[pull] master from ruby:master

.github/workflows/check_sast.yml

@@ -95,17 +95,17 @@ jobs:
         run: sudo rm /usr/lib/ruby/vendor_ruby/rubygems/defaults/operating_system.rb
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/init@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
         with:
           languages: ${{ matrix.language }}
           trap-caching: false
           debug: true
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/autobuild@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/analyze@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
         with:
           category: '/language:${{ matrix.language }}'
           upload: False
@@ -135,7 +135,7 @@ jobs:
         continue-on-error: true
 
       - name: Upload SARIF
-        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
         with:
           sarif_file: sarif-results/${{ matrix.language }}.sarif
         continue-on-error: true

.github/workflows/scorecards.yml

@@ -73,6 +73,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
         with:
           sarif_file: results.sarif

ext/stringio/stringio.c

@@ -62,6 +62,7 @@ struct StringIO {
     int count;
 };
 
+static struct StringIO *get_strio_for_read(VALUE self);
 static VALUE strio_init(int, VALUE *, struct StringIO *, VALUE);
 static VALUE strio_unget_bytes(struct StringIO *, const char *, long);
 static long strio_write(VALUE self, VALUE str);
@@ -126,8 +127,14 @@ static const rb_data_type_t strio_data_type = {
 static struct StringIO*
 get_strio(VALUE self)
 {
-    struct StringIO *ptr = check_strio(rb_io_taint_check(self));
+    rb_check_frozen(self);
+    return get_strio_for_read(self);
+}
 
+static struct StringIO*
+get_strio_for_read(VALUE self)
+{
+    struct StringIO *ptr = check_strio(self);
     if (!ptr) {
 	rb_raise(rb_eIOError, "uninitialized stream");
     }
@@ -155,6 +162,7 @@ strio_substr(struct StringIO *ptr, long pos, long len, rb_encoding *enc)
 }
 
 #define StringIO(obj) get_strio(obj)
+#define StringIOForRead(obj) get_strio_for_read(obj)
 
 #define STRIO_READABLE FL_USER4
 #define STRIO_WRITABLE FL_USER5
@@ -182,7 +190,7 @@ static VALUE sym_exception;
 static struct StringIO*
 readable(VALUE strio)
 {
-    struct StringIO *ptr = StringIO(strio);
+    struct StringIO *ptr = StringIOForRead(strio);
     if (!READABLE(strio)) {
 	rb_raise(rb_eIOError, "not opened for reading");
     }
@@ -387,7 +395,8 @@ strio_init(int argc, VALUE *argv, struct StringIO *ptr, VALUE self)
 static VALUE
 strio_finalize(VALUE self)
 {
-    struct StringIO *ptr = StringIO(self);
+    struct StringIO *ptr = check_strio(self);
+    if (!ptr) return Qnil;
     RB_OBJ_WRITE(self, &ptr->string, Qnil);
     ptr->flags &= ~FMODE_READWRITE;
     return self;
@@ -439,7 +448,7 @@ strio_s_new(int argc, VALUE *argv, VALUE klass)
 static VALUE
 strio_false(VALUE self)
 {
-    StringIO(self);
+    StringIOForRead(self);
     return Qfalse;
 }
 
@@ -449,7 +458,7 @@ strio_false(VALUE self)
 static VALUE
 strio_nil(VALUE self)
 {
-    StringIO(self);
+    StringIOForRead(self);
     return Qnil;
 }
 
@@ -459,7 +468,7 @@ strio_nil(VALUE self)
 static VALUE
 strio_self(VALUE self)
 {
-    StringIO(self);
+    StringIOForRead(self);
     return self;
 }
 
@@ -469,7 +478,7 @@ strio_self(VALUE self)
 static VALUE
 strio_0(VALUE self)
 {
-    StringIO(self);
+    StringIOForRead(self);
     return INT2FIX(0);
 }
 
@@ -479,7 +488,7 @@ strio_0(VALUE self)
 static VALUE
 strio_first(VALUE self, VALUE arg)
 {
-    StringIO(self);
+    StringIOForRead(self);
     return arg;
 }
 
@@ -489,7 +498,7 @@ strio_first(VALUE self, VALUE arg)
 static VALUE
 strio_unimpl(int argc, VALUE *argv, VALUE self)
 {
-    StringIO(self);
+    StringIOForRead(self);
     rb_notimplement();
 
     UNREACHABLE;
@@ -517,7 +526,7 @@ strio_unimpl(int argc, VALUE *argv, VALUE self)
 static VALUE
 strio_get_string(VALUE self)
 {
-    return StringIO(self)->string;
+    return StringIOForRead(self)->string;
 }
 
 /*
@@ -650,7 +659,7 @@ strio_close_write(VALUE self)
 static VALUE
 strio_closed(VALUE self)
 {
-    StringIO(self);
+    StringIOForRead(self);
     if (!CLOSED(self)) return Qfalse;
     return Qtrue;
 }
@@ -671,7 +680,7 @@ strio_closed(VALUE self)
 static VALUE
 strio_closed_read(VALUE self)
 {
-    StringIO(self);
+    StringIOForRead(self);
     if (READABLE(self)) return Qfalse;
     return Qtrue;
 }
@@ -692,7 +701,7 @@ strio_closed_read(VALUE self)
 static VALUE
 strio_closed_write(VALUE self)
 {
-    StringIO(self);
+    StringIOForRead(self);
     if (WRITABLE(self)) return Qfalse;
     return Qtrue;
 }
@@ -738,7 +747,7 @@ strio_copy(VALUE copy, VALUE orig)
 
     orig = rb_convert_type(orig, T_DATA, "StringIO", "to_strio");
     if (copy == orig) return copy;
-    ptr = StringIO(orig);
+    ptr = StringIOForRead(orig);
     old_ptr = check_strio(copy);
     if (old_ptr) {
 	old_string = old_ptr->string;
@@ -762,7 +771,7 @@ strio_copy(VALUE copy, VALUE orig)
 static VALUE
 strio_get_lineno(VALUE self)
 {
-    return LONG2NUM(StringIO(self)->lineno);
+    return LONG2NUM(StringIOForRead(self)->lineno);
 }
 
 /*
@@ -850,7 +859,7 @@ strio_reopen(int argc, VALUE *argv, VALUE self)
 static VALUE
 strio_get_pos(VALUE self)
 {
-    return LONG2NUM(StringIO(self)->pos);
+    return LONG2NUM(StringIOForRead(self)->pos);
 }
 
 /*
@@ -942,7 +951,7 @@ strio_seek(int argc, VALUE *argv, VALUE self)
 static VALUE
 strio_get_sync(VALUE self)
 {
-    StringIO(self);
+    StringIOForRead(self);
     return Qtrue;
 }
 
@@ -1863,7 +1872,7 @@ strio_syswrite_nonblock(int argc, VALUE *argv, VALUE self)
 static VALUE
 strio_size(VALUE self)
 {
-    VALUE string = StringIO(self)->string;
+    VALUE string = StringIOForRead(self)->string;
     if (NIL_P(string)) {
 	return INT2FIX(0);
     }
@@ -1915,7 +1924,7 @@ strio_truncate(VALUE self, VALUE len)
 static VALUE
 strio_external_encoding(VALUE self)
 {
-    struct StringIO *ptr = StringIO(self);
+    struct StringIO *ptr = StringIOForRead(self);
     return rb_enc_from_encoding(get_enc(ptr));
 }
 

lib/bundler/cli/outdated.rb

@@ -199,7 +199,11 @@ def print_gem(current_spec, active_spec, dependency, groups)
       end
 
       spec_outdated_info = "#{active_spec.name} (newest #{spec_version}, " \
-        "installed #{current_version}#{dependency_version})"
+        "installed #{current_version}#{dependency_version}"
+
+      release_date = release_date_for(active_spec)
+      spec_outdated_info += ", released #{release_date}" unless release_date.empty?
+      spec_outdated_info += ")"
 
       output_message = if options[:parseable]
         spec_outdated_info.to_s
@@ -218,6 +222,7 @@ def gem_column_for(current_spec, active_spec, dependency, groups)
       dependency = dependency.requirement if dependency
 
       ret_val = [active_spec.name, current_version, spec_version, dependency.to_s, groups.to_s]
+      ret_val << release_date_for(active_spec)
       ret_val << loaded_from_for(active_spec).to_s if Bundler.ui.debug?
       ret_val
     end
@@ -283,11 +288,28 @@ def print_indented(matrix)
     end
 
     def table_header
-      header = ["Gem", "Current", "Latest", "Requested", "Groups"]
+      header = ["Gem", "Current", "Latest", "Requested", "Groups", "Release Date"]
       header << "Path" if Bundler.ui.debug?
       header
     end
 
+    def release_date_for(spec)
+      return "" unless spec.respond_to?(:date)
+
+      date = spec.date
+      return "" unless date
+
+      return "" unless Gem.const_defined?(:DEFAULT_SOURCE_DATE_EPOCH)
+      default_date = Time.at(Gem::DEFAULT_SOURCE_DATE_EPOCH).utc
+      default_date = Time.utc(default_date.year, default_date.month, default_date.day)
+
+      date = date.utc if date.respond_to?(:utc)
+
+      return "" if date == default_date
+
+      date.strftime("%Y-%m-%d")
+    end
+
     def justify(row, sizes)
       row.each_with_index.map do |element, index|
         element.ljust(sizes[index])

lib/bundler/man/bundle-outdated.1

@@ -61,42 +61,42 @@ The 3 filtering options do not affect the resolution of versions, merely what ve
 If the regular output shows the following:
 .IP "" 4
 .nf
-* Gem       Current  Latest  Requested  Groups
-* faker     1\.6\.5    1\.6\.6   ~> 1\.4     development, test
-* hashie    1\.2\.0    3\.4\.6   = 1\.2\.0    default
-* headless  2\.2\.3    2\.3\.1   = 2\.2\.3    test
+* Gem       Current  Latest  Requested  Groups              Release Date
+* faker     1\.6\.5    1\.6\.6   ~> 1\.4     development, test   2024\-02\-05
+* hashie    1\.2\.0    3\.4\.6   = 1\.2\.0    default             2023\-11\-10
+* headless  2\.2\.3    2\.3\.1   = 2\.2\.3    test                2022\-08\-19
 .fi
 .IP "" 0
 .P
 \fB\-\-filter\-major\fR would only show:
 .IP "" 4
 .nf
-* Gem       Current  Latest  Requested  Groups
-* hashie    1\.2\.0    3\.4\.6   = 1\.2\.0    default
+* Gem       Current  Latest  Requested  Groups   Release Date
+* hashie    1\.2\.0    3\.4\.6   = 1\.2\.0    default  2023\-11\-10
 .fi
 .IP "" 0
 .P
 \fB\-\-filter\-minor\fR would only show:
 .IP "" 4
 .nf
-* Gem       Current  Latest  Requested  Groups
-* headless  2\.2\.3    2\.3\.1   = 2\.2\.3    test
+* Gem       Current  Latest  Requested  Groups  Release Date
+* headless  2\.2\.3    2\.3\.1   = 2\.2\.3    test    2022\-08\-19
 .fi
 .IP "" 0
 .P
 \fB\-\-filter\-patch\fR would only show:
 .IP "" 4
 .nf
-* Gem       Current  Latest  Requested  Groups
-* faker     1\.6\.5    1\.6\.6   ~> 1\.4     development, test
+* Gem       Current  Latest  Requested  Groups              Release Date
+* faker     1\.6\.5    1\.6\.6   ~> 1\.4     development, test   2024\-02\-05
 .fi
 .IP "" 0
 .P
 Filter options can be combined\. \fB\-\-filter\-minor\fR and \fB\-\-filter\-patch\fR would show:
 .IP "" 4
 .nf
-* Gem       Current  Latest  Requested  Groups
-* faker     1\.6\.5    1\.6\.6   ~> 1\.4     development, test
+* Gem       Current  Latest  Requested  Groups              Release Date
+* faker     1\.6\.5    1\.6\.6   ~> 1\.4     development, test   2024\-02\-05
 .fi
 .IP "" 0
 .P

lib/bundler/man/bundle-outdated.1.ronn

@@ -82,29 +82,29 @@ in the output.
 
 If the regular output shows the following:
 
-    * Gem       Current  Latest  Requested  Groups
-    * faker     1.6.5    1.6.6   ~> 1.4     development, test
-    * hashie    1.2.0    3.4.6   = 1.2.0    default
-    * headless  2.2.3    2.3.1   = 2.2.3    test
+    * Gem       Current  Latest  Requested  Groups              Release Date
+    * faker     1.6.5    1.6.6   ~> 1.4     development, test   2024-02-05
+    * hashie    1.2.0    3.4.6   = 1.2.0    default             2023-11-10
+    * headless  2.2.3    2.3.1   = 2.2.3    test                2022-08-19
 
 `--filter-major` would only show:
 
-    * Gem       Current  Latest  Requested  Groups
-    * hashie    1.2.0    3.4.6   = 1.2.0    default
+    * Gem       Current  Latest  Requested  Groups   Release Date
+    * hashie    1.2.0    3.4.6   = 1.2.0    default  2023-11-10
 
 `--filter-minor` would only show:
 
-    * Gem       Current  Latest  Requested  Groups
-    * headless  2.2.3    2.3.1   = 2.2.3    test
+    * Gem       Current  Latest  Requested  Groups  Release Date
+    * headless  2.2.3    2.3.1   = 2.2.3    test    2022-08-19
 
 `--filter-patch` would only show:
 
-    * Gem       Current  Latest  Requested  Groups
-    * faker     1.6.5    1.6.6   ~> 1.4     development, test
+    * Gem       Current  Latest  Requested  Groups              Release Date
+    * faker     1.6.5    1.6.6   ~> 1.4     development, test   2024-02-05
 
 Filter options can be combined. `--filter-minor` and `--filter-patch` would show:
 
-    * Gem       Current  Latest  Requested  Groups
-    * faker     1.6.5    1.6.6   ~> 1.4     development, test
+    * Gem       Current  Latest  Requested  Groups              Release Date
+    * faker     1.6.5    1.6.6   ~> 1.4     development, test   2024-02-05
 
 Combining all three `filter` options would be the same result as providing none of them.

spec/bundler/commands/newgem_spec.rb

@@ -1764,7 +1764,7 @@ def create_temporary_dir(dir)
       it "configures the crate such that `cargo test` works", :ruby_repo, :mri_only do
         env = setup_rust_env
         gem_path = bundled_app(gem_name)
-        result = sys_exec("cargo test", env: env, dir: gem_path)
+        result = sys_exec("cargo test", env: env, dir: gem_path, timeout: 300)
 
         expect(result).to include("1 passed")
       end