authorMercedes Bernard <[email protected]>2023-02-10 13:34:30 -0600
committerHiroshi SHIBATA <[email protected]>2023-10-23 13:59:01 +0900
commit69d7e9a12eb6e3dbfa1b1021b73c2afcbf7d4a46 (patch)
tree10e56a9112f606e866624095ec8acacce0500288 /spec/bundler/commands/update_spec.rb
parentad08674d8dc17c4ca031ce20760c4a4779c83e27 (diff)
[rubygems/rubygems] Use the server checksum, then calculate from gem on disk if possible
1. Use the checksum provided by the server if provided: provides security knowing if the gem you downloaded matches the gem on the server
2. Calculate the checksum from the gem on disk: provides security knowing if the gem has changed between installs
3. In some cases, neither is possible in which case we don't put anything in the checksum and we maintain functionality as it is today

Add the checksums to specs in the index if we already have them

Prior to checksums, we didn't lose any information when overwriting specs in the index with stubs. But now when we overwrite EndpointSpecifications or RemoteSpecifications with more generic specs, we could lose checksum info. This manually sets checksum info so we keep it in the index.

https://github.com/rubygems/rubygems/commit/de00a4f153
Diffstat (limited to 'spec/bundler/commands/update_spec.rb')
-rw-r--r--spec/bundler/commands/update_spec.rb16
1 files changed, 14 insertions, 2 deletions
diff --git a/spec/bundler/commands/update_spec.rb b/spec/bundler/commands/update_spec.rb
index eb578d4dff..cf6a8d5be1 100644
--- a/spec/bundler/commands/update_spec.rb
+++ b/spec/bundler/commands/update_spec.rb
@@ -291,6 +291,8 @@ RSpec.describe "bundle update" do
country_select
CHECKSUMS
+ #{checksum_for_repo_gem(gem_repo4, "countries", "3.1.0")}
+ #{checksum_for_repo_gem(gem_repo4, "country_select", "5.1.0")}
BUNDLED WITH
#{Bundler::VERSION}
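Review bot: The two expected entries in this hunk are built by interpolating `checksum_for_repo_gem` once per line, while the conservative-update example further down builds the same section through `construct_checksum_section`; using the builder here as well (`c.repo_gem gem_repo4, "countries", "3.1.0"` and `c.repo_gem gem_repo4, "country_select", "5.1.0"`) would keep the ordering and formatting of the CHECKSUMS block in one place. The expected value is presumably derived from the same gem file in `gem_repo4` that Bundler installs, so the assertion shows that a checksum is recorded and formatted, not that a modified gem would be rejected; a one-line comment such as `# expected checksums are computed from the repo gem itself; mismatch handling is covered elsewhere` would stop readers from over-reading the coverage. The enclosing example starts and ends outside the hunk.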
@@ -560,6 +562,7 @@ RSpec.describe "bundle update" do
activesupport (~> 6.0.0)
CHECKSUMS
+ #{expected_checksums}
BUNDLED WITH
#{Bundler::VERSION}
@@ -1282,7 +1285,7 @@ RSpec.describe "bundle update --bundler" do
G
lockfile lockfile.sub(/(^\s*)#{Bundler::VERSION}($)/, '\11.0.0\2')
- excepted_checksum = checksum_for_repo_gem(gem_repo4, "rack", "1.0")
+ expected_checksum = checksum_for_repo_gem(gem_repo4, "rack", "1.0")
FileUtils.rm_r gem_repo4
@@ -1302,7 +1305,7 @@ RSpec.describe "bundle update --bundler" do
rack
CHECKSUMS
- #{excepted_checksum}
+ #{expected_checksum}
BUNDLED WITH
#{Bundler::VERSION}
@@ -1714,6 +1717,14 @@ RSpec.describe "bundle update conservative" do
it "should only change direct dependencies when updating the lockfile with --conservative" do
bundle "lock --update --conservative"
+ expected_checksums = construct_checksum_section do |c|
+ c.repo_gem gem_repo4, "isolated_dep", "2.0.1"
+ c.repo_gem gem_repo4, "isolated_owner", "1.0.2"
+ c.repo_gem gem_repo4, "shared_dep", "5.0.1"
+ c.repo_gem gem_repo4, "shared_owner_a", "3.0.2"
+ c.repo_gem gem_repo4, "shared_owner_b", "4.0.2"
+ end
+
expect(lockfile).to eq <<~L
GEM
remote: #{file_uri_for(gem_repo4)}/
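Review bot: The lockfile asserted here uses `remote: #{file_uri_for(gem_repo4)}/`, so the checksums built in the new `construct_checksum_section` block most likely exercise only the "calculate from the gem on disk" path from the commit description, not the server-provided checksum; I would state that above the block, for example `# file:// source: checksums come from the .gem on disk, no server checksum is involved`. The five name/version pairs passed to `c.repo_gem` appear to repeat the versions in the heredoc's specs section (outside this hunk), so a change in the expected resolution has to be edited in both places. Nothing visible in this file covers the third case from the description, where no checksum can be obtained and nothing is written; if that fallback is pinned in another spec, a pointer to it in the comment would be enough. The `it` block continues past the end of the hunk.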
@@ -1736,6 +1747,7 @@ RSpec.describe "bundle update conservative" do
shared_owner_b
CHECKSUMS
+ #{expected_checksums}
BUNDLED WITH
#{Bundler::VERSION}