The ‘mimemagic’ rubygem recently yanked (unpublished) several versions last week. Versions 0.3.3, 0.3.4, 0.3.5, 0.3.6 and 0.4.0 were yanked as a result of a licensing issue which affected “millions of projects”.
Our Nexus Repository Manager v3 will not provide us these versions, although we have them in our nexus proxy. We can download them manually via the Nexus Repository UI but that is insufficient. The most important reason for us using the Nexus Repository is exactly for this use case: yanked rubygems would not interrupt CI/CD.
I tried several settings on the nexus ruby-gems-org repository proxy configuration, even blocked outbound connections to rubygems.org, but nothing allowed me to download the yanked gem versions even though nexus has them. Maybe nexus checks a cached spec index, which may or may not include metadata of the yanked versions, and that ultimately prevents it. We would consider this a bug.
gem install mimemagic --version 0.3.5 --verbose
HEAD https://[REMOVED]/repository/all-gems/api/v1/dependencies
200 OK
GET https://[REMOVED]/repository/all-gems/api/v1/dependencies?gems=mimemagic
200 OK
ERROR: Could not find a valid gem 'mimemagic' (= 0.3.5) in any repository
GET https://[REMOVED]/repository/all-gems/latest_specs.4.8.gz
304 Not Modified
ERROR: Possible alternatives: mimemagic
Has anyone else experienced this or have it working?