| Age | Commit message (Collapse) | Author |
|---|
|
https://github.com/ruby/prism/commit/92b48ce940
|
|
https://github.com/ruby/prism/commit/88a247a486
|
|
https://github.com/ruby/prism/commit/1b594e10da
|
|
https://github.com/ruby/prism/commit/2b5298128e
|
|
https://github.com/ruby/prism/commit/a4a44cb14a
|
|
https://github.com/ruby/prism/commit/323f7f16f8
|
|
https://github.com/ruby/prism/commit/1e3ec12adc
|
|
https://github.com/ruby/prism/commit/01d575aa2f
|
|
https://github.com/ruby/prism/commit/400b217393
|
|
https://github.com/ruby/prism/commit/8ad880255d
|
|
https://github.com/ruby/prism/commit/2496b0105b
|
|
https://github.com/ruby/prism/commit/8d1df7815e
|
|
https://github.com/ruby/prism/commit/cc93903d08
|
|
https://github.com/ruby/prism/commit/abd0a833be
|
|
https://github.com/ruby/prism/commit/d2ec3620fa
|
|
https://github.com/ruby/prism/commit/f9f9cd55d2
|
|
https://github.com/ruby/prism/commit/c6610459c7
|
|
https://github.com/ruby/prism/commit/60e105fc0c
|
|
https://github.com/ruby/prism/commit/b27fd8276d
|
|
https://github.com/ruby/prism/commit/281244ff57
|
|
https://github.com/ruby/prism/commit/cc97110ba1
|
|
https://github.com/ruby/prism/commit/af683324ea
|
|
https://github.com/ruby/prism/commit/104b6abd10
|
|
https://github.com/ruby/prism/commit/a18e3ca178
|
|
https://github.com/ruby/prism/commit/c03b69b16e
|
|
https://github.com/ruby/prism/commit/c74b7c3f52
|
|
https://github.com/ruby/prism/commit/895b395b99
|
|
https://github.com/ruby/prism/commit/58586902b1
|
|
https://github.com/ruby/prism/commit/5966ab67f3
|
|
https://github.com/ruby/prism/commit/16fd2bf08a
|
|
https://github.com/ruby/prism/commit/cdc9b97f4d
|
|
https://github.com/ruby/prism/commit/cdf8bed9ba
|
|
https://github.com/ruby/prism/commit/e4df04157a
|
|
https://github.com/ruby/prism/commit/bda0f889b5
|
|
https://github.com/ruby/prism/commit/429672ea58
|
|
(https://github.com/ruby/erb/pull/108)
https://github.com/ruby/erb/commit/2fd0a6b71c
Co-authored-by: Takashi Kokubun <takashikkbn@gmail.com>
|
|
https://github.com/ruby/rubygems/commit/432a0f7e61
|
|
- ### Problem
With the Bundler autoswitch feature, system Bundler may install
a `bundler.gem` that matches the Gemfile.lock.
The `bundler.gem` that gets downloaded is like any other gems,
but its treated differently (it doesn't appear in the Gemfile specs
and we also don't lock its checksum).
If for any reason Bundler itself gets compromised, it's a security
concern.
### Details
I'd like to introduce this change into two separate changes for
easier reviews.
The first (this commit) only produce the checksum in the lockfile,
nothings consumes it or verify it yet.
The second patch will make sure that whenever the Bundler
auto-install kicks in, Bundler will verify that the locked checksum
matches the Bundler version being downloaded and installed.
### Solution
Overall the solution here is similar to how checksums are already
generated for other gems. However, the `bundler` gem comes from a
different source (the `Bundler::Source::Metadata`) and so it needs
to be handled slightly differently.
A big part ot the change is test related. Instead of having to
modify all tests that assert the state of the lockfile (which
will be broken now, since the lockfile includes the Bundler
checksum), I opted to automatically include the checksum whenever
the helper metod `checksums_section` is called.
https://github.com/ruby/rubygems/commit/9ce52a2188
|
|
- ### Problem
For each git gems in a Gemfile a new Git source object is
instantiated. Each git source will make a system call to check the
version of git. This is inefficient and we lose ~50ms on each system
calls.
### Solution
The version of git will not change from one source to the other,
so we can memoize the value at the class level instead.
https://github.com/ruby/rubygems/commit/1415940a83
|
|
- Clarify what `BUNDLE_JOB` is used for and that it affects the
number of parallel downloads.
https://github.com/ruby/rubygems/commit/36f572b4db
|
|
- ### Problem
I'd like to normalize the number of workers when downloading gems
and use the `BUNDLE_JOBS` configuration (or default to
`Etc.nprocessors`).
Right now the number of workers when doing parallel work seems a bit
random.
### Benchmarks
**Downloading 40 git gems**
=== Comparison Summary ===
Scenario: git-gems (40 gems)
Cold +/- Warm +/-
------------------------------------------------------------------------------
more-downloads 7.94s 1.44s baseline 5.02s 0.31s baseline
master 14.59s 1.67s 83.7% slower 5.72s 0.30s 13.9% slower
_________________________________
**Downloading 249 gems from a fake gemserver with a 300ms latency**
=== Comparison Summary ===
Scenario: no-deps (249 gems)
Cold +/- Warm +/-
------------------------------------------------------------------------------
more-downloads 11.11s 0.66s baseline 1.23s 0.14s baseline
master 16.89s 0.60s 52.0% slower 1.03s 0.09s 16.2% faster
### Context
I originally added those workers count in
1. https://github.com/ruby/rubygems/pull/9087/changes#diff-524173391e40a96577540013a1ad749433454155f79aa05c5d0832235b0bdad1R11
2. https://github.com/ruby/rubygems/pull/9100/changes#diff-04ae823e98259f697c78d2d0b4eab0ced6a83a84a986578703eb2837d6db1a32R1105
For 1. (downloading gems from Rubygems.org)I opted to go with a
hardcoded worker count of 5 and not anything higher as I was
that we could hammer RubyGems.org. I think this concern
is not valid, because requests to download gems don't even hit
RubyGems.org server as there is the fastly CDN in front of the s3
bucket.
For 2. I went with a worker count of 5 to match, without giving this
a second thought.
https://github.com/ruby/rubygems/commit/170c9d75c2
|
|
- Rename add_trailing_slash to normalize_source_uri to better reflect
that it also removes duplicated trailing slashes
- Extract build_source and build_new_source to eliminate duplicated
source creation pattern across add_source, append_source,
prepend_source, and remove_source
- Apply URI normalization to remove_source as well
- Use \z instead of $ in trailing slash regex for correctness
https://github.com/ruby/rubygems/commit/3e81961ef8
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
|
gem sources
GitHub's private gem registry expects the first path segment after the host
to represent the namespace, typically the organization or user name. [1]
When adding a source with
```
gem sources --add https://user:password@rubygems.pkg.github.com/my-org
```
without a trailing slash, the last path segment ("my-org") is interpreted as a
file and removed during relative path resolution. This causes the resulting
URI to become
```
https://user:password@rubygems.pkg.github.com/gems/foo.gem
```
instead of the correct
```
https://user:password@rubygems.pkg.github.com/my-org/gems/foo.gem. [2]
```
Example error:
```
gem source -a https://user:password@rubygems.pkg.github.com/my-org
gem install -rf foo.gem
rubygems/remote_fetcher.rb:238:in `fetch_http': bad response Not Found 404 (https://user:REDACTED@rubygems.pkg.github.com/gems/foo-0.7.1.gem) (Gem::RemoteFetcher::FetchError)
```
Although this behavior complies with RFC 2396, it's incompatible with GitHub's
gem registry requirements.
The remote fetcher is just append a relative path without using ./ [3]
To address this, we automatically append a trailing slash when adding new gem
sources.
As illustrated in [4] and [5], given the base URI
```
http://a/b/c/d;p?q
```
and a relative path
```
g/f
```
the resolution process replaces "d;p?q" and yields
```
http://a/b/c/g/f
```
[1] https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-rubygems-registry#authenticating-with-a-personal-access-token
[2] https://github.com/ruby/rubygems/blob/master/lib/rubygems/vendor/uri/lib/uri/generic.rb#L1053
[3] https://github.com/ruby/rubygems/blob/master/lib/rubygems/remote_fetcher.rb#L148
[4] https://www.rfc-editor.org/rfc/rfc2396#section-5.2
[5] https://www.rfc-editor.org/rfc/rfc2396#appendix-C
https://github.com/ruby/rubygems/commit/b1e4fb15ae
|
|
https://github.com/ruby/rubygems/commit/bbaad86665
|
|
https://github.com/ruby/net-http/commit/2842ca5539
|
|
The predicate checks whether depth is set, which applies equally to
clone and fetch contexts. Rename to shallow? so the intent reads
naturally in both places.
https://github.com/ruby/rubygems/commit/7e47f408c3
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
|
Dumb HTTP git servers do not support shallow capabilities, causing
`git fetch --depth` to fail. The retry-without-depth logic already
existed for clone but was missing for fetch.
Also refactor clone_needs_extra_fetch? to rebuild the command via
helper methods instead of using fragile delete_at index manipulation.
https://github.com/ruby/rubygems/commit/a0448fed3e
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
|
conflicts occur
When `find_unloaded_by_path` returns nil, the subsequent
`spec.name` call raises NoMethodError because `spec` has been
overwritten. Save the gem name before reassigning `spec`.
Fixes https://bugs.ruby-lang.org/issues/21954
https://github.com/ruby/rubygems/commit/60e7365256
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
|
https://github.com/ruby/rubygems/commit/d6364956b6
|
|
consistently with Psych
Align YAMLSerializer's `permitted_classes` validation with Psych's whitelist
semantics: an empty `permitted_classes` list denies all tagged classes, matching
`Psych::ClassLoader::Restricted` behavior.
- Rename `@permitted_tags` to `@permitted_classes` and simplify initialization
- Extract `raise_disallowed_class!` from `validate_tag!` for clarity
- Move `check_anchor!` before `validate_tag!` in `build_mapping`
- Add test for `Gem::Version::Requirement` tag used by old gems like `escape`
https://github.com/ruby/rubygems/commit/3c5855e833
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
