From 8efa0a9be349d231d570250d7afd2179a3a57244 Mon Sep 17 00:00:00 2001
From: kuanchiliao1
Date: Wed, 18 Dec 2024 15:38:07 -0800
Subject: [PATCH] Disallow pushing of gems with unresolved dependencies

---
 app/models/pusher.rb | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/app/models/pusher.rb b/app/models/pusher.rb
index 0f0dab75908..a409d420a0e 100644
--- a/app/models/pusher.rb
+++ b/app/models/pusher.rb
@@ -26,6 +26,7 @@ def process
 authorize &&
 verify_gem_scope &&
 verify_mfa_requirement &&
+ verify_dependencies_resolvable &&
 validate &&
 save
 end
@@ -46,6 +47,20 @@ def verify_mfa_requirement
 notify("Rubygem requires owners to enable MFA. You must enable MFA before pushing new version.", 403)
 end
 
+ def verify_dependencies_resolvable
+ return true if spec.dependencies.empty?
+
+ dependency_names = spec.dependencies.map(&:name)
+ existing_gems = Rubygem.where(name: dependency_names).pluck(:name)
+ missing_gems = dependency_names - existing_gems
+
+ if missing_gems.any?
+ return notify("There was a problem saving your gem: \nThe following dependencies don't exist: #{missing_gems.join(', ')}", 422)
+ end
+
+ true
+ end
+
 def validate
 unless validate_signature_exists?
 return notify("There was a problem saving your gem: \nYou have added cert_chain in gemspec but signature was empty", 403)
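Review bot: In the second hunk, `verify_dependencies_resolvable` iterates `spec.dependencies`, which includes development dependencies as well as runtime ones, so a push will now be rejected with a 422 when a test-only dependency is not published on this server even though it plays no part in resolving the gem for installers; unless that is intended, restrict the check to `spec.runtime_dependencies` in both the guard (`return true if spec.runtime_dependencies.empty?`) and the lookup (`dependency_names = spec.runtime_dependencies.map(&:name)`). The check also only asserts that a `Rubygem` row with the name exists, not that any published version could satisfy the dependency's requirement, so "resolvable" in the method name and commit title overstates what it guarantees; a one-line comment such as `# Only checks that the dependency names are registered; version requirements are not resolved here.` would keep later readers from relying on it. The names echoed in the 422 message come straight from the uploaded gemspec, which is fine if `notify` emits plain text but worth confirming wherever that message is rendered. `process` in the first hunk starts outside the hunk (only its body lines are shown), and the review applies to the second hunk where the method is defined in full.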