[rubygems/rubygems] Converts Bundler lockfile checksum validation to opt-in only

Looks for the CHECKSUMS section in the lockfile and activates the feature
only if that section exists. Without a CHECKSUMS section, Bundler
continues as before: it still validates checksums when gems are installed,
as long as checksums from the compact index are available.

https://github.com/rubygems/rubygems/commit/2353cc93a4
Martin Emde 2023-12-01 14:20:51 -08:00 committed by git
parent a33632e1ca
commit 5f0ea3f590
28 changed files with 869 additions and 827 deletions


@ -9,6 +9,18 @@ module Bundler
private_constant :DEFAULT_BLOCK_SIZE
class << self
def from_gem_package(gem_package, algo = DEFAULT_ALGORITHM)
return if Bundler.settings[:disable_checksum_validation]
return unless source = gem_package.instance_variable_get(:@gem)
return unless source.respond_to?(:with_read_io)
source.with_read_io do |io|
from_gem(io, source.path)
ensure
io.rewind
end
end
def from_gem(io, pathname, algo = DEFAULT_ALGORITHM)
digest = Bundler::SharedHelpers.digest(algo.upcase).new
buf = String.new(:capacity => DEFAULT_BLOCK_SIZE)
@ -17,6 +29,7 @@ module Bundler
end
def from_api(digest, source_uri, algo = DEFAULT_ALGORITHM)
return if Bundler.settings[:disable_checksum_validation]
Checksum.new(algo, to_hexdigest(digest, algo), Source.new(:api, source_uri))
end
@ -177,7 +190,6 @@ module Bundler
# This ensures a mismatch error where there are multiple top level sources
# that contain the same gem with different checksums.
def replace(spec, checksum)
return if Bundler.settings[:disable_checksum_validation]
return unless checksum
name_tuple = spec.name_tuple
@ -193,7 +205,6 @@ module Bundler
end
def register(spec, checksum)
return if Bundler.settings[:disable_checksum_validation]
return unless checksum
register_checksum(spec.name_tuple, checksum)
end
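Review bot: The new `from_gem_package` returns nil for three unrelated reasons — the `disable_checksum_validation` setting, a package whose `@gem` ivar is absent, or a source lacking `with_read_io` — and callers such as the rewritten `gem_checksum` cannot tell "validation switched off" from "could not read the gem", so every nil must be treated as "no checksum to compare", never as "verified". The lookup also reaches into `Gem::Package`'s private `@gem` with `instance_variable_get`, which silently degrades into the no-checksum path if RubyGems ever renames that ivar. I would document both on the method: `# Returns nil (and thus skips verification) when checksum validation is disabled by setting, or when the package's private @gem source cannot be read; nil means "unverified", not "valid". Relies on Gem::Package's @gem ivar, which has no public accessor.`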


@ -18,7 +18,8 @@ module Bundler
:platforms,
:ruby_version,
:lockfile,
:gemfiles
:gemfiles,
:locked_checksums
)
# Given a gemfile and lockfile creates a Bundler definition
@ -92,6 +93,7 @@ module Bundler
@locked_bundler_version = @locked_gems.bundler_version
@locked_ruby_version = @locked_gems.ruby_version
@originally_locked_specs = SpecSet.new(@locked_gems.specs)
@locked_checksums = @locked_gems.checksums
if unlock != true
@locked_deps = @locked_gems.dependencies
@ -112,6 +114,7 @@ module Bundler
@originally_locked_specs = @locked_specs
@locked_sources = []
@locked_platforms = []
@locked_checksums = nil
end
locked_gem_sources = @locked_sources.select {|s| s.is_a?(Source::Rubygems) }
@ -767,7 +770,7 @@ module Bundler
sources.all_sources.each do |source|
# has to be done separately, because we want to keep the locked checksum
# store for a source, even when doing a full update
if @locked_gems && locked_source = @locked_gems.sources.find {|s| s == source && !s.equal?(source) }
if @locked_checksums && @locked_gems && locked_source = @locked_gems.sources.find {|s| s == source && !s.equal?(source) }
source.checksum_store.merge!(locked_source.checksum_store)
end
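Review bot: `locked_checksums` on the definition struct reads as if it held the locked checksum data, but what it carries is `@locked_gems.checksums`, which the lockfile parser sets to `true` on seeing a CHECKSUMS header, so it is really an opt-in flag (true, or nil when the header or the whole lockfile is missing) and the new guard on the checksum-store merge depends only on its truthiness. A reader of `source.checksum_store.merge!` will not learn that from the name. I'd add a comment at the assignment: `# Opt-in flag, not data: true only when the locked lockfile contained a CHECKSUMS section; the checksums themselves live in each source's checksum_store.` The method containing the merge starts outside the hunk.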
# If the source is unlockable and the current command allows an unlock of


@ -125,7 +125,6 @@ module Bundler
next unless v
case k.to_s
when "checksum"
next if Bundler.settings[:disable_checksum_validation]
begin
@checksum = Checksum.from_api(v.last, @spec_fetcher.uri)
rescue ArgumentError => e


@ -67,6 +67,7 @@ module Bundler
end
def add_checksums
return unless definition.locked_checksums
checksums = definition.resolve.map do |spec|
spec.source.checksum_store.to_lock(spec)
end
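Review bot: The guard `return unless definition.locked_checksums` in `add_checksums` means a lockfile can only acquire a CHECKSUMS section if it already has one; none of the hunks shown here add a CLI flag or setting that turns `locked_checksums` on, so the only opt-in path visible is hand-editing the header into Gemfile.lock (an empty `CHECKSUMS` header suffices, because the parser flips the flag on the header line before any entry is read). That deserves a comment so the next maintainer does not file it as a bug: `# Opt-in: emit the section only for lockfiles that already carried one (LockfileParser sets locked_checksums when it meets the CHECKSUMS header). A fresh lockfile never gains checksums on its own.`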


@ -24,7 +24,15 @@ module Bundler
end
end
attr_reader :sources, :dependencies, :specs, :platforms, :bundler_version, :ruby_version, :checksums
attr_reader(
:sources,
:dependencies,
:specs,
:platforms,
:bundler_version,
:ruby_version,
:checksums,
)
BUNDLED = "BUNDLED WITH"
DEPENDENCIES = "DEPENDENCIES"
@ -111,6 +119,9 @@ module Bundler
elsif line == DEPENDENCIES
@parse_method = :parse_dependency
elsif line == CHECKSUMS
# This is a temporary solution to make this feature disabled by default
# for all gemfiles that don't already explicitly include the feature.
@checksums = true
@parse_method = :parse_checksum
elsif line == PLATFORMS
@parse_method = :parse_platform
@ -228,8 +239,6 @@ module Bundler
version = Gem::Version.new(version)
platform = platform ? Gem::Platform.new(platform) : Gem::Platform::RUBY
full_name = Gem::NameTuple.new(name, version, platform).full_name
# Don't raise exception if there's a checksum for a gem that's not in the lockfile,
# we prefer to heal invalid lockfiles
return unless spec = @specs[full_name]
checksums.split(",") do |lock_checksum|
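Review bot: The "temporary solution" comment above `@checksums = true` gives no pointer to how or when it goes away, and it omits the trust-model consequence: the opt-in is read from the very file whose integrity the checksums protect, so anyone able to edit Gemfile.lock can disable verification by deleting the header alone — no more power than rewriting the digests, but worth stating so the flag is not later mistaken for a security control. Note also that the flag flips on the header line itself, so a section with zero entries still opts in. I'd replace the two comment lines with: `# Opt-in switch for lockfile checksum validation, not a security boundary: the lockfile is the trust root, so stripping this header disables verification just as rewriting digests would. The header alone, even with no entries, enables it. TODO: make validation the default once the feature settles.`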


@ -103,15 +103,7 @@ module Bundler
end
def gem_checksum
return nil if Bundler.settings[:disable_checksum_validation]
return nil unless source = @package.instance_variable_get(:@gem)
return nil unless source.respond_to?(:with_read_io)
source.with_read_io do |io|
Checksum.from_gem(io, source.path)
ensure
io.rewind
end
Checksum.from_gem_package(@package)
end
private


@ -56,6 +56,11 @@ RSpec.describe Bundler::Definition do
s.add_dependency "rack", "1.0"
end
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "1.0"
c.checksum gem_repo1, "rack", "1.0.0"
end
bundle :install, :env => { "DEBUG" => "1" }
expect(out).to match(/re-resolving dependencies/)
@ -76,11 +81,7 @@ RSpec.describe Bundler::Definition do
DEPENDENCIES
foo!
CHECKSUMS
#{gem_no_checksum "foo", "1.0"}
#{checksum_for_repo_gem gem_repo1, "rack", "1.0.0"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -110,6 +111,11 @@ RSpec.describe Bundler::Definition do
s.add_development_dependency "net-ssh", "1.0"
end
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "1.0"
c.checksum gem_repo1, "rack", "1.0.0"
end
install_gemfile <<-G
source "#{file_uri_for(gem_repo1)}"
gem "foo", :path => "#{lib_path("foo")}"
@ -135,17 +141,17 @@ RSpec.describe Bundler::Definition do
DEPENDENCIES
foo!
CHECKSUMS
#{gem_no_checksum "foo", "1.0"}
#{checksum_for_repo_gem gem_repo1, "rack", "1.0.0"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
end
it "for a locked gem for another platform" do
checksums = checksums_section_when_existing do |c|
c.no_checksum "only_java", "1.1", "java"
end
install_gemfile <<-G
source "#{file_uri_for(gem_repo1)}"
gem "only_java", platform: :jruby
@ -166,16 +172,17 @@ RSpec.describe Bundler::Definition do
DEPENDENCIES
only_java
CHECKSUMS
only_java (1.1-java)
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
end
it "for a rubygems gem" do
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo1, "foo", "1.0"
end
install_gemfile <<-G
source "#{file_uri_for(gem_repo1)}"
gem "foo"
@ -195,10 +202,7 @@ RSpec.describe Bundler::Definition do
DEPENDENCIES
foo
CHECKSUMS
#{checksum_for_repo_gem gem_repo1, "foo", "1.0"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G


@ -289,11 +289,24 @@ RSpec.describe "bundle cache" do
expect(cached_gem("rack-1.0.0")).to exist
end
it "raises an error when the gem file is altered and produces a different checksum" do
it "raises an error when the gem is altered and produces a different checksum" do
cached_gem("rack-1.0.0").rmtree
build_gem "rack", "1.0.0", :path => bundled_app("vendor/cache")
checksums = checksums_section do |c|
c.checksum gem_repo1, "rack", "1.0.0"
end
simulate_new_machine
lockfile <<-L
GEM
remote: #{file_uri_for(gem_repo2)}/
specs:
rack (1.0.0)
#{checksums}
L
bundle :install, :raise_on_error => false
expect(exitstatus).to eq(37)
expect(err).to include("Bundler found mismatched checksums.")
@ -305,6 +318,22 @@ RSpec.describe "bundle cache" do
expect(cached_gem("rack-1.0.0")).to exist
end
it "installs a modified gem with a non-matching checksum when checksums is not opted in" do
cached_gem("rack-1.0.0").rmtree
build_gem "rack", "1.0.0", :path => bundled_app("vendor/cache")
simulate_new_machine
lockfile <<-L
GEM
remote: #{file_uri_for(gem_repo2)}/
specs:
rack (1.0.0)
L
bundle :install
expect(cached_gem("rack-1.0.0")).to exist
end
it "handles directories and non .gem files in the cache" do
bundled_app("vendor/cache/foo").mkdir
File.open(bundled_app("vendor/cache/bar"), "w") {|f| f.write("not a gem") }
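Review bot: The new opt-out example ("installs a modified gem with a non-matching checksum when checksums is not opted in") asserts only that `cached_gem("rack-1.0.0")` exists, so it would also pass if the install had quietly written a CHECKSUMS section into the lockfile or printed the mismatch message to stderr without failing. Since this is the regression test that pins the security-relevant downgrade, I'd tighten it after the `bundle :install` line with `expect(err).not_to include("Bundler found mismatched checksums.")` and `expect(lockfile).not_to include("CHECKSUMS")`.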


@ -406,6 +406,12 @@ RSpec.describe "bundle check" do
it "returns success when the Gemfile is satisfied and generates a correct lockfile" do
system_gems "depends_on_rack-1.0", "rack-1.0", :gem_repo => gem_repo4, :path => default_bundle_path
bundle :check
checksums = checksums_section_when_existing do |c|
c.no_checksum "depends_on_rack", "1.0"
c.no_checksum "rack", "1.0"
end
expect(out).to include("The Gemfile's dependencies are satisfied")
expect(lockfile).to eq <<~L
GEM
@ -424,11 +430,7 @@ RSpec.describe "bundle check" do
DEPENDENCIES
depends_on_rack!
CHECKSUMS
depends_on_rack (1.0)
rack (1.0)
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -468,6 +470,12 @@ RSpec.describe "bundle check" do
bundle "check --verbose", :dir => tmp.join("bundle-check-issue")
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo4, "awesome_print", "1.0"
c.no_checksum "bundle-check-issue", "9999"
c.checksum gem_repo2, "dex-dispatch-engine", "1.0"
end
expect(File.read(tmp.join("bundle-check-issue/Gemfile.lock"))).to eq <<~L
PATH
remote: .
@ -491,12 +499,7 @@ RSpec.describe "bundle check" do
DEPENDENCIES
bundle-check-issue!
dex-dispatch-engine!
CHECKSUMS
#{checksum_for_repo_gem gem_repo4, "awesome_print", "1.0"}
bundle-check-issue (9999)
#{checksum_for_repo_gem gem_repo2, "dex-dispatch-engine", "1.0"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L


@ -622,6 +622,7 @@ RSpec.describe "bundle install with gem sources" do
end
it "writes current Ruby version to Gemfile.lock" do
checksums = checksums_section_when_existing
expect(lockfile).to eq <<~L
GEM
remote: #{file_uri_for(gem_repo1)}/
@ -631,9 +632,7 @@ RSpec.describe "bundle install with gem sources" do
#{lockfile_platforms}
DEPENDENCIES
CHECKSUMS
#{checksums}
RUBY VERSION
#{Bundler::RubyVersion.system}
@ -648,6 +647,8 @@ RSpec.describe "bundle install with gem sources" do
source "#{file_uri_for(gem_repo1)}"
G
checksums = checksums_section_when_existing
expect(lockfile).to eq <<~L
GEM
remote: #{file_uri_for(gem_repo1)}/
@ -657,9 +658,7 @@ RSpec.describe "bundle install with gem sources" do
#{lockfile_platforms}
DEPENDENCIES
CHECKSUMS
#{checksums}
RUBY VERSION
#{Bundler::RubyVersion.system}
@ -1074,11 +1073,11 @@ RSpec.describe "bundle install with gem sources" do
gem "loofah", "~> 2.12.0"
G
checksums = checksum_section do |c|
c.repo_gem gem_repo4, "crass", "1.0.6"
c.repo_gem gem_repo4, "loofah", "2.12.0"
c.repo_gem gem_repo4, "nokogiri", "1.12.4", "x86_64-darwin"
c.repo_gem gem_repo4, "racca", "1.5.2"
checksums = checksums_section do |c|
c.checksum gem_repo4, "crass", "1.0.6"
c.checksum gem_repo4, "loofah", "2.12.0"
c.checksum gem_repo4, "nokogiri", "1.12.4", "x86_64-darwin"
c.checksum gem_repo4, "racca", "1.5.2"
end
lockfile <<-L
@ -1099,10 +1098,7 @@ RSpec.describe "bundle install with gem sources" do
DEPENDENCIES
loofah (~> 2.12.0)
CHECKSUMS
#{checksums}
#{checksums}
RUBY VERSION
#{Bundler::RubyVersion.system}
@ -1118,12 +1114,12 @@ RSpec.describe "bundle install with gem sources" do
bundle "install", :artifice => "compact_index"
end
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo4, "crass", "1.0.6"
c.repo_gem gem_repo4, "loofah", "2.12.0"
c.repo_gem gem_repo4, "nokogiri", "1.12.4", "x86_64-darwin"
c.repo_gem gem_repo4, "nokogiri", "1.12.4", "x86_64-linux"
c.repo_gem gem_repo4, "racca", "1.5.2"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo4, "crass", "1.0.6"
c.checksum gem_repo4, "loofah", "2.12.0"
c.checksum gem_repo4, "nokogiri", "1.12.4", "x86_64-darwin"
c.checksum gem_repo4, "racca", "1.5.2"
c.checksum gem_repo4, "nokogiri", "1.12.4", "x86_64-linux"
end
expect(lockfile).to eq <<~L
@ -1146,10 +1142,7 @@ RSpec.describe "bundle install with gem sources" do
DEPENDENCIES
loofah (~> 2.12.0)
CHECKSUMS
#{expected_checksums}
#{checksums}
RUBY VERSION
#{Bundler::RubyVersion.system}


@ -11,16 +11,16 @@ RSpec.describe "bundle lock" do
gem "foo"
G
expected_checksums = checksum_section do |c|
c.repo_gem repo, "actionmailer", "2.3.2"
c.repo_gem repo, "actionpack", "2.3.2"
c.repo_gem repo, "activerecord", "2.3.2"
c.repo_gem repo, "activeresource", "2.3.2"
c.repo_gem repo, "activesupport", "2.3.2"
c.repo_gem repo, "foo", "1.0"
c.repo_gem repo, "rails", "2.3.2"
c.repo_gem repo, "rake", "13.0.1"
c.repo_gem repo, "weakling", "0.0.3"
checksums = checksums_section_when_existing do |c|
c.checksum repo, "actionmailer", "2.3.2"
c.checksum repo, "actionpack", "2.3.2"
c.checksum repo, "activerecord", "2.3.2"
c.checksum repo, "activeresource", "2.3.2"
c.checksum repo, "activesupport", "2.3.2"
c.checksum repo, "foo", "1.0"
c.checksum repo, "rails", "2.3.2"
c.checksum repo, "rake", "13.0.1"
c.checksum repo, "weakling", "0.0.3"
end
@lockfile = <<~L
@ -53,10 +53,7 @@ RSpec.describe "bundle lock" do
foo
rails
weakling
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -65,12 +62,18 @@ RSpec.describe "bundle lock" do
it "prints a lockfile when there is no existing lockfile with --print" do
bundle "lock --print"
# No checksums because no way to get them from a file uri source
# + no existing lockfile that has them
expect(out).to eq(remove_checksums_from_lockfile(@lockfile.chomp))
expect(out).to eq(@lockfile.chomp)
end
it "prints a lockfile when there is an existing lockfile with --print" do
lockfile remove_checksums_section_from_lockfile(@lockfile)
bundle "lock --print"
expect(out).to eq(remove_checksums_section_from_lockfile(@lockfile).chomp)
end
it "prints a lockfile when there is an existing checksums lockfile with --print" do
lockfile @lockfile
bundle "lock --print"
@ -81,26 +84,39 @@ RSpec.describe "bundle lock" do
it "writes a lockfile when there is no existing lockfile" do
bundle "lock"
# No checksums because no way to get them from a file uri source
# + no existing lockfile that has them
expect(read_lockfile).to eq(remove_checksums_from_lockfile(@lockfile))
expect(read_lockfile).to eq(@lockfile)
end
it "prints a lockfile without fetching new checksums if the existing lockfile had no checksums" do
lockfile remove_checksums_from_lockfile(@lockfile)
bundle "lock --print"
expect(out).to eq(remove_checksums_from_lockfile(@lockfile).chomp)
end
it "writes a lockfile when there is an outdated lockfile using --update" do
lockfile remove_checksums_from_lockfile(@lockfile.gsub("2.3.2", "2.3.1"), " (2.3.1)")
bundle "lock --update"
expect(read_lockfile).to eq(remove_checksums_from_lockfile(@lockfile))
end
it "writes a lockfile with checksums on --update when checksums exist" do
lockfile @lockfile.gsub("2.3.2", "2.3.1")
bundle "lock --update"
expect(read_lockfile).to eq(remove_checksums_from_lockfile(@lockfile, "(2.3.2)"))
expect(read_lockfile).to eq(@lockfile)
end
it "writes a lockfile when there is an outdated lockfile using a bundle is frozen" do
it "writes a lockfile when there is an outdated lockfile and bundle is frozen" do
lockfile @lockfile.gsub("2.3.2", "2.3.1")
bundle "lock --update", :env => { "BUNDLE_FROZEN" => "true" }
# No checksums for the updated gems
expect(read_lockfile).to eq(remove_checksums_from_lockfile(@lockfile, "(2.3.2)"))
expect(read_lockfile).to eq(@lockfile)
end
it "does not fetch remote specs when using the --local option" do
@ -109,11 +125,24 @@ RSpec.describe "bundle lock" do
expect(err).to match(/locally installed gems/)
end
it "does not fetch remote checksums with --local" do
lockfile remove_checksums_from_lockfile(@lockfile)
bundle "lock --print --local"
# No checksums because --local prevents fetching them
expect(out).to eq(remove_checksums_from_lockfile(@lockfile).chomp)
end
it "works with --gemfile flag" do
create_file "CustomGemfile", <<-G
source "#{file_uri_for(repo)}"
gem "foo"
G
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "1.0"
end
lockfile = <<~L
GEM
remote: #{file_uri_for(repo)}/
@ -125,10 +154,7 @@ RSpec.describe "bundle lock" do
DEPENDENCIES
foo
CHECKSUMS
#{gem_no_checksum "foo", "1.0"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -151,16 +177,16 @@ RSpec.describe "bundle lock" do
bundle "install"
bundle "lock --lockfile=lock"
expected_checksums = checksum_section do |c|
c.repo_gem repo, "actionmailer", "2.3.2"
c.repo_gem repo, "actionpack", "2.3.2"
c.repo_gem repo, "activerecord", "2.3.2"
c.repo_gem repo, "activeresource", "2.3.2"
c.repo_gem repo, "activesupport", "2.3.2"
c.repo_gem repo, "foo", "1.0"
c.repo_gem repo, "rails", "2.3.2"
c.repo_gem repo, "rake", "13.0.1"
c.repo_gem repo, "weakling", "0.0.3"
checksums = checksums_section_when_existing do |c|
c.checksum repo, "actionmailer", "2.3.2"
c.checksum repo, "actionpack", "2.3.2"
c.checksum repo, "activerecord", "2.3.2"
c.checksum repo, "activeresource", "2.3.2"
c.checksum repo, "activesupport", "2.3.2"
c.checksum repo, "foo", "1.0"
c.checksum repo, "rails", "2.3.2"
c.checksum repo, "rake", "13.0.1"
c.checksum repo, "weakling", "0.0.3"
end
lockfile = <<~L
@ -193,10 +219,7 @@ RSpec.describe "bundle lock" do
foo
rails
weakling
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -510,6 +533,11 @@ RSpec.describe "bundle lock" do
end
end
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo4, "nokogiri", "1.12.0"
c.checksum gem_repo4, "nokogiri", "1.12.0", "x86_64-darwin"
end
simulate_platform "x86_64-darwin-22" do
install_gemfile <<~G
source "#{file_uri_for(gem_repo4)}"
@ -531,15 +559,13 @@ RSpec.describe "bundle lock" do
DEPENDENCIES
nokogiri
CHECKSUMS
#{checksum_for_repo_gem gem_repo4, "nokogiri", "1.12.0"}
#{checksum_for_repo_gem gem_repo4, "nokogiri", "1.12.0", "x86_64-darwin"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
checksums.delete("nokogiri", Gem::Platform::RUBY)
simulate_platform "x86_64-darwin-22" do
bundle "lock --remove-platform ruby"
end
@ -555,10 +581,7 @@ RSpec.describe "bundle lock" do
DEPENDENCIES
nokogiri
CHECKSUMS
#{checksum_for_repo_gem gem_repo4, "nokogiri", "1.12.0", "x86_64-darwin"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -606,6 +629,13 @@ RSpec.describe "bundle lock" do
gem "gssapi"
G
checksums = checksums_section_when_existing do |c|
c.no_checksum "ffi", "1.9.14", "x86-mingw32"
c.no_checksum "gssapi", "1.2.0"
c.no_checksum "mixlib-shellout", "2.2.6", "universal-mingw32"
c.no_checksum "win32-process", "0.8.3"
end
simulate_platform(x86_mingw32) { bundle :lock }
expect(lockfile).to eq <<~G
@ -626,13 +656,7 @@ RSpec.describe "bundle lock" do
DEPENDENCIES
gssapi
mixlib-shellout
CHECKSUMS
#{gem_no_checksum "ffi", "1.9.14", "x86-mingw32"}
#{gem_no_checksum "gssapi", "1.2.0"}
#{gem_no_checksum "mixlib-shellout", "2.2.6", "universal-mingw32"}
#{gem_no_checksum "win32-process", "0.8.3"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -640,6 +664,9 @@ RSpec.describe "bundle lock" do
bundle "config set --local force_ruby_platform true"
bundle :lock
checksums.no_checksum "ffi", "1.9.14"
checksums.no_checksum "mixlib-shellout", "2.2.6"
expect(lockfile).to eq <<~G
GEM
remote: #{file_uri_for(gem_repo4)}/
@ -661,15 +688,7 @@ RSpec.describe "bundle lock" do
DEPENDENCIES
gssapi
mixlib-shellout
CHECKSUMS
#{gem_no_checksum "ffi", "1.9.14"}
#{gem_no_checksum "ffi", "1.9.14", "x86-mingw32"}
#{gem_no_checksum "gssapi", "1.2.0"}
#{gem_no_checksum "mixlib-shellout", "2.2.6"}
#{gem_no_checksum "mixlib-shellout", "2.2.6", "universal-mingw32"}
#{gem_no_checksum "win32-process", "0.8.3"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -735,6 +754,11 @@ RSpec.describe "bundle lock" do
simulate_platform(Gem::Platform.new("x86_64-darwin-19")) { bundle "lock" }
checksums = checksums_section_when_existing do |c|
c.no_checksum "libv8", "8.4.255.0", "x86_64-darwin-19"
c.no_checksum "libv8", "8.4.255.0", "x86_64-darwin-20"
end
expect(lockfile).to eq <<~G
GEM
remote: #{file_uri_for(gem_repo4)}/
@ -748,11 +772,7 @@ RSpec.describe "bundle lock" do
DEPENDENCIES
libv8
CHECKSUMS
#{gem_no_checksum "libv8", "8.4.255.0", "x86_64-darwin-19"}
#{gem_no_checksum "libv8", "8.4.255.0", "x86_64-darwin-20"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -769,6 +789,11 @@ RSpec.describe "bundle lock" do
end
end
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo4, "libv8", "8.4.255.0", "x86_64-darwin-19"
c.checksum gem_repo4, "libv8", "8.4.255.0", "x86_64-darwin-20"
end
gemfile <<-G
source "#{file_uri_for(gem_repo4)}"
@ -787,11 +812,7 @@ RSpec.describe "bundle lock" do
DEPENDENCIES
libv8
CHECKSUMS
#{checksum_for_repo_gem gem_repo4, "libv8", "8.4.255.0", "x86_64-darwin-19"}
#{checksum_for_repo_gem gem_repo4, "libv8", "8.4.255.0", "x86_64-darwin-20"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -960,16 +981,16 @@ RSpec.describe "bundle lock" do
it "does not implicitly update" do
bundle "lock"
expected_checksums = checksum_section do |c|
c.repo_gem repo, "actionmailer", "2.3.2"
c.repo_gem repo, "actionpack", "2.3.2"
c.repo_gem repo, "activerecord", "2.3.2"
c.repo_gem repo, "activeresource", "2.3.2"
c.repo_gem repo, "activesupport", "2.3.2"
c.repo_gem repo, "foo", "1.0"
c.repo_gem repo, "rails", "2.3.2"
c.repo_gem repo, "rake", "13.0.1"
c.repo_gem repo, "weakling", "0.0.3"
checksums = checksums_section_when_existing do |c|
c.checksum repo, "actionmailer", "2.3.2"
c.checksum repo, "actionpack", "2.3.2"
c.checksum repo, "activerecord", "2.3.2"
c.checksum repo, "activeresource", "2.3.2"
c.checksum repo, "activesupport", "2.3.2"
c.checksum repo, "foo", "1.0"
c.checksum repo, "rails", "2.3.2"
c.checksum repo, "rake", "13.0.1"
c.checksum repo, "weakling", "0.0.3"
end
expected_lockfile = <<~L
@ -1002,10 +1023,7 @@ RSpec.describe "bundle lock" do
foo
rails
weakling
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -1017,16 +1035,16 @@ RSpec.describe "bundle lock" do
gemfile gemfile.gsub('"foo"', '"foo", "2.0"')
bundle "lock"
expected_checksums = checksum_section do |c|
c.repo_gem repo, "actionmailer", "2.3.2"
c.repo_gem repo, "actionpack", "2.3.2"
c.repo_gem repo, "activerecord", "2.3.2"
c.repo_gem repo, "activeresource", "2.3.2"
c.repo_gem repo, "activesupport", "2.3.2"
checksums = checksums_section_when_existing do |c|
c.checksum repo, "actionmailer", "2.3.2"
c.checksum repo, "actionpack", "2.3.2"
c.checksum repo, "activerecord", "2.3.2"
c.checksum repo, "activeresource", "2.3.2"
c.checksum repo, "activesupport", "2.3.2"
c.no_checksum "foo", "2.0"
c.repo_gem repo, "rails", "2.3.2"
c.repo_gem repo, "rake", "13.0.1"
c.repo_gem repo, "weakling", "0.0.3"
c.checksum repo, "rails", "2.3.2"
c.checksum repo, "rake", "13.0.1"
c.checksum repo, "weakling", "0.0.3"
end
expected_lockfile = <<~L
@ -1059,10 +1077,7 @@ RSpec.describe "bundle lock" do
foo (= 2.0)
rails
weakling
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -1111,9 +1126,7 @@ RSpec.describe "bundle lock" do
DEPENDENCIES
debug
CHECKSUMS
#{checksums_section}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -1122,6 +1135,11 @@ RSpec.describe "bundle lock" do
bundle "lock"
end
checksums = checksums_section do |c|
c.no_checksum "debug", "1.6.3"
c.no_checksum "irb", "1.5.0"
end
expect(lockfile).to eq <<~L
GEM
remote: #{file_uri_for(gem_repo4)}/
@ -1136,11 +1154,7 @@ RSpec.describe "bundle lock" do
DEPENDENCIES
debug
CHECKSUMS
#{gem_no_checksum "debug", "1.6.3"}
#{gem_no_checksum "irb", "1.5.0"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -1422,6 +1436,11 @@ RSpec.describe "bundle lock" do
end
it "locks ruby specs" do
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "1.0"
c.no_checksum "nokogiri", "1.14.2"
end
simulate_platform "x86_64-linux" do
bundle "lock"
end
@ -1443,11 +1462,7 @@ RSpec.describe "bundle lock" do
DEPENDENCIES
foo!
CHECKSUMS
#{gem_no_checksum "foo", "1.0"}
#{gem_no_checksum "nokogiri", "1.14.2"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -1508,6 +1523,13 @@ RSpec.describe "bundle lock" do
end
it "does not downgrade top level dependencies" do
checksums = checksums_section_when_existing do |c|
c.no_checksum "actionpack", "7.0.4.3"
c.no_checksum "activesupport", "7.0.4.3"
c.no_checksum "govuk_app_config", "4.13.0"
c.no_checksum "railties", "7.0.4.3"
end
simulate_platform "arm64-darwin-22" do
bundle "lock"
end
@ -1530,13 +1552,7 @@ RSpec.describe "bundle lock" do
DEPENDENCIES
activesupport (= 7.0.4.3)
govuk_app_config
CHECKSUMS
#{gem_no_checksum "actionpack", "7.0.4.3"}
#{gem_no_checksum "activesupport", "7.0.4.3"}
#{gem_no_checksum "govuk_app_config", "4.13.0"}
#{gem_no_checksum "railties", "7.0.4.3"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
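Review bot: In "writes a lockfile with checksums on --update when checksums exist", the fixture is `@lockfile.gsub("2.3.2", "2.3.1")`, which rewrites the version inside every checksum line too (the removed `remove_checksums_from_lockfile(@lockfile, "(2.3.2)")` filter suggests the rendered entries carry the version), so the 2.3.1 entries end up holding the 2.3.2 digests and the test then expects `@lockfile` verbatim after `lock --update`. That assertion cannot distinguish digests freshly obtained for the updated gems from digests carried over by gem name, which is exactly the confusion the checksum store's name-tuple keying exists to prevent; the frozen variant just below reuses the same fixture. I'd build the 2.3.1 lockfile from a `checksums_section_when_existing` block of `c.no_checksum` entries for the 2.3.1 versions instead of a blanket gsub, so the only way to reach `@lockfile` is by actually producing the 2.3.2 checksums.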


@ -275,6 +275,11 @@ RSpec.describe "bundle update" do
gem "countries"
G
checksums = checksums_section_when_existing do |c|
c.checksum(gem_repo4, "countries", "3.1.0")
c.checksum(gem_repo4, "country_select", "5.1.0")
end
lockfile <<~L
GEM
remote: #{file_uri_for(gem_repo4)}/
@ -289,11 +294,7 @@ RSpec.describe "bundle update" do
DEPENDENCIES
countries
country_select
CHECKSUMS
#{checksum_for_repo_gem(gem_repo4, "countries", "3.1.0")}
#{checksum_for_repo_gem(gem_repo4, "country_select", "5.1.0")}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -509,9 +510,9 @@ RSpec.describe "bundle update" do
original_lockfile = lockfile
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo4, "activesupport", "6.0.4.1"
c.repo_gem gem_repo4, "tzinfo", "1.2.9"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo4, "activesupport", "6.0.4.1"
c.checksum gem_repo4, "tzinfo", "1.2.9"
end
expected_lockfile = <<~L
@ -527,10 +528,7 @@ RSpec.describe "bundle update" do
DEPENDENCIES
activesupport (~> 6.0.0)
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -1152,9 +1150,10 @@ RSpec.describe "bundle update --ruby" do
G
gemfile <<-G
source "#{file_uri_for(gem_repo1)}"
source "#{file_uri_for(gem_repo1)}"
G
end
it "removes the Ruby from the Gemfile.lock" do
bundle "update --ruby"
@ -1168,8 +1167,6 @@ RSpec.describe "bundle update --ruby" do
DEPENDENCIES
CHECKSUMS
BUNDLED WITH
#{Bundler::VERSION}
L
@ -1184,30 +1181,29 @@ RSpec.describe "bundle update --ruby" do
G
gemfile <<-G
ruby '~> #{current_ruby_minor}'
source "#{file_uri_for(gem_repo1)}"
ruby '~> #{current_ruby_minor}'
source "#{file_uri_for(gem_repo1)}"
G
end
it "updates the Gemfile.lock with the latest version" do
bundle "update --ruby"
expect(lockfile).to eq <<~L
GEM
remote: #{file_uri_for(gem_repo1)}/
specs:
GEM
remote: #{file_uri_for(gem_repo1)}/
specs:
PLATFORMS
#{lockfile_platforms}
PLATFORMS
#{lockfile_platforms}
DEPENDENCIES
DEPENDENCIES
CHECKSUMS
RUBY VERSION
#{Bundler::RubyVersion.system}
RUBY VERSION
#{Bundler::RubyVersion.system}
BUNDLED WITH
#{Bundler::VERSION}
BUNDLED WITH
#{Bundler::VERSION}
L
end
end
@ -1257,6 +1253,7 @@ RSpec.describe "bundle update --ruby" do
source "#{file_uri_for(gem_repo1)}"
G
end
it "updates the Gemfile.lock with the latest version" do
bundle "update --ruby"
@ -1288,11 +1285,14 @@ RSpec.describe "bundle update --bundler" do
build_gem "rack", "1.0"
end
checksums = checksums_section_when_existing do |c|
c.checksum(gem_repo4, "rack", "1.0")
end
install_gemfile <<-G
source "#{file_uri_for(gem_repo4)}"
gem "rack"
G
expected_checksum = checksum_for_repo_gem(gem_repo4, "rack", "1.0")
expect(lockfile).to eq <<~L
GEM
remote: #{file_uri_for(gem_repo4)}/
@ -1304,10 +1304,7 @@ RSpec.describe "bundle update --bundler" do
DEPENDENCIES
rack
CHECKSUMS
#{expected_checksum}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -1327,10 +1324,7 @@ RSpec.describe "bundle update --bundler" do
DEPENDENCIES
rack
CHECKSUMS
#{expected_checksum}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -1351,6 +1345,10 @@ RSpec.describe "bundle update --bundler" do
G
lockfile lockfile.sub(/(^\s*)#{Bundler::VERSION}($)/, "2.3.9")
checksums = checksums_section_when_existing do |c|
c.checksum(gem_repo4, "rack", "1.0")
end
bundle :update, :bundler => true, :artifice => "compact_index", :verbose => true
expect(out).to include("Using bundler #{Bundler::VERSION}")
@ -1365,10 +1363,7 @@ RSpec.describe "bundle update --bundler" do
DEPENDENCIES
rack
CHECKSUMS
#{checksum_for_repo_gem(gem_repo4, "rack", "1.0")}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -1458,8 +1453,11 @@ RSpec.describe "bundle update --bundler" do
bundle :update, :bundler => "2.3.0.dev", :verbose => "true"
# Only updates properly on modern RubyGems.
if Gem.rubygems_version >= Gem::Version.new("3.3.0.dev")
checksums = checksums_section_when_existing do |c|
c.checksum(gem_repo4, "rack", "1.0")
end
expect(lockfile).to eq <<~L
GEM
remote: #{file_uri_for(gem_repo4)}/
@ -1471,10 +1469,7 @@ RSpec.describe "bundle update --bundler" do
DEPENDENCIES
rack
CHECKSUMS
#{checksum_for_repo_gem(gem_repo4, "rack", "1.0")}
#{checksums}
BUNDLED WITH
2.3.0.dev
L
@ -1500,6 +1495,9 @@ RSpec.describe "bundle update --bundler" do
expect(out).not_to include("Fetching gem metadata from https://rubygems.org/")
# Only updates properly on modern RubyGems.
checksums = checksums_section_when_existing do |c|
c.checksum(gem_repo4, "rack", "1.0")
end
if Gem.rubygems_version >= Gem::Version.new("3.3.0.dev")
expect(lockfile).to eq <<~L
@ -1513,10 +1511,7 @@ RSpec.describe "bundle update --bundler" do
DEPENDENCIES
rack
CHECKSUMS
#{checksum_for_repo_gem(gem_repo4, "rack", "1.0")}
#{checksums}
BUNDLED WITH
2.3.9
L


@ -28,14 +28,14 @@ RSpec.describe "bundle install from an existing gemspec" do
x64_mingw_archs.join("\n ")
end
let(:x64_mingw_checksums) do
x64_mingw_archs.map do |arch|
def x64_mingw_checksums(checksums)
x64_mingw_archs.each do |arch|
if arch == "x64-mingw-ucrt"
gem_no_checksum "platform_specific", "1.0", arch
checksums.no_checksum "platform_specific", "1.0", arch
else
checksum_for_repo_gem gem_repo2, "platform_specific", "1.0", arch
checksums.checksum gem_repo2, "platform_specific", "1.0", arch
end
end.join("\n ")
end
end
it "should install runtime and development dependencies" do
@ -368,6 +368,10 @@ RSpec.describe "bundle install from an existing gemspec" do
gemspec :path => "../foo"
G
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "1.0"
end
lockfile <<-L
PATH
remote: ../foo
@ -385,7 +389,7 @@ RSpec.describe "bundle install from an existing gemspec" do
DEPENDENCIES
foo!
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -459,6 +463,13 @@ RSpec.describe "bundle install from an existing gemspec" do
it "keeps all platform dependencies in the lockfile" do
expect(the_bundle).to include_gems "foo 1.0", "platform_specific 1.0 RUBY"
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "1.0"
c.checksum gem_repo2, "platform_specific", "1.0"
c.checksum gem_repo2, "platform_specific", "1.0", "java"
x64_mingw_checksums(c)
end
expect(lockfile).to eq <<~L
PATH
remote: .
@ -480,13 +491,7 @@ RSpec.describe "bundle install from an existing gemspec" do
DEPENDENCIES
foo!
CHECKSUMS
foo (1.0)
#{checksum_for_repo_gem gem_repo2, "platform_specific", "1.0"}
#{checksum_for_repo_gem gem_repo2, "platform_specific", "1.0", "java"}
#{x64_mingw_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -499,6 +504,13 @@ RSpec.describe "bundle install from an existing gemspec" do
it "keeps all platform dependencies in the lockfile" do
expect(the_bundle).to include_gems "foo 1.0", "platform_specific 1.0 RUBY"
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "1.0"
c.checksum gem_repo2, "platform_specific", "1.0"
c.checksum gem_repo2, "platform_specific", "1.0", "java"
x64_mingw_checksums(c)
end
expect(lockfile).to eq <<~L
PATH
remote: .
@ -520,13 +532,7 @@ RSpec.describe "bundle install from an existing gemspec" do
DEPENDENCIES
foo!
platform_specific
CHECKSUMS
foo (1.0)
#{checksum_for_repo_gem gem_repo2, "platform_specific", "1.0"}
#{checksum_for_repo_gem gem_repo2, "platform_specific", "1.0", "java"}
#{x64_mingw_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -540,6 +546,14 @@ RSpec.describe "bundle install from an existing gemspec" do
it "keeps all platform dependencies in the lockfile" do
expect(the_bundle).to include_gems "foo 1.0", "indirect_platform_specific 1.0", "platform_specific 1.0 RUBY"
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "1.0"
c.checksum gem_repo2, "indirect_platform_specific", "1.0"
c.checksum gem_repo2, "platform_specific", "1.0"
c.checksum gem_repo2, "platform_specific", "1.0", "java"
x64_mingw_checksums(c)
end
expect(lockfile).to eq <<~L
PATH
remote: .
@ -563,14 +577,7 @@ RSpec.describe "bundle install from an existing gemspec" do
DEPENDENCIES
foo!
indirect_platform_specific
CHECKSUMS
foo (1.0)
#{checksum_for_repo_gem gem_repo2, "indirect_platform_specific", "1.0"}
#{checksum_for_repo_gem gem_repo2, "platform_specific", "1.0"}
#{checksum_for_repo_gem gem_repo2, "platform_specific", "1.0", "java"}
#{x64_mingw_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -634,6 +641,12 @@ RSpec.describe "bundle install from an existing gemspec" do
gemspec :path => "../chef"
G
checksums = checksums_section_when_existing do |c|
c.no_checksum "chef", "17.1.17"
c.no_checksum "chef", "17.1.17", "universal-mingw32"
c.checksum gem_repo4, "win32-api", "1.5.3", "universal-mingw32"
end
initial_lockfile = <<~L
PATH
remote: ../chef
@ -654,12 +667,7 @@ RSpec.describe "bundle install from an existing gemspec" do
DEPENDENCIES
chef!
CHECKSUMS
chef (17.1.17)
chef (17.1.17-universal-mingw32)
#{checksum_for_repo_gem gem_repo4, "win32-api", "1.5.3", "universal-mingw32"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -697,6 +705,12 @@ RSpec.describe "bundle install from an existing gemspec" do
end
it "does not remove the platform specific specs from the lockfile when re-resolving due to gemspec changes" do
checksums = checksums_section_when_existing do |c|
c.no_checksum "activeadmin", "2.9.0"
c.no_checksum "jruby-openssl", "0.10.7", "java"
c.checksum gem_repo4, "railties", "6.1.4"
end
expect(lockfile).to eq <<~L
PATH
remote: ../activeadmin
@ -716,12 +730,7 @@ RSpec.describe "bundle install from an existing gemspec" do
DEPENDENCIES
activeadmin!
jruby-openssl
CHECKSUMS
activeadmin (2.9.0)
jruby-openssl (0.10.7-java)
#{checksum_for_repo_gem gem_repo4, "railties", "6.1.4"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L


@ -18,6 +18,13 @@ RSpec.describe "bundle install with install_if conditionals" do
expect(the_bundle).not_to include_gems("thin")
expect(the_bundle).not_to include_gems("foo")
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo1, "activesupport", "2.3.5"
c.no_checksum "foo", "1.0"
c.checksum gem_repo1, "rack", "1.0.0"
c.no_checksum "thin", "1.0"
end
expect(lockfile).to eq <<~L
GEM
remote: #{file_uri_for(gem_repo1)}/
@ -36,13 +43,7 @@ RSpec.describe "bundle install with install_if conditionals" do
foo
rack
thin
CHECKSUMS
#{checksum_for_repo_gem gem_repo1, "activesupport", "2.3.5"}
#{gem_no_checksum "foo", "1.0"}
#{checksum_for_repo_gem gem_repo1, "rack", "1.0.0"}
#{gem_no_checksum "thin", "1.0"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L


@ -98,6 +98,11 @@ RSpec.describe "bundle install with explicit source paths" do
gem "aaa", :path => "./aaa"
G
checksums = checksums_section_when_existing do |c|
c.no_checksum "aaa", "1.0"
c.no_checksum "demo", "1.0"
end
lockfile = <<~L
PATH
remote: .
@ -119,11 +124,7 @@ RSpec.describe "bundle install with explicit source paths" do
DEPENDENCIES
aaa!
demo!
CHECKSUMS
#{gem_no_checksum("aaa", "1.0")}
#{gem_no_checksum("demo", "1.0")}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -345,6 +346,11 @@ RSpec.describe "bundle install with explicit source paths" do
lockfile_path = lib_path("foo/Gemfile.lock")
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "0.1.0"
c.checksum gem_repo4, "graphql", "2.0.15"
end
original_lockfile = <<~L
PATH
remote: .
@ -362,11 +368,7 @@ RSpec.describe "bundle install with explicit source paths" do
DEPENDENCIES
foo!
CHECKSUMS
#{gem_no_checksum("foo", "0.1.0")}
#{checksum_for_repo_gem(gem_repo4, "graphql", "2.0.15")}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -673,6 +675,11 @@ RSpec.describe "bundle install with explicit source paths" do
expect(the_bundle).to include_gems "rack 0.9.1"
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "1.0"
c.checksum gem_repo1, "rack", "0.9.1"
end
expect(lockfile).to eq <<~G
PATH
remote: #{lib_path("foo")}
@ -690,11 +697,7 @@ RSpec.describe "bundle install with explicit source paths" do
DEPENDENCIES
foo!
CHECKSUMS
#{gem_no_checksum("foo", "1.0")}
#{checksum_for_repo_gem(gem_repo1, "rack", "0.9.1")}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -722,11 +725,7 @@ RSpec.describe "bundle install with explicit source paths" do
DEPENDENCIES
foo!
CHECKSUMS
#{gem_no_checksum("foo", "1.0")}
#{checksum_for_repo_gem(gem_repo1, "rack", "0.9.1")}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -743,6 +742,11 @@ RSpec.describe "bundle install with explicit source paths" do
expect(the_bundle).to include_gems "rack 0.9.1"
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "1.0"
c.checksum gem_repo1, "rack", "0.9.1"
end
expect(lockfile).to eq <<~G
PATH
remote: #{lib_path("foo")}
@ -760,11 +764,7 @@ RSpec.describe "bundle install with explicit source paths" do
DEPENDENCIES
foo!
CHECKSUMS
#{gem_no_checksum("foo", "1.0")}
#{checksum_for_repo_gem(gem_repo1, "rack", "0.9.1")}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -776,6 +776,8 @@ RSpec.describe "bundle install with explicit source paths" do
bundle "install"
checksums.checksum gem_repo1, "rake", "13.0.1"
expect(lockfile).to eq <<~G
PATH
remote: #{lib_path("foo")}
@ -795,12 +797,7 @@ RSpec.describe "bundle install with explicit source paths" do
DEPENDENCIES
foo!
CHECKSUMS
#{gem_no_checksum("foo", "1.0")}
#{checksum_for_repo_gem(gem_repo1, "rack", "0.9.1")}
#{checksum_for_repo_gem(gem_repo1, "rake", "13.0.1")}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -813,6 +810,10 @@ RSpec.describe "bundle install with explicit source paths" do
s.add_dependency "rack", "0.9.1"
end
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "1.0"
end
lockfile <<~L
PATH
remote: #{lib_path("foo")}
@ -824,13 +825,15 @@ RSpec.describe "bundle install with explicit source paths" do
DEPENDENCIES
foo!
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
bundle "lock"
checksums.no_checksum "rack", "0.9.1"
expect(lockfile).to eq <<~G
PATH
remote: #{lib_path("foo")}
@ -848,11 +851,7 @@ RSpec.describe "bundle install with explicit source paths" do
DEPENDENCIES
foo!
CHECKSUMS
#{gem_no_checksum("foo", "1.0")}
#{gem_no_checksum("rack", "0.9.1")}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G


@ -203,6 +203,15 @@ RSpec.describe "bundle install across platforms" do
gem "pry"
G
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo4, "coderay", "1.1.2"
c.checksum gem_repo4, "empyrean", "0.1.0"
c.checksum gem_repo4, "ffi", "1.9.23", "java"
c.checksum gem_repo4, "method_source", "0.9.0"
c.checksum gem_repo4, "pry", "0.11.3", "java"
c.checksum gem_repo4, "spoon", "0.0.6"
end
expect(lockfile).to eq <<~L
GEM
remote: #{file_uri_for(gem_repo4)}/
@ -224,15 +233,7 @@ RSpec.describe "bundle install across platforms" do
DEPENDENCIES
empyrean (= 0.1.0)
pry
CHECKSUMS
#{checksum_for_repo_gem gem_repo4, "coderay", "1.1.2"}
#{checksum_for_repo_gem gem_repo4, "empyrean", "0.1.0"}
#{checksum_for_repo_gem gem_repo4, "ffi", "1.9.23", "java"}
#{checksum_for_repo_gem gem_repo4, "method_source", "0.9.0"}
#{checksum_for_repo_gem gem_repo4, "pry", "0.11.3", "java"}
#{checksum_for_repo_gem gem_repo4, "spoon", "0.0.6"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -264,16 +265,7 @@ RSpec.describe "bundle install across platforms" do
DEPENDENCIES
empyrean (= 0.1.0)
pry
CHECKSUMS
#{checksum_for_repo_gem gem_repo4, "coderay", "1.1.2"}
#{checksum_for_repo_gem gem_repo4, "empyrean", "0.1.0"}
#{checksum_for_repo_gem gem_repo4, "ffi", "1.9.23", "java"}
#{checksum_for_repo_gem gem_repo4, "method_source", "0.9.0"}
pry (0.11.3)
#{checksum_for_repo_gem gem_repo4, "pry", "0.11.3", "java"}
#{checksum_for_repo_gem gem_repo4, "spoon", "0.0.6"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -306,15 +298,7 @@ RSpec.describe "bundle install across platforms" do
DEPENDENCIES
empyrean (= 0.1.0)
pry
CHECKSUMS
#{checksum_for_repo_gem gem_repo4, "coderay", "1.1.2"}
#{checksum_for_repo_gem gem_repo4, "empyrean", "0.1.0"}
#{checksum_for_repo_gem gem_repo4, "ffi", "1.9.23", "java"}
#{checksum_for_repo_gem gem_repo4, "method_source", "0.9.0"}
#{checksum_for_repo_gem gem_repo4, "pry", "0.11.3", "java"}
#{checksum_for_repo_gem gem_repo4, "spoon", "0.0.6"}
#{checksums}
BUNDLED WITH
1.16.1
L
@ -388,6 +372,11 @@ RSpec.describe "bundle install across platforms" do
end
it "keeps existing platforms when installing with force_ruby_platform" do
checksums = checksums_section do |c|
c.no_checksum "platform_specific", "1.0"
c.no_checksum "platform_specific", "1.0", "java"
end
lockfile <<-G
GEM
remote: #{file_uri_for(gem_repo1)}/
@ -399,6 +388,7 @@ RSpec.describe "bundle install across platforms" do
DEPENDENCIES
platform_specific
#{checksums}
G
bundle "config set --local force_ruby_platform true"
@ -408,6 +398,8 @@ RSpec.describe "bundle install across platforms" do
gem "platform_specific"
G
checksums.checksum gem_repo1, "platform_specific", "1.0"
expect(the_bundle).to include_gem "platform_specific 1.0 RUBY"
expect(lockfile).to eq <<~G
@ -423,11 +415,7 @@ RSpec.describe "bundle install across platforms" do
DEPENDENCIES
platform_specific
CHECKSUMS
#{checksum_for_repo_gem(gem_repo1, "platform_specific", "1.0")}
#{gem_no_checksum "platform_specific", "1.0", "java"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -596,9 +584,7 @@ RSpec.describe "bundle install with platform conditionals" do
DEPENDENCIES
rack
CHECKSUMS
#{checksums_section_when_existing}
BUNDLED WITH
#{Bundler::VERSION}
L
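Review bot: The builder at `checksums = checksums_section do |c|` in "keeps existing platforms when installing with force_ruby_platform" is the only lockfile fixture in this section that does not go through `checksums_section_when_existing`, so this lockfile always carries a CHECKSUMS section and always takes the opt-in validation path, while every sibling example in the hunk set opts in conditionally. If that is intended, a one-line comment would save the next reader a comparison with the neighbouring specs, e.g. `# always write a CHECKSUMS section so this example exercises the opt-in path`. If it is not intended, switching the call to `checksums_section_when_existing` keeps the test aligned with the rest of the file. The enclosing example starts inside the hunk but its body continues past it.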


@ -28,15 +28,32 @@ RSpec.describe "bundle install with gems on multiple sources" do
end
it "refuses to install mismatched checksum because one gem has been tampered with", :bundler => "< 3" do
lockfile <<~L
GEM
remote: https://gem.repo3/
remote: https://gem.repo1/
specs:
rack (1.0.0)
PLATFORMS
#{local_platform}
DEPENDENCIES
depends_on_rack!
BUNDLED WITH
#{Bundler::VERSION}
L
bundle :install, :artifice => "compact_index", :raise_on_error => false
expect(exitstatus).to eq(37)
expect(err).to eq <<~E.strip
[DEPRECATED] Your Gemfile contains multiple global sources. Using `source` more than once without a block is a security risk, and may result in installing unexpected gems. To resolve this warning, use a block to indicate which gems should come from the secondary source.
Bundler found mismatched checksums. This is a potential security risk.
#{checksum_for_repo_gem(gem_repo1, "rack", "1.0.0")}
#{checksum_to_lock(gem_repo1, "rack", "1.0.0")}
from the API at https://gem.repo1/
#{checksum_for_repo_gem(gem_repo3, "rack", "1.0.0")}
#{checksum_to_lock(gem_repo3, "rack", "1.0.0")}
from the API at https://gem.repo3/
Mismatched checksums each have an authoritative source:
@ -129,7 +146,7 @@ RSpec.describe "bundle install with gems on multiple sources" do
end
it "works in standalone mode", :bundler => "< 3" do
gem_checksum = checksum_for_repo_gem(gem_repo4, "foo", "1.0").split(Bundler::Checksum::ALGO_SEPARATOR).last
gem_checksum = checksum_digest(gem_repo4, "foo", "1.0")
bundle "install --standalone", :artifice => "compact_index", :env => { "BUNDLER_SPEC_FOO_CHECKSUM" => gem_checksum }
end
end
@ -314,9 +331,9 @@ RSpec.describe "bundle install with gems on multiple sources" do
expect(err).to eq(<<~E.strip)
[DEPRECATED] Your Gemfile contains multiple global sources. Using `source` more than once without a block is a security risk, and may result in installing unexpected gems. To resolve this warning, use a block to indicate which gems should come from the secondary source.
Bundler found mismatched checksums. This is a potential security risk.
#{checksum_for_repo_gem(gem_repo2, "rack", "1.0.0")}
#{checksum_to_lock(gem_repo2, "rack", "1.0.0")}
from the API at https://gem.repo2/
#{checksum_for_repo_gem(gem_repo1, "rack", "1.0.0")}
#{checksum_to_lock(gem_repo1, "rack", "1.0.0")}
from the API at https://gem.repo1/
Mismatched checksums each have an authoritative source:
@ -340,7 +357,7 @@ RSpec.describe "bundle install with gems on multiple sources" do
rack (1.0.0) sha256=#{rack_checksum}
from the API at https://gem.repo2/
and the API at https://gem.repo1/
#{checksum_for_repo_gem(gem_repo2, "rack", "1.0.0")}
#{checksum_to_lock(gem_repo2, "rack", "1.0.0")}
from the gem at #{default_bundle_path("cache", "rack-1.0.0.gem")}
If you trust the API at https://gem.repo2/, to resolve this issue you can:
@ -354,15 +371,15 @@ RSpec.describe "bundle install with gems on multiple sources" do
end
it "installs from the other source and warns about ambiguous gems when the sources have the same checksum", :bundler => "< 3" do
gem_checksum = checksum_for_repo_gem(gem_repo2, "rack", "1.0.0").split(Bundler::Checksum::ALGO_SEPARATOR).last
gem_checksum = checksum_digest(gem_repo2, "rack", "1.0.0")
bundle :install, :artifice => "compact_index", :env => { "BUNDLER_SPEC_RACK_CHECKSUM" => gem_checksum, "DEBUG" => "1" }
expect(err).to include("Warning: the gem 'rack' was found in multiple sources.")
expect(err).to include("Installed from: https://gem.repo2")
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo3, "depends_on_rack", "1.0.1"
c.repo_gem gem_repo2, "rack", "1.0.0"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo3, "depends_on_rack", "1.0.1"
c.checksum gem_repo2, "rack", "1.0.0"
end
expect(lockfile).to eq <<~L
@ -383,10 +400,7 @@ RSpec.describe "bundle install with gems on multiple sources" do
DEPENDENCIES
depends_on_rack!
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -403,7 +417,7 @@ RSpec.describe "bundle install with gems on multiple sources" do
expect(err).to include("Warning: the gem 'rack' was found in multiple sources.")
expect(err).to include("Installed from: https://gem.repo2")
expected_checksums = checksum_section do |c|
checksums = checksums_section_when_existing do |c|
c.no_checksum "depends_on_rack", "1.0.1"
c.no_checksum "rack", "1.0.0"
end
@ -426,10 +440,7 @@ RSpec.describe "bundle install with gems on multiple sources" do
DEPENDENCIES
depends_on_rack!
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -772,6 +783,21 @@ RSpec.describe "bundle install with gems on multiple sources" do
end
G
@locked_checksums = checksums_section_when_existing do |c|
c.checksum gem_repo2, "activesupport", "6.0.3.4"
c.checksum gem_repo2, "concurrent-ruby", "1.1.8"
c.checksum gem_repo2, "connection_pool", "2.2.3"
c.checksum gem_repo2, "i18n", "1.8.9"
c.checksum gem_repo2, "minitest", "5.14.3"
c.checksum gem_repo2, "rack", "2.2.3"
c.checksum gem_repo2, "redis", "4.2.5"
c.checksum gem_repo2, "sidekiq", "6.1.3"
c.checksum gem_repo3, "sidekiq-pro", "5.2.1"
c.checksum gem_repo2, "thread_safe", "0.3.6"
c.checksum gem_repo2, "tzinfo", "1.2.9"
c.checksum gem_repo2, "zeitwerk", "2.4.2"
end
lockfile <<~L
GEM
remote: https://gem.repo2/
@ -808,7 +834,7 @@ RSpec.describe "bundle install with gems on multiple sources" do
DEPENDENCIES
activesupport
sidekiq-pro!
#{@locked_checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -825,21 +851,6 @@ RSpec.describe "bundle install with gems on multiple sources" do
expect(the_bundle).to include_gems("concurrent-ruby 1.1.8")
expect(the_bundle).not_to include_gems("concurrent-ruby 1.1.9")
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo2, "activesupport", "6.0.3.4"
c.repo_gem gem_repo2, "concurrent-ruby", "1.1.8"
c.repo_gem gem_repo2, "connection_pool", "2.2.3"
c.repo_gem gem_repo2, "i18n", "1.8.9"
c.repo_gem gem_repo2, "minitest", "5.14.3"
c.repo_gem gem_repo2, "rack", "2.2.3"
c.repo_gem gem_repo2, "redis", "4.2.5"
c.repo_gem gem_repo2, "sidekiq", "6.1.3"
c.repo_gem gem_repo3, "sidekiq-pro", "5.2.1"
c.repo_gem gem_repo2, "thread_safe", "0.3.6"
c.repo_gem gem_repo2, "tzinfo", "1.2.9"
c.repo_gem gem_repo2, "zeitwerk", "2.4.2"
end
expect(lockfile).to eq <<~L
GEM
remote: https://gem.repo2/
@ -879,10 +890,7 @@ RSpec.describe "bundle install with gems on multiple sources" do
DEPENDENCIES
activesupport
sidekiq-pro!
CHECKSUMS
#{expected_checksums}
#{@locked_checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -923,24 +931,16 @@ RSpec.describe "bundle install with gems on multiple sources" do
expect(the_bundle).not_to include_gems("activesupport 6.0.3.4")
expect(the_bundle).to include_gems("activesupport 6.1.2.1")
@locked_checksums.checksum gem_repo2, "activesupport", "6.1.2.1"
expect(the_bundle).not_to include_gems("tzinfo 1.2.9")
expect(the_bundle).to include_gems("tzinfo 2.0.4")
@locked_checksums.checksum gem_repo2, "tzinfo", "2.0.4"
@locked_checksums.delete "thread_safe"
expect(the_bundle).not_to include_gems("concurrent-ruby 1.1.8")
expect(the_bundle).to include_gems("concurrent-ruby 1.1.9")
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo2, "activesupport", "6.1.2.1"
c.repo_gem gem_repo2, "concurrent-ruby", "1.1.9"
c.repo_gem gem_repo2, "connection_pool", "2.2.3"
c.repo_gem gem_repo2, "i18n", "1.8.9"
c.repo_gem gem_repo2, "minitest", "5.14.3"
c.repo_gem gem_repo2, "rack", "2.2.3"
c.repo_gem gem_repo2, "redis", "4.2.5"
c.repo_gem gem_repo2, "sidekiq", "6.1.3"
c.repo_gem gem_repo3, "sidekiq-pro", "5.2.1"
c.repo_gem gem_repo2, "tzinfo", "2.0.4"
c.repo_gem gem_repo2, "zeitwerk", "2.4.2"
end
@locked_checksums.checksum gem_repo2, "concurrent-ruby", "1.1.9"
expect(lockfile).to eq <<~L
GEM
@ -980,10 +980,7 @@ RSpec.describe "bundle install with gems on multiple sources" do
DEPENDENCIES
activesupport
sidekiq-pro!
CHECKSUMS
#{expected_checksums}
#{@locked_checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -1000,20 +997,7 @@ RSpec.describe "bundle install with gems on multiple sources" do
expect(the_bundle).to include_gems("concurrent-ruby 1.1.9")
expect(the_bundle).not_to include_gems("concurrent-ruby 1.1.8")
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo2, "activesupport", "6.0.3.4"
c.repo_gem gem_repo2, "concurrent-ruby", "1.1.9"
c.repo_gem gem_repo2, "connection_pool", "2.2.3"
c.repo_gem gem_repo2, "i18n", "1.8.9"
c.repo_gem gem_repo2, "minitest", "5.14.3"
c.repo_gem gem_repo2, "rack", "2.2.3"
c.repo_gem gem_repo2, "redis", "4.2.5"
c.repo_gem gem_repo2, "sidekiq", "6.1.3"
c.repo_gem gem_repo3, "sidekiq-pro", "5.2.1"
c.repo_gem gem_repo2, "thread_safe", "0.3.6"
c.repo_gem gem_repo2, "tzinfo", "1.2.9"
c.repo_gem gem_repo2, "zeitwerk", "2.4.2"
end
@locked_checksums.checksum gem_repo2, "concurrent-ruby", "1.1.9"
expect(lockfile).to eq <<~L
GEM
@ -1054,10 +1038,7 @@ RSpec.describe "bundle install with gems on multiple sources" do
DEPENDENCIES
activesupport
sidekiq-pro!
CHECKSUMS
#{expected_checksums}
#{@locked_checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -1125,10 +1106,10 @@ RSpec.describe "bundle install with gems on multiple sources" do
end
it "installs from the default source without any warnings or errors and generates a proper lockfile" do
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo3, "handsoap", "0.2.5.5"
c.repo_gem gem_repo2, "nokogiri", "1.11.1"
c.repo_gem gem_repo2, "racca", "1.5.2"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo3, "handsoap", "0.2.5.5"
c.checksum gem_repo2, "nokogiri", "1.11.1"
c.checksum gem_repo2, "racca", "1.5.2"
end
expected_lockfile = <<~L
@ -1151,10 +1132,7 @@ RSpec.describe "bundle install with gems on multiple sources" do
DEPENDENCIES
handsoap!
nokogiri
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -1243,7 +1221,7 @@ RSpec.describe "bundle install with gems on multiple sources" do
DEPENDENCIES
rack!
#{checksums_section}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -1302,8 +1280,8 @@ RSpec.describe "bundle install with gems on multiple sources" do
bundle "install", :artifice => "compact_index", :raise_on_error => false
api_checksum1 = checksum_for_repo_gem(gem_repo1, "rack", "0.9.1").split("sha256=").last
api_checksum3 = checksum_for_repo_gem(gem_repo3, "rack", "0.9.1").split("sha256=").last
api_checksum1 = checksum_digest(gem_repo1, "rack", "0.9.1")
api_checksum3 = checksum_digest(gem_repo3, "rack", "0.9.1")
expect(exitstatus).to eq(37)
expect(err).to eq(<<~E.strip)
@ -1712,9 +1690,9 @@ RSpec.describe "bundle install with gems on multiple sources" do
it "upgrades the lockfile correctly" do
bundle "lock --update", :artifice => "compact_index"
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo2, "capybara", "2.5.0"
c.repo_gem gem_repo4, "mime-types", "3.0.0"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo2, "capybara", "2.5.0"
c.checksum gem_repo4, "mime-types", "3.0.0"
end
expect(lockfile).to eq <<~L
@ -1735,10 +1713,7 @@ RSpec.describe "bundle install with gems on multiple sources" do
DEPENDENCIES
capybara (~> 2.5.0)
mime-types (~> 3.0)!
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -1774,6 +1749,11 @@ RSpec.describe "bundle install with gems on multiple sources" do
it "handles that fine" do
bundle "install", :artifice => "compact_index_extra", :env => { "BUNDLER_SPEC_GEM_REPO" => gem_repo4.to_s }
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo4, "pdf-writer", "1.1.8"
c.checksum gem_repo2, "ruport", "1.7.0.3"
end
expect(lockfile).to eq <<~L
GEM
remote: https://localgemserver.test/
@ -1791,11 +1771,7 @@ RSpec.describe "bundle install with gems on multiple sources" do
DEPENDENCIES
ruport (= 1.7.0.3)!
CHECKSUMS
#{checksum_for_repo_gem gem_repo4, "pdf-writer", "1.1.8"}
#{checksum_for_repo_gem gem_repo2, "ruport", "1.7.0.3"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -1831,9 +1807,9 @@ RSpec.describe "bundle install with gems on multiple sources" do
it "handles that fine" do
bundle "install", :artifice => "compact_index_extra", :env => { "BUNDLER_SPEC_GEM_REPO" => gem_repo4.to_s }
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo4, "pdf-writer", "1.1.8"
c.repo_gem gem_repo2, "ruport", "1.7.0.3"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo4, "pdf-writer", "1.1.8"
c.checksum gem_repo2, "ruport", "1.7.0.3"
end
expect(lockfile).to eq <<~L
@ -1853,10 +1829,7 @@ RSpec.describe "bundle install with gems on multiple sources" do
DEPENDENCIES
ruport (= 1.7.0.3)!
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -1886,8 +1859,8 @@ RSpec.describe "bundle install with gems on multiple sources" do
it "handles that fine" do
bundle "install --verbose", :artifice => "endpoint", :env => { "BUNDLER_SPEC_GEM_REPO" => gem_repo4.to_s }
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo4, "pdf-writer", "1.1.8"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo4, "pdf-writer", "1.1.8"
end
expect(lockfile).to eq <<~L
@ -1901,10 +1874,7 @@ RSpec.describe "bundle install with gems on multiple sources" do
DEPENDENCIES
pdf-writer (= 1.1.8)
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
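Review bot: The new lockfile in "refuses to install mismatched checksum because one gem has been tampered with" has no CHECKSUMS section, yet the example still expects exit status 37 and the mismatch report, i.e. the cross-source mismatch check does not depend on the lockfile having opted in. That is the most security-relevant assertion in this file and nothing in the spec says the omission is deliberate; a comment above `lockfile <<~L` such as `# no CHECKSUMS section on purpose: mismatches between sources must still fail even when the lockfile has not opted in to checksum validation` would stop a later cleanup from "fixing" the fixture by adding `#{checksums_section_when_existing}`. The `#{checksums_section}` line in the hunk headed `@ -1243,7 +1221,7 @@` appears to opt in unconditionally, unlike the `_when_existing` builders used elsewhere in this section, so it is worth confirming that contrast is intended as well.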


@ -66,6 +66,10 @@ RSpec.describe "bundle install with specific platforms" do
gemfile google_protobuf
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo2, "google-protobuf", "3.0.0.alpha.4.0"
end
# simulate lockfile created with old bundler, which only locks for ruby platform
lockfile <<-L
GEM
@ -78,16 +82,15 @@ RSpec.describe "bundle install with specific platforms" do
DEPENDENCIES
google-protobuf
CHECKSUMS
google-protobuf (3.0.0.alpha.4.0)
#{checksums}
BUNDLED WITH
2.1.4
L
bundle "update", :env => { "BUNDLER_VERSION" => Bundler::VERSION }
checksums.checksum gem_repo2, "google-protobuf", "3.0.0.alpha.5.0.5.1"
# make sure the platform that the platform specific dependency is used, since we're only locked to ruby
expect(the_bundle).to include_gem("google-protobuf 3.0.0.alpha.5.0.5.1 universal-darwin")
@ -103,10 +106,7 @@ RSpec.describe "bundle install with specific platforms" do
DEPENDENCIES
google-protobuf
CHECKSUMS
google-protobuf (3.0.0.alpha.5.0.5.1)
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -528,11 +528,11 @@ RSpec.describe "bundle install with specific platforms" do
bundle "update"
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo4, "sorbet", "0.5.10160"
c.repo_gem gem_repo4, "sorbet-runtime", "0.5.10160"
c.repo_gem gem_repo4, "sorbet-static", "0.5.10160", Gem::Platform.local
c.repo_gem gem_repo4, "sorbet-static-and-runtime", "0.5.10160"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo4, "sorbet", "0.5.10160"
c.checksum gem_repo4, "sorbet-runtime", "0.5.10160"
c.checksum gem_repo4, "sorbet-static", "0.5.10160", Gem::Platform.local
c.checksum gem_repo4, "sorbet-static-and-runtime", "0.5.10160"
end
expect(lockfile).to eq <<~L
@ -552,10 +552,7 @@ RSpec.describe "bundle install with specific platforms" do
DEPENDENCIES
sorbet-static-and-runtime
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -587,6 +584,11 @@ RSpec.describe "bundle install with specific platforms" do
G
end
checksums = checksums_section_when_existing do |c|
c.no_checksum "nokogiri", "1.13.0", "x86_64-darwin"
c.no_checksum "sorbet-static", "0.5.10601", "x86_64-darwin"
end
lockfile <<~L
GEM
remote: #{file_uri_for(gem_repo4)}/
@ -602,7 +604,7 @@ RSpec.describe "bundle install with specific platforms" do
DEPENDENCIES
nokogiri
sorbet-static
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -624,11 +626,7 @@ RSpec.describe "bundle install with specific platforms" do
DEPENDENCIES
nokogiri
sorbet-static
CHECKSUMS
#{gem_no_checksum "nokogiri", "1.13.0", "x86_64-darwin"}
#{gem_no_checksum "sorbet-static", "0.5.10601", "x86_64-darwin"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -682,11 +680,11 @@ RSpec.describe "bundle install with specific platforms" do
bundle "update"
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo4, "sorbet", "0.5.10160"
c.repo_gem gem_repo4, "sorbet-runtime", "0.5.10160"
c.repo_gem gem_repo4, "sorbet-static", "0.5.10160", Gem::Platform.local
c.repo_gem gem_repo4, "sorbet-static-and-runtime", "0.5.10160"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo4, "sorbet", "0.5.10160"
c.checksum gem_repo4, "sorbet-runtime", "0.5.10160"
c.checksum gem_repo4, "sorbet-static", "0.5.10160", Gem::Platform.local
c.checksum gem_repo4, "sorbet-static-and-runtime", "0.5.10160"
end
expect(lockfile).to eq <<~L
@ -706,10 +704,7 @@ RSpec.describe "bundle install with specific platforms" do
DEPENDENCIES
sorbet-static-and-runtime
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -760,9 +755,9 @@ RSpec.describe "bundle install with specific platforms" do
bundle "update"
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo4, "nokogiri", "1.14.0", "x86_64-linux"
c.repo_gem gem_repo4, "sorbet-static", "0.5.10696", "x86_64-linux"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo4, "nokogiri", "1.14.0", "x86_64-linux"
c.checksum gem_repo4, "sorbet-static", "0.5.10696", "x86_64-linux"
end
expect(lockfile).to eq <<~L
@ -778,10 +773,7 @@ RSpec.describe "bundle install with specific platforms" do
DEPENDENCIES
nokogiri
sorbet-static
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -807,6 +799,11 @@ RSpec.describe "bundle install with specific platforms" do
gem "sorbet-static", "= 0.5.10549"
G
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo4, "sorbet-static", "0.5.10549", "universal-darwin-20"
c.checksum gem_repo4, "sorbet-static", "0.5.10549", "universal-darwin-21"
end
# Make sure the lockfile is missing sorbet-static-0.5.10549-universal-darwin-21
lockfile <<~L
GEM
@ -819,17 +816,15 @@ RSpec.describe "bundle install with specific platforms" do
DEPENDENCIES
sorbet-static (= 0.5.10549)
CHECKSUMS
#{checksum_for_repo_gem gem_repo4, "sorbet-static", "0.5.10549", "universal-darwin-20"}
#{checksum_for_repo_gem gem_repo4, "sorbet-static", "0.5.10549", "universal-darwin-21"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
bundle "install"
checksums.no_checksum "sorbet-static", "0.5.10549", "universal-darwin-21"
expect(lockfile).to eq <<~L
GEM
remote: #{file_uri_for(gem_repo4)}/
@ -842,11 +837,7 @@ RSpec.describe "bundle install with specific platforms" do
DEPENDENCIES
sorbet-static (= 0.5.10549)
CHECKSUMS
#{checksum_for_repo_gem gem_repo4, "sorbet-static", "0.5.10549", "universal-darwin-20"}
#{gem_no_checksum "sorbet-static", "0.5.10549", "universal-darwin-21"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -893,6 +884,11 @@ RSpec.describe "bundle install with specific platforms" do
bundle "lock --update"
checksums = checksums_section_when_existing do |c|
c.no_checksum "nokogiri", "1.13.8"
c.no_checksum "nokogiri", "1.13.8", Gem::Platform.local
end
updated_lockfile = <<~L
GEM
remote: #{file_uri_for(gem_repo4)}/
@ -906,11 +902,7 @@ RSpec.describe "bundle install with specific platforms" do
DEPENDENCIES
nokogiri
tzinfo (~> 1.2)
CHECKSUMS
#{gem_no_checksum "nokogiri", "1.13.8"}
#{gem_no_checksum "nokogiri", "1.13.8", Gem::Platform.local}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -931,6 +923,11 @@ RSpec.describe "bundle install with specific platforms" do
gem "rack"
G
checksums = checksums_section_when_existing do |c|
c.no_checksum "concurrent-ruby", "1.2.2"
c.no_checksum "rack", "3.0.7"
end
lockfile <<~L
GEM
remote: #{file_uri_for(gem_repo4)}/
@ -942,7 +939,7 @@ RSpec.describe "bundle install with specific platforms" do
DEPENDENCIES
concurrent-ruby
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -962,11 +959,7 @@ RSpec.describe "bundle install with specific platforms" do
DEPENDENCIES
concurrent-ruby
rack
CHECKSUMS
#{gem_no_checksum "concurrent-ruby", "1.2.2"}
#{gem_no_checksum "rack", "3.0.7"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -1029,6 +1022,10 @@ RSpec.describe "bundle install with specific platforms" do
gem "nokogiri", "1.14.0"
G
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo4, "nokogiri", "1.14.0", "x86_64-linux"
end
lockfile <<~L
GEM
remote: #{file_uri_for(gem_repo4)}/
@ -1040,13 +1037,17 @@ RSpec.describe "bundle install with specific platforms" do
DEPENDENCIES
nokogiri (= 1.14.0)
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
bundle :install
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo4, "nokogiri", "1.14.0"
end
expect(lockfile).to eq(<<~L)
GEM
remote: #{file_uri_for(gem_repo4)}/
@ -1058,10 +1059,7 @@ RSpec.describe "bundle install with specific platforms" do
DEPENDENCIES
nokogiri (= 1.14.0)
CHECKSUMS
#{checksum_for_repo_gem gem_repo4, "nokogiri", "1.14.0"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -1101,6 +1099,12 @@ RSpec.describe "bundle install with specific platforms" do
bundle "lock"
checksums = checksums_section_when_existing do |c|
c.no_checksum "nokogiri", "1.14.0"
c.no_checksum "nokogiri", "1.14.0", "arm-linux"
c.no_checksum "nokogiri", "1.14.0", "x86_64-linux"
end
# locks all compatible platforms, excluding Java and Windows
expect(lockfile).to eq(<<~L)
GEM
@ -1117,12 +1121,7 @@ RSpec.describe "bundle install with specific platforms" do
DEPENDENCIES
nokogiri
CHECKSUMS
#{gem_no_checksum "nokogiri", "1.14.0"}
#{gem_no_checksum "nokogiri", "1.14.0", "arm-linux"}
#{gem_no_checksum "nokogiri", "1.14.0", "x86_64-linux"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -1138,6 +1137,10 @@ RSpec.describe "bundle install with specific platforms" do
bundle "lock"
checksums.delete "nokogiri", "arm-linux"
checksums.no_checksum "sorbet-static", "0.5.10696", "universal-darwin-22"
checksums.no_checksum "sorbet-static", "0.5.10696", "x86_64-linux"
# locks only platforms compatible with all gems in the bundle
expect(lockfile).to eq(<<~L)
GEM
@ -1155,13 +1158,7 @@ RSpec.describe "bundle install with specific platforms" do
DEPENDENCIES
nokogiri
sorbet-static
CHECKSUMS
#{gem_no_checksum "nokogiri", "1.14.0"}
#{gem_no_checksum "nokogiri", "1.14.0", "x86_64-linux"}
#{gem_no_checksum "sorbet-static", "0.5.10696", "universal-darwin-22"}
#{gem_no_checksum "sorbet-static", "0.5.10696", "x86_64-linux"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -1191,10 +1188,10 @@ RSpec.describe "bundle install with specific platforms" do
gem "sass-embedded"
G
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo4, "nokogiri", "1.15.5"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo4, "nokogiri", "1.15.5"
c.no_checksum "sass-embedded", "1.69.5"
c.repo_gem gem_repo4, "sass-embedded", "1.69.5", "x86_64-linux-gnu"
c.checksum gem_repo4, "sass-embedded", "1.69.5", "x86_64-linux-gnu"
end
simulate_platform "x86_64-linux" do
@ -1216,10 +1213,7 @@ RSpec.describe "bundle install with specific platforms" do
DEPENDENCIES
nokogiri
sass-embedded
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L


@ -961,8 +961,25 @@ RSpec.describe "compact index api" do
end
describe "checksum validation" do
before do
lockfile <<-L
GEM
remote: #{source_uri}
specs:
rack (1.0.0)
PLATFORMS
ruby
DEPENDENCIES
#{checksums_section}
BUNDLED WITH
#{Bundler::VERSION}
L
end
it "handles checksums from the server in base64" do
api_checksum = checksum_for_repo_gem(gem_repo1, "rack", "1.0.0").split("sha256=").last
api_checksum = checksum_digest(gem_repo1, "rack", "1.0.0")
rack_checksum = [[api_checksum].pack("H*")].pack("m0")
install_gemfile <<-G, :artifice => "compact_index", :env => { "BUNDLER_SPEC_RACK_CHECKSUM" => rack_checksum }
source "#{source_uri}"
@ -979,8 +996,6 @@ RSpec.describe "compact index api" do
gem "rack"
G
api_checksum = checksum_for_repo_gem(gem_repo1, "rack", "1.0.0").split("sha256=").last
gem_path = if Bundler.feature_flag.global_gem_cache?
default_cache_path.dirname.join("cache", "gems", "localgemserver.test.80.dd34752a738ee965a2a4298dc16db6c5", "rack-1.0.0.gem")
else
@ -992,7 +1007,7 @@ RSpec.describe "compact index api" do
Bundler found mismatched checksums. This is a potential security risk.
rack (1.0.0) sha256=2222222222222222222222222222222222222222222222222222222222222222
from the API at http://localgemserver.test/
rack (1.0.0) sha256=#{api_checksum}
#{checksum_to_lock(gem_repo1, "rack", "1.0.0")}
from the gem at #{gem_path}
If you trust the API at http://localgemserver.test/, to resolve this issue you can:
@ -1057,6 +1072,7 @@ Running `bundle update rails` should fix the problem.
G
gem_command "uninstall activemerchant"
bundle "update rails", :artifice => "compact_index"
expect(lockfile.scan(/activemerchant \(/).size).to eq(2) # Once in the specs, and once in CHECKSUMS
count = lockfile.match?("CHECKSUMS") ? 2 : 1 # Once in the specs, and once in CHECKSUMS
expect(lockfile.scan(/activemerchant \(/).size).to eq(count)
end
end
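Review bot: The assertion at `count = lockfile.match?("CHECKSUMS") ? 2 : 1` derives its expected value from the artifact under test, so it passes whether or not `bundle update rails` recorded checksums and no longer pins the behaviour this spec is about. The `before` hook earlier in this section seeds the lockfile with `#{checksums_section}`, an opted-in (empty) CHECKSUMS section; if the `bundle "update rails"` example sits under that same describe — the hunk boundaries do not show it — it could assert `eq(2)` directly, otherwise it should seed its own lockfile and assert a fixed count. The substring test `match?("CHECKSUMS")` also differs from the anchored `/^CHECKSUMS$/` that `checksums_section_when_existing` uses in the spec helpers; using the same regex avoids a false positive on the word appearing elsewhere in the file.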


@ -268,6 +268,11 @@ RSpec.describe "bundle flex_install" do
it "should work when you install" do
bundle "install"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo1, "rack", "0.9.1"
c.checksum gem_repo1, "rack-obama", "1.0"
end
expect(lockfile).to eq <<~L
GEM
remote: #{file_uri_for(gem_repo1)}/
@ -282,11 +287,7 @@ RSpec.describe "bundle flex_install" do
DEPENDENCIES
rack (= 0.9.1)
rack-obama
CHECKSUMS
#{checksum_for_repo_gem gem_repo1, "rack", "0.9.1"}
#{checksum_for_repo_gem gem_repo1, "rack-obama", "1.0"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -312,6 +313,10 @@ RSpec.describe "bundle flex_install" do
gem "rack"
G
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo1, "rack", "1.0.0"
end
expect(lockfile).to eq <<~L
GEM
remote: #{file_uri_for(gem_repo1)}/
@ -327,10 +332,7 @@ RSpec.describe "bundle flex_install" do
DEPENDENCIES
rack
CHECKSUMS
#{checksum_for_repo_gem gem_repo1, "rack", "1.0.0"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L


@ -256,6 +256,10 @@ RSpec.describe "bundle install with install-time dependencies" do
gem 'parallel_tests'
G
checksums = checksums_section do |c|
c.checksum gem_repo2, "parallel_tests", "3.8.0"
end
lockfile <<~L
GEM
remote: http://localgemserver.test/
@ -267,7 +271,7 @@ RSpec.describe "bundle install with install-time dependencies" do
DEPENDENCIES
parallel_tests
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -276,6 +280,10 @@ RSpec.describe "bundle install with install-time dependencies" do
it "automatically updates lockfile to use the older version" do
bundle "install --verbose", :artifice => "compact_index", :env => { "BUNDLER_SPEC_GEM_REPO" => gem_repo2.to_s }
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo2, "parallel_tests", "3.7.0"
end
expect(lockfile).to eq <<~L
GEM
remote: http://localgemserver.test/
@ -287,10 +295,7 @@ RSpec.describe "bundle install with install-time dependencies" do
DEPENDENCIES
parallel_tests
CHECKSUMS
#{checksum_for_repo_gem gem_repo2, "parallel_tests", "3.7.0"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -335,6 +340,11 @@ RSpec.describe "bundle install with install-time dependencies" do
gem 'rubocop'
G
checksums = checksums_section do |c|
c.checksum gem_repo2, "rubocop", "1.35.0"
c.checksum gem_repo2, "rubocop-ast", "1.21.0"
end
lockfile <<~L
GEM
remote: http://localgemserver.test/
@ -348,7 +358,7 @@ RSpec.describe "bundle install with install-time dependencies" do
DEPENDENCIES
parallel_tests
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -357,6 +367,11 @@ RSpec.describe "bundle install with install-time dependencies" do
it "automatically updates lockfile to use the older compatible versions" do
bundle "install --verbose", :artifice => "compact_index", :env => { "BUNDLER_SPEC_GEM_REPO" => gem_repo2.to_s }
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo2, "rubocop", "1.28.2"
c.checksum gem_repo2, "rubocop-ast", "1.17.0"
end
expect(lockfile).to eq <<~L
GEM
remote: http://localgemserver.test/
@ -370,11 +385,7 @@ RSpec.describe "bundle install with install-time dependencies" do
DEPENDENCIES
rubocop
CHECKSUMS
#{checksum_for_repo_gem gem_repo2, "rubocop", "1.28.2"}
#{checksum_for_repo_gem gem_repo2, "rubocop-ast", "1.17.0"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L


@ -160,10 +160,6 @@ RSpec.context "when resolving a bundle that includes yanked gems, but unlocking
bar
foo
CHECKSUMS
#{gem_no_checksum "bar", "2.0.0"}
#{gem_no_checksum "foo", "9.0.0"}
BUNDLED WITH
#{Bundler::VERSION}
L


@ -6,6 +6,10 @@ RSpec.describe "the lockfile format" do
end
it "generates a simple lockfile for a single source, gem" do
checksums = checksums_section_when_existing do |c|
c.checksum(gem_repo2, "rack", "1.0.0")
end
install_gemfile <<-G
source "#{file_uri_for(gem_repo2)}"
@ -23,10 +27,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
rack
CHECKSUMS
#{checksum_for_repo_gem(gem_repo2, "rack", "1.0.0")}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -78,9 +79,6 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
rack
CHECKSUMS
#{checksum_for_repo_gem(gem_repo2, "rack", "1.0.0")}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -134,6 +132,10 @@ RSpec.describe "the lockfile format" do
it "does not update the lockfile's bundler version if nothing changed during bundle install, and uses the latest version", :rubygems => "< 3.3.0.a" do
version = "#{Bundler::VERSION.split(".").first}.0.0.a"
checksums = checksums_section do |c|
c.checksum(gem_repo2, "rack", "1.0.0")
end
lockfile <<-L
GEM
remote: #{file_uri_for(gem_repo2)}/
@ -145,10 +147,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
rack
CHECKSUMS
#{checksum_for_repo_gem(gem_repo2, "rack", "1.0.0")}
#{checksums}
BUNDLED WITH
#{version}
L
@ -173,10 +172,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
rack
CHECKSUMS
#{checksum_for_repo_gem(gem_repo2, "rack", "1.0.0")}
#{checksums}
BUNDLED WITH
#{version}
G
@ -214,9 +210,6 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
rack (> 0)
CHECKSUMS
#{checksum_for_repo_gem(gem_repo2, "rack", "1.0.0")}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -264,9 +257,6 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
rack
CHECKSUMS
#{checksum_for_repo_gem(gem_repo2, "rack", "1.0.0")}
BUNDLED WITH
#{current_version}
G
@ -279,9 +269,9 @@ RSpec.describe "the lockfile format" do
gem "rack-obama"
G
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo2, "rack", "1.0.0"
c.repo_gem gem_repo2, "rack-obama", "1.0"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo2, "rack", "1.0.0"
c.checksum gem_repo2, "rack-obama", "1.0"
end
expect(lockfile).to eq <<~G
@ -297,10 +287,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
rack-obama
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -313,9 +300,9 @@ RSpec.describe "the lockfile format" do
gem "rack-obama", ">= 1.0"
G
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo2, "rack", "1.0.0"
c.repo_gem gem_repo2, "rack-obama", "1.0"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo2, "rack", "1.0.0"
c.checksum gem_repo2, "rack-obama", "1.0"
end
expect(lockfile).to eq <<~G
@ -331,10 +318,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
rack-obama (>= 1.0)
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -355,9 +339,9 @@ RSpec.describe "the lockfile format" do
end
G
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo2, "rack", "1.0.0"
c.repo_gem gem_repo2, "rack-obama", "1.0"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo2, "rack", "1.0.0"
c.checksum gem_repo2, "rack-obama", "1.0"
end
expect(lockfile).to eq <<~G
@ -381,10 +365,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
rack-obama (>= 1.0)!
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -396,9 +377,9 @@ RSpec.describe "the lockfile format" do
gem "net-sftp"
G
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo2, "net-sftp", "1.1.1"
c.repo_gem gem_repo2, "net-ssh", "1.0"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo2, "net-sftp", "1.1.1"
c.checksum gem_repo2, "net-ssh", "1.0"
end
expect(lockfile).to eq <<~G
@ -414,10 +395,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
net-sftp
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -433,6 +411,10 @@ RSpec.describe "the lockfile format" do
gem "foo", :git => "#{lib_path("foo-1.0")}"
G
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "1.0"
end
expect(lockfile).to eq <<~G
GIT
remote: #{lib_path("foo-1.0")}
@ -449,10 +431,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
foo!
CHECKSUMS
foo (1.0)
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -500,6 +479,10 @@ RSpec.describe "the lockfile format" do
it "serializes global git sources" do
git = build_git "foo"
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "1.0"
end
install_gemfile <<-G
source "#{file_uri_for(gem_repo1)}"
git "#{lib_path("foo-1.0")}" do
@ -523,10 +506,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
foo!
CHECKSUMS
foo (1.0)
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -536,6 +516,10 @@ RSpec.describe "the lockfile format" do
git = build_git "foo"
update_git "foo", :branch => "omg"
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "1.0"
end
install_gemfile <<-G
source "#{file_uri_for(gem_repo1)}"
gem "foo", :git => "#{lib_path("foo-1.0")}", :branch => "omg"
@ -558,10 +542,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
foo!
CHECKSUMS
foo (1.0)
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -571,6 +552,10 @@ RSpec.describe "the lockfile format" do
git = build_git "foo"
update_git "foo", :tag => "omg"
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "1.0"
end
install_gemfile <<-G
source "#{file_uri_for(gem_repo1)}"
gem "foo", :git => "#{lib_path("foo-1.0")}", :tag => "omg"
@ -593,10 +578,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
foo!
CHECKSUMS
foo (1.0)
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -683,10 +665,6 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
ckeditor!
CHECKSUMS
#{gem_no_checksum "ckeditor", "4.0.8"}
#{gem_no_checksum "orm_adapter", "0.4.1"}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -695,6 +673,10 @@ RSpec.describe "the lockfile format" do
it "serializes pinned path sources to the lockfile" do
build_lib "foo"
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "1.0"
end
install_gemfile <<-G
source "#{file_uri_for(gem_repo1)}"
gem "foo", :path => "#{lib_path("foo-1.0")}"
@ -715,10 +697,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
foo!
CHECKSUMS
foo (1.0)
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -727,6 +706,10 @@ RSpec.describe "the lockfile format" do
it "serializes pinned path sources to the lockfile even when packaging" do
build_lib "foo"
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "1.0"
end
install_gemfile <<-G
source "#{file_uri_for(gem_repo1)}"
gem "foo", :path => "#{lib_path("foo-1.0")}"
@ -751,10 +734,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
foo!
CHECKSUMS
foo (1.0)
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -764,6 +744,12 @@ RSpec.describe "the lockfile format" do
build_lib "foo"
bar = build_git "bar"
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "1.0"
c.no_checksum "bar", "1.0"
c.checksum gem_repo2, "rack", "1.0.0"
end
install_gemfile <<-G
source "#{file_uri_for(gem_repo2)}/"
@ -796,12 +782,7 @@ RSpec.describe "the lockfile format" do
bar!
foo!
rack
CHECKSUMS
bar (1.0)
foo (1.0)
#{checksum_for_repo_gem gem_repo2, "rack", "1.0.0"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -814,8 +795,8 @@ RSpec.describe "the lockfile format" do
gem "rack", :source => "#{file_uri_for(gem_repo2)}/"
G
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo2, "rack", "1.0.0"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo2, "rack", "1.0.0"
end
expect(lockfile).to eq <<~G
@ -829,10 +810,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
rack!
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -847,12 +825,12 @@ RSpec.describe "the lockfile format" do
gem "rack-obama"
G
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo2, "actionpack", "2.3.2"
c.repo_gem gem_repo2, "activesupport", "2.3.2"
c.repo_gem gem_repo2, "rack", "1.0.0"
c.repo_gem gem_repo2, "rack-obama", "1.0"
c.repo_gem gem_repo2, "thin", "1.0"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo2, "actionpack", "2.3.2"
c.checksum gem_repo2, "activesupport", "2.3.2"
c.checksum gem_repo2, "rack", "1.0.0"
c.checksum gem_repo2, "rack-obama", "1.0"
c.checksum gem_repo2, "thin", "1.0"
end
expect(lockfile).to eq <<~G
@ -875,10 +853,7 @@ RSpec.describe "the lockfile format" do
actionpack
rack-obama
thin
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -891,14 +866,14 @@ RSpec.describe "the lockfile format" do
gem "rails"
G
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo2, "actionmailer", "2.3.2"
c.repo_gem gem_repo2, "actionpack", "2.3.2"
c.repo_gem gem_repo2, "activerecord", "2.3.2"
c.repo_gem gem_repo2, "activeresource", "2.3.2"
c.repo_gem gem_repo2, "activesupport", "2.3.2"
c.repo_gem gem_repo2, "rails", "2.3.2"
c.repo_gem gem_repo2, "rake", "13.0.1"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo2, "actionmailer", "2.3.2"
c.checksum gem_repo2, "actionpack", "2.3.2"
c.checksum gem_repo2, "activerecord", "2.3.2"
c.checksum gem_repo2, "activeresource", "2.3.2"
c.checksum gem_repo2, "activesupport", "2.3.2"
c.checksum gem_repo2, "rails", "2.3.2"
c.checksum gem_repo2, "rake", "13.0.1"
end
expect(lockfile).to eq <<~G
@ -927,10 +902,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
rails
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -952,9 +924,9 @@ RSpec.describe "the lockfile format" do
gem 'double_deps'
G
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo2, "double_deps", "1.0"
c.repo_gem gem_repo2, "net-ssh", "1.0"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo2, "double_deps", "1.0"
c.checksum gem_repo2, "net-ssh", "1.0"
end
expect(lockfile).to eq <<~G
@ -971,10 +943,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
double_deps
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -987,9 +956,9 @@ RSpec.describe "the lockfile format" do
gem "rack-obama", ">= 1.0", :require => "rack/obama"
G
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo2, "rack", "1.0.0"
c.repo_gem gem_repo2, "rack-obama", "1.0"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo2, "rack", "1.0.0"
c.checksum gem_repo2, "rack-obama", "1.0"
end
expect(lockfile).to eq <<~G
@ -1005,10 +974,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
rack-obama (>= 1.0)
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -1021,9 +987,9 @@ RSpec.describe "the lockfile format" do
gem "rack-obama", ">= 1.0", :group => :test
G
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo2, "rack", "1.0.0"
c.repo_gem gem_repo2, "rack-obama", "1.0"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo2, "rack", "1.0.0"
c.checksum gem_repo2, "rack-obama", "1.0"
end
expect(lockfile).to eq <<~G
@ -1039,10 +1005,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
rack-obama (>= 1.0)
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -1051,6 +1014,10 @@ RSpec.describe "the lockfile format" do
it "stores relative paths when the path is provided in a relative fashion and in Gemfile dir" do
build_lib "foo", :path => bundled_app("foo")
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "1.0"
end
install_gemfile <<-G
source "#{file_uri_for(gem_repo1)}"
path "foo" do
@ -1073,10 +1040,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
foo!
CHECKSUMS
foo (1.0)
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -1085,6 +1049,10 @@ RSpec.describe "the lockfile format" do
it "stores relative paths when the path is provided in a relative fashion and is above Gemfile dir" do
build_lib "foo", :path => bundled_app(File.join("..", "foo"))
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "1.0"
end
install_gemfile <<-G
source "#{file_uri_for(gem_repo1)}"
path "../foo" do
@ -1107,10 +1075,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
foo!
CHECKSUMS
foo (1.0)
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -1119,6 +1084,10 @@ RSpec.describe "the lockfile format" do
it "stores relative paths when the path is provided in an absolute fashion but is relative" do
build_lib "foo", :path => bundled_app("foo")
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "1.0"
end
install_gemfile <<-G
source "#{file_uri_for(gem_repo1)}"
path File.expand_path("foo", __dir__) do
@ -1141,10 +1110,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
foo!
CHECKSUMS
foo (1.0)
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -1153,6 +1119,10 @@ RSpec.describe "the lockfile format" do
it "stores relative paths when the path is provided for gemspec" do
build_lib("foo", :path => tmp.join("foo"))
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "1.0"
end
install_gemfile <<-G
source "#{file_uri_for(gem_repo1)}"
gemspec :path => "../foo"
@ -1173,16 +1143,17 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
foo!
CHECKSUMS
foo (1.0)
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
end
it "keeps existing platforms in the lockfile" do
checksums = checksums_section_when_existing do |c|
c.no_checksum "rack", "1.0.0"
end
lockfile <<-G
GEM
remote: #{file_uri_for(gem_repo2)}/
@ -1194,7 +1165,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
rack
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -1205,6 +1176,8 @@ RSpec.describe "the lockfile format" do
gem "rack"
G
checksums.checksum(gem_repo2, "rack", "1.0.0")
expect(lockfile).to eq <<~G
GEM
remote: #{file_uri_for(gem_repo2)}/
@ -1216,10 +1189,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
rack
CHECKSUMS
#{checksum_for_repo_gem(gem_repo2, "rack", "1.0.0")}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -1239,8 +1209,8 @@ RSpec.describe "the lockfile format" do
gem "platform_specific"
G
expected_checksums = checksum_section do |c|
c.repo_gem gem_repo2, "platform_specific", "1.0", "universal-java-16"
checksums = checksums_section_when_existing do |c|
c.checksum gem_repo2, "platform_specific", "1.0", "universal-java-16"
end
expect(lockfile).to eq <<~G
@ -1254,16 +1224,18 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
platform_specific
CHECKSUMS
#{expected_checksums}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
end
it "does not add duplicate gems" do
checksums = checksums_section_when_existing do |c|
c.checksum(gem_repo2, "activesupport", "2.3.5")
c.checksum(gem_repo2, "rack", "1.0.0")
end
install_gemfile <<-G
source "#{file_uri_for(gem_repo2)}/"
gem "rack"
@ -1288,17 +1260,17 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
activesupport
rack
CHECKSUMS
#{checksum_for_repo_gem(gem_repo2, "activesupport", "2.3.5")}
#{checksum_for_repo_gem(gem_repo2, "rack", "1.0.0")}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
end
it "does not add duplicate dependencies" do
checksums = checksums_section_when_existing do |c|
c.checksum(gem_repo2, "rack", "1.0.0")
end
install_gemfile <<-G
source "#{file_uri_for(gem_repo2)}/"
gem "rack"
@ -1316,16 +1288,17 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
rack
CHECKSUMS
#{checksum_for_repo_gem(gem_repo2, "rack", "1.0.0")}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
end
it "does not add duplicate dependencies with versions" do
checksums = checksums_section_when_existing do |c|
c.checksum(gem_repo2, "rack", "1.0.0")
end
install_gemfile <<-G
source "#{file_uri_for(gem_repo2)}/"
gem "rack", "1.0"
@ -1343,16 +1316,17 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
rack (= 1.0)
CHECKSUMS
#{checksum_for_repo_gem(gem_repo2, "rack", "1.0.0")}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
end
it "does not add duplicate dependencies in different groups" do
checksums = checksums_section_when_existing do |c|
c.checksum(gem_repo2, "rack", "1.0.0")
end
install_gemfile <<-G
source "#{file_uri_for(gem_repo2)}/"
gem "rack", "1.0", :group => :one
@ -1370,10 +1344,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
rack (= 1.0)
CHECKSUMS
#{checksum_for_repo_gem(gem_repo2, "rack", "1.0.0")}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -1402,6 +1373,10 @@ RSpec.describe "the lockfile format" do
end
it "works correctly with multiple version dependencies" do
checksums = checksums_section_when_existing do |c|
c.checksum(gem_repo2, "rack", "0.9.1")
end
install_gemfile <<-G
source "#{file_uri_for(gem_repo2)}/"
gem "rack", "> 0.9", "< 1.0"
@ -1418,16 +1393,17 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
rack (> 0.9, < 1.0)
CHECKSUMS
#{checksum_for_repo_gem(gem_repo2, "rack", "0.9.1")}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
end
it "captures the Ruby version in the lockfile" do
checksums = checksums_section_when_existing do |c|
c.checksum(gem_repo2, "rack", "0.9.1")
end
install_gemfile <<-G
source "#{file_uri_for(gem_repo2)}/"
ruby '#{Gem.ruby_version}'
@ -1445,10 +1421,7 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
rack (> 0.9, < 1.0)
CHECKSUMS
#{checksum_for_repo_gem(gem_repo2, "rack", "0.9.1")}
#{checksums}
RUBY VERSION
#{Bundler::RubyVersion.system}
@ -1526,10 +1499,6 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
direct_dependency
CHECKSUMS
#{checksum_for_repo_gem(gem_repo4, "direct_dependency", "4.5.6")}
#{checksum_for_repo_gem(gem_repo4, "indirect_dependency", "1.2.3")}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -1584,10 +1553,6 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
minitest-bisect
CHECKSUMS
#{checksum_for_repo_gem(gem_repo4, "minitest-bisect", "1.6.0")}
#{checksum_for_repo_gem(gem_repo4, "path_expander", "1.1.1")}
BUNDLED WITH
#{Bundler::VERSION}
L
@ -1654,10 +1619,6 @@ RSpec.describe "the lockfile format" do
DEPENDENCIES
minitest-bisect
CHECKSUMS
#{checksum_for_repo_gem gem_repo4, "minitest-bisect", "1.6.0"}
#{checksum_for_repo_gem gem_repo4, "path_expander", "1.1.1"}
BUNDLED WITH
#{Bundler::VERSION}
L
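Review bot: In `it "keeps existing platforms in the lockfile"` the seeded lockfile is built from `checksums_section_when_existing`, which appears to be evaluated before that example's own `lockfile <<-G` is written, so whether the seed contains a CHECKSUMS section depends on whatever lockfile (if any) earlier setup left behind rather than on this spec. The other seeded-lockfile example in this file (`does not update the lockfile's bundler version …`) uses the always-enabled `checksums_section do |c|` for its seed. Using `checksums = checksums_section do |c|` here as well would make the example deterministically exercise the opt-in path, and the later `checksums.checksum(gem_repo2, "rack", "1.0.0")` would then assert that the real digest replaced the `no_checksum` entry. If the intent is the no-CHECKSUMS path instead, `checksums_section(false)` states that explicitly.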


@ -70,6 +70,10 @@ RSpec.describe "real source plugins" do
it "writes to lock file" do
bundle "install"
checksums = checksums_section_when_existing do |c|
c.no_checksum "a-path-gem", "1.0"
end
expect(lockfile).to eq <<~G
PLUGIN SOURCE
remote: #{lib_path("a-path-gem-1.0")}
@ -86,10 +90,7 @@ RSpec.describe "real source plugins" do
DEPENDENCIES
a-path-gem!
CHECKSUMS
a-path-gem (1.0)
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G
@ -339,6 +340,10 @@ RSpec.describe "real source plugins" do
revision = revision_for(lib_path("ma-gitp-gem-1.0"))
bundle "install"
checksums = checksums_section_when_existing do |c|
c.no_checksum "ma-gitp-gem", "1.0"
end
expect(lockfile).to eq <<~G
PLUGIN SOURCE
remote: #{file_uri_for(lib_path("ma-gitp-gem-1.0"))}
@ -356,10 +361,7 @@ RSpec.describe "real source plugins" do
DEPENDENCIES
ma-gitp-gem!
CHECKSUMS
ma-gitp-gem (1.0)
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G


@ -73,6 +73,13 @@ RSpec.describe "Bundler.setup with multi platform stuff" do
build_gem "racca", "1.5.2"
end
checksums = checksums_section do |c|
c.checksum gem_repo4, "mini_portile2", "2.5.0"
c.checksum gem_repo4, "nokogiri", "1.11.1"
c.checksum gem_repo4, "nokogiri", "1.11.1", Bundler.local_platform
c.checksum gem_repo4, "racca", "1.5.2"
end
good_lockfile = <<~L
GEM
remote: #{file_uri_for(gem_repo4)}/
@ -90,13 +97,7 @@ RSpec.describe "Bundler.setup with multi platform stuff" do
DEPENDENCIES
nokogiri (~> 1.11)
CHECKSUMS
#{checksum_for_repo_gem gem_repo4, "mini_portile2", "2.5.0"}
#{checksum_for_repo_gem gem_repo4, "nokogiri", "1.11.1"}
#{checksum_for_repo_gem gem_repo4, "nokogiri", "1.11.1", Bundler.local_platform}
#{checksum_for_repo_gem gem_repo4, "racca", "1.5.2"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
L


@ -1216,6 +1216,10 @@ end
let(:ruby_version) { nil }
def lock_with(ruby_version = nil)
checksums = checksums_section do |c|
c.checksum gem_repo1, "rack", "1.0.0"
end
lock = <<~L
GEM
remote: #{file_uri_for(gem_repo1)}/
@ -1227,9 +1231,7 @@ end
DEPENDENCIES
rack
CHECKSUMS
#{checksum_for_repo_gem gem_repo1, "rack", "1.0.0"}
#{checksums}
L
if ruby_version


@ -3,46 +3,74 @@
module Spec
module Checksums
class ChecksumsBuilder
def initialize(&block)
def initialize(enabled = true, &block)
@enabled = enabled
@checksums = {}
yield self if block_given?
end
def repo_gem(repo, name, version, platform = Gem::Platform::RUBY)
def initialize_copy(original)
super
@checksums = @checksums.dup
end
def checksum(repo, name, version, platform = Gem::Platform::RUBY)
name_tuple = Gem::NameTuple.new(name, version, platform)
gem_file = File.join(repo, "gems", "#{name_tuple.full_name}.gem")
File.open(gem_file, "rb") do |f|
@checksums[name_tuple] = Bundler::Checksum.from_gem(f, "#{gem_file} (via ChecksumsBuilder#repo_gem)")
register(name_tuple, Bundler::Checksum.from_gem(f, "#{gem_file} (via ChecksumsBuilder#checksum)"))
end
end
def no_checksum(name, version, platform = Gem::Platform::RUBY)
name_tuple = Gem::NameTuple.new(name, version, platform)
@checksums[name_tuple] = nil
register(name_tuple, nil)
end
def to_lock
@checksums.map do |name_tuple, checksum|
def delete(name, platform = nil)
@checksums.reject! {|k, _| k.name == name && (platform.nil? || k.platform == platform) }
end
def to_s
return "" unless @enabled
locked_checksums = @checksums.map do |name_tuple, checksum|
checksum &&= " #{checksum.to_lock}"
" #{name_tuple.lock_name}#{checksum}\n"
end.sort.join.strip
end
"\nCHECKSUMS\n#{locked_checksums.sort.join}"
end
private
def register(name_tuple, checksum)
delete(name_tuple.name, name_tuple.platform)
@checksums[name_tuple] = checksum
end
end
def checksum_section(&block)
ChecksumsBuilder.new(&block).to_lock
def checksums_section(enabled = true, &block)
ChecksumsBuilder.new(enabled, &block)
end
def checksum_for_repo_gem(*args)
checksum_section do |c|
c.repo_gem(*args)
def checksums_section_when_existing(&block)
begin
enabled = lockfile.match?(/^CHECKSUMS$/)
rescue Errno::ENOENT
enabled = false
end
checksums_section(enabled, &block)
end
def gem_no_checksum(*args)
checksum_section do |c|
c.no_checksum(*args)
end
def checksum_to_lock(*args)
checksums_section do |c|
c.checksum(*args)
end.to_s.sub(/^CHECKSUMS\n/, "").strip
end
def checksum_digest(*args)
checksum_to_lock(*args).split(Bundler::Checksum::ALGO_SEPARATOR, 2).last
end
# if prefixes is given, removes all checksums where the line
@ -50,6 +78,7 @@ module Spec
# otherwise, removes all checksums from the lockfile
def remove_checksums_from_lockfile(lockfile, *prefixes)
head, remaining = lockfile.split(/^CHECKSUMS$/, 2)
return lockfile unless remaining
checksums, tail = remaining.split("\n\n", 2)
prefixes =
@ -74,5 +103,12 @@ module Spec
tail
)
end
def remove_checksums_section_from_lockfile(lockfile)
head, remaining = lockfile.split(/^CHECKSUMS$/, 2)
return lockfile unless remaining
_checksums, tail = remaining.split("\n\n", 2)
head.concat(tail)
end
end
end
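Review bot: `remove_checksums_section_from_lockfile` raises `TypeError` when CHECKSUMS is the last section of the lockfile: `remaining.split("\n\n", 2)` then yields a single element, `tail` is `nil`, and `head.concat(nil)` fails. Lockfiles of that shape are produced in this commit (the `lock_with` helper ends its heredoc with `#{checksums}`), so the guard `return lockfile unless remaining` does not cover the case; `head.concat(tail.to_s)` keeps the early-return behaviour while tolerating a trailing section. The same `split("\n\n", 2)` is used in `remove_checksums_from_lockfile` a few lines above, whose handling of `tail` continues outside this hunk and may need the same check. A short comment mirroring the one on its sibling, e.g. `# Removes the whole CHECKSUMS section (header and entries) from the lockfile text`, would also make the difference between the two helpers clear.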


@ -309,6 +309,11 @@ RSpec.describe "bundle update" do
bundle "update --source bar"
checksums = checksums_section_when_existing do |c|
c.no_checksum "foo", "2.0"
c.checksum gem_repo2, "rack", "1.0.0"
end
expect(lockfile).to eq <<~G
GIT
remote: #{@git.path}
@ -327,11 +332,7 @@ RSpec.describe "bundle update" do
DEPENDENCIES
foo!
rack
CHECKSUMS
foo (2.0)
#{checksum_for_repo_gem gem_repo2, "rack", "1.0.0"}
#{checksums}
BUNDLED WITH
#{Bundler::VERSION}
G