Blog
19 Mar 2025
February 2025 RubyGems Updates
Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in February.
RubyGems News
In February, we released RubyGems 3.6.4, 3.6.5 and Bundler 2.6.4, 2.6.5. These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems. Notable improvements include removing gem server from gem help to streamline command output, raising a clearer error message when RubyGems fails to activate a dependency, ensuring Bundler correctly considers gems under platform: :windows in the Gemfile when running on Windows with ARM architecture, and fixing a resolver issue caused by incorrectly defined version ranges.
Some other important accomplishments from the team this month include:
Upgrading Kubernetes cluster to v1.32 and our OpenSearch cluster to v2.17
- We regularly update our infrastructure systems to ensure we’re taking advantage of the latest software features and security patches. This upgrade was scheduled and performed seamlessly without impacting users.
Developing wheels for RubyGems
- A proposal is in progress to introduce “wheels” for RubyGems, improving the gem build process until every gem ships precompiled binaries.
- This is better for security as it eliminates the need to execute code during installation. It’s also a huge improvement for the gem install experience thanks to removing the need for build tools, avoiding compilation errors, and reducing installation time. An outline of the project goals has been published at traveling.engineer, and implementation sketches are in the works.
Resolution improvements in Bundler
- A release of Ruby 3.4.2 introduced incorrect gemspec dependencies for
net-smtp, leading to multiple bug reports. To prevent similar issues in the future, Bundler now attempts to automatically fix incorrect dependencies in the lockfile whenever possible. When auto-fixing is not possible (e.g., in frozen mode), Bundler now provides clearer error messages to help users resolve the issue. - Depfu reported cases where Bundler 2.6 was unexpectedly downgrading dependencies. This was fixed by ensuring Bundler properly respects locked versions and re-adds necessary lower bound requirements.
- Investigating these issues also led to fixing the only known issue in our resolver engine (pub_grub), improving Bundler’s dependency resolution logic.
RubyGems.org News
The updates made this month to RubyGems.org reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. Sponsored hosting for RubyGems.org in February was provided by AWS, Fastly and Datadog.
The following are highlights of what the team worked on this month:
Fixed API key role creation for Buildkite
- A system test was added to fix an issue where creating an API Key Role for Buildkite incorrectly assigned a GitHub Actions principal instead of the correct Buildkite principal. This happened because the form defaulted to GitHub OIDC settings, hiding the principal input and preventing users from changing it.
- The fix removes the unnecessary principal assignment, allowing the correct value to be set automatically for GitHub Actions and Buildkite, ensuring smoother API Key Role creation.
RubyGems Ecosystem News
This is where we highlight exciting updates made to Ruby infrastructure projects that support our RubyGems work.
Sigstore
sigstore-ruby
- The sigstore-ruby client is nearly ready for its 0.3.0 release, bringing improved spec compliance and JRuby support.
- Adding JRuby support was particularly challenging, as it required the reimplementation of certain cryptographic operations using Java security APIs instead of relying on the
jruby-opensslgem. - You can read more about the development of sigstore-ruby in Sam’s 2024 year in review.
Ecosystem adoption
- A tracker has been launched to monitor sigstore adoption among the most popular gems: Are We Attested Yet?
- Currently, 20 of the top gems are shipping attestations, and efforts are ongoing to help more maintainers integrate sigstore signing into their release workflows.
Thank you
A huge thank you to all the contributors to RubyGems and RubyGems.org this month! We deeply appreciate your support and dedication.
Contributors to RubyGems:
- @segiddins Samuel Giddins
- @simi Josef Šimánek
- @martinemde Martin Emde
- @deivid-rodriguez David Rodríguez
- @hsbt Hiroshi Shibata
- @johnnyshields Johnny Shields
- @edouard-chin Edouard Chin
- @y-yagi Y Yagi
- @saraid Michael Chui
Contributors to RubyGems.org:
- @martinemde Martin Emde
- @simi Josef Šimánek
- @segiddins Samuel Giddins
- @hsbt Hiroshi Shibata
- @yob James Healy
- @kachick Kenichi Kamiya
If we missed you, please let us know so we can include you in our shout out!
Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.