Why are so many Gems yanked and what do you do about dependencies?

Question

I've run into a situation today where a gem in use in an app I'm maintaining was yanked.

I hadn't seen a yanked gem before, though I had heard of it, and thought it was a bad practice.

I've tried updating the gems, but the app starts failing when using previous or older versions.

Seeing as gems are freely hosted, and possibly in use by applications, what is the logic in yanking them? How do you manage gems that have been yanked?

Answer 1

For each gem you decide to use on your project you should have an ideia of an alternative (either another gem or an implementation of your own). I see people using gem compulsively without caring less about its quality, author, update frequency. It is dangerous to be blindly depending on one gem and the decision to add another line to the Gemfile should not be taken lightly.

Regarding yanked gems, if even the authors remove the gems from the interwebz you probably should be thinking about doing the same with it on your project. That or if you really love the gem, host a fork, give credits and keep evolving it. :)

Answer 2

Rubygem's doc suggests that yanking is here to :

• fix accidental pushes of incomplete versions
• prevent users from cluelessly pulling a gem that has known security issues

I never had to manage such a case, but I see three options :

• upgrade the gem if a later version exists
• download the gem (the doc says the gem is still available for download, unless it has been entirely removed after a discussion process for good reasons) and point to the local version in your gemfile
• refactor your code around another gem or custom code

All in all, it seems that yanking a gem is an extreme measure always made for good reasons, so you should prefer upgrading / refactoring over sticking with a potentially dangerous or deprecated gem... I guess.