blog.rubygems.org
Recently, Socket.dev published research highlighting malicious gems designed to steal social media credentials. We wanted to use this as an opportunity to share more about how RubyGems.org security operates, how we proactively handled this incident (and others), and the work our team is doing each day to keep the ecosystem safe. How We Detect Malicious Gems RubyGems.org security uses a proactive a
17 Jul 2025 Bundler v2.7: last release before Bundler 4 by David Rodríguez A major release of Bundler is finally happening, consolidating unreleased major changes that had been pending for a decade. It will be named Bundler 4 (skipping Bundler 3), so that we can release it in lockstep with RubyGems 4, making the version number of Bundler & RubyGems in sync from now on. Final Bun
We’re pleased to introduce several key policies for RubyGems.org for community review. These include a Terms of Service, Privacy Notice, Acceptable Use Policy, and Copyright Policy. While these policies align with how RubyGems has always operated, the absence of formal documentation created ambiguity around acceptable use. These new policies provide clarity and transparency regarding our operation
The RubyGems Team is happy to share this post from our colleague Ngan Pham, Principal Software Engineer @ Gusto. Thank you, Ngan! Working in a large monolith with many engineers, you never fail to get a flurry of changes every time you pull from main. Then you have the typical ritual of running bundle install and, if you’re on a Rails application, rails db:prepare. Sometimes, you forget to run bund
Hi all! I’m excited to share a new feature that will help make RubyGems.org more secure, as well as making it easier to automate gem publishing. Inspired by the Python package index, we’re calling it Trusted Publishing. Backstory Over the past few years, we’ve increased the minimum multi-factor authentication (MFA) requirements for accounts that own popular gems. We highly encourage requiring MFA
Attacks on the software supply chain are increasing and our community has not gone unscathed. RubyGems has been affected by supply chain attacks in the past, so it’s important for us to mitigate these risks as much as possible. Recommending stronger security practices like enabling multi-factor authentication (MFA) on popular packages is a first step towards improving the security of the RubyGems
Ever since it was first released, the Bundler team has wanted to know more about the developers out there using our code. What versions of Ruby are still being actively used? What versions of RubyGems is it safe to stop supporting? Which operating systems should we focus on testing? It’s been almost 10 years since that first release, but today the RubyGems and Bundler team is excited to announce t
Today we’re disclosing several vulnerabilities in RubyGems. They have all been reported via hackerone. We strongly recommend upgrading to the latest stable version of RubyGems, 3.0.3 or 2.7.8. If you can’t upgrade to RubyGems 2.7 or 3.0, please use this patch for RubyGems 2.6. CVE-2019-8320: Delete directory using symlink when decompressing tar Description A Directory Traversal issue was discovered in Ru
31 Oct 2017 Bundler 1.16: 2.0 Is So Close! by Samuel Giddins What’s new in Bundler 1.16? A short summer after the performance-focused Bundler 1.15 release, we’ve shipped 1.16. Before we get to the list of changes, we want to share a very exciting announcement: Bundler 2.0 is right around the corner! We anticipate that v1.16 will be the last 1.x release, and details about the tra
Hello everyone! An unsafe object deserialization vulnerability was found in RubyGems. Unfortunately this vulnerability can be used as a way to escalate to a remote code execution exploit. The good news is that this issue was responsibly reported to the RubyGems team by Max Justicz, and we were able to promptly fix it. The RubyGems team audited all Gems, and using the data available to us we can sa
RubyGems 2.6.13 includes security fixes. To update to the latest RubyGems you can run: If you need to upgrade or downgrade please follow the how to upgrade/downgrade RubyGems instructions. To install RubyGems by hand see the Download RubyGems page. Security fixes: Fix a DNS request hijacking vulnerability. Discovered by Jonathan Claudius, fix by Samuel Giddins. (CVE-2017-0902) Fix an ANSI escape s
19 May 2017 Bundler 1.15: Bundle Oh So Fast by Samuel Giddins What’s new in Bundler 1.15? Hot on the heels of the many small fixes in Bundler 1.14, we’re pushing out 1.15. The list of changes is much shorter, but we think you’re going to love it all the same, since this time around we’ve focused on making Bundler a whole heck of a lot faster. Speed Due to Julian Nadeau’s prompti
Since the early days of Ruby, Ruby Central, Inc. has served as an organizational anchor for our community. Starting in 2001, with the organization of the first International Ruby Conference, we have been responsible for running RubyConf and subsequently RailsConf. Thanks to you all, our conferences have enjoyed broad, sustainable success, endowing us with a solid financial foundation, which we the
Summary RubyGems.org contained a bug that could allow an attacker to replace some .gem files on our servers with a different file that they supplied. We deployed a partial fix on April 2nd and a complete fix on April 4th, 2016. We also verified every .gem uploaded after Feb 8th, 2015, and found that none of them had been replaced. Gems whose name contains a dash (e.g. ‘blank-blank’) uploaded befor
CVE-2015-3900 Request hijacking vulnerability in RubyGems 2.4.6 and earlier RubyGems allows a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specifically a SRV record _rubygems._tcp under the originally requested domain. For example, this is the one that users who use rubygems.org see: > dig _ru
Bundler 1.10 is out! In fact, Bundler 1.10.5 is out today, so we thought it was high time to let everyone know about it. This release comes with a bunch of new features: the lock command, support for inline gemfiles in scripts, the ability to disable post-install messages, optional groups, conditional gem installation, dramatically improved outdated output, and the option to force installed gems t
20 Mar 2015 Bundler template moves bins to exe by Benjamin Fleischer - spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) } + spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) } This means that the Bundler-generated gems can use and commit binstubs, such as bin/rake, to the bin/ directory. Only files in the exe/ directory will be built with t
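Review bot: the grep now keys on `%r{^exe/}`, but nothing in this hunk changes where RubyGems looks for those executables at install time, which is governed by `spec.bindir` (default `bin`); the generated gemspec template should also set `spec.bindir = "exe"` so the executables listed by this line are actually found, and a one-line comment on why `exe/` is preferred over `bin/` (keeping committed binstubs out of the package) would help readers of the template.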
14 Aug 2014 Bundler may install gems from a different source than expected (CVE-2013-0334) by André Arko Versions Affected: All versions < 1.7.0 Not Affected: Any Gemfile with one or zero sources Fixed Versions: 1.7.0 Releases: 1.7.0 Bundler 1.7 is a security-only release to address CVE-2013-0334, a vulnerability where a gem might be installed from an unintended source server, p
RubyGems 2.2.0 includes major enhancements, minor enhancements and bug fixes. To update to the latest RubyGems you can run: gem update --system If you need to upgrade or downgrade please follow the how to upgrade/downgrade RubyGems instructions. To install RubyGems by hand see the Download RubyGems page. Special thanks to Vít Ondruch and Michal Papis for testing and finding bugs in RubyGems as it
RubyGems 2.1.0 includes several new features and a security update to fix CVE-2013-4287 To update to the latest RubyGems you can run: gem update --system If you need to upgrade or downgrade please follow the how to upgrade/downgrade RubyGems instructions. To install RubyGems by hand see the Download RubyGems page. Security fixes: RubyGems 2.0.7 and earlier are vulnerable to excessive CPU usage due
TL;DR: We were able to verify that all gems served by rubygems.org are tamper-free. The Incident As most people are aware, on January 30th rubygems.org was hit with a rogue code execution vulnerability. Much has been written (and will be written) about why the bug existed and how we’re going to be dealing with making sure it never happens again. Data Verification Right now, I want to let everyone