How do I avoid Bundler warning about multiple sources when I have all gems in my .gemspec?

Time: 2021-03-28 20:48:14

In my own gem, I have a Gemfile that looks basically like this:

source 'https://my.gemserver.com'
source 'https://rubygems.org'

gemspec

My .gemspec has all dependencies listed as add_dependency and add_development_dependency.

As of Bundler 1.8, I get the warning:

Warning: this Gemfile contains multiple primary sources. Using `source` more than
once without a block is a security risk, and may result in installing unexpected gems.
To resolve this warning, use a block to indicate which gems should come from the
secondary source. To upgrade this warning to an error,
run `bundle config disable_multisource true`.

Is there a way to resolve this warning (without muting via bundle config)? I cannot find anything about a source option in the Rubygems specification.

3 solutions

#1


6  

No, you'll either need to mute the warning or add the source block to your Gemfile with the specific gems you want to come from your private server. There isn't a need to duplicate the ones that come from rubygems.org (or you could do it the other way around, if you depend on more private gems than public ones, and your private gems do not themselves depend on public ones).

The problem is that the gemspec format has no support for specifying the source for each gem, so without duplicating them into the Gemfile, there is no way to specify which gems come from each source.

#2


5  

Kind of sad, but one has to move it out to Gemfile :-(

Gemfile:

source 'https://my.gemserver.com' do
  gem 'your_gem1'
  gem 'your_gem2'
  #...
end

source 'https://rubygems.org'

gemspec

But then, if some of your gems should be included in the :development or :test group, the following could be used:

Gemfile:

gem 'your_gem1', :source => 'https://my.gemserver.com'
#...
group :development do
  gem 'your_gem2', :source => 'https://my.gemserver.com'
  #...
end

source 'https://rubygems.org'

gemspec

#3


2  

To elaborate on the discussion on the bundler issue, as previous answers have stated, you must include the gem in your Gemfile. However, you only need to specify the version of the gem in your .gemspec. If you change versions more often than private dependencies, this isn't a terrible solution.

Reference the gem without version in Gemfile:

# Gemfile
source 'https://rubygems.org'

source 'https://xxx@gem.fury.io/me/' do
  gem 'my-private-dependency'
end

gemspec

Reference the gem with version specification in the .gemspec:

# my-gem.gemspec
lib = File.expand_path('../lib', __FILE__)
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)

Gem::Specification.new do |spec|
  spec.add_dependency 'my-private-dependency', '~> 0.1.5'
end
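
An added example, not part of the answers above: a Ruby check that reads a Gemfile.lock and reports private gems that are not pinned to the private server alone, which is the ambiguity the Bundler warning is about. The lockfile samples are constructed, the function and parameter names are illustrative, and it assumes the lockfile layout in which sources declared without a block share one GEM section.

```ruby
# Collect each GEM section as { remotes: [...], gems: [...] } (added example).
def parse_gem_sections(lock_text)
  sections, current = [], nil
  lock_text.each_line do |line|
    case line
    when /\A(\S+)/               # top-level header: GEM, PATH, PLATFORMS, ...
      current = $1 == 'GEM' ? { remotes: [], gems: [] } : nil
      sections << current if current
    when /\A  remote: (\S+)/
      current[:remotes] << $1.chomp('/') if current
    when /\A    (\S+) \(/        # 4 spaces = resolved gem; 6 = its dependency
      current[:gems] << $1 if current
    end
  end
  sections
end

# Return one finding per private gem not served by private_remote alone.
def audit_lockfile(lock_text, private_gems:, private_remote:)
  sections = parse_gem_sections(lock_text)
  private_gems.filter_map do |name|
    remotes = sections.find { |s| s[:gems].include?(name) }&.fetch(:remotes) || []
    next if remotes == [private_remote.chomp('/')]
    "#{name}: candidate sources [#{remotes.join(', ')}]"
  end
end

# Constructed sample: two global `source` lines, so both remotes share a section.
AMBIGUOUS_LOCK = <<~LOCK
  GEM
    remote: https://my.gemserver.com/
    remote: https://rubygems.org/
    specs:
      rake (13.0.6)
      your_gem1 (0.1.5)
        rake (>= 12)
LOCK
# Constructed sample: your_gem1 declared inside a `source ... do` block.
PINNED_LOCK = <<~LOCK
  GEM
    remote: https://my.gemserver.com/
    specs:
      your_gem1 (0.1.5)

  GEM
    remote: https://rubygems.org/
    specs:
      rake (13.0.6)
LOCK
puts audit_lockfile(AMBIGUOUS_LOCK, private_gems: ['your_gem1'], private_remote: 'https://my.gemserver.com')
```

An empty result means every listed private gem sits in a GEM section whose only remote is the private server; any finding is worth failing a CI step on.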
