ruby
Safeguard articles tagged "ruby" — guides, analysis, and best practices for software supply chain and application security.
24 articles
Securing Your Ruby Dev Environment on macOS: rbenv, rvm, and Checksums
60 malicious RubyGems downloaded ~275,000 times went undetected for years — here's how to actually verify what rbenv or rvm installs on your Mac.
Bundler dependency resolution and safe Gemfile upgrade strategies
In May 2026 RubyGems suspended new signups after attackers mass-created accounts to flood the registry with malicious gems. Here's how Bundler actually resolves risk.
How malicious Gemfile.lock entries redirect Ruby installs to attacker servers
A single unreviewed remote: line in Gemfile.lock can silently reroute a bundle install — here's how Ruby lockfile injection works and how to stop it.
Auditing RubyGems Dependencies with bundler-audit
bundler-audit checks your Gemfile.lock against the ruby-advisory-db and flags insecure gem sources. Here is how to run it in Ruby and Rails projects — and beyond.
RubyGems Suspends New Signups After a 500-Package Malicious Flood (May 2026)
On 12-13 May 2026, RubyGems was hit by a coordinated spam-publishing flood that pushed 500+ malicious packages from newly-registered bot accounts. The registry paused new signups and re-enabled them on 16 May after tightening rate limiting with Fastly.
Ruby Gems Security: Signing, Yanking and Trusted Publishing
Gem signing never took off, yanking is weaker than people assume, and trusted publishing finally fixes the credential problem. What to actually rely on in a Ruby pipeline.
Reachability Analysis for Ruby and RubyGems in 2026
Ruby reachability under metaprogramming, Rails autoloading, and Bundler groups. What bundler-audit and modern tools handle, and where they punt to over-approximation.
RubyGems 2019 Multi-CVE Disclosure: Directory Traversal v...
CVE-2019-8320 let malicious RubyGems packages delete arbitrary directories via symlinked gem decompression. Here's the impact, timeline, and how to remediate it.
RubyGems Escape Sequence Injection in Gem Owner Command (...
CVE-2019-8323 shows how RubyGems' gem owner command echoed unsanitized API response data to the terminal, enabling escape sequence injection attacks.
RubyGems Malicious Gem Arbitrary Code Execution via Missi...
CVE-2019-8324 let a malicious RubyGems package run arbitrary code at install time via a crafted multi-line gem name evaluated during the preinstall check.
SQL Injection Prevention in Ruby with exec_params Binding
Ruby's pg gem makes SQL injection preventable with one method change. Here's how exec_params binds parameters, why Rails CVEs keep recurring, and how to migrate safely.
Path Traversal Prevention in Ruby with File.realpath
How File.realpath stops path traversal in Ruby apps, why File.expand_path alone fails, and what real CVEs like Sprockets' CVE-2018-3760 reveal about secure file handling.