Closed
Lock the checksum of Bundler itself in the lockfile (cherry picked from commit 44f4b15)
Ensure the release CI doesn't break due to the Bundler checksum feature (cherry picked from commit 9baf3e0)
Agent-Logs-Url: https://github.com/ruby/rubygems/sessions/a9efe3b4-99c9-4af2-9954-a65a2859edfc Co-authored-by: hsbt <12301+hsbt@users.noreply.github.com> (cherry picked from commit 3d4e90a)
…el_tests' Agent-Logs-Url: https://github.com/ruby/rubygems/sessions/dd120552-e56f-4a0e-9143-ec483aa07bfc Co-authored-by: hsbt <12301+hsbt@users.noreply.github.com> (cherry picked from commit 56a9827)
… gem Agent-Logs-Url: https://github.com/ruby/rubygems/sessions/61efd9ab-67d3-4ce2-b81d-4b6e8ef07f99 Co-authored-by: hsbt <12301+hsbt@users.noreply.github.com> (cherry picked from commit bf73b51)
Agent-Logs-Url: https://github.com/ruby/rubygems/sessions/9cf2fa2e-02a9-4dde-a833-8ad11974e1eb Co-authored-by: hsbt <12301+hsbt@users.noreply.github.com> (cherry picked from commit 5ac4c84)
…version helpers Agent-Logs-Url: https://github.com/ruby/rubygems/sessions/4028db0e-e050-48af-9704-4219653a4753 Co-authored-by: hsbt <12301+hsbt@users.noreply.github.com> (cherry picked from commit 951ef62)
Change "and lock the mutex" to "and to lock the mutex" for correct parallel infinitive structure. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> (cherry picked from commit 94f9267)
Fix the bundler version not being updated in dev/test lockfile (cherry picked from commit 4758fb5)
fix formatting for BUNDLE_PREFER_PATCH variable in man page (cherry picked from commit a3d2d2c)
Package registries are active supply chain attack targets. Recent high-profile incidents include the Axios NPM compromise (https://socket.dev/blog/axios-npm-package-compromised) and the LiteLLM PyPI compromise (https://docs.litellm.ai/blog/security-update-march-2026). RubyGems supports an MFA-required opt-in via gemspec metadata: spec.metadata["rubygems_mfa_required"] = "true" but most gems haven't enabled it. A big reason is discoverability. Nothing in the `bundle gem` flow mentions the option, so authors would need to already know it exists to find it. Reference: https://guides.rubygems.org/mfa-requirement-opt-in/ This commit adds a commented-out `spec.metadata["rubygems_mfa_required"] = "true"` line, along with a short explanatory comment and a reference link, to the gemspec template used by `bundle gem`. Default behavior is unchanged because the line is commented out, but every new gem author now sees the MFA opt-in right where they configure their gemspec. Opting in is then a matter of deleting the leading `# `. (cherry picked from commit 2fd3496)
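The opt-in that commit message describes is a single metadata key, and the check a maintainer wants is whether the gems they already ship actually set it. The following is an added example written for this page, not code from the rubygems/rubygems PR: it loads gemspec files with `Gem::Specification.load` and reports which ones have opted in, treating the template's commented-out line and a misspelled key as "not opted in". The gem names, gemspec bodies and helper names (`mfa_required?`, `audit_gemspecs`, `run_sample_audit`) are constructed for the demonstration.

```ruby
# Added example, not code from the rubygems/rubygems PR: audit a directory of
# gemspec files and report which gems have not opted into the RubyGems
# MFA requirement. Uses only Gem::Specification from RubyGems itself; the
# gem names and gemspec bodies below are constructed for the demonstration.
require "rubygems"
require "tmpdir"

MFA_KEY = "rubygems_mfa_required"

# Opt-in counts only when the key is present with the exact value "true";
# a commented-out template line, a misspelled key or another value do not.
def mfa_required?(spec)
  spec.metadata[MFA_KEY] == "true"
end

# Evaluate every *.gemspec under +dir+ and map gem name => opted in (true/false).
def audit_gemspecs(dir)
  Dir.glob(File.join(dir, "*.gemspec")).sort.to_h do |path|
    spec = Gem::Specification.load(path)
    raise "could not load gemspec at #{path}" unless spec
    [spec.name, mfa_required?(spec)]
  end
end

# Constructed sample gemspecs (hypothetical gem names):
#   opted_in         - sets the key, as the uncommented template line would
#   template_default - keeps the template's commented-out line, so no opt-in
#   misspelled       - typo in the key, which would not enable the requirement
SAMPLES = {
  "opted_in.gemspec" => <<~RUBY,
    Gem::Specification.new do |spec|
      spec.name    = "opted_in"
      spec.version = "1.0.0"
      spec.metadata["rubygems_mfa_required"] = "true"
    end
  RUBY
  "template_default.gemspec" => <<~RUBY,
    Gem::Specification.new do |spec|
      spec.name    = "template_default"
      spec.version = "1.0.0"
      # spec.metadata["rubygems_mfa_required"] = "true"
    end
  RUBY
  "misspelled.gemspec" => <<~RUBY,
    Gem::Specification.new do |spec|
      spec.name    = "misspelled"
      spec.version = "1.0.0"
      spec.metadata["rubygems_mfa_requried"] = "true"
    end
  RUBY
}.freeze

# Write the samples to a scratch directory, audit them and return the report.
def run_sample_audit
  Dir.mktmpdir do |dir|
    SAMPLES.each { |file, body| File.write(File.join(dir, file), body) }
    audit_gemspecs(dir)
  end
end

if __FILE__ == $PROGRAM_NAME
  run_sample_audit.each do |name, ok|
    puts format("%-18s %s", name, ok ? "MFA required" : "NOT opted in")
  end
end
```

Pointing `audit_gemspecs` at a checkout of an organisation's gems gives a quick inventory of which published gems still allow a password-only push.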
Fix installing gems with native extensions + transitive dependencies (cherry picked from commit 49c0aff)
Update the gem creation guide links in the CLI output and gemspec template. The previous Bundler guide URL now redirects to RubyGems Guides. (cherry picked from commit 0b469ed)
* Skip bundler self-checksum for unreleased bundlers
Using `Bundler.gem_version.end_with?(".dev")` only skips its own
checksum on master, but patch releases run from a source checkout
(e.g., bumping bundler/lib/bundler/version.rb to 4.0.11 on a release
branch) still record the checksum, which is environment dependent on
the local gem cache and causes frozen-lock drift on CI.
Generalize the guard with `released_bundler?`, which returns false for
any prerelease version and for bundlers loaded outside of an installed
gem location (`/specifications/`), so dev workflows don't record
self-checksums while released installs still do.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Revert "Skip bundler self-checksum for unreleased bundlers"
This reverts commit d4e51dd.
* Skip bundler checksum when running version:update_locked_bundler:
- Our development lockfile should not include the checksum of bundler
itself, regardless of whether we are doing a release.
The problem is that including a checksum in our development
lockfile creates issues, as some rake tasks don't run the same way on
CI.
For example, some rake tasks build bundler.gem and some others
don't. I explained the issue in more detail here: 2c40b8d
This commit is motivated by the fact that when the release
manager runs `version:update_locked_bundler`, if a
`bundler-<VERSION>.gem` exists on their system (e.g. they previously ran
`rake bundler:install`), then the lockfile will include a checksum
entry.
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Edouard CHIN <chin.edouard@gmail.com>
(cherry picked from commit ee558f2)
* Skip bundler self-checksum on ruby-core in test fixtures

In ruby-core test setup, bundler is loaded as a default gem and the bundler.gem cache file is not present on disk where LockfileGenerator#bundler_checksum looks for it. As a result, the generator omits the bundler checksum from the regenerated lockfile, while the test's checksums_section helper still adds it, making the "does not change the lock" expectations in setup_spec.rb fail on ruby-core CI for release branches (where Bundler::VERSION does not end in .dev).

Mirror the generator's give-up conditions in the helper so that test fixtures and the regenerated lockfile stay in sync.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

(cherry picked from commit 40112f7)
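The commits above are about the checksum Bundler records for its own .gem in the lockfile's CHECKSUMS section, and when that entry must be omitted so that development checkouts and CI agree. The following added example, written for this page rather than taken from the rubygems/rubygems PR, shows the verification such an entry enables: comparing the SHA-256 of a cached .gem against the locked value and distinguishing a match, a mismatch, and a missing entry. It assumes the `  name (version) sha256=<hex>` line format of Bundler's CHECKSUMS section; the lockfile text and the .gem bytes are constructed stand-ins, and the helper names (`parse_checksums`, `verify_cached_gem`, `run_demo`) are hypothetical.

```ruby
# Added example, not code from the rubygems/rubygems PR: verify a cached
# .gem file against the sha256 recorded for it in a lockfile's CHECKSUMS
# section. The "  name (version) sha256=<hex>" line format is assumed from
# Bundler's lockfile layout; the .gem bytes and lockfile text below are
# constructed stand-ins, not a real gem archive.
require "digest"
require "tmpdir"

CHECKSUM_LINE = /\A {2}(?<name>\S+) \((?<version>[^)]+)\) sha256=(?<hex>\h{64})\z/

# Parse the CHECKSUMS section into { "name (version)" => hex }. The section
# starts at the "CHECKSUMS" header and ends at the first blank line.
def parse_checksums(lockfile_text)
  in_section = false
  lockfile_text.each_line.with_object({}) do |raw, acc|
    line = raw.chomp
    if line == "CHECKSUMS"
      in_section = true
      next
    end
    next unless in_section
    if line.empty?
      in_section = false
      next
    end
    m = CHECKSUM_LINE.match(line)
    raise "malformed CHECKSUMS line: #{line.inspect}" unless m
    acc["#{m[:name]} (#{m[:version]})"] = m[:hex]
  end
end

# Compare the file's actual digest with the locked one.
#   :ok        digest matches the lockfile
#   :mismatch  file differs from what was locked (tampered, or a different build)
#   :unlocked  the lockfile has no checksum for this name/version, so there is
#              nothing to verify against
def verify_cached_gem(lockfile_text, gem_path, name, version)
  expected = parse_checksums(lockfile_text)["#{name} (#{version})"]
  return :unlocked unless expected
  actual = Digest::SHA256.file(gem_path).hexdigest
  actual == expected ? :ok : :mismatch
end

# Build a constructed lockfile around a constructed cache file, then exercise
# the three outcomes. Returns [ok, mismatch, unlocked].
def run_demo
  Dir.mktmpdir do |dir|
    gem_path = File.join(dir, "bundler-4.0.11.gem")
    File.binwrite(gem_path, "constructed stand-in for a .gem archive\n")
    good_hex = Digest::SHA256.file(gem_path).hexdigest
    lockfile = <<~LOCK
      GEM
        remote: https://rubygems.org/
        specs:
          rake (13.0.6)

      PLATFORMS
        ruby

      DEPENDENCIES
        rake

      CHECKSUMS
        bundler (4.0.11) sha256=#{good_hex}
        rake (13.0.6) sha256=#{"0" * 64}

      BUNDLED WITH
         4.0.11
    LOCK
    ok = verify_cached_gem(lockfile, gem_path, "bundler", "4.0.11")
    File.binwrite(gem_path, "tampered bytes\n")
    mismatch = verify_cached_gem(lockfile, gem_path, "bundler", "4.0.11")
    unlocked = verify_cached_gem(lockfile, gem_path, "bundler", "4.0.10")
    [ok, mismatch, unlocked]
  end
end

puts run_demo.inspect if __FILE__ == $PROGRAM_NAME
```

The `:unlocked` outcome is the state the commit messages describe for a development checkout, where no bundler entry is written: there is nothing to compare against, which is exactly why the generator and the test helper have to agree on when the entry is skipped, or a frozen install on CI sees a lockfile it did not expect.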
Pull request overview
Prepares the RubyGems/Bundler 4.0.11 release by bumping versions/lockfiles, updating release notes/docs, and incorporating recent Bundler behavior changes (notably lockfile self-checksums and native-extension install ordering).
Changes:
- Bump RubyGems/Bundler versions to 4.0.11 and update associated lockfiles/fixtures/changelogs.
- Enhance Bundler lockfile checksum handling (including bundler self-checksum) and adjust specs/helpers accordingly.
- Fix/test updates across docs, templates, and installer behavior for transitive native-extension dependencies.
Reviewed changes
Copilot reviewed 57 out of 66 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tool/bundler/vendor_gems.rb.lock | Update locked Bundler version to 4.0.11. |
| tool/bundler/test_gems.rb.lock | Update locked Bundler version to 4.0.11. |
| tool/bundler/standard_gems.rb.lock | Update locked Bundler version to 4.0.11. |
| tool/bundler/rubocop_gems.rb.lock | Update locked Bundler version to 4.0.11. |
| tool/bundler/release_gems.rb.lock | Update locked Bundler version to 4.0.11. |
| tool/bundler/lint_gems.rb.lock | Update locked Bundler version to 4.0.11. |
| tool/bundler/dev_gems.rb.lock | Update locked Bundler version to 4.0.11. |
| test/rubygems/test_gem_stub_specification.rb | Fix gemspec stub helper filenames to match stubbed gem names and avoid collisions. |
| test/rubygems/test_gem_commands_push_command.rb | Fix expected push response message gem name/version mismatch. |
| lib/rubygems/commands/specification_command.rb | Clarify gem spec argument naming/usage and improve error message. |
| lib/rubygems.rb | Bump RubyGems version to 4.0.11. |
| bundler/spec/support/checksums.rb | Extend checksum test helpers to cover Bundler self-checksum behavior and cache folder layout. |
| bundler/spec/runtime/setup_spec.rb | Disable lockfile checksums for a specific runtime setup spec to avoid fixture drift. |
| bundler/spec/realworld/fixtures/warbler/Gemfile.lock | Update bundled-with version to 4.0.11. |
| bundler/spec/realworld/fixtures/tapioca/Gemfile.lock | Update bundled-with version to 4.0.11. |
| bundler/spec/install/gems/resolving_spec.rb | Fix lockfile fixture dependency gem name (rubocop vs parallel_tests). |
| bundler/spec/install/gemfile/git_spec.rb | Fix heredoc indentation and a test description typo. |
| bundler/spec/commands/update_spec.rb | Update lockfile expectations to accommodate checksum section changes and bundler checksum coverage. |
| bundler/spec/commands/newgem_spec.rb | Add coverage for commented MFA metadata hint in generated gemspec template. |
| bundler/spec/commands/lock_spec.rb | Update lockfile expectation to use checksums helper output. |
| bundler/spec/commands/install_spec.rb | Add regression spec for native extension requiring transitive deps at build time. |
| bundler/spec/bundler/installer/spec_installation_spec.rb | Refactor/expand tests around dependency readiness checks for installation. |
| bundler/lib/bundler/version.rb | Bump Bundler version to 4.0.11. |
| bundler/lib/bundler/templates/newgem/newgem.gemspec.tt | Add commented MFA requirement metadata hint + update guide URL. |
| bundler/lib/bundler/source/rubygems.rb | Comment tweak in extension cache mutex section. |
| bundler/lib/bundler/source/metadata.rb | Add checksum store to metadata source to support bundler self-checksum. |
| bundler/lib/bundler/man/gemfile.5 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-version.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-update.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-show.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-remove.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-pristine.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-plugin.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-platform.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-outdated.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-open.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-lock.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-list.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-licenses.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-issue.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-install.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-init.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-info.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-help.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-gem.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-fund.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-exec.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-env.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-doctor.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-console.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-config.1.ronn | Fix formatting for BUNDLE_PREFER_PATCH in manpage source. |
| bundler/lib/bundler/man/bundle-config.1 | Update generated manpage header date + formatting for BUNDLE_PREFER_PATCH. |
| bundler/lib/bundler/man/bundle-clean.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-check.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-cache.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-binstubs.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/man/bundle-add.1 | Update generated manpage header date to April 2026. |
| bundler/lib/bundler/lockfile_parser.rb | Track metadata source for bundler checksum parsing and create bundler spec for checksum-only entries. |
| bundler/lib/bundler/lockfile_generator.rb | Append Bundler self-checksum to CHECKSUMS section when enabled. |
| bundler/lib/bundler/installer/parallel_installer.rb | Ensure native-extension install readiness checks consider transitive dependencies. |
| bundler/lib/bundler/definition.rb | Merge locked metadata-source checksum store so bundler checksum persists across convergence. |
| bundler/lib/bundler/cli/gem.rb | Update gem creation guide URL to rubygems.org. |
| bundler/CHANGELOG.md | Add Bundler 4.0.11 release notes. |
| Rakefile | Adjust version:update_locked_bundler task to correctly update bundler version in lockfiles and skip self-checksum. |
| CHANGELOG.md | Add RubyGems 4.0.11 release notes. |
Comment on lines 509 to +511
| # We are using a mutex to reaed and write from/to the hash. | ||
| # The reason this double synchronization was added is for performance | ||
| # and lock the mutex for the shortest possible amount of time. Otherwise, | ||
| # and to lock the mutex for the shortest possible amount of time. Otherwise, |
Typo in comment: "reaed" should be "read" ("We are using a mutex to read and write from/to the hash.").