1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
|
# frozen_string_literal: true
require_relative "lockfile_parser"
require_relative "worker"
module Bundler
class Definition
class << self
# Do not create or modify a lockfile (Makes #lock a noop)
attr_accessor :no_lock
end
attr_writer :lockfile
attr_reader(
:dependencies,
:locked_checksums,
:locked_deps,
:locked_gems,
:platforms,
:ruby_version,
:lockfile,
:gemfiles,
:sources
)
# Given a gemfile and lockfile creates a Bundler definition
#
# @param gemfile [Pathname] Path to Gemfile
# @param lockfile [Pathname,nil] Path to Gemfile.lock
# @param unlock [Hash, Boolean, nil] Gems that have been requested
# to be updated or true if all gems should be updated
# @return [Bundler::Definition]
def self.build(gemfile, lockfile, unlock)
unlock ||= {}
gemfile = Pathname.new(gemfile).expand_path
raise GemfileNotFound, "#{gemfile} not found" unless gemfile.file?
Dsl.evaluate(gemfile, lockfile, unlock)
end
#
# How does the new system work?
#
# * Load information from Gemfile and Lockfile
# * Invalidate stale locked specs
# * All specs from stale source are stale
# * All specs that are reachable only through a stale
# dependency are stale.
# * If all fresh dependencies are satisfied by the locked
# specs, then we can try to resolve locally.
#
# @param lockfile [Pathname] Path to Gemfile.lock
# @param dependencies [Array(Bundler::Dependency)] array of dependencies from Gemfile
# @param sources [Bundler::SourceList]
# @param unlock [Hash, Boolean, nil] Gems that have been requested
# to be updated or true if all gems should be updated
# @param ruby_version [Bundler::RubyVersion, nil] Requested Ruby Version
# @param optional_groups [Array(String)] A list of optional groups
def initialize(lockfile, dependencies, sources, unlock, ruby_version = nil, optional_groups = [], gemfiles = [])
unlock ||= {}
if unlock == true
@unlocking_all = true
strict = false
@unlocking_bundler = false
@unlocking = unlock
@sources_to_unlock = []
@unlocking_ruby = false
@explicit_unlocks = []
conservative = false
else
@unlocking_all = false
strict = unlock.delete(:strict)
@unlocking_bundler = unlock.delete(:bundler)
@unlocking = unlock.any? {|_k, v| !Array(v).empty? }
@sources_to_unlock = unlock.delete(:sources) || []
@unlocking_ruby = unlock.delete(:ruby)
@explicit_unlocks = unlock.delete(:gems) || []
conservative = unlock.delete(:conservative)
end
@dependencies = dependencies
@sources = sources
@optional_groups = optional_groups
@prefer_local = false
@specs = nil
@ruby_version = ruby_version
@gemfiles = gemfiles
@lockfile = lockfile
@lockfile_contents = String.new
@locked_bundler_version = nil
@resolved_bundler_version = nil
@locked_ruby_version = nil
@new_platforms = []
@removed_platforms = []
@originally_invalid_platforms = []
if lockfile_exists?
@lockfile_contents = Bundler.read_file(lockfile)
@locked_gems = LockfileParser.new(@lockfile_contents, strict: strict)
@locked_platforms = @locked_gems.platforms
@most_specific_locked_platform = @locked_gems.most_specific_locked_platform
@platforms = @locked_platforms.dup
@locked_bundler_version = @locked_gems.bundler_version
@locked_ruby_version = @locked_gems.ruby_version
@locked_deps = @locked_gems.dependencies
@originally_locked_specs = SpecSet.new(@locked_gems.specs)
@originally_locked_sources = @locked_gems.sources
@locked_checksums = @locked_gems.checksums
if @unlocking_all
@locked_specs = SpecSet.new([])
@locked_sources = []
else
@locked_specs = @originally_locked_specs
@locked_sources = @originally_locked_sources
end
locked_gem_sources = @originally_locked_sources.select {|s| s.is_a?(Source::Rubygems) }
multisource_lockfile = locked_gem_sources.size == 1 && locked_gem_sources.first.multiple_remotes?
if multisource_lockfile
msg = "Your lockfile contains a single rubygems source section with multiple remotes, which is insecure. Make sure you run `bundle install` in non frozen mode and commit the result to make your lockfile secure."
Bundler::SharedHelpers.feature_removed! msg
end
else
@locked_gems = nil
@locked_platforms = []
@most_specific_locked_platform = nil
@platforms = []
@locked_deps = {}
@locked_specs = SpecSet.new([])
@locked_sources = []
@originally_locked_specs = @locked_specs
@originally_locked_sources = @locked_sources
@locked_checksums = Bundler.settings[:lockfile_checksums]
end
@unlocking_ruby ||= if @ruby_version && locked_ruby_version_object
@ruby_version.diff(locked_ruby_version_object)
end
@unlocking ||= @unlocking_ruby ||= (!@locked_ruby_version ^ !@ruby_version)
@current_platform_missing = add_current_platform unless Bundler.frozen_bundle?
@source_changes = converge_sources
@path_changes = converge_paths
if conservative
@gems_to_unlock = @explicit_unlocks.any? ? @explicit_unlocks : @dependencies.map(&:name)
else
eager_unlock = @explicit_unlocks.map {|name| Dependency.new(name, ">= 0") }
@gems_to_unlock = @locked_specs.for(eager_unlock, platforms).map(&:name).uniq
end
@dependency_changes = converge_dependencies
@local_changes = converge_locals
check_lockfile
end
def gem_version_promoter
@gem_version_promoter ||= GemVersionPromoter.new
end
def check!
# If dependencies have changed, we need to resolve remotely. Otherwise,
# since we'll be resolving with a single local source, we may end up
# locking gems under the wrong source in the lockfile, and missing lockfile
# checksums
resolve_remotely! if @dependency_changes
# Now do a local only resolve, to verify if any gems are missing locally
sources.local_only!
resolve
end
#
# Setup sources according to the given options and the state of the
# definition.
#
# @return [Boolean] Whether fetching remote information will be necessary or not
#
def setup_domain!(options = {})
prefer_local! if options[:"prefer-local"]
sources.cached!
if options[:add_checksums] || (!options[:local] && install_needed?)
sources.remote!
true
else
Bundler.settings.set_command_option(:jobs, 1) unless install_needed? # to avoid the overhead of Bundler::Worker
sources.local!
false
end
end
def resolve_with_cache!
with_cache!
resolve
end
def with_cache!
sources.local!
sources.cached!
end
def resolve_remotely!
remotely!
resolve
end
def remotely!
sources.cached!
sources.remote!
end
def prefer_local!
@prefer_local = true
sources.prefer_local!
end
# For given dependency list returns a SpecSet with Gemspec of all the required
# dependencies.
# 1. The method first resolves the dependencies specified in Gemfile
# 2. After that it tries and fetches gemspec of resolved dependencies
#
# @return [Bundler::SpecSet]
def specs
@specs ||= materialize(requested_dependencies)
end
def new_specs
specs - @locked_specs
end
def removed_specs
@locked_specs - specs
end
def missing_specs
resolve.missing_specs_for(requested_dependencies)
end
def missing_specs?
missing = missing_specs
return false if missing.empty?
Bundler.ui.debug "The definition is missing #{missing.map(&:full_name)}"
true
rescue BundlerError => e
@resolve = nil
@resolver = nil
@resolution_base = nil
@source_requirements = nil
@specs = nil
Bundler.ui.debug "The definition is missing dependencies, failed to resolve & materialize locally (#{e})"
true
end
def requested_specs
specs_for(requested_groups)
end
def requested_dependencies
dependencies_for(requested_groups)
end
def current_dependencies
filter_relevant(dependencies)
end
def current_locked_dependencies
filter_relevant(locked_dependencies)
end
def filter_relevant(dependencies)
dependencies.select do |d|
relevant_deps?(d)
end
end
def relevant_deps?(dep)
platforms_array = [Bundler.generic_local_platform].freeze
dep.should_include? && !dep.gem_platforms(platforms_array).empty?
end
def locked_dependencies
@locked_deps.values
end
def new_deps
@new_deps ||= @dependencies - locked_dependencies
end
def deleted_deps
@deleted_deps ||= locked_dependencies - @dependencies
end
def specs_for(groups)
return specs if groups.empty?
deps = dependencies_for(groups)
materialize(deps)
end
def dependencies_for(groups)
groups.map!(&:to_sym)
deps = current_dependencies # always returns a new array
deps.select! do |d|
d.groups.intersect?(groups)
end
deps
end
# Resolve all the dependencies specified in Gemfile. It ensures that
# dependencies that have been already resolved via locked file and are fresh
# are reused when resolving dependencies
#
# @return [SpecSet] resolved dependencies
def resolve
@resolve ||= if Bundler.frozen_bundle?
Bundler.ui.debug "Frozen, using resolution from the lockfile"
@locked_specs
elsif no_resolve_needed?
if deleted_deps.any?
Bundler.ui.debug "Some dependencies were deleted, using a subset of the resolution from the lockfile"
SpecSet.new(filter_specs(@locked_specs, @dependencies - deleted_deps))
else
Bundler.ui.debug "Found no changes, using resolution from the lockfile"
if @removed_platforms.any? || @locked_gems.may_include_redundant_platform_specific_gems?
SpecSet.new(filter_specs(@locked_specs, @dependencies))
else
@locked_specs
end
end
else
Bundler.ui.debug resolve_needed_reason
start_resolution
end
end
def spec_git_paths
sources.git_sources.filter_map {|s| File.realpath(s.path) if File.exist?(s.path) }
end
def groups
dependencies.flat_map(&:groups).uniq
end
def lock(file_or_preserve_unknown_sections = false, preserve_unknown_sections_or_unused = false)
if [true, false, nil].include?(file_or_preserve_unknown_sections)
target_lockfile = lockfile
preserve_unknown_sections = file_or_preserve_unknown_sections
else
target_lockfile = file_or_preserve_unknown_sections
preserve_unknown_sections = preserve_unknown_sections_or_unused
suggestion = if target_lockfile == lockfile
"To fix this warning, remove it from the `Definition#lock` call."
else
"Instead, instantiate a new definition passing `#{target_lockfile}`, and call `lock` without a file argument on that definition"
end
msg = "`Definition#lock` was passed a target file argument. #{suggestion}"
Bundler::SharedHelpers.feature_removed! msg
end
write_lock(target_lockfile, preserve_unknown_sections)
end
def write_lock(file, preserve_unknown_sections)
return if Definition.no_lock || !lockfile || file.nil?
contents = to_lock
# Convert to \r\n if the existing lock has them
# i.e., Windows with `git config core.autocrlf=true`
contents.gsub!(/\n/, "\r\n") if @lockfile_contents.match?("\r\n")
if @locked_bundler_version
locked_major = @locked_bundler_version.segments.first
current_major = bundler_version_to_lock.segments.first
updating_major = locked_major < current_major
end
preserve_unknown_sections ||= !updating_major && (Bundler.frozen_bundle? || !(unlocking? || @unlocking_bundler))
if File.exist?(file) && lockfiles_equal?(@lockfile_contents, contents, preserve_unknown_sections)
return if Bundler.frozen_bundle?
SharedHelpers.filesystem_access(file) { FileUtils.touch(file) }
return
end
if Bundler.frozen_bundle?
Bundler.ui.error "Cannot write a changed lockfile while frozen."
return
end
begin
SharedHelpers.filesystem_access(file) do |p|
File.open(p, "wb") {|f| f.puts(contents) }
end
rescue ReadOnlyFileSystemError
raise ProductionError, lockfile_changes_summary("file system is read-only")
end
end
def locked_ruby_version
return unless ruby_version
if @unlocking_ruby || !@locked_ruby_version
Bundler::RubyVersion.system
else
@locked_ruby_version
end
end
def locked_ruby_version_object
return unless @locked_ruby_version
@locked_ruby_version_object ||= begin
unless version = RubyVersion.from_string(@locked_ruby_version)
raise LockfileError, "The Ruby version #{@locked_ruby_version} from " \
"#{@lockfile} could not be parsed. " \
"Try running bundle update --ruby to resolve this."
end
version
end
end
def bundler_version_to_lock
@resolved_bundler_version || Bundler.gem_version
end
def to_lock
require_relative "lockfile_generator"
LockfileGenerator.generate(self)
end
def ensure_equivalent_gemfile_and_lockfile(explicit_flag = false)
return unless Bundler.frozen_bundle?
raise ProductionError, "Frozen mode is set, but there's no lockfile" unless lockfile_exists?
msg = lockfile_changes_summary("frozen mode is set")
return unless msg
unless explicit_flag
suggested_command = unless Bundler.settings.locations("frozen").keys.include?(:env)
"bundle config set frozen false"
end
msg << "\n\nIf this is a development machine, remove the #{SharedHelpers.relative_lockfile_path} " \
"freeze by running `#{suggested_command}`." if suggested_command
end
raise ProductionError, msg
end
def validate_runtime!
validate_ruby!
validate_platforms!
end
def validate_ruby!
return unless ruby_version
if diff = ruby_version.diff(Bundler::RubyVersion.system)
problem, expected, actual = diff
msg = case problem
when :engine
"Your Ruby engine is #{actual}, but your Gemfile specified #{expected}"
when :version
"Your Ruby version is #{actual}, but your Gemfile specified #{expected}"
when :engine_version
"Your #{Bundler::RubyVersion.system.engine} version is #{actual}, but your Gemfile specified #{ruby_version.engine} #{expected}"
when :patchlevel
if !expected.is_a?(String)
"The Ruby patchlevel in your Gemfile must be a string"
else
"Your Ruby patchlevel is #{actual}, but your Gemfile specified #{expected}"
end
end
raise RubyVersionMismatch, msg
end
end
def validate_platforms!
return if current_platform_locked? || @platforms.include?(Gem::Platform::RUBY)
raise ProductionError, "Your bundle only supports platforms #{@platforms.map(&:to_s)} " \
"but your local platform is #{Bundler.local_platform}. " \
"Add the current platform to the lockfile with\n`bundle lock --add-platform #{Bundler.local_platform}` and try again."
end
def normalize_platforms
resolve.normalize_platforms!(current_dependencies, platforms)
@resolve = SpecSet.new(resolve.for(current_dependencies, @platforms))
end
def add_platform(platform)
return if @platforms.include?(platform)
@new_platforms << platform
@platforms << platform
end
def remove_platform(platform)
raise InvalidOption, "Unable to remove the platform `#{platform}` since the only platforms are #{@platforms.join ", "}" unless @platforms.include?(platform)
@removed_platforms << platform
@platforms.delete(platform)
end
def nothing_changed?
!something_changed?
end
def no_resolve_needed?
!resolve_needed?
end
def unlocking?
@unlocking
end
def add_checksums
require "rubygems/package"
@locked_checksums = true
setup_domain!(add_checksums: true)
# force materialization to real specifications, so that checksums are fetched
specs.each do |spec|
next unless spec.source.is_a?(Bundler::Source::Rubygems)
# Checksum was fetched from the compact index API.
next if !spec.source.checksum_store.missing?(spec) && !spec.source.checksum_store.empty?(spec)
# The gem isn't installed, can't compute the checksum.
next unless spec.loaded_from
package = Gem::Package.new(spec.source.cached_built_in_gem(spec))
checksum = Checksum.from_gem_package(package)
spec.source.checksum_store.register(spec, checksum)
end
end
private
def lockfile_changes_summary(update_refused_reason)
added = []
deleted = []
changed = []
added.concat @new_platforms.map {|p| "* platform: #{p}" }
deleted.concat @removed_platforms.map {|p| "* platform: #{p}" }
added.concat new_deps.map {|d| "* #{pretty_dep(d)}" } if new_deps.any?
deleted.concat deleted_deps.map {|d| "* #{pretty_dep(d)}" } if deleted_deps.any?
both_sources = Hash.new {|h, k| h[k] = [] }
current_dependencies.each {|d| both_sources[d.name][0] = d }
current_locked_dependencies.each {|d| both_sources[d.name][1] = d }
both_sources.each do |name, (dep, lock_dep)|
next if dep.nil? || lock_dep.nil?
gemfile_source = dep.source || default_source
lock_source = lock_dep.source || default_source
next if lock_source.include?(gemfile_source)
gemfile_source_name = dep.source ? gemfile_source.to_gemfile : "no specified source"
lockfile_source_name = lock_dep.source ? lock_source.to_gemfile : "no specified source"
changed << "* #{name} from `#{lockfile_source_name}` to `#{gemfile_source_name}`"
end
return unless added.any? || deleted.any? || changed.any? || resolve_needed?
msg = String.new("#{change_reason[0].upcase}#{change_reason[1..-1].strip}, but ")
msg << "the lockfile " unless msg.start_with?("Your lockfile")
msg << "can't be updated because #{update_refused_reason}"
msg << "\n\nYou have added to the Gemfile:\n" << added.join("\n") if added.any?
msg << "\n\nYou have deleted from the Gemfile:\n" << deleted.join("\n") if deleted.any?
msg << "\n\nYou have changed in the Gemfile:\n" << changed.join("\n") if changed.any?
msg << "\n\nRun `bundle install` elsewhere and add the updated #{SharedHelpers.relative_lockfile_path} to version control.\n" unless unlocking?
msg
end
def install_needed?
resolve_needed? || missing_specs?
end
def something_changed?
return true unless lockfile_exists?
@source_changes ||
@dependency_changes ||
@current_platform_missing ||
@new_platforms.any? ||
@path_changes ||
@local_changes ||
@missing_lockfile_dep ||
@unlocking_bundler ||
@locked_spec_with_missing_checksums ||
@locked_spec_with_empty_checksums ||
@locked_spec_with_missing_deps ||
@locked_spec_with_invalid_deps
end
def resolve_needed?
unlocking? || something_changed?
end
def should_add_extra_platforms?
!lockfile_exists? && Bundler::MatchPlatform.generic_local_platform_is_ruby? && !Bundler.settings[:force_ruby_platform]
end
def lockfile_exists?
lockfile && File.exist?(lockfile)
end
def resolver
@resolver ||= new_resolver(resolution_base)
end
def expanded_dependencies
dependencies_with_bundler + metadata_dependencies
end
def dependencies_with_bundler
return dependencies unless @unlocking_bundler
return dependencies if dependencies.any? {|d| d.name == "bundler" }
[Dependency.new("bundler", @unlocking_bundler)] + dependencies
end
def resolution_base
@resolution_base ||= begin
last_resolve = converge_locked_specs
remove_invalid_platforms!
base = new_resolution_base(last_resolve: last_resolve, unlock: @unlocking_all || @gems_to_unlock)
base = additional_base_requirements_to_prevent_downgrades(base)
base = additional_base_requirements_to_force_updates(base)
base
end
end
def filter_specs(specs, deps, skips: [])
SpecSet.new(specs).for(deps, platforms, skips: skips)
end
def materialize(dependencies)
specs = begin
resolve.materialize(dependencies)
rescue IncorrectLockfileDependencies => e
raise if Bundler.frozen_bundle?
reresolve_without([e.spec])
retry
end
missing_specs = resolve.missing_specs
if missing_specs.any?
missing_specs.each do |s|
locked_gem = @locked_specs[s.name].last
next if locked_gem.nil? || locked_gem.version != s.version || sources.local_mode?
message = if sources.implicit_global_source?
"Because your Gemfile specifies no global remote source, your bundle is locked to " \
"#{locked_gem} from #{locked_gem.source}. However, #{locked_gem} is not installed. You'll " \
"need to either add a global remote source to your Gemfile or make sure #{locked_gem} is " \
"available locally before rerunning Bundler."
else
"Your bundle is locked to #{locked_gem} from #{locked_gem.source}, but that version can " \
"no longer be found in that source. That means the author of #{locked_gem} has removed it. " \
"You'll need to update your bundle to a version other than #{locked_gem} that hasn't been " \
"removed in order to install."
end
raise GemNotFound, message
end
missing_specs_list = missing_specs.group_by(&:source).map do |source, missing_specs_for_source|
"#{missing_specs_for_source.map(&:full_name).join(", ")} in #{source}"
end
raise GemNotFound, "Could not find #{missing_specs_list.join(" nor ")}"
end
partially_missing_specs = resolve.partially_missing_specs
if partially_missing_specs.any? && !sources.local_mode?
Bundler.ui.warn "Some locked specs have possibly been yanked (#{partially_missing_specs.map(&:full_name).join(", ")}). Ignoring them..."
resolve.delete(partially_missing_specs)
end
incomplete_specs = resolve.incomplete_specs
loop do
break if incomplete_specs.empty?
Bundler.ui.debug("The lockfile does not have all gems needed for the current platform though, Bundler will still re-resolve dependencies")
sources.remote!
reresolve_without(incomplete_specs)
specs = resolve.materialize(dependencies)
still_incomplete_specs = resolve.incomplete_specs
if still_incomplete_specs == incomplete_specs
resolver.raise_incomplete! incomplete_specs
end
incomplete_specs = still_incomplete_specs
end
insecurely_materialized_specs = resolve.insecurely_materialized_specs
if insecurely_materialized_specs.any?
Bundler.ui.warn "The following platform specific gems are getting installed, yet the lockfile includes only their generic ruby version:\n" \
" * #{insecurely_materialized_specs.map(&:full_name).join("\n * ")}\n" \
"Please run `bundle lock --normalize-platforms` and commit the resulting lockfile.\n" \
"Alternatively, you may run `bundle lock --add-platform <list-of-platforms-that-you-want-to-support>`"
end
bundler = sources.metadata_source.specs.search(["bundler", Bundler.gem_version]).last
specs["bundler"] = bundler
specs
end
def reresolve_without(incomplete_specs)
resolution_base.delete(incomplete_specs)
@resolve = start_resolution
end
def start_resolution
local_platform_needed_for_resolvability = @most_specific_non_local_locked_platform && !@platforms.include?(Bundler.local_platform)
@platforms << Bundler.local_platform if local_platform_needed_for_resolvability
result = SpecSet.new(resolver.start)
@resolved_bundler_version = result.find {|spec| spec.name == "bundler" }&.version
@new_platforms.each do |platform|
incomplete_specs = result.incomplete_specs_for_platform(current_dependencies, platform)
if incomplete_specs.any?
resolver.raise_incomplete! incomplete_specs
end
end
if @most_specific_non_local_locked_platform
if result.incomplete_for_platform?(current_dependencies, @most_specific_non_local_locked_platform)
@platforms.delete(@most_specific_non_local_locked_platform)
elsif local_platform_needed_for_resolvability
@platforms.delete(Bundler.local_platform)
end
end
if should_add_extra_platforms?
result.add_extra_platforms!(platforms)
elsif @originally_invalid_platforms.any?
result.add_originally_invalid_platforms!(platforms, @originally_invalid_platforms)
end
SpecSet.new(result.for(dependencies, @platforms | [Gem::Platform::RUBY]))
end
def precompute_source_requirements_for_indirect_dependencies?
sources.non_global_rubygems_sources.all?(&:dependency_api_available?)
end
def current_platform_locked?
@platforms.any? do |bundle_platform|
Bundler.generic_local_platform == bundle_platform || Bundler.local_platform === bundle_platform
end
end
def add_current_platform
return if @platforms.include?(Bundler.local_platform)
@most_specific_non_local_locked_platform = find_most_specific_locked_platform
return if @most_specific_non_local_locked_platform
@platforms << Bundler.local_platform
true
end
def find_most_specific_locked_platform
return unless current_platform_locked?
@most_specific_locked_platform
end
def resolve_needed_reason
if lockfile_exists?
if unlocking?
"Re-resolving dependencies because #{unlocking_reason}"
else
"Found changes from the lockfile, re-resolving dependencies because #{lockfile_changed_reason}"
end
else
"Resolving dependencies because there's no lockfile"
end
end
def change_reason
if resolve_needed?
if unlocking?
unlocking_reason
else
lockfile_changed_reason
end
else
"some dependencies were deleted from your gemfile"
end
end
def unlocking_reason
unlock_targets = if @gems_to_unlock.any?
["gems", @gems_to_unlock]
elsif @sources_to_unlock.any?
["sources", @sources_to_unlock]
end
unlock_reason = if unlock_targets
"#{unlock_targets.first}: (#{unlock_targets.last.join(", ")})"
else
@unlocking_ruby ? "ruby" : ""
end
"bundler is unlocking #{unlock_reason}"
end
def lockfile_changed_reason
[
[@source_changes, "the list of sources changed"],
[@dependency_changes, "the dependencies in your gemfile changed"],
[@current_platform_missing, "your lockfile is missing the current platform"],
[@new_platforms.any?, "you are adding a new platform to your lockfile"],
[@path_changes, "the gemspecs for path gems changed"],
[@local_changes, "the gemspecs for git local gems changed"],
[@missing_lockfile_dep, "your lockfile is missing \"#{@missing_lockfile_dep}\""],
[@unlocking_bundler, "an update to the version of Bundler itself was requested"],
[@locked_spec_with_missing_checksums, "your lockfile is missing a CHECKSUMS entry for \"#{@locked_spec_with_missing_checksums}\""],
[@locked_spec_with_empty_checksums, "your lockfile has an empty CHECKSUMS entry for \"#{@locked_spec_with_empty_checksums}\""],
[@locked_spec_with_missing_deps, "your lockfile includes \"#{@locked_spec_with_missing_deps}\" but not some of its dependencies"],
[@locked_spec_with_invalid_deps, "your lockfile does not satisfy dependencies of \"#{@locked_spec_with_invalid_deps}\""],
].select(&:first).map(&:last).join(", ")
end
def pretty_dep(dep)
SharedHelpers.pretty_dependency(dep)
end
# Check if the specs of the given source changed
# according to the locked source.
def specs_changed?(source)
locked = @locked_sources.find {|s| s == source }
!locked || dependencies_for_source_changed?(source, locked) || specs_for_source_changed?(source)
end
def dependencies_for_source_changed?(source, locked_source)
deps_for_source = @dependencies.select {|dep| dep.source == source }
locked_deps_for_source = locked_dependencies.select {|dep| dep.source == locked_source }
deps_for_source.uniq.sort != locked_deps_for_source.sort
end
def specs_for_source_changed?(source)
locked_index = Index.new
locked_index.use(@locked_specs.select {|s| s.replace_source_with!(source) })
!locked_index.subset?(source.specs)
rescue PathError, GitError => e
Bundler.ui.debug "Assuming that #{source} has not changed since fetching its specs errored (#{e})"
false
end
# Get all locals and override their matching sources.
# Return true if any of the locals changed (for example,
# they point to a new revision) or depend on new specs.
def converge_locals
locals = []
Bundler.settings.local_overrides.map do |k, v|
spec = @dependencies.find {|s| s.name == k }
source = spec&.source
if source&.respond_to?(:local_override!)
source.unlock! if @gems_to_unlock.include?(spec.name)
locals << [source, source.local_override!(v)]
end
end
sources_with_changes = locals.select do |source, changed|
changed || specs_changed?(source)
end.map(&:first)
!sources_with_changes.each {|source| @sources_to_unlock << source.name }.empty?
end
def check_lockfile
@locked_spec_with_invalid_deps = nil
@locked_spec_with_missing_deps = nil
@locked_spec_with_missing_checksums = nil
@locked_spec_with_empty_checksums = nil
missing_deps = []
missing_checksums = []
empty_checksums = []
invalid = []
@locked_specs.each do |s|
if @locked_checksums
checksum_store = s.source.checksum_store
if checksum_store.missing?(s)
missing_checksums << s
elsif checksum_store.empty?(s)
empty_checksums << s
end
end
validation = @locked_specs.validate_deps(s)
missing_deps << s if validation == :missing
invalid << s if validation == :invalid
end
@locked_spec_with_missing_checksums = missing_checksums.first.name if missing_checksums.any?
@locked_spec_with_empty_checksums = empty_checksums.first.name if empty_checksums.any?
if missing_deps.any?
@locked_specs.delete(missing_deps)
@locked_spec_with_missing_deps = missing_deps.first.name
end
if invalid.any?
@locked_specs.delete(invalid)
@locked_spec_with_invalid_deps = invalid.first.name
end
end
def converge_paths
sources.path_sources.any? do |source|
specs_changed?(source)
end
end
def converge_sources
# Replace the sources from the Gemfile with the sources from the Gemfile.lock,
# if they exist in the Gemfile.lock and are `==`. If you can't find an equivalent
# source in the Gemfile.lock, use the one from the Gemfile.
changes = sources.replace_sources!(@locked_sources)
sources.all_sources.each do |source|
# has to be done separately, because we want to keep the locked checksum
# store for a source, even when doing a full update
if @locked_checksums && @locked_gems && locked_source = @originally_locked_sources.find {|s| s == source && !s.equal?(source) }
source.checksum_store.merge!(locked_source.checksum_store)
end
# If the source is unlockable and the current command allows an unlock of
# the source (for example, you are doing a `bundle update <foo>` of a git-pinned
# gem), unlock it. For git sources, this means to unlock the revision, which
# will cause the `ref` used to be the most recent for the branch (or master) if
# an explicit `ref` is not used.
if source.respond_to?(:unlock!) && @sources_to_unlock.include?(source.name)
source.unlock!
changes = true
end
end
changes
end
def converge_dependencies
@missing_lockfile_dep = nil
@changed_dependencies = []
@dependencies.each do |dep|
if dep.source
dep.source = sources.get(dep.source)
end
next unless relevant_deps?(dep)
name = dep.name
dep_changed = @locked_deps[name].nil?
unless name == "bundler"
locked_specs = @originally_locked_specs[name]
if locked_specs.empty?
@missing_lockfile_dep = name if dep_changed == false
else
if locked_specs.map(&:source).uniq.size > 1
@locked_specs.delete(locked_specs.select {|s| s.source != dep.source })
end
unless dep.matches_spec?(locked_specs.first)
@gems_to_unlock << name
dep_changed = true
end
end
end
@changed_dependencies << name if dep_changed
end
@changed_dependencies.any?
end
# Remove elements from the locked specs that are expired. This will most
# commonly happen if the Gemfile has changed since the lockfile was last
# generated
def converge_locked_specs
converged = converge_specs(@locked_specs)
resolve = SpecSet.new(converged)
diff = nil
# Now, we unlock any sources that do not have anymore gems pinned to it
sources.all_sources.each do |source|
next unless source.respond_to?(:unlock!)
unless resolve.any? {|s| s.source == source }
diff ||= @locked_specs.to_a - resolve.to_a
source.unlock! if diff.any? {|s| s.source == source }
end
end
resolve
end
def converge_specs(specs)
converged = []
deps = []
specs.each do |s|
name = s.name
next if @gems_to_unlock.include?(name)
dep = @dependencies.find {|d| s.satisfies?(d) }
lockfile_source = s.source
if dep
replacement_source = dep.source
deps << dep if !replacement_source || lockfile_source.include?(replacement_source) || new_deps.include?(dep)
else
replacement_source = sources.get(lockfile_source)
end
# Replace the locked dependency's source with the equivalent source from the Gemfile
s.source = replacement_source || default_source
next if s.source_changed?
source = s.source
next if @sources_to_unlock.include?(source.name)
# Path sources have special logic
if source.is_a?(Source::Path)
new_spec = source.specs[s].first
if new_spec
s.runtime_dependencies.replace(new_spec.runtime_dependencies)
else
# If the spec is no longer in the path source, unlock it. This
# commonly happens if the version changed in the gemspec
@gems_to_unlock << name
end
end
converged << s
end
filter_specs(converged, deps, skips: @gems_to_unlock)
end
def metadata_dependencies
@metadata_dependencies ||= [
Dependency.new("Ruby\0", Bundler::RubyVersion.system.gem_version),
Dependency.new("RubyGems\0", Gem::VERSION),
]
end
def source_requirements
@source_requirements ||= find_source_requirements
end
def preload_git_source_worker
@preload_git_source_worker ||= Bundler::Worker.new(5, "Git source preloading", ->(source, _) { source.specs })
end
def preload_git_sources
sources.git_sources.each {|source| preload_git_source_worker.enq(source) }
ensure
preload_git_source_worker.stop
end
def find_source_requirements
if Gem.ruby_version >= Gem::Version.new("3.3")
# Ruby 3.2 has a bug that incorrectly triggers a circular dependency warning. This version will continue to
# fetch git repositories one by one.
preload_git_sources
end
# Record the specs available in each gem's source, so that those
# specs will be available later when the resolver knows where to
# look for that gemspec (or its dependencies)
source_requirements = if precompute_source_requirements_for_indirect_dependencies?
all_requirements = source_map.all_requirements
{ default: default_source }.merge(all_requirements)
else
{ default: Source::RubygemsAggregate.new(sources, source_map) }.merge(source_map.direct_requirements)
end
source_requirements.merge!(source_map.locked_requirements) if nothing_changed?
metadata_dependencies.each do |dep|
source_requirements[dep.name] = sources.metadata_source
end
default_bundler_source = source_requirements["bundler"] || default_source
if @unlocking_bundler
default_bundler_source.add_dependency_names("bundler")
else
source_requirements[:default_bundler] = default_bundler_source
source_requirements["bundler"] = sources.metadata_source # needs to come last to override
end
source_requirements
end
def default_source
sources.default_source
end
def requested_groups
values = groups - Bundler.settings[:without] - @optional_groups + Bundler.settings[:with]
values &= Bundler.settings[:only] unless Bundler.settings[:only].empty?
values
end
def lockfiles_equal?(current, proposed, preserve_unknown_sections)
if preserve_unknown_sections
sections_to_ignore = LockfileParser.sections_to_ignore(@locked_bundler_version)
sections_to_ignore += LockfileParser.unknown_sections_in_lockfile(current)
sections_to_ignore << LockfileParser::RUBY
sections_to_ignore << LockfileParser::BUNDLED unless @unlocking_bundler
pattern = /#{Regexp.union(sections_to_ignore)}\n(\s{2,}.*\n)+/
whitespace_cleanup = /\n{2,}/
current = current.gsub(pattern, "\n").gsub(whitespace_cleanup, "\n\n").strip
proposed = proposed.gsub(pattern, "\n").gsub(whitespace_cleanup, "\n\n").strip
end
current == proposed
end
def additional_base_requirements_to_prevent_downgrades(resolution_base)
return resolution_base unless @locked_gems
@originally_locked_specs.each do |locked_spec|
next if locked_spec.source.is_a?(Source::Path) || locked_spec.source_changed?
name = locked_spec.name
next if @changed_dependencies.include?(name)
resolution_base.base_requirements[name] = Gem::Requirement.new(">= #{locked_spec.version}")
end
resolution_base
end
def additional_base_requirements_to_force_updates(resolution_base)
return resolution_base if @explicit_unlocks.empty?
full_update = SpecSet.new(new_resolver_for_full_update.start)
@explicit_unlocks.each do |name|
version = full_update.version_for(name)
resolution_base.base_requirements[name] = Gem::Requirement.new("= #{version}") if version
end
resolution_base
end
def remove_invalid_platforms!
return if Bundler.frozen_bundle?
skips = (@new_platforms + [Bundler.local_platform]).uniq
# We should probably avoid removing non-ruby platforms, since that means
# lockfile will no longer install on those platforms, so a error to give
# heads up to the user may be better. However, we have tests expecting
# non ruby platform autoremoval to work, so leaving that in place for
# now.
skips |= platforms - [Gem::Platform::RUBY] if @dependency_changes
@originally_invalid_platforms = @originally_locked_specs.remove_invalid_platforms!(current_dependencies, platforms, skips: skips)
end
def source_map
@source_map ||= SourceMap.new(sources, dependencies, @locked_specs)
end
def new_resolver_for_full_update
new_resolver(unlocked_resolution_base)
end
def unlocked_resolution_base
new_resolution_base(last_resolve: SpecSet.new([]), unlock: true)
end
def new_resolution_base(last_resolve:, unlock:)
new_resolution_platforms = @current_platform_missing ? @new_platforms + [Bundler.local_platform] : @new_platforms
Resolver::Base.new(source_requirements, expanded_dependencies, last_resolve, @platforms, locked_specs: @originally_locked_specs, unlock: unlock, prerelease: gem_version_promoter.pre?, prefer_local: @prefer_local, new_platforms: new_resolution_platforms)
end
def new_resolver(base)
Resolver.new(base, gem_version_promoter, @most_specific_locked_platform)
end
end
end
|
