit(RbConfig::CONFIG.fetch(var, ""))
   end
 
   def ldflag_to_link_modifier(arg)

data/lib/rubygems/ext/rake_builder.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require_relative "../shellwords"
-
 #--
 # Copyright 2006 by Chad Fowler, Rich Kilmer, Jim Weirich and others.
 # All rights reserved.
@@ -22,7 +20,7 @@ class Gem::Ext::RakeBuilder < Gem::Ext::Builder
     rake = ENV["rake"]
 
     if rake
-      rake = Shellwords.split(rake)
+      rake = shellsplit(rake)
     else
       begin
         rake = ruby << "-rrubygems" << Gem.bin_path("rake", "rake")

data/lib/rubygems/gemcutter_utilities.rb

@@ -263,7 +263,10 @@ module Gem::GemcutterUtilities
       port = server.addr[1].to_s
 
       url_with_port = "#{webauthn_url}?port=#{port}"
-      say "You have enabled multi-factor authentication. Please visit #{url_with_port} to authenticate via security device. If you can't verify using WebAuthn but have OTP enabled, you can re-run the gem signin command with the `--otp [your_code]` option."
+      say "You have enabled multi-factor authentication. Please visit the following URL to authenticate via security device. If you can't verify using WebAuthn but have OTP enabled, you can re-run the gem signin command with the `--otp [your_code]` option."
+      say ""
+      say url_with_port
+      say ""
 
       threads = [WebauthnListener.listener_thread(host, server), WebauthnPoller.poll_thread(options, host, webauthn_url, credentials)]
       otp_thread = wait_for_otp_thread(*threads)

data/lib/rubygems/package/tar_writer.rb

@@ -95,10 +95,11 @@ class Gem::Package::TarWriter
   end
 
   ##
-  # Adds file +name+ with permissions +mode+, and yields an IO for writing the
-  # file to
+  # Adds file +name+ with permissions +mode+ and mtime +mtime+ (sets
+  # Gem.source_date_epoch if not specified), and yields an IO for
+  # writing the file to
 
-  def add_file(name, mode) # :yields: io
+  def add_file(name, mode, mtime=nil) # :yields: io
     check_closed
 
     name, prefix = split_name name
@@ -118,7 +119,7 @@ class Gem::Package::TarWriter
 
     header = Gem::Package::TarHeader.new name: name, mode: mode,
                                          size: size, prefix: prefix,
-                                         mtime: Gem.source_date_epoch
+                                         mtime: mtime || Gem.source_date_epoch
 
     @io.write header
     @io.pos = final_pos

data/lib/rubygems.rb

@@ -9,7 +9,7 @@
 require "rbconfig"
 
 module Gem
-  VERSION = "3.6.8"
+  VERSION = "3.6.9"
 end
 
 # Must be first since it unloads the prelude from 1.9.2

data/rubygems-update.gemspec

@@ -2,7 +2,7 @@
 
 Gem::Specification.new do |s|
   s.name = "rubygems-update"
-  s.version = "3.6.8"
+  s.version = "3.6.9"
   s.authors = ["Jim Weirich", "Chad Fowler", "Eric Hodel", "Luis Lavena", "Aaron Patterson", "Samuel Giddins", "André Arko", "Evan Phoenix", "Hiroshi SHIBATA"]
   s.email = ["", "", "drbrain@segment7.net", "luislavena@gmail.com", "aaron@tenderlovemaking.com", "segiddins@segiddins.me", "andre@arko.net", "evan@phx.io", "hsbt@ruby-lang.org"]
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubygems-update
 version: !ruby/object:Gem::Version
-  version: 3.6.8
+  version: 3.6.9
 platform: ruby
 authors:
 - Jim Weirich
@@ -111,6 +111,8 @@ files:
 - bundler/lib/bundler/cli/config.rb
 - bundler/lib/bundler/cli/console.rb
 - bundler/lib/bundler/cli/doctor.rb
+- bundler/lib/bundler/cli/doctor/diagnose.rb
+- bundler/lib/bundler/cli/doctor/ssl.rb
 - bundler/lib/bundler/cli/exec.rb
 - bundler/lib/bundler/cli/fund.rb
 - bundler/lib/bundler/cli/gem.rb
@@ -603,7 +605,6 @@ files:
 - lib/rubygems/security/signer.rb
 - lib/rubygems/security/trust_dir.rb
 - lib/rubygems/security_option.rb
-- lib/rubygems/shellwords.rb
 - lib/rubygems/source.rb
 - lib/rubygems/source/git.rb
 - lib/rubygems/source/installed.rb
@@ -747,7 +748,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.8
+rubygems_version: 3.6.9
 specification_version: 4
 summary: RubyGems is a package management framework for Ruby. This gem is downloaded
   and installed by `gem update --system`, so that the `gem` CLI can update itself.

data/lib/rubygems/shellwords.rb

@@ -1,3 +0,0 @@
-# frozen_string_literal: true
-
-autoload :Shellwords, "shellwords"