We introduced breaking changes in RubyGems/Bundler 4 in order to improve usability, security, and maintainability of the tool.

I’ve upgraded a few projects and not noticed any issues so far. Restoring the default command to be install is nice for my muscle memory locally, but elsewhere, like in a Dockerfile, I already use bundle install explicitly.

And while new lockfiles include checksums by default, you have to manually add them to existing lockfiles via bundle lock --add-checksums.

I found the problem and it’s really bad. Looking at your log, here’s the catastrophic command that was run: rm -rf tests/ patches/ plan/ ~/

Not that it’s a foolproof solution, but I’ve aliased rm to a trash command for almost ten years now to move files to the trash instead of deleting them. A trash command is built into macOS Sequoia and newer.

The one downside is the command doesn’t support the -f or -r arguments, so it often causes issues with Claude Code. Sometimes it’ll switch to using rmdir, so I’m also aliasing that now.

I’m not sure how much moving the home directory to the trash would have helped, since the trash command does completely remove files and directories prefixed with a period.