From e14897a0674af69b5e738a1f1525616ef1265b6b Mon Sep 17 00:00:00 2001 From: git Date: Wed, 15 Apr 2026 07:13:16 +0000 Subject: [PATCH 1/4] Update bundled gems list as of 2026-04-15 --- NEWS.md | 6 +++++- gems/bundled_gems | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/NEWS.md b/NEWS.md index bf49b0358f0711..6c748e874d314d 100644 --- a/NEWS.md +++ b/NEWS.md @@ -88,7 +88,9 @@ releases. ### The following bundled gems are updated. -* minitest 6.0.3 +* minitest 6.0.4 +* rake 13.4.1 + * 13.3.1 to [v13.4.0][rake-v13.4.0], [v13.4.1][rake-v13.4.1] * test-unit 3.7.7 * 3.7.5 to [3.7.6][test-unit-3.7.6], [3.7.7][test-unit-3.7.7] * net-imap 0.6.3 @@ -182,6 +184,8 @@ A lot of work has gone into making Ractors more stable, performant, and usable. [resolv-v0.7.1]: https://github.com/ruby/resolv/releases/tag/v0.7.1 [strscan-v3.1.7]: https://github.com/ruby/strscan/releases/tag/v3.1.7 [timeout-v0.6.1]: https://github.com/ruby/timeout/releases/tag/v0.6.1 +[rake-v13.4.0]: https://github.com/ruby/rake/releases/tag/v13.4.0 +[rake-v13.4.1]: https://github.com/ruby/rake/releases/tag/v13.4.1 [test-unit-3.7.6]: https://github.com/test-unit/test-unit/releases/tag/3.7.6 [test-unit-3.7.7]: https://github.com/test-unit/test-unit/releases/tag/3.7.7 [net-imap-v0.6.3]: https://github.com/ruby/net-imap/releases/tag/v0.6.3 diff --git a/gems/bundled_gems b/gems/bundled_gems index eb2ffd37f2c976..dcabd4895b8f99 100644 --- a/gems/bundled_gems +++ b/gems/bundled_gems @@ -6,9 +6,9 @@ # - revision: revision in repository-url to test # if `revision` is not given, "v"+`version` or `version` will be used. -minitest 6.0.3 https://github.com/minitest/minitest +minitest 6.0.4 https://github.com/minitest/minitest power_assert 3.0.1 https://github.com/ruby/power_assert -rake 13.3.1 https://github.com/ruby/rake +rake 13.4.1 https://github.com/ruby/rake test-unit 3.7.7 https://github.com/test-unit/test-unit rexml 3.4.4 https://github.com/ruby/rexml rss 0.3.2 https://github.com/ruby/rss 
From 945c6ec3955544195964d4956153034e65e40945 Mon Sep 17 00:00:00 2001 From: Jun Aruga Date: Tue, 26 Oct 2021 22:14:23 +0200 Subject: [PATCH 2/4] [ruby/rubygems] Print a warning for a potential confusion from the indirect dependencies. Print a warning when a confusion by the indirect dependencies may happen. See CVE-2020-36327 for the security risk. https://github.com/ruby/rubygems/commit/403d6744b2 --- lib/bundler/definition.rb | 22 +++++++++- spec/bundler/bundler/definition_spec.rb | 55 +++++++++++++++++++++++++ 2 files changed, 76 insertions(+), 1 deletion(-) diff --git a/lib/bundler/definition.rb b/lib/bundler/definition.rb index a923a8cb20e8c4..b3f113bd48a78e 100644 --- a/lib/bundler/definition.rb +++ b/lib/bundler/definition.rb @@ -777,7 +777,27 @@ def start_resolution end def precompute_source_requirements_for_indirect_dependencies? - sources.non_global_rubygems_sources.all?(&:dependency_api_available?) + return false unless @remote && !sources.aggregate_global_source? + + if sources.non_global_rubygems_sources.all?(&:dependency_api_available?) + true + else + non_dependency_api_warning + false + end + end + + def non_dependency_api_warning + non_api_sources = sources.non_global_rubygems_sources.reject(&:dependency_api_available?) + non_api_source_names = non_api_sources.map {|d| " * #{d}" }.join("\n") + + msg = String.new + msg << "Your Gemfile contains scoped sources that don't implement a dependency API, namely:\n\n" + msg << non_api_source_names + msg << "\n\nUsing the above gem servers may result in installing unexpected gems. " \ + "To resolve this warning, make sure you use gem servers that implement dependency APIs, " \ + "such as gemstash or geminabox gem servers." + Bundler.ui.warn msg end def current_platform_locked? diff --git a/spec/bundler/bundler/definition_spec.rb b/spec/bundler/bundler/definition_spec.rb index 9524c70193ebd8..1811f2db567ed0 100644 --- a/spec/bundler/bundler/definition_spec.rb +++ b/spec/bundler/bundler/definition_spec.rb 
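Review bot: `non_dependency_api_warning` calls `dependency_api_available?` on every scoped source a second time through `reject`, immediately after the predicate's `all?` has already evaluated it; if that check is not memoized on the source (it may probe the remote, which this hunk does not show), each non-global source is queried twice whenever the warning path is taken. The failing set could be computed once in the predicate, `non_api_sources = sources.non_global_rubygems_sources.reject(&:dependency_api_available?)`, returning `true` when it is empty and otherwise handing it to the helper as `def non_dependency_api_warning(non_api_sources)`. That also keeps the list the message prints identical to the list the decision was made on, which matters if availability can change between the two calls.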
@@ -289,6 +289,61 @@ end end + describe "#precompute_source_requirements_for_indirect_dependencies?" do + before do + allow(Bundler::SharedHelpers).to receive(:find_gemfile) { Pathname.new("Gemfile") } + end + + let(:sources) { Bundler::SourceList.new } + subject { Bundler::Definition.new(nil, [], sources, []) } + + context "when remote and does not have multiple global sources" do + before do + subject.instance_variable_set(:@remote, true) + allow(sources).to receive(:aggregate_global_source?).and_return(false) + allow(sources).to receive(:non_global_rubygems_sources).and_return(non_global_rubygems_sources) + end + + context "when all the scoped sources contain a dependency API" do + let(:non_global_rubygems_sources) do + [ + double("non-global-source-0", :dependency_api_available? => true, :to_s => "a"), + double("non-global-source-1", :dependency_api_available? => true, :to_s => "b"), + ] + end + + it "will not raise a warning" do + expect(subject).not_to receive(:non_dependency_api_warning) + + expect(subject.send(:precompute_source_requirements_for_indirect_dependencies?)).to be_truthy + end + end + + context "when scoped sources do not contain a dependency API" do + let(:non_global_rubygems_sources) do + [ + double("non-global-source-0", :dependency_api_available? => true, :to_s => "a"), + double("non-global-source-1", :dependency_api_available? => false, :to_s => "b"), + double("non-global-source-2", :dependency_api_available? => false, :to_s => "c"), + ] + end + + it "will raise a warning" do + expect(Bundler.ui).to receive(:warn).with(<<-W.strip) +Your Gemfile contains scoped sources that don't implement a dependency API, namely: + + * b + * c + +Using the above gem servers may result in installing unexpected gems. To resolve this warning, make sure you use gem servers that implement dependency APIs, such as gemstash or geminabox gem servers. 
+ W + + expect(subject.send(:precompute_source_requirements_for_indirect_dependencies?)).to be_falsy + end + end + end + end + def mock_source_list Class.new do def all_sources From 1bc44ad4f069eaab51a4633781a96f423c195d0a Mon Sep 17 00:00:00 2001 From: Hiroshi SHIBATA Date: Wed, 15 Apr 2026 17:11:43 +0900 Subject: [PATCH 3/4] [ruby/rubygems] Remove extra guard conditions to preserve existing behavior The original PR added @remote and aggregate_global_source? checks to precompute_source_requirements_for_indirect_dependencies?, but these conditions did not exist in the current codebase and would change the method's behavior in cases where @remote is false or aggregate_global_source? is true. Since the goal is only to warn when falling back to the insecure aggregate resolution path, keep the existing condition as-is and just add the warning on the false branch. Simplify the corresponding tests accordingly. https://github.com/ruby/rubygems/commit/ddd292acf1 Co-Authored-By: Claude Opus 4.6 (1M context) --- lib/bundler/definition.rb | 2 - spec/bundler/bundler/definition_spec.rb | 56 ++++++++++++------------- 2 files changed, 26 insertions(+), 32 deletions(-) diff --git a/lib/bundler/definition.rb b/lib/bundler/definition.rb index b3f113bd48a78e..a620475c18cf48 100644 --- a/lib/bundler/definition.rb +++ b/lib/bundler/definition.rb @@ -777,8 +777,6 @@ def start_resolution end def precompute_source_requirements_for_indirect_dependencies? - return false unless @remote && !sources.aggregate_global_source? - if sources.non_global_rubygems_sources.all?(&:dependency_api_available?) true else diff --git a/spec/bundler/bundler/definition_spec.rb b/spec/bundler/bundler/definition_spec.rb index 1811f2db567ed0..1e821f590180d1 100644 --- a/spec/bundler/bundler/definition_spec.rb +++ b/spec/bundler/bundler/definition_spec.rb 
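Review bot: The negative case `it "will not raise a warning"` asserts that the private helper `non_dependency_api_warning` is not invoked rather than that nothing is warned, so it would keep passing if the warning were later emitted inline or from elsewhere; `expect(Bundler.ui).not_to receive(:warn)` pins the observable behaviour and mirrors the positive case, which already sets its expectation on `Bundler.ui`. The same assertion is carried over unchanged into the rewritten spec hunk of PATCH 3/4 (`it "returns true without warning"`), so it applies there too. The enclosing `describe` block ends inside this hunk, but the surrounding spec file continues past it.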
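Review bot: With the `@remote`/`aggregate_global_source?` guard removed, `precompute_source_requirements_for_indirect_dependencies?` still carries no comment explaining what its `false` result means: per the commit message, resolution then falls back to aggregate resolution across all sources, which is the dependency-confusion exposure CVE-2020-36327 (cited in PATCH 2/4) that the new warning is meant to surface, and that warning is the only signal the user receives. A two-line header comment would make this explicit, e.g. `# True when every scoped source exposes a dependency API, so indirect dependencies can be pinned to their source.` followed by `# False means the resolver falls back to aggregate resolution across sources (see CVE-2020-36327); the sources responsible are named in a warning.` The `else` branch and the end of the method lie outside this hunk. Since the predicate now warns unconditionally on its false branch, the message will repeat if the method is evaluated more than once per resolution, which cannot be confirmed from the lines shown.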
@@ -297,49 +297,45 @@ let(:sources) { Bundler::SourceList.new } subject { Bundler::Definition.new(nil, [], sources, []) } - context "when remote and does not have multiple global sources" do - before do - subject.instance_variable_set(:@remote, true) - allow(sources).to receive(:aggregate_global_source?).and_return(false) - allow(sources).to receive(:non_global_rubygems_sources).and_return(non_global_rubygems_sources) - end + before do + allow(sources).to receive(:non_global_rubygems_sources).and_return(non_global_rubygems_sources) + end - context "when all the scoped sources contain a dependency API" do - let(:non_global_rubygems_sources) do - [ - double("non-global-source-0", :dependency_api_available? => true, :to_s => "a"), - double("non-global-source-1", :dependency_api_available? => true, :to_s => "b"), - ] - end + context "when all the scoped sources implement a dependency API" do + let(:non_global_rubygems_sources) do + [ + double("non-global-source-0", :dependency_api_available? => true, :to_s => "a"), + double("non-global-source-1", :dependency_api_available? => true, :to_s => "b"), + ] + end - it "will not raise a warning" do - expect(subject).not_to receive(:non_dependency_api_warning) + it "returns true without warning" do + expect(subject).not_to receive(:non_dependency_api_warning) - expect(subject.send(:precompute_source_requirements_for_indirect_dependencies?)).to be_truthy - end + expect(subject.send(:precompute_source_requirements_for_indirect_dependencies?)).to be_truthy end + end - context "when scoped sources do not contain a dependency API" do - let(:non_global_rubygems_sources) do - [ - double("non-global-source-0", :dependency_api_available? => true, :to_s => "a"), - double("non-global-source-1", :dependency_api_available? => false, :to_s => "b"), - double("non-global-source-2", :dependency_api_available? 
=> false, :to_s => "c"), - ] - end + context "when some scoped sources do not implement a dependency API" do + let(:non_global_rubygems_sources) do + [ + double("non-global-source-0", :dependency_api_available? => true, :to_s => "a"), + double("non-global-source-1", :dependency_api_available? => false, :to_s => "b"), + double("non-global-source-2", :dependency_api_available? => false, :to_s => "c"), + ] + end - it "will raise a warning" do - expect(Bundler.ui).to receive(:warn).with(<<-W.strip) + it "returns false and warns about the non-API sources" do + expect(Bundler.ui).to receive(:warn).with(<<-W.strip) Your Gemfile contains scoped sources that don't implement a dependency API, namely: * b * c Using the above gem servers may result in installing unexpected gems. To resolve this warning, make sure you use gem servers that implement dependency APIs, such as gemstash or geminabox gem servers. - W + W - expect(subject.send(:precompute_source_requirements_for_indirect_dependencies?)).to be_falsy - end + expect(subject.send(:precompute_source_requirements_for_indirect_dependencies?)).to be_falsy end end end From 75387fd3d7a3466e265839dd32ef3b399c1e6b80 Mon Sep 17 00:00:00 2001 From: Hiroshi SHIBATA Date: Wed, 15 Apr 2026 17:16:41 +0900 Subject: [PATCH 4/4] [ruby/rubygems] Fix Style/HashSyntax offenses in definition_spec.rb https://github.com/ruby/rubygems/commit/97d05b3fc5 Co-Authored-By: Claude Opus 4.6 (1M context) --- spec/bundler/bundler/definition_spec.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/spec/bundler/bundler/definition_spec.rb b/spec/bundler/bundler/definition_spec.rb index 1e821f590180d1..8c7d5667ac6657 100644 --- a/spec/bundler/bundler/definition_spec.rb +++ b/spec/bundler/bundler/definition_spec.rb 
@@ -304,8 +304,8 @@ context "when all the scoped sources implement a dependency API" do let(:non_global_rubygems_sources) do [ - double("non-global-source-0", :dependency_api_available? => true, :to_s => "a"), - double("non-global-source-1", :dependency_api_available? => true, :to_s => "b"), + double("non-global-source-0", "dependency_api_available?":true, to_s:"a"), + double("non-global-source-1", "dependency_api_available?":true, to_s:"b"), ] end @@ -319,9 +319,9 @@ context "when some scoped sources do not implement a dependency API" do let(:non_global_rubygems_sources) do [ - double("non-global-source-0", :dependency_api_available? => true, :to_s => "a"), - double("non-global-source-1", :dependency_api_available? => false, :to_s => "b"), - double("non-global-source-2", :dependency_api_available? => false, :to_s => "c"), + double("non-global-source-0", "dependency_api_available?":true, to_s:"a"), + double("non-global-source-1", "dependency_api_available?":false, to_s:"b"), + double("non-global-source-2", "dependency_api_available?":false, to_s:"c"), ] end