chore(deps): update dependency bundler to v4 [security]

[sc-renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
bundler (source, changelog)	"~> 1.0" → "~> 4.0"

GitHub Vulnerability Alerts

CVE-2016-7954

Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.

---

Release Notes

ruby/rubygems (bundler)

v4.0.15

Compare Source

Enhancements:

• Rubygems: Fix Gem::Request for PQC support, adding integration connection tests. Pull request #​9615 by junaruga
• Reduce peak memory usage of full index loading and bundle install. Pull request #​9618 by hsbt
• Installs bundler 4.0.15 as a default gem.

Bug fixes:

• Forward security policy to old-format gems. Pull request #​9611 by hsbt

v4.0.14

Compare Source

Enhancements:

• Add executables and bindir validation to the gem installer. Pull request #​9595 by hsbt
• Strip C1 control characters from displayed gem text. Pull request #​9597 by hsbt
• Installs bundler 4.0.14 as a default gem.

v4.0.13

Compare Source

Enhancements:

• Prevent extraction from escaping destination_dir via pre-existing symlinks. Pull request #​9493 by thesmartshadow
• Close stdin immediately when using popen2e. Pull request #​9540 by rwstauner
• Fallback to copy symlinks on Windows. Pull request #​9296 by larskanis
• Installs bundler 4.0.13 as a default gem.

v4.0.12

Compare Source

Enhancements:

• Remove cygwin from WIN_PATTERNS. Pull request #​9527 by fd00
• Installs bundler 4.0.12 as a default gem.

Bug fixes:

• Fall back to lockfile version when BUNDLE_VERSION is "lockfile". Pull request #​9545 by hsbt
• Read BUNDLE_VERSION env var in BundlerVersionFinder. Pull request #​9538 by hsbt

v4.0.11

Compare Source

Enhancements:

• Add commented-out rubygems_mfa_required to bundle gem template. Pull request #​9487 by MatheusRich
• Clarify the name and meaning of the first argument to gem spec. Pull request #​9476 by eregon
• Installs bundler 4.0.11 as a default gem.

v4.0.10

Compare Source

Enhancements:

• Ignore warnings with spec different platforms. Pull request #​8508 by hsbt
• Better algorithm for sorting gem version. Pull request #​9421 by Edouard-chin
• Update SPDX license list as of 2026-02-20. Pull request #​9434 by hsbt
• Installs bundler 4.0.10 as a default gem.

Bug fixes:

• Register native extension files in default spec map. Pull request #​9431 by hsbt
• Fix NoMethodError in Gem.try_activate when activation conflicts occur. Pull request #​9404 by hsbt

v4.0.9

Compare Source

Enhancements:

• Fix: include owner role in gem owner. Pull request #​9403 by gjtorikian
• Installs bundler 4.0.9 as a default gem.

Bug fixes:

• Fix: Ensure trailing slash is added to source URIs added via gem sources. Pull request #​9055 by zirni

Documentation:

• [DOC] Fix link. Pull request #​9409 by BurdetteLamar

v4.0.8

Compare Source

Enhancements:

• Use JSON for cargo metadata parsing. Pull request
  #​9373 by hsbt
• Fix NameError in Gem::Request.get_proxy_from_env when requiring
  rubygems/request directly. Pull request
  #​9362 by afurm
• Installs bundler 4.0.8 as a default gem.

Documentation:

• Unify Compact Index API naming. Pull request
  #​9372 by simi

v4.0.7

Compare Source

Enhancements:

• Add Gem.disable_system_update_message in setup.rb. Pull request
  #​9020 by hyuraku
• Print message when signing in with an existing API key. Pull request
  #​9312 by hsbt
• Installs bundler 4.0.7 as a default gem.

Documentation:

• Document gemspecs must be deterministic. Pull request
  #​9321 by fxn
• Remove "##" from a comment to require. Pull request
  #​9306 by tompng

v4.0.6

Compare Source

Enhancements:

• Update vendored resolv to 0.7.0. Pull request
  #​9298 by hsbt
• Installs bundler 4.0.6 as a default gem.

v4.0.5

Compare Source

Enhancements:

• Removed unused deprecate loading. Pull request
  #​9266 by hsbt
• Validate executable names for invalid characters. Pull request
  #​9257 by hsbt
• Installs bundler 4.0.5 as a default gem.

Bug fixes:

• Fix RubyGems not able to require the right gem:. Pull request
  #​9246 by Edouard-chin
• Remove special behavior for rake. Pull request
  #​9245 by JasonLunn

Documentation:

• Added another usage of pristine command. Pull request
  #​9255 by hsbt

v4.0.4

Compare Source

Enhancements:

• Remove date require from rebuild command. Pull request
  #​9232 by jeremyevans
• Installs bundler 4.0.4 as a default gem.

Bug fixes:

• Add a missing "require 'etc'" statement:. Pull request
  #​9242 by Edouard-chin

v4.0.3

Compare Source

Enhancements:

• Installs bundler 4.0.3 as a default gem.

Documentation:

• Fix broken documentation links. Pull request
  #​9208 by eileencodes

v4.0.2

Compare Source

Enhancements:

• Support single quotes in mise format ruby version #​9183
• Tweak the Bundler's "X gems now installed message": #​9194

Bug fixes:

• Allow to show cli_help with bundler executable #​9198
• Allow bundle pristine to work for git gems in the same repo #​9196

v4.0.1

Compare Source

Enhancements:

• Do not hard-code permissions for new gem directories during bundle install. Pull request #​9557 by maxfelsher-cgi
• Clear gem specification cache after acquiring process lock. Pull request #​9310 by ngan
• Show release date with bundle outdated. Pull request #​9337 by hsbt

Bug fixes:

• Apply cooldown to locally installed gem versions. Pull request #​9582 by hsbt

Security:

• Add cooldown to delay newly published gem. Pull request #​9576 by hsbt

v4.0.0

Compare Source

Features:

• Support bundle install --lockfile option #​9111
• Add support for lockfile in Gemfile and bundle install --no-lock #​9059
• Add --ext=go to bundle gem #​8183
• Update Bundler::CurrentRuby::ALL_RUBY_VERSIONS #​9058
• Introduce bundle list --format=json #​8728

Performance:

• Run git operations in parallel to speed things up: #​9100
• Replace instance method look up in plugin installer #​9094
• Adjust the API_REQUEST_LIMIT to make less network roundtrip #​9071

Enhancements:

• Make BUNDLE_LOCKFILE environment variable have precedence over lockfile method in Gemfile #​9146
• Improve banner message for the default command #​9145
• Introduce install_or_cli_help and use it default bundle command #​9136
• Add go_gem/rake_task for Go native extension gem skeleton #​9105
• Warn users that bundle now display the help: #​9092
• Use DidYouMean::SpellChecker for gem suggestions in Bundler #​3857
• Update all vendored libraries to latest version #​9089
• We don't need to allow some warning now #​9074
• Support to embedded Pathname #​9056
• Enforce activation of irb when running with bundle console #​9033
• Update Magnus version in Rust extension gem template #​9025
• Add checksum of gems hosted on private servers: #​9004
• Loading support on Windows #​8254
• Improve error message when the same source is specified through gemspec and path #​8460
• Raise an error in frozen mode if some registry gems have empty checksums #​8888
• Bump vendored thor to 1.4.0 #​8883
• Delay default path and global cache changes to Bundler 5 #​8867
• Fix spacing in bundle gem newgem.gemspec.tt #​8865
• Add some missing deprecation messages #​8844

Bug fixes:

• Fixed checksums generation issue when no source is specified #​9133
• Check for file existence before deletion from cache #​9095
• Use method_defined?(:method, false) #​9098
• Handle BUNDLER_VERSION being set to an empty string #​6928
• Fix bundle install when the Gemfile contains "install_if" git gems: #​8992
• Fix installation issue related to path sources and precompiled gems #​8973
• Fix outdated lockfile during bundle lock when source changes #​8962
• Raise error on missing version file #​8963
• Fix bundle cache --frozen and bundle cache --no-prune not printing a deprecation message #​8926
• Fix local installation incorrectly forced if there's a vendor/cache directory and frozen mode is set #​8925
• Fix bundle lock --update <gem> with --lockfile flag updating all gems #​8922
• Fix bundle show --verbose and recommend it as an alternative to bundle show --outdated #​8915
• Fix bundle cache --no-all not printing a deprecation warning #​8912
• Fix bundle update foo unable to update foo in an edge case #​8897
• Fix Bundler printing more flags than actually passed in verbose mode #​8914
• Fix bundler failing to install sorbet-static in truffleruby when there's no lockfile #​8872
• Cancel deprecation of --force flag to bundle install and bundle update #​8843

Security:

• Bump up vendored URI to 1.0.4 #​9031

Breaking changes:

• Fix triple spacing when generating lockfile #​9076
• Hide patchlevel from lockfile #​7772
• Remove bundler_4_mode #​9038
• Pick and add extra changes for 4.0.0 version #​9018
• Replaced Bundler::SharedHelpers.major_deprecation to feature_removed! or feature_deprecated! #​9016
• Removed legacy_check option from SpecSet#for #​9015
• Make update_requires_all_flag to settings #​9011
• Make default cli command settings #​9010
• Make global_gem_cache flag to settings #​9009
• Consolidate removal of Bundler.rubygems.all_specs #​9008
• Consolidate removal of Bundler::SpecSet#- and Bundler::SpecSet#<< #​9007
• Replaced Bundler.feature_flag.plugins? to Bundler.settings #​9006
• Make bundle show --outdated raise an error #​8980
• Make --local-git flag to bundle plugin install raise an error #​8979
• Switch cache_all to be true by default #​8975
• Completely forbid passing --ext to bundle gem without a value #​8976
• Switch lockfile_checksums to be true by default #​8981
• Make bundle install --binstubs raise an error #​8978
• Make bundle remove --install raise an error #​8977
• Remove support for multiple global sources in Gemfile & lockfile #​8968
• Remove allow_offline_install setting #​8969
• Completely remove --rubocop flag to bundle gem, and related configuration #​8967
• Completely remove all remembered CLI flags #​8958
• Remove implementation of deployment, capistrano and vlad entrypoints #​8957
• Remove deprecated Bundler.*clean*, and Bundler.environment helpers #​8924
• Remove deprecated bundle viz and bundle inject commands #​8923
• Removed to workaround for Bundler 2.2 #​8903

Documentation:

• Unified UPGRADING.md and extract blog.rubygems.org #​9148
• Remove italic formatting from changelog section headers #​9128
• Small clarifications to Bundler 4 upgrade docs #​8964
• Improve documentation of bundle doctor, bundle plugin, and bundle config #​8919
• Make sure all CLI flags and subcommands are documented #​8861
• Clarify documentation about new default gem installation directory in Bundler 4 #​8857
• Use mailto link in Code of Conduct #​8849
• Update Code of Conduct email to conduct@rubygems.org #​8848
• Add missing link to irb repo in DEBUGGING.md #​8842

v2.7.2

Compare Source

Enhancements:

• Improve error message when the same source is specified through gemspec and path #​8460
• Raise an error in frozen mode if some registry gems have empty checksums #​8888
• Bump vendored thor to 1.4.0 #​8883
• Delay default path and global cache changes to Bundler 5 #​8867
• Fix spacing in bundle gem newgem.gemspec.tt #​8865

Bug fixes:

• Fix bundle cache --frozen and bundle cache --no-prune not printing a deprecation message #​8926
• Fix local installation incorrectly forced if there's a vendor/cache directory and frozen mode is set #​8925
• Fix bundle lock --update <gem> with --lockfile flag updating all gems #​8922
• Fix bundle show --verbose and recommend it as an alternative to bundle show --outdated #​8915
• Fix bundle cache --no-all not printing a deprecation warning #​8912
• Fix bundle update foo unable to update foo in an edge case #​8897
• Fix Bundler printing more flags than actually passed in verbose mode #​8914
• Fix bundler failing to install sorbet-static in truffleruby when there's no lockfile #​8872

Documentation:

• Improve documentation of bundle doctor, bundle plugin, and bundle config #​8919
• Make sure all CLI flags and subcommands are documented #​8861

v2.7.1

Compare Source

Enhancements:

• Add some missing deprecation messages #​8844

Bug fixes:

• Cancel deprecation of --force flag to bundle install and bundle update #​8843

Documentation:

• Clarify documentation about new default gem installation directory in Bundler 4 #​8857
• Use mailto link in Code of Conduct #​8849
• Update Code of Conduct email to conduct@rubygems.org #​8848
• Add missing link to irb repo in DEBUGGING.md #​8842

v2.7.0

Compare Source

Breaking changes:

• Stop allowing calling #gem on random objects #​8819
• Remove path_relative_to_cwd setting #​8815
• Remove the default_install_uses_path and auto_clean_without_path settings #​8814
• Remove print_only_version_number setting #​8799
• Drop support for Ruby 3.1 #​8634
• Raise an error if incompatible or merge if compatible when a gemspec development dep is duplicated in Gemfile #​8556
• Remove MD5 digesting of compact index responses #​8530
• Stop generating binstubs for Bundler itself #​8345

Deprecations:

• Deprecate unused Bundler::SpecSet methods #​8777
• Deprecate x64-mingw32 in favour of x64-mingw-ucrt #​8733
• Deprecate legacy windows platforms (:mswin, :mingw) in Gemfile DSL in favor of :windows #​8447
• Deprecate CurrentRuby#maglev? and other related maglev methods #​8452

Features:

• Allow simulating "Bundler 4 mode" more easily #​6472

Performance:

• Cache git sources with commit SHA refs #​8741

Enhancements:

• Load RubyGems extensions in the first place #​8835
• Update gemspec based on provided github username when exists #​8790
• Fail fast when connection errors happen #​8784
• Introduce a verbose setting to enable verbose output for all commands #​8801
• Introduce gem.bundle setting to run bundle install automatically after bundle gem, and make it the default #​8671
• Handle Errno::EADDRNOTAVAIL errors gracefully #​8776
• Use persist-credentials: false in workflow generated by bundle gem #​8779
• Recognize JRuby loaded from a classloader, not just any JAR #​8567
• Validate lockfile dependencies with bundle install #​8666
• Ignore local specifications if they have incorrect dependencies #​8647
• Move most of Bundler::GemHelpers to Gem::Platform #​8703
• Improve spec.files in the .gemspec template #​8732

Bug fixes:

• Fix double bundle gem prompts #​8825
• Fix date displayed in bundle version help text #​8806
• Fix bundle console printing bug report template on NameError during require #​8804
• Fix Bundler.original_env['GEM_HOME'] when Bundler is trampolined #​8781
• Fix rdoc issues when running gem commands in a bundle exec context #​8770
• Never ignore gems from path sources during activation #​8766
• Fix bundle install after pinning a git source with subgems #​8745
• Let bundle update --bundler upgrade bundler even if restarts are disabled #​8729

Documentation:

• Rewrite and complete UPGRADING document #​8817
• Document that global_gem_cache also caches compiled extensions #​8823
• Add default_cli_command documentation #​8816
• Add a root CONTRIBUTING.md file #​8822
• Add a SECURITY.md file #​8812
• Update man pages for the bundle doctor ssl subcommand #​8803
• Remove duplicate documentation for --changelog flag #​8756
• Fix typos making some lists in documentation render incorrectly #​8759
• Fix heading ranks in documentation #​8711
• Clarify differences between frozen and deployment settings, and other bundle-config documentation improvements #​8715

v2.6.9

Compare Source

Enhancements:

• Fix doctor command parsing of otool output #​8665
• Add SSL troubleshooting to bundle doctor #​8624
• Let bundle lock --normalize-platforms remove invalid platforms #​8631

Bug fixes:

• Fix bundle lock sometimes allowing invalid platforms into the lockfile #​8630
• Fix false positive warning about insecure materialization in frozen mode #​8629

v2.6.8

Compare Source

Enhancements:

• Refine bundle update --verbose logs #​8627
• Improve bug report instructions #​8607

Bug fixes:

• Fix bundle update crash in an edge case #​8626
• Fix bundle lock --normalize-platforms regression #​8620

v2.6.7

Compare Source

Enhancements:

• Fix crash when server compact index API implementation only lists versions #​8594
• Fix lockfile when a gem ends up accidentally under two different sources #​8579
• Refuse to install and print an error in frozen mode if some entries are missing in CHECKSUMS lockfile section #​8563
• Support git 2.49 #​8581
• Improve wording of a few messages #​8570

Bug fixes:

• Fix bundle add sometimes generating invalid lockfiles #​8586

Performance:

• Implement pub_grub strategy interface #​8589
• Update vendored pub_grub #​8571

v2.6.6

Compare Source

Enhancements:

• Fix ENAMETOOLONG error when creating compact index cache #​5578
• Use shorthand hash syntax for bundle add #​8547
• Update vendored uri to 1.0.3 #​8534
• Retry gracefully on blank partial response in compact index #​8524
• Give a better error when trying to write the lock file on a read-only filesystem #​5920
• Improve log messages when lockfile platforms are added #​8523
• Allow noop bundle install to work on read-only or protected folders #​8519

Bug fixes:

• Detect partial gem installs from a git source so that they are reinstalled on a successive run #​8539
• Modify bundle doctor to not report issue when files aren't writable #​8520

Performance:

• Optimize resolution by removing an array allocation from Candidate#<=> #​8559

Documentation:

• Update docs for with/without consistency #​8555
• Recommend non-deprecated methods in bundle exec documentation #​8537
• Hint about default group when using only configuration option #​8536

v2.6.5

Compare Source

Enhancements:

• Fix lockfile platforms inconveniently added on JRuby #​8494

Bug fixes:

• Fix resolver issue due to ill-defined version ranges being created #​8503
• Make sure empty gems are not reinstalled every time #​8502

v2.6.4

Compare Source

Enhancements:

• Make Bundler never instantiate development dependencies #​8486
• Fix some invalid options to gem DSL not getting reported as invalid #​8480
• Add irb to a Gemfile for a newly created gem #​8467
• Auto-heal empty installation directory #​8457
• Fix bundle console unnecessarily trying to load IRB twice #​8443
• Add ruby_34 and ruby_35 as valid platform: #​8430
• Consider gems under platform: :windows filter in Gemfile when running on Windows with ARM architecture #​8428

Bug fixes:

• Fix regression when running bundle update <foo> would sometimes downgrade a top level dependency #​8491
• Fix dependency locking when Bundler finds incorrect lockfile dependencies #​8489
• Raise error when lockfile is missing deps in frozen mode #​8483
• Fix bundle install --prefer-local sometimes installing very old versions #​8484
• Fix incorrect error message when running bundle update in frozen mode #​8481
• Keep platform variants in vendor/cache even if incompatible with the current Ruby version #​8471
• Fix bundle console printing bug report template incorrectly #​8436
• Fix --prefer-local not respecting default gems #​8412

Performance:

• Improve resolution performance #​8458

Documentation:

• Fix more broken links #​8416

v2.6.3

Compare Source

Enhancements:

• Don't fallback to evaluating YAML gemspecs as Ruby code #​8404
• Print message when blocking on file locks #​8299
• Add support for mise version manager file #​8356
• Add Ruby 3.5 to Gemfile DSL platform values #​8365

Bug fixes:

• Revert RubyGems plugins getting loaded on Bundler.require #​8410
• Fix platform specific gems sometimes being removed from the lockfile #​8401
• Serialize gemspec when caching git source #​8403
• Fix crash on read-only filesystems in Ruby 3.4 #​8372
• Fix bundle outdated <GEM> failing if not all gems are installed #​8361
• Fix bundle install crash on Windows #​8362

Documentation:

• Fix broken links in the documents #​8389

v2.6.2

Compare Source

Bug fixes:

• Restart using Process.argv0 only if $PROGRAM_NAME is not a script #​8343

Documentation:

• Fix typo in bundle lock man page synopsis (--add-checkums → --add-checksums) #​8350

v2.6.1

Compare Source

Bug fixes:

• Fix missing Gem::Uri.redact on some Ruby 3.1 versions #​8337
• Fix bundle lock --add-checksums when gems are already installed #​8326

v2.6.0

Compare Source

Security:

• Fix gemfury credentials written to logs in verbose mode #​8283
• Fix private registry credentials being written to logs #​8222

Breaking changes:

• Drop ruby 3.0 support #​8091
• Remove client-side MD5 ETag transition from compact index client #​7677

Deprecations:

• Cancel bundle console deprecation #​8218
• Warn when platform of installed gem differs from platform in the lockfile #​8029
• Cancel deprecation of Gemfiles without a global source #​8213

Features:

• Add a lockfile_checksums configuration to include checksums in fresh lockfiles #​8219
• Add bundle lock --add-checksums to add checksums to an existing lockfile #​8214

Performance:

• Enable a couple of performance cops #​8261
• Remove override of worker jobs for bundle install --local #​8248

Enhancements:

• Support bundle exec <relative-path-to-script> when Kernel.exec is used under the hood #​8294
• Improve working with different rubies using the same lockfile #​8251
• Define a few inspect methods to help debugging #​8266
• Include original error when openssl fails to load #​8232
• Automatically fix lockfile when it's missing dependencies #​8103
• Fix some JRuby warnings when using bundler/setup with Ruby's -w flag #​8205
• Add a --normalize-platforms flag to bundle lock #​7896
• Add plugin hooks for Bundler.require #​3439

Bug fixes:

• Fix restarting with locked version when $PROGRAM_NAME has been changed #​8320
• Restore the previous cache format for git sources #​8296
• Fix installs of subdependencies of unlocked dependencies to be conservative #​8281
• Fix test task name on generated readme when using test-unit #​8291
• Fix bundle exec executable detection on windows #​8276
• Fix bundle remove sometimes not removing gems #​8278
• Fix issue with git gems locking incorrect specs sometimes #​8269

Documentation:

• Normalize command flag documentation and make sure all flags are documented #​8313
• Add missing man pages for bundle env and bundle licenses #​8315
• Add man page for 'bundle issue' command #​8271
• Add man page for 'bundle fund' command #​8258
• Move pry-related contents to debugging.md #​8263
• Add debugging instruction on Windows #​8236
• Unify rubygems and bundler docs directory #​8159

v2.5.23

Compare Source

Enhancements:

• Add useful error message for plugin load #​7639
• Indent github workflow steps for generated gems #​8193
• Improve several permission errors #​8168
• Add bundle add --quiet option #​8157

Bug fixes:

• Fix incompatible encodings error when paths with UTF-8 characters are involved #​8196
• Update --ext=rust to support compiling the native extension from source #​7610
• Print a proper error when there's a previous empty installation path with bad permissions #​8169
• Fix running bundler (with a final r) in a bundle exec context #​8165
• Handle two gemspec usages in same Gemfile with same dep and compatible requirements #​7999
• Fix bundle check sometimes locking gems under the wrong source #​8148

Documentation:

• Remove confusing bundle config documentation #​8177
• Rename bundler inline's install parameter and clarify docs #​8170
• Clarify bundle install --quiet documentation #​8163

v2.5.22

Compare Source

Enhancements:

• Update vendored uri and net-http #​8112

Bug fixes:

• Fix bundler sometimes crashing because of trying to use a version of psych compiled for a different Ruby #​8104

v2.5.21

Compare Source

Bug fixes:

• Fix bug report template printed when changing a path source to a git source in frozen mode #​8079
• Fix stub.activated? sometimes returning false after activation under bundler #​8073
• Fix old cache format detection when application is not source controlled #​8076
• Fix bundler/inline resetting ENV changes #​8059

v2.5.20

Compare Source

Enhancements:

• Don't try to auto-install dev versions of Bundler not available remotely #​8045
• Don't try to install locked bundler when --local is passed #​8041

Bug fixes:

• Fix bundler/inline overwriting lockfiles #​8055
• Ensure refs directory in cached git source #​8047
• Fix bundle outdated with --group option #​8052

v2.5.19

Compare Source

Enhancements:

• Raise original errors when unexpected errors happen during Gemfile evaluation #​8003
• Make an exe file executable when generating new gems #​8020
• Gracefully handle gem activation conflicts in inline mode #​5535
• Don't include hook templates in cached git source #​8013
• Fix some errors about a previous installation folder that's unsafe to remove, when there's no need to remove it #​7985
• Emit progress to stderr during bundle outdated --parseable #​7966
• Reject unknown platforms when running bundle lock --add-platform #​7967
• Emit progress to stderr when --print is passed to bundle lock #​7957

Bug fixes:

• Fix bundle install --local hitting the network when default gems are included #​8027
• Remove temporary .lock files unintentionally left around by gem installer #​8022
• Fix bundle exec rake install failing when local gem has extensions #​7977
• Load gemspecs in the context of its parent also when using local overrides #​7993
• Fix bundler/inline failing in Ruby 3.2 due to conflicting securerandom versions #​7984
• Don't blow up when explicit version is removed from some git sources #​7973
• Fix gem exec rails new project failing on Ruby 3.2 #​7960

Documentation:

• Improve bundle add man page #​5903
• Add some documentation about backwards compatibility #​7964

v2.5.18

Compare Source

Enhancements:

• Don't remove existing platform gems when PLATFORMS section is badly indented #​7916

Bug fixes:

• Fix error message when Bundler refuses to install due to frozen being set without a lockfile #​7955
• Fix several issues with the --prefer-local flag #​7951
• Restore support for passing relative paths to git: sources #​7950
• Regenerate previous git application caches that didn't include bare repos #​7926
• Fix bundle update <indirect_dep> failing to upgrade when versions present in two different sources #​7915

Documentation:

• Change new gem README template to have copyable code blocks #​7935

v2.5.17

Compare Source

Enhancements:

• Print better log message when current platform is not present in the lockfile #​7891
• Explicitly encode Gem::Dependency to yaml #​7867
• Enable lockfile checksums on future Bundler 3 when there's no previous lockfile #​7805

Bug fixes:

• Fix truffleruby removing gems from lockfile #​7795
• Fix bundle check exit code when gem git source is not checked out #​7894
• Generate gems.rb from Gemfile.tt template for bundle-gem #​7853
• Fix git source cache being used as the install location #​4469
• Fix bundle exec gem uninstall #​7886

v2.5.16

Compare Source

Bug fixes:

• Fix platform removal regression when platforms: used in the Gemfile #​7864
• Fix standalone script when default gems with extensions are used #​7870
• Fix another case of bundle lock --add-platform doing nothing #​7848
• Fix bad error messages when using bundle add with frozen mode set #​7845
• Fix generic platform gems getting incorrectly removed from lockfile #​7833

Performance:

• Use caller_locations instead of splitting caller #​7708

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.