13 Jan 2021
December 2020 RubyGems Updates
Welcome to the RubyGems monthly update! As part of our efforts at Ruby Together, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in December.
In December, we finally released bundler 2.2 and Rubygems 3.2 🎉. On the Bundler side, this minor release provides some major enhancements in how Bundler treats platforms, plus a few extra features. See the blog post about the bundler v2.2 release for details. On the RubyGems side, the release provides a lot of bug fixes, a noticeable boot time speed-up, better integration with ruby-core and alternative implementations, and adds support for a server-side change that allows using scoped API keys.
After the releases, we also received the corresponding feedback and regression reports, and addressed almost everything reported through four patch-level releases of each library. In particular, we made it in time for Ruby’s Christmas release and managed to include rubygems 3.2.3 and bundler 2.2.3 with the final release of
This month, we published a guide on RubyGems.org about API keys, their scopes, and CLI usage - #275. We also investigated and removed the pretty_color gems for containing malicious code which could steal sensitive information; this issue was reported by @mensfeld, who spotted the obfuscated code. - Gems yanked and Accounts Locked Wiki
In addition to that, we made the following improvements and fixes:
- deployed a PR to update versions_downloads in elastic search and reindex to fix the mismatch in downloads count. #2534
- deployed an API key with scopes and migrated legacy per account keys to the new API keys with encrypted storage. #1962
- set up insecure.rubygems.org to not redirect dependency endpoints to HTTPS. #2590
- worked on a PR to block throw-away domains from signup. #2579
- merged a PR to update a failing test on ruby 2.7. #2580
- worked on a PR to update to Rails 6.1. #2584
- worked on a PR to update gem dependencies to support elastic search 6. #2585
- updated a PR to update clearance. #2446
- enabled a few more Rails 6 defaults. #2583
- updated the rubygems.org TLS certificate to support TLS 1.3.
- deployed a PR and backfilled canonical_versions to disallow publishing of duplicate canonical version numbers. This resolves the issue of clients installing potentially malicious versions of existing releases. #2559
- version_downloads to use the most_recent version implementation. #2534
- fixed a script to block users with handles that had uppercase letters. #2570
- merged a PR to enable Rails 6 default for
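To illustrate the canonical_versions change above, here is an added example (not RubyGems.org's own code) of the kind of server-side check it enables: Gem::Version drops trailing zero segments when canonicalizing, so "1.0", "1.0.0" and "1.00" all denote the same release, and a push that collides with an existing canonical version is rejected instead of being published as a second, look-alike version. The list of already-published versions is constructed for the example.

```ruby
require "rubygems"

# Constructed sample: versions already published for one gem (not real data).
PUBLISHED_VERSIONS = ["1.0", "1.1.0", "2.0.0.pre1"].freeze

# Canonical form of a version string. Gem::Version#canonical_segments strips
# trailing zero segments, so "1.0", "1.0.0" and "1.00" all become [1].
def canonical(version_string)
  Gem::Version.new(version_string).canonical_segments
end

# Decide whether a pushed version may be published.
#   :invalid             - not a well-formed gem version
#   :duplicate_canonical - canonically equal to an existing release
#   :ok                  - genuinely new version number
def check_push(new_version, published = PUBLISHED_VERSIONS)
  return :invalid unless Gem::Version.correct?(new_version)

  existing = published.map { |v| canonical(v) }
  existing.include?(canonical(new_version)) ? :duplicate_canonical : :ok
end

# Stand-alone demonstration of the policy against the constructed data.
if __FILE__ == $PROGRAM_NAME
  ["1.0.0", "1.00", "1.0.1", "1", "not-a-version"].each do |v|
    puts "#{v.ljust(14)} -> #{check_push(v)}"
  end
end
```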
As always, we continue to fix bugs, review and merge PRs, and reply to support tickets.
Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.