bundler
Safeguard articles tagged "bundler" — guides, analysis, and best practices for software supply chain and application security.
8 articles
Bundler dependency resolution and safe Gemfile upgrade strategies
In May 2026 RubyGems suspended new signups after attackers mass-created accounts to flood the registry with malicious gems. Here's how Bundler actually resolves risk.
How malicious Gemfile.lock entries redirect Ruby installs to attacker servers
A single unreviewed remote: line in Gemfile.lock can silently reroute a bundle install — here's how Ruby lockfile injection works and how to stop it.
RubyGems and Bundler's Cooldown Discussion: Soak Windows as a First-Class Defender Policy
After the 2025 supply-chain waves, the ruby/rubygems community opened Discussion #9113 to evaluate a built-in cooldown feature for bundle update. Here is the defender argument and how to implement it today.
Ruby Gems Security: Signing, Yanking and Trusted Publishing
Gem signing never took off, yanking is weaker than people assume, and trusted publishing finally fixes the credential problem. What to actually rely on in a Ruby pipeline.
Reachability Analysis for Ruby and RubyGems in 2026
Ruby reachability under metaprogramming, Rails autoloading, and Bundler groups. What bundler-audit and modern tools handle, and where they punt to over-approximation.
bundler-audit Production Setup
A practical guide to running bundler-audit in production CI pipelines, including advisory database updates, exception handling, and integration with remediation workflows.
Bundler Lockfile Security Practices
How to use Gemfile.lock as a real security artifact: checksums, frozen mode, reproducible resolves, and what changed in Bundler 2.5's expanded lockfile format.
Ruby Gems Supply Chain Security
Protecting your Ruby applications from gem-based supply chain attacks with Bundler security features, gem signing, and auditing.