Bundler: A more secure bundler: We fixed our source priorities.

Last week an article about “Dependency Confusion” hit the news, where a developer was able to make thousands of dollars on bug bounty programs from big tech companies, by pushing libraries to public repositories that ended up unintentionally being installed into these companies servers.The developer was able to expose (in a non-malicious way) a vulnerability present in well-known dependency managers, where given a library name they will end up preferring installing it from a public source rather than from a private source. This is not secure because the name in the public source is controlled by the first person claiming it, whereas the name in the private source is controlled by the private source owner.Unfortunately, Bundler had this vulnerability.