please remove the active_support gem

Posted by Matt Aimonetti on 07 Feb, 2013 04:31 AM

active_support is a metagem that is meant for people who mistype the activesupport gem.

There are a few problems with this gem:

  • The gem isn't maintained so it points to an ancient version of activesupport 3.0.0
  • The gem could contain evil code and users could run this code without realizing it
  • The gem has almost 120k downloads

For security reasons and for a better user experience I would recommend removing this gem. I would also suggest setting up some sort of redirect or message when users try to install the gem with the typo in it (I do realize it probably would mean opening a can of worms, but AS is one of Ruby's most popular gems so maybe it can be treated as an exception).


  • Matt
  1. Posted by Eric Hodel (Support Staff) on 07 Feb, 2013 04:41 AM

    I've added mkristian who pushed this gem to this discussion.

    We have not yanked a gem for these reasons before so I don't want to discuss this properly.

    Modern RubyGems suggests other names when you typo so we don't need to worry about redirects for gem install.

    Since we now have typo suggestions in RubyGems I think the reasons for releasing this gem are no longer valid.

    I'm concerned that active_support is confusingly similar to activesupport. It infringes on the real gem's namespace.

    I'm concerned that the gem is unmaintained. I don't think a maintained version is particularly better, especially when the real gem is very popular (near 20 million downloads, near 800k for its current version) and a security release in activesupport could cause users to be out of date, even if only by a few critical hours.

    I think this gem should be removed.

  2. Posted by Matt Aimonetti on 07 Feb, 2013 05:24 AM

    Someone pointed out that GitHub is full of projects, probably mistakenly referencing this gem:

    21,418 code references as of right now and with some really recent commits

  3. Posted by me on 07 Feb, 2013 11:15 AM

    Just thought I'd jump in and point out that is very similar in goal.

  4. Posted by kristian on 07 Feb, 2013 12:31 PM

    Since my reply over the webgui did not reach: the reason for me to add that "redirect" gem was that depends on it. For maven to install rails_config without explicit version works only if the dependencies can be resolved.

    By now there is a way to mark gems as broken for the or so from my side to yank active_support is no problem. Actually I will do it unless there are some objections here in this discussion.

  5. Posted by Matt Aimonetti on 07 Feb, 2013 05:04 PM

    Kristian, thanks for the quick response.

    My guess is that in most cases, the authors would agree to remove the gem since we now have typo suggestions. However, should we blacklist some gem names so potential attackers wouldn't use common typos to potentially make users' machines vulnerable?

  6. Posted by Christian Meier on 17 Aug, 2015 08:41 PM

    The gem got yanked a while ago: <>

    Not sure what else I can do to improve the situation.

  7. Posted by Nick Quaranto (Support Staff) on 18 Aug, 2015 02:08 PM

    We're working on a set of policies that hopefully will deal with "typo" gems that sound like or are close to the real gem names. More on that soon at the rubygems mailing lists/blog. Marking this one as closed for now.

  8. Nick Quaranto closed this discussion on 18 Aug, 2015 02:08 PM.
