Removing an accidentally pushed gem

Here are the steps you should follow when you have accidentally pushed a gem with passwords or other private content.

  1. Yank the gem using gem yank which will prevent installs using gem install. The gem will still be downloadable using the download link on rubygems.org.

  2. If the gem contained passwords, or private keys immediately change them. Due to webhooks on rubygems.org your gem has already been downloaded by third parties.

  3. Create a private removal request using the start discussion form.

  4. Add the allowed_push_host metadata to your gemspec so future gems cannot be pushed to rubygems.org by mistake.

Note that it make take some time to remove your gem entirely from rubygems.org

Recent Discussions

23 Oct, 2014 05:37 PM
21 Oct, 2014 10:47 AM
18 Oct, 2014 08:39 PM
16 Oct, 2014 12:41 PM
06 Oct, 2014 02:30 PM