@renovate renovate bot commented Jan 31, 2025

This PR contains the following updates:

Package: bundler (source, changelog)
Change: "~> 1.5" -> "~> 2.2", ">= 2.2.33"

GitHub Vulnerability Alerts

CVE-2021-43809

In bundler versions before 2.2.33, when working with untrusted and apparently harmless Gemfiles, it is not expected that they lead to execution of external code, unless that is explicit in the Ruby code inside the Gemfile itself. However, if the Gemfile includes gem entries that use the git option with invalid, but seemingly harmless, values with a leading dash, this can be false.

To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as git clone. These commands are constructed using user input (e.g. the repository URL). When building the commands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, a user-supplied value may start with a dash (-) and is then treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables.

Since this value comes from the Gemfile file, it can contain any character, including a leading dash.

Exploitation

To exploit this vulnerability, an attacker has to craft a directory containing a Gemfile file that declares a dependency that is located in a Git repository. This dependency has to have a Git URL in the form of -u./payload. This URL will be used to construct a Git clone command but will be interpreted as the upload-pack argument. Then this directory needs to be shared with the victim, who then needs to run a command that evaluates the Gemfile, such as bundle lock, inside it.

Impact

This vulnerability can lead to Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, as explained above, the exploitability is very low, because it requires a lot of user interaction. It still could put developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by manually reviewing the Gemfile (although they would need the weird URL with a leading dash to not raise any flags).

This kind of attack vector has been used in the past to target security researchers by sending them projects to collaborate on.

Patches

Bundler 2.2.33 has patched this problem by inserting -- as an argument before any positional arguments to those Git commands that were affected by this issue.

Workarounds

Regardless of whether users can upgrade or not, they should review any untrusted Gemfiles before running any bundler commands that may read them, since they can contain arbitrary Ruby code.
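The following is an added example, not Bundler's own code: it reproduces the argv shape that let a leading-dash git URI be read as an option, shows the "--" separator the 2.2.33 fix inserts, and adds a small pre-evaluation Gemfile scan a reviewer can run before any bundler command touches an untrusted file. The helper names, the sample Gemfile and the "-u./payload" value (taken from the advisory text above) are constructed for illustration.

```ruby
# Hypothetical helper mirroring the pre-2.2.33 pattern: arguments are passed as
# an array (no shell), but the user-controlled URI sits where git may still
# parse a leading "-" as an option rather than a repository location.
def clone_argv_unsafe(uri, dest)
  ["git", "clone", "--no-checkout", "--quiet", uri, dest]
end

# Hardened form, as described in the Patches section: "--" tells git that
# everything after it is positional, so "-u./payload" can no longer be read as
# the --upload-pack option.
def clone_argv_safe(uri, dest)
  ["git", "clone", "--no-checkout", "--quiet", "--", uri, dest]
end

# Would git see the URI as an option? True when the URI begins with "-" and no
# "--" separator precedes it in the argument list.
def uri_parsed_as_option?(argv, uri)
  idx = argv.index(uri)
  return false if idx.nil? || !uri.start_with?("-")
  !argv[0...idx].include?("--")
end

# Defender-side check for the Workarounds section: scan the raw Gemfile text
# for git: / :git => values with a leading dash. This is a plain regex over
# the file contents; it never evaluates the Gemfile's Ruby code.
SUSPICIOUS_GIT_RE = /(?::git\s*=>|\bgit:)\s*(['"])(-[^'"]*)\1/

def suspicious_git_sources(gemfile_text)
  gemfile_text.each_line.with_index(1).filter_map do |line, n|
    m = line.match(SUSPICIOUS_GIT_RE)
    m ? { line: n, value: m[2] } : nil
  end
end

# Constructed sample Gemfile: one ordinary git source and one with a
# leading-dash value of the kind the advisory describes.
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rake"
  gem "foo", git: "https://example.com/foo.git"
  gem "bar", git: "-u./payload"
GEMFILE

if __FILE__ == $PROGRAM_NAME
  uri = "-u./payload"
  puts "unsafe argv lets git read URI as option: #{uri_parsed_as_option?(clone_argv_unsafe(uri, 'dest'), uri)}"
  puts "safe argv lets git read URI as option:   #{uri_parsed_as_option?(clone_argv_safe(uri, 'dest'), uri)}"
  suspicious_git_sources(SAMPLE_GEMFILE).each do |hit|
    puts "Gemfile line #{hit[:line]}: git source starts with a dash (#{hit[:value]})"
  end
end
```

The scan only catches the literal pattern from this advisory; a Gemfile can still run arbitrary Ruby, so it complements manual review rather than replacing it.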

References

https://cwe.mitre.org/data/definitions/88.html

CVE-2016-7954

Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.


Release Notes

rubygems/rubygems (bundler)

v2.2.33

Compare Source

Security fixes:

  • Pass "--" to git commands to separate positional and optional args #​5142

Enhancements:

  • Accept pull request URLs as github source #​5126
  • Add --version parameter to bundle info command #​5137
  • Let original Errno::EACCES error be raised in compact index updater #​5110
  • Improve gemfile-lockfile source equivalence errors #​5120
  • Avoid float-to-string loss of characters in GitHub Actions configuration labels in new gem template #​5089
  • Add an initial rbs template to bundle gem skeleton #​5041
  • Avoid shared libraries not getting environment passed right after argv in memory when bundle exec is used #​4815

Bug fixes:

  • Don't cleanup paths from gems already activated from $LOAD_PATH #​5111
  • Fix handling prereleases of 0 versions, like 0.0.0.dev or 0.0.0.SNAPSHOT #​5116
  • Fix escape of filenames in bundle doctor #​5102
  • Don't unlock dependencies when running bundle install after changing global source #​5090
  • Fix missing locked specs when depended on another platform #​5092
  • Fix bundle info sometimes claiming that bundler has been deleted #​5097

Documentation:

  • Ignore to generate the documentation from vendored libraries #​5118

v2.2.32

Compare Source

Enhancements:

  • Clarify bundle viz deprecation #​5083
  • Unlock dependencies that no longer match lockfile #​5068
  • Use shellsplit instead of array of strings for git push #​5062
  • Re-enable default_ignores option for standard #​5003

Bug fixes:

  • Fix downgrading dependencies by changing the Gemfile and running bundle update #​5078

v2.2.31

Compare Source

Enhancements:

  • Link to working bundler-graph plugin in bundle viz deprecation message #​5061
  • Memoize materialized specs when requiring bundler/setup #​5033
  • Allow custom LicenseRef #​5013
  • Better error when installing a lockfile with git sources and git is not installed #​5036
  • Only delete cached gem when it's corrupted #​5031
  • Support gemified tsort #​5032
  • Add standard option alongside rubocop to bundle gem #​4411

Bug fixes:

  • Fix system man pages no longer working after bundler overrides MANPATH #​5039
  • Don't warn when a lockfile is locked to a dev version #​5018

v2.2.30

Compare Source

Enhancements:

  • Add a custom SHA1 digest implementation to no longer depend on the digest gem before we know which version to activate #​4989
  • Ensure vendored gems have licenses #​4998
  • Update broken link in Bundler::Fetcher::CertificateFailureError #​4987
  • Give better errors for some permission issues #​4965
  • Print better errors when bundler/gem_tasks fail #​4872
  • Fix bundle install to reinstall deleted gems #​4974
  • Unify issue template and ISSUES.md document #​4980
  • Bump vendored connection_pool to 2.2.5 #​4738

Bug fixes:

  • Fix error message pointing to non existing file when using a global gem cache #​4999
  • Fix install crash when lockfile has missing dependencies for the current platform #​4941
  • Make bundle info show a proper warning every time it finds a deleted gem #​4971

v2.2.29

Compare Source

Enhancements:

  • Require at least Ruby 2.6.0 for gems created with recent rubies #​4920
  • Include glob information in string representation of git sources to make generated lockfiles deterministic #​4947
  • Add missing rubygem_push prerequisite #​4930

v2.2.28

Compare Source

Enhancements:

  • Use example.com in new gem template, since it will never have a potentially dangerous backing website #​4918
  • Deprecate --install flag to bundle remove and trigger install by default #​4891

v2.2.27

Compare Source

Enhancements:

  • Optimize some requires #​4887
  • Correctly redact credentials when using x-oauth-basic #​4866

Bug fixes:

  • Add missing key branches: to template for GitHub Actions #​4883
  • Fix bundle plugin install detection of already installed plugins #​4869
  • Make plugin installation idempotent #​4864
  • Fix bundle check showing duplicated gems when multiple platforms are locked #​4854
  • Fix bundle check incorrectly considering cached gems #​4853

v2.2.26

Compare Source

Enhancements:

  • Remove RUBYGEMS_GEMDEPS warning #​4827
  • Better defaults for GitHub Actions template generated by bundle gem #​4619
  • Make bundle exec keep file descriptors by default #​4812
  • Exclude gemspec file itself from file list of gems generated by bundle gem #​4650
  • Fix a couple small typos in deprecation / error messages #​4806
  • Make script generated by bundle install --standalone resilient to moving the application to a differently nested folder when path sources are used #​4792
  • Exclude CI files and issue templates from file list of gems generated by bundle gem #​4033

Bug fixes:

  • Respect BUNDLE_USER_HOME env when choosing config location #​4828
  • Fix bundle gem on path with spaces #​4816
  • Fix bundler hitting the network in some cases where not allowed #​4805

v2.2.25

Compare Source

Deprecations:

  • Deprecate Gemfile without an explicit global source #​4779
  • Deprecate bundle cache --path #​4496

Enhancements:

  • Give better errors when materialization fails #​4788
  • Lazily load shellwords library #​4786
  • Show original error and backtrace directly on bundle install errors instead of a more brittle gem install hint #​4778
  • Remove LoadError message in regards to requiring a relative file #​4772

Bug fixes:

  • Fix BUNDLE_USER_CONFIG no longer respected as config location #​4797
  • Fix --standalone installation of default gems #​4782
  • Fix --quiet flag not printing warnings #​4781
  • Fix bundler binstub version selection #​4775
  • Fix interrupt handling in Bundler workers #​4767

v2.2.24

Compare Source

Bug fixes:

  • Fix development gem unintentionally removed on an edge case #​4751
  • Fix dangling empty plugin hooks #​4755
  • Fix bundle plugin install --help showing bundle install's help #​4756
  • Make sure bundle check shows uniq missing gems #​4749

Performance:

  • Slightly speed up bundler/setup #​4750

v2.2.23

Compare Source

Enhancements:

  • Fix bundle install on truffleruby selecting incorrect variant for sorbet-static gem #​4625
  • Spare meaningless warning on read-only bundle invocations #​4724

Bug fixes:

  • Fix incorrect warning about duplicated gems in the Gemfile #​4732
  • Fix bundle plugin install foo crashing #​4734

v2.2.22

Compare Source

Enhancements:

  • Never downgrade indirect dependencies when running bundle update #​4713
  • Fix getaddrinfo errors not treated as fatal on non darwin platforms #​4703

Bug fixes:

  • Fix bundle update <gem> sometimes hanging and bundle lock --update not being able to update an insecure lockfile to the new format if it requires downgrades #​4652
  • Fix edge case combination of DSL methods and duplicated sources causing gems to not be found #​4711
  • Fix bundle doctor crashing when finding a broken symlink #​4707
  • Fix incorrect re-resolve edge case #​4700
  • Fix some gems being unintentionally locked under multiple lockfile sections #​4701
  • Fix --conservative flag unexpectedly updating indirect dependencies. NOTE: As part of this bug fix, some undocumented, unintentional code causing bundle update --source <gem> to update conservatively was fixed. Use the documented bundle update --conservative <gem> instead #​4692

v2.2.21

Compare Source

Security fixes:

  • Auto-update insecure lockfile to split GEM source sections whenever possible #​4647

Enhancements:

  • Use a more limited number of threads when fetching in parallel from the Compact Index API #​4670
  • Update TODO link in bundle gem template to https #​4671

Bug fixes:

  • Fix bundle install --local hitting the network when cache_all_platforms configured #​4677

v2.2.20

Compare Source

Enhancements:

  • Don't print bug report template on server side errors #​4663
  • Don't load resolv unnecessarily #​4640

Bug fixes:

  • Fix bundle outdated edge case #​4648
  • Fix bundle check with scoped rubygems sources #​4639

Performance:

  • Don't use extra_rdoc_files with md files in gemspec to make installing bundler with docs faster #​4628

v2.2.19

Compare Source

Bug fixes:

  • Restore support for configuration keys with dashes #​4582
  • Fix some cached gems being unintentionally ignored when using rubygems 3.2.18 #​4623

v2.2.18

Compare Source

Security fixes:

  • Fix dependency confusion issues with implicit dependencies #​4609

Enhancements:

  • Use simpler notation for generated required_ruby_version #​4598
  • Undeprecate bundle show #​4586
  • Make sure link to new issue uses the proper template #​4592

Bug fixes:

  • Fix platform specific gems being removed from the lockfile #​4580

v2.2.17

Compare Source

Enhancements:

  • Improve authentication required error message to include an alternative using ENV #​4565
  • Discard partial range responses without etag #​4563
  • Fix configuring ENV for a gem server with a name including dashes #​4571
  • Redact credentials from bundle env and bundle config #​4566
  • Redact all sources in verbose mode #​4564
  • Improve bundle pristine error if BUNDLE_GEMFILE does not exist #​4536
  • [CurrentRuby] Add 3.0 as a known minor #​4535
  • Prefer File.read instead of IO.read #​4530
  • Add space after open curly bracket in Gemfile and gems.rb template #​4518

Bug fixes:

  • Make sure specs are fetched from the right source when materializing #​4562
  • Fix bundle cache with an up-to-date lockfile and specs not already installed #​4554
  • Ignore deployment setting in inline mode #​4523

Performance:

  • Don't materialize resolutions when not necessary #​4556

v2.2.16

Compare Source

Enhancements:

  • Add --github-username option and config to bundle gem #​3687
  • Bump vendored tmpdir library copy #​4506
  • Add rake build:checksum task to build checksums for a gem package #​4156
  • Enable bundler-cache for GitHub Actions template #​4498
  • Improve bundle info error when gem is on a "disabled" group #​4492
  • Small tweak to yank message #​4494
  • Don't show duplicate entries in bundle outdated output #​4474
  • Never downgrade top level gems when running bundle update #​4473

Bug fixes:

  • Fix incorrect logic for filtering metadata matching candidates #​4497

v2.2.15

Compare Source

Enhancements:

  • Add a hint about bundler installing executables for path gems #​4461
  • Warn lockfiles with incorrect resolutions #​4459
  • Don't generate duplicate redundant sources in the lockfile #​4456

Bug fixes:

  • Respect running ruby when resolving platforms #​4449

v2.2.14

Compare Source

Security fixes:

  • Lock GEM sources separately and fix locally installed specs confusing bundler #​4381

Bug fixes:

  • Make rake available to other gems' installers right after it's installed #​4428
  • Fix encoding issue on compact index updater #​4362

v2.2.13

Compare Source

Enhancements:

  • Respect user configured default branch in README links in new generated gems #​4303

Bug fixes:

  • Fix gems sometimes being pulled from irrelevant sources #​4418

v2.2.12

Compare Source

Bug fixes:

  • Fix sporadic warnings about nil gemspec on install/update and make those faster #​4409
  • Fix deployment install with duplicate path gems added to Gemfile #​4410

v2.2.11

Compare Source

Bug fixes:

  • Revert disable_multisource changes #​4385

v2.2.10

Compare Source

Security fixes:

  • Fix source priority for transitive dependencies and split lockfile rubygems source sections #​3655

Bug fixes:

  • Fix adding platforms to lockfile sometimes conflicting on ruby requirements #​4371
  • Fix bundler sometimes choosing ruby variants over java ones #​4367

Documentation:

  • Update man pages to reflect to new default for bundle install jobs #​4188

v2.2.9

Compare Source

Enhancements:

  • Stop removing existing platforms when force_ruby_platform is true #​4336

Bug fixes:

  • Don't install platform specific gems on truffleruby #​4333

v2.2.8

Compare Source

Enhancements:

  • Add a CHANGELOG.md file to gems generated by bundle gem #​4093
  • Support gemified set #​4297

Bug fixes:

  • Fix standalone Kernel.require visibility #​4337

Performance:

  • Fix resolver edge cases and speed up bundler #​4277

v2.2.7

Compare Source

Enhancements:

  • Improve error messages when dependency on bundler conflicts with running version #​4308
  • Avoid showing platforms with requirements in error messages #​4310
  • Introduce disable_local_revision_check config #​4237
  • Reverse rubygems require mixin with bundler standalone #​4299

Bug fixes:

  • Fix releasing from a not yet pushed branch #​4309
  • Install cache only once if it already exists #​4304
  • Fix force_ruby_platform no longer being respected #​4302

Performance:

  • Fix resolver dependency comparison #​4289

v2.2.6

Compare Source

Bug fixes:

  • Fix dependency locking for path source #​4293

Performance:

  • Speed up complex dependency resolves by creating DepProxy factory and cache #​4216

v2.2.5

Compare Source

Enhancements:

  • Improve rubocop setup in the new gem template #​4220
  • Support repositories with default branch not named master #​4224

Bug fixes:

  • Let Net::HTTP decompress the index instead of doing it manually #​4081
  • Workaround for another jruby crash when autoloading a constant #​4252
  • Fix another performance regression in the resolver #​4243
  • Restore support for old git versions #​4233
  • Give a proper error if cache path does not have write access #​4215
  • Fix running rake release from an ambiguous ref #​4219

v2.2.4

Compare Source

Bug fixes:

  • Fix bundle man pages display on truffleruby #​4209
  • Fix Windows + JRuby no longer being able to install git sources #​4196

v2.2.3

Compare Source


v2.2.2

Compare Source


v2.2.1

Compare Source


v2.2.0

Compare Source

Enhancements:

  • New gem template: prefer require_relative to require #​4066
  • Always show underlying error when fetching specs fails #​4061
  • Add --all-platforms flag to bundle binstubs to generate binstubs for all platforms #​3886
  • Improve gem not found in source error messages #​4019
  • Revert resolving all Gemfile platforms automatically #​4052
  • Remove extra empty line from README template #​4041
  • Lazily load erb #​4011

Bug fixes:

  • Fix Bundler::Plugin::API::Source#to_s having empty source type #​4084
  • Raise consistent errors with or without bundle exec #​4063
  • Fix edge case resulting in a crash when using zeitwerk inside a nested bundle exec invocation #​4062
  • Enable specific_platform by default #​4015
  • Prevent remove command from deleting gemfile lines that are comments #​4045
  • Fix issue with cache_all_platforms and specific_platform configured #​4042
  • Fix incorrect error message on Windows #​4039
  • Make printed drive letters consistent on Windows #​4038
  • Load rubygems plugins from RUBYLIB during bundle install and bundle update #​3534
  • Fix specific_platform and cache_all with bundle cache --all-platforms #​4022
  • Bring back the possibility to install a plugin from path #​4020
  • Move ronn pages to lib #​3997
  • Fix fileutils double load when using bundler/inline #​3991
  • Accept responses with no etag header #​3865

Documentation:

  • Fix typo of bundle-install.1 (v2.1) #​4079
  • Add commented out example and more information link to generated gemspec #​4034

v2.1.4

Compare Source

Bug fixes:

  • Fix net-http-pipeline no longer being allowed in Gemfiles if already installed in the system due to our vendored version of net-http-persistent optionally requiring it #​7529
  • Fix inline gems no longer being requirable if no Gemfile is present in the directory hierarchy #​7537

v2.1.3

Compare Source

Bug fixes:

  • Fix rake build when path has spaces on it #​7514
  • Fix rake release git push tasks when the running shell has git as an alias of another command (like hub) #​7510
  • Fix some circular require warnings #​7520
  • Fix bundle config set deployment true recommended alternative to bundle config --deployment to behave in the same way as the --deployment flag #​7519

v2.1.2

Compare Source

Bug fixes:

  • Restore an explicit require "rubygems" on top rubygems_integration.rb to avoid some missing constant errors under some convoluted setups #​7505

v2.1.1

Bug fixes:

  • Fix some cases of shelling out to rubygems still being silent #​7493
  • Restore compatibility with rubygems-bundler so that binstubs work under RVM #​7498

v2.1.0

Features:

  • Add support for new default gems. In particular,

    plus other PRs removing or lazily loading usages of these gems from other places to not interfere with user's choice, such as #​7471 or #​7473

Bug fixes:

  • Fix bundle exec rake install failing #​7474
  • Fix bundle exec'ing to rubygems being silent #​7442
  • Restore previous BUNDLE_GEMFILE in bundler/inline #​7418
  • Fix error when using gem DSL's :glob option for selecting gemspecs from a specific source #​7419

Enhancements:

  • bundle config no longer warns when using "old interface" (might be deprecated again in the future) #​7475
  • bundle update no longer warns when used without arguments (might be deprecated again in the future) #​7475

v2.0.2

Compare Source

Enhancements:

  • Fixes for Bundler integration with ruby-src (#​6941, #​6973, #​6977, #​6315, #​7061)
  • Use __dir__ instead of __FILE__ when generating a gem with bundle gem (#​6503)
  • Use https on externals links in the Bundler gemspec (#​6721)
  • Removed duplicate gem names from the suggested did you mean list for gem typos (#​6739)
  • Removed Ruby 1.x compatibility code (#​6764, #​6806)
  • Fixed an issue where bundle remove would crash with certain Gemfiles (#​6768)
  • Fixed indentation in the Bundler executable template (#​6773)
  • Fixed an issue where plugins could register for the same Bundler hook multiple times (#​6775)
  • Changed the "multiple sources" message in bundle install to be a warning instead of an error (#​6790)
  • Fixed a bug where path gems would break when using only_update_to_newer_versions (#​6774)
  • Fixed a bug where installing plugins with the --deployment setting would fail (#​6805)
  • Fixed an issue where bundle update couldn't update & install a gem when no_install was set (a bundle package config) (#​7078)
  • Fixed an issue where users could not run bundle exec on default gems (#​6963)
  • Updated vendor libraries to their latest version (#​7076, #​7068)
  • Fixed an issue where the github source was not using https by default that we mentioned in the 2.0 release (#​7182)
  • Fixed an issue where rake release was not outputting the message to users asking for a 2fa token (#​7199)

Documentation:

  • Fix incorrect documented BUNDLE_PATH_RELATIVE_TO_CWD env var (#​6751)
  • Update URLs in Bundler's documentation to use https (#​6935)

v2.0.1

Bug fixes:

  • Relaxed RubyGems requirement to >= 2.5.0 (#​6867)

v2.0.0

No changes.

v1.17.3

Compare Source

Documentation:

  • Add entry for the bundle remove command to the main Bundler manual page

v1.17.2

Compare Source

  • Add compatibility for bundler merge with Ruby 2.6

v1.17.1

Compare Source

v1.17.0

Compare Source

No changes.

v1.16.6

Compare Source

Enhancements:

  • Add an error message when adding a gem with bundle add that's already in the bundle (#​6341, @​agrim123)
  • Add Homepage, Source Code and Changelog URI metadata fields to the bundle gem gemspec template (@​walf443)

Bug fixes:

  • Fix issue where updating a gem resulted in the gem's version being downgraded when BUNDLE_ONLY_UPDATE_TO_NEWER_VERSIONS was set (#​6529, @​theflow)
  • Fix some rescue calls that don't specify error type (@​utilum)
  • Fix an issue when the Lockfile would contain platform-specific gems that it didn't need (#​6491, @​segiddins)
  • Improve handling of adding new gems with only a single group to the Gemfile in bundle add (@​agrim123)
  • Refactor check for OpenSSL in bundle env (@​voxik)
  • Remove an unnecessary assignment in Metadata (@​voxik)

Documentation:

  • Update docs to reflect revised guidance to check in Gemfile.lock into version control for gems (#​5879, @​arbonap)
  • Add documentation for the --all flag in bundle update (@​agrim123)
  • Update README to use bundle add in usage examples (@​hdf1986)

v1.16.5

Compare Source

Bug fixes:

  • Avoid printing git errors when checking the version on incorrectly packaged versions of Bundler (#​6453, @​greysteil)
  • Fix issue where Bundler does not check the given class when comparing equality in DepProxy (@​ChrisBr)
  • Handle RangeNotSatisfiable error in Compact Index (@​MaxLap)
  • Check for initialized search variable in LazySpecification (@​voxik)
  • Fix LoadError occurring in nested bundle exec calls (#​6537, @​colby-swandale)
  • Check that Bundler::Deprecate is not an autoload constant (#​6163, @​eregon)
  • Prefer non-pre-release versions when performing a bundle update --patch (#​6684, @​segiddins)

v1.16.4

Compare Source

Enhancements:

  • Welcome new members to the Bundler core team (@​indirect)
  • Don't mutate original error trees when determining version_conflict_message (@​greysteil)
  • Update vendored Molinillo to 0.6.6 (@​segiddins)

Documentation:

  • Document that bundle show [--paths] sorts results by name (@​kemitchell)

v1.16.3

Compare Source

Features:

  • Support URI::File of Ruby 2.6 (@​hsbt)

Bug fixes:

  • Expand symlinks during setup to allow Bundler to load correctly when using symlinks in $GEM_HOME (#​6465, @​ojab, @​indirect)
  • Dont let Bundler create temporary folders for gem installs which are owned by root (#​6258, @​colby-swandale)
  • Don't fallback to using temporary directories when needed directories already exist (#​6546, @​brodock)
  • Use SharedHelpers.filesystem_access when reading a Gemfile so friendly error messages can be given to the user (#​6541, @​segiddins)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/rubygems-bundler-vulnerability branch from a40b352 to 67340e8 Compare February 1, 2025 23:53
@renovate renovate bot changed the title chore(deps): update dependency bundler to v2 [security] chore(deps): update dependency bundler to v2 [security] - autoclosed Feb 12, 2025
@renovate renovate bot closed this Feb 12, 2025
@renovate renovate bot deleted the renovate/rubygems-bundler-vulnerability branch February 12, 2025 08:03