
What's New in each Release

What's New in v1.7

Bundler 1.7 is a security release, addressing a vulnerability where a gem might be installed from an unintended source server. The changes are limited to fixes for this vulnerability. Full 1.7 changelog

Overview

Bundler has always supported fetching gems from multiple gem servers, but it isn't always clear what gems come from what source. Complicating this, Bundler has not been consistent about source priority ordering from one version to another.

Because of this, a Gemfile with multiple top-level source lines cannot reliably control the gem server that a particular gem is fetched from. This might result in installation of gem code from an unexpected source.

Applications that only have a single source in their Gemfile are not affected.

Source Selection

You can explicitly select an alternate RubyGems repository for one or more gems in your Gemfile using the :source option or a source block. Using multiple top-level gem sources is now deprecated.
Learn More: Gemfiles

Ambiguous Source Detection

If a Gemfile does have multiple top-level gem sources, bundle install now warns when a gem is found in more than one source. This is designed to prevent a situation where a gem that is expected to be found on one gem server is "hijacked" by another server. For backwards compatibility, the gem is still installed, but Bundler prints a warning detailing the gem server URL that was used, and listing others where a gem with the same name was found. Using explicit source selection suppresses this warning.

Global Source Ordering

The order that top-level sources are searched is documented as last added to first added, but prior to version 1.7.0, there was not an automated test for this ordering, and it was inadvertently reversed in versions 1.5.0 through 1.6.5. The documented ordering is restored in this version, and is now included in the test suite to prevent regression.

Upgrading

Bundler adheres strictly to semantic versioning, and version 1.7.0 is fully backwards compatible with any Gemfile that worked with earlier versions. If you have an application that uses multiple gem servers in its Gemfile, you may see warnings about ambiguous gem sources after upgrading. Whether or not you see these warnings, the Bundler team highly recommends that users of multiple gem servers update their Gemfile to use the new syntax.
Use of the new source syntax will cause your Gemfile to become incompatible with Bundler versions earlier than 1.7.0. You should only perform this change after updating Bundler in all of your environments.
  1. Choose your primary gem source (usually https://rubygems.org) and keep that at the top of the Gemfile
  2. For each additional gem source, add a block to the source line and move the relevant gem declarations inside it.

    For example, this Gemfile:

    source 'https://rubygems.org'
    source 'https://gems.example.com'
    
    gem 'rails', '4.1.4'
    gem 'sqlite3'
    gem 'my_gem', '1.0'
    gem 'another_gem', '1.2.1'

    might change to this:

    source 'https://rubygems.org'
    
    gem 'rails', '4.1.4'
    gem 'sqlite3'
    
    source 'https://gems.example.com' do
      gem 'my_gem', '1.0'
      gem 'another_gem', '1.2.1'
    end
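To make the "ambiguous source" condition concrete, here is an added example (not Bundler's own code) of a small Ruby audit that evaluates a Gemfile and lists every gem that is neither inside a source block nor pinned with the :source option while more than one top-level source is declared. It handles only the source and gem DSL calls; the class name and the sample Gemfile are assumptions made for this example.

```ruby
# Added example, not Bundler's own code: a minimal evaluator for the Gemfile
# DSL (only `source` and `gem` are handled) that lists gems with an ambiguous
# source, i.e. gems declared at top level in a Gemfile that has more than one
# top-level source. The class name and sample Gemfile are constructed here.
class GemfileSourceAudit
  def initialize
    @top_level_sources = [] # URLs from bare `source '...'` lines
    @gems = []              # [name, explicit_source_or_nil]
    @block_source = nil     # URL of the enclosing `source ... do` block
  end

  # A bare `source 'url'` adds a global source; with a block it scopes every
  # gem declared inside to that single server.
  def source(url, &block)
    return @top_level_sources << url unless block
    outer, @block_source = @block_source, url
    instance_eval(&block)
    @block_source = outer
  end

  # `gem 'name', '1.0', source: 'url'`: the :source option also pins a gem.
  def gem(name, *args)
    opts = args.last.is_a?(Hash) ? args.last : {}
    @gems << [name, opts[:source] || @block_source]
  end

  # Without an explicit source, a gem is ambiguous only when two or more
  # top-level sources compete for it; a single-source Gemfile is never flagged.
  def ambiguous_gems
    return [] if @top_level_sources.size < 2
    @gems.reject { |_, src| src }.map(&:first)
  end

  def self.audit(gemfile_text)
    new.tap { |a| a.instance_eval(gemfile_text, 'Gemfile') }
  end
end

# The pre-1.7 Gemfile from the Upgrading section, embedded as sample input,
# with one gem already pinned via :source to show that pinning clears it.
SAMPLE_GEMFILE = <<~GEMFILE
  source 'https://rubygems.org'
  source 'https://gems.example.com'
  gem 'rails', '4.1.4'
  gem 'my_gem', '1.0', source: 'https://gems.example.com'
GEMFILE

def sample_ambiguous_gems
  GemfileSourceAudit.audit(SAMPLE_GEMFILE).ambiguous_gems # => ["rails"]
end
```

Running the same audit over the rewritten Gemfile from step 2 (one top-level source plus a source block) returns an empty list.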

Workarounds

If you are unable to upgrade all of your environments to 1.7 immediately, there are other ways to mitigate this risk by changing your Gemfile to remove the additional sources:
  • First, re-evaluate whether the extra gem sources are even needed. If your application is using a legacy public gem server such as gems.github.com or gems.rubyforge.org, all of your required gems should now be synced to rubygems.org. Try removing these sources.
  • If you do use gems that aren't available on rubygems.org, but are available from a git source, you can use the :git option in the gem declaration and it will be guaranteed to come from that git repository rather than a gem server.
  • If neither of these situations apply, you can unpack the gem into your vendor directory and use the :path option when declaring the gem in your Gemfile to point it to the unpacked gem directory. In this case, you should commit the vendored gem to your source control system.