Safeguard
Tag

bundler

Safeguard articles tagged "bundler" — guides, analysis, and best practices for software supply chain and application security.

8 articles

Open Source Security

Bundler dependency resolution and safe Gemfile upgrade strategies

In May 2026 RubyGems suspended new signups after attackers mass-created accounts to flood the registry with malicious gems. Here's how Bundler actually resolves risk.

Jul 11, 20266 min read
Supply Chain Attacks

How malicious Gemfile.lock entries redirect Ruby installs to attacker servers

A single unreviewed remote: line in Gemfile.lock can silently reroute a bundle install — here's how Ruby lockfile injection works and how to stop it.

Jul 11, 20266 min read
Supply Chain

RubyGems and Bundler's Cooldown Discussion: Soak Windows as a First-Class Defender Policy

After the 2025 supply-chain waves, the ruby/rubygems community opened Discussion #9113 to evaluate a built-in cooldown feature for bundle update. Here is the defender argument and how to implement it today.

May 15, 20267 min read
Engineering

Ruby Gems Security: Signing, Yanking and Trusted Publishing

Gem signing never took off, yanking is weaker than people assume, and trusted publishing finally fixes the credential problem. What to actually rely on in a Ruby pipeline.

Mar 20, 20266 min read
Application Security

Reachability Analysis for Ruby and RubyGems in 2026

Ruby reachability under metaprogramming, Rails autoloading, and Bundler groups. What bundler-audit and modern tools handle, and where they punt to over-approximation.

Mar 19, 20265 min read
Vulnerability Management

bundler-audit Production Setup

A practical guide to running bundler-audit in production CI pipelines, including advisory database updates, exception handling, and integration with remediation workflows.

Jul 2, 20247 min read
Open Source Security

Bundler Lockfile Security Practices

How to use Gemfile.lock as a real security artifact: checksums, frozen mode, reproducible resolves, and what changed in Bundler 2.5's expanded lockfile format.

Jun 14, 20248 min read
Dependency Security

Ruby Gems Supply Chain Security

Protecting your Ruby applications from gem-based supply chain attacks with Bundler security features, gem signing, and auditing.

Jun 20, 20224 min read
bundler — Safeguard Blog