From a script to a gem

So, I’m gonna start from this ruby script quickly hacked up and pasted in a gist :).

Create a .gemspec, e.g. safe-bundle-update.gemspec:

Gem::Specification.new do |s|
  s.name        = 'safe-bundle-update'
  s.version     = '0.0.1'
  s.date        = '2017-02-28'
  s.summary     = 'Update gems one by one, running tests and commiting changes'
  s.description = '`bundle update` updates all your gems, this safely updates yours gems one by one'
  s.authors     = ['Dorian Marié']
  s.email       = '[email protected]'
  s.files       = ['lib/safe-bundle-update.rb', 'bin/safe-bundle-update']
  # Needed so `gem install` puts bin/safe-bundle-update on the PATH
  s.executables = ['safe-bundle-update']
  s.homepage    = ''
  s.license     = 'MIT'
end

Make some lib/safe-bundle-update.rb with just enough to make it work (short version):

class SafeBundleUpdate
  # Short version: just echo the commands that were passed in
  def self.start(*commands)
    puts commands.join(' ')
  end
end

Make a bin directory with your executable script:

mkdir bin
touch bin/safe-bundle-update
chmod +x bin/safe-bundle-update

Use your gem in this executable:

#!/usr/bin/env ruby

require 'safe-bundle-update'

# Pass the command-line arguments (e.g. "echo 1") to the gem
SafeBundleUpdate.start(*ARGV)

Some manual testing for now:

cp Gemfile.lock.old Gemfile.lock; bundle install; ruby -Ilib bin/safe-bundle-update "echo 1"

Some actual testing :) :

# Rakefile
require 'rake/testtask'

# Picks up test/test*.rb by default
Rake::TestTask.new do |t|
  t.libs << 'test'
end

desc 'Run tests'
task default: :test

# test/test_safe-bundle-update.rb

require 'minitest/autorun'
require 'safe-bundle-update'

class SafeBundleUpdateTest < Minitest::Test
  def test_empty
    # `puts` returns nil, so the short version of start returns nil
    assert_nil(SafeBundleUpdate.start("echo 1"))
  end
end

And then rake to run it.

Pushing that to rubygems:

gem build safe-bundle-update.gemspec
gem install safe-bundle-update-0.0.1.gem
gem push safe-bundle-update-0.0.1.gem

And that’s it:


The story behind safe-bundle-update


So, I’m there with my Rails app, a lot of gems are outdated (like ~50% of them) and of course everybody on the internet is like: “Just run bundle install you fool”. Except that running bundle install updates every single outdated gem and breaks my build in many ways. And I’m not the kind of person who wants to keep outdated fixed versions around.

So, why not just update the gems one by one:

Sounds simple right? And yes it works very well.
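The one-by-one loop described above, as an added example (this is not the gem's own code). It assumes Gemfile.lock is tracked in git and that `bundle outdated --parseable` lists one gem per line; `safe_update`, `outdated_gems`, `SHELL_RUNNER` and the sample output are names and data made up for this illustration.

```ruby
require 'open3'

# Constructed sample of `bundle outdated --parseable` output (not from the page).
SAMPLE_OUTDATED = <<~OUT
  rack (newest 2.0.1, installed 1.6.4)
  rails (newest 5.0.1, installed 4.2.7, requested ~> 4.2)
OUT

# Default runner. An Array is executed without a shell, so a gem name can never
# be interpreted as shell syntax; only the user's own test command is a String.
SHELL_RUNNER = lambda do |command|
  output, status = Open3.capture2e(*Array(command))
  [output, status.success?]
end

# Extract gem names, accepting only characters valid in a gem name.
def outdated_gems(listing)
  listing.lines.map { |line| line[/\A([A-Za-z0-9_.-]+) \(newest /, 1] }.compact
end

# Update each outdated gem alone; commit the lockfile if the tests pass,
# otherwise restore the previous lockfile and reinstall from it.
def safe_update(test_command, runner: SHELL_RUNNER)
  result = { updated: [], reverted: [] }
  # `bundle outdated` exits non-zero when gems are outdated, so ignore status.
  listing, = runner.call(%w[bundle outdated --parseable])
  outdated_gems(listing).each do |name|
    _, updated = runner.call(['bundle', 'update', name])
    _, passed = runner.call(test_command) if updated
    if passed
      runner.call(['git', 'commit', '-m', "Update #{name}", 'Gemfile.lock'])
      result[:updated] << name
    else
      runner.call(%w[git checkout -- Gemfile.lock])
      runner.call(%w[bundle install])
      result[:reverted] << name
    end
  end
  result
end
```

Each update lands in its own commit, so a dependency change that later turns out to be a problem can be traced to and reverted as a single gem bump.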

So I hacked together a small script I called safe-bundle-install, and it worked well:

safe updating gems

Then this happens:

rake task?

So, let’s do something even better, an open-source gem ;)

List of affected Cloudbleed domains

if ( ++p == pe ) // ☁️ 💔

Technically any Cloudflare-controlled domain could be affected but those are the ones that had public leaked data even after the disclosure:

Found in the wild: 29

Found in the wild by other people: 1


Sources’ sources

Sweet karma


Verified commits

verified commit
gpg tools
gpg tools - change password
