by Eric Hodel

RubyGems 2.1.0 includes several new features and a security update to fix CVE-2013-4287

To update to the latest RubyGems you can run:

gem update --system

If you need to upgrade or downgrade please follow the how to upgrade/downgrade RubyGems instructions. To install RubyGems by hand see the Download RubyGems page.

Security fixes:

RubyGems 2.0.7 and earlier are vulnerable to excessive CPU usage due to a backtracking in Gem::Version validation. See CVE-2013-4287 for full details including vulnerable APIs. Fixed versions include 2.0.8, 1.8.26 and 1.8.23.1 (for Ruby 1.9.3). Issue #626 by Damir Sharipov.

Major enhancements:

RubyGems uses a new dependency resolver for gem installation which works similar to the bundler resolver. The new resolver can resolve conflicts the previous resolver could not and offers improved diagnostics when conflicts are discovered.

Minor enhancements:

RubyGems now has improved platform matching for the ARM architecture. Gems built with a CPU of “arm” will match any specific ARM CPU. See gem help platform for further details. Fixes #532 by Kim Burgestrand.

for further details. Fixes #532 by Kim Burgestrand. The –version option now accepts compound requirements the same as in a gem dependency. The following invocation will install rails between 4.0.0.beta and 4.2: gem install rails -v '>= 4.0.0.beta, < 4.2' Fixes #531 by Gary S. Weaver

gem clean now allows -n as an alias for --dryrun . Pull Request #517 by Gastón Ramos

now allows as an alias for . Pull Request #517 by Gastón Ramos Added gem update --system to gem help . Pull Request #514 by Vince Wadhwani

to . Pull Request #514 by Vince Wadhwani Added PATH to gem env output. Pull Request #490 by Michal Papis

output. Pull Request #490 by Michal Papis Added –host option to gem owner to match other commands using the gemcutter API. Pull Request #462 and issue #461 by Hugo Lopes Tavares

to match other commands using the gemcutter API. Pull Request #462 and issue #461 by Hugo Lopes Tavares Added –abort-on-dependent to gem uninstall . This will abort instead of asking to uninstall a gem that is depended upon by another gem. Pull request #549 by Philip Arndt.

. This will abort instead of asking to uninstall a gem that is depended upon by another gem. Pull request #549 by Philip Arndt. RubyGems no longer alters Gem::Specification.dirs when installing. Based on Pull Request #452 by Vít Ondruch

RubyGems uses MAKE or make environment variables over rbconfig.rb’s make if present. Pull Request #443 by Erik Hollensbe

or environment variables over rbconfig.rb’s make if present. Pull Request #443 by Erik Hollensbe RubyGems can now save remote source cache files in an alternate directory controlled by ENV["GEM_SPEC_CACHE"] . Pull Request #489 by Michal Papis

. Pull Request #489 by Michal Papis Generated private keys are now encrypted. Pull Request #453 by pietro

Separated Gem::Request from Gem::RemoteFetcher. Pull Request #283 by Steve Klabnik.

RubyGems indicates when a .gem’s content is corrupt while verifying. Bug #519 by William T Nelson.

Refactored common installer setup. Pull request #520 by Gastón Ramos

Moved activation tests to Gem::Specification. Pull request #521 by Gastón Ramos

When a –version option with a prerelease version is given RubyGems automatically enables prerelease versions but only the last version is used. If the first version is a prerelease version this is no longer sticky unless an explicit --prerelease or --no-prerelease was also given. Fixes part of #531.

or was also given. Fixes part of #531. RubyGems now supports an SSL client certificate. Pull request #550 by Robert Kenny.

RubyGems now suggests how to fix permission errors. Pull request #553 by Odin Dutton.

Added support for installing a gem as default gems for alternate ruby implementations. Pull request #566 by Charles Nutter.

Improved performance of Gem::Specification#load by caching the loaded gemspec. Pull request #569 by Charlie Somerville.

RubyGems now warns when an unsigned gem is verified if -P was given during installation even if the security policy allows unsigned gems and warns when an untrusted certificate is seen even if the security policy allows untrusted certificates. Issue #474 by Grant Olson

RubyGems can now rewrite executables with or without a shebang of /usr/bin/env via gem pristine --all --only-executables --env-shebang (or --no-env-shebang ). Issue #579 by Paul Annesley.

(or ). Issue #579 by Paul Annesley. RubyGems can now run its tests without OpenSSL. Ruby Bug #8557 by nobu.

Improved performance by caching Gem::Version objects and avoiding method_missing in Gem::Specification. Pull request #447 by Jon Leighton.

Files in a .gem now preserve their modification times. Pull request #582 by Jesse Bowes

Improved speed of looking up dependencies in SpecFetcher through Array#bsearch (when present). Pull request #595 by Andras Suller

Added --all option to gem uninstall which removes all gems in GEM_HOME. Pull request #584 by Shannon Skipper.

option to which removes all gems in GEM_HOME. Pull request #584 by Shannon Skipper. Added Gem.find_latest_files which is equivalent to Gem.find_files but only returns matching files from the latest version of each gem. Issue #186 by Ryan Davis.

Improved performance of gem outdated by reducing duplicate work (it is still slow, but I see a near 50% improvement for 250 gems on a fast connection). See also Gem::Specification::outdated_and_latest_version

Bug fixes: