[rubygems/rubygems] Never write credentials to lockfiles

https://github.com/rubygems/rubygems/commit/e8a363713e

lib/bundler/man/bundle-add.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-ADD" "1" "March 2024" ""
+.TH "BUNDLE\-ADD" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-add\fR \- Add gem to the Gemfile and run bundle install
 .SH "SYNOPSIS"

lib/bundler/man/bundle-binstubs.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-BINSTUBS" "1" "March 2024" ""
+.TH "BUNDLE\-BINSTUBS" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-binstubs\fR \- Install the binstubs of the listed gems
 .SH "SYNOPSIS"

lib/bundler/man/bundle-cache.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-CACHE" "1" "March 2024" ""
+.TH "BUNDLE\-CACHE" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-cache\fR \- Package your needed \fB\.gem\fR files into your application
 .SH "SYNOPSIS"

lib/bundler/man/bundle-check.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-CHECK" "1" "March 2024" ""
+.TH "BUNDLE\-CHECK" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-check\fR \- Verifies if dependencies are satisfied by installed gems
 .SH "SYNOPSIS"

lib/bundler/man/bundle-clean.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-CLEAN" "1" "March 2024" ""
+.TH "BUNDLE\-CLEAN" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-clean\fR \- Cleans up unused gems in your bundler directory
 .SH "SYNOPSIS"

lib/bundler/man/bundle-config.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-CONFIG" "1" "March 2024" ""
+.TH "BUNDLE\-CONFIG" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-config\fR \- Set bundler configuration options
 .SH "SYNOPSIS"
@@ -95,8 +95,6 @@ Any periods in the configuration keys must be replaced with two underscores when
 .SH "LIST OF AVAILABLE KEYS"
 The following is a list of all configuration keys and their purpose\. You can learn more about their operation in bundle install(1) \fIbundle\-install\.1\.html\fR\.
 .IP "\(bu" 4
-\fBallow_deployment_source_credential_changes\fR (\fBBUNDLE_ALLOW_DEPLOYMENT_SOURCE_CREDENTIAL_CHANGES\fR): When in deployment mode, allow changing the credentials to a gem's source\. Ex: \fBhttps://some\.host\.com/gems/path/\fR \-> \fBhttps://user_name:password@some\.host\.com/gems/path\fR
-.IP "\(bu" 4
 \fBallow_offline_install\fR (\fBBUNDLE_ALLOW_OFFLINE_INSTALL\fR): Allow Bundler to use cached data when installing without network access\.
 .IP "\(bu" 4
 \fBauto_clean_without_path\fR (\fBBUNDLE_AUTO_CLEAN_WITHOUT_PATH\fR): Automatically run \fBbundle clean\fR after installing when an explicit \fBpath\fR has not been set and Bundler is not installing into the system gems\.

lib/bundler/man/bundle-config.1.ronn

@@ -137,9 +137,6 @@ the environment variable `BUNDLE_LOCAL__RACK`.
 The following is a list of all configuration keys and their purpose. You can
 learn more about their operation in [bundle install(1)](bundle-install.1.html).
 
-* `allow_deployment_source_credential_changes` (`BUNDLE_ALLOW_DEPLOYMENT_SOURCE_CREDENTIAL_CHANGES`):
-   When in deployment mode, allow changing the credentials to a gem's source.
-   Ex: `https://some.host.com/gems/path/` -> `https://user_name:password@some.host.com/gems/path`
 * `allow_offline_install` (`BUNDLE_ALLOW_OFFLINE_INSTALL`):
    Allow Bundler to use cached data when installing without network access.
 * `auto_clean_without_path` (`BUNDLE_AUTO_CLEAN_WITHOUT_PATH`):

lib/bundler/man/bundle-console.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-CONSOLE" "1" "March 2024" ""
+.TH "BUNDLE\-CONSOLE" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-console\fR \- Deprecated way to open an IRB session with the bundle pre\-loaded
 .SH "SYNOPSIS"

lib/bundler/man/bundle-doctor.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-DOCTOR" "1" "March 2024" ""
+.TH "BUNDLE\-DOCTOR" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-doctor\fR \- Checks the bundle for common problems
 .SH "SYNOPSIS"

lib/bundler/man/bundle-exec.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-EXEC" "1" "March 2024" ""
+.TH "BUNDLE\-EXEC" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-exec\fR \- Execute a command in the context of the bundle
 .SH "SYNOPSIS"

lib/bundler/man/bundle-gem.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-GEM" "1" "March 2024" ""
+.TH "BUNDLE\-GEM" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-gem\fR \- Generate a project skeleton for creating a rubygem
 .SH "SYNOPSIS"

lib/bundler/man/bundle-help.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-HELP" "1" "March 2024" ""
+.TH "BUNDLE\-HELP" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-help\fR \- Displays detailed help for each subcommand
 .SH "SYNOPSIS"

lib/bundler/man/bundle-info.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-INFO" "1" "March 2024" ""
+.TH "BUNDLE\-INFO" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-info\fR \- Show information for the given gem in your bundle
 .SH "SYNOPSIS"

lib/bundler/man/bundle-init.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-INIT" "1" "March 2024" ""
+.TH "BUNDLE\-INIT" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-init\fR \- Generates a Gemfile into the current working directory
 .SH "SYNOPSIS"

lib/bundler/man/bundle-inject.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-INJECT" "1" "March 2024" ""
+.TH "BUNDLE\-INJECT" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-inject\fR \- Add named gem(s) with version requirements to Gemfile
 .SH "SYNOPSIS"

lib/bundler/man/bundle-install.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-INSTALL" "1" "March 2024" ""
+.TH "BUNDLE\-INSTALL" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-install\fR \- Install the dependencies specified in your Gemfile
 .SH "SYNOPSIS"

lib/bundler/man/bundle-list.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-LIST" "1" "March 2024" ""
+.TH "BUNDLE\-LIST" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-list\fR \- List all the gems in the bundle
 .SH "SYNOPSIS"

lib/bundler/man/bundle-lock.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-LOCK" "1" "March 2024" ""
+.TH "BUNDLE\-LOCK" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-lock\fR \- Creates / Updates a lockfile without installing
 .SH "SYNOPSIS"

lib/bundler/man/bundle-open.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-OPEN" "1" "March 2024" ""
+.TH "BUNDLE\-OPEN" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-open\fR \- Opens the source directory for a gem in your bundle
 .SH "SYNOPSIS"

lib/bundler/man/bundle-outdated.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-OUTDATED" "1" "March 2024" ""
+.TH "BUNDLE\-OUTDATED" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-outdated\fR \- List installed gems with newer versions available
 .SH "SYNOPSIS"

lib/bundler/man/bundle-platform.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-PLATFORM" "1" "March 2024" ""
+.TH "BUNDLE\-PLATFORM" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-platform\fR \- Displays platform compatibility information
 .SH "SYNOPSIS"

lib/bundler/man/bundle-plugin.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-PLUGIN" "1" "March 2024" ""
+.TH "BUNDLE\-PLUGIN" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-plugin\fR \- Manage Bundler plugins
 .SH "SYNOPSIS"

lib/bundler/man/bundle-pristine.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-PRISTINE" "1" "March 2024" ""
+.TH "BUNDLE\-PRISTINE" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-pristine\fR \- Restores installed gems to their pristine condition
 .SH "SYNOPSIS"

lib/bundler/man/bundle-remove.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-REMOVE" "1" "March 2024" ""
+.TH "BUNDLE\-REMOVE" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-remove\fR \- Removes gems from the Gemfile
 .SH "SYNOPSIS"

lib/bundler/man/bundle-show.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-SHOW" "1" "March 2024" ""
+.TH "BUNDLE\-SHOW" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-show\fR \- Shows all the gems in your bundle, or the path to a gem
 .SH "SYNOPSIS"

lib/bundler/man/bundle-update.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-UPDATE" "1" "March 2024" ""
+.TH "BUNDLE\-UPDATE" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-update\fR \- Update your gems to the latest available versions
 .SH "SYNOPSIS"

lib/bundler/man/bundle-version.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-VERSION" "1" "March 2024" ""
+.TH "BUNDLE\-VERSION" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-version\fR \- Prints Bundler version information
 .SH "SYNOPSIS"

lib/bundler/man/bundle-viz.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE\-VIZ" "1" "March 2024" ""
+.TH "BUNDLE\-VIZ" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\-viz\fR \- Generates a visual dependency graph for your Gemfile
 .SH "SYNOPSIS"

lib/bundler/man/bundle.1

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "BUNDLE" "1" "March 2024" ""
+.TH "BUNDLE" "1" "April 2024" ""
 .SH "NAME"
 \fBbundle\fR \- Ruby Dependency Management
 .SH "SYNOPSIS"

lib/bundler/man/gemfile.5

@@ -1,6 +1,6 @@
 .\" generated with nRonn/v0.11.1
 .\" https://github.com/n-ronn/nronn/tree/0.11.1
-.TH "GEMFILE" "5" "March 2024" ""
+.TH "GEMFILE" "5" "April 2024" ""
 .SH "NAME"
 \fBGemfile\fR \- A format for describing gem dependencies for Ruby programs
 .SH "SYNOPSIS"

lib/bundler/settings.rb

@@ -7,7 +7,6 @@ module Bundler
     autoload :Validator, File.expand_path("settings/validator", __dir__)
 
     BOOL_KEYS = %w[
-      allow_deployment_source_credential_changes
       allow_offline_install
       auto_clean_without_path
       auto_install

lib/bundler/source/rubygems.rb

@@ -10,7 +10,7 @@ module Bundler
       # Ask for X gems per API request
       API_REQUEST_SIZE = 50
 
-      attr_reader :remotes
+      attr_accessor :remotes
 
       def initialize(options = {})
         @options = options
@@ -96,7 +96,7 @@ module Bundler
       def to_lock
         out = String.new("GEM\n")
         remotes.reverse_each do |remote|
-          out << "  remote: #{suppress_configured_credentials remote}\n"
+          out << "  remote: #{remove_auth remote}\n"
         end
         out << "  specs:\n"
       end
@@ -312,11 +312,7 @@ module Bundler
       end
 
       def credless_remotes
-        if Bundler.settings[:allow_deployment_source_credential_changes]
-          remotes.map(&method(:remove_auth))
-        else
-          remotes.map(&method(:suppress_configured_credentials))
-        end
+        remotes.map(&method(:remove_auth))
       end
 
       def remotes_for_spec(spec)
@@ -355,15 +351,6 @@ module Bundler
         uri
       end
 
-      def suppress_configured_credentials(remote)
-        remote_nouser = remove_auth(remote)
-        if remote.userinfo && remote.userinfo == Bundler.settings[remote_nouser]
-          remote_nouser
-        else
-          remote
-        end
-      end
-
       def remove_auth(remote)
         if remote.user || remote.password
           remote.dup.tap {|uri| uri.user = uri.password = nil }.to_s

lib/bundler/source_list.rb

@@ -157,7 +157,11 @@ module Bundler
     end
 
     def map_sources(replacement_sources)
-      rubygems, git, plugin = [@rubygems_sources, @git_sources, @plugin_sources].map do |sources|
+      rubygems = @rubygems_sources.map do |source|
+        replace_rubygems_source(replacement_sources, source) || source
+      end
+
+      git, plugin = [@git_sources, @plugin_sources].map do |sources|
         sources.map do |source|
           replacement_sources.find {|s| s == source } || source
         end
@@ -171,13 +175,22 @@ module Bundler
     end
 
     def global_replacement_source(replacement_sources)
-      replacement_source = replacement_sources.find {|s| s == global_rubygems_source }
+      replacement_source = replace_rubygems_source(replacement_sources, global_rubygems_source)
       return global_rubygems_source unless replacement_source
 
       replacement_source.cached!
       replacement_source
     end
 
+    def replace_rubygems_source(replacement_sources, gemfile_source)
+      replacement_source = replacement_sources.find {|s| s == gemfile_source }
+      return unless replacement_source
+
+      # locked sources never include credentials so always prefer remotes from the gemfile
+      replacement_source.remotes = gemfile_source.remotes
+      replacement_source
+    end
+
     def different_sources?(lock_sources, replacement_sources)
       !equivalent_sources?(lock_sources, replacement_sources)
     end

spec/bundler/install/deploy_spec.rb

@@ -183,50 +183,10 @@ RSpec.describe "install in deployment or frozen mode" do
       bundle "config set --local deployment true"
     end
 
-    it "prevents the replace by default" do
-      bundle :install, raise_on_error: false
+    it "allows the replace" do
+      bundle :install
 
-      expect(err).to match(/The list of sources changed/)
-    end
-
-    context "when allow_deployment_source_credential_changes is true" do
-      before { bundle "config set allow_deployment_source_credential_changes true" }
-
-      it "allows the replace" do
-        bundle :install
-
-        expect(out).to match(/Bundle complete!/)
-      end
-    end
-
-    context "when allow_deployment_source_credential_changes is false" do
-      before { bundle "config set allow_deployment_source_credential_changes false" }
-
-      it "prevents the replace" do
-        bundle :install, raise_on_error: false
-
-        expect(err).to match(/The list of sources changed/)
-      end
-    end
-
-    context "when BUNDLE_ALLOW_DEPLOYMENT_SOURCE_CREDENTIAL_CHANGES env var is true" do
-      before { ENV["BUNDLE_ALLOW_DEPLOYMENT_SOURCE_CREDENTIAL_CHANGES"] = "true" }
-
-      it "allows the replace" do
-        bundle :install
-
-        expect(out).to match(/Bundle complete!/)
-      end
-    end
-
-    context "when BUNDLE_ALLOW_DEPLOYMENT_SOURCE_CREDENTIAL_CHANGES env var is false" do
-      before { ENV["BUNDLE_ALLOW_DEPLOYMENT_SOURCE_CREDENTIAL_CHANGES"] = "false" }
-
-      it "prevents the replace" do
-        bundle :install, raise_on_error: false
-
-        expect(err).to match(/The list of sources changed/)
-      end
+      expect(out).to match(/Bundle complete!/)
     end
   end
 

spec/bundler/lock/lockfile_spec.rb

@@ -324,7 +324,7 @@ RSpec.describe "the lockfile format" do
     G
   end
 
-  it "generates a lockfile without credentials for a configured source" do
+  it "generates a lockfile without credentials" do
     bundle "config set http://localgemserver.test/ user:pass"
 
     install_gemfile(<<-G, artifice: "endpoint_strict_basic_authentication", quiet: true)
@@ -354,7 +354,7 @@ RSpec.describe "the lockfile format" do
         specs:
 
       GEM
-        remote: http://user:pass@othergemserver.test/
+        remote: http://othergemserver.test/
         specs:
           rack (1.0.0)
           rack-obama (1.0)