RubyGems Blog

4.0.11 Released

2026-04-30T00:00:00+00:00

RubyGems 4.0.11 includes enhancements and Bundler 4.0.11 includes enhancements, bug fixes and documentation.

To update to the latest RubyGems you can run:

gem update --system [--pre]

To update to the latest Bundler you can run:

gem install bundler [--pre]
bundle update --bundler=4.0.11

RubyGems Release Notes

Enhancements:

Add commented-out rubygems_mfa_required to bundle gem template. Pull request #9487 by MatheusRich
Clarify the name and meaning of the first argument to gem spec. Pull request #9476 by eregon
Installs bundler 4.0.11 as a default gem.

Bundler Release Notes

Enhancements:

Update gem creation guide URL to rubygems.org. Pull request #9500 by nissyi-gh
Lock the checksum of Bundler itself in the lockfile. Pull request #9366 by Edouard-chin

Bug fixes:

Fix installing gems with native extensions + transitive dependencies. Pull request #9477 by nicholasdower
Fix the bundler version not being updated in dev/test lockfile. Pull request #9463 by Edouard-chin
Ensure the release CI doesn’t break due to the Bundler checksum feature. Pull request #9436 by Edouard-chin

Documentation:

Fix formatting for BUNDLE_PREFER_PATCH variable in man page. Pull request #9474 by toy

Manual Installation

To install RubyGems by hand see the Download RubyGems page.

SHA256 Checksums:

rubygems-4.0.11.tgz
95fe9d9d5293d022ceb29afac56eee4e2d46f901de309ab46915ff84d5ec68e8
rubygems-4.0.11.zip
1b5800bf8b94d0ac4027d71efe8eace3d1ec24442397731cd0c6b16ecfa30163
rubygems-update-4.0.11.gem
d851e6dfc3d1984952c1f6129798472baa899d3ad84ea9eb687cd1237b341068

Scaling Ruby's defenses with AI

2026-04-29T00:00:00+00:00

On April 23rd, we submitted a vulnerability report to the Nokogiri maintainers. It was the first one our team has filed using AI-assisted scanning. The maintainers accepted the report and published it as GHSA-c4rq-3m3g-8wgx.

The same week, news broke that Mythos, Anthropic’s most capable security model, had been accessed by unauthorized users through a third-party vendor. According to Anthropic, Mythos has identified thousands of zero-day vulnerabilities across every major operating system and web browser, including a 17-year-old remote code execution flaw in FreeBSD and a 27-year-old bug in OpenBSD. Two stories on the same shift, one from each side of it. The capability gap between attackers and defenders just widened, and most open source ecosystems have nothing to close it with.

Anthropic is bringing some open source maintainers into Project Glasswing. Ruby is on the list, and agreements signed, but the access is not live yet. We cannot afford to be on the wrong side of that gap.

We have been working on the defender side. RubyGems hosts roughly 190,000 gems, and you cannot audit them all. The OpenSSF Criticality Score lets us focus on the gems whose compromise would cascade through the rest of the ecosystem. We’re looking at those first.

We are using Claude Opus 4.7 to surface candidate vulnerabilities. A human reviewer triages, verifies, and writes up every finding before anything reaches a maintainer. None of this work happens without backing. Alpha Omega, a project of the OpenSSF at the Linux Foundation, is sponsoring this work. Anthropic is providing the model access we need to operate at the scale it needs.

The bug we found in Nokogiri is a regex backtracking pathology in the CSS tokenizer. A short, unterminated attribute selector could hang the Ruby process indefinitely because the tokenizer’s regex tries to interpret each escape sequence two different ways and explores an exponential number of possibilities before giving up. Every public Nokogiri CSS entry point routes through this tokenizer. Most large consumers (Rails, Capybara, Loofah) pass developer-written selectors and were unaffected. But any application that lets user input flow into a CSS selector (scrapers, feed readers) was exposed to an unauthenticated denial-of-service via a payload small enough to fit in a request parameter.

ReDoS bugs are a sweet spot for model-assisted finding. They are hard to spot by reading code and easy to verify by running them. Opus 4.7 flagged the ambiguous STRING rule in the CSS tokenizer and proposed a payload to exercise it: an unterminated attribute selector followed by a run of \a escape sequences. I ran it. Parsing took 6ms at fifteen escape sequences and timed out past five seconds at twenty-four. Each added escape roughly quadrupled the runtime, which is what catastrophic backtracking looks like. I wrote up the report. The Nokogiri maintainers accepted it, patched the bug, and published the advisory. The fix is in.

Open source maintainers are already drowning in AI-generated security reports that don’t hold up. Each one wastes a maintainer’s day and makes the next legitimate report harder to act on. We are not going to be part of that.

Opus 4.7 is the most capable model we have access to right now, and it produced a real advisory in one of the most widely used gems in the ecosystem. We are working with Anthropic to gain access to Mythos through Project Glasswing. We did not need to wait for it to find this bug, and we will not wait to find the next one.

RubyCentral is hiring a small team of security engineers to scale this work. The job is to run AI-assisted reviews against the most critical gems on rubygems.org, verify findings, and earn the kind of relationship with maintainers where an advisory from us is taken seriously and acted on quickly. If you have done open source security work in any ecosystem and want to do it at scale, we would like to hear from you. Please reach out to oss@rubycentral.org.

We submitted our first report on April 23rd. There are 190,000 more gems to look at.

Update, 30 April 2026: An earlier version of this post said “Ruby is not in yet” in reference to Project Glasswing. We have been invited into the program, but the access is not live yet. The line has been clarified to reflect that.

rubygems.org has a public roadmap

2026-04-15T00:00:00+00:00

rubygems.org has been a busy project. This past year we shipped formal policies for the first time in the registry’s history, launched the Organizations private beta, and made some meaningful security improvements to how gems get validated and how compromised passwords get caught. A lot of that work happened quietly. If you wanted to know where things were headed, you had to catch the right conference talk or subscribe to the right newsletter, and even then you’d only get pieces. The roadmap puts it in one place.

The roadmap covers work at different stages, from Organizations moving toward general availability to longer-horizon work on security tooling, gem archival, and acceptable use policies. The full list is on the board.

As the registry has grown, the stakes of each change have grown with it. Those changes ripple out to gem authors, client maintainers, and anyone who depends on the ecosystem being stable. Getting that right requires input from people outside the core team. Contributors from both the RubyGems client team and Shopify are already working with us on making native gems a better experience for the Ruby community. A public roadmap makes more of that possible.

If you see something on the roadmap that affects your work, leave a comment on the issue. If something’s missing that you think should be there, open an issue.

The roadmap is public now. We’re curious what the community does with it.

Protecting rubygems.org from the outside in: DoS prevention and compromised passwords

2026-04-09T00:00:00+00:00

Every gem published to rubygems.org ends up running on someone’s computer. It’s up to rubygems.org to ensure that each gem contains what it claims, that its metadata is well-formed, and that the person who pushed it is who they say they are.

We’ve been chipping away at that. Over the past few months, we shipped two changes that tighten rubygems.org’s defences at very different layers: stronger validation of gem contents at push time, and integration with Have I Been Pwned to catch compromised passwords at login.

What rubygems.org checks when you gem push

A RubyGem is actually just a regular tar file, which contains 3 sections: the code, metadata, and checksums, which you can inspect for yourself.

$ gem fetch rails
Fetching rails-8.1.3.gem
Downloaded rails-8.1.3

$ tar -xvf rails-8.1.3.gem
x metadata.gz
x data.tar.gz
x checksums.yaml.gz

rubygems.org closely inspects all 3 of these files when a gem is published, but the ones we’re looking at are the metadata and checksums.yaml.

The checksums.yaml certifies the integrity hash of the data.tar.gz and metadata.gz with a sha256 after gem build. If someone tampers with the code directly, the checksums won’t match and rubygems.org rejects the push immediately. Checksums are the easy part.

metadata.gz has the serialised YAML of the gem metadata, generated from the gemspec during gem build.

 --- !ruby/object:Gem::Specification
name: rails
version: !ruby/object:Gem::Version
  version: 8.1.3
platform: ruby
authors:
- David Heinemeier Hansson
bindir: bin
cert_chain: []
date: 1980-01-02 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
  name: activesupport
  requirement: !ruby/object:Gem::Requirement
    requirements:
    - - '='
      - !ruby/object:Gem::Version
        version: 8.1.3
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
    requirements:
    - - '='
      - !ruby/object:Gem::Version
        version: 8.1.3
...

When a gem is pushed, rubygems.org deserialises the YAML and reconstructs a Gem::Specification object from it. It then validates the result, checking that the name and version are well-formed, that the declared dependencies are valid, that the person pushing is authorised. This is where gem validation gets complex.

Exploiting the validation process

This process of reconstructing the gemspec YAML into a Gem::Specification object invites a class of exploitation called insecure deserialisation that would allow a crafted YAML to attack rubygems.org.

This isn’t a theoretical concern. In 2017, a security researcher discovered that rubygems.org was using a bare YAML.load to deserialise checksums inside gem files, a vulnerability that had potentially been present since 2012. The team patched it within hours by switching to YAML.safe_load, which restricts which Ruby objects can be instantiated from a document. But that only narrowed the problem. Even with a precise allowlist of classes and objects, malicious gems could still exploit the deserialisation process to exhaust memory or CPU before any validation even ran, causing rubygems.org servers to stop working.

Validating gems without `Gem::Specification`

The fix was to stop trusting the YAML to tell rubygems.org what to do with itself.

This was largely Aaron Patterson’s (tenderlove) work. He designed and built the AST-based approach from the ground up. Rather than handing the document to Ruby and letting it materialise objects, we traverse the parsed tree ourselves and extract only the values we expect to find. The YAML never gets to decide what gets instantiated. We also validate the structure against a schema derived from the real thing: Aaron audited all 180,000 gems published on rubygems.org and built a tool to validate them against it. Some very old gems turned up edge cases we deliberately chose not to handle. If those gems were pushed today, they’d be rejected, but these gems that haven’t seen a new version in years almost certainly never will be. His contribution here is greatly appreciated.

The result is that an entire class of exploitation (using malformed metadata to attack the push endpoint itself) is no longer possible. The attack surface doesn’t exist anymore.

Compromised passwords and the supply chain

Gem validation protects rubygems.org from what gets pushed. But there’s a separate persistent threat: who’s doing the pushing.

Package registries are high-value targets for credential stuffing. If an attacker gets hold of a developer’s reused password from an unrelated breach, they can log in as that developer and push a malicious version of a legitimate gem. The code is signed by a trusted account. The checksums match. Everything looks right, because as far as rubygems.org can tell, it is.

Have I Been Pwned (HIBP) is a service run by security researcher Troy Hunt that tracks passwords exposed in known data breaches. At the time of writing, it contains over 10 billion compromised passwords. rubygems.org now checks against it at login, registration and password resets.

Checking passwords without exposing them

The obvious concern with checking your password against a third-party service is privacy. rubygems.org never sends your password, or even a full hash of it, to HIBP.

Instead, it uses HIBP’s k-anonymity model. When you log in, rubygems.org computes a SHA-1 hash of your password and sends only the first 5 characters of that hash to the HIBP API. HIBP returns a list of all hashed passwords in its database that start with those 5 characters. rubygems.org then checks that list locally. Your full password hash never leaves our servers.

If your password appears in the results, rubygems.org blocks the session and shows a warning explaining your password has been found in a known breach. You’ll need to reset your password before you can log in again.

Since shipping, it’s detected 1,166 accounts with compromised passwords. Because rubygems.org hashes passwords with bcrypt, we’ve never been able to inspect the strength of passwords in the database directly. This is the first real window into how widespread the problem is, and a way to start course correcting it.

Shipping the work

rubygems.org serves almost a billion gem downloads every single day. Every Ruby application, from side projects to the infrastructure powering large parts of the internet, depends on the integrity of what we distribute.

These two changes address the supply chain at different layers: one at the moment a gem is built and pushed, the other at the moment a person logs in. Neither is glamorous. Validating YAML ASTs and hashing password prefixes don’t ship in a splash announcement. But this is the work: closing specific, real attack vectors before someone finds them for you. If you want to follow along or get involved, everything happens in the open at github.com/rubygems/rubygems.org.

4.0.10 Released

2026-04-08T00:00:00+00:00

RubyGems 4.0.10 includes enhancements and bug fixes and Bundler 4.0.10 includes enhancements and bug fixes.

To update to the latest RubyGems you can run:

gem update --system [--pre]

To update to the latest Bundler you can run:

gem install bundler [--pre]
bundle update --bundler=4.0.10

RubyGems Release Notes

Enhancements:

Ignore warnings with spec different platforms. Pull request #8508 by hsbt
Better algorithm for sorting gem version. Pull request #9421 by Edouard-chin
Update SPDX license list as of 2026-02-20. Pull request #9434 by hsbt
Installs bundler 4.0.10 as a default gem.

Bug fixes:

Register native extension files in default spec map. Pull request #9431 by hsbt
Fix NoMethodError in Gem.try_activate when activation conflicts occur. Pull request #9404 by hsbt

Bundler Release Notes

Enhancements:

Ignore warnings with spec different platforms. Pull request #8508 by hsbt
Improve error message when current platform is not in lockfile. Pull request #9439 by 55728
Cache package version selection. Pull request #9410 by Edouard-chin
Check happy path first when comparing gem version. Pull request #9417 by Edouard-chin
[feature] default_cli_command for config what command bundler runs when no specific command is provided. Pull request #8886 by jonbarlo
Introduce a fast path for comparing Gem::Version. Pull request #9414 by Edouard-chin

Bug fixes:

Restore rb_sys dependency for Rust. Pull request #9416 by bangseongbeom

Manual Installation

To install RubyGems by hand see the Download RubyGems page.

SHA256 Checksums:

rubygems-4.0.10.tgz
6a225b7a8883de45d90c9b3f7ee14391759b286030ba1d1d77588cd7282e6cc7
rubygems-4.0.10.zip
edbb019691ef32e5e086595f54e1bc24bcfe5b9fe77e27aa893c7c752ef190d9
rubygems-update-4.0.10.gem
bd9dcd20076e809467739c868df95bcd628744f63e3b63d9df169d6223dabf6d

Temporarily disabling language support on rubygems.org

2026-04-07T00:00:00+00:00

I’m one of the operators of rubygems.org. Here’s what’s been happening over the past week, and a temporary change we’re making as a result.

For the past seven days, rubygems.org has been under sustained bot traffic from many different sources scraping data from every published gem. The volume has been large enough to force the site offline while we respond. The bots are deliberately bypassing the Fastly cache, hitting our origin servers directly.

The primary target has been our language locale pages, the translated versions of rubygems.org. Unfortunately, the locale system wasn’t designed to cache easily through a CDN. To protect site stability, we’re temporarily disabling language support while we rearchitect how locale pages are cached.

We’ll restore language support as soon as we have caching in place that can handle this volume. Thank you for your patience.

P.S. if you need gem and version data for a project, we publish regular database exports at https://rubygems.org/pages/data. We strongly recommend using those instead of scraping rubygems.org directly.

4.0.9 Released

2026-03-25T00:00:00+00:00

RubyGems 4.0.9 includes enhancements, bug fixes and documentation and Bundler 4.0.9 includes enhancements and bug fixes.

To update to the latest RubyGems you can run:

gem update --system [--pre]

To update to the latest Bundler you can run:

gem install bundler [--pre]
bundle update --bundler=4.0.9

RubyGems Release Notes

Enhancements:

Fix: include owner role in gem owner. Pull request #9403 by gjtorikian
Installs bundler 4.0.9 as a default gem.

Bug fixes:

Fix: Ensure trailing slash is added to source URIs added via gem sources. Pull request #9055 by zirni

Documentation:

[DOC] Fix link. Pull request #9409 by BurdetteLamar

Bundler Release Notes

Enhancements:

Check the git version only once per bundle install. Pull request #9406 by Edouard-chin
Normalize the number of workers when performing parallel operations. Pull request #9400 by Edouard-chin
Add exponential backoff to bundler retries. Pull request #9163 by ChrisBr
Introduce a priority queue. Pull request #9389 by Edouard-chin
Split the download and install process of a gem. Pull request #9381 by Edouard-chin

Bug fixes:

Retry git fetch without –depth for dumb HTTP transport. Pull request #9405 by hsbt

Manual Installation

To install RubyGems by hand see the Download RubyGems page.

SHA256 Checksums:

rubygems-4.0.9.tgz
39b1e2c878946e420116c3c26e4e708c0ddbdf7cd4a13c48dd0fc0774c7add8d
rubygems-4.0.9.zip
d77dfd4baabcdc5b0a268f79332239bbbe2647f78d40778c243beace61d856a6
rubygems-update-4.0.9.gem
e1c0b84abaf481a4e0553d666986156090399afcc099aa18cac6fabbddc45514

4.0.8 Released

2026-03-11T00:00:00+00:00

RubyGems 4.0.8 includes enhancements and documentation and Bundler 4.0.8 includes enhancements and bug fixes.

To update to the latest RubyGems you can run:

gem update --system [--pre]

To update to the latest Bundler you can run:

gem install bundler [--pre]
bundle update --bundler=4.0.8

RubyGems Release Notes

Enhancements:

Use JSON for cargo metadata parsing. Pull request #9373 by hsbt
Fix NameError in Gem::Request.get_proxy_from_env when requiring rubygems/request directly. Pull request #9362 by afurm
Installs bundler 4.0.8 as a default gem.

Documentation:

Unify Compact Index API naming. Pull request #9372 by simi

Bundler Release Notes

Enhancements:

Add a new Bundler config to control how many specs are fetched #9363
Restrict GitHub Actions workflow permissions for newgem #9361

Bug fixes:

Fix plugin new version not registering #9355

Manual Installation

To install RubyGems by hand see the Download RubyGems page.

SHA256 Checksums:

rubygems-4.0.8.tgz
b18663def26384e467f2594bf27190c580771df0ca7ba444afa1d76609881813
rubygems-4.0.8.zip
205198b7513521d2ba358e6b4df88924601be89b329d2b49fc0c0f55e41b167b
rubygems-update-4.0.8.gem
3465eef02174a0bbad1f8d343eff67a33e7fc6eeb84cf69f1d1ca77ce565045c

4.0.7 Released

2026-02-25T00:00:00+00:00

RubyGems 4.0.7 includes enhancements and documentation and Bundler 4.0.7 includes enhancements, bug fixes and documentation.

To update to the latest RubyGems you can run:

gem update --system [--pre]

To update to the latest Bundler you can run:

gem install bundler [--pre]
bundle update --bundler=4.0.7

RubyGems Release Notes

Enhancements:

Add Gem.disable_system_update_message in setup.rb. Pull request #9020 by hyuraku
Print message when signing in with an existing API key. Pull request #9312 by hsbt
Installs bundler 4.0.7 as a default gem.

Documentation:

Document gemspecs must be deterministic. Pull request #9321 by fxn
Remove “##” from a comment to require. Pull request #9306 by tompng

Bundler Release Notes

Enhancements:

Don’t check whether a plugin needs to be installed: #9328
[rust gem] Major improvements for gem scaffolding (rebased) #8455
Fix(bundler): only preload git sources for requested groups #9234
Raise error when gem contains capital letters #5432

Bug fixes:

Fix Bundler crashing when it tries to install plugin: #9335
Run git operations in parallel (take 2): #9323
Add support for help flag in plugin commands #9263

Documentation:

[DOC] Fix link in Bundler #9315

Manual Installation

To install RubyGems by hand see the Download RubyGems page.

SHA256 Checksums:

rubygems-4.0.7.tgz
80578da300518eca7abebb4c89ad26e5751ac8a77919f246b4fed67609f919e3
rubygems-4.0.7.zip
e6c46b17a7495a8fdeef91de1bf76d225e0ec4f164e6b88ea5f38f43ca531ba8
rubygems-update-4.0.7.gem
273c1291b85cd5882b10242e3c8463995164bcb2d37c2a92347ecd04fa5ae99a

Organizations Private Beta

2026-02-16T00:00:00+00:00

We’re excited to announce that the Organizations feature for RubyGems.org has entered private beta!

A long time coming

We started the Organizations work back in 2024 as announced in our June 2024 RubyGems update, where we shared our plans to bring organization accounts, memberships, and more precise gem permission controls to the platform. Since then, the team has been steadily building out the feature from refactoring our permissions models to introducing ownership roles, building the organization onboarding experience, and updating our guides to cover how Organizations work. After more than a year of development, Organizations is ready for real-world feedback.

Join the Private Beta

While ready for testing, it’s not ready for general release. We’re still refining some workflows and welcome feedback on any gaps you encounter. After talking to our friends at PyPI, we know that a public rollout of a feature like this will not be trivial. Instead, we’re adding a limited number of private beta organizations to help us refine the feature. We’ve already onboarded four organizations, with another four accepted into the program.

We envision Organizations primarily serving publishers with extended teams who manage gem publishing workflows. We’re especially interested in organizations that approach publishing in unusual or non-standard ways as these edge cases will help us build a better feature for everyone. If you’re interested in participating, please complete our interest form to get started.

What’s Next

We’ll be iterating on the feature based on what we learn from beta participants. Our goal is to open Organizations to the broader community once we’re confident the experience is solid. As we don’t have an anticipated timeline, stay tuned for updates.

4.0.6 Released

2026-02-05T00:00:00+00:00

RubyGems 4.0.6 includes enhancements and Bundler 4.0.6 includes bug fixes and documentation.

To update to the latest RubyGems you can run:

gem update --system [--pre]

To update to the latest Bundler you can run:

gem install bundler [--pre]
bundle update --bundler=4.0.6

RubyGems Release Notes

Enhancements:

Update vendored resolv to 0.7.0. Pull request #9298 by hsbt
Installs bundler 4.0.6 as a default gem.

Bundler Release Notes

Bug fixes:

Fix gzip cache corruption when recovering from HTTP 416 responses #9272
Fallback git/path sources to default source #9301
Ensure revision is always re-resolved in git_proxy.rb #9294

Documentation:

Clarify local gem override docs to require git-sourced gems #9305

Manual Installation

To install RubyGems by hand see the Download RubyGems page.

SHA256 Checksums:

rubygems-4.0.6.tgz
98049c08fb8a94a12cc10c43ef4997faec76c4c6f328733a938f1ca6aa2c811e
rubygems-4.0.6.zip
5dc4e49b1399a99465bf1ea4c188d920fbe28e0b7193a3dc44891216e1b1d5ff
rubygems-update-4.0.6.gem
bbd93b2e1410ebc41d22e07c1b3346d03b633b09b12421bf0b776ad5c9a3acc4

4.0.5 Released

2026-01-29T00:00:00+00:00

RubyGems 4.0.5 includes enhancements, bug fixes and documentation and Bundler 4.0.5 includes enhancements and bug fixes.

To update to the latest RubyGems you can run:

gem update --system [--pre]

To update to the latest Bundler you can run:

gem install bundler [--pre]
bundle update --bundler=4.0.5

RubyGems Release Notes

Enhancements:

Removed unused deprecate loading. Pull request #9266 by hsbt
Validate executable names for invalid characters. Pull request #9257 by hsbt
Installs bundler 4.0.5 as a default gem.

Bug fixes:

Fix RubyGems not able to require the right gem:. Pull request #9246 by Edouard-chin
Remove special behavior for rake. Pull request #9245 by JasonLunn

Documentation:

Added another usage of pristine command. Pull request #9255 by hsbt

Bundler Release Notes

Enhancements:

Fix Bundler that re-exec $0 when a version is present in the config: #9249

Bug fixes:

Only use parent source with Git and Path sources #9269

Manual Installation

To install RubyGems by hand see the Download RubyGems page.

SHA256 Checksums:

rubygems-4.0.5.tgz
f3d3be045119301be1f2dbb4d6ac018a76f2969a367cf072c94ce06392961c75
rubygems-4.0.5.zip
a890bd73dd7f9382cdf9e89655f8b626eac919080a8e67d5cfffb74ee5bd24d4
rubygems-update-4.0.5.gem
00f14f539debafb3c207cf4d5af097bd458bc57d12538354275da3ebdc8276a0

4.0.4 Released

2026-01-15T00:00:00+00:00

RubyGems 4.0.4 includes enhancements and bug fixes and Bundler 4.0.4 includes enhancements and bug fixes.

To update to the latest RubyGems you can run:

gem update --system [--pre]

To update to the latest Bundler you can run:

gem install bundler [--pre]
bundle update --bundler=4.0.4

RubyGems Release Notes

Enhancements:

Remove date require from rebuild command. Pull request #9232 by jeremyevans
Installs bundler 4.0.4 as a default gem.

Bug fixes:

Add a missing “require ‘etc’” statement:. Pull request #9242 by Edouard-chin

Bundler Release Notes

Enhancements:

Validate more options for add sub-command #5905
Support Ruby 4.1 #9219

Bug fixes:

Fix dependency source bug in bundler #9213
Retain current bundler version on bundle clean #9221

Manual Installation

To install RubyGems by hand see the Download RubyGems page.

SHA256 Checksums:

rubygems-4.0.4.tgz
89668a8eaba1a53c6f525221ab58cfe901dae41765b6f5e7ad2bd9c3119421e8
rubygems-4.0.4.zip
eec3ac3fb8bc00ec8797c495b4aaa5930ad0539304bbe419761f8a4194ab29a8
rubygems-update-4.0.4.gem
3c9f05b54dacb41ac6385f3793566a7b0ad7a0519fc412aa9bebdb181ed1dbd8

What's New in RubyGems/Bundler 4

2025-12-26T00:00:00+00:00

Ruby 4.0.0 was released on December 25, 2025, and RubyGems/Bundler 4.0.3 is now bundled with Ruby 4.0.0.

Since my previous post focused on migration and compatibility concerns, I’d like to highlight some of the exciting new features in this release.

Parallelization of C-extension Gem Builds

Add MAKEFLAGS=-j by default before compiling

When installing gems with C extensions (such as mysql2 or pg), RubyGems now automatically adds MAKEFLAGS=-j to the make command for parallel execution. Users previously had to manually configure this themselves. By leveraging multi-core CPUs by default, installation times are significantly reduced.

By default, RubyGems uses Etc.nprocessors + 1, fully utilizing available CPU cores during compilation. You can override this by setting MAKEFLAGS explicitly (e.g., MAKEFLAGS=-j2).

While convenient for local development, we discovered after implementation that in containerized environments like CircleCI, Etc.nprocessors returns the host server’s CPU count rather than the container’s allocation. This caused failures when jobs were assigned -j32 despite having only 2 available CPUs. To address this, we’ve introduced the following improvements.

Unified Parallel Job Execution Options

Pass down value of BUNDLE_JOBS to RubyGems before compiling & introduce a new gem install -j flag

To prevent resource exhaustion in virtual environments, a new -j flag for gem install and automatic passing of BUNDLE_JOBS to RubyGems have been introduced.

Now when you set BUNDLE_JOBS=4, bundle install runs with 4-way parallelism, and C extensions are built with -j4. In resource-constrained CI environments, specifying 1 or 2 prevents resource exhaustion.

However, even with these changes, worst-case scenarios remain (where BUNDLE_JOBS=4 could consume up to 16 CPU cores). To address this, we’re exploring a GNU Make jobserver—a mechanism where a server controls available CPUs and jobs query it before running.

While the specifics are still in development, this should eliminate worst-case scenarios. We’ve also learned that Go’s GOMAXPROCS handles containerized environments like CircleCI by reading CPU info from cgroup:

Feature #21797: Improve Etc.nprocessors for cgroup environment

By incorporating this approach into Ruby core and combining it with a jobserver, we expect to achieve optimal build speeds while fully utilizing available CPUs. Stay tuned!

Increased Connection Pool and Efficient Network Communication

Increase connection pool to allow for up to 70% speed increase on bundle install

The default connection pool for Bundler and RubyGems network requests has been expanded to 5 parallel connections. This improvement reportedly reduces bundle install times by up to 70%.

Adjust the API_REQUEST_LIMIT to make less network roundtrip

Additionally, API_REQUEST_LIMIT (which controls batch sizes of dependency information) has increased from 50 to 100, doubling the gems per request. For example, a Gemfile with 400 dependencies now requires just 4 network requests instead of 8.

Pattern Matching Support for Gem::NameTuple and Gem::Platform

Add pattern matching support to Gem::Platform

When writing scripts that need to inspect gem names, versions, or platforms, you can now use Ruby’s pattern matching for cleaner and safer logic.

As shown in the GitHub PR, you can write platform-specific logic cleanly using pattern matching on Gem::Platform:

case platform
in cpu: "x86_64", os: "linux"
  install_linux_x64
in cpu: "arm64", os: "darwin"
  install_macos_arm
else
  # ...
end

Pattern matching support for Gem::Version is still under consideration and may not move forward.

Add pattern matching support to Gem::Version

The proposal suggested decomposing versions into major, minor, and build components, but real-world versions include strings like 4.0.0.beta3 or 4.0.0.beta.3. It would be inconsistent for these to equal 4.0.0, and equally confusing for beta3 and beta.3 to be treated as equivalent. Additionally, since build is sometimes called tiny or patch and lacks a clear definition, I’m hesitant about introducing this feature.

JSON Output for bundle list

Introduce bundle list --format=json

A new --format=json option for bundle list makes it easy to integrate Bundler with external tools.

When analyzing a project’s gem dependencies programmatically (via CI tools, security scanners, etc.), JSON output eliminates the need to parse text, greatly simplifying integration. While Bundler has parsers for Gemfiles and lockfiles, they’re essentially Ruby code or custom formats—so being able to process them with tools like jq is a welcome addition.

$ bundle list --format=json | jq -r '.gems[] | select(.name == "json") | .version'
2.18.0

bundle install Without Generating a Lockfile

Add support for lockfile in Gemfile and bundle install –no-lock

The bundle install --no-lock flag now skips lockfile generation, which is convenient when you want to test dependency resolution without creating or modifying lockfile artifacts.

Specifying the Generated Lockfile Name

Support bundle install –lockfile option

You can now specify a custom lockfile name using bundle install --gemfile=foo --lockfile=bar. This defaults to the .lock extension if not specified, but is useful when working with variants like Gemfile.next or Gemfile.rails81.

Creating Go-extension Gems

Add --ext=go to bundle gem

RubyGems’ gem scaffolding and build tools previously supported C and Rust extensions. Support for Go has now been added. You can create a Go-extension gem template with bundle gem --ext=go foo.

Using did_you_mean for Bundler Typo Checks

Use DidYouMean::SpellChecker for gem suggestions in Bundler

Bundler’s typo detection and command suggestions previously used a custom implementation. This has now been updated to use did_you_mean, keeping it consistent with other Ruby tools.

Summary

This post highlighted some major new features in RubyGems/Bundler 4.0. The project consists of two main components: the “resolver” (which handles dependency resolution) and the “CLI/UI” (which manages user interaction).

Historically, RubyGems and Bundler have maintained separate codebases for their resolvers despite performing similar tasks. Looking ahead to version 4.1, we plan to gradually consolidate and unify these components.

I’m looking forward to work with you all to make RubyGems and Bundler even better in 2026!

4.0.3 Released

2025-12-23T00:00:00+00:00

RubyGems 4.0.3 includes enhancements and documentation and Bundler 4.0.3 includes enhancements.

To update to the latest RubyGems you can run:

gem update --system [--pre]

To update to the latest Bundler you can run:

gem install bundler [--pre]
bundle update --bundler=4.0.3

RubyGems Release Notes

Enhancements:

Installs bundler 4.0.3 as a default gem.

Documentation:

Fix broken documentation links. Pull request #9208 by eileencodes

Bundler Release Notes

Enhancements:

Fall back to ruby platform gem when precompiled variant is incompatible #9211

Manual Installation

To install RubyGems by hand see the Download RubyGems page.

SHA256 Checksums:

rubygems-4.0.3.tgz
f5f728a40603773eec1a5c0857693485e7a118619f6ae70dcece6c2e719129a0
rubygems-4.0.3.zip
2b8c02560ed846e7e007564a97ef2d1c5b6f77d1f957ed4d4e5635a3083a83b7
rubygems-update-4.0.3.gem
eeb62154c557a5750f28a30e7361b7d333631db6178cd4ccafe7b3361ffdbb1e

4.0.2 Released

2025-12-17T00:00:00+00:00

RubyGems 4.0.2 includes enhancements and Bundler 4.0.2 includes enhancements and bug fixes.

To update to the latest RubyGems you can run:

gem update --system [--pre]

To update to the latest Bundler you can run:

gem install bundler [--pre]
bundle update --bundler=4.0.2

RubyGems Release Notes

Enhancements:

Pass down value of BUNDLE_JOBS to RubyGems before compiling & introduce a new gem install -j flag. Pull request #9171 by Edouard-chin
Installs bundler 4.0.2 as a default gem.

Bundler Release Notes

Enhancements:

Support single quotes in mise format ruby version #9183
Tweak the Bundler’s “X gems now installed message”: #9194

Bug fixes:

Allow to show cli_help with bundler executable #9198
Allow bundle pristine to work for git gems in the same repo #9196

Manual Installation

To install RubyGems by hand see the Download RubyGems page.

SHA256 Checksums:

rubygems-4.0.2.tgz
a5fdbcbd3cbd616360fc9b82d75cdfa1aea3cf1aa357496d8aecce6574d85bf8
rubygems-4.0.2.zip
9f395a4a1c1a6a3a85b94eadc1960d7455818099317ce1111f393a17adb59ae2
rubygems-update-4.0.2.gem
f9d627eaee40c74d784274aa6ac7d74ddc468223d947f8ade136905944154883

4.0.1 Released

2025-12-09T00:00:00+00:00

RubyGems 4.0.1 includes enhancements, bug fixes and documentation and Bundler 4.0.1 includes performance, enhancements and bug fixes.

To update to the latest RubyGems you can run:

gem update --system [--pre]

To update to the latest Bundler you can run:

gem install bundler [--pre]
bundle update --bundler=4.0.1

RubyGems Release Notes

Enhancements:

Installs bundler 4.0.1 as a default gem.

Bug fixes:

Fixed unexpected default bundler installation. Pull request #9167 by hsbt

Documentation:

Update contributing docs with RGV. Pull request #9155 by eileencodes

Bundler Release Notes

Performance:

Increase connection pool to allow for up to 70% speed increase on bundle install #9087

Enhancements:

Fix the config suggestion in the warning for $ bundle #9164
Fix native extension loading in newgem template for RHEL-based systems #9156

Bug fixes:

Fix Bundler removing executables after creating them #9169

Manual Installation

To install RubyGems by hand see the Download RubyGems page.

SHA256 Checksums:

rubygems-4.0.1.tgz
efbdf2a575544198f0f9516dbffac2b0d576fbb504aea6d52d1976d0db512652
rubygems-4.0.1.zip
98b829062f6f030603ed2243b9d05c6db6718c04b6d8589d68038474ec99adf3
rubygems-update-4.0.1.gem
c2ff99782fc56f649d04edb3f88bbbb6c50d731d8dc87e2c0670dc79536e5c73

Upgrading to RubyGems/Bundler 4

2025-12-03T00:00:00+00:00

We introduced breaking changes in RubyGems/Bundler 4 in order to improve usability, security, and maintainability of the tool. This document describes the changes that you will find when upgrading to RubyGems 4 and Bundler 4, and how to prepare for them while still using Bundler 2.7.

RubyGems 4: CLI behavior changes

Removed `gem query` command

Please use gem search or gem list instead.

Completely removed `gem install --default` feature

The --default option was confusing for RubyGems users and caused broken installs.

This was an unfinished feature originally intended to install gems directly into the Ruby standard library location, but it only generated executables without properly copying library files. This partial implementation led to a complicated environment with no real benefit for users.

RubyGems 4: API behavior changes

No replacements for removed deprecated methods

The following deprecated methods have been removed with no replacement:

Gem::Specification#has_rdoc, has_rdoc= and has_rdoc?
Gem::DependencyInstaller#find_gems_with_sources
Gem::Util.silent_system
Gem::Specification#validate_metadata, validate_dependencies and validate_permissions
Gem::Specification#default_executable
Gem::Installer#unpack

Removed deprecated Gem::Platform.match

Please use Gem::Platform.match_spec? or match_gem? instead.

Removed deprecated `Gem::BasicSpecification.default_specifications_dir`

Please use Gem.default_specifications_dir instead.

Bundler 4 simulation mode

In order to prepare for Bundler 4, you can easily configure Bundler 2.7 to behave exactly like Bundler 4 will behave. To do so, you have three options:

Set the environment variable BUNDLE_SIMULATE_VERSION to 4.
Run bundle config set --global simulate_version 4.
Run bundle config set --local simulate_version 4.

From now on in this document we will assume that all three of these configuration options are available, but will only mention bundle config set <option> <value>.

The following is a summary of the changes that we introduced in Bundler 4, and why we made those changes. Some of them should be well known already by existing users, because we have been printing deprecation messages for years, but some of them are defaults that were switched in Bundler 4.

Bundler 4: CLI behavior changes

Running just `bundle` to mean `bundle install` is not recommended anymore

Update for version 4.0.1: install_or_cli_help is merged into install for backward compatibility of Bundler 2.x. We recommend using install instead of install_or_cli_help.

We changed this default to make Bundler more friendly for new users. We do understand that long time users already know how Bundler works and found it useful that just bundle defaulted to bundle install.

Currently, Bundler uses install by default for backward compatibility. This automatically uses bundle install or shows help depending on the context.

If you want to keep the current behavior in the future, you can explicitly configure:

bundle config set default_cli_command install --global

However, if you want to adopt the new behavior immediately where bundle only shows help, you can configure:

bundle config set default_cli_command cli_help --global

Please use bundle install explicitly in your scripts and documentation, so that everyone is clear about what is happening.

Flags passed to `bundle install` that relied on being remembered across invocations have been removed

In particular, the --clean, --deployment, --frozen, --no-prune, --path, --shebang, --system, --without, and --with options to bundle install.

Remembering CLI options has been a source of historical confusion and bug reports, not only for beginners but also for experienced users.

A CLI tool should not behave differently across exactly the same invocations unless explicitly configured to do so. This is what configuration is about after all, and things should never be silently configured without the user knowing about it.

The problem with this behavior was that very common workflows were relying on it. For example, when you ran bundle install --without development:test in production, those flags were persisted in the app’s configuration file and further bundle invocations would happily ignore development and test gems.

This magic has been removed from Bundler 4, and you now explicitly need to configure it, either through environment variables, application configuration, or machine configuration. For example, with bundle config set --local without development test.

`bundle viz` has been removed and extracted to a plugin.

This was the only bundler command requiring external dependencies, both an OS dependency (the graphviz package) and a gem dependency (the ruby-graphviz gem). Removing these dependencies made development easier and it was also seen by the bundler team as an opportunity to develop a bundler plugin that is officially maintained by the RubyGems team, and that users can take as a reference to develop their own plugins.

The new plugin is called bundler-graph and it is available at https://github.com/rubygems/bundler-graph now.

The plugin contains the same code as the old core command, the only difference being that the command is now implemented as bundle graph which is much easier to understand.

The `bundle install` command no longer accepts a `--binstubs` flag.

The --binstubs option has been removed from bundle install and replaced with the bundle binstubs command.

The --binstubs flag would create binstubs for all executables present inside the gems in the project. This was hardly useful since most users only use a subset of all the binstubs available to them. Also, it would force the introduction of a bunch of most likely unused files into source control. Because of this, binstubs now must be created and checked into version control individually.

If you still want to create binstubs for all gems, you can run:

bundle binstubs --all

The `bundle inject` command has been replaced with `bundle add`

We believe the new command fits the user’s mental model better and it supports a wider set of use cases.

The interface supported by bundle inject works exactly the same in bundle add, so it should be easy to migrate to the new command.

Bundler 4: Gemfile and lockfile behavior changes

Bundler includes checksums in new lockfiles by default

We shipped this security feature and turned it on by default, so that everyone benefits from the extra security assurances. So whenever you create a new lockfile, Bundler now includes a CHECKSUMS section.

Bundler will not automatically add a CHECKSUMS section to existing lockfiles, though, unless explicitly requested through bundle lock --add-checksums.

Strict source pinning in Gemfile is enforced by default

In Bundler 4, the source for every dependency is now unambiguously defined, and Bundler refuses to run otherwise.

Multiple global Gemfile sources are no longer supported.

Instead of something like this:

source "https://main_source"
source "https://another_source"

gem "dependency1"
gem "dependency2"

do something like this:

source "https://main_source"

gem "dependency1"

source "https://another_source" do
  gem "dependency2"
end

Global path and git sources are no longer supported.

Instead of something like this:

path "/my/path/with/gems"
git "https://my_git_repo_with_gems"

gem "dependency1"
gem "dependency2"

do something like this:

gem "dependency1", path: "/my/path/with/gems"
gem "dependency2", git: "https://my_git_repo_with_gems"

or use the block forms if you have multiple gems for each source and you want to be a bit DRYer:

path "/my/path/with/gems" do
  # gem "dependency1"
  # ...
  # gem "dependencyn"
end

git "https://my_git_repo_with_gems" do
  # gem "dependency1"
  # ...
  # gem "dependencyn"
end

Change Ruby and Bundler version format

In the RUBY VERSION and BUNDLED WITH sections of the lockfile, we fixed the three space indentation to be just two spaces, to be consistent with the rest of the lockfile format. and we also removed the patch version from the Ruby version, since it’s not relevant for Ruby versioning policy.

Bundler 4: Cache behavior changes

Git and Path gems are included in `vendor/cache` by default

If you have a vendor/cache directory (to support offline scenarios, for example), Bundler now includes gems from path and git sources in there.

We’re unsure why these gems were treated specially so we’ll start caching them normally.

Bundler uses cached local data if available when network issues are found during resolution

Just trying to provide a more resilient behavior here.

Bundler 4: API behavior changes

`Bundler.clean_env`, `Bundler.with_clean_env`, `Bundler.clean_system`, and `Bundler.clean_exec` have been removed

All of these helpers ultimately used Bundler.clean_env under the hood, which made sure all bundler-related environment variables were removed inside the block it yields.

After quite a lot of user reports, we noticed that users don’t usually want this but instead want the bundler environment as it was before the current process was started. Thus, Bundler.with_original_env, Bundler.original_system, and Bundler.original_exec were born. They all use the new Bundler.original_env under the hood.

There are however some specific cases where the good old Bundler.clean_env behavior can be useful. For example, when testing Rails generators, you really want an environment where bundler is out of the picture. This is why we decided to keep the old behavior under a new more clear name, because we figured the word “clean” was too ambiguous. So we introduced Bundler.unbundled_env, Bundler.with_unbundled_env, Bundler.unbundled_system, and Bundler.unbundled_exec.

`Bundler.environment` has been deprecated in favor of `Bundler.load`.

We’re not sure how people might be using this directly but we removed the Bundler::Environment class which was instantiated by Bundler.environment since we realized the Bundler::Runtime class was the same thing. Bundler.environment now delegates to Bundler.load, which holds the reference to the Bundler::Runtime.

Removed public methods of `Bundler::SpecSet`

SpecSet#- and SpecSet#<< have been removed with no replacement.

`SpecSet#for` always implicitly performs validation

SpecSet#for received a check parameter, but that’s no longer used and deprecated. Please remove this parameter.

`CurrentRuby#maglev?` was removed with no replacement.

Please use the built-in Ruby RUBY_ENGINE constant to check the Ruby implementation you are running on.

`Bundler.rubygems.all_specs` has been removed

Please use Bundler.rubygems.installed_specs instead.

Bundler 4: Other notable changes

Deployment helpers for `vlad` and `capistrano` have been removed.

These were natural deprecations since the vlad tool has had no activity for years whereas capistrano 3 has built-in Bundler integration in the form of the capistrano-bundler gem, and everyone using Capistrano 3 should already be using that instead. If for some reason, you are still using Capistrano 2, feel free to copy the Capistrano tasks out of the Bundler 2 file lib/bundler/deployment.rb and put them into your app.

In general, we don’t want to maintain integrations for every deployment system out there, so that’s why we removed these.

4.0.0 Released

2025-12-03T00:00:00+00:00

RubyGems 4.0.0 includes features, performance, enhancements, bug fixes, security, breaking changes, deprecations and documentation and Bundler 4.0.0 includes features, performance, enhancements, bug fixes, security, breaking changes and documentation.

To update to the latest RubyGems you can run:

gem update --system [--pre]

To update to the latest Bundler you can run:

gem install bundler [--pre]
bundle update --bundler=4.0.0

RubyGems Release Notes

Features:

Undeprecate Gem::Version.new(nil). Pull request #9086 by tenderlove
Add pattern matching support to Gem::NameTuple. Pull request #9064 by baweaver
Add pattern matching support to Gem::Platform. Pull request #9062 by baweaver

Performance:

Add MAKEFLAGS=-j by default before compiling. Pull request #9131 by Edouard-chin
Remove some memoization. Pull request #9017 by tenderlove
Pull Gem.win_platform? out of a hot path. Pull request #8983 by tenderlove
Stop trying to remove every file on extraction. Pull request #8974 by tenderlove
Use IO.copy_stream with IO object directly. Pull request #8970 by tenderlove
Pass a file size to IO.copy_stream. Pull request #8966 by tenderlove
Use File#chmod rather than FileUtils.chmod. Pull request #8965 by tenderlove

Enhancements:

Update all vendored libraries to latest version. Pull request #9089 by hsbt
Removed unused Gem::Deprecate. Pull request #9090 by hsbt
Add debug logging information to see the time it took to download and install a gem. Pull request #9066 by Edouard-chin
Fix constants in TAR to be frozen. Pull request #9041 by tenderlove
Remove open-ended and prerelease dependency warnings when building gems. Pull request #9050 by jeremyevans
Revamp CmakeBuilder. Pull request #8753 by cfis
Restrict what schemes are acceptable in the remote fetcher. Pull request #9022 by tenderlove
gem sources --prepend and --append allow finer grained control of sources. Pull request #8901 by martinemde
Improve gem sources --remove output. Pull request #8909 by deivid-rodriguez
Make gem sources output more clear. Pull request #8938 by deivid-rodriguez
Don’t fail if there is no makefile, simply don’t do anything. Pull request #8879 by ioquatix
Use IMDSv2 for S3 instance credentials. Pull request #7709 by folbricht-stripe
Fix regression in presence of RVM gems. Pull request #8854 by deivid-rodriguez
Restore parsing “–” as an unknown platform rather than crashing. Pull request #8846 by deivid-rodriguez
Installs bundler 4.0.0 as a default gem.

Bug fixes:

Fix test failure of mswin and nmake. Pull request #9135 by hsbt
Respect BUNDLE_VERSION config at Gem::BundlerVersionFinder. Pull request #9106 by hsbt
Fix “did you mean” suggestions for unknown commands. Pull request #8948 by deivid-rodriguez
Fix trailing slashes not considered by gem sources --remove. Pull request #8939 by deivid-rodriguez

Security:

Bump up vendored URI to 1.0.4. Pull request #9031 by hsbt

Breaking changes:

Removed deprecated -C option from gem build. Pull request #9088 by hsbt
Removed deprecated Gem::Specification#has_rdoc, has_rdoc= and has_rdoc?. Pull request #9084 by hsbt
Removed deprecated gem query command. Pull request #9083 by hsbt
Removed deprecated Gem::DependencyInstaller#find_gems_with_sources. Pull request #9082 by hsbt
Remove deprecated methods of RubyGems. Pull request #9081 by hsbt
Make verification methods private. Pull request #9051 by tenderlove
Deprecate --default option from install command. Pull request #7588 by hsbt
Removed compatibility.rb for RG 4.0. Pull request #8899 by hsbt

Deprecations:

Deprecate Gem::Specification#datadir. Pull request #8900 by hsbt

Documentation:

Unified UPGRADING.md and extract blog.rubygems.org. Pull request #9148 by hsbt
Remove italic formatting from changelog section headers. Pull request #9128 by hsbt
[DOC] Fix the location of Gem::Deprecate document. Pull request #9065 by nobu
Fix typo. Pull request #9012 by etiennebarrie
Added document for Gem::Uninstaller. Pull request #8904 by hsbt
Use mailto link in Code of Conduct. Pull request #8849 by deivid-rodriguez
Update Code of Conduct email to conduct@rubygems.org. Pull request #8848 by indirect

Bundler Release Notes

Features:

Support bundle install –lockfile option #9111
Add support for lockfile in Gemfile and bundle install –no-lock #9059
Add --ext=go to bundle gem #8183
Update Bundler::CurrentRuby::ALL_RUBY_VERSIONS #9058
Introduce bundle list --format=json #8728

Performance:

Run git operations in parallel to speed things up: #9100
Replace instance method look up in plugin installer #9094
Adjust the API_REQUEST_LIMIT to make less network roundtrip #9071

Enhancements:

Make BUNDLE_LOCKFILE environment variable have precedence over lockfile method in Gemfile #9146
Improve banner message for the default command #9145
Introduce install_or_cli_help and use it default bundle command #9136
Add go_gem/rake_task for Go native extension gem skeleton #9105
Warn users that bundle now display the help: #9092
Use DidYouMean::SpellChecker for gem suggestions in Bundler #3857
Update all vendored libraries to latest version #9089
We don’t need to allow some warning now #9074
Support to embedded Pathname #9056
Enforce activation of irb when running with bundle console #9033
Update Magnus version in Rust extension gem template #9025
Add checksum of gems hosted on private servers: #9004
Loading support on Windows #8254
Improve error message when the same source is specified through gemspec and path #8460
Raise an error in frozen mode if some registry gems have empty checksums #8888
Bump vendored thor to 1.4.0 #8883
Delay default path and global cache changes to Bundler 5 #8867
Fix spacing in bundle gem newgem.gemspec.tt #8865
Add some missing deprecation messages #8844

Bug fixes:

Fixed checksums generation issue when no source is specified #9133
Check for file existence before deletion from cache #9095
Use method_defined?(:method, false) #9098
Handle BUNDLER_VERSION being set to an empty string #6928
Fix bundle install when the Gemfile contains “install_if” git gems: #8992
Fix installation issue related to path sources and precompiled gems #8973
Fix outdated lockfile during bundle lock when source changes #8962
Raise error on missing version file #8963
Fix bundle cache --frozen and bundle cache --no-prune not printing a deprecation message #8926
Fix local installation incorrectly forced if there’s a vendor/cache directory and frozen mode is set #8925
Fix bundle lock --update <gem> with --lockfile flag updating all gems #8922
Fix bundle show --verbose and recommend it as an alternative to bundle show --outdated #8915
Fix bundle cache --no-all not printing a deprecation warning #8912
Fix bundle update foo unable to update foo in an edge case #8897
Fix Bundler printing more flags than actually passed in verbose mode #8914
Fix bundler failing to install sorbet-static in truffleruby when there’s no lockfile #8872
Cancel deprecation of --force flag to bundle install and bundle update #8843

Security:

Bump up vendored URI to 1.0.4 #9031

Breaking changes:

Fix triple spacing when generating lockfile #9076
Hide patchlevel from lockfile #7772
Remove bundler_4_mode #9038
Pick and add extra changes for 4.0.0 version #9018
Replaced Bundler::SharedHelpers.major_deprecation to feature_removed! or feature_deprecated! #9016
Removed legacy_check option from SpecSet#for #9015
Make update_requires_all_flag to settings #9011
Make default cli command settings #9010
Make global_gem_cache flag to settings #9009
Consolidate removal of Bundler.rubygems.all_specs #9008
Consolidate removal of Bundler::SpecSet#- and Bundler::SpecSet#<< #9007
Replaced Bundler.feature_flag.plugins? to Bundler.settings #9006
Make bundle show --outdated raise an error #8980
Make --local-git flag to bundle plugin install raise an error #8979
Switch cache_all to be true by default #8975
Completely forbid passing --ext to bundle gem without a value #8976
Switch lockfile_checksums to be true by default #8981
Make bundle install --binstubs raise an error #8978
Make bundle remove --install raise an error #8977
Remove support for multiple global sources in Gemfile & lockfile #8968
Remove allow_offline_install setting #8969
Completely remove --rubocop flag to bundle gem, and related configuration #8967
Completely remove all remembered CLI flags #8958
Remove implementation of deployment, capistrano and vlad entrypoints #8957
Remove deprecated Bundler.*clean*, and Bundler.environment helpers #8924
Remove deprecated bundle viz and bundle inject commands #8923
Removed to workaround for Bundler 2.2 #8903

Documentation:

Unified UPGRADING.md and extract blog.rubygems.org #9148
Remove italic formatting from changelog section headers #9128
Small clarifications to Bundler 4 upgrade docs #8964
Improve documentation of bundle doctor, bundle plugin, and bundle config #8919
Make sure all CLI flags and subcommands are documented #8861
Clarify documentation about new default gem installation directory in Bundler 4 #8857
Use mailto link in Code of Conduct #8849
Update Code of Conduct email to conduct@rubygems.org #8848
Add missing link to irb repo in DEBUGGING.md #8842

Manual Installation

To install RubyGems by hand see the Download RubyGems page.

SHA256 Checksums:

rubygems-4.0.0.tgz
31ee4f84cf6d06db294f998d6028835e286847c8b3fed7b9037f9b8562abdb84
rubygems-4.0.0.zip
1fd3800c4aa945a246965ca3de89e8e21dd191ece2154526694f99f49819f1cc
rubygems-update-4.0.0.gem
acb143e17e81d2851ecdc0d06f9362b05d4dcf288b53775b4588fe1401f8c3a6

4.0.0.beta2 Released

2025-11-26T00:00:00+00:00

RubyGems 4.0.0.beta2 includes deprecations, enhancements and bug fixes and Bundler 4.0.0.beta2 includes features, performance, enhancements and bug fixes.

To update to the latest RubyGems you can run:

gem update --system [--pre]

To update to the latest Bundler you can run:

gem install bundler [--pre]
bundle update --bundler=4.0.0.beta2

RubyGems Release Notes

Deprecations:

Deprecate comparing Gem::Version objects with strings. Pull request #9085 by tenderlove

Enhancements:

Undeprecate Gem::Version#<=> against strings. Pull request #9110 by byroot
Installs bundler 4.0.0.beta2 as a default gem.

Bug fixes:

Respect BUNDLE_VERSION config at Gem::BundlerVersionFinder. Pull request #9106 by hsbt

Bundler Release Notes

Features:

Support bundle install –lockfile option #9111
Add support for lockfile in Gemfile and bundle install –no-lock #9059

Performance:

Run git operations in parallel to speed things up: #9100

Enhancements:

Fixup GH-9085 #9108
Add go_gem/rake_task for Go native extention gem skeleton #9105
Keep legacy windows platform, not removed them #9104

Bug fixes:

Check for file existence before deletion from cache #9095

Manual Installation

To install RubyGems by hand see the Download RubyGems page.

SHA256 Checksums:

rubygems-4.0.0.beta2.tgz
56363005d89de2e7d0ffb309ea966eff32e4aba80364366b0aac47cca6536748
rubygems-4.0.0.beta2.zip
66cda8eaf12a0c20e0b44461c9d6bd33b647c03c333c0c59cd49b8ba7dce5dcf
rubygems-update-4.0.0.beta2.gem
6aa2c4352e176b97982ffe8d85cd285730c04f980b35d093af3975ca8a89c6a7

RubyGems Blog

4.0.11 Released

RubyGems Release Notes

Enhancements:

Bundler Release Notes

Enhancements:

Bug fixes:

Documentation:

Manual Installation

Scaling Ruby's defenses with AI

rubygems.org has a public roadmap

Protecting rubygems.org from the outside in: DoS prevention and compromised passwords

What rubygems.org checks when you gem push

Exploiting the validation process

Validating gems without Gem::Specification

Compromised passwords and the supply chain

Checking passwords without exposing them

Shipping the work

4.0.10 Released

RubyGems Release Notes

Enhancements:

Bug fixes:

Bundler Release Notes

Enhancements:

Bug fixes:

Manual Installation

Temporarily disabling language support on rubygems.org

4.0.9 Released

RubyGems Release Notes

Enhancements:

Bug fixes:

Documentation:

Bundler Release Notes

Enhancements:

Bug fixes:

Manual Installation

4.0.8 Released

RubyGems Release Notes

Enhancements:

Documentation:

Bundler Release Notes

Enhancements:

Bug fixes:

Manual Installation

4.0.7 Released

RubyGems Release Notes

Enhancements:

Documentation:

Bundler Release Notes

Enhancements:

Bug fixes:

Documentation:

Manual Installation

Organizations Private Beta

A long time coming

Join the Private Beta

What’s Next

4.0.6 Released

RubyGems Release Notes

Enhancements:

Bundler Release Notes

Bug fixes:

Documentation:

Manual Installation

4.0.5 Released

RubyGems Release Notes

Enhancements:

Bug fixes:

Documentation:

Bundler Release Notes

Enhancements:

Bug fixes:

Manual Installation

4.0.4 Released

RubyGems Release Notes

Enhancements:

Bug fixes:

Bundler Release Notes

Enhancements:

Bug fixes:

Validating gems without `Gem::Specification`

Removed `gem query` command

Completely removed `gem install --default` feature

Removed deprecated `Gem::BasicSpecification.default_specifications_dir`

Running just `bundle` to mean `bundle install` is not recommended anymore

Flags passed to `bundle install` that relied on being remembered across invocations have been removed

`bundle viz` has been removed and extracted to a plugin.

The `bundle install` command no longer accepts a `--binstubs` flag.

The `bundle inject` command has been replaced with `bundle add`

Git and Path gems are included in `vendor/cache` by default

`Bundler.clean_env`, `Bundler.with_clean_env`, `Bundler.clean_system`, and `Bundler.clean_exec` have been removed

`Bundler.environment` has been deprecated in favor of `Bundler.load`.

Removed public methods of `Bundler::SpecSet`

`SpecSet#for` always implicitly performs validation

`CurrentRuby#maglev?` was removed with no replacement.

`Bundler.rubygems.all_specs` has been removed

Deployment helpers for `vlad` and `capistrano` have been removed.