rubygems-update 4.0.13 → 4.0.14

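--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 0660c05e56df8027375e8d01d875fc71e9837ed53336eface4ce3caef8463b06
- data.tar.gz: 41fb9134ffe1423a57d10e9c3974c4fd03d02f31aea6da2d8703df407cb720c2
+ metadata.gz: 2980ecf46a965c28fb000ecb237f727b01f18d8ac4afe54ffa988cca3f2b3b3f
+ data.tar.gz: c13cef25aea438ea9a544a163ccd325083c3d3f8975bc528ae7d3e726d796d1c
  SHA512:
- metadata.gz: ad34acb0f898943a0a749765234e2ec3abec927d9d6eaffcbd5b33498dc04fe8f0a5477d7569a02a4792fdbaa058c05c14abe38c707c43568f2249c0855c050d
- data.tar.gz: 9bbb91eccb1401d2942b8817734b0130a6c7d33163f4faab4e3204d4f63bbbc317bb78e41a605b494d2224f4954c08d807e75ee3954def54a34e6410d08b85c6
+ metadata.gz: 00243fb6cf2854afc5bcb4c83203734dd35cde728683ef1ab502f0a91afca19c408f1cbc54f1cfdad14674f566e7891bfd568fc3573da5ca290c19f866b1c5f1
+ data.tar.gz: 0d70c17470247896c8329e2264cb5083dff233c79866f0ffaadb642404a496d025788b6a4c51fbbf6431105c4267d48372ba4a28dbf6871038d254b72ad845ad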
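--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,13 @@
  # Changelog
 
+ ## 4.0.14 / 2026-06-10
+
+ ### Enhancements:
+
+ * Add executables and bindir validation to the gem installer. Pull request [#9595](https://github.com/ruby/rubygems/pull/9595) by hsbt
+ * Strip C1 control characters from displayed gem text. Pull request [#9597](https://github.com/ruby/rubygems/pull/9597) by hsbt
+ * Installs bundler 4.0.14 as a default gem.
+
  ## 4.0.13 / 2026-06-03
 
  ### Enhancements: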
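--- a/data/bundler/CHANGELOG.md
+++ b/data/bundler/CHANGELOG.md
@@ -1,5 +1,12 @@
  # Changelog
 
+ ## 4.0.14 / 2026-06-10
+
+ ### Bug fixes:
+
+ * Preserve per-source cooldown when converging sources from the lockfile. Pull request [#9601](https://github.com/ruby/rubygems/pull/9601) by bryanwoods
+ * Don't exclude the locked version from cooldown during bundle update. Pull request [#9599](https://github.com/ruby/rubygems/pull/9599) by hsbt
+
  ## 4.0.13 / 2026-06-03
 
  ### Enhancements: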
@@ -5,7 +5,7 @@ module Bundler
5
5
  module BuildMetadata
6
6
  # begin ivars
7
7
  @built_at = nil
8
- @git_commit_sha = "003f20f0dc".freeze
8
+ @git_commit_sha = "265babb801".freeze
9
9
  # end ivars
10
10
 
11
11
  # A hash representation of the build metadata.
@@ -437,11 +437,27 @@ module Bundler
437
437
  def cooldown_excluded?(spec)
438
438
  return false unless spec.respond_to?(:created_at) && spec.created_at
439
439
  return false unless spec.respond_to?(:remote) && spec.remote
440
+ return false if pinned_by_lockfile_floor?(spec)
440
441
  days = spec.remote.effective_cooldown
441
442
  return false if days.nil? || days <= 0
442
443
  (cooldown_now - spec.created_at) < (days * 86_400)
443
444
  end
444
445
 
446
+ # A spec sitting exactly at a `>= locked_version` prevent-downgrade floor is
447
+ # the version the lockfile currently pins. `bundle update` and `bundle
448
+ # outdated` install that floor so resolution never moves a gem backwards.
449
+ # Filtering it out for cooldown would then make resolution impossible
450
+ # whenever the locked version is itself inside the cooldown window, which is
451
+ # exactly what happens to a lockfile written before cooldown was enabled.
452
+ # Keep it eligible; gems being explicitly updated carry an exact `=`
453
+ # requirement instead and stay subject to the cooldown filter.
454
+ def pinned_by_lockfile_floor?(spec)
455
+ return false unless defined?(@base) && @base
456
+ requirement = base_requirements[spec.name]
457
+ return false unless requirement && !requirement.exact?
458
+ requirement.requirements.any? {|op, version| op == ">=" && version == spec.version }
459
+ end
460
+
445
461
  def cooldown_now
446
462
  @cooldown_now ||= Time.now
447
463
  end
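Review bot: `pinned_by_lockfile_floor?` grants the cooldown exemption from the gem name and version alone (`base_requirements[spec.name]` and `version == spec.version`), so any candidate carrying the locked version number is exempt, not only the artifact the lockfile recorded. If a platform variant or a copy served by another remote can share that version with a later `created_at`, it would skip the cooldown too; whether that can happen depends on code outside this hunk. I would state the limit in the comment above the method, e.g. `# NOTE: matches on name and version only; platform and source are not compared.`, and add a test showing that a gem under explicit update (exact `=` requirement) stays filtered. The enclosing class begins and ends outside the hunk.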
@@ -11,7 +11,7 @@ module Bundler
11
11
  API_REQUEST_SIZE = 100
12
12
  REQUIRE_MUTEX = Mutex.new
13
13
 
14
- attr_accessor :remotes
14
+ attr_accessor :remotes, :remote_cooldowns
15
15
 
16
16
  def initialize(options = {})
17
17
  @options = options
@@ -169,6 +169,10 @@ module Bundler
169
169
  # locked sources never include credentials so always prefer remotes from the gemfile
170
170
  replacement_source.remotes = gemfile_source.remotes
171
171
 
172
+ # cooldowns are only ever declared in the Gemfile, so carry them over
173
+ # along with the remotes they apply to
174
+ replacement_source.remote_cooldowns = gemfile_source.remote_cooldowns
175
+
172
176
  yield replacement_source if block_given?
173
177
 
174
178
  replacement_source
@@ -1,7 +1,7 @@
1
1
  # frozen_string_literal: false
2
2
 
3
3
  module Bundler
4
- VERSION = "4.0.13".freeze
4
+ VERSION = "4.0.14".freeze
5
5
 
6
6
  def self.bundler_major_version
7
7
  @bundler_major_version ||= gem_version.segments.first
@@ -294,7 +294,7 @@ class Gem::Installer
294
294
 
295
295
  File.chmod(dir_mode, gem_dir) if dir_mode
296
296
 
297
- say spec.post_install_message if options[:post_install_message] && !spec.post_install_message.nil?
297
+ say clean_text(spec.post_install_message.to_s) if options[:post_install_message] && !spec.post_install_message.nil?
298
298
 
299
299
  Gem::Specification.add_spec(spec) unless @install_dir
300
300
 
@@ -707,6 +707,18 @@ class Gem::Installer
707
707
  if spec.dependencies.any? {|dep| dep.name =~ /(?:\R|[<>])/ }
708
708
  raise Gem::InstallError, "#{spec} has an invalid dependencies"
709
709
  end
710
+
711
+ if spec.executables.any? {|name| !name.is_a?(String) || name != File.basename(name) || /\A\.\.?\z|\R/.match?(name) }
712
+ raise Gem::InstallError, "#{spec} has an invalid executable"
713
+ end
714
+
715
+ raise Gem::InstallError, "#{spec} has an invalid bindir" unless spec.bindir.is_a?(String)
716
+
717
+ expanded_gem_dir = File.expand_path(gem_dir)
718
+ expanded_bindir = File.expand_path(File.join(gem_dir, spec.bindir))
719
+ unless expanded_bindir == expanded_gem_dir || expanded_bindir.start_with?("#{expanded_gem_dir}/")
720
+ raise Gem::InstallError, "#{spec} has an invalid bindir"
721
+ end
710
722
  end
711
723
 
712
724
  ##
@@ -715,6 +727,7 @@ class Gem::Installer
715
727
  def app_script_text(bin_file_name)
716
728
  # NOTE: that the `load` lines cannot be indented, as old RG versions match
717
729
  # against the beginning of the line
730
+ escaped_bin_file_name = bin_file_name.gsub(/[\\']/) {|c| "\\#{c}" }
718
731
  <<~TEXT
719
732
  #{shebang bin_file_name}
720
733
  #
@@ -738,9 +751,9 @@ class Gem::Installer
738
751
  end
739
752
 
740
753
  if Gem.respond_to?(:activate_and_load_bin_path)
741
- Gem.activate_and_load_bin_path('#{spec.name}', '#{bin_file_name}', version)
754
+ Gem.activate_and_load_bin_path('#{spec.name}', '#{escaped_bin_file_name}', version)
742
755
  else
743
- load Gem.activate_bin_path('#{spec.name}', '#{bin_file_name}', version)
756
+ load Gem.activate_bin_path('#{spec.name}', '#{escaped_bin_file_name}', version)
744
757
  end
745
758
  TEXT
746
759
  end
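Review bot: The executables check added after the dependencies validation accepts an empty string, because `File.basename("")` is `""` and `/\A\.\.?\z|\R/` only matches `.`, `..` or a line break. An empty name joined onto `bindir` would presumably point at the bin directory itself rather than a file, so I would reject it in the same block by adding `|| name.empty?` to the predicate. In `app_script_text`, `spec.name` is interpolated into the same single-quoted literals without the escaping now applied to `bin_file_name`; if a name check outside these hunks makes that safe, a one-line comment saying so would help the next reader. Both methods start and end outside the hunks shown.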
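--- a/data/lib/rubygems/text.rb
+++ b/data/lib/rubygems/text.rb
@@ -8,7 +8,16 @@ module Gem::Text
  # Remove any non-printable characters and make the text suitable for
  # printing.
  def clean_text(text)
- text.gsub(/[\000-\b\v-\f\016-\037\177]/, ".")
+ text = text.gsub(/[\000-\b\v-\f\016-\037\177]/, ".")
+
+ # Match C1 control characters (U+0080-U+009F) as codepoints. This requires
+ # a valid UTF-8 string so the regexp does not split a multibyte sequence;
+ # strings in other encodings are left unchanged.
+ if text.encoding == Encoding::UTF_8 && text.valid_encoding?
+ text = text.gsub(/[\u0080-\u009f]/, ".")
+ end
+
+ text
  end
 
  def truncate_text(text, description, max_length = 100_000)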
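Review bot: The C1 pass in `clean_text` runs only for valid UTF-8, so text tagged with another encoding (binary or ISO-8859-1, for instance, where bytes 0x80–0x9F are the C1 controls themselves) is still returned unfiltered, while the method's header comment keeps promising that non-printable characters are removed. The inner comment says the pass-through is intended, so I would narrow the header to match, e.g. `# Replaces ASCII control characters, and C1 controls in valid UTF-8 text, with ".".`. Tests with a binary-encoded string and with an invalid UTF-8 string would pin what callers get in those cases; how the first `gsub` treats invalid UTF-8 is not visible from this hunk.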
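--- a/data/lib/rubygems.rb
+++ b/data/lib/rubygems.rb
@@ -9,7 +9,7 @@
  require "rbconfig"
 
  module Gem
- VERSION = "4.0.13"
+ VERSION = "4.0.14"
  end
 
  require_relative "rubygems/defaults"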
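--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: rubygems-update
  version: !ruby/object:Gem::Version
- version: 4.0.13
+ version: 4.0.14
  platform: ruby
  authors:
  - Jim Weirich
@@ -724,7 +724,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 4.0.10
+ rubygems_version: 4.0.13
  specification_version: 4
  summary: RubyGems is a package management framework for Ruby. This gem is downloaded
  and installed by `gem update --system`, so that the `gem` CLI can update itself.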