Don't update default or bundled gems unless we really have to #93
Merged
Conversation
When we are providing a newer version of a default gem than the one that Ruby ships with, in order to avoid warnings about multiple gem versions being available, we have to remove the gemspec for the older version. Generally, we don't need to ship our own version of a default gem unless it has a CVE and Ruby has not yet fixed it.
Unless we have a good reason to, we don't want to include default gems in ones that we ship. It's hacky to replace the version shipped with the Ruby version, and we should only do it to address a CVE that has not yet been addressed by a new Ruby version.
Component updates:
- rubygem-aws-partitions: version 1.1190.0 -> 1.1194.0
- rubygem-aws-sdk-ec2: version 1.583.0 -> 1.584.0
- rubygem-concurrent-ruby: version 1.3.5 -> 1.3.6
- rubygem-date: version 3.5.0 -> 3.5.1
- rubygem-io-console: version 0.8.1 -> 0.8.2
- rubygem-json: version 2.17.1 -> 2.18.0
- rubygem-puppet_forge: version 6.0.0 -> 6.1.0
We shouldn't include these unless we have a very good reason to, like addressing a CVE before Ruby has shipped a new version.
This is a default gem, and Ruby 3.2.9 ships 0.12.4. Version 0.12.5 addresses a CVE, so we ship this version until Ruby 3.2.10 is released which should include it.
force-pushed from bf4f774 to 03fb02f
bastelfreak reviewed Dec 14, 2025
bastelfreak approved these changes Dec 14, 2025
There's not really a good reason to update the bundled gems either, unless they have a CVE. This adds them to the list, and the only bundled gem we keep around is rexml, since it currently and often has CVEs.
force-pushed from f51bc5d to 3bd1ef9
bastelfreak approved these changes Dec 15, 2025
force-pushed from 3c6746d to 3ec7fa6
The version bundled is too old for modern faraday-net_http
force-pushed from 3ec7fa6 to 3511d90
puppet_forge requires >= 0.2 and Ruby 3.2.9 has 0.1.
Component updates:
- rubygem-aws-sdk-ec2: version 1.583.0 -> 1.585.0
- rubygem-openfact: version 5.2.0 -> 5.2.1
- rubygem-openvox: version 8.24.1 -> 8.24.2
force-pushed from c97293b to a8a20a3
bastelfreak approved these changes Dec 15, 2025
Because we now defensively always try to uninstall old versions, we don't want to confuse people by showing the 'Gem not installed' message if there are no older versions.
bastelfreak approved these changes Dec 15, 2025
Unless we have a good reason to, we don't want to include default gems in ones that we ship. It's hacky to replace the version shipped with the Ruby version, could potentially result in breakage, and we should only do it to address a CVE that has not yet been addressed by a new Ruby version. Most of the time, it doesn't matter too much if a newer version coexists with the default version, but you end up with warnings in run logs where a gem has a loose dependency that could include either version.
We also don't really need to update bundled gems unless we have to for the same reasons.
This updates the `update_gems` automation to ignore any dependencies that are default or bundled gems, since we don't want to include them here. This also removes all of the default gems that we were including before. The one exception is the `uri` gem, where the version shipped in Ruby 3.2.9 has a CVE. To provide this without the warnings showing up, we remove the default `uri` gem's gemspec file. For bundled gems, this removes `prime`, but keeps `rexml`, since this one currently has CVEs and often needs updating for this reason.
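The decisions described in this thread (skip gems Ruby already ships unless they carry a CVE, only override when the vendored version is strictly newer, vendor anyway when a dependent gem's requirement cannot be met by the shipped version, locate the shipped gemspec that has to be removed, and compute which older versions the defensive uninstall step drops), as an added Ruby example written for this page. It is not code from the PR or from the project's `update_gems` automation. It uses only the public rubygems API; the gem name lists marked `SAMPLE_` are constructed, the `>= 0.2` requirement and the 0.12.4/0.12.5 and 0.1 versions are the numbers quoted above, and the `uri`/`rexml` exception list mirrors what the description says is kept.

```ruby
# Added example, not code from this PR or repository. Models the packaging
# policy from the PR description with the rubygems API only.
require 'rubygems'

# Constructed sample of the gems a given Ruby ships as default and bundled
# gems; a real run would derive these from the target Ruby (see
# default_gem_names below for the default set of the running interpreter).
SAMPLE_DEFAULT_GEMS = %w[date io-console json uri].freeze
SAMPLE_BUNDLED_GEMS = %w[prime rexml].freeze
# Gems we deliberately keep overriding because the shipped version has a CVE.
CVE_EXCEPTIONS = %w[uri rexml].freeze

# Names of the default gems of the running Ruby: rubygems loads their
# gemspecs from Gem.default_specifications_dir, which is what default_gem?
# checks.
def default_gem_names
  Gem::Specification.each.select(&:default_gem?).map(&:name).uniq.sort
end

# Which dependencies the automation should vendor: everything except gems
# Ruby already ships, unless the gem is on the CVE exception list.
def gems_to_vendor(deps, default: SAMPLE_DEFAULT_GEMS, bundled: SAMPLE_BUNDLED_GEMS,
                   exceptions: CVE_EXCEPTIONS)
  shipped = default | bundled
  deps.reject { |name| shipped.include?(name) && !exceptions.include?(name) }
end

# Only override a shipped gem when ours is strictly newer; shipping the same
# or an older version only produces duplicate-version warnings.
def needs_override?(vendored_version, shipped_version)
  Gem::Version.new(vendored_version) > Gem::Version.new(shipped_version)
end

# The faraday-net_http case: can the shipped version satisfy the requirement
# a dependent gem declares? If not, vendoring a newer one is justified.
def shipped_version_satisfies?(requirement, shipped_version)
  Gem::Requirement.new(requirement).satisfied_by?(Gem::Version.new(shipped_version))
end

# Versions the defensive "uninstall old versions" step would remove: every
# installed version older than the one being kept. Empty result means the
# step has nothing to do, which is the case the last commit silences.
def old_versions(installed_versions, keep_version)
  keep = Gem::Version.new(keep_version)
  installed_versions.select { |v| Gem::Version.new(v) < keep }
end

# Gemspec files of the Ruby-shipped (default) copies of a gem: the files that
# have to be removed so only the vendored version is visible to rubygems.
def shipped_gemspec_paths(name)
  Gem::Specification.find_all_by_name(name).select(&:default_gem?).map(&:loaded_from)
end

if $PROGRAM_NAME == __FILE__
  deps = %w[aws-sdk-ec2 date json uri puppet_forge prime rexml] # constructed input
  puts "vendor: #{gems_to_vendor(deps).join(' ')}"
  puts "override uri 0.12.4 -> 0.12.5? #{needs_override?('0.12.5', '0.12.4')}"
  puts "shipped 0.1 satisfies '>= 0.2'? #{shipped_version_satisfies?('>= 0.2', '0.1')}"
  puts "remove old: #{old_versions(%w[0.12.3 0.12.4 0.12.5], '0.12.5').join(' ')}"
  puts "default gems in this Ruby: #{default_gem_names.size}"
  puts "uri default gemspec(s): #{shipped_gemspec_paths('uri').inspect}"
end
```

`default_gem_names` and `shipped_gemspec_paths` inspect the interpreter the script runs under, so run it with the same Ruby the package targets; the other functions are pure and only depend on the lists passed in.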