Skip to content

chore(deps): update dependency bundler to v4 [security]#36

Open
sc-renovate[bot] wants to merge 1 commit into
masterfrom
renovate/rubygems-bundler-vulnerability
Open

chore(deps): update dependency bundler to v4 [security]#36
sc-renovate[bot] wants to merge 1 commit into
masterfrom
renovate/rubygems-bundler-vulnerability

Conversation

@sc-renovate

@sc-renovate sc-renovate Bot commented Jun 1, 2026

Copy link
Copy Markdown

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
bundler (source, changelog) "~> 1.0""~> 4.0" age confidence

GitHub Vulnerability Alerts

CVE-2019-3881

Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed.

Severity
  • CVSS Score: 7.0 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-36327

Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application.

Severity
  • CVSS Score: 8.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-43809

In bundler versions before 2.2.33, when working with untrusted and apparently harmless Gemfile's, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the Gemfile itself. However, if the Gemfile includes gem entries that use the git option with invalid, but seemingly harmless, values with a leading dash, this can be false.

To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as git clone. These commands are being constructed using user input (e.g. the repository URL). When building the
commands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (-) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables.

Since this value comes from the Gemfile file, it can contain any character, including a leading dash.

Exploitation

To exploit this vulnerability, an attacker has to craft a directory containing a Gemfile file that declares a dependency that is located in a Git repository. This dependency has to have a Git URL in the form of -u./payload. This URL
will be used to construct a Git clone command but will be interpreted as the upload-pack argument. Then this directory needs to be shared with the victim, who then needs to run a command that evaluates the Gemfile, such as bundle lock, inside.

Impact

This vulnerability can lead to Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, as explained above, the exploitability is very low, because it requires a lot of user interaction. It still could put developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by manually reviewing the Gemfile (although they would need the weird URL with a leading dash to not raise any flags).

This kind of attack vector has been used in the past to target security researchers by sending them projects to collaborate on.

Patches

Bundler 2.2.33 has patched this problem by inserting -- as an argument before any positional arguments to those Git commands that were affected by this issue.

Workarounds

Regardless of whether users can upgrade or not, they should review any untrustred Gemfile's before running any bundler commands that may read them, since they can contain arbitrary ruby code.

References

https://cwe.mitre.org/data/definitions/88.html

Severity
  • CVSS Score: 6.7 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE-2016-7954

Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.

Severity
  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Release Notes

ruby/rubygems (bundler)

v4.0.16

Compare Source

Enhancements:
  • Installs bundler 4.0.16 as a default gem.
Bug fixes:
  • Skip the make job server when using BSD make. Pull request #​9676 by flavorjones

v4.0.15

Compare Source

Enhancements:
  • Rubygems: Fix Gem::Request for PQC support, adding integration connection tests. Pull request #​9615 by junaruga
  • Reduce peak memory usage of full index loading and bundle install. Pull request #​9618 by hsbt
  • Installs bundler 4.0.15 as a default gem.
Bug fixes:
  • Forward security policy to old-format gems. Pull request #​9611 by hsbt

v4.0.14

Compare Source

Enhancements:
  • Add executables and bindir validation to the gem installer. Pull request #​9595 by hsbt
  • Strip C1 control characters from displayed gem text. Pull request #​9597 by hsbt
  • Installs bundler 4.0.14 as a default gem.

v4.0.13

Compare Source

Enhancements:
  • Prevent extraction from escaping destination_dir via pre-existing symlinks. Pull request #​9493 by thesmartshadow
  • Close stdin immediately when using popen2e. Pull request #​9540 by rwstauner
  • Fallback to copy symlinks on Windows. Pull request #​9296 by larskanis
  • Installs bundler 4.0.13 as a default gem.

v4.0.12

Compare Source

Enhancements:
  • Remove cygwin from WIN_PATTERNS. Pull request #​9527 by fd00
  • Installs bundler 4.0.12 as a default gem.
Bug fixes:
  • Fall back to lockfile version when BUNDLE_VERSION is "lockfile". Pull request #​9545 by hsbt
  • Read BUNDLE_VERSION env var in BundlerVersionFinder. Pull request #​9538 by hsbt

v4.0.11

Compare Source

Enhancements:
  • Add commented-out rubygems_mfa_required to bundle gem template. Pull request #​9487 by MatheusRich
  • Clarify the name and meaning of the first argument to gem spec. Pull request #​9476 by eregon
  • Installs bundler 4.0.11 as a default gem.

v4.0.10

Compare Source

Enhancements:
  • Ignore warnings with spec different platforms. Pull request #​8508 by hsbt
  • Better algorithm for sorting gem version. Pull request #​9421 by Edouard-chin
  • Update SPDX license list as of 2026-02-20. Pull request #​9434 by hsbt
  • Installs bundler 4.0.10 as a default gem.
Bug fixes:
  • Register native extension files in default spec map. Pull request #​9431 by hsbt
  • Fix NoMethodError in Gem.try_activate when activation conflicts occur. Pull request #​9404 by hsbt

v4.0.9

Compare Source

Enhancements:
  • Fix: include owner role in gem owner. Pull request #​9403 by gjtorikian
  • Installs bundler 4.0.9 as a default gem.
Bug fixes:
  • Fix: Ensure trailing slash is added to source URIs added via gem sources. Pull request #​9055 by zirni
Documentation:
  • [DOC] Fix link. Pull request #​9409 by BurdetteLamar

v4.0.8

Compare Source

Enhancements:
  • Use JSON for cargo metadata parsing. Pull request
    #​9373 by hsbt
  • Fix NameError in Gem::Request.get_proxy_from_env when requiring
    rubygems/request directly. Pull request
    #​9362 by afurm
  • Installs bundler 4.0.8 as a default gem.
Documentation:
  • Unify Compact Index API naming. Pull request
    #​9372 by simi

v4.0.7

Compare Source

Enhancements:
  • Add Gem.disable_system_update_message in setup.rb. Pull request
    #​9020 by hyuraku
  • Print message when signing in with an existing API key. Pull request
    #​9312 by hsbt
  • Installs bundler 4.0.7 as a default gem.
Documentation:
  • Document gemspecs must be deterministic. Pull request
    #​9321 by fxn
  • Remove "##" from a comment to require. Pull request
    #​9306 by tompng

v4.0.6

Compare Source

Enhancements:
  • Update vendored resolv to 0.7.0. Pull request
    #​9298 by hsbt
  • Installs bundler 4.0.6 as a default gem.

v4.0.5

Compare Source

Enhancements:
  • Removed unused deprecate loading. Pull request
    #​9266 by hsbt
  • Validate executable names for invalid characters. Pull request
    #​9257 by hsbt
  • Installs bundler 4.0.5 as a default gem.
Bug fixes:
  • Fix RubyGems not able to require the right gem:. Pull request
    #​9246 by Edouard-chin
  • Remove special behavior for rake. Pull request
    #​9245 by JasonLunn
Documentation:
  • Added another usage of pristine command. Pull request
    #​9255 by hsbt

v4.0.4

Compare Source

Enhancements:
  • Remove date require from rebuild command. Pull request
    #​9232 by jeremyevans
  • Installs bundler 4.0.4 as a default gem.
Bug fixes:
  • Add a missing "require 'etc'" statement:. Pull request
    #​9242 by Edouard-chin

v4.0.3

Compare Source

Enhancements:
  • Installs bundler 4.0.3 as a default gem.
Documentation:
  • Fix broken documentation links. Pull request
    #​9208 by eileencodes

v4.0.2

Compare Source

Enhancements:
  • Pass down value of BUNDLE_JOBS to RubyGems before compiling &
    introduce a new gem install -j flag. Pull request
    #​9171 by Edouard-chin
  • Installs bundler 4.0.2 as a default gem.

v4.0.1

Compare Source

Enhancements:
  • Installs bundler 4.0.16 as a default gem.
Bug fixes:
  • Skip the make job server when using BSD make. Pull request #​9676 by flavorjones

v4.0.0

Compare Source

Features:
  • Undeprecate Gem::Version.new(nil). Pull request
    #​9086 by tenderlove
  • Add pattern matching support to Gem::NameTuple. Pull request
    #​9064 by baweaver
  • Add pattern matching support to Gem::Platform. Pull request
    #​9062 by baweaver
Performance:
  • Add MAKEFLAGS=-j by default before compiling. Pull request
    #​9131 by Edouard-chin
  • Remove some memoization. Pull request
    #​9017 by tenderlove
  • Pull Gem.win_platform? out of a hot path. Pull request
    #​8983 by tenderlove
  • Stop trying to remove every file on extraction. Pull request
    #​8974 by tenderlove
  • Use IO.copy_stream with IO object directly. Pull request
    #​8970 by tenderlove
  • Pass a file size to IO.copy_stream. Pull request
    #​8966 by tenderlove
  • Use File#chmod rather than FileUtils.chmod. Pull request
    #​8965 by tenderlove
Enhancements:
  • Update all vendored libraries to latest version. Pull request
    #​9089 by hsbt
  • Removed unused Gem::Deprecate. Pull request
    #​9090 by hsbt
  • Add debug logging information to see the time it took to download and
    install a gem. Pull request
    #​9066 by Edouard-chin
  • Fix constants in TAR to be frozen. Pull request
    #​9041 by tenderlove
  • Remove open-ended and prerelease dependency warnings when building gems.
    Pull request #​9050 by
    jeremyevans
  • Revamp CmakeBuilder. Pull request
    #​8753 by cfis
  • Restrict what schemes are acceptable in the remote fetcher. Pull request
    #​9022 by tenderlove
  • gem sources --prepend and --append allow finer grained control of
    sources. Pull request #​8901
    by martinemde
  • Improve gem sources --remove output. Pull request
    #​8909 by deivid-rodriguez
  • Make gem sources output more clear. Pull request
    #​8938 by deivid-rodriguez
  • Don't fail if there is no makefile, simply don't do anything. Pull
    request #​8879 by ioquatix
  • Use IMDSv2 for S3 instance credentials. Pull request
    #​7709 by folbricht-stripe
  • Fix regression in presence of RVM gems. Pull request
    #​8854 by deivid-rodriguez
  • Restore parsing "--" as an unknown platform rather than crashing. Pull
    request #​8846 by
    deivid-rodriguez
  • Installs bundler 4.0.0 as a default gem.
Bug fixes:
  • Fix test failure of mswin and nmake. Pull request
    #​9135 by hsbt
  • Respect BUNDLE_VERSION config at Gem::BundlerVersionFinder. Pull
    request #​9106 by hsbt
  • Fix "did you mean" suggestions for unknown commands. Pull request
    #​8948 by deivid-rodriguez
  • Fix trailing slashes not considered by gem sources --remove. Pull
    request #​8939 by
    deivid-rodriguez
Security:
  • Bump up vendored URI to 1.0.4. Pull request
    #​9031 by hsbt
Breaking changes:
  • Removed deprecated -C option from gem build. Pull request
    #​9088 by hsbt
  • Removed deprecated Gem::Specification#has_rdoc, has_rdoc= and has_rdoc?.
    Pull request #​9084 by hsbt
  • Removed deprecated gem query command. Pull request
    #​9083 by hsbt
  • Removed deprecated Gem::DependencyInstaller#find_gems_with_sources. Pull
    request #​9082 by hsbt
  • Remove deprecated methods of RubyGems. Pull request
    #​9081 by hsbt
  • Make verification methods private. Pull request
    #​9051 by tenderlove
  • Deprecate --default option from install command. Pull request
    #​7588 by hsbt
  • Removed compatibility.rb for RG 4.0. Pull request
    #​8899 by hsbt
Deprecations:
  • Deprecate Gem::Specification#datadir. Pull request
    #​8900 by hsbt
Documentation:
  • Unified UPGRADING.md and extract blog.rubygems.org. Pull request
    #​9148 by hsbt
  • Remove italic formatting from changelog section headers. Pull request
    #​9128 by hsbt
  • [DOC] Fix the location of Gem::Deprecate document. Pull request
    #​9065 by nobu
  • Fix typo. Pull request
    #​9012 by etiennebarrie
  • Added document for Gem::Uninstaller. Pull request
    #​8904 by hsbt
  • Use mailto link in Code of Conduct. Pull request
    #​8849 by deivid-rodriguez
  • Update Code of Conduct email to conduct@rubygems.org. Pull request
    #​8848 by indirect

v2.7.2

Compare Source

Enhancements:
  • gem sources --prepend and --append allow finer grained control of
    sources. Pull request
    #​8901 by martinemde
  • Improve gem sources --remove output. Pull request
    #​8909 by
    deivid-rodriguez
  • Make gem sources output more clear. Pull request
    #​8938 by
    deivid-rodriguez
  • Use IMDSv2 for S3 instance credentials. Pull request
    #​7709 by
    folbricht-stripe
  • Installs bundler 2.7.2 as a default gem.
Bug fixes:
  • Fix "did you mean" suggestions for unknown commands. Pull request
    #​8948 by
    deivid-rodriguez
  • Fix trailing slashes not considered by gem sources --remove. Pull
    request #​8939 by
    deivid-rodriguez

v2.7.1

Compare Source

Enhancements:
  • Fix regression in presence of RVM gems. Pull request
    #​8854 by
    deivid-rodriguez
  • Restore parsing "--" as an unknown platform rather than crashing. Pull
    request #​8846 by
    deivid-rodriguez
  • Installs bundler 2.7.1 as a default gem.
Documentation:

v2.7.0

Compare Source

Security:
  • Update vendored resolv to 0.6.2. Pull request
    #​8831 by hsbt
Breaking changes:
  • Stop generating binstubs with support for RubyGems before 2.6.2. Pull
    request #​8833 by
    deivid-rodriguez
  • Drop support for Ruby 3.1. Pull request
    #​8634 by segiddins
Enhancements:
  • Update SPDX license list as of 2025-07-01. Pull request
    #​8829 by
    github-actions[bot]
  • Add push_rubygem as a default scope for gem signin command. Pull
    request #​8672 by hsbt
  • Update bundled tls certs. Pull request
    #​8731 by segiddins
  • Install the best matching gem for the current platform in gem install.
    Pull request #​8751 by
    segiddins
  • Move most of Bundler::GemHelpers to Gem::Platform. Pull request
    #​8703 by segiddins
  • Ensure that Gem::Platform parses strings to a fix point. Pull request
    #​8584 by segiddins
  • Installs bundler 2.7.0 as a default gem.
Bug fixes:
  • Fix signing HEAD and date formatting in S3 signer. Pull request
    #​8763 by rye-stripe
  • Fix --bindir <foo> flag to gem install failing when <foo> is not in
    the default GEM_HOME and its parent directory does not exist yet. Pull
    request #​8783 by larouxn
  • Fix gem install sometimes compiling the wrong source files. Pull
    request #​8764 by
    deivid-rodriguez
  • Workaround rust extension compilation when ccache or sccache are
    used. Pull request #​8521
    by hsbt
  • Fix gem pristine not recompiling extensions sometimes. Pull request
    #​8757 by
    deivid-rodriguez
  • Fix --prerelease flag to gem install sometimes not respected. Pull
    request #​8648 by ntl
Documentation:
  • Fix incorrect UPGRADING link in README.md. Pull request
    #​8838 by djbender
  • Add a root CONTRIBUTING.md file. Pull request
    #​8822 by
    deivid-rodriguez
  • Add a SECURITY.md file. Pull request
    #​8812 by
    deivid-rodriguez
  • Fix heading ranks in documentation. Pull request
    #​8711 by antoinem

v2.6.9

Compare Source

Enhancements:
  • Add mtime to Gem::Package::TarWriter#add_file argument. Pull request
    #​8673 by unasuke
  • Print webauthn authentication link as a separate line to make it easier
    to visit. Pull request
    #​8663 by mperham
  • Remove shellwords autoload. Pull request
    #​8644 by
    deivid-rodriguez
  • Installs bundler 2.6.9 as a default gem.
Performance:
  • Avoid unnecessary splat allocation. Pull request
    #​8640 by jeremyevans
Documentation:
  • Fix typo in Changelog for 3.6.0 / 2024-12-16. Pull request
    #​8638 by thatrobotdev

v2.6.8

Compare Source

Enhancements:
  • Installs bundler 2.6.8 as a default gem.

v2.6.7

Compare Source

Enhancements:
  • Sorting files in metadata for build reproducibility. Pull request
    #​8569 by
    giacomobenedetti
  • Default to a SOURCE_DATE_EPOCH of 3156192, to simplify reproducible
    builds. Pull request
    #​8568 by duckinator
  • Let gem exec raise an error in ambiguous cases. Pull request
    #​8573 by
    deivid-rodriguez
  • Installs bundler 2.6.7 as a default gem.
Performance:
  • Speed up Version#<=> ~20-50% when lengths differ. Pull request
    #​8565 by skipkayhil

v2.6.6

Compare Source

Enhancements:
  • Update vendored uri to 1.0.3. Pull request
    #​8534 by hsbt
  • Installs bundler 2.6.6 as a default gem.
Bug fixes:
  • Fix gem rdoc not working with newer versions of rdoc when not
    installed as default gems. Pull request
    #​8549 by
    deivid-rodriguez

v2.6.5

Compare Source

Enhancements:
  • Installs bundler 2.6.5 as a default gem.
Documentation:
  • Removed gem server from gem help. Pull request
    #​8507 by hsbt

v2.6.4

Compare Source

Enhancements:
  • Raise a simpler error when RubyGems fails to activate a dependency. Pull
    request #​8449 by
    deivid-rodriguez
  • Installs bundler 2.6.4 as a default gem.
Performance:
  • Allocate strings from Requirement match only once. Pull request
    #​8245 by segiddins

v2.6.3

Compare Source

Enhancements:
  • Add credentials file path to gem env. Pull request
    #​8375 by duckinator
  • Update SPDX license list as of 2024-12-30. Pull request
    #​8387 by
    github-actions[bot]
  • Installs bundler 2.6.3 as a default gem.
Bug fixes:
  • Fix @licenses array unmarshalling. Pull request
    #​8411 by rykov

v2.6.2

Compare Source

Security:
  • Fix Gem::SafeMarshal buffer overrun when given lengths larger than fit
    into a byte. Pull request
    #​8305 by segiddins
  • Improve type checking in marshal_load methods. Pull request
    #​8306 by segiddins
Enhancements:
  • Skip rdoc hooks and their tests on newer rdoc versions. Pull request
    #​8340 by
    deivid-rodriguez
  • Installs bundler 2.6.2 as a default gem.
Bug fixes:
  • Fix serialized metadata including an empty @original_platform
    attribute. Pull request
    #​8355 by
    deivid-rodriguez

v2.6.1

Compare Source

Enhancements:
  • Installs bundler 2.6.1 as a default gem.
Bug fixes:
  • Fix gem info tagging some non default gems as default. Pull request
    #​8321 by
    deivid-rodriguez
Documentation:
  • Fix broken links. Pull request
    #​8327 by st0012

v2.6.0

Compare Source

Security:
  • Stop storing executable names in ivars. Pull request
    #​8307 by segiddins
Breaking changes:
  • Drop ruby 3.0 support. Pull request
    #​8091 by segiddins
Features:
  • Add --attestation option to gem push. Pull request
    #​8239 by segiddins
Enhancements:
  • Skip unresolved deps warning on Gem::Specification.reset on benign
    cases. Pull request
    #​8309 by
    deivid-rodriguez
  • Let gem install <name> suggest <name>-ruby and ruby-<name> when
    providing "did you mean" suggestions. Pull request
    #​8197 by duckinator
  • Update SPDX license list as of 2024-08-19. Pull request
    #​8233 by
    github-actions[bot]
  • Add --target-rbconfig option to gem install and gem update
    commands. Pull request
    #​7628 by kateinoigakukun
  • Skip nil-value keys to make metadata reproducible. Pull request
    #​7129 by nobu
  • Allow disabling installation of compiled extensions into lib through
    Gem.configuration.install_extension_in_lib. Pull request
    #​6463 by hsbt
  • Installs bundler 2.6.0 as a default gem.
Bug fixes:
  • Set $0 to exe when running gem exec to fix name in CLI output. Pull
    request #​8267 by adam12
  • Fix manifest in gem package using incorrect platform sometimes. Pull
    request #​8202 by
    deivid-rodriguez
Documentation:
  • Fix missing single quote in git source example. Pull request
    #​8303 by nobu
  • Update the gem install demo in README to use a gem that just works on
    Windows. Pull request
    #​8262 by soda92
  • Unify rubygems and bundler docs directory. Pull request
    #​8159 by hsbt

v2.5.23

Compare Source

Enhancements:
  • Validate user input encoding of gem CLI arguments. Pull request
    #​6471 by
    deivid-rodriguez
  • Fix gem update --system leaving old default bundler executables
    around. Pull request
    #​8172 by
    deivid-rodriguez
  • Installs bundler 2.5.23 as a default gem.
Bug fixes:
  • Fix commands with 2 MFA requests when webauthn is enabled. Pull request
    #​8174 by
    deivid-rodriguez
  • Make --enable-load-relative binstubs prolog work when Ruby is not
    installed in the same directory as the binstub. Pull request
    #​7872 by
    deivid-rodriguez
Performance:
  • Speed up gem install <nonexistent-gem> by finding alternative name
    suggestions faster. Pull request
    #​8084 by duckinator
Documentation:
  • Add missing comma in documentation. Pull request
    #​8152 by leoarnold

v2.5.22

Compare Source

Enhancements:
  • Prevent ._* files in packages generated from macOS. Pull request
    #​8150 by
    deivid-rodriguez
  • Fix gem pristine etc resetting gem twice sometimes. Pull request
    #​8117 by
    deivid-rodriguez
  • Allow gem pristine to reset default gems too. Pull request
    #​8118 by
    deivid-rodriguez
  • Update vendored uri and net-http. Pull request
    #​8112 by segiddins
  • Installs bundler 2.5.22 as a default gem.
Bug fixes:
  • Fix gem contents for default gems. Pull request
    #​8132 by
    deivid-rodriguez
  • Fix duplicated specs when they have been previously activated. Pull
    request #​8131 by
    deivid-rodriguez
  • Fix gem install on NFS shares. Pull request
    #​8123 by
    deivid-rodriguez
  • Fix a gem install crash during "done installing" hooks. Pull request
    #​8113 by
    deivid-rodriguez
  • Fix plugin command loading. Pull request
    #​8121 by
    deivid-rodriguez

v2.5.21

Compare Source

Enhancements:
  • Fix Gem::MissingSpecVersionError#to_s not showing exception message.
    Pull request #​8074 by
    deivid-rodriguez
  • Remove code that makes suggest_gems_from_name give worse results. Pull
    request #​8083 by
    duckinator
  • Warning about PATH in --user-install mode is only necessary for gems
    with executables. Pull request
    #​8071 by
    deivid-rodriguez
  • Installs bundler 2.5.21 as a default gem.
Bug fixes:
  • Fix error in one source when fetching dependency APIs clearing results
    from all sources. Pull request
    #​8080 by
    deivid-rodriguez
  • Fix gem cleanup warning when two versions of psych installed. Pull
    request #​8072 by
    deivid-rodriguez

v2.5.20

Compare Source

Enhancements:
  • Installs bundler 2.5.20 as a default gem.

v2.5.19

Compare Source

Enhancements:
  • Standardize pretty-print output for Gem::Source and subclasses. Pull
    request #​7994 by
    djberube
  • Update vendored molinillo to master and vendored resolv to 0.4.0.
    Pull request #​7521 by
    hsbt
  • Installs bundler 2.5.19 as a default gem.
Bug fixes:
  • Fix bundle exec rake install failing when local gem has extensions.
    Pull request #​7977 by
    deivid-rodriguez
  • Make gem exec use the standard GEM_HOME. Pull request
    #​7982 by
    deivid-rodriguez
  • Fix gem fetch always exiting with zero status code. Pull request
    #​8007 by
    deivid-rodriguez
  • Remove temporary .lock files unintentionally left around by gem
    installer. Pull request
    #​7939 by nobu
  • Removed unused stringio. Pull request
    #​8001 by hsbt
  • Avoid another race condition of open mode. Pull request
    #​7931 by nobu
  • Fix @license typo preventing licenses from being correctly
    unmarshalled. Pull request
    #​7975 by djberube
Performance:
  • Fix gem install does-not-exist being super slow. Pull request
    #​8006 by
    deivid-rodriguez

v2.5.18

Compare Source

Enhancements:
  • Installs bundler 2.5.18 as a default gem.
Bug fixes:
  • Fix gem uninstall <name>:<version> failing on shadowed default gems.
    Pull request #​7949 by
    deivid-rodriguez

v2.5.17

Compare Source

Enhancements:
  • Explicitly encode Gem::Dependency to yaml. Pull request
    #​7867 by segiddins
  • Installs bundler 2.5.17 as a default gem.
Bug fixes:
  • Fix gem list regression when a regular gem shadows a default one. Pull
    request #​7892 by
    deivid-rodriguez
  • Always leave default gem executables around. Pull request
    #​7879 by
    deivid-rodriguez
  • Fix line comment issue for hash when loading gemrc. Pull request
    #​7857 by leetking

v2.5.16

Compare Source

Enhancements:
  • Installs bundler 2.5.16 as a default gem.
Bug fixes:
  • Fix gemspec require_paths validation. Pull request
    #​7866 by
    deivid-rodriguez
  • Fix loading of nested gemrc config keys when specified as symbols.
    Pull request #​7851 by
    moofkit
Performance:
  • Use caller_locations instead of splitting caller. Pull request
    #​7708 by nobu

v2.5.15

Compare Source

Enhancements:
  • Installs bundler 2.5.15 as a default gem.
Bug fixes:
  • Restrict generic arm to only match 32-bit arm. Pull request
    #​7830 by ntkme
  • Protect creating binstubs with a file lock. Pull request
    #​7806 by
    deivid-rodriguez
Documentation:
  • Make it clearer that add_dependency is the main way to add
    non-development dependencies. Pull request
    #​7800 by jeromedalbert

v2.5.14

Compare Source

Enhancements:
  • Installs bundler 2.5.14 as a default gem.
Bug fixes:
  • Make "bundler? update --bundler" behave identically. Pull request
    #​7778 by x-yuri

v2.5.13

Compare Source

Enhancements:
  • Installs bundler 2.5.13 as a default gem.
Bug fixes:
  • Never remove executables that may belong to a default gem. Pull request
    #​7747 by
    deivid-rodriguez

v2.5.12

Compare Source

Enhancements:
  • Installs bundler 2.5.12 as a default gem.
Bug fixes:
  • Fix gem uninstall unresolved specifications warning. Pull request
    #​7667 by
    deivid-rodriguez
  • Fix gem pristine sometimes failing to pristine user installed gems.
    Pull request #​7664 by
    deivid-rodriguez

v2.5.11

Compare Source

Enhancements:
  • Update SPDX license list as of 2024-05-22. Pull request
    #​7689 by
    github-actions[bot]
  • Fix the update_rubygems inconsistency (--disable-gems). Pull request
    #​7658 by x-yuri
  • Accept WASI as an OS name in Gem::Platform. Pull request
    #​7629 by kateinoigakukun
  • Warn if RubyGems version explicitly set in gemspec does not match
    running version. Pull request
    #​7460 by
    deivid-rodriguez
  • Installs bundler 2.5.11 as a default gem.
Bug fixes:
  • Fix binstubs sometimes not getting regenerated when --destdir is
    given. Pull request
    #​7660 by
    deivid-rodriguez
  • Fix gem uninstall --user-install for symlinked HOME. Pull request
    #​7645 by
    deivid-rodriguez
  • Fix issue when plugin stubs would sometimes not be properly removed by
    gem uninstall. Pull request
    #​7631 by
    deivid-rodriguez
  • Fix plugins uninstallation for user installed gems. Pull request
    #​6456 by voxik
Performance:
  • Use a constant empty tar header to avoid extra allocations. Pull request
    #​7484 by segiddins
Documentation:
  • Recommend bin/rake over rake in contributing docs. Pull request
    #​7648 by
    deivid-rodriguez

v2.5.10

Compare Source

Security:
  • Add a limit to the size of the metadata and checksums files in a gem
    package. Pull request
    #​7568 by segiddins
Enhancements:
  • Don't fully require rubygems from rubygems/package to prevent some
    circular require warnings when using Bundler. Pull request
    #​7612 by
    deivid-rodriguez
  • Installs bundler 2.5.10 as a default gem.
Bug fixes:
  • Rename credential email to identifier in WebAuthn poller. Pull request
    #​7623 by jenshenny

v2.5.9

Compare Source

Enhancements:
  • Installs bundler 2.5.9 as a default gem.

v2.5.8

Compare Source

Security:
  • Respect global umask when writing regular files. Pull request
    #​7518 by
    deivid-rodriguez
Enhancements:
  • Allow string keys with gemrc. Pull request
    #​7543 by hsbt
  • [Experimental] Add "gem rebuild" command. Pull request
    #​4913 by duckinator
  • Installs bundler 2.5.8 as a default gem.
Bug fixes:
  • Fix NoMethodError crash when building errors about corrupt package
    files. Pull request
    #​7539 by jez
  • Fix resolver to properly intersect Arrays of Gem::Resolver::Activation
    objects. Pull request
    #​7537 by
    deivid-rodriguez

v2.5.7

Compare Source

Enhancements:
  • Warn on empty or open required_ruby_version specification attribute.
    Pull request #​5010 by
    simi
  • Control whether YAML aliases are enabled in Gem::SafeYAML.safe_load via
    attribute. Pull request
    #​7464 by segiddins
  • Update SPDX license list as of 2024-02-08. Pull request
    #​7468 by
    github-actions[bot]
  • Installs bundler 2.5.7 as a default gem.
Bug fixes:
  • Allow prerelease activation (even if requirement is not explicit about
    it) when it's the only possibility. Pull request
    #​7428 by kimesf
Documentation:
  • Fix a typo. Pull request
    #​7505 by hsbt
  • Use https instead of http in documentation links. Pull request
    #​7481 by hsbt

v2.5.6

Compare Source

Enhancements:
  • Deep copy requirements in Gem::Specification and Gem::Requirement.
    Pull request #​7439 by
    flavorjones
  • Change gem login message to clear up that username can be also used.
    Pull request #​7422 by
    VitaliySerov
  • Add metadata for rubygems.org. Pull request
    #​7435 by m-nakamura145
  • Improve gem login scope selection. Pull request
    #​7342 by williantenfen
  • Vendor uri in RubyGems. Pull request
    #​7386 by
    deivid-rodriguez
  • Installs bundler 2.5.6 as a default gem.
Bug fixes:
  • Skip to load commented out words. Pull request
    #​7413 by hsbt
  • Fix rake runtime dependency warning for rake based extension. Pull
    request #​7395 by ntkme

v2.5.5

Compare Source

Enhancements:
  • Installs bundler 2.5.5 as a default gem.
Bug fixes:
  • Fix require activation conflicts when requiring default gems under
    some situations. Pull request
    #​7379 by
    deivid-rodriguez
  • Use cache_home instead of data_home in default_spec_cache_dir. Pull
    request #​7331 by mrkn
Documentation:
  • Use squiggly heredocs in Gem::Specification#description documentation,
    so it doesn't add leading whitespace. Pull request
    #​7373 by bravehager

v2.5.4

Compare Source

Enhancements:
  • Always avoid "Updating rubygems-update" message. Pull request
    #​7335 by
    deivid-rodriguez
  • Installs bundler 2.5.4 as a default gem.
Bug fixes:
  • Make gem update --system respect ruby version constraints. Pull
    request #​7334 by
    deivid-rodriguez

v2.5.3

Compare Source

Enhancements:
  • Installs bundler 2.5.3 as a default gem.

v2.5.2

Compare Source

Enhancements:
  • Validate user input encoding of gem CLI arguments. Pull request
    #​6471 by
    deivid-rodriguez
  • Fix gem update --system leaving old default bundler executables
    around. Pull request
    #​8172 by
    deivid-rodriguez
  • Installs bundler 2.5.23 as a default gem.
Bug fixes:
  • Fix commands with 2 MFA requests when webauthn is enabled. Pull request
    #​8174 by
    deivid-rodriguez
  • Make --enable-load-relative

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@sc-renovate sc-renovate Bot added dependencies Pull requests that update a dependency file renovate labels Jun 1, 2026
@sc-renovate sc-renovate Bot force-pushed the renovate/rubygems-bundler-vulnerability branch from aeadb06 to 2cc6f21 Compare June 1, 2026 13:33
@sc-renovate sc-renovate Bot changed the title chore(deps): update dependency bundler to v4 [security] chore(deps): update dependency bundler to v2 [security] Jun 1, 2026
@sc-renovate sc-renovate Bot force-pushed the renovate/rubygems-bundler-vulnerability branch from 2cc6f21 to 2b9747e Compare June 1, 2026 15:27
@sc-renovate sc-renovate Bot changed the title chore(deps): update dependency bundler to v2 [security] chore(deps): update dependency bundler to v4 [security] Jun 1, 2026
@sc-renovate sc-renovate Bot force-pushed the renovate/rubygems-bundler-vulnerability branch from 2b9747e to 5c5426d Compare June 2, 2026 00:59
@sc-renovate sc-renovate Bot changed the title chore(deps): update dependency bundler to v4 [security] chore(deps): update dependency bundler to v2 [security] Jun 2, 2026
@sc-renovate sc-renovate Bot force-pushed the renovate/rubygems-bundler-vulnerability branch from 5c5426d to a909b8c Compare June 6, 2026 08:31
@sc-renovate sc-renovate Bot changed the title chore(deps): update dependency bundler to v2 [security] chore(deps): update dependency bundler to v4 [security] Jun 6, 2026
@sc-renovate sc-renovate Bot force-pushed the renovate/rubygems-bundler-vulnerability branch 3 times, most recently from 123ab3b to a7d3b88 Compare June 10, 2026 02:19
@sc-renovate sc-renovate Bot force-pushed the renovate/rubygems-bundler-vulnerability branch 4 times, most recently from 1241ad0 to 6dcbe71 Compare June 20, 2026 00:56
@sc-renovate sc-renovate Bot force-pushed the renovate/rubygems-bundler-vulnerability branch 4 times, most recently from f681375 to 899597f Compare June 30, 2026 13:17
@sc-renovate sc-renovate Bot force-pushed the renovate/rubygems-bundler-vulnerability branch 2 times, most recently from 7fe9238 to 45f4ee6 Compare July 6, 2026 00:31
@sc-renovate sc-renovate Bot force-pushed the renovate/rubygems-bundler-vulnerability branch from 45f4ee6 to 1e4bc2a Compare July 10, 2026 14:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file renovate

Development

Successfully merging this pull request may close these issues.

0 participants