UPDATE: Fix Released for RubyGems Dependencies API Removal
With Sonatype Nexus Repository 3.53.0, we provide important updates to ensure those using RubyGems repositories will not encounter errors. If you are using RubyGems, you must upgrade to Sonatype Nexus Repository 3.53.0 by May 10 to avoid encountering errors caused by the dependency API deprecation.
----------------------------------------------------------------------------------------------
We are reaching out to let you know about a change made by RubyGems.org that could affect Nexus Repository customers.
If you’re a Nexus Repository customer who has configured a proxy repository to access RubyGems.org, you may experience dependency download (and, therefore, build) failures due to the planned deprecation of the RubyGems.org dependency API.
Leading up to the deprecation of the RubyGems.org dependency API on May 10, 2023, 24-hour API brownouts are scheduled on April 17th & 24th and May 1st, 3rd, & 5th, resulting in potential build failures for gem clients.
Possible Mitigations When Proxying rubygems.org After the Dependencies API Has Been Removed
- Configure RubyGems clients with sources that are hosted or proxy repositories only, instead of a group repository.
- At the reverse proxy level, make all inbound requests to Nexus RubyGems group repositories (not hosted or proxy) at paths matching /repository/REPLACE_WITH_YOUR_GROUP_REPO_NAME/api/v1/dependencies/.* return a 404 Not Found instead of a 200 response. This will trigger the bundler client to try an alternate, slower mechanism to retrieve the same information.
- Add to the bundler client an additional source pointing at the Nexus Repository proxy repository whose remote is https://rubygems.org. When the client accesses the proxy repository directly, it returns a 404, which triggers different client behaviour.
- Explicitly give bundler install the --full-index option.
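The reverse-proxy mitigation above, written as an nginx configuration; this is an added example, not Sonatype's own configuration. It assumes nginx is the reverse proxy, Nexus Repository listens on 127.0.0.1:8081, and the group repository is named rubygems-group (standing in for REPLACE_WITH_YOUR_GROUP_REPO_NAME); the hostname and certificate paths are constructed.

```nginx
# Added example (assumed setup): nginx terminating TLS in front of Nexus Repository.
# "rubygems-group" is a placeholder for REPLACE_WITH_YOUR_GROUP_REPO_NAME.
server {
    listen 443 ssl;
    server_name nexus.example.internal;             # constructed hostname
    ssl_certificate     /etc/nginx/tls/nexus.crt;   # constructed paths
    ssl_certificate_key /etc/nginx/tls/nexus.key;

    # Dependencies API on the GROUP repository only: answer 404 instead of
    # passing the request to Nexus, so the bundler client falls back to its
    # alternate mechanism. Regex locations are matched against the path
    # without the query string, so the bare path and anything under it are
    # both covered. Hosted and proxy repository paths do not match.
    location ~ ^/repository/rubygems-group/api/v1/dependencies(/.*)?$ {
        return 404;
    }

    # Everything else goes to Nexus unchanged.
    location / {
        proxy_pass http://127.0.0.1:8081;           # assumed Nexus address
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check the file with `nginx -t` before reloading, then confirm that a request to the group repository's dependencies path returns 404 while the same path on a hosted or proxy repository still reaches Nexus.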
This public JIRA ticket contains additional mitigation ideas from Nexus Repository customers, which may be useful to some users.
Is there a permanent fix?
Sonatype is working diligently on a permanent fix to help mitigate this change for our Nexus Repository customers. Obtaining the fix will require upgrading to the latest version of Nexus Repository 3 containing the fix—3.53.0—which is currently targeted to be delivered by May 2, 2023.
This situation is subject to change; as we learn more, we encourage you to stay updated on suggested mitigation steps and developments by following this community post.