Safeguard
Tag

ruby

Safeguard articles tagged "ruby" — guides, analysis, and best practices for software supply chain and application security.

24 articles

Best Practices

Securing Your Ruby Dev Environment on macOS: rbenv, rvm, and Checksums

60 malicious RubyGems downloaded ~275,000 times went undetected for years — here's how to actually verify what rbenv or rvm installs on your Mac.

Jul 13, 20265 min read
Open Source Security

Bundler dependency resolution and safe Gemfile upgrade strategies

In May 2026 RubyGems suspended new signups after attackers mass-created accounts to flood the registry with malicious gems. Here's how Bundler actually resolves risk.

Jul 11, 20266 min read
Supply Chain Attacks

How malicious Gemfile.lock entries redirect Ruby installs to attacker servers

A single unreviewed remote: line in Gemfile.lock can silently reroute a bundle install — here's how Ruby lockfile injection works and how to stop it.

Jul 11, 20266 min read
Security Guides

Auditing RubyGems Dependencies with bundler-audit

bundler-audit checks your Gemfile.lock against the ruby-advisory-db and flags insecure gem sources. Here is how to run it in Ruby and Rails projects — and beyond.

Jul 6, 20265 min read
Supply Chain Attacks

RubyGems Suspends New Signups After a 500-Package Malicious Flood (May 2026)

On 12-13 May 2026, RubyGems was hit by a coordinated spam-publishing flood that pushed 500+ malicious packages from newly-registered bot accounts. The registry paused new signups and re-enabled them on 16 May after tightening rate limiting with Fastly.

May 14, 20269 min read
Engineering

Ruby Gems Security: Signing, Yanking and Trusted Publishing

Gem signing never took off, yanking is weaker than people assume, and trusted publishing finally fixes the credential problem. What to actually rely on in a Ruby pipeline.

Mar 20, 20266 min read
Application Security

Reachability Analysis for Ruby and RubyGems in 2026

Ruby reachability under metaprogramming, Rails autoloading, and Bundler groups. What bundler-audit and modern tools handle, and where they punt to over-approximation.

Mar 19, 20265 min read
Open Source Security

RubyGems 2019 Multi-CVE Disclosure: Directory Traversal v...

CVE-2019-8320 let malicious RubyGems packages delete arbitrary directories via symlinked gem decompression. Here's the impact, timeline, and how to remediate it.

Dec 5, 20258 min read
Open Source Security

RubyGems Escape Sequence Injection in Gem Owner Command (...

CVE-2019-8323 shows how RubyGems' gem owner command echoed unsanitized API response data to the terminal, enabling escape sequence injection attacks.

Dec 4, 20257 min read
Open Source Security

RubyGems Malicious Gem Arbitrary Code Execution via Missi...

CVE-2019-8324 let a malicious RubyGems package run arbitrary code at install time via a crafted multi-line gem name evaluated during the preinstall check.

Dec 4, 20257 min read
Industry Analysis

SQL Injection Prevention in Ruby with exec_params Binding

Ruby's pg gem makes SQL injection preventable with one method change. Here's how exec_params binds parameters, why Rails CVEs keep recurring, and how to migrate safely.

Oct 26, 20257 min read
Industry Analysis

Path Traversal Prevention in Ruby with File.realpath

How File.realpath stops path traversal in Ruby apps, why File.expand_path alone fails, and what real CVEs like Sprockets' CVE-2018-3760 reveal about secure file handling.

Oct 23, 20258 min read
ruby — Safeguard Blog