Planet Ruby

Lisp's Influence on Ruby

The latest issue of the Awesome Ruby newsletter explores the influence of Lisp on Ruby's design, alongside a curated collection of the week's best Ruby and Rails links, tools, and tutorials.

No Node

Learn how to use Bun's standalone binary to compile Rails assets, eliminating the need to install Node.js and manage multiple version managers for a faster, simpler setup.

Build a Reusable Before/After Image Slider with Stimulus

Learn how to build a simple, reusable Stimulus controller to create an interactive before-and-after image slider. This lightweight solution uses a wrapper, two images, and a draggable slider handle with dynamic clipping.

Build a Reusable Before/After Image Slider with Stimulus

Learn how to build a simple, reusable Stimulus controller to create an interactive before-and-after image slider. Using just a wrapper, two images, and a slider handle, this lightweight solution dynamically clips the images as you drag.

Ruby 4.0 Is Here. Why Is AI Still Writing Ruby 3.0?

Artificial intelligence has become an indispensable tool for Ruby developers, assisting with writing methods, refactoring services, and generating RSpec tests. However, despite the release of Ruby 4.0, AI assistants often remain stuck writing older Ruby 3.0 code.

Meet Thoughtbot at Brighton Ruby 2026

Brighton Ruby 2026 is just two weeks away. Members of the Thoughtbot team will be attending and speaking at the event, offering a great opportunity to connect and discuss Ruby development.

Ruby Weekly #805: 41M Requests/Hour on Rails

This issue of the Ruby Weekly newsletter highlights a progress update on rv, a fast Ruby installer and project manager inspired by Python's uv. It also features a retrospective on scaling Rails to handle a peak load of 41 million requests per hour.

GitLab 19.1 Released

RubyConf 2026 Is Where Ruby's Next Chapter Begins

Ruby Central shifts its focus from past discussions on governance and sustainability toward the future of the community. This upcoming RubyConf aims to kick off a new chapter, centering conversations on what lies ahead for the Ruby ecosystem.

Your JetBrains IDE Expertise, Now on LinkedIn

A collaboration between JetBrains and LinkedIn allows developers to easily showcase their IDE expertise. This integration helps highlight the workflows, debugging skills, and hands-on experience built up using RubyMine and other JetBrains tools directly on professional profiles.

Travis Dockter and Blastoff Rails

In this podcast episode, Travis Dockter discusses the ups and downs of organizing Blastoff Rails, a brand-new Rails conference, and the journey of creating a community event closer to home.

Apps That Make Our Work Go

In this podcast episode, hosts Sally Hall and Aji Slater discuss the productivity apps they use to streamline their workflows and manage task lists. The conversation covers Notion calendar integration, using Jira for personal organization, and the benefits of Alfred for developers with ADHD.

Ingress Is Not the Owner of the Invariant

A response to Brandon Weaver's 'Callbacks Are Not Invariants' article, focusing on ActiveRecord and Rails callbacks. The discussion explores where business invariants should live, arguing that ingress points are not the correct place, using pure ActiveRecord reasoning to make the case.

Help Test the Hanami 3.0 Release Candidate

The release candidate for Hanami 3.0 is feature-complete and ready for testing. Key updates in this major release include built-in i18n support, integrated mailers with SMTP delivery, and a new hanami-minitest gem for first-class Minitest support.

How to Parallelize Your RSpec Test Suite Locally

A guide on setting up local parallel testing in Rails using the turbo_tests gem. Learn how to configure worker-specific databases and automate database preparation to significantly speed up your RSpec test suites.

Verify Faster

An exploration of techniques to speed up test verification and shorten feedback loops. Key improvements include optimizing Docker build caching to reduce startup times and immediately addressing flaky specs rather than deferring them.

Shopify Joins the Ruby Alliance

Shopify has joined the Ruby Alliance, reinforcing its commitment to the ecosystem. As a major player powering millions of businesses, Shopify continues to invest in Ruby's future through engineering leadership and community support.

Build a Workflow-Priority Ticket Queue with Rails' in_order_of Array Grouping

A recent Rails addition allows inorderof to group several values into a single sort position. Learn how to build a support queue that floats active work to the top and sinks finished tickets, all within a single query.

Ideas Are Cheap. But Glass? Not So Much

The second issue of a pop-up newsletter documenting the creation of a stained-glass panel celebrating Ruby. This edition covers the process of choosing glass and draws parallels between stained-glass design and the open-closed principle of software development.

Software as Craft: A First Look at Syntropy

An exploration of software development as a craft, focusing on the satisfaction of the writing process over automation. This post introduces Syntropy, an experimental Ruby web framework designed around these craft-centric principles.

rv: Plan and Progress Update

An update on rv, a next-generation Ruby version and dependency manager. This post recaps the vision of combining Ruby version management with Bundler, installing pre-compiled Rubies, and making it trivial to run any Ruby script or tool.

This Week in Rails: June 12, 2026

A weekly summary of the latest updates, bug fixes, and feature discussions in the Rails codebase.

Small PRs, Big Speedups: The Ruby Performance Work You Almost Missed

The latest issue of the Awesome Ruby newsletter highlights recent small pull requests that bring significant performance improvements to Ruby, alongside a curated selection of the latest community articles, tools, and updates.

The Ruby JRuby Was Built to Run

An exploration of how compiling Rails with Roundhouse benefits JRuby. By removing interpretive layers, the resulting static Ruby becomes highly optimizable for the JVM JIT, yielding a 5 to 6 times performance boost where stock Rails gains at most double.

Building a Quiz with Stimulus

Learn how to build an interactive quiz using Stimulus. The quiz loads questions from a Rails endpoint, tracks answers in real-time, calculates results, and submits them back to the server. It serves as a great starting point for customer onboarding or marketing.

Building a Quiz with Stimulus

A guide to building an interactive quiz using Stimulus. Learn how to load questions from a Rails endpoint, track answers in real-time, calculate results, and submit them back to the server, complete with a structured data class to manage the quiz logic.

GitLab Patch Release: 19.0.2, 18.11.5, and 18.10.8

Finding the Slow Query Killing Your Rails App

A guide on identifying and resolving slow database queries in Rails applications. It explores utilizing AppSignal's Slow Queries feature, event timelines, and other diagnostic tools to improve performance.

JRuby 10.0.6.0 Released

The JRuby community has released version 10.0.6.0, targeting Ruby 3.4 compatibility. This release updates erb to address CVE-2026-41316, updates jruby-openssl to resolve long-standing SSLSocket issues, and improves performance when passing blocks or procs to Java interfaces.

Small PRs, Big Ruby Speedups

Issue 804 of the Ruby Weekly newsletter highlights recent Ruby performance pull requests covering strings, file handling, GC, concurrency, Prism, and JITs. It also covers Ruby Central's newly modernized bylaws and upcoming steering committees.

Strengthening Security for the Ruby Ecosystem: A Team of Security Engineers in Residence

Ruby Central has received a grant from Alpha-Omega to enhance the security of the Ruby open-source ecosystem. This funding supports a team of Security Engineers in Residence dedicated to identifying and resolving vulnerabilities in popular Ruby gems.

RubyConf Austria and the Future of Ruby Conferences

A look back at RubyConf Austria, starting with the Vienna Ruby Meetup and leading into a broader reflection on the current state and future direction of Ruby community conferences.

Expanding Participation in Ruby Central

Following a recent bylaw modernization, the Ruby Central Board is exploring new ways to increase participation across the Ruby ecosystem. The initiative aims to create more opportunities for contributors, community members, and sponsors while maintaining the accountability required to run the non-profit organization.

Tropical on Rails 2026 Highlights

A look at some of the standout talks and highlights from the Tropical on Rails 2026 conference, exploring key takeaways and why this event remains a must-attend for the Rails community.

A Heartfelt Thank You to GitLab: Our Longtime Coffee & Lanyard Sponsor

A warm acknowledgment of GitLab's long-standing support as the coffee and lanyard sponsor for RubyConf. Their contributions help foster the community connections, collaboration, and morning energy that define the conference experience year after year.

Episode 538: A New Host Has Appeared!

In this podcast episode, Rachael interviews the new host of the show, David Hill, to discuss his history with Ruby, his passion for podcasting, and his love for community meetups and conferences.

The Hidden DSL Inside Every Rails Model

An exploration of the internal domain-specific language (DSL) used within Rails models. While developers frequently use macros like belongsto, hasmany, and validates, these are not native Ruby keywords, but rather dynamically evaluated class methods.

RubyGems 4.0.14 Released

The official RubyGems blog announces the release of RubyGems and Bundler 4.0.14. This update introduces security enhancements, such as stripping C1 control characters from displayed gem text, alongside various bug fixes and installer validations.

Passenger 6.1.5

A maintenance release of the Passenger application server that addresses an ABI compatibility break in Ubuntu's Nginx packages. This release contains no other changes.

CVE-2026-47240: Command Injection in Net::IMAP via Non-Synchronizing Literal

A security vulnerability in the net-imap gem allows command injection via raw data arguments. When a server lacks support for non-synchronizing literals, arbitrary IMAP commands can be injected because server capabilities are not verified before sending.

CVE-2026-47241: Net::IMAP Denial of Service via Incomplete Raw Argument Validation

A security advisory for the net-imap gem details a Denial of Service vulnerability (CVE-2026-47241) caused by incomplete validation of raw string arguments. An attacker can exploit this to force commands to hang. Patches are available in versions 0.6.4, 0.5.14, and 0.4.24.

CVE-2026-47242: Net::IMAP Command Injection via ID Command Argument

A security advisory for Net::IMAP detailing a command injection vulnerability (CVE-2026-47242). The #id and #enable commands fail to validate arguments, potentially allowing arbitrary IMAP command injection. Impact is expected to be low, as passing untrusted input to these commands is uncommon.

This Idea Cost Me an Ice Cream

The inaugural episode of Ruby Stained Glass Notes, a pop-up newsletter documenting the creative process of designing and building a physical stained-glass panel to celebrate the Ruby programming language.

Greenfield to MVP in Four Weeks: Agentic Coding on Rails

A look at how a designer and an engineer shipped a production MVP in four weeks using Rails and Inertia. This case study shares their agentic coding stack, the skills they developed, and why the combination clicked.

RubyLLM 1.16: Concurrent Tool Execution, Rails-Style Instrumentation, and api_base for Every Provider

An overview of the RubyLLM 1.16 release, which introduces concurrent tool execution using threads or fibers, observable instrumentation without monkey patching, and proxy support for every native provider via api_base.

How to Leverage PurgeCSS in Your Rails App for Faster Stylesheets

Large Rails applications often ship CSS bloated with unused framework classes. This guide demonstrates how to integrate PurgeCSS into the asset pipeline to strip dead styles and speed up page loads.

How to Leverage PurgeCSS in Your Rails App for Faster Stylesheets

Large Rails applications often ship CSS bloated with unused framework classes. This guide demonstrates how to integrate PurgeCSS into the Rails asset pipeline to strip out dead styles and significantly improve page load times.

Continuations 2026/23: En Fuego

A status update on upcoming open-source Ruby project releases. Preparations are underway for an upcoming release candidate, with significant progress made on final features and testing over the past week.

Ruby’s Ancestor Chain: Why Prepend Cuts the Line

When Ruby receives a method call, it follows a well-defined search path to find the implementation. While inheritance is common knowledge, understanding the complete ancestor chain and how prepend alters it can simplify debugging and clarify how Rails works under the hood.

How I Think About Tests: Skips

An exploration of testing philosophy, focusing on the use of skipped tests in a codebase. Learn when to skip tests, how to manage them, and why they can be a useful tool in a Rails developer's workflow.

JRuby 9.4.15.0 Released

The JRuby community has released JRuby 9.4.15.0, targeting Ruby 3.4 compatibility. This release marks the end-of-life for the JRuby 9.4 series, meaning future 9.4.x updates will only be provided as needed for commercial users. It resolves 38 issues and pull requests.

Protocol-Relative Redirect in OAuth2 Gem Leaks Bearer Authorization

A security advisory for the oauth2 gem. When using OAuth2::Client, a protocol-relative redirect can override the authority of the base URL. This causes the client to re-send the request, leaking the bearer Authorization header to an attacker-controlled host.

Cross-Origin OAuth Token-Request Redirects in oauth Gem Can Expose Signed Request Metadata

A security vulnerability in the oauth gem's OAuth::Consumer#token_request method allows cross-origin signed-request disclosure. When following redirects, the client can re-sign token requests and expose sensitive metadata, including signatures and nonces, to attacker-controlled hosts.

Polling for New Records

While WebSockets are great, they are not always the right approach. This video episode explores how to implement long polling for new records as an alternative to keep your application simple.

Exploring Automatic Buffer Management with io_uring

An update on UringMachine, a Ruby gem for asynchronous I/O using io_uring on Linux. This project, supported by the Ruby Association, provides a low-level API and a Fiber Scheduler implementation to bring high-performance, fiber-concurrent I/O to the Ruby ecosystem.

Beyond Mocked Payloads: End-to-End Stripe Webhook Testing

A guide on using Stripe Test Clocks and the Stripe CLI to run real, end-to-end payment failure webhook tests locally, moving beyond simple mocked payloads.

Modernizing Ruby Central's Bylaws and Officer Updates

Ruby Central shares updates on the future of the organization, focusing on sustainability, governance, infrastructure stewardship, and community participation. This includes modernizing their bylaws and establishing new steering committees for volunteer leadership.

Small PRs, Big Speedups: The Ruby Performance Work You Almost Missed

A roundup of notable Ruby performance pull requests that might have flown under the radar. This collection highlights impactful optimizations and speedups contributed to the Ruby core, showcasing the ongoing efforts to make the language faster.

Better Guides, Better Framework

This week's roundup of activity in the Rails codebase highlights improvements to the official guides alongside various framework updates and bug fixes.

Cooldown Support for Bundler

The latest issue of the Awesome Ruby newsletter, featuring cooldown support for Bundler alongside the week's top Ruby and Rails news, tools, and tutorials.

I Deleted WebSockets and Haven't Looked Back

A look at swapping Turbo Stream broadcasts for polling in a Rails application after a paying customer got stuck with an infinite spinner. The post details the reliability issues of WebSockets and the simplicity of HTTP polling.

Meet Mata: Live Reload for Rack Apps

Mata is a lightweight live reload solution for Rack apps, including Rails, Sinatra, Hanami, and Roda. Using Server-Sent Events and Idiomorph, it offers smart reloading without requiring ActionCable, WebSockets, or JavaScript bundling.

Meet Mata: live reload for Rack Apps

I build quite a few sites. For my own products or I help others . Since I released Perron that is my go-to static site generator now. But it was missing one feature for a speedy development cycle: live reload. Not just a page refresh, but more like hot reloading. Most live reload solutions either require ActionCable (overkill when using Perron) or just do full-page reloads (annoying/too minimal). I wanted something in between. Meet Mata : a lightweight live reload solution for Rack apps. It uses Server-Sent Events (SSE) and idiomorph . You can install Mata simply by running bundle add mata --group=development . Then configure the middleware with watch and skip paths. That’s it. No JavaScript bundling. No ActionCable. No WebSockets. Just smart live reloading! ✨ But Mata isn’t just for Perron. It works with any Rack-based framework, like Rails: Sinatra, Hanami or Roda. 🚀 See the GitHub README for set up examples. Look, mom, no hands: So why the name? It’s named after the legendary...

CVE-2026-44476: Doorkeeper OpenID Connect Creates Public Clients with Client Secret

A security vulnerability in the doorkeeper-openidconnect gem allows attackers to authenticate as dynamically registered clients using only the public clientid. This issue affects projects with the opt-in Dynamic Client Registration feature enabled, as it incorrectly creates public clients with a client secret.

Spree: CSV Formula Injection in Customer Export

A security vulnerability in Spree allows CSV formula injection via customer exports. When an administrator opens a crafted export in spreadsheet software, embedded formulas can execute on their desktop, potentially exfiltrating data or executing OS commands.

Bundler's New Dependency Cooldown Feature

Issue 803 of the Ruby Weekly newsletter highlights Bundler's new opt-in 'cooldown' feature to hold back newly released gems for vetting. Other featured topics include legacy software in the age of AI and building stateful sliding windows beyond the Enumerable module.

Gem Packed with Gratitude: Thank You, 84codes

RubyGems.org is the quiet backbone of the Ruby world. It processes over 1,500 gem requests per second, serves billions of downloads every month, and keeps the tools developers rely on available, secure, and free. It s the kind of infrastructure you only notice when something goes wrong.

Cool down before you install: give new gems a few days to be vetted

Most supply-chain attacks against RubyGems exploit a narrow window: an account is compromised, a malicious version ships, and any bundle install in the minutes that follow resolves straight to it. Bundler 4.0.13 introduces cooldown , a time-based filter that refuses to resolve to a version until it has been public for at least N days. Releases too new to have been scrutinized are passed over in favor of ones that have aged past the window. The feature was designed in the open , drawing on how other ecosystems approach the same problem . It is opt-in, and complements rather than replaces existing defenses like mandatory 2FA and trusted publishing. Cooldown reads the per-version createdat timestamp that rubygems.org’s v2 compact index now serves. A version whose source does not expose createdat , such as older gem servers, historical entries from before the v2 cutover, or private registries still on the v1 format, is treated as outside the window and stays resolvable. Cooldown never...

4.0.13 Released

RubyGems 4.0.13 includes enhancements and Bundler 4.0.13 includes enhancements, bug fixes and security. To update to the latest RubyGems you can run: gem update --system [--pre] To update to the latest Bundler you can run: gem install bundler [--pre] bundle update --bundler=4.0.13 RubyGems Release Notes Enhancements: Prevent extraction from escaping destination_dir via pre-existing symlinks. Pull request #9493 by thesmartshadow Close stdin immediately when using popen2e. Pull request #9540 by rwstauner Fallback to copy symlinks on Windows. Pull request #9296 by larskanis Installs bundler 4.0.13 as a default gem. Bundler Release Notes Enhancements: Do not hard-code permissions for new gem directories during bundle install. Pull request #9557 by maxfelsher-cgi Clear gem specification cache after acquiring process lock. Pull request #9310 by ngan Show release date with bundle outdated. Pull request #9337 by hsbt Bug fixes: Apply cooldown to locally installed gem versions. Pull request...

Build Native Autocomplete in Rails Forms with f.datalist (No JavaScript)

Rails 8.2 adds f.datalist to FormBuilder, so you can wire a text input to a native HTML autocomplete list with zero JavaScript and no derived-id bookkeeping.

Upcoming Changes in Rails Rate Limiter

Rails 7.2 introduced built-in rate limiting, and the upcoming release of Rails has several improvements lined up. Explore the new features and configuration options coming to the rate limiting API.

CVE-2026-54171 (Excon): Redact Additional Sensitive Headers When Following Redirects

A security vulnerability in the Excon HTTP client library's redirect follower middleware could cause inadvertent leakage of sensitive data. The middleware previously failed to strip sensitive headers when following redirects. Users are advised to upgrade to version 1.5.0.

Passenger 6.1.4

Version 6.1.4 of the Passenger application server has been released. This release bumps the version of the builtin Nginx engine used in Standalone mode and adds prebuilt binaries for ruby 4.0.5.

Welcome Back, Typesense!

Two years in a row, we love to see it. A huge thank you to Jason Bosco and the Typesense team for coming back and continuing to invest in this community. It genuinely means a lot to us. You might not know their name yet, but trust me you

501: What makes for good technical writing?

Sally and Joël get technical as they lay out their thoughts on blog posts. Our hosts pick apart what makes a good technical blog post, why consistent terms are more important than you might think when communicating with your audience, and how to improve your own writing to ensure your reader remains engaged. — There’s still time to secure your place at thoughtbot’s upcoming UK meet ups over the next month. London Tech Leader Meetup - Tuesday June 23rd Brighton Tech Leader Meetup - Wednesday June 24th Brighton Ruby - Thursday June 25th Evolve - Friday June 26th Your hosts for this episode have been thoughtbot’s own Joël Quenneville and Sally Hall . If you would like to support the show, head over to our GitHub page , or check out our website . Got a question or comment about the show? Why not write to our hosts: hosts@bikeshed.fm This has been a thoughtbot podcast. Stay up to date by following us on social media - YouTube - LinkedIn - Mastodon - BlueSky © 2026 thoughtbot, inc.

How to Choose a Gem Wisely to Prevent a Maintenance Nightmare

A guide on deciding whether to add a Ruby gem dependency or build the functionality yourself, featuring five key factors to check for sustainable, maintainable, and secure Rails applications.

How to Choose A Gem Wisely (To Prevent a Maintenance Nightmare)

How to decide whether to add a Ruby gem dependency or build it yourself: five factors to check for sustainable, maintainable, and secure Rails applications.

The Original Sin, the Scorpion, and Local AI

The Original Sin, the Scorpion, and Local AI June 1, 2026 For the last few weeks, I have been experimenting with local AI models to help me develop and maintain Ruby projects. Built for Ruby on Rails Build Maps WithoutGoogle APIs Generate beautiful production-ready maps directly from your Rails backend. Fast rendering, zero external dependencies, Continue reading The Original Sin, the Scorpion, and Local AI

Code with Jason: People Buy From People

I went on Code with Jason for the second time. Jason and I got into the Fireside acquisition, how to actually find and finance a business to buy, why support is a product, and where I think developer tools are headed in the AI era. Some of the highlights: Why

Proactive Engineering

Proactive Engineering Proactive engineering is the practice and rigor of staying atop new technologies, designs, and changes in order to keep your software stack healthy, minimize risks, and keep technical debt low. This allows you to build a healthy team and well maintained code base that is a joy to work with. Proactive engineering is also the exact opposite of reactive engineering (a.k.a. move fast and break things). The problem is most teams don t have this kind of rigor. They work in a constant state of fire fighting, dealing with on-call issues, bombarded with interrupts, and/or sheer neglect. The goal is to get you into a healthy state in which you have time for Deep Work with the ability to maintain your application, research solutions, and focus on delivering a high quality product your customers enjoy. Table of Contents Notifications News Weekly Upkeep Daily Habits Culture Conclusion Notifications First and foremost turn off all notifications or, at a minimum, silence them...

Continuations 2026/22: Integrated mailers

• This week I got the last big piece done before we can make the next Hanami release. Mailers now fully integrate into Hanami apps, with zero necessary boilerplate, just...

Frequently Played June 2026

Frequently Played 🔗 I tend to listen to the same songs or albums on repeat that are evocative of how I m feeling or what s going on with me. Here is what I m currently listening to over, and over, and over, and over, again. Not Bad For New Jersey 🔗 A signature Tele AND two new tunes from Brian? Yes, please. Full Lyrics I can t say I had a good time But after all this crazy, I think we did alright Make You Feel My Love 🔗 Thanks to K-Pop Demon Hunters, my daughter assumes any song lyrics she doesn t understand are in Korean. But sometimes I get to say no, that s just Bob Dylan singing. Full Lyrics The storms are raging on the rolling sea And on the highway of regret The winds of change are blowing wild and free You ain t seen nothing like me yet

Turning Years of Ruby Knowledge Into a Local Coding Assistant

Turning Years of Ruby Knowledge Into a Local Coding Assistant June 1, 2026 Introduction Over the years, most Ruby developers accumulate a vast amount of knowledge. Not just source code, but articles, documentation, experiments, bug fixes, pull requests, design decisions, and lessons learned from maintaining production systems. The problem is that this knowledge often remains Continue reading Turning Years of Ruby Knowledge Into a Local Coding Assistant

I m making a collectible limited-edition Ruby stained glass

After talking with Jeremy Smith and Jess Brown on the IndieRails podcast about stained glass and how I transitioned to programming in Ruby, I’ve had this crazy idea that I could tie the two together in a weird project. Well, here goes nothing!

Storing data as a sequence of events - RubyConfAt lightning talk supplement

Storing data as a sequence of events - RubyConfAt lightning talk supplement This post originated from the lightning talk and the discussions I had afterward at RubyConfAt . It was a great conference. Especially the music part was amazing. Big kudos and applause to the organizers, once again! The Lightning Talk During my lightning talk I discussed an alternative way of storing data in Ruby applications. The alternative way is to store data as a sequence of events. It all starts with admitting the fact that an update of data causes information loss . We do know what it is now - we see the current state in a database column. But we don’t know how we got there. Context is lost. Event sourcing solves that problem by storing each change as an event in our database. What is an event? An event represents a fact, something that happened in our system. It’s immutable - once persisted, it cannot be changed. An event consists of a name, event_id, data, and metadata. An example of an event is...

Adding account-specific rate limits in a Rails app

We can easily configure global rate limits, but how can we make them dynamic?

Welcome, SerpApi!

We’re thrilled to welcome SerpApi as a new silver-tier Hanakai sponsor! SerpApi is the world’s leading provider of search data, pioneering APIs that turn search engine results into structured, developer-ready information. Founded in 2017, the company enables developers and organizations around the world to integrate live search insights from sources like Google, Bing, and YouTube. SerpApi comes on board as we near the first anniversary of our sponsorship program . Support like this has been instrumental in everything we’ve achieved this past year: shipping Hanami 2.3 , launching Hanakai , and cooking up a very special Hanami 3.0 release—more on that one soon! SerpApi is proud to sponsor open source community initiatives and support the continued development of the Hanakai projects. At SerpApi, we are Rubyists at heart and want to see our ecosystem grow. — Josef Strzibny, Ruby Developer Advocate, SerpApi Thank you to Josef and the SerpApi team for reaching out to us and making this...

Running AI Locally for Ruby Development: A Practical Guide with Ollama, Aider, and Your Own Codebase

Running AI Locally for Ruby Development: A Practical Guide with Ollama, Aider, and Your Own Codebase May 28, 2026 Ruby Stack News — by Germán Silva There's a quiet revolution happening in developer tooling, and it doesn't require a cloud subscription, an API key, or sending your proprietary code to someone else's server. Over the Continue reading Running AI Locally for Ruby Development: A Practical Guide with Ollama, Aider, and Your Own Codebase

What if Hanami had templateless views?

In the new glorous website of Hanakai there are two “getting started” guides for Hanami: one for a “web app” (meaning, a fullstack app) and one for an API app. Even though those two guides follow building the same application (bookshelf), they differ quite a bit in places. Sometimes it’s absolutely justified (you don’t have HTML templates in API app), sometimes it feels justified, but can also provoke a thought. This is one of these thoughts. Let’s look about 30% in the guide at “Fetching books from database” subsection. It demonstrates how to get a books index page, paginated. This is how is looks for a fullstack app (combined into one listing for clarity): # action module Bookshelf module Actions module Home class Index Bookshelf :: Action def handle ( request , response ) end end end end end # view module Bookshelf module Views module Books class Index Bookshelf :: View include Deps [ "repos.bookrepo" ] expose :books do bookrepo . allbytitle end end end end end # template h1...

Action Cable adapterization and more

Hi, Wojtek here. Let’s see a huge list of this week’s changes in the Rails codebase.

Great company cultures hold people accountable

Codified to enculturated: The accountability gap In my previous post on codifying culture, I closed with a deliberate boundary: Deciding who you are and how you will operate Naming your principles Articulating your trade-offs Cascading this into behavior is something different. It’s the slower, less legible change management work that is harder to declare “finished.” The organizations I worry about most are not the ones that skipped codification. They at least have an honest problem to solve. The ones I worry about completed the workshops, published the principles, and now find themselves six to twelve months later unable to tell whether any of it stuck. Principles exist. The language lives in documents. But decisions are still being made the way they always were. No one knows what to do next. That uncertainty — the mid-transformation pause — is what this post is about. Culture without accountability is decoration Most organizations implement the first two of the three enculturation...

💎 Issue 523 - From Rust to Ruby

Ruby Native works

A paid app, approved in the App Store and Google Play, built without opening Xcode or Android Studio.

Sidekiq & Ruby Compatibility Table

A comprehensive reference table showing the compatibility between Sidekiq and Ruby across different versions. Use this guide to check your upgrade options and determine the latest compatible versions of Sidekiq and Ruby for your application.

Sidekiq amp; Ruby Compatibility Table

A complete table showing the compatibility between Sidekiq and Ruby across each version, check your upgrade options and know what's the latest version of Sidekiq or Ruby you can use.

Building User-Customizable Themes with Tailwind CSS

A guide to building a white-label theme system using Tailwind CSS and the OKLCH color space. This approach generates an entire color palette from a single runtime CSS variable, avoiding the need to manage multiple color stops manually in your Rails application.

Building user-customizable themes with Tailwind CSS

A little while ago I was asked to to build a “white-label” feature into an existing app. Their customers can now customize the app to match their brand without touching code. It will look a little something like this: This article walks through how I build a custom theme system using Tailwind CSS and the OKLCH color space. The basics for this feature I extracted and is available on GitHub . The approach I took generates an entire color palette from a single value, instead of managing eleven different color stops manually. Sounds complicated? It really is quite simple. Let me show you. Tailwind allows defining custom colors using the @theme directive (these can then be used normally, e.g. text-brand-500 and bg-brand-50/60 ). Rather than hardcoding hex values, use CSS variables that change at runtime. Here is the setup in app/assets/tailwind/application.css : @ import " tailwindcss "; @theme { -- color-brand-50 : oklch( 0.99 0.01 var (-- color-value ) ); -- color-brand-100 : oklch( 0.98...

Next.js vs React: What’s the difference and which should you use?

Next.js and React are often compared, but they solve different problems. React focuses on building user interfaces, while Next.js adds structure, rendering strategies, and back-end capabilities. Read this article to see how we break down their differences.

Exploring Ruby’s OpenSSL stdlib internals: from C bindings to Ruby APIs

Exploring Ruby’s OpenSSL stdlib internals: from C bindings to Ruby APIs May 27, 2026 Ruby ships with a standard library gem named openssl, responsible for exposing cryptographic primitives, TLS/SSL sockets, certificates, digests, encryption, and secure communication APIs directly to Ruby developers. Under the hood, this is not a pure Ruby implementation. The openssl gem is Continue reading Exploring Ruby’s OpenSSL stdlib internals: from C bindings to Ruby APIs

GitLab Patch Release: 19.0.1, 18.11.4, 18.10.7

Claude Opus 4.8 on GitLab: Complex agentic work, less disruption

Anthropic s latest model on GitLab is built for precise execution across complex multi-step agent work. Agents fail most often on complex, multi-step work: tasks that span multiple tools and go from intent to production without losing track of the project goal. Claude Opus 4.8, Anthropic s latest model for coding and agentic tasks, is built for that work, and now available in GitLab Duo Agent Platform via model selection in Agentic Chat and across agent workflows in your GitLab instance. Opus 4.8 delivers more precise execution across complex agentic sequences where agents run autonomously over extended time periods. With more comprehensive reasoning and planning, teams can expect cleaner end-state results with fewer interventions to redirect agents along the way. Improved long-horizon agentic execution For teams with established agent workflows, Opus 4.8 interprets instructions more precisely than prior models. Agents handling extended sequences complete each step as specified, which...

A Unix shell powered by Ruby

#​802 — May 28, 2026 Read on the Web Ruby Weekly A New Register Allocator For ZJIT — Deep-in-the-engine-room stuff, but the kind that makes Ruby faster for us all. Tenderlove’s walkthrough of ZJIT ’s new register allocator shows how processing an entire method at once lets the JIT keep more values in CPU registers and lays the groundwork for bigger optimizations to come, including method inlining. Aaron Patterson Hone Your Postgres Skills - Choose from 44 POSETTE 2026 Talks — Pick from talks about PostgreSQL-backed app development, Postgres performance, scaling, graph data, AI agents, Postgres 19 and more in the Ultimate Guide to POSETTE: An Event for Postgres . This free virtual developer event is happening 16-18 June. Microsoft | AMD sponsor Extending Ruby LSP with Prism — The author adds ‘Go To Definition’ for render calls in Rails templates via a Ruby LSP add-on, though it could be a useful starting point for any Ruby LSP extension. Janko Marohnić ⚡️ IN BRIEF: Mike Perham reports...

Agentic coding is only as good as its context

Every week, another coding agent demo shows a prompt turning into a pull request in under five minutes. These demos often highlight a narrow use case not yet in production, and they skip everything that happens after the commit. The pull request doesn’t include a link to the issue it was supposed to fix. The CI/CD pipeline fails because the agent didn t know about a recently added linter rule. A security scan flags a dependency the agent pulled in without checking the project s approved list. These are context failures, and they determine whether agentic coding accelerates delivery or creates rework. But when development teams use coding agents with GitLab, the agents draw on the issues, pipelines, and security policies already in the platform, catching problems and remediating them within the developer flow. This article walks through what changes when you give a coding agent progressively more lifecycle context from repository-only to full platform visibility, using two recent...

Welcome Back, Mudflap!

We re thrilled to announce that Mudflap is returning as a sponsor of RubyConf for the second year in a row. Their continued investment in the Ruby community means a lot to us, and we couldn t be more excited to have them back. If you&

Ruby on Rails for MLOps: A Complete Guide to ML Deployment

Machine Learning is one of the forces that drives contemporary digital transformation. Machine learning models are being leveraged by businesses across industries to scale operations, enhance customer experiences, optimize business decisions and derive predictive insights from enormous amounts of data. But a model is only one step in the process of building a machine learning Ruby on Rails for MLOps: A Complete Guide to ML Deployment Read More The post Ruby on Rails for MLOps: A Complete Guide to ML Deployment appeared first on RailsCarma - Ruby on Rails Development Company specializing in Offshore Development .

What Your CI Bill Is Telling You About Your AI Readiness

Agents iterate fast; your CI pipeline may not be ready for what that actually costs. More throughput means more test runs, a growing suite, and infrastructure spend that compounds in ways most teams don t catch until someone asks about more than token spend. Continue Reading

Understanding Ruby Proc Internals Through proc.c

May 26, 2026 Ruby’s elegance hides an extremely sophisticated runtime underneath. Features like blocks, lambdas, closures, binding, method(:foo), and even :to_s rely on a dense set of VM internals implemented in CRuby’s proc.c. This file is one of the best entry points for understanding how Ruby models executable code objects. The source analyzed here comes Continue reading Understanding Ruby Proc Internals Through proc.c

CVE-2026-47736: Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion

A security vulnerability in Puma's PROXY protocol v1 parser allows remote memory exhaustion. When enabled, an attacker can send continuous bytes without a CRLF, causing unbounded memory growth and high CPU usage. Only servers with proxy_protocol: :v1 enabled are affected.

CVE-2026-47737: Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections

A security vulnerability in Puma allows source IP spoofing when PROXY protocol v1 is enabled on persistent connections. An attacker can inject a second PROXY header to overwrite REMOTE_ADDR, potentially bypassing rate limits or access controls. Only non-default configurations are affected.

GitLab Patch Release: 18.9.8, 18.8.10, 18.7.7, 18.6.8, 18.5.7

A new Register Allocator for ZJIT

We recently landed a new register allocator in ZJIT. Learn about lifetimes, interference graphs, and linear scan — and why a global allocator unlocks features like method inlining.

CVE-2026-44587 (carrierwave): CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters

### Summary CarrierWave's contenttypedenylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. Note: CarrierWave is aware #contenttypedenylist is deprecated for the security reason, but it still used by developers, and the problem here isn't denylist allows any filetype, and thats not a vulnerability in carrierwave, its an implementation problem in developers using CarrierWave, the problem is its denylist entries are interpolated directly into a regex without Regexp.quote or anchoring. The denylist is still useful when developers want to ban specific content types but allow everything else. ### Details In lib/carrierwave/uploader/contenttypedenylist.rb:57, string denylist entries are interpolated directly into a regex without Regexp.quote or anchoring: ```ruby def denylistedcontenttype?(denylist, contenttype) Array(denylist).any? { |item| contenttype =~ /#{item}/ }...

500: Celebrating with past hosts

The Bike Shed celebrates its 500th episode with hosts new and old as they reflect on the show’s history and ask, what’s new in your world? Our past hosts look back at their time on the show, their favourite moments while hosting, what they took away from producing the Bike Shed, and what they might do today if they were still in the hosting chair. — Your hosts for this special episode of The Bike Shed have been Joël Quenneville , Sally Hall and Aji Slater . Joining them have been our returning hosts Derek Prior , Sage Griffin , Stephanie Viccari , Chris Toomey and Stephanie Minn . Listen back to some of our guest’s highlighted episodes Bike Shed 14: An Acceptable Level of Hassle with David Heinemeier Hanson Bike Shed 172: What I Believe About Software Bike Shed 180: A Citizen of the Internet with John Resig Bike Shed 302: Observability with Charity Majors Bike Shed 325: Pranting Bike Shed 404: Estimation If you would like to support the show, head over to our GitHub page , or check...

LLM layer for a Rails application

A pragmatic pattern for wiring LLMs into a Rails app: base class, ERB prompts, two-level tests, and context strategies.

Why Duck Typer?

Some say interface tests are fragile and shouldn't be written. I disagree. Here's why I think they're worth writing.

Full security scanner coverage of your codebase in minutes

Across the industry, every CI/CD platform faces the same challenge: As organizations grow, manually configuring scanners to run across every pipeline definition file isn t scalable. AI is accelerating how fast teams ship code, and with this comes more projects, more pipelines, and more surface area to secure. What starts as a deliberate security decision becomes inherited configuration that nobody owns, coverage that was never backfilled, and gaps that are invisible until they aren t. Security teams need to apply scanners at scale, not chase scanner coverage project by project with manual YAML files. A security configuration profile is a centralized setting in the UI where security teams can define how and when security scanners run across your projects, without manually configuring scanners across pipeline definition files. With GitLab 19.0, teams can use security configuration profiles to enable static application security testing (SAST), dependency scanning, and secret detection...

Reduce supply chain risk with SBOM-based dependency scanning

Third-party code dominates most codebases, and four recent supply chain incidents show how a single compromised package can ripple into every project that depends on it. AI is compounding this problem: Research suggests nearly half of AI-generated code contains vulnerabilities . Traditional dependency scanners, including GitLab s Gemnasium analyzer, were engineered to answer one question: Which of my declared packages have known CVEs? When dependency trees weren’t as deep and release cycles weren’t as fast, that approach worked. Today’s application security teams must answer harder questions: How did a vulnerable package end up in the project? What else came with it? And which dependencies does your code actually reach? With GitLab 19.0, dependency scanning using a software bill of materials (SBOM) becomes generally available to help answer these questions. This feature inventories every direct and transitive dependency in your project and tells you which vulnerable packages your...

Stop writing rules in AGENTS.md: use agent hooks and nano-staged instead

Move LLM safeguards out of AGENTS.md: how agent hooks plus nano-staged run linters on changed files only, cut tokens, and tighten the agent's feedback loop

Rails 8 Solid Queue: Database-Backed Background Jobs

Background job processing has always required external dependencies like Redis or Memcached in Rails applications. With Rails 8, that changes. Solid Queue is now the default Active Job backend, and it stores jobs directly in the database. This eliminates the need for Redis in many applications, simplifying deployment and reducing infrastructure costs. In this post, we will explore Solid Queue in depth, covering installation, configuration, real world usage patterns, and important caveats to consider. Why Solid Queue? Traditional job backends like Sidekiq and Resque rely on Redis for job storage. While Redis is fast, it adds operational complexity: Additional infrastructure to manage Memory constraints limiting job history Separate backup and monitoring requirements Extra costs for managed Redis services Solid Queue leverages modern SSD performance and database features like FOR UPDATE SKIP LOCKED to achieve comparable throughput without Redis. Installation Solid Queue comes...

Rails 8 Solid Cache: Database-Backed Cache Store

Caching in Rails has traditionally meant choosing between Redis or Memcached. Both are fast but expensive when we need large caches. Memory costs add up quickly. Rails 8 introduces Solid Cache as the default production cache store. It stores cache entries in the database, leveraging modern SSD performance to provide larger caches at significantly lower costs. In this post, we will explore how Solid Cache works, how to configure it for production, and important tradeoffs to consider. The Case for Database Backed Caching Traditional memory based caches have a fundamental limitation: RAM is expensive. A 10GB Redis cache costs significantly more than 10GB of SSD storage. Modern NVMe SSDs have changed the performance equation. Read latencies are now measured in microseconds, making disk based caching viable for most use cases. Solid Cache takes advantage of this shift. We can now maintain caches measured in hundreds of gigabytes at a fraction of the cost of equivalent memory based...

Rails 8 SolidCable: Database-Backed WebSockets Guide

ActionCable brought WebSocket support to Rails, but it traditionally required Redis as a message broker. This added complexity and cost to deployments. Rails 8 introduces SolidCable as the default ActionCable adapter. It stores messages in the database and uses polling to deliver them to subscribers. This eliminates Redis as a dependency for real time features. In this post, we will explore how SolidCable works, how to configure it for production, and important considerations for the application. How SolidCable Works Traditional ActionCable with Redis uses pub/sub: when a message is broadcast, Redis immediately pushes it to all subscribers. SolidCable takes a different approach. Messages are written to a database table and subscribers poll for new messages. Despite the polling mechanism, performance is comparable to Redis for most use cases. This database-driven approach was not practical in the past. Modern infrastructure with NVMe SSDs has made it viable due to extremely fast...

Numbers Without Conclusions

Follow-up to Show Your Work : preliminary benchmark numbers across eight target surfaces, with an honest accounting of what the numbers do and don't tell you. The mechanism post argued for browseable code over benchmark trust; this one shows the measurements anyway, with enough caveats that nobody should overread them.

Continuations 2026/21: Big cake to walk

• I finished off Hanami’s streamlined i18n support this week! I had built the core functionality quite a while ago, and thought that adding view helpers would be a cakewalk....

Don’t let AI burn you out

AI made me faster, then it made me chaotic. Here's how I learned to run multiple agents without burning out.

From a Sample of One

Thoughtworks published a thoughtful synthesis from a senior-practitioner retreat on the future of software engineering. From a sample of one — a retired developer working on a single project with an LLM co-author — three of its conclusions look different from where I sit. Not wrong; different. Probably because we are observing different regimes.

Blue Ridge Ruby 2026 Video

The videos from Blue Ridge Ruby 2026 are now available on YouTube . Check them all out!

Safer to_i coercion, custom to_fs formats, and more!

Hi, I’m Emmanuel Hayford. Rails had a busy week, so grab a tea and let’s get into it.

The Drucker Inversion

In 1959, Peter Drucker observed that knowledge workers know more about their work than their managers do, and that this required a different management discipline: managing by objective rather than by method . The relationship between a software developer and a coding agent has the same shape — inverted. The principal knows less than the worker. Drucker's prescription still applies.

Inside Ruby’s Object Model

May 21, 2026 How MRI Really Implements include, prepend, extend, Singleton Classes and Method Lookup Ruby’s object model looks elegant from the outside: module Logging def call puts before super end end class Service prepend Logging def call puts service end end But internally, MRI/CRuby performs a surprising amount of machinery to make this work. Continue reading Inside Ruby’s Object Model

Engineering Is Not Dead, Because Accountability Isn’t

Models can generate the code. They cannot be accountable for it. The real distinction is whether the result is owned.

Rails 8.1 Adds Native Markdown Rendering Support

Introduction Markdown has become the lingua franca of AI. Large language models output markdown by default, documentation lives in markdown files, and developers think in markdown. Why AI “Speaks” Markdown Markdown’s rise in the age of AI comes down to a few key factors: Simplicity and Structure : Its minimalist, plain text syntax ( # for headings, * for lists) creates a clear, predictable structure that AI models are trained on and can easily interpret. Enhanced Comprehension : AI struggles with complex formats like PDFs or Word documents due to visual clutter and metadata. Markdown strips this away, letting AI focus on meaningful content. Improved Prompting and Output : Markdown in prompts provides a clear roadmap for AI, reducing ambiguity. AI systems generate responses in Markdown to ensure clear presentation with lists, code blocks, and tables. Efficiency : Markdown’s conciseness saves tokens, allowing more information within an AI’s context window and reducing processing...

💎 Issue 522 - Why Ruby Still Feels Like Home After All These Years

Welcome Back, Judoscale!

Welcome Back, Judoscale! We re excited to welcome Judoscale back as a Silver Sponsor of RubyConf for the second year in a row. If you ve ever lost sleep wondering whether your Rails app could handle a sudden traffic spike, Judoscale is probably already on

I used to own a tiny niche

The code is a commodity. The decisions around it are not.

Inbound Email in Rails Apps with Fuik

An introduction to using Fuik, a Rails engine for handling webhooks, to process inbound emails. While Action Mailbox requires ActiveStorage and ActionMailer, Fuik offers an alternative by capturing incoming webhooks from transactional email providers, storing them in the database, and processing them via event classes.

Inbound email in Rails apps with Fuik

Fuik is a Rails engine for handling webhooks that I launched recently. But it can also be used to process inbound emails! 💡 When working with inbound email in Rails using Action Mailbox, there’s a key requirement: managing EML files and blob storage. Once an email arrives at your domain, your email provider captures it and sends the data to you via webhook. You then extract what you need and process (or store) it. Action Mailbox requires: ActiveStorage ánd ActionMailer. But what if you don’t have a need for ActiveStorage (including its cloud storage setup) or ActionMailer (because you use Courrier ). Most transactional email providers send their inbound emails as webhooks: Postmark, SendGrid, Mailgun and Mailpace. They all POST the email data to a webhook URL you configure. Fuik is great at capturing just that: it captures those incoming webhooks, stores them in the database and calls your event class to process them. You see all your webhooks in at /webhooks . You can inspect and...

SIEM alerts: everything you need to know

SIEM alerts help you detect suspicious behavior before it becomes a breach. But security monitoring can quickly turn into noisy dashboards and missed threats without the right approach. Read this article to learn how to design effective SIEM alerts and implement real-time security monitoring.

Improving Accessibility in JetBrains IDEs: What’s New and What’s Next in 2026

Making software accessible often comes down to removing small but repeated points of friction in everyday workflows. Today, on Global Accessibility Awareness Day, we’re sharing recent improvements in JetBrains IDEs across several areas: compatibility with assistive technologies on various platforms, keyboard navigation, and non-visual feedback. Some of these improvements are already available, and some are [ ]

More AI models for GitLab Duo Agent Platform Self-Hosted

Customers running GitLab Duo Agent Platform Self-Hosted operate under constraints many software teams don t face: data residency mandates, air-gapped networks, and compliance regulations that prohibit sending source code to third-party APIs. Those constraints also come with a trade-off. The most capable models tend to land in cloud-first deployments, leaving regulated and isolated environments a step behind on AI capability, and forcing teams into a single-model setup that s either overkill for routine work or underpowered for complex agentic tasks. GitLab 19.0 narrows that gap by expanding self-hosted open source model support. Customers can match the right model to the right workflow, even for teams running their own GPUs in fully isolated or air-gapped environments. Whether your focus is data residency, network isolation, or regulatory compliance, you now have more capable options. Air-gapped deployments get more open source model choice For teams in fully isolated environments —...

Manage CI/CD credentials with GitLab Secrets Manager

Many credential leaks start with a developer who needs a credential, doesn’t have a good place to put it, and improvises. It lands in an over-scoped CI/CD variable, a config file, or a .env committed “just for a moment.” GitLab Secrets Manager, now in public beta with GitLab 19.0, keeps credentials in the same platform that runs your code and pipelines. Each secret is scoped to the jobs that need it and governed by the access controls you already use. Fewer secrets end up in the wrong place, and if one leaks, security and engineering teams can experience less disruption. Where secrets usually land Developers often default to placing secrets in CI/CD variables. Set the variable at the project or group level, mask the value, and update the pipeline. From there, the value is injected into every job, and anyone with pipeline access can read it. This pattern inverts least privilege but keeps the build running. The usual fix is a standalone vault. While this approach gets the secrets out of...

Track CI component usage across your organization

If your platform team publishes standardized pipeline components, you ve probably encountered this: once they re out in the wild, you lose visibility. You can t see if anyone’s actually using it, who s on which version, or which projects are still running outdated versions that open your organization up to security risks. Now with GitLab 19.0 s new Components Analytics view in the CI/CD Catalog, your team gets visibility and important adoption data about how CI/CD components are being utilized across the organization. Usage counts and adoption data is available across all tiers; with Ultimate, drill into any component to see exactly which projects are using which versions. As AI generates more of the pipelines hitting production, this visibility matters more than ever. The visibility gap in shared CI The GitLab CI/CD Catalog gives DevSecOps and platform engineering teams a central place to publish versioned, reusable pipeline components that any project can pull in with a single...

GitLab 19.0: Transform MRs from manual tasks to an automated workflow

AI made writing code dramatically faster, but the work between opening a merge request and merging it has stayed almost entirely manual. Assigning reviewers, addressing feedback round after round, untangling conflicts, rebasing before merge — each step still requires a developer s attention. The bottleneck moved but the tools didn t adapt. GitLab 19.0 changes that. Developer Flow now extends across the full MR lifecycle: a single AI agent that addresses reviewer feedback, resolves conflicts on long-running branches, researches unfamiliar codebases, and splits MRs that grew too large. Paired with autonomous merge conflict resolution and one-click rebase and merge, it cuts the manual work between opening an MR and merging it. Developer Flow is part of a new category of AI coding tools. The first wave accelerated the next line of code. The second wave gave developers a chat window. What s emerging now is different: agents that participate across the work, not for a fixed moment....

GitLab 19.0 released

Why Ruby still feels like home

#​801 — May 21, 2026 Read on the Web Ruby Weekly 🛠️   One Year of Ruby on Rails Configuration — The creator of GoodJob shares a tour of the monkey patches, extensions, and appwide behaviors that have accumulated in his Rails app’s /config directory. It’s heavy on examples and things you might want to steal be inspired by. Ben Sheldon Ruby 4.0.5 Released — An off-schedule release to address a critical use-after-free race condition in the getaddrinfo timeout handler . It also resolves a build system regression under the C locale introduced in 4.0.4. Takashi Kokubun 🤖 Claude Skills Built Around Your Engineering Process — We created an open-source Claude Code skill for Rails upgrades , leveraging 60,000+ hours of experience. Individual, general skills can only go so far; we build skills that understand your process. Take the next step into AI-assisted development. Custom Solutions | Ombulabs.ai sponsor ⚡️ IN BRIEF: thoughtbot has joined the Ruby Alliance – nothing to do with Star Wars but...

Safely Dropping Columns in Rails

In this post, we'll learn how you can safely drop important columns from a table without breaking production, using the ignored_columns feature in Rails.

Ruby 4.0.5 Released

Ruby 4.0.5 has been released. This release only contains a security fix for CVE-2026-46727: Use-after-free in pthread-based getaddrinfo timeout handler and a build system regression in Ruby 4.0.4 under C locale [Bug #22065] . Please see the GitHub releases for further details. Release Schedule We intend to release the latest stable Ruby version (currently Ruby 4.0) every two months following the most recent regular release. Ruby 4.0.6 will be released in July, 4.0.7 in September, and 4.0.8 in November. If a change arises that significantly affects users, a release may occur earlier than planned, and the subsequent schedule may shift accordingly. Download https://cache.ruby-lang.org/pub/ruby/4.0/ruby-4.0.5.tar.gz SIZE: 23818557 SHA1: efa77332e323c15a86e1a25a3ae53bd21972672c SHA256: 7d6149079a63f8ae1d326c9fa65c6019ba2dc3155eae7b39159817911c88958e SHA512: ce50c8dda1479f5a84771df37cdb23f0183bba900494e7492bb90d4b0a3e60ff28b799f3c469977f5f7c1335a6c1f3400a9ca52cd4acfcbed08f016d352943f4...

4.0.12 Released

RubyGems 4.0.12 includes enhancements and bug fixes and Bundler 4.0.12 includes enhancements and bug fixes. To update to the latest RubyGems you can run: gem update --system [--pre] To update to the latest Bundler you can run: gem install bundler [--pre] bundle update --bundler=4.0.12 RubyGems Release Notes Enhancements: Remove cygwin from WINPATTERNS. Pull request #9527 by fd00 Installs bundler 4.0.12 as a default gem. Bug fixes: Fall back to lockfile version when BUNDLEVERSION is “lockfile”. Pull request #9545 by hsbt Read BUNDLE_VERSION env var in BundlerVersionFinder . Pull request #9538 by hsbt Bundler Release Notes Enhancements: Make bundle config get return status 1 when the value is not set. Pull request #9505 by willnet Use Pathname#absolute?. Pull request #9529 by nobu Deprecate parsing non-lockfile content in LockfileParser. Pull request #9502 by kurotaky Print a warning for a potential confusion from the indirect dependencies. Pull request #5029 by junaruga Respect...

CVE-2026-46727: Use-after-free in pthread-based getaddrinfo timeout handler

A use-after-free vulnerability has been discovered in the pthread-based getaddrinfo timeout handler of Ruby. This vulnerability has been assigned the CVE identifier CVE-2026-46727 . This issue has been fixed in Ruby 4.0.5. We recommend upgrading Ruby. Details A race condition exists in the timeout cancellation path of rbgetaddrinfo used by Addrinfo.getaddrinfo(..., timeout:) and Socket.tcp(..., resolvtimeout:) . A remote attacker who can delay DNS responses near the specified timeout may cause the Ruby process to dereference freed memory and crash. Recommended action Please update to Ruby 4.0.5 or later. Workaround If you cannot upgrade immediately, avoid passing timeout: to Addrinfo.getaddrinfo and resolv_timeout: to Socket.tcp . Affected versions Ruby 4.0.0 through 4.0.4 Ruby 4.1.0-dev (master) before the fix Ruby 3.4 series and earlier are not affected. Credits Thanks to cantina-security for discovering this issue. Also thanks to shioimm for creating the patch. History Originally...

Why thoughtbot is joining the Ruby Alliance

thoughtbot is joining the Ruby Alliance, a coalition of companies investing in the long-term sustainability of Ruby infrastructure and the broader ecosystem. Here’s why we believe shared stewardship matters for Ruby’s future.