Merge branch 'rubygems:master' into fix-bundle-plugin-bug

.github/dependabot.yml

@@ -5,7 +5,7 @@ updates:
     schedule:
       interval: 'weekly'
   - package-ecosystem: 'cargo'
-    directory: '/test/rubygems/test_gem_ext_cargo_builder/custom_name/'
+    directory: '/test/rubygems/test_gem_ext_cargo_builder/custom_name/ext/custom_name_lib'
     schedule:
       interval: 'weekly'
   - package-ecosystem: 'cargo'

.github/workflows/install-rubygems.yml

@@ -105,7 +105,7 @@ jobs:
           ruby-version: ${{ matrix.ruby.value }}
           bundler: none
       - name: Setup java
-        uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
+        uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 # v3.12.0
         with:
           distribution: temurin
           java-version: 19.0.2

.github/workflows/jruby-bundler.yml

@@ -36,7 +36,7 @@ jobs:
           ruby-version: jruby-9.4.2.0
           bundler: none
       - name: Setup java
-        uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
+        uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 # v3.12.0
         with:
           distribution: temurin
           java-version: 19.0.2

.github/workflows/weekly-update.yml

@@ -0,0 +1,43 @@
+name: weekly-update
+
+on:
+  schedule:
+    - cron: '0 0 * * 0'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  weekly_update:
+    name: Rubygems weekly update
+    runs-on: ${{ matrix.os }}
+    if: github.repository == 'rubygems/rubygems'
+    strategy:
+      matrix:
+        os: [ ubuntu-latest ]
+    steps:
+      - name: Config git
+        run: |
+          git config --global user.name "License Update"
+          git config --global user.email license.update@rubygems.org
+          git config --global push.autoSetupRemote true
+
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+      - name: Check versions
+        run: |
+          ruby --version
+          rake --version
+
+      - name: Update SPDX license list
+        run: |
+          rake update_licenses_branch
+          git diff --no-ext-diff --ignore-submodules --quiet "${BASE##*/}" -- || {
+            git push origin
+            gh pr create --base "${BASE##*/}" --fill --label "rubygems: enhancement"
+          }
+        env:
+          BASE: ${{ github.ref }}
+          GH_TOKEN: ${{ github.token }}

CHANGELOG.md

@@ -1,3 +1,39 @@
+# 3.4.19 / 2023-08-17
+
+## Enhancements:
+
+* Installs bundler 2.4.19 as a default gem.
+
+## Performance:
+
+* Speedup building docs when updating rubygems. Pull request
+  [#6864](https://github.com/rubygems/rubygems/pull/6864) by
+  deivid-rodriguez
+
+# 3.4.18 / 2023-08-02
+
+## Enhancements:
+
+* Add poller to fetch WebAuthn OTP. Pull request
+  [#6774](https://github.com/rubygems/rubygems/pull/6774) by jenshenny
+* Remove side effects when unmarshaling old `Gem::Specification`. Pull
+  request [#6825](https://github.com/rubygems/rubygems/pull/6825) by nobu
+* Ship rubygems executables in `exe` folder. Pull request
+  [#6704](https://github.com/rubygems/rubygems/pull/6704) by hsbt
+* Installs bundler 2.4.18 as a default gem.
+
+# 3.4.17 / 2023-07-14
+
+## Enhancements:
+
+* Installs bundler 2.4.17 as a default gem.
+
+## Performance:
+
+* Avoid unnecessary work for private local gem installation. Pull request
+  [#6810](https://github.com/rubygems/rubygems/pull/6810) by
+  deivid-rodriguez
+
 # 3.4.16 / 2023-07-10
 
 ## Enhancements:

Manifest.txt

@@ -403,6 +403,9 @@ lib/rubygems/ext/ext_conf_builder.rb
 lib/rubygems/ext/rake_builder.rb
 lib/rubygems/gem_runner.rb
 lib/rubygems/gemcutter_utilities.rb
+lib/rubygems/gemcutter_utilities/webauthn_listener.rb
+lib/rubygems/gemcutter_utilities/webauthn_listener/response.rb
+lib/rubygems/gemcutter_utilities/webauthn_poller.rb
 lib/rubygems/indexer.rb
 lib/rubygems/install_default_message.rb
 lib/rubygems/install_message.rb
@@ -541,8 +544,6 @@ lib/rubygems/util/list.rb
 lib/rubygems/validator.rb
 lib/rubygems/version.rb
 lib/rubygems/version_option.rb
-lib/rubygems/webauthn_listener.rb
-lib/rubygems/webauthn_listener/response.rb
 lib/rubygems/yaml_serializer.rb
 rubygems-update.gemspec
 setup.rb

POLICIES.md

@@ -95,7 +95,7 @@ and not get any conflicts.
     changelogs into master.
 *   Once CI passes, merge the release PR, switch to the stable branch and pull
     the PR just merged.
-*   Release `bundler` with `(cd bundler && bin/rake release)`.
+*   Release `bundler` with `rake bundler:release`.
 *   Release `rubygems` with `rake release`.
 
 ### Steps for minor and major releases
@@ -112,7 +112,7 @@ and not get any conflicts.
     to the master PR.
 *   Once CI passes, merge the release PR, switch to  the stable branch and pull
     the PR just merged.
-*   Release `bundler` with `(cd bundler && bin/rake release)`.
+*   Release `bundler` with `rake bundler:release`.
 *   Release `rubygems` with `rake release`.
 
 ## Committer Access

Rakefile

@@ -418,8 +418,8 @@ namespace "blog" do
       digest = OpenSSL::Digest::SHA256.file(file).hexdigest
       basename = File.basename(file)
 
-      checksums << "* #{basename}  \n"
-      checksums << "  #{digest}\n"
+      checksums += "* #{basename}  \n"
+      checksums += "  #{digest}\n"
 
       release_url = URI("https://rubygems.org/#{file.end_with?("gem") ? "gems" : "rubygems"}/#{basename}")
       response = Net::HTTP.get_response(release_url)
@@ -547,9 +547,23 @@ task :check_manifest do
   end
 end
 
+license_last_update = nil
+
 desc "Update License list from SPDX.org"
 task :update_licenses do
   load "tool/generate_spdx_license_list.rb"
+  license_last_update = generate_spdx_license_list
+end
+
+desc "Create branch to update License list"
+task :update_licenses_branch => :update_licenses do
+  if license_last_update
+    file, mtime = license_last_update
+    date = mtime.strftime("%Y-%m-%d")
+    branch_name = "license-list-#{date}"
+    system(*%w[git checkout -b], branch_name, exception: true)
+    system(*%w[git commit -m], "Update SPDX license list as of #{date}", *file, exception: true)
+  end
 end
 
 require_relative "bundler/spec/support/rubygems_ext"
@@ -727,7 +741,9 @@ namespace :bundler do
   task :build => ["bundler:build_metadata"] do
     Rake::Task["bundler:build_metadata:clean"].tap(&:reenable).invoke
   end
-  task "bundler:release:rubygem_push" => ["bundler:release:setup", "man:check", "bundler:build_metadata", "bundler:release:github"]
+
+  desc "Push to rubygems.org"
+  task "release:rubygem_push" => ["bundler:release:setup", "man:check", "bundler:build_metadata", "bundler:release:github"]
 
   desc "Generates the changelog for a specific target version"
   task :generate_changelog, [:version] do |_t, opts|

bundler/CHANGELOG.md

@@ -1,3 +1,43 @@
+# 2.4.19 (August 17, 2023)
+
+## Enhancements:
+
+  - Add `file` option to `ruby` method in Gemfile [#6876](https://github.com/rubygems/rubygems/pull/6876)
+  - Show better error when PAT can't authenticate to a private server [#6871](https://github.com/rubygems/rubygems/pull/6871)
+  - Don't fallback to old dependency API when bad credentials are configured [#6869](https://github.com/rubygems/rubygems/pull/6869)
+
+## Bug fixes:
+
+  - Fix git source conservativeness [#6850](https://github.com/rubygems/rubygems/pull/6850)
+
+## Documentation:
+
+  - Clarify that `bundle info` takes a gem name [#6875](https://github.com/rubygems/rubygems/pull/6875)
+
+# 2.4.18 (August 2, 2023)
+
+## Security:
+
+  - Merge URI-0.12.2 for Bundler [#6779](https://github.com/rubygems/rubygems/pull/6779)
+
+## Enhancements:
+
+  - Update Magnus version in Rust extension gem template [#6843](https://github.com/rubygems/rubygems/pull/6843)
+
+## Documentation:
+
+  - Update bundle-outdated(1) man to use table output [#6833](https://github.com/rubygems/rubygems/pull/6833)
+
+# 2.4.17 (July 14, 2023)
+
+## Enhancements:
+
+  - Avoid printing "Using ..." messages when version has not changed [#6804](https://github.com/rubygems/rubygems/pull/6804)
+
+## Bug fixes:
+
+  - Fix `bundler/setup` unintendedly writing to the filesystem [#6814](https://github.com/rubygems/rubygems/pull/6814)
+
 # 2.4.16 (July 10, 2023)
 
 ## Bug fixes:

bundler/doc/playbooks/RELEASING.md

@@ -93,8 +93,8 @@ $ git cherry-pick -m 1 dd6aef9
 
 After running the task, you'll have a release branch ready to be merged into the
 stable branch. You'll want to open a PR from this branch into the stable branch
-and provided CI is green, you can go ahead, merge the PR and run `bin/rake
-release` from `bundler/` directory in the updated stable branch.
+and provided CI is green, you can go ahead, merge the PR and run `rake
+bundler:release` from the updated stable branch.
 
 Here's the checklist for releasing new minor versions:
 
@@ -105,8 +105,8 @@ Here's the checklist for releasing new minor versions:
   a PR to the stable branch with the generated changes.
 * [ ] Get the PR reviewed, make sure CI is green, and merge it.
 * [ ] Pull the updated stable branch, wait for CI to complete on it and get excited.
-* [ ] Run `bin/rake release` from the `bundler/` directory updated stable
-  branch, tweet, blog, let people know about the prerelease!
+* [ ] Run `rake bundler:release` from the updated stable branch, tweet, blog,
+  let people know about the prerelease!
 * [ ] Wait a **minimum of 7 days**
 * [ ] If significant problems are found, increment the prerelease (i.e. 2.2.pre.2)
   and repeat, but treating `.pre.2` as a _patch release_. In general, once a stable
@@ -124,8 +124,8 @@ Wait! You're not done yet! After your prelease looks good:
 * [ ] Write a blog post announcing the new version, highlighting new features and
   notable bugfixes
 * [ ] Pull the updated stable branch, wait for CI to complete on it and get excited.
-* [ ] Run `bin/rake release` in the `bundler/` directory of the updated stable
-  branch, tweet, link to the blog post, etc.
+* [ ] Run `rake bundler:release` from the updated stable branch, tweet, link to
+  the blog post, etc.
 
 At this point, you're a release manager! Pour yourself several tasty drinks and
 think about taking a vacation in the tropics.

bundler/lib/bundler/definition.rb

@@ -390,8 +390,8 @@ def ensure_equivalent_gemfile_and_lockfile(explicit_flag = false)
       both_sources.each do |name, (dep, lock_dep)|
         next if dep.nil? || lock_dep.nil?
 
-        gemfile_source = dep.source || sources.default_source
-        lock_source = lock_dep.source || sources.default_source
+        gemfile_source = dep.source || default_source
+        lock_source = lock_dep.source || default_source
         next if lock_source.include?(gemfile_source)
 
         gemfile_source_name = dep.source ? gemfile_source.to_gemfile : "no specified source"
@@ -805,26 +805,27 @@ def converge_locked_specs
 
     def converge_specs(specs)
       converged = []
-
-      deps = @dependencies.select do |dep|
-        specs[dep].any? {|s| s.satisfies?(dep) && (!dep.source || s.source.include?(dep.source)) }
-      end
+      deps = []
 
       @specs_that_changed_sources = []
 
       specs.each do |s|
+        name = s.name
         dep = @dependencies.find {|d| s.satisfies?(d) }
+        lockfile_source = s.source
 
-        # Replace the locked dependency's source with the equivalent source from the Gemfile
-        s.source = if dep&.source
-          gemfile_source = dep.source
-          lockfile_source = s.source
+        if dep
+          gemfile_source = dep.source || default_source
 
           @specs_that_changed_sources << s if gemfile_source != lockfile_source
+          deps << dep if !dep.source || lockfile_source.include?(dep.source)
+          @unlock[:gems] << name if lockfile_source.include?(dep.source) && lockfile_source != gemfile_source
 
-          gemfile_source
+          # Replace the locked dependency's source with the equivalent source from the Gemfile
+          s.source = gemfile_source
         else
-          sources.get_with_fallback(s.source)
+          # Replace the locked dependency's source with the default source, if the locked source is no longer in the Gemfile
+          s.source = default_source unless sources.get(lockfile_source)
         end
 
         next if @unlock[:sources].include?(s.source.name)
@@ -833,9 +834,9 @@ def converge_specs(specs)
         if s.source.instance_of?(Source::Path) || s.source.instance_of?(Source::Gemspec)
           new_specs = begin
             s.source.specs
-          rescue PathError, GitError
+          rescue PathError
             # if we won't need the source (according to the lockfile),
-            # don't error if the path/git source isn't available
+            # don't error if the path source isn't available
             next if specs.
                     for(requested_dependencies, false).
                     none? {|locked_spec| locked_spec.source == s.source }
@@ -849,11 +850,11 @@ def converge_specs(specs)
           else
             # If the spec is no longer in the path source, unlock it. This
             # commonly happens if the version changed in the gemspec
-            @unlock[:gems] << s.name
+            @unlock[:gems] << name
           end
         end
 
-        if dep.nil? && requested_dependencies.find {|d| s.name == d.name }
+        if dep.nil? && requested_dependencies.find {|d| name == d.name }
           @unlock[:gems] << s.name
         else
           converged << s
@@ -877,7 +878,7 @@ def source_requirements
       source_requirements = if precompute_source_requirements_for_indirect_dependencies?
         all_requirements = source_map.all_requirements
         all_requirements = pin_locally_available_names(all_requirements) if @prefer_local
-        { :default => sources.default_source }.merge(all_requirements)
+        { :default => default_source }.merge(all_requirements)
       else
         { :default => Source::RubygemsAggregate.new(sources, source_map) }.merge(source_map.direct_requirements)
       end
@@ -886,7 +887,7 @@ def source_requirements
         source_requirements[dep.name] = sources.metadata_source
       end
 
-      default_bundler_source = source_requirements["bundler"] || sources.default_source
+      default_bundler_source = source_requirements["bundler"] || default_source
 
       if @unlocking_bundler
         default_bundler_source.add_dependency_names("bundler")
@@ -899,6 +900,10 @@ def source_requirements
       source_requirements
     end
 
+    def default_source
+      sources.default_source
+    end
+
     def verify_changed_sources!
       @specs_that_changed_sources.each do |s|
         if s.source.specs.search(s.name).empty?