Merge pull request #7555 from rubygems/release/bundler_2.5.8_rubygems…

…_3.5.8

Prepare RubyGems 3.5.8 and Bundler 2.5.8

.github/workflows/bundler.yml

@@ -55,7 +55,7 @@ jobs:
     steps:
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - name: Setup ruby
-        uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # v1.172.0
+        uses: ruby/setup-ruby@5f19ec79cedfadb78ab837f95b87734d0003c899 # v1.173.0
         with:
           ruby-version: ${{ matrix.ruby.value }}
           bundler: none

.github/workflows/daily-bundler.yml

@@ -22,7 +22,7 @@ jobs:
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 
       - name: Set up Ruby
-        uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # v1.172.0
+        uses: ruby/setup-ruby@5f19ec79cedfadb78ab837f95b87734d0003c899 # v1.173.0
         with:
           ruby-version: ruby-head
           bundler: none

.github/workflows/daily-rubygems.yml

@@ -27,7 +27,7 @@ jobs:
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 
       - name: Set up Ruby
-        uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # v1.172.0
+        uses: ruby/setup-ruby@5f19ec79cedfadb78ab837f95b87734d0003c899 # v1.173.0
         with:
           ruby-version: ${{ matrix.ruby }}
           bundler: none

.github/workflows/install-rubygems.yml

@@ -34,7 +34,7 @@ jobs:
     steps:
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - name: Setup ruby
-        uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # v1.172.0
+        uses: ruby/setup-ruby@5f19ec79cedfadb78ab837f95b87734d0003c899 # v1.173.0
         with:
           ruby-version: ${{ matrix.ruby.value }}
           bundler: none
@@ -103,7 +103,7 @@ jobs:
     steps:
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - name: Setup ruby
-        uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # v1.172.0
+        uses: ruby/setup-ruby@5f19ec79cedfadb78ab837f95b87734d0003c899 # v1.173.0
         with:
           ruby-version: ${{ matrix.ruby.value }}
           bundler: none

.github/workflows/jruby-bundler.yml

@@ -34,7 +34,7 @@ jobs:
     steps:
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - name: Setup ruby
-        uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # v1.172.0
+        uses: ruby/setup-ruby@5f19ec79cedfadb78ab837f95b87734d0003c899 # v1.173.0
         with:
           ruby-version: jruby-9.4.2.0
           bundler: none

.github/workflows/realworld-bundler.yml

@@ -45,7 +45,7 @@ jobs:
     steps:
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - name: Setup ruby
-        uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # v1.172.0
+        uses: ruby/setup-ruby@5f19ec79cedfadb78ab837f95b87734d0003c899 # v1.173.0
         with:
           ruby-version: ${{ matrix.ruby.value }}
           bundler: none
@@ -81,7 +81,7 @@ jobs:
     steps:
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - name: Setup ruby
-        uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # v1.172.0
+        uses: ruby/setup-ruby@5f19ec79cedfadb78ab837f95b87734d0003c899 # v1.173.0
         with:
           ruby-version: ${{ matrix.ruby.value }}
           bundler: none
@@ -106,10 +106,12 @@ jobs:
     steps:
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - name: Setup ruby
-        uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # v1.172.0
+        uses: ruby/setup-ruby@5f19ec79cedfadb78ab837f95b87734d0003c899 # v1.173.0
         with:
           ruby-version: 3.3.0
           bundler: none
+      - name: Prepare dependencies
+        run: rake setup
       - name: Download all used cassettes as artifacts
         uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
         with:

.github/workflows/ruby-core.yml

@@ -24,7 +24,7 @@ jobs:
         target: [Rubygems, Bundler]
     steps:
       - name: Set up latest ruby head
-        uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # v1.172.0
+        uses: ruby/setup-ruby@5f19ec79cedfadb78ab837f95b87734d0003c899 # v1.173.0
         with:
           ruby-version: head
           bundler: none

.github/workflows/rubygems.yml

@@ -45,7 +45,7 @@ jobs:
     steps:
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - name: Setup ruby (Ubuntu/macOS)
-        uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # v1.172.0
+        uses: ruby/setup-ruby@5f19ec79cedfadb78ab837f95b87734d0003c899 # v1.173.0
         with:
           ruby-version: ${{ matrix.ruby.value }}
           bundler: none

.github/workflows/system-rubygems-bundler.yml

@@ -40,7 +40,7 @@ jobs:
     steps:
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - name: Setup ruby
-        uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # v1.172.0
+        uses: ruby/setup-ruby@5f19ec79cedfadb78ab837f95b87734d0003c899 # v1.173.0
         with:
           ruby-version: ${{ matrix.ruby.value }}
           bundler: none

.github/workflows/truffleruby-bundler.yml

@@ -26,7 +26,7 @@ jobs:
     steps:
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - name: Setup ruby
-        uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # v1.172.0
+        uses: ruby/setup-ruby@5f19ec79cedfadb78ab837f95b87734d0003c899 # v1.173.0
         with:
           ruby-version: truffleruby-23.1.2
           bundler: none

.github/workflows/ubuntu-lint.yml

@@ -23,7 +23,7 @@ jobs:
     steps:
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - name: Setup ruby
-        uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # v1.172.0
+        uses: ruby/setup-ruby@5f19ec79cedfadb78ab837f95b87734d0003c899 # v1.173.0
         with:
           ruby-version: 3.3.0
           bundler: none

CHANGELOG.md

@@ -1,3 +1,29 @@
+# 3.5.8 / 2024-04-11
+
+## Security:
+
+* Respect global umask when writing regular files. Pull request
+  [#7518](https://github.com/rubygems/rubygems/pull/7518) by
+  deivid-rodriguez
+
+## Enhancements:
+
+* Allow string keys with gemrc. Pull request
+  [#7543](https://github.com/rubygems/rubygems/pull/7543) by hsbt
+* [Experimental] Add "gem rebuild" command. Pull request
+  [#4913](https://github.com/rubygems/rubygems/pull/4913) by duckinator
+* Installs bundler 2.5.8 as a default gem.
+
+## Bug fixes:
+
+* Fix NoMethodError crash when building errors about corrupt package
+  files. Pull request
+  [#7539](https://github.com/rubygems/rubygems/pull/7539) by jez
+* Fix resolver to properly intersect Arrays of `Gem::Resolver::Activation`
+  objects. Pull request
+  [#7537](https://github.com/rubygems/rubygems/pull/7537) by
+  deivid-rodriguez
+
 # 3.5.7 / 2024-03-22
 
 ## Enhancements:

Manifest.txt

@@ -164,6 +164,7 @@ bundler/lib/bundler/plugin/events.rb
 bundler/lib/bundler/plugin/index.rb
 bundler/lib/bundler/plugin/installer.rb
 bundler/lib/bundler/plugin/installer/git.rb
+bundler/lib/bundler/plugin/installer/path.rb
 bundler/lib/bundler/plugin/installer/rubygems.rb
 bundler/lib/bundler/plugin/source_list.rb
 bundler/lib/bundler/process_lock.rb
@@ -383,6 +384,7 @@ lib/rubygems/commands/pristine_command.rb
 lib/rubygems/commands/push_command.rb
 lib/rubygems/commands/query_command.rb
 lib/rubygems/commands/rdoc_command.rb
+lib/rubygems/commands/rebuild_command.rb
 lib/rubygems/commands/search_command.rb
 lib/rubygems/commands/server_command.rb
 lib/rubygems/commands/setup_command.rb
@@ -424,6 +426,7 @@ lib/rubygems/gemcutter_utilities.rb
 lib/rubygems/gemcutter_utilities/webauthn_listener.rb
 lib/rubygems/gemcutter_utilities/webauthn_listener/response.rb
 lib/rubygems/gemcutter_utilities/webauthn_poller.rb
+lib/rubygems/gemspec_helpers.rb
 lib/rubygems/install_default_message.rb
 lib/rubygems/install_message.rb
 lib/rubygems/install_update_options.rb

bundler/CHANGELOG.md

@@ -1,3 +1,15 @@
+# 2.5.8 (April 11, 2024)
+
+## Enhancements:
+
+  - Allow installing plugins from path via CLI [#6960](https://github.com/rubygems/rubygems/pull/6960)
+  - Improve validation of `bundle plugin install` options [#7529](https://github.com/rubygems/rubygems/pull/7529)
+
+## Bug fixes:
+
+  - Fix resolver error message when it runs out of versions due to `--strict --patch` filtering out everything [#7527](https://github.com/rubygems/rubygems/pull/7527)
+  - Fix incorrect `bundle update --bundler` message [#7516](https://github.com/rubygems/rubygems/pull/7516)
+
 # 2.5.7 (March 22, 2024)
 
 ## Deprecations:

bundler/bin/parallel_rspec

@@ -4,6 +4,8 @@
 require_relative "../spec/support/rubygems_ext"
 
 require_relative "../spec/support/switch_rubygems"
+
+require "ostruct" # Backfill missing require in turbo_tests. Remove when added upstream
 require "turbo_tests"
 
 if RUBY_PLATFORM.match?(/mingw|mswin/)

bundler/lib/bundler/cli/plugin.rb

@@ -5,14 +5,15 @@ module Bundler
   class CLI::Plugin < Thor
     desc "install PLUGINS", "Install the plugin from the source"
     long_desc <<-D
-      Install plugins either from the rubygems source provided (with --source option) or from a git source provided with --git. If no sources are provided, it uses Gem.sources
+      Install plugins either from the rubygems source provided (with --source option), from a git source provided with --git, or a local path provided with --path. If no sources are provided, it uses Gem.sources
    D
     method_option "source", type: :string, default: nil, banner: "URL of the RubyGems source to fetch the plugin from"
     method_option "version", type: :string, default: nil, banner: "The version of the plugin to fetch"
     method_option "git", type: :string, default: nil, banner: "URL of the git repo to fetch from"
     method_option "local_git", type: :string, default: nil, banner: "Path of the local git repo to fetch from (deprecated)"
     method_option "branch", type: :string, default: nil, banner: "The git branch to checkout"
     method_option "ref", type: :string, default: nil, banner: "The git revision to check out"
+    method_option "path", type: :string, default: nil, banner: "Path of a local gem to directly use"
     def install(*plugins)
       Bundler::Plugin.install(plugins, options)
     end

bundler/lib/bundler/gem_version_promoter.rb

@@ -45,17 +45,37 @@ def level=(value)
 
     # Given a Resolver::Package and an Array of Specifications of available
     # versions for a gem, this method will return the Array of Specifications
-    # sorted (and possibly truncated if strict is true) in an order to give
-    # preference to the current level (:major, :minor or :patch) when resolution
-    # is deciding what versions best resolve all dependencies in the bundle.
+    # sorted in an order to give preference to the current level (:major, :minor
+    # or :patch) when resolution is deciding what versions best resolve all
+    # dependencies in the bundle.
     # @param package [Resolver::Package] The package being resolved.
     # @param specs [Specification] An array of Specifications for the package.
-    # @return [Specification] A new instance of the Specification Array sorted and
-    #    possibly filtered.
+    # @return [Specification] A new instance of the Specification Array sorted.
     def sort_versions(package, specs)
-      specs = filter_dep_specs(specs, package) if strict
+      locked_version = package.locked_version
 
-      sort_dep_specs(specs, package)
+      result = specs.sort do |a, b|
+        unless package.prerelease_specified? || pre?
+          a_pre = a.prerelease?
+          b_pre = b.prerelease?
+
+          next 1 if a_pre && !b_pre
+          next -1 if b_pre && !a_pre
+        end
+
+        if major? || locked_version.nil?
+          b <=> a
+        elsif either_version_older_than_locked?(a, b, locked_version)
+          b <=> a
+        elsif segments_do_not_match?(a, b, :major)
+          a <=> b
+        elsif !minor? && segments_do_not_match?(a, b, :minor)
+          a <=> b
+        else
+          b <=> a
+        end
+      end
+      post_sort(result, package.unlock?, locked_version)
     end
 
     # @return [bool] Convenience method for testing value of level variable.
@@ -73,9 +93,18 @@ def pre?
       pre == true
     end
 
-    private
+    # Given a Resolver::Package and an Array of Specifications of available
+    # versions for a gem, this method will truncate the Array if strict
+    # is true. That means filtering out downgrades from the version currently
+    # locked, and filtering out upgrades that go past the selected level (major,
+    # minor, or patch).
+    # @param package [Resolver::Package] The package being resolved.
+    # @param specs [Specification] An array of Specifications for the package.
+    # @return [Specification] A new instance of the Specification Array
+    #   truncated.
+    def filter_versions(package, specs)
+      return specs unless strict
 
-    def filter_dep_specs(specs, package)
       locked_version = package.locked_version
       return specs if locked_version.nil? || major?
 
@@ -89,32 +118,7 @@ def filter_dep_specs(specs, package)
       end
     end
 
-    def sort_dep_specs(specs, package)
-      locked_version = package.locked_version
-
-      result = specs.sort do |a, b|
-        unless package.prerelease_specified? || pre?
-          a_pre = a.prerelease?
-          b_pre = b.prerelease?
-
-          next -1 if a_pre && !b_pre
-          next  1 if b_pre && !a_pre
-        end
-
-        if major? || locked_version.nil?
-          a <=> b
-        elsif either_version_older_than_locked?(a, b, locked_version)
-          a <=> b
-        elsif segments_do_not_match?(a, b, :major)
-          b <=> a
-        elsif !minor? && segments_do_not_match?(a, b, :minor)
-          b <=> a
-        else
-          a <=> b
-        end
-      end
-      post_sort(result, package.unlock?, locked_version)
-    end
+    private
 
     def either_version_older_than_locked?(a, b, locked_version)
       a.version < locked_version || b.version < locked_version
@@ -133,13 +137,13 @@ def post_sort(result, unlock, locked_version)
       if unlock || locked_version.nil?
         result
       else
-        move_version_to_end(result, locked_version)
+        move_version_to_beginning(result, locked_version)
       end
     end
 
-    def move_version_to_end(result, version)
+    def move_version_to_beginning(result, version)
       move, keep = result.partition {|s| s.version.to_s == version.to_s }
-      keep.concat(move)
+      move.concat(keep)
     end
   end
 end

bundler/lib/bundler/man/bundle-add.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-ADD" "1" "February 2024" ""
+.TH "BUNDLE\-ADD" "1" "March 2024" ""
 .SH "NAME"
 \fBbundle\-add\fR \- Add gem to the Gemfile and run bundle install
 .SH "SYNOPSIS"

bundler/lib/bundler/man/bundle-binstubs.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-BINSTUBS" "1" "February 2024" ""
+.TH "BUNDLE\-BINSTUBS" "1" "March 2024" ""
 .SH "NAME"
 \fBbundle\-binstubs\fR \- Install the binstubs of the listed gems
 .SH "SYNOPSIS"

bundler/lib/bundler/man/bundle-cache.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-CACHE" "1" "February 2024" ""
+.TH "BUNDLE\-CACHE" "1" "March 2024" ""
 .SH "NAME"
 \fBbundle\-cache\fR \- Package your needed \fB\.gem\fR files into your application
 .SH "SYNOPSIS"

bundler/lib/bundler/man/bundle-check.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-CHECK" "1" "February 2024" ""
+.TH "BUNDLE\-CHECK" "1" "March 2024" ""
 .SH "NAME"
 \fBbundle\-check\fR \- Verifies if dependencies are satisfied by installed gems
 .SH "SYNOPSIS"

bundler/lib/bundler/man/bundle-clean.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-CLEAN" "1" "February 2024" ""
+.TH "BUNDLE\-CLEAN" "1" "March 2024" ""
 .SH "NAME"
 \fBbundle\-clean\fR \- Cleans up unused gems in your bundler directory
 .SH "SYNOPSIS"

bundler/lib/bundler/man/bundle-config.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-CONFIG" "1" "February 2024" ""
+.TH "BUNDLE\-CONFIG" "1" "March 2024" ""
 .SH "NAME"
 \fBbundle\-config\fR \- Set bundler configuration options
 .SH "SYNOPSIS"

bundler/lib/bundler/man/bundle-console.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-CONSOLE" "1" "February 2024" ""
+.TH "BUNDLE\-CONSOLE" "1" "March 2024" ""
 .SH "NAME"
 \fBbundle\-console\fR \- Deprecated way to open an IRB session with the bundle pre\-loaded
 .SH "SYNOPSIS"