This repository was archived by the owner on Apr 14, 2021. It is now read-only.
Add failing test for invalid warning#4059
Closed
jbarreneche wants to merge 1 commit intorubygems:masterfrom
jbarreneche:bug/warn-on-second-install
Closed
Add failing test for invalid warning#4059jbarreneche wants to merge 1 commit intorubygems:masterfrom jbarreneche:bug/warn-on-second-install
jbarreneche wants to merge 1 commit intorubygems:masterfrom
jbarreneche:bug/warn-on-second-install
Conversation
Contributor
|
☔ The latest upstream changes (presumably e7cdd95) made this pull request unmergeable. Please resolve the merge conflicts. |
Contributor
|
This will be fixed by #4714 in Bundler 2.0, thanks for the test @jbarreneche! |
Contributor
|
Closed via #4714 |
bundlerbot
added a commit
that referenced
this pull request
Jun 27, 2017
[2.0] Remove RubyGems Aggregate & support transitive source pinning ### What was the end-user problem that led to this PR? The problem was that the resolver could resolve specs from _any_ of the sources specified in the Gemfile, even if that source had nothing to do with the spec in question. This was such a large security vulnerability that, when discovered, it warranted a CVE and its own minor release of Bundler. Closes #3671. Closes #3696. Closes #4059. ### Was was your diagnosis of the problem? My diagnosis was that we needed to get rid of the notion of a `rubygems aggregate` and enforce that specs could only come either from the source they were declared to come from (the top-level source if declared at the top-level of the Gemfile, else a scoped source), or a source that it transitively "inherited" from the gems that required it. ### What is your fix for the problem, implemented in this PR? My fix is to disable multiple top-level sources in the Gemfile, remove the RubyGems aggregate, and filter the sources gems could come from as described above. ### Why did you choose this fix out of the possible options? I chose this fix because it allows doing the filtering in a reasonably performant manner, and refactors the way we handle sources to abstract some of the grossness in such a way that the machinations to make sure that all of the necessary gem info is downloaded is encapsulated into a single method, driven from the definition, rather than being specific to rubygems sources. See #4714 and #4930 for the prior implementation.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Failing test case for issue #4058