Vendor securerandom
#7930
Conversation
It is loaded by `Fetcher` so in most cases it's fine. But if using `bundler/inline` and a gem needs to be fetched, `securerandom` will be loaded and cause a conflict.

Can be reproduced with:

```ruby
require 'bundler/inline'

gemfile do
  source 'https://rubygems.org'
  gem 'graphql', '~> 2.0'
  gem 'graphql-client', '~> 0.18'
end

require 'json'
require 'graphql/client'
require 'graphql/client/http'
```

Ref: rails/rails#52473 (comment)
is it possible to solve this more generally by having bundler inline re-exec itself once the gem install is done? we have historically tried to limit what we vendor by installing in a separate process from

I don't know. On paper that seems possible, but I'm not super familiar with the bundler codebase.
diff --git a/bundler/lib/bundler/inline.rb b/bundler/lib/bundler/inline.rb
index ae4ccf213..d62dd8775 100644
--- a/bundler/lib/bundler/inline.rb
+++ b/bundler/lib/bundler/inline.rb
@@ -60,6 +60,11 @@ def definition.lock(*); end
Bundler.ui.info "Post-install message from #{name}:\n#{message}"
end
end
+
+ unless install
+ Bundler.ui.info "Re-executing script with installed gems"
+ Process.exec(RbConfig.ruby, $PROGRAM_NAME, *ARGV)
+ end
end
 runtime = Bundler::Runtime.new(nil, definition)

Seems to work on the happy path, no idea if it could cause issues. Assuming there is no side effect in scripts before
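Review bot: the re-exec added in the `unless install` block has no guard against repeating: if the re-executed process still finds gems missing (an install that failed or did not satisfy the resolution), it reaches this branch again and execs again without bound. Setting a marker in the environment before `Process.exec(RbConfig.ruby, $PROGRAM_NAME, *ARGV)` and skipping the exec when the marker is already present would bound it to one retry. Two smaller points on the same line: `$PROGRAM_NAME` is only a re-runnable path when the script was started from a file (not via `ruby -e` or stdin, and a script may reassign `$0` before calling `gemfile`), and `RbConfig.ruby` drops interpreter flags such as `-w` or `-I` from the original invocation, so the second pass can run under different options than the first. Finally, `unless install` skips the re-exec exactly when the caller requested installation explicitly, even though this branch has just run the installer in that case too; if that is intentional, a short comment saying why would help the next reader.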
awesome, thanks for investigating. I'd like to wait a little bit to get feedback from other maintainers and users, but I think in the long run it reduces the team's maintenance burden if installing can use non-vendored stdlib gems etc.
Alternate: ruby#7930
Fix: ruby#7930

When bundler inline has to install gems, it loads more dependencies than when it goes through the fast path of all gems being installed. One of them is `securerandom`, so if trying to use `bundler/inline` with a gem that has a dependency on `securerandom` that doesn't match the default version, the script fails with `Gem::LoadError`.

This can be reproduced on Ruby 3.2.x, after making sure to `gem uninstall securerandom` so only the default gem remains, and then running the following script:

```ruby
require 'bundler/inline'

gemfile do
  source 'https://rubygems.org'
  gem 'activesupport', '7.2.0' # depends on securerandom >= 0.3
end

require 'securerandom'
```
Opened the alternative at #7933

Thanks a lot for investigating and taking the time to look into this! 🙇
Unless of course fork isn't available.

Alternate: ruby#7930, ruby#7933
Fix: ruby#7930, ruby#7933

When bundler inline has to install gems, it loads more dependencies than when it goes through the fast path of all gems being installed. One of them is `securerandom`, so if trying to use bundler/inline with a gem that has a dependency on securerandom that doesn't match the default version, the script fails with `Gem::LoadError`.

This can be reproduced on Ruby 3.2.x, after making sure to `gem uninstall securerandom` so only the default gem remains, and then running the following script:

```ruby
require 'bundler/inline'

gemfile do
  source 'https://rubygems.org'
  gem 'activesupport', '7.2.0' # depends on securerandom >= 0.3
end

require 'securerandom'
```
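The check behind the `Gem::LoadError` described in the two commit messages above is RubyGems refusing to activate a gem whose requirement is not satisfied by a version that is already activated. The following is an added example, not code from this PR, from Bundler or from RubyGems: it reproduces that requirement check against a constructed stand-in for `Gem.loaded_specs`, and reports where an already-activated gem came from so an early activation (default gem shipped with Ruby versus an installed gem) can be spotted before a `gemfile` block runs. The function names `activation_conflict`, `describe_activation` and `demo` are hypothetical, and the `securerandom` version `0.2.2` used in the stand-in is an assumption for illustration.

```ruby
require "rubygems"

# Added example (not code from the PR, Bundler or RubyGems). Reproduces the
# requirement check RubyGems performs when a Gemfile requirement meets a gem
# that is already activated, which is what produces the Gem::LoadError in
# the commit messages above.

# Returns nil when the gem is not activated yet, true when the activated
# version violates the requirement (activation would raise Gem::LoadError),
# false when the activated version satisfies it.
def activation_conflict(gem_name, requirement, loaded_specs: Gem.loaded_specs)
  spec = loaded_specs[gem_name]
  return nil unless spec

  !Gem::Requirement.create(requirement).satisfied_by?(spec.version)
end

# Describe where an activated gem came from, so the source of an early
# activation (default gem shipped with Ruby vs. an installed gem) is visible.
def describe_activation(gem_name, loaded_specs: Gem.loaded_specs)
  spec = loaded_specs[gem_name]
  return "#{gem_name}: not activated" unless spec

  kind = spec.default_gem? ? "default gem" : "installed gem"
  "#{gem_name} #{spec.version} (#{kind})"
end

# Constructed stand-in for Gem.loaded_specs: a securerandom spec that is
# already activated at 0.2.2 (assumed version for illustration), while the
# Gemfile asks for >= 0.3 as activesupport 7.2.0 does per the commit message.
def demo
  fake_spec = Gem::Specification.new do |s|
    s.name = "securerandom"
    s.version = "0.2.2"
  end
  specs = { "securerandom" => fake_spec }

  {
    conflict: activation_conflict("securerandom", ">= 0.3", loaded_specs: specs),
    description: describe_activation("securerandom", loaded_specs: specs),
  }
end

if $PROGRAM_NAME == __FILE__
  result = demo
  puts result[:description]
  puts "conflict with '>= 0.3': #{result[:conflict]}"
  # Against the real process, this shows whether securerandom was already
  # activated by something loaded before the gemfile block ran.
  puts describe_activation("securerandom")
end
```

Running `describe_activation("securerandom")` at the top of an inline script, before the `gemfile` block, tells you whether the default gem has already been activated by an earlier `require`, which is the condition under which the install path in this thread fails while the fast path does not.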
SecureRandom has been vendored in PR #7960 which got merged. Can we close this issue?

@byroot Can you still reproduce the problem? My suspicion was that to fix this issue we still need to vendor

I don't know how to test bundler/rubygems edge.

I normally use an alias like this

Seems not to be working still:

I can also reproduce the problem with the latest rubygems main branch:

To be fair I can also reproduce the problem when I check out this PR locally. So maybe the