16 Feb 2025
January 2025 RubyGems Updates
Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in January.
Open Source Program Announcements
Our Security Engineer in Residence’s year in review
Samuel Giddins published a review of his 2024 work as Security Engineer in Residence at Ruby Central. It was a busy year with the sigstore work as the centerpiece. He finishes with an overview of what he’ll focus on in 2025.
RubyGems News
In January, we released RubyGems 3.6.3 and Bundler 2.6.3. These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems. Notable improvements include adding the credentials file path to `gem env`, preventing fallback to evaluating YAML gemspecs as Ruby code, adding support for the Mise version manager file, and including Ruby 3.5 in Gemfile DSL platform values for better compatibility.
Some other important accomplishments from the team this month include:
Improvements to the Bundler documentation site
- The end-of-year Bundler release required documentation updates, but the process was challenging due to warnings, outdated dependencies, and minor issues. Additionally, longstanding problems (such as poor SEO and broken links caused by recent structural changes in the rubygems/rubygems repository) needed attention.
- To improve the site, we addressed build warnings, upgraded all dependencies, fixed broken links, and enhanced SEO to make the Bundler documentation easier to find and navigate.
Improved “multi-Ruby” lockfile support
- In Bundler 2.6 we implemented several changes to allow the same lockfile to be used across different Ruby versions. However, a minor issue was reported related to this functionality.
- To address this, we introduced an additional update to minimize lockfile changes when switching between Ruby versions, reducing unnecessary modifications and improving stability.
Bundler support for ARM architecture on Windows
- Windows RubyInstaller2 added support for running Ruby on ARM architecture and we received a community contribution to enable Bundler compatibility. However, the existing Windows support code was somewhat cumbersome, making it difficult for the contributor to complete the implementation.
- To resolve this, we reworked how `platform: :windows` is handled in the Gemfile, which was the primary blocker. We also refactored the logic to ensure that the `:windows` value can accommodate similar scenarios in the future.
RubyGems.org News
The updates made this month to RubyGems.org reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. Sponsored hosting for RubyGems.org in January was provided by AWS, Fastly and Datadog.
The following are highlights of what the team worked on this month:
Fixed endless 5xx responses leading to pages
- Rails returned response headers exceeding Nginx’s 4KB limit, triggering an `upstream sent too big header` error and causing persistent 502 Bad Gateway responses. The issue stemmed from the `Redirector` middleware, which generated 301 redirects with excessively long Location headers, particularly for `api.rubygems.org`. Debugging was further complicated by a logging issue that hid these errors.
- We fixed the logging pipeline to correctly capture errors and updated the middleware to prevent oversized headers. This fix was tested and verified in staging, successfully resolving the 502 errors.
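The failure mode above can be guarded against in the redirecting layer itself. The following is an added example, not the RubyGems.org `Redirector` code: the class name, the placeholder host, the 2048-byte budget and the choice of a 414 response are all assumptions made for illustration.

```ruby
# Added example (not RubyGems.org code). A Rack-style middleware that
# redirects non-canonical hosts but never emits a Location header large
# enough to overflow a reverse proxy's response-header buffer.
class BoundedRedirector
  CANONICAL_HOST = "rubygems.example"  # placeholder host (assumption)
  MAX_LOCATION_BYTES = 2048            # assumed budget, well under a 4 KB buffer

  def initialize(app)
    @app = app
  end

  def call(env)
    # Requests already on the canonical host pass straight through.
    return @app.call(env) if env["HTTP_HOST"].to_s == CANONICAL_HOST

    location = build_location(env)
    if location.bytesize > MAX_LOCATION_BYTES
      # Answer directly instead of sending a header the proxy would
      # reject and turn into a 502 for the client.
      body = "Request URI too long to redirect\n"
      headers = { "content-type" => "text/plain",
                  "content-length" => body.bytesize.to_s }
      return [414, headers, [body]]
    end

    [301, { "location" => location, "content-length" => "0" }, []]
  end

  private

  # The Location value grows with client-controlled path and query input,
  # which is why it needs an explicit bound.
  def build_location(env)
    url = "https://#{CANONICAL_HOST}#{env["PATH_INFO"]}"
    query = env["QUERY_STRING"].to_s
    query.empty? ? url : "#{url}?#{query}"
  end
end
```
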
Upgraded to Ruby 3.4.1
- We upgraded RubyGems.org to Ruby 3.4.1 to ensure compatibility with the latest Ruby version and take advantage of performance improvements and security updates.
Removed the `Forwarded` and `X-Forwarded-Host` headers
- We removed the `Forwarded` and `X-Forwarded-Host` headers to enhance security and mitigate the risk of header spoofing attacks.
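Why dropping these headers matters, as an added example that is not RubyGems.org code: the page does not say at which layer the headers were removed, so the Rack-style middleware, the stand-in host resolution and the host names below are assumptions.

```ruby
# Added example (not RubyGems.org code); all names are hypothetical.
class StripForwardingHeaders
  # Rack exposes request headers as HTTP_* keys in the env hash.
  STRIPPED = %w[HTTP_FORWARDED HTTP_X_FORWARDED_HOST].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    # Drop client-controllable forwarding headers before the app sees them.
    STRIPPED.each { |key| env.delete(key) }
    @app.call(env)
  end
end

# Stand-in for framework host resolution that prefers X-Forwarded-Host
# when present, which is what makes an unfiltered value risky.
def effective_host(env)
  forwarded = env["HTTP_X_FORWARDED_HOST"].to_s.split(",").last.to_s.strip
  forwarded.empty? ? env["HTTP_HOST"] : forwarded
end

# Inner app that builds an absolute URL from the resolved host.
LINK_APP = lambda do |env|
  [200, { "content-type" => "text/plain" }, ["https://#{effective_host(env)}/gems"]]
end

# Constructed request in which the client supplied the forwarding headers.
def spoofed_env
  { "HTTP_HOST" => "rubygems.example",
    "HTTP_X_FORWARDED_HOST" => "untrusted.example",
    "HTTP_FORWARDED" => "host=untrusted.example" }
end

# URL generated when the headers reach the app unfiltered.
def link_without_filter
  LINK_APP.call(spoofed_env)[2].first
end

# URL generated when the middleware strips them first.
def link_with_filter
  StripForwardingHeaders.new(LINK_APP).call(spoofed_env)[2].first
end
```
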
Thank you
A huge thank you to all the contributors to RubyGems and RubyGems.org this month! We deeply appreciate your support and dedication.
Contributors to RubyGems:
- @segiddins Samuel Giddins
- @nobu Nobuyoshi Nakada
- @simi Josef Šimánek
- @deivid-rodriguez David Rodríguez
- @duckinator Ellen Marie Dash
- @hsbt Hiroshi Shibata
- @soda92 Maple
- @kyanagi Kouhei Yanagita
- @Vasfed Vasily Fedoseyev
- @joshleblanc Josh LeBlanc
- @rykov Michael Rykov
- @johnnyshields Johnny Shields
- @the-spectator Akshay Birajdar
- @edouard-chin Edouard Chin
- @ntkme なつき
- @larskanis Lars Kanis
Contributors to RubyGems.org:
- @martinemde Martin Emde
- @simi Josef Šimánek
- @segiddins Samuel Giddins
- @hsbt Hiroshi Shibata
- @w-masahiro-ct Masahiro
- @huacnlee Jason Lee
- @gemmaro Gemmaro
- @kairoaraujo Kairo Araujo
- @adrianthedev Adrian Marin
- @MilaZhou22 MilaZhou22
- @skatkov Stanislav (Stas) Katkov
If we missed you, please let us know so we can include you in our shout out!
Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.