The Gemnasium parser determines gem dependencies from gemfiles and gemspecs, without evaluating the Ruby.
Bundler is wonderful. It takes your gemfile and your gemspec (both just Ruby) and evaluates them, determining your gem dependencies. This works great locally and even on your production server… but only because you can be trusted!
An untrustworthy character could put some pretty nasty stuff in a gemfile. If Gemnasium were to blindly evaluate that Ruby on its servers, havoc would ensue.
This is entirely possible with Gemnasium, but it’s impractical. Gemfiles often
require other files in the repository. So to evaluate a gemfile, Gemnasium needs to clone the entire repo. That’s an expensive operation when only a couple files determine the dependencies.
Parse Ruby like Ruby parses Ruby.
Ruby 1.9 includes a library called Ripper. Ripper is a Ruby parsing library that can break down a gemfile or gemspec into bite-sized chunks, without evaluating the source. Then it can be searched for just the methods that matter.
The problem is that it’s hard to make heads or tails from Ripper’s output, at least for me. I could see the Gemnasium parser one day moving to this strategy. But not today.
If we can’t evaluate the Ruby and Ripper’s output is unmanageable, how else can we find patterns in a gemfile or gemspec and get usable output?
The Gemnasium parser, for both gemfiles and gemspecs, is based on a number of Ruby regular expressions. These patterns match
gem method calls in gemfiles and
add_dependency calls in gemspecs.
For a more comprehensive list of its abilities, see the specs.
- Fork it
- Create your branch (
git checkout -b my-bugfix)
- Commit your changes (
git commit -am "Fix my bug")
- Push your branch (
git push origin my-bugfix)
- Send a pull request
If you have a gemfile or gemspec that the Gemnasium parser screws up…
- Boil it down to its simplest problematic form
- Write a failing spec
- See Contributing