rubygems
Safeguard articles tagged "rubygems" — guides, analysis, and best practices for software supply chain and application security.
24 articles
Bundler dependency resolution and safe Gemfile upgrade strategies
In May 2026 RubyGems suspended new signups after attackers mass-created accounts to flood the registry with malicious gems. Here's how Bundler actually resolves risk.
Better Ruby Gemfile security: a step-by-step guide
A step-by-step guide to auditing your Gemfile.lock, spotting RubyGems supply chain attacks, and locking down Ruby dependencies before they ship.
RubyGems and Bundler's Cooldown Discussion: Soak Windows as a First-Class Defender Policy
After the 2025 supply-chain waves, the ruby/rubygems community opened Discussion #9113 to evaluate a built-in cooldown feature for bundle update. Here is the defender argument and how to implement it today.
RubyGems Suspends New Signups After a 500-Package Malicious Flood (May 2026)
On 12-13 May 2026, RubyGems was hit by a coordinated spam-publishing flood that pushed 500+ malicious packages from newly-registered bot accounts. The registry paused new signups and re-enabled them on 16 May after tightening rate limiting with Fastly.
Ruby Gems Security: Signing, Yanking and Trusted Publishing
Gem signing never took off, yanking is weaker than people assume, and trusted publishing finally fixes the credential problem. What to actually rely on in a Ruby pipeline.
Reachability Analysis for Ruby and RubyGems in 2026
Ruby reachability under metaprogramming, Rails autoloading, and Bundler groups. What bundler-audit and modern tools handle, and where they punt to over-approximation.
Ruby Security Explained
Ruby security in one place: the 2019 rest-client hijack, CVE-2022-32224's RCE, RubyGems' MFA mandate, and 2025's credential-stealing gem campaign.
Case study: RubyGems account takeover incidents and their...
A look at real RubyGems account takeover incidents, including the rest-client hijack, and what they reveal about Ruby supply chain risk.
RubyGems 2019 Multi-CVE Disclosure: Directory Traversal v...
CVE-2019-8320 let malicious RubyGems packages delete arbitrary directories via symlinked gem decompression. Here's the impact, timeline, and how to remediate it.
RubyGems Escape Sequence Injection via Gem Name Output (C...
A look at CVE-2019-8321, the RubyGems escape sequence injection flaw in gem CLI output: affected versions, severity, and how to remediate it.
RubyGems Escape Sequence Injection via Crafted API Respon...
CVE-2019-8322 is a RubyGems flaw where crafted API responses could inject terminal escape sequences, spoofing gem output. Here's what to know and how to fix it.
RubyGems Escape Sequence Injection in Gem Owner Command (...
CVE-2019-8323 shows how RubyGems' gem owner command echoed unsanitized API response data to the terminal, enabling escape sequence injection attacks.