Merge pull request #7389 from rubygems/release/bundler_2.5.5_rubygems…

…_3.5.5

Prepare RubyGems 3.5.5 and Bundler 2.5.5

.changelog.yml

@@ -21,7 +21,7 @@ changelog_label_mapping:
   "rubygems: enhancement": "## Enhancements:"
   "rubygems: bug fix": "## Bug fixes:"
   "rubygems: documentation": "## Documentation:"
-  "rubygems: backport": null
+  "rubygems: skip changelog": null
 
 patch_level_labels:
   - "rubygems: security"
@@ -30,4 +30,4 @@ patch_level_labels:
   - "rubygems: bug fix"
   - "rubygems: performance"
   - "rubygems: documentation"
-  - "rubygems: backport"
+  - "rubygems: skip changelog"

.github/workflows/realworld-bundler.yml

@@ -57,7 +57,7 @@ jobs:
       - name: Run Test
         run: bin/rake spec:realworld
       - name: Upload used cassettes as artifact
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0
         with:
           name: cassettes-bundler-${{ matrix.bundler.name }}-${{ matrix.os.value }}-${{ matrix.ruby.name }}
           path: ./bundler/spec/support/artifice/used_cassettes.txt
@@ -93,7 +93,7 @@ jobs:
       - name: Run Test
         run: bin/rake spec:realworld
       - name: Upload used cassettes as artifact
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0
         with:
           name: cassettes-system-rubygems-bundler-${{ matrix.bundler.name }}-${{ matrix.ruby.name }}
           path: ./bundler/spec/support/artifice/used_cassettes.txt
@@ -111,7 +111,7 @@ jobs:
           ruby-version: 3.3.0
           bundler: none
       - name: Download all used cassettes as artifacts
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
         with:
           path: ./bundler/spec/support/artifice/used_vcr_cassettes
       - name: Check unused cassettes

.gitignore

@@ -1,5 +1,6 @@
 *.rbc
 *.swp
+.ruby-version
 .DS_Store
 /.idea
 /.rdoc

CHANGELOG.md

@@ -1,4 +1,25 @@
-# 3.5.4 / 2024-01-03
+# 3.5.5 / 2024-01-18
+
+## Enhancements:
+
+* Installs bundler 2.5.5 as a default gem.
+
+## Bug fixes:
+
+* Fix `require` activation conflicts when requiring default gems under
+  some situations. Pull request
+  [#7379](https://github.com/rubygems/rubygems/pull/7379) by
+  deivid-rodriguez
+* Use cache_home instead of data_home in default_spec_cache_dir. Pull
+  request [#7331](https://github.com/rubygems/rubygems/pull/7331) by mrkn
+
+## Documentation:
+
+* Use squiggly heredocs in `Gem::Specification#description` documentation,
+  so it doesn't add leading whitespace. Pull request
+  [#7373](https://github.com/rubygems/rubygems/pull/7373) by bravehager
+
+# 3.5.4 / 2024-01-04
 
 ## Enhancements:
 

POLICIES.md

@@ -79,11 +79,11 @@ changelog.
 If PRs don't have a proper label, they won't be backported to patch releases.
 
 If you want a PR to be backported to a patch level release, but don't want to
-include it in the changelog, you can use the special `rubygems: backport` and
-`bundler: backport` labels. For example, this is useful when backporting a PR
-generates conflicts that are solved by backporting another PR with no user
-visible changes. You can use these special labels to also backport the other PR
-and not get any conflicts.
+include it in the changelog, you can use the special `rubygems: skip changelog`
+and `bundler: skip changelog` labels. For example, this is useful when
+backporting a PR generates conflicts that are solved by backporting another PR
+with no user visible changes. You can use these special labels to also backport
+the other PR and not get any conflicts.
 
 ### Steps for patch releases
 

bundler/.changelog.yml

@@ -15,7 +15,7 @@ changelog_label_mapping:
   "bundler: enhancement": "## Enhancements:"
   "bundler: bug fix": "## Bug fixes:"
   "bundler: documentation": "## Documentation:"
-  "bundler: backport": null
+  "bundler: skip changelog": null
 
 patch_level_labels:
   - "bundler: security"
@@ -24,4 +24,4 @@ patch_level_labels:
   - "bundler: bug fix"
   - "bundler: performance"
   - "bundler: documentation"
-  - "bundler: backport"
+  - "bundler: skip changelog"

bundler/CHANGELOG.md

@@ -1,4 +1,15 @@
-# 2.5.4 (January 3, 2024)
+# 2.5.5 (January 18, 2024)
+
+## Bug fixes:
+
+  - Fix development dependency not being added if introduced by two gemspecs [#7358](https://github.com/rubygems/rubygems/pull/7358)
+  - Fix ETag quoting regression in If-None-Match header of compact index request [#7352](https://github.com/rubygems/rubygems/pull/7352)
+
+## Documentation:
+
+  - Refer to underscores as underscores [#7364](https://github.com/rubygems/rubygems/pull/7364)
+
+# 2.5.4 (January 4, 2024)
 
 ## Bug fixes:
 

bundler/doc/playbooks/MERGING_A_PR.md

@@ -30,8 +30,8 @@ release, make sure the following information is accurate:
   file.
 
   If for some reason you need a PR to be backported to a stable branch, but it
-  doesn't have any user visible changes, apply the "bundler: backport" label to
-  it so that our release scripts know about that.
+  doesn't have any user visible changes, apply the "bundler: skip changelog"
+  label to it so that our release scripts know about that.
 
 Finally, don't forget to review the changes in detail. Make sure you try them
 locally if they are not trivial and make sure you request changes and ask as

bundler/lib/bundler/compact_index_client/updater.rb

@@ -42,7 +42,7 @@ def append(remote_path, local_path, etag_path)
           else
             file.write(response.body)
           end
-          CacheFile.write(etag_path, etag(response))
+          CacheFile.write(etag_path, etag_from_response(response))
           true
         end
       end
@@ -53,13 +53,13 @@ def replace(remote_path, local_path, etag_path)
         response = @fetcher.call(remote_path, request_headers(etag))
         return true if response.is_a?(Gem::Net::HTTPNotModified)
         CacheFile.write(local_path, response.body, parse_digests(response))
-        CacheFile.write(etag_path, etag(response))
+        CacheFile.write(etag_path, etag_from_response(response))
       end
 
       def request_headers(etag, range_start = nil)
         headers = {}
         headers["Range"] = "bytes=#{range_start}-" if range_start
-        headers["If-None-Match"] = etag if etag
+        headers["If-None-Match"] = %("#{etag}") if etag
         headers
       end
 
@@ -77,7 +77,7 @@ def generate_etag(etag_path, file)
         etag
       end
 
-      def etag(response)
+      def etag_from_response(response)
         return unless response["ETag"]
         etag = response["ETag"].delete_prefix("W/")
         return if etag.delete_prefix!('"') && !etag.delete_suffix!('"')

bundler/lib/bundler/dsl.rb

@@ -102,9 +102,6 @@ def gem(name, *args)
 
       # if there's already a dependency with this name we try to prefer one
       if current = @dependencies.find {|d| d.name == dep.name }
-        # Always prefer the dependency from the Gemfile
-        @dependencies.delete(current) if current.gemspec_dev_dep?
-
         if current.requirement != dep.requirement
           current_requirement_open = current.requirements_list.include?(">= 0")
 
@@ -116,8 +113,6 @@ def gem(name, *args)
               Bundler.ui.warn "A gemspec development dependency (#{gemspec_dep.name}, #{gemspec_dep.requirement}) is being overridden by a Gemfile dependency (#{gemfile_dep.name}, #{gemfile_dep.requirement}).\n" \
                               "This behaviour may change in the future. Please remove either of them, or make sure they both have the same requirement\n"
             end
-
-            return if dep.gemspec_dev_dep?
           else
             update_prompt = ""
 
@@ -135,8 +130,13 @@ def gem(name, *args)
                            "You specified: #{current.name} (#{current.requirement}) and #{dep.name} (#{dep.requirement})" \
                            "#{update_prompt}"
           end
-        elsif current.gemspec_dev_dep? || dep.gemspec_dev_dep?
-          return if dep.gemspec_dev_dep?
+        end
+
+        # Always prefer the dependency from the Gemfile
+        if current.gemspec_dev_dep?
+          @dependencies.delete(current)
+        elsif dep.gemspec_dev_dep?
+          return
         elsif current.source != dep.source
           raise GemfileError, "You cannot specify the same gem twice coming from different sources.\n" \
                           "You specified that #{dep.name} (#{dep.requirement}) should come from " \

bundler/lib/bundler/man/bundle-config.1

@@ -302,9 +302,9 @@ Note that any configured credentials will be redacted by informative commands su
 .P
 Also note that to guarantee a sane mapping between valid environment variable names and valid host names, bundler makes the following transformations:
 .IP "\(bu" 4
-Any \fB\-\fR characters in a host name are mapped to a triple dash (\fB___\fR) in the corresponding environment variable\.
+Any \fB\-\fR characters in a host name are mapped to a triple underscore (\fB___\fR) in the corresponding environment variable\.
 .IP "\(bu" 4
-Any \fB\.\fR characters in a host name are mapped to a double dash (\fB__\fR) in the corresponding environment variable\.
+Any \fB\.\fR characters in a host name are mapped to a double underscore (\fB__\fR) in the corresponding environment variable\.
 .IP "" 0
 .P
 This means that if you have a gem server named \fBmy\.gem\-host\.com\fR, you'll need to use the \fBBUNDLE_MY__GEM___HOST__COM\fR variable to configure credentials for it through ENV\.

bundler/lib/bundler/man/bundle-config.1.ronn

@@ -388,10 +388,10 @@ copy-pasting bundler output.
 Also note that to guarantee a sane mapping between valid environment variable
 names and valid host names, bundler makes the following transformations:
 
-* Any `-` characters in a host name are mapped to a triple dash (`___`) in the
+* Any `-` characters in a host name are mapped to a triple underscore (`___`) in the
   corresponding environment variable.
 
-* Any `.` characters in a host name are mapped to a double dash (`__`) in the
+* Any `.` characters in a host name are mapped to a double underscore (`__`) in the
   corresponding environment variable.
 
 This means that if you have a gem server named `my.gem-host.com`, you'll need to

bundler/lib/bundler/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: false
 
 module Bundler
-  VERSION = "2.5.4".freeze
+  VERSION = "2.5.5".freeze
 
   def self.bundler_major_version
     @bundler_major_version ||= VERSION.split(".").first.to_i

bundler/spec/bundler/compact_index_client/updater_spec.rb

@@ -21,7 +21,7 @@
     before do
       allow(response).to receive(:[]).with("Repr-Digest") { nil }
       allow(response).to receive(:[]).with("Digest") { nil }
-      allow(response).to receive(:[]).with("ETag") { "thisisanetag" }
+      allow(response).to receive(:[]).with("ETag") { '"thisisanetag"' }
     end
 
     it "downloads the file without attempting append" do
@@ -57,7 +57,7 @@
 
       let(:headers) do
         {
-          "If-None-Match" => "LocalEtag",
+          "If-None-Match" => '"LocalEtag"',
           "Range" => "bytes=2-",
         }
       end
@@ -76,7 +76,7 @@
       it "appends the file if etags do not match" do
         expect(fetcher).to receive(:call).once.with(remote_path, headers).and_return(response)
         allow(response).to receive(:[]).with("Repr-Digest") { "sha-256=:#{digest}:" }
-        allow(response).to receive(:[]).with("ETag") { "NewEtag" }
+        allow(response).to receive(:[]).with("ETag") { '"NewEtag"' }
         allow(response).to receive(:is_a?).with(Gem::Net::HTTPPartialContent) { true }
         allow(response).to receive(:is_a?).with(Gem::Net::HTTPNotModified) { false }
         allow(response).to receive(:body) { "c123" }
@@ -90,7 +90,7 @@
       it "replaces the file if response ignores range" do
         expect(fetcher).to receive(:call).once.with(remote_path, headers).and_return(response)
         allow(response).to receive(:[]).with("Repr-Digest") { "sha-256=:#{digest}:" }
-        allow(response).to receive(:[]).with("ETag") { "NewEtag" }
+        allow(response).to receive(:[]).with("ETag") { '"NewEtag"' }
         allow(response).to receive(:body) { full_body }
 
         updater.update(remote_path, local_path, etag_path)
@@ -107,8 +107,8 @@
 
         full_response = double(:full_response, body: full_body, is_a?: false)
         allow(full_response).to receive(:[]).with("Repr-Digest") { "sha-256=:#{digest}:" }
-        allow(full_response).to receive(:[]).with("ETag") { "NewEtag" }
-        expect(fetcher).to receive(:call).once.with(remote_path, { "If-None-Match" => "LocalEtag" }).and_return(full_response)
+        allow(full_response).to receive(:[]).with("ETag") { '"NewEtag"' }
+        expect(fetcher).to receive(:call).once.with(remote_path, { "If-None-Match" => '"LocalEtag"' }).and_return(full_response)
 
         updater.update(remote_path, local_path, etag_path)
 
@@ -123,7 +123,7 @@
           "Range" => "bytes=2-",
           # This MD5 feature should be deleted after sufficient time has passed since release.
           # From then on, requests that still don't have a saved etag will be made without this header.
-          "If-None-Match" => Digest::MD5.hexdigest(local_body),
+          "If-None-Match" => %("#{Digest::MD5.hexdigest(local_body)}"),
         }
       end
 
@@ -135,13 +135,13 @@
         updater.update(remote_path, local_path, etag_path)
 
         expect(local_path.read).to eq("abc")
-        expect(etag_path.read).to eq(headers["If-None-Match"])
+        expect(%("#{etag_path.read}")).to eq(headers["If-None-Match"])
       end
 
       it "appends the file" do
         expect(fetcher).to receive(:call).once.with(remote_path, headers).and_return(response)
         allow(response).to receive(:[]).with("Repr-Digest") { "sha-256=:#{digest}:" }
-        allow(response).to receive(:[]).with("ETag") { "OpaqueEtag" }
+        allow(response).to receive(:[]).with("ETag") { '"OpaqueEtag"' }
         allow(response).to receive(:is_a?).with(Gem::Net::HTTPPartialContent) { true }
         allow(response).to receive(:is_a?).with(Gem::Net::HTTPNotModified) { false }
         allow(response).to receive(:body) { "c123" }
@@ -156,7 +156,7 @@
         expect(fetcher).to receive(:call).once.with(remote_path, headers).and_return(response)
         allow(response).to receive(:[]).with("Repr-Digest") { nil }
         allow(response).to receive(:[]).with("Digest") { nil }
-        allow(response).to receive(:[]).with("ETag") { "OpaqueEtag" }
+        allow(response).to receive(:[]).with("ETag") { '"OpaqueEtag"' }
         allow(response).to receive(:is_a?).with(Gem::Net::HTTPPartialContent) { false }
         allow(response).to receive(:is_a?).with(Gem::Net::HTTPNotModified) { false }
         allow(response).to receive(:body) { full_body }
@@ -180,8 +180,8 @@
 
         full_response = double(:full_response, body: full_body, is_a?: false)
         allow(full_response).to receive(:[]).with("Repr-Digest") { "sha-256=:#{digest}:" }
-        allow(full_response).to receive(:[]).with("ETag") { "NewEtag" }
-        expect(fetcher).to receive(:call).once.with(remote_path, { "If-None-Match" => "LocalEtag" }).and_return(full_response)
+        allow(full_response).to receive(:[]).with("ETag") { '"NewEtag"' }
+        expect(fetcher).to receive(:call).once.with(remote_path, { "If-None-Match" => '"LocalEtag"' }).and_return(full_response)
 
         updater.update(remote_path, local_path, etag_path)
 

bundler/spec/commands/install_spec.rb

@@ -460,6 +460,35 @@
       expect(the_bundle).to include_gems("rubocop 1.37.1")
     end
 
+    it "includes the gem without warning if two gemspecs add it with the same requirement" do
+      gem1 = tmp.join("my-gem-1")
+      gem2 = tmp.join("my-gem-2")
+
+      build_lib "my-gem", path: gem1 do |s|
+        s.add_development_dependency "rubocop", "~> 1.36.0"
+      end
+
+      build_lib "my-gem-2", path: gem2 do |s|
+        s.add_development_dependency "rubocop", "~> 1.36.0"
+      end
+
+      build_repo4 do
+        build_gem "rubocop", "1.36.0"
+      end
+
+      gemfile <<~G
+        source "#{file_uri_for(gem_repo4)}"
+
+        gemspec path: "#{gem1}"
+        gemspec path: "#{gem2}"
+      G
+
+      bundle :install
+
+      expect(err).to be_empty
+      expect(the_bundle).to include_gems("rubocop 1.36.0")
+    end
+
     it "warns when a Gemfile dependency is overriding a gemspec development dependency, with different requirements" do
       build_lib "my-gem", path: bundled_app do |s|
         s.add_development_dependency "rails", ">= 5"

bundler/spec/install/gems/compact_index_spec.rb

@@ -924,15 +924,19 @@ def start
       gem 'rack', '0.9.1'
     G
 
-    rake_info_path = File.join(Bundler.rubygems.user_home, ".bundle", "cache", "compact_index",
-      "localgemserver.test.80.dd34752a738ee965a2a4298dc16db6c5", "info", "rack")
-
     bundle :install, artifice: "compact_index"
 
+    # We must remove the etag so that we don't ignore the range and get a 304 Not Modified.
+    rake_info_etag_path = File.join(Bundler.rubygems.user_home, ".bundle", "cache", "compact_index",
+      "localgemserver.test.80.dd34752a738ee965a2a4298dc16db6c5", "info-etags", "rack-11690b09f16021ff06a6857d784a1870")
+    File.unlink(rake_info_etag_path) if File.exist?(rake_info_etag_path)
+
+    rake_info_path = File.join(Bundler.rubygems.user_home, ".bundle", "cache", "compact_index",
+      "localgemserver.test.80.dd34752a738ee965a2a4298dc16db6c5", "info", "rack")
     expected_rack_info_content = File.read(rake_info_path)
 
-    # Modify the cache files. We expect them to be reset to the normal ones when we re-run :install
-    File.open(rake_info_path, "a") {|f| f << "this is different" }
+    # Modify the cache files to make the range not satisfiable
+    File.open(rake_info_path, "a") {|f| f << "0.9.2 |checksum:c55b525b421fd833a93171ad3d7f04528ca8e87d99ac273f8933038942a5888c" }
 
     # Update the Gemfile so the next install does its normal things
     gemfile <<-G