Blog
20 Nov 2024
October 2024 RubyGems Updates
Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in October.
RubyGems News
In October, we released RubyGems 3.5.21 and 3.5.22 along with Bundler 2.5.21 and 2.5.22. These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems. Notable improvements include updates to the vendored `uri` and `net-http` libraries, fixes to prevent `gem pristine` (and similar commands) from resetting twice, and the removal of code that degraded the accuracy of `suggest_gems_from_name`.
Some other important accomplishments from the team this month include:
Improved Support for Shared GEM_HOMEs
- Sharing a single `GEM_HOME` across environments is common, but it often leads to hard-to-diagnose errors caused by native extension incompatibilities between those environments (an extension built for one environment being loaded in another). These issues are frequently reported by users. Our goal with this update was to reduce those reports, improve the user experience, and free maintainers to focus on other priorities.
- Initially, we aimed to detect these errors and report them more clearly, but their varied nature made precise messaging difficult. Further analysis showed that RubyGems and Bundler already handle such cases by ignoring improperly built extension gems, except when the conflict involved default gems. Recognizing this, we implemented a straightforward bug fix to resolve those edge cases.
Enhanced Bundler Integration with RubyGems, Resolving a `bundle exec` Edge Case
- A reported issue involved the `bundler` executable (the one with a final “r”) failing to run under `bundle exec`, prompting a suggested fix. However, the affected code resided within the monkeypatches that Bundler applies to RubyGems during `bundler/setup`, which has long been a suboptimal approach. This presented an opportunity to improve Bundler’s integration with RubyGems, with potential long-term maintenance benefits.
- We resolved the issue by eliminating these monkeypatches entirely. This was achieved by correcting Bundler’s usage of the RubyGems API for setting the active gem specifications, `Gem::Specification.all=`, which had previously overlooked default gems (including Bundler itself). Once that was corrected, the other monkeypatches were rendered unnecessary.
- Beyond fixing this edge case, our goal is to gradually integrate Bundler with RubyGems using proper APIs, reducing technical debt and potentially paving the way for a unified library in the future.
Improved WebAuthn CLI Experience
- Recent WebAuthn support for the CLI encountered issues when `gem push` or other commands required two authenticated requests, such as when an API key had invalid scopes or when signing in before using the gem CLI. In those cases the API key had to be obtained or fixed before the intended operation could complete.
- The issue arose from reusing the same OTP obtained through WebAuthn for both requests, which is not permitted: each OTP is single-use. The solution was to perform two separate WebAuthn requests so that each authenticated request uses a distinct OTP code.
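The failure mode above, as an added example in plain Ruby that is not the `gem` CLI or RubyGems.org code: a simulated server that treats every WebAuthn-derived OTP as single-use, a client written the old way (one OTP reused for both requests), and a client written the fixed way (a fresh OTP per authenticated request). The class and method names, the two request names and the OTP format are this example's own assumptions; the real flow involves a browser-side WebAuthn ceremony that is stubbed here by `webauthn_otp`.

```ruby
# frozen_string_literal: true
# Added example, not RubyGems code: single-use OTPs and a two-request CLI flow.
require "securerandom"

# Stand-in for the rubygems.org side (assumption: one OTP per WebAuthn ceremony,
# consumed on first use).
class FakeGemServer
  def initialize
    @issued = {} # otp => user who completed the WebAuthn ceremony
    @used = {}   # otp => true once it has authenticated a request
  end

  # Simulates the WebAuthn ceremony finishing and the server handing the CLI an OTP.
  def webauthn_otp(user)
    otp = SecureRandom.hex(8)
    @issued[otp] = user
    otp
  end

  # An authenticated endpoint. Returns [status, message]; the OTP is burned on success.
  def authenticated_request(otp, action)
    user = @issued[otp]
    return [401, "unknown OTP"] unless user
    return [401, "OTP already used"] if @used[otp]

    @used[otp] = true
    [200, "#{user}: #{action} ok"]
  end
end

# The two requests the text describes: repair the API key, then do the real work.
ACTIONS = ["update API key scopes", "gem push"].freeze

# Before the fix: one ceremony, same OTP sent twice. The second request fails.
def buggy_client(server, user)
  otp = server.webauthn_otp(user)
  ACTIONS.map { |action| server.authenticated_request(otp, action) }
end

# After the fix: a separate ceremony, and therefore a distinct OTP, per request.
def fixed_client(server, user)
  ACTIONS.map { |action| server.authenticated_request(server.webauthn_otp(user), action) }
end

if __FILE__ == $PROGRAM_NAME
  p buggy_client(FakeGemServer.new, "alice") # second element is [401, "OTP already used"]
  p fixed_client(FakeGemServer.new, "alice") # both elements are 200
end
```

The server keeps a used-OTP set so that replaying a code is rejected even though it was validly issued; the client-side fix is simply to stop treating the OTP as a session credential.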
In October, RubyGems gained 166 new commits contributed by 15 authors. There were 1,302 additions and 14,205 deletions across 529 files.
RubyGems.org News
The updates made this month to RubyGems.org reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. Sponsored hosting for RubyGems.org in October was provided by AWS, Fastly, and DataDog.
The following are highlights of what the team worked on this month:
Released Maintainer Role Feature
- Until now, every gem owner on RubyGems.org had the same permissions, regardless of their role or trust level within their organization. This was a significant weakness: a user with a lower level of trust could potentially cause considerable harm to a widely used gem.
- To address this, we’ve introduced a new role field for gem ownerships. This enhancement allows gem owners to assign and configure roles for their gems, better reflecting real-world organizational structures and reducing potential security risks.
Converted RubyGems.org to Use Propshaft
- With Rails 8 adopting Propshaft as the default, we aimed to make the switch. After transitioning to importmaps earlier this year, we were largely ready to move from Sprockets. However, our first attempt led to styles not loading on staging, prompting us to delay.
- While working on a new design, we realized that our site’s assets were being cached for longer than we had expected, which suggested the earlier staging failure was a caching effect and that Propshaft itself might work fine. After thorough staging checks and timing the refresh intervals, we deployed to production. Unfortunately, the disruption lasted longer than it had on staging: requests for new assets returned 404 errors, causing some initial panic before the errors resolved on their own as the cached assets expired.
- Lesson learned: a smoother deploy would have kept serving the old assets alongside the new ones, allowing caches to warm gradually. We underestimated the impact and duration of the disruption; apologies for the temporary issues. All is working fine now!
Added bcrypt Password Validation
- This update introduces bcrypt password validation to enhance security for password handling on RubyGems.org. It validates the password’s size in bytes (not characters) and rejects passwords longer than 72 bytes, because bcrypt silently truncates its input at 72 bytes: anything beyond that limit is ignored, so two passwords that share their first 72 bytes verify against the same hash.
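Why the check has to count bytes rather than characters, as an added example in Ruby that is not RubyGems.org’s own validation code: a byte-size check beside the naive character-count check, and, when the `bcrypt` gem is available, a demonstration that two passwords identical in their first 72 bytes verify against the same hash. The helper names, the constant and the sample passwords are this example’s own.

```ruby
# frozen_string_literal: true
# Added example, not RubyGems.org code: bcrypt's 72-byte limit and a byte-size check.
BCRYPT_MAX_BYTES = 72

# The check described above: reject anything bcrypt would silently truncate.
# Returns :too_long if the UTF-8 encoded password exceeds 72 bytes, else nil.
def password_size_error(password)
  password.bytesize > BCRYPT_MAX_BYTES ? :too_long : nil
end

# A naive character-count check (what a default `length: { maximum: 72 }`
# validator measures) lets multibyte passwords through that bcrypt will truncate.
def char_count_ok?(password)
  password.length <= BCRYPT_MAX_BYTES
end

# Constructed samples. 40 x "é" is 40 characters but 80 bytes in UTF-8.
MULTIBYTE_PASSWORD = "é" * 40
# Two passwords that agree on their first 72 bytes and differ only afterwards.
LONG_A = ("a" * 72) + "-suffix-one"
LONG_B = ("a" * 72) + "-suffix-two"

# Shows the truncation itself: LONG_B verifies against the hash of LONG_A.
# Returns nil when the bcrypt gem is not installed so the rest still runs offline.
def bcrypt_collides?(pw_a, pw_b)
  require "bcrypt"
  hash = BCrypt::Password.create(pw_a, cost: BCrypt::Engine::MIN_COST)
  BCrypt::Password.new(hash) == pw_b
rescue LoadError
  nil
end

if __FILE__ == $PROGRAM_NAME
  puts "character check on 40 x é: #{char_count_ok?(MULTIBYTE_PASSWORD)}"           # true, wrongly
  puts "byte check on 40 x é: #{password_size_error(MULTIBYTE_PASSWORD).inspect}"   # :too_long
  puts "LONG_B verifies against hash(LONG_A): #{bcrypt_collides?(LONG_A, LONG_B).inspect}"
end
```

The byte-size check is what matters at sign-up and password change: it is the only place the truncation can be made visible to the user, since once the hash is stored the discarded bytes are gone.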
In October, RubyGems.org gained 106 new commits contributed by 9 authors. There were 5,008 additions and 2,076 deletions across 288 files.
Thank you
Thank you to all the contributors of RubyGems and RubyGems.org for this month! Your contributions are greatly appreciated, and we are grateful for your support.
Contributors to RubyGems:
- @segiddins Samuel Giddins
- @simi Josef Šimánek
- @deivid-rodriguez David Rodríguez
- @hsbt Hiroshi Shibata
- @jbampton John Bampton
- @nobu Nobuyoshi Nakada
- @tompng Tomoya Ishida
- @leoarnold Leo Arnold
- @jeromedalbert Jerome Dalbert
- @duckinator Ellen Marie Dash
- @sue445 Go Sueyoshi
- @karreiro Guilherme Carreiro
Contributors to RubyGems.org:
- @martinemde Martin Emde
- @simi Josef Šimánek
- @segiddins Samuel Giddins
- @hsbt Hiroshi Shibata
- @colby-swandale Colby Swandale
- @manuelmeurer Manuel Meurer
- @kuanchiliao1 Tony Liao
- @indirect André Arko
If we missed you, please let us know so we can include you in our shout out!
Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage.