Conversation
Lock the checksum of Bundler itself in the lockfile (cherry picked from commit 44f4b15)
Ensure the release CI doesn't break due to the Bundler checksum feature (cherry picked from commit 9baf3e0)
Agent-Logs-Url: https://github.com/ruby/rubygems/sessions/a9efe3b4-99c9-4af2-9954-a65a2859edfc Co-authored-by: hsbt <12301+hsbt@users.noreply.github.com> (cherry picked from commit 3d4e90a)
…el_tests' Agent-Logs-Url: https://github.com/ruby/rubygems/sessions/dd120552-e56f-4a0e-9143-ec483aa07bfc Co-authored-by: hsbt <12301+hsbt@users.noreply.github.com> (cherry picked from commit 56a9827)
… gem Agent-Logs-Url: https://github.com/ruby/rubygems/sessions/61efd9ab-67d3-4ce2-b81d-4b6e8ef07f99 Co-authored-by: hsbt <12301+hsbt@users.noreply.github.com> (cherry picked from commit bf73b51)
Agent-Logs-Url: https://github.com/ruby/rubygems/sessions/9cf2fa2e-02a9-4dde-a833-8ad11974e1eb Co-authored-by: hsbt <12301+hsbt@users.noreply.github.com> (cherry picked from commit 5ac4c84)
…version helpers Agent-Logs-Url: https://github.com/ruby/rubygems/sessions/4028db0e-e050-48af-9704-4219653a4753 Co-authored-by: hsbt <12301+hsbt@users.noreply.github.com> (cherry picked from commit 951ef62)
Change "and lock the mutex" to "and to lock the mutex" for correct parallel infinitive structure. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> (cherry picked from commit 94f9267)
Fix the bundler version not being updated in dev/test lockfile (cherry picked from commit 4758fb5)
fix formatting for BUNDLE_PREFER_PATCH variable in man page (cherry picked from commit a3d2d2c)
Package registries are active supply chain attack targets. Recent high-profile incidents include the Axios NPM compromise (https://socket.dev/blog/axios-npm-package-compromised) and the LiteLLM PyPI compromise (https://docs.litellm.ai/blog/security-update-march-2026). RubyGems supports an MFA-required opt-in via gemspec metadata: spec.metadata["rubygems_mfa_required"] = "true" but most gems haven't enabled it. A big reason is discoverability. Nothing in the `bundle gem` flow mentions the option, so authors would need to already know it exists to find it. Reference: https://guides.rubygems.org/mfa-requirement-opt-in/ This commit adds a commented-out `spec.metadata["rubygems_mfa_required"] = "true"` line, along with a short explanatory comment and a reference link, to the gemspec template used by `bundle gem`. Default behavior is unchanged because the line is commented out, but every new gem author now sees the MFA opt-in right where they configure their gemspec. Opting in is then a matter of deleting the leading `# `. (cherry picked from commit 2fd3496)
Fix installing gems with native extensions + transitive dependencies (cherry picked from commit 49c0aff)
Update the gem creation guide links in the CLI output and gemspac template. The previous Bundler guide URL now redirects to RubyGems Guides. (cherry picked from commit 0b469ed)
* Skip bundler self-checksum for unreleased bundlers
Using `Bundler.gem_version.end_with?(".dev")` only skips the own
checksum on master, but patch releases run from a source checkout
(e.g., bumping bundler/lib/bundler/version.rb to 4.0.11 on a release
branch) still record the checksum, which is environment dependent on
the local gem cache and causes frozen-lock drift on CI.
Generalize the guard with `released_bundler?`, which returns false for
any prerelease version and for bundlers loaded outside of an installed
gem location (`/specifications/`), so dev workflows don't record
self-checksums while released installs still do.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Revert "Skip bundler self-checksum for unreleased bundlers"
This reverts commit d4e51dd.
* Skip bundler checksum when running version:update_locked_bundler:
- Our development lockfile should not include the checksum of bundler
itself. No matter if we are doing a release.
The problem being that including a checksum in our development
lockfile create issues as some rake tasks don't run the same way on
CI.
For example, some rake tasks, build bundler.gem and some other
don't. I explained in more details the issue here 2c40b8d
This commit here is motivated by the fact that when the release
manager runs `version:update_locked_bundler`, if a
`bundler-<VERSION>.gem` exists on its system (e.g it previously ran
`rake bundler:install`), then the lockfile will include a checksum
entry.
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Edouard CHIN <chin.edouard@gmail.com>
(cherry picked from commit ee558f2)
* Skip bundler self-checksum on ruby-core in test fixtures In ruby-core test setup, bundler is loaded as a default gem and the bundler.gem cache file is not present on disk where LockfileGenerator#bundler_checksum looks for it. As a result, the generator omits the bundler checksum from the regenerated lockfile, while the test's checksums_section helper still adds it, making the "does not change the lock" expectations in setup_spec.rb fail on ruby-core CI for release branches (where Bundler::VERSION does not end in .dev). Mirror the generator's give-up conditions in the helper so that test fixtures and the regenerated lockfile stay in sync. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> (cherry picked from commit 40112f7)
The blanket skip in checksums_section from #9506 caused 82 ruby-core test failures whose lockfile expectations legitimately include the bundler checksum (paths that go through `bundle install` where bundler is activated as a gem). Revert that change and instead tag only the affected setup_spec example with :ruby_repo, since its `ruby "require 'bundler/setup'"` invocation is the one case where bundler is loaded from $LOAD_PATH and Source::Metadata's synthetic bundler spec has no cache_file on disk. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> (cherry picked from commit 66c7546)
Contributor
There was a problem hiding this comment.
Pull request overview
Prepares the RubyGems/Bundler codebase for the 4.0.11 release by bumping versions and synchronizing lockfiles, while also incorporating recent fixes around Bundler lockfile checksums, installer behavior for native extensions, and assorted test/docs cleanup.
Changes:
- Bump RubyGems and Bundler versions to 4.0.11 and update associated lockfiles and changelogs.
- Extend lockfile checksum handling to support Bundler self-checksums (and adjust specs/fixtures accordingly).
- Fix parallel installation ordering for native extensions that require transitive dependencies, plus several small test/doc correctness fixes.
Reviewed changes
Copilot reviewed 57 out of 66 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| tool/bundler/vendor_gems.rb.lock | Update locked Bundler version to 4.0.11. |
| tool/bundler/test_gems.rb.lock | Update locked Bundler version to 4.0.11. |
| tool/bundler/standard_gems.rb.lock | Update locked Bundler version to 4.0.11. |
| tool/bundler/rubocop_gems.rb.lock | Update locked Bundler version to 4.0.11. |
| tool/bundler/release_gems.rb.lock | Update locked Bundler version to 4.0.11. |
| tool/bundler/lint_gems.rb.lock | Update locked Bundler version to 4.0.11. |
| tool/bundler/dev_gems.rb.lock | Update locked Bundler version to 4.0.11. |
| test/rubygems/test_gem_stub_specification.rb | Fix gemspec stub filenames to match declared gem names and avoid collisions. |
| test/rubygems/test_gem_commands_push_command.rb | Fix expected push response message to match the gem under test. |
| lib/rubygems/commands/specification_command.rb | Clarify gem spec argument naming/usage and improve error message wording. |
| lib/rubygems.rb | Bump RubyGems VERSION constant to 4.0.11. |
| bundler/spec/support/checksums.rb | Add support for adding Bundler’s own checksum in test lockfile helpers. |
| bundler/spec/runtime/setup_spec.rb | Adjust runtime specs for bundler checksum behavior (targeted :ruby_repo skip, env override). |
| bundler/spec/realworld/fixtures/warbler/Gemfile.lock | Update fixture lockfile Bundler version to 4.0.11. |
| bundler/spec/realworld/fixtures/tapioca/Gemfile.lock | Update fixture lockfile Bundler version to 4.0.11. |
| bundler/spec/install/gems/resolving_spec.rb | Fix lockfile fixture dependency name mismatch. |
| bundler/spec/install/gemfile/git_spec.rb | Fix heredoc indentation and a test description typo. |
| bundler/spec/commands/update_spec.rb | Update checksum expectations to account for Bundler self-checksum behavior. |
| bundler/spec/commands/newgem_spec.rb | Add spec asserting the gemspec template includes an MFA hint. |
| bundler/spec/commands/lock_spec.rb | Update checksum expectations for bundle lock --add-checksums. |
| bundler/spec/commands/install_spec.rb | Add regression spec for native extensions needing transitive deps at build time. |
| bundler/spec/bundler/installer/spec_installation_spec.rb | Update/expand unit coverage for transitive dependency readiness logic. |
| bundler/lib/bundler/version.rb | Bump Bundler VERSION constant to 4.0.11. |
| bundler/lib/bundler/templates/newgem/newgem.gemspec.tt | Add commented MFA metadata hint and update “make your own gem” guide URL. |
| bundler/lib/bundler/source/rubygems.rb | Fix comment grammar in extension cache mutex rationale. |
| bundler/lib/bundler/source/metadata.rb | Add checksum_store support for metadata source. |
| bundler/lib/bundler/man/gemfile.5 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-version.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-update.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-show.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-remove.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-pristine.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-plugin.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-platform.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-outdated.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-open.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-lock.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-list.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-licenses.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-issue.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-install.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-init.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-info.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-help.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-gem.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-fund.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-exec.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-env.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-doctor.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-console.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-config.1.ronn | Fix formatting of BUNDLE_PREFER_PATCH in the ronn source. |
| bundler/lib/bundler/man/bundle-config.1 | Regenerate manpage + fix env var formatting for prefer_patch. |
| bundler/lib/bundler/man/bundle-clean.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-check.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-cache.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-binstubs.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/man/bundle-add.1 | Regenerate manpage header date (April 2026). |
| bundler/lib/bundler/lockfile_parser.rb | Enable parsing/storing Bundler checksum entries via a metadata source. |
| bundler/lib/bundler/lockfile_generator.rb | Emit Bundler self-checksum into CHECKSUMS section when appropriate. |
| bundler/lib/bundler/installer/parallel_installer.rb | Make extension installation wait on transitive (recursive) dependencies. |
| bundler/lib/bundler/definition.rb | Merge metadata-source checksum store data from lockfile into active sources. |
| bundler/lib/bundler/cli/gem.rb | Update gem creation guide URL in CLI output. |
| bundler/CHANGELOG.md | Add 4.0.11 changelog entry. |
| Rakefile | Update version:update_locked_bundler behavior and skip Bundler self-checksum while generating dev/test lockfiles. |
| CHANGELOG.md | Add RubyGems 4.0.11 changelog entry. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+49
to
54
| # Recursively checks that all dependencies (direct and transitive) have been installed. | ||
| def dependencies_installed?(installed_specs) | ||
| dependencies.all? {|d| installed_specs.include? d.name } | ||
| end | ||
|
|
||
| # Represents only the non-development dependencies, the ones that are | ||
| # itself and are in the total list. | ||
| def dependencies | ||
| @dependencies ||= all_dependencies.reject {|dep| ignorable_dependency? dep } | ||
| end | ||
|
|
||
| # Represents all dependencies | ||
| def all_dependencies | ||
| @spec.dependencies | ||
| dependencies.all? do |dep| | ||
| installed_specs.include?(dep.name) && dep.dependencies_installed?(installed_specs) | ||
| end | ||
| end |
Comment on lines
+57
to
+63
| def checksums_section(enabled = true, bundler_checksum: true, &block) | ||
| ChecksumsBuilder.new(enabled, &block).tap do |builder| | ||
| next if builder.bundler_registered || !bundler_checksum | ||
|
|
||
| next if Bundler::VERSION.to_s.end_with?(".dev") | ||
| builder.checksum(system_gem_path, "bundler", Bundler::VERSION, Gem::Platform::RUBY, "cache") | ||
| end |
Comment on lines
33
to
39
| stdout = Spec::Rubygems.dev_bundle "--version" | ||
| version = stdout.split(" ").last | ||
| ENV["SKIP_BUNDLER_CHECKSUM"] = "1" | ||
|
|
||
| Dir.glob("{tool/bundler/*_gems.rb,bundler/spec/realworld/fixtures/*/Gemfile}").each do |file| | ||
| Spec::Rubygems.dev_bundle("update", "--bundler", version, gemfile: file) | ||
| Spec::Rubygems.dev_bundle("lock", "--update", "--bundler", version, gemfile: file) | ||
| end |
Comment on lines
249
to
+261
| checksums = $6 | ||
| name = $2 | ||
| version = $3 | ||
| platform = $4 | ||
|
|
||
| version = Gem::Version.new(version) | ||
| platform = platform ? Gem::Platform.new(platform) : Gem::Platform::RUBY | ||
| full_name = Gem::NameTuple.new(name, version, platform).full_name | ||
| return unless spec = @specs[full_name] | ||
| spec = @specs[full_name] | ||
|
|
||
| if name == "bundler" | ||
| spec ||= LazySpecification.new(name, version, platform, @metadata_source) | ||
| end |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
gem spec#9476