Merge pull request #4470 from rubygems/release/bundler_2.2.15_rubygem…

…s_3.2.15

Prepare rubygems 3.2.15 and bundler 2.2.15

CHANGELOG.md

@@ -1,3 +1,14 @@
+# 3.2.15 / 2021-03-18
+
+## Enhancements:
+
+* Prevent downgrades to untested rubygems versions. Pull request #4460 by
+  deivid-rodriguez
+
+## Bug fixes:
+
+* Fix missing require breaking `gem cert`. Pull request #4464 by lukehinds
+
 # 3.2.14 / 2021-03-08
 
 ## Enhancements:

bundler/CHANGELOG.md

@@ -1,3 +1,15 @@
+# 2.2.15 (March 18, 2021)
+
+## Enhancements:
+
+  - Add a hint about bundler installing executables for path gems [#4461](https://github.com/rubygems/rubygems/pull/4461)
+  - Warn lockfiles with incorrect resolutions [#4459](https://github.com/rubygems/rubygems/pull/4459)
+  - Don't generate duplicate redundant sources in the lockfile [#4456](https://github.com/rubygems/rubygems/pull/4456)
+
+## Bug fixes:
+
+  - Respect running ruby when resolving platforms [#4449](https://github.com/rubygems/rubygems/pull/4449)
+
 # 2.2.14 (March 8, 2021)
 
 ## Security fixes:

bundler/lib/bundler/installer/parallel_installer.rb

@@ -6,10 +6,11 @@
 module Bundler
   class ParallelInstaller
     class SpecInstallation
-      attr_accessor :spec, :name, :post_install_message, :state, :error
+      attr_accessor :spec, :name, :full_name, :post_install_message, :state, :error
       def initialize(spec)
         @spec = spec
         @name = spec.name
+        @full_name = spec.full_name
         @state = :none
         @post_install_message = ""
         @error = nil
@@ -49,14 +50,11 @@ def dependencies_installed?(all_specs)
       # Represents only the non-development dependencies, the ones that are
       # itself and are in the total list.
       def dependencies
-        @dependencies ||= begin
-          all_dependencies.reject {|dep| ignorable_dependency? dep }
-        end
+        @dependencies ||= all_dependencies.reject {|dep| ignorable_dependency? dep }
       end
 
       def missing_lockfile_dependencies(all_spec_names)
-        deps = all_dependencies.reject {|dep| ignorable_dependency? dep }
-        deps.reject {|dep| all_spec_names.include? dep.name }
+        dependencies.reject {|dep| all_spec_names.include? dep.name }
       end
 
       # Represents all dependencies
@@ -65,7 +63,7 @@ def all_dependencies
       end
 
       def to_s
-        "#<#{self.class} #{@spec.full_name} (#{state})>"
+        "#<#{self.class} #{full_name} (#{state})>"
       end
     end
 
@@ -99,12 +97,37 @@ def call
         install_serially
       end
 
+      check_for_unmet_dependencies
+
       handle_error if failed_specs.any?
       @specs
     ensure
       worker_pool && worker_pool.stop
     end
 
+    def check_for_unmet_dependencies
+      unmet_dependencies = @specs.map do |s|
+        [
+          s,
+          s.dependencies.reject {|dep| @specs.any? {|spec| dep.matches_spec?(spec.spec) } },
+        ]
+      end.reject {|a| a.last.empty? }
+      return if unmet_dependencies.empty?
+
+      warning = []
+      warning << "Your lockfile doesn't include a valid resolution."
+      warning << "You can fix this by regenerating your lockfile or trying to manually editing the bad locked gems to a version that satisfies all dependencies."
+      warning << "The unmet dependencies are:"
+
+      unmet_dependencies.each do |spec, unmet_spec_dependencies|
+        unmet_spec_dependencies.each do |unmet_spec_dependency|
+          warning << "* #{unmet_spec_dependency}, depended upon #{spec.full_name}, unsatisfied by #{@specs.find {|s| s.name == unmet_spec_dependency.name && !unmet_spec_dependency.matches_spec?(s.spec) }.full_name}"
+        end
+      end
+
+      Bundler.ui.warn(warning.join("\n"))
+    end
+
     def check_for_corrupt_lockfile
       missing_dependencies = @specs.map do |s|
         [

bundler/lib/bundler/lazy_specification.rb

@@ -73,7 +73,12 @@ def __materialize__
         same_platform_candidates = candidates.select do |spec|
           MatchPlatform.platforms_match?(spec.platform, platform_object)
         end
-        search = same_platform_candidates.last || candidates.last
+        installable_candidates = same_platform_candidates.select do |spec|
+          !spec.is_a?(RemoteSpecification) &&
+            spec.required_ruby_version.satisfied_by?(Gem.ruby_version) &&
+            spec.required_rubygems_version.satisfied_by?(Gem.rubygems_version)
+        end
+        search = installable_candidates.last || same_platform_candidates.last
         search.dependencies = dependencies if search && (search.is_a?(RemoteSpecification) || search.is_a?(EndpointSpecification))
         search
       end

bundler/lib/bundler/source/path.rb

@@ -82,7 +82,9 @@ def name
       end
 
       def install(spec, options = {})
-        print_using_message "Using #{version_message(spec)} from #{self}"
+        using_message = "Using #{version_message(spec)} from #{self}"
+        using_message += " and installing its executables" unless spec.executables.empty?
+        print_using_message using_message
         generate_bin(spec, :disable_extensions => true)
         nil # no post-install message
       end

bundler/lib/bundler/source/path/installer.rb

@@ -35,7 +35,7 @@ def post_install
             run_hooks(:post_build)
           end
 
-          generate_bin unless spec.executables.nil? || spec.executables.empty?
+          generate_bin unless spec.executables.empty?
 
           run_hooks(:post_install)
         ensure

bundler/lib/bundler/source_list.rb

@@ -88,7 +88,7 @@ def get(source)
     def lock_sources
       lock_sources = (path_sources + git_sources + plugin_sources).sort_by(&:to_s)
       if disable_multisource?
-        lock_sources + rubygems_sources.sort_by(&:to_s)
+        lock_sources + rubygems_sources.sort_by(&:to_s).uniq
       else
         lock_sources << combine_rubygems_sources
       end

bundler/lib/bundler/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: false
 
 module Bundler
-  VERSION = "2.2.14".freeze
+  VERSION = "2.2.15".freeze
 
   def self.bundler_major_version
     @bundler_major_version ||= VERSION.split(".").first.to_i

bundler/spec/bundler/installer/parallel_installer_spec.rb

@@ -44,4 +44,37 @@
       end
     end
   end
+
+  context "when the spec set is not a valid resolution" do
+    let(:all_specs) do
+      [
+        build_spec("cucumber", "4.1.0") {|s| s.runtime "diff-lcs", "< 1.4" },
+        build_spec("diff-lcs", "1.4.4"),
+      ].flatten
+    end
+
+    it "prints a warning" do
+      expect(Bundler.ui).to receive(:warn).with(<<-W.strip)
+Your lockfile doesn't include a valid resolution.
+You can fix this by regenerating your lockfile or trying to manually editing the bad locked gems to a version that satisfies all dependencies.
+The unmet dependencies are:
+* diff-lcs (< 1.4), depended upon cucumber-4.1.0, unsatisfied by diff-lcs-1.4.4
+      W
+      subject.check_for_unmet_dependencies
+    end
+  end
+
+  context "when the spec set is a valid resolution" do
+    let(:all_specs) do
+      [
+        build_spec("cucumber", "4.1.0") {|s| s.runtime "diff-lcs", "< 1.4" },
+        build_spec("diff-lcs", "1.3"),
+      ].flatten
+    end
+
+    it "doesn't print a warning" do
+      expect(Bundler.ui).not_to receive(:warn)
+      subject.check_for_unmet_dependencies
+    end
+  end
 end

bundler/spec/bundler/installer/spec_installation_spec.rb

@@ -8,6 +8,10 @@
     def a_spec.name
       "I like tests"
     end
+
+    def a_spec.full_name
+      "I really like tests"
+    end
     a_spec
   end
 

bundler/spec/install/gemfile/path_spec.rb

@@ -328,11 +328,12 @@
       s.executables = "foobar"
     end
 
-    install_gemfile <<-G
+    install_gemfile <<-G, :verbose => true
       path "#{lib_path("foo-1.0")}" do
         gem 'foo'
       end
     G
+    expect(out).to include("Using foo 1.0 from source at `#{lib_path("foo-1.0")}` and installing its executables")
     expect(the_bundle).to include_gems "foo 1.0"
 
     bundle "exec foobar"

bundler/spec/lock/lockfile_spec.rb

@@ -641,6 +641,30 @@
     G
   end
 
+  it "removes redundant sources" do
+    install_gemfile <<-G
+      source "#{file_uri_for(gem_repo2)}/"
+
+      gem "rack", :source => "#{file_uri_for(gem_repo2)}/"
+    G
+
+    lockfile_should_be <<-G
+      GEM
+        remote: #{file_uri_for(gem_repo2)}/
+        specs:
+          rack (1.0.0)
+
+      PLATFORMS
+        #{lockfile_platforms}
+
+      DEPENDENCIES
+        rack!
+
+      BUNDLED WITH
+         #{Bundler::VERSION}
+    G
+  end
+
   it "lists gems alphabetically" do
     install_gemfile <<-G
       source "#{file_uri_for(gem_repo2)}/"

bundler/spec/runtime/platform_spec.rb

@@ -108,6 +108,44 @@
     expect(lockfile).to eq(good_lockfile)
   end
 
+  it "will not try to install platform specific gems when they don't match the current ruby if locked only to ruby" do
+    build_repo4 do
+      build_gem "nokogiri", "1.11.1"
+
+      build_gem "nokogiri", "1.11.1" do |s|
+        s.platform = Bundler.local_platform
+        s.required_ruby_version = "< #{Gem.ruby_version}"
+      end
+    end
+
+    gemfile <<-G
+      source "https://gems.repo4"
+      gem "nokogiri"
+    G
+
+    lockfile <<~L
+      GEM
+        remote: https://gems.repo4/
+        specs:
+          nokogiri (1.11.1)
+
+      PLATFORMS
+        ruby
+
+      DEPENDENCIES
+        nokogiri
+
+      BUNDLED WITH
+         #{Bundler::VERSION}
+    L
+
+    bundle "install", :artifice => "compact_index", :env => { "BUNDLER_SPEC_GEM_REPO" => gem_repo4.to_s }
+
+    expect(out).to include("Fetching nokogiri 1.11.1")
+    expect(the_bundle).to include_gems "nokogiri 1.11.1"
+    expect(the_bundle).not_to include_gems "nokogiri 1.11.1 #{Bundler.local_platform}"
+  end
+
   it "will use the java platform if both generic java and generic ruby platforms are locked", :jruby do
     gemfile <<-G
       source "#{file_uri_for(gem_repo1)}"

bundler/test_gems.rb.lock

@@ -40,4 +40,4 @@ DEPENDENCIES
   webrick (= 1.7.0)
 
 BUNDLED WITH
-   2.2.14
+   2.2.15

dev_gems.rb.lock

@@ -3,7 +3,7 @@ GEM
   specs:
     addressable (2.7.0)
       public_suffix (>= 2.0.2, < 5.0)
-    ast (2.4.0)
+    ast (2.4.2)
     aws-eventstream (1.1.0)
     aws-partitions (1.411.0)
     aws-sdk-core (3.110.0)
@@ -113,4 +113,4 @@ DEPENDENCIES
   webrick (~> 1.6)
 
 BUNDLED WITH
-   2.2.14
+   2.2.15

lib/rubygems.rb

@@ -8,7 +8,7 @@
 require 'rbconfig'
 
 module Gem
-  VERSION = "3.2.14".freeze
+  VERSION = "3.2.15".freeze
 end
 
 # Must be first since it unloads the prelude from 1.9.2

lib/rubygems/commands/update_command.rb

@@ -76,7 +76,7 @@ def check_latest_rubygems(version) # :nodoc:
 
   def check_oldest_rubygems(version) # :nodoc:
     if oldest_supported_version > version
-      alert_error "rubygems #{version} is not supported. The oldest supported version is #{oldest_supported_version}"
+      alert_error "rubygems #{version} is not supported on #{RUBY_VERSION}. The oldest version supported by this ruby is #{oldest_supported_version}"
       terminate_interaction 1
     end
   end
@@ -322,8 +322,26 @@ def which_to_update(highest_installed_gems, gem_names, system = false)
 
   private
 
+  #
+  # Oldest version we support downgrading to. This is the version that
+  # originally ships with the first patch version of each ruby, because we never
+  # test each ruby against older rubygems, so we can't really guarantee it
+  # works. Version list can be checked here: https://stdgems.org/rubygems
+  #
   def oldest_supported_version
-    # for Ruby 2.3
-    @oldest_supported_version ||= Gem::Version.new("2.5.2")
+    @oldest_supported_version ||=
+      if Gem.ruby_version > Gem::Version.new("3.0.a")
+        Gem::Version.new("3.2.3")
+      elsif Gem.ruby_version > Gem::Version.new("2.7.a")
+        Gem::Version.new("3.1.2")
+      elsif Gem.ruby_version > Gem::Version.new("2.6.a")
+        Gem::Version.new("3.0.1")
+      elsif Gem.ruby_version > Gem::Version.new("2.5.a")
+        Gem::Version.new("2.7.3")
+      elsif Gem.ruby_version > Gem::Version.new("2.4.a")
+        Gem::Version.new("2.6.8")
+      else
+        Gem::Version.new("2.5.2")
+      end
   end
 end

lib/rubygems/security/trust_dir.rb

@@ -104,6 +104,7 @@ def trust_cert(certificate)
   # permissions.
 
   def verify
+    require 'fileutils'
     if File.exist? @dir
       raise Gem::Security::Exception,
         "trust directory #{@dir} is not a directory" unless

rubygems-update.gemspec

@@ -2,7 +2,7 @@
 
 Gem::Specification.new do |s|
   s.name = "rubygems-update"
-  s.version = "3.2.14"
+  s.version = "3.2.15"
   s.authors = ["Jim Weirich", "Chad Fowler", "Eric Hodel", "Luis Lavena", "Aaron Patterson", "Samuel Giddins", "André Arko", "Evan Phoenix", "Hiroshi SHIBATA"]
   s.email = ["", "", "drbrain@segment7.net", "luislavena@gmail.com", "aaron@tenderlovemaking.com", "segiddins@segiddins.me", "andre@arko.net", "evan@phx.io", "hsbt@ruby-lang.org"]