
RubyGems: Use of --source should not fallback to other sources#9627

Open
williantenfen wants to merge 1 commit into
ruby:masterfrom
williantenfen:install-source-no-fallback

Conversation

@williantenfen williantenfen commented Jun 16, 2026

Contributor

What was the end-user or developer problem that led to this PR?

--source is only appended to the source list, so if the requested source is
unreachable or doesn't carry the gem, gem install silently falls back to the
default sources and installs from there with a success exit code:

$ gem install paint --source https://example.com/
WARNING:  Unable to pull data from 'https://example.com/': Bad response Not Found 404
Successfully installed paint-2.3.0     # ← from rubygems.org, not the requested source

This is a source-substitution / dependency-confusion risk: if a private gem shares
a name with a public one, an attacker squatting that name can have their code
installed whenever the private source is down (flagged as "technically a security
issue" in the original report).

Refs #2313

What is your fix for the problem, implemented in this PR?

Gems named on the command line are now resolved only from the explicitly requested
--source(s), failing if not found there. Their dependencies still resolve from
all configured sources, so private gems that depend on public ones keep working.

--source records its URLs in options[:sources], which are passed to the resolver
as explicit_sources; InstallerSet#add_always_install then resolves the named
gems against a set built only from those sources, leaving dependency resolution
untouched.

The thread also suggested phasing this in via a deprecation warning first — happy to
do that instead if preferred.

Make sure the following tasks are checked

  • Describe the problem / feature
  • Write tests for features and bug fixes
  • Write code to solve the problem
  • Make sure you follow the current code style and write meaningful commit messages without tags

When `--source` is passed to `gem install`, the gems named on the command
line are now resolved exclusively from the explicitly requested sources
instead of silently falling back to the default sources. Their
dependencies may still come from the default sources.

Previously, an explicit `--source` was merely appended to the source
list, so a private or broken source would silently fall back to
rubygems.org and could install an unexpected gem of the same name.

Co-authored-by: Cursor <cursoragent@cursor.com>
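The old and new behaviours described above, as an added toy model (constructed for this page, not RubyGems' own resolver; the source hashes, gem names, versions and the "first source carrying the gem wins" rule are assumptions that mirror the `paint` example in the report):

```ruby
# Toy model of gem resolution (constructed for this example; not RubyGems code).
# A source is a hash: url, whether it is reachable, and specs (name => {version:, deps:}).
PUBLIC_SOURCE = {
  url: 'https://rubygems.org',
  up: true,
  specs: { 'paint' => { version: '2.3.0', deps: [] },        # public gem with the same name
           'rake'  => { version: '13.0.0', deps: [] } }
}
PRIVATE_SOURCE = {
  url: 'https://example.com/',
  up: true,
  specs: { 'paint' => { version: '1.0.0', deps: ['rake'] } } # private gem depending on a public one
}

# Returns a spec for `name` from `source`, or nil if the source is unreachable
# or does not carry the gem (an unreachable source behaves like the 404 in the report).
def fetch_spec(source, name)
  return nil unless source[:up]
  spec = source[:specs][name]
  spec && { name: name, version: spec[:version], deps: spec[:deps], from: source[:url] }
end

# Walks the dependency graph: gems named on the command line are looked up in
# `named_sources`, their dependencies in `dep_sources`. First source carrying the gem wins.
def resolve(requested, named_sources, dep_sources)
  resolved = {}
  queue = requested.map { |name| [name, named_sources] }
  until queue.empty?
    name, sources = queue.shift
    next if resolved.key?(name)
    spec = sources.map { |s| fetch_spec(s, name) }.compact.first
    raise "Could not find gem '#{name}' in #{sources.map { |s| s[:url] }.join(', ')}" unless spec
    resolved[name] = spec
    spec[:deps].each { |dep| queue << [dep, dep_sources] }
  end
  resolved
end

# Old behaviour: --source is merely appended, so named gems fall back to the defaults too.
def resolve_old(requested, explicit_sources, default_sources)
  all = explicit_sources + default_sources
  resolve(requested, all, all)
end

# Behaviour described in the PR: named gems only from the explicit sources,
# dependencies from everything configured.
def resolve_new(requested, explicit_sources, default_sources)
  resolve(requested, explicit_sources, explicit_sources + default_sources)
end
```

With the private source down, `resolve_old` quietly returns `paint` 2.3.0 from rubygems.org while `resolve_new` raises; with it up, `resolve_new` takes `paint` from the private source and its `rake` dependency from the public one.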
@williantenfen williantenfen force-pushed the install-source-no-fallback branch from 8592736 to 9aa5cf2 on June 16, 2026 20:43
@williantenfen williantenfen changed the title from "Resolve gems named on the command line only from --source" to "rubyGems: Use of --source should not fallback to other sources" on Jun 16, 2026
@williantenfen williantenfen marked this pull request as ready for review on June 16, 2026 21:23
@hsbt hsbt changed the title from "rubyGems: Use of --source should not fallback to other sources" to "RubyGems: Use of --source should not fallback to other sources" on Jun 16, 2026