Docs header transparent bg

What's New in each Release

What's New in v1.7

Bundler 1.7 is a security release, addressing a vulnerability where a gem might be installed from an unintended source server. The changes are limited to fixes for this vulnerability. Full 1.7 changelog


Bundler has always supported fetching gems from multiple gem servers, but it isn't always clear what gems come from what source. Complicating this, Bundler has not been consistent about source priority ordering from one version to another.

Because of this, a Gemfile with multiple top-level source lines cannot reliably control the gem server that a particular gem is fetched from. This might result in installation of gem code from an unexpected source.

Applications that only have a single source in their Gemfile are not affected.

Source Selection

You can explicitly select an alternate RubyGems repository for one or more gems in your Gemfile using the :source option or a source block. Using multiple top-level gem sources is now deprecated.
Learn More: Gemfiles

Ambiguous Source Detection

If a Gemfile does have multiple top-level gem sources, bundle install now warns when a gem is found in more than one source. This is designed to prevent a situation where a gem that is expected to be found on one gem server is "hijacked" by another server. For backwards compatibility, the gem is still installed, but Bundler prints a warning detailing the gem server URL that was used, and listing others where a gem with the same name was found. Using explicit source selection suppresses this warning.

Global Source Ordering

The order that top-level sources are searched is documented as last added to first added, but prior to version 1.7.0, there was not an automated test for this ordering, and it was inadvertently reversed in versions 1.5.0 through 1.6.5. The documented ordering is restored in this version, and is now included in the test suite to prevent regression.


Bundler adheres strictly to semantic versioning, and version 1.7.0 is fully backwards compatible with any Gemfile that worked with earlier versions. If you have an application that uses multiple gem servers in its Gemfile, you may see warnings about ambiguous gem sources after upgrading. Whether or not you see these warnings, the Bundler team highly recommends that users of multiple gem servers update your Gemfile to use the new syntax.
Use of the new source syntax will cause your Gemfile to become incompatible with Bundler versions earlier than 1.7.0. You should only perform this change after updating Bundler in all of your environments.
  1. Choose your primary gem source (usually and keep that at the top of the Gemfile
  2. For each additional gem source, add a block to the source line and move the relevant gem declarations inside it.

    For example, this Gemfile:

    source ''
    source ''
    gem 'rails', '4.1.4'
    gem 'sqlite3'
    gem 'my_gem', '1.0'
    gem 'another_gem', '1.2.1'

    might change to this:

    source ''
    gem 'rails', '4.1.4'
    gem 'sqlite3'
    source '' do
      gem 'my_gem', '1.0'
      gem 'another_gem', '1.2.1'


If you are unable to upgrade all of your environments to 1.7 immediately, there are other ways to mitigate this risk by changing your Gemfile to remove the additional sources:
  • First, re-evaluate whether the extra gem sources are even needed. If your application is using a legacy public gem server such as or, all of your required gems should now be synced to Try removing these sources.
  • If you do use gems that aren't available on, but are available from a git source, you can use the :git option in the gem declaration and it will be guaranteed to come from that git repository rather than a gem server.
  • If neither of these situations apply, you can unpack the gem into your vendor directory and use the :path option when declaring the gem in your Gemfile to point it to the unpacked gem directory. In this case, you should commit the vendored gem to your source control system.
Edit this document on GitHub if you caught an error or noticed something was missing.