09 Sep 2013
RubyGems 2.1.0 includes several new features and a security update to fix CVE-2013-4287.
To update to the latest RubyGems you can run:
gem update --system
- RubyGems 2.0.7 and earlier are vulnerable to excessive CPU usage due to backtracking in Gem::Version validation. See CVE-2013-4287 for full details including vulnerable APIs. Fixed versions include 2.0.8, 1.8.26 and 220.127.116.11 (for Ruby 1.9.3). Issue #626 by Damir Sharipov.
- RubyGems uses a new dependency resolver for gem installation which works similarly to the bundler resolver. The new resolver can resolve conflicts the previous resolver could not and offers improved diagnostics when conflicts are discovered.
- RubyGems now has improved platform matching for the ARM architecture. Gems built with a CPU of “arm” will match any specific ARM CPU. See gem help platform for further details. Fixes #532 by Kim Burgestrand.
- The --version option now accepts compound requirements the same as in a gem dependency. The following invocation will install rails between 4.0.0.beta and 4.2:
  gem install rails -v '>= 4.0.0.beta, < 4.2'
  Fixes #531 by Gary S. Weaver
- gem clean now allows -n as an alias for --dryrun. Pull Request #517 by Gastón Ramos
- gem update --system to gem help. Pull Request #514 by Vince Wadhwani
- Added PATH to gem env output. Pull Request #490 by Michal Papis
- Added --host option to gem owner to match other commands using the gemcutter API. Pull Request #462 and issue #461 by Hugo Lopes Tavares
- Added --abort-on-dependent to gem uninstall. This will abort instead of asking to uninstall a gem that is depended upon by another gem. Pull request #549 by Philip Arndt.
- RubyGems no longer alters Gem::Specification.dirs when installing. Based on Pull Request #452 by Vít Ondruch
- RubyGems uses make environment variables over rbconfig.rb’s make if present. Pull Request #443 by Erik Hollensbe
- RubyGems can now save remote source cache files in an alternate directory controlled by ENV["GEM_SPEC_CACHE"]. Pull Request #489 by Michal Papis
- Generated private keys are now encrypted. Pull Request #453 by pietro
- Separated Gem::Request from Gem::RemoteFetcher. Pull Request #283 by Steve Klabnik.
- RubyGems indicates when a .gem’s content is corrupt while verifying. Bug #519 by William T Nelson.
- Refactored common installer setup. Pull request #520 by Gastón Ramos
- Moved activation tests to Gem::Specification. Pull request #521 by Gastón Ramos
- When a --version option with a prerelease version is given RubyGems automatically enables prerelease versions but only the last version is used. If the first version is a prerelease version this is no longer sticky unless an explicit --no-prerelease was also given. Fixes part of #531.
- RubyGems now supports an SSL client certificate. Pull request #550 by Robert Kenny.
- RubyGems now suggests how to fix permission errors. Pull request #553 by Odin Dutton.
- Added support for installing a gem as a default gem for alternate ruby implementations. Pull request #566 by Charles Nutter.
- Improved performance of Gem::Specification#load by caching the loaded gemspec. Pull request #569 by Charlie Somerville.
- RubyGems now warns when an unsigned gem is verified if -P was given during installation even if the security policy allows unsigned gems and warns when an untrusted certificate is seen even if the security policy allows untrusted certificates. Issue #474 by Grant Olson
- RubyGems can now rewrite executables with or without a shebang of /usr/bin/env via gem pristine --all --only-executables --env-shebang (or --no-env-shebang). Issue #579 by Paul Annesley.
- RubyGems can now run its tests without OpenSSL. Ruby Bug #8557 by nobu.
- Improved performance by caching Gem::Version objects and avoiding method_missing in Gem::Specification. Pull request #447 by Jon Leighton.
- Files in a .gem now preserve their modification times. Pull request #582 by Jesse Bowes
- Improved speed of looking up dependencies in SpecFetcher through Array#bsearch (when present). Pull request #595 by Andras Suller
- gem uninstall which removes all gems in GEM_HOME. Pull request #584 by Shannon Skipper.
- Added Gem.find_latest_files which is equivalent to Gem.find_files but only returns matching files from the latest version of each gem. Issue #186 by Ryan Davis.
- Improved performance of gem outdated by reducing duplicate work (it is still slow, but I see a near 50% improvement for 250 gems on a fast connection). See also Gem::Specification::outdated_and_latest_version
- rubygems_plugin.rb files are now only loaded from the latest installed gem.
- Fixed Gem.clear_paths when Security is defined at top-level. Pull request #625 by elarkin
- Fixed credential creation for --host is not given. Pull request #622 by Arthur Nogueira Neves
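
The compound --version requirement and the prerelease note above can be checked against a list of candidate versions before relying on them as a pin. The following is an added example, not code from RubyGems or from this announcement; the helper names, the comma-splitting rule and the candidate list are assumptions made for illustration.

```ruby
require "rubygems"

# Hypothetical helper (not RubyGems' own code): build a Gem::Requirement
# from a -v style string, assuming the clauses are separated by commas.
def compound_requirement(spec)
  Gem::Requirement.new(*spec.split(/\s*,\s*/))
end

# Return the candidates that satisfy every clause, oldest first.
def matching_versions(spec, candidates)
  req = compound_requirement(spec)
  candidates.map { |v| Gem::Version.new(v) }
            .select { |v| req.satisfied_by?(v) }
            .sort
            .map(&:to_s)
end

# Constructed sample data, not taken from a real gem index.
CANDIDATES = %w[3.2.14 4.0.0.alpha 4.0.0.beta 4.0.0 4.1.8
                4.2.0.beta1 4.2.0 4.2.1].freeze
SPEC = ">= 4.0.0.beta, < 4.2"

if __FILE__ == $PROGRAM_NAME
  # 4.2.0.beta1 is listed: a prerelease sorts before its release, so it
  # still satisfies "< 4.2" even though 4.2.0 itself does not.
  puts matching_versions(SPEC, CANDIDATES)
  # True because one clause names a prerelease version (4.0.0.beta).
  puts "prerelease requirement? #{compound_requirement(SPEC).prerelease?}"
end
```

An upper bound such as '< 4.2' does not by itself exclude prereleases of 4.2, which matters when the requirement is used to keep an install inside a reviewed version range.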