[pull] master from ruby:master #863
Merged
pull[bot] merged 11 commits into turkdevops:master from Mar 19, 2026
- ### Problem

  With the Bundler autoswitch feature, system Bundler may install a `bundler.gem` that matches the Gemfile.lock. The `bundler.gem` that gets downloaded is like any other gem, but it's treated differently (it doesn't appear in the Gemfile specs and we also don't lock its checksum). If for any reason Bundler itself gets compromised, it's a security concern.

  ### Details

  I'd like to introduce this change in two separate changes for easier reviews. The first (this commit) only produces the checksum in the lockfile; nothing consumes it or verifies it yet. The second patch will make sure that whenever the Bundler auto-install kicks in, Bundler will verify that the locked checksum matches the Bundler version being downloaded and installed.

  ### Solution

  Overall the solution here is similar to how checksums are already generated for other gems. However, the `bundler` gem comes from a different source (the `Bundler::Source::Metadata`) and so it needs to be handled slightly differently.

  A big part of the change is test related. Instead of having to modify all tests that assert the state of the lockfile (which will be broken now, since the lockfile includes the Bundler checksum), I opted to automatically include the checksum whenever the helper method `checksums_section` is called.

  ruby/rubygems@9ce52a2188
ZJIT CI runs with --zjit-call-threshold=1 which JIT-compiles every function on first call, adding significant overhead. The 5-second timeout for test-syntax-suggest's "does not timeout on massive files" test is too tight under this configuration, causing random failures on slow CI runners. YJIT CI is unaffected at 5 seconds.
In `JSON.parse(doc, allow_duplicate_key: false)`. ruby/json@393b41c3e5
In addition to compile-time knowledge, we can also (now that the global regalloc has landed) check at run time if the value being stored is a heap object.
`ar` with replace mode preserves old archive members that are no longer in the input list. When object files like prism/node.o get recompiled with different symbols (e.g. after prism updates), the stale version in the archive can cause undefined reference errors during zjit-test linking. Delete the archive first to ensure it only contains current objects.
Today you can read instance variables from non-main Ractors, but many Rails applications use cvars, and we cannot read them. For example:

```ruby
class Foo
  # This is NOT allowed to be read in non-main Ractors
  @@bar = 123
  def self.bar; @@bar; end

  # This is allowed to be read in non-main Ractors
  @baz = 123
  def self.baz; @baz; end
end

# This is OK
Ractor.new { p Foo.baz }.value

# Exception here
Ractor.new { p Foo.bar }.value
```

This commit changes the semantics of cvars to be the same as instance variables:

* It's ok to read Ractor shareable objects from the non-main Ractor
* It's NOT ok to write from the non-main Ractor

[Feature #21942]
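The Bundler commit message above says the first patch only writes Bundler's checksum to the lockfile and that verification comes in a second patch. As an added example (not Bundler's code and not part of this pull request), the Ruby below shows a fail-closed check of a downloaded gem against the lockfile's `CHECKSUMS` section. The lockfile, versions and gem bytes are constructed, and it is an assumption that the `bundler` entry uses the same line format as other gems.

```ruby
require "digest"

GOOD_BYTES = "constructed bundler.gem bytes" # stand-in for the downloaded file

# Constructed lockfile; names, versions and digests are made up for this example.
# Assumption: the bundler entry uses the same line format as other gems.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (1.2.3)

  CHECKSUMS
    bundler (9.9.9) sha256=#{Digest::SHA256.hexdigest(GOOD_BYTES)}
    rake (1.2.3) sha256=#{Digest::SHA256.hexdigest("constructed rake.gem bytes")}
    nochecksum (0.1.0)

  BUNDLED WITH
    9.9.9
LOCK

# Parse CHECKSUMS into {"name (version)" => {"sha256" => hex, ...}}.
# An entry without a digest maps to an empty hash.
def locked_checksums(lockfile)
  section = lockfile[/^CHECKSUMS\n((?:[ \t]+.*\n)*)/, 1].to_s
  section.each_line.with_object({}) do |line, out|
    m = line.match(/\A\s+(\S+) \(([^)]+)\)(?: (\S+))?\s*\z/) or next
    out["#{m[1]} (#{m[2]})"] = m[3].to_s.split(",").to_h { |s| s.split("=", 2) }
  end
end

# Fail closed: a missing entry and a digest mismatch both reject the file.
def verify_gem!(lockfile, name, version, gem_bytes)
  expected = locked_checksums(lockfile).dig("#{name} (#{version})", "sha256")
  raise SecurityError, "no locked sha256 for #{name} #{version}" unless expected
  actual = Digest::SHA256.hexdigest(gem_bytes)
  return true if actual == expected
  raise SecurityError, "sha256 mismatch for #{name} #{version}: locked #{expected}, got #{actual}"
end

# The untampered bytes match the locked digest, so this call returns true.
verify_gem!(LOCKFILE, "bundler", "9.9.9", GOOD_BYTES)
```

A version that is not in the lockfile is rejected rather than installed unverified, which is the case that matters when auto-install fetches a Bundler version on its own.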
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)