Rubyland

news, opinion, tutorials, about ruby, aggregated
Sources About
RubySec 

CVE-2024-28862 (rotp): ROTP 6.2.2 and 6.2.1 has 0666 permissions for the .rb files.

The Ruby One Time Password library (ROTP) is an open source library for generating and validating one time passwords. Affected versions had overly permissive default permissions. Users should patch to version 6.3.0. Users unable to patch may correct file permissions after installation.
RubySec 

GHSA-vcc3-rw6f-jv97 (nokogiri): Use-after-free in libxml2 via Nokogiri::XML::Reader

### Summary Nokogiri upgrades its dependency libxml2 as follows: - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6 - v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4 libxml2 v2.11.7 and v2.12.5 address the following vulnerability: CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970 Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you…
BigBinary Blog 

Building a web based screen recorder

This is part 1 of our blog on how we are buildingneetoRecord, a Loom alternative. Here arepart 2andpart 3.

At neeto, the product team, developers and the UI teamoften communicate using short videos and screen recordings. We relied on popularsolutions like Loom and Bubbles. But they allowed only a small number ofrecordings in their free versions and Soon, they presented us with the upgradedscreens - upgrades were quite expensive for our team due to our team size andthe number of recordings we made daily.

So, we thought of building a solution of our own. We found the browser'sMediaStream Recording API.

MediaStream Recording API

The MediaStream Recording API, sometimes called the MediaRecorder…

BigBinary Blog 

Efficient uploading and persistent storage of neetoRecord videos using AWS S3

This is part 2 of our blog on how we are buildingneetoRecord, a Loom alternative. Here arepart 1andpart 3.

In the previous blog, we learned how to use the Browser APIs to record screenand generate a WEBM file. We now need to upload this file to persistent storageto have a URL to share our recording with our audience.

Uploading a large file all at once is time-consuming and prone to failure due tonetwork errors. The recording is generated in parts, each part pushed to anarray and joined together. So it would be ideal if we could upload these smallerparts as and when they are generated, and then join together in the backend oncethe recording is completed. AWS'sSimple Storage Service (S3) made a…

BigBinary Blog 

Universal playback and streaming support using MP4 and Range request headers

This is part 3 of our blog on how we are buildingneetoRecord, a Loom alternative. Here arepart 1andpart 2.

In the part 1 of our blog, we uploaded the recording from the browser to S3 insmall parts and stitched them together to get the final WEBM video file. Wecould use this WEBM file to share our recording with our audience, but it has afew drawbacks:

  1. WEBM is not universally supported. Though most modern browsers support WEBM,a few browsers, especially devices in the Apple ecosystem, do not play WEBMreliably.

  2. Metadata for timestamps and duration are not present in WEBM videos. So,these videos are not "seekable." It means these videos do not show the videolength, and we cannot move back and…

Hence, we needed to convert the WEBM videos to a…

BigBinary Blog 

Building a web based screen recorder

At neeto, the product team, developers and the UI teamoften communicate using short videos and screen recordings. We relied on popularsolutions like Loom and Bubbles. But they allowed only a small number ofrecordings in their free versions and Soon, they presented us with the upgradedscreens - upgrades were quite expensive for our team due to our team size andthe number of recordings we made daily.

So, we thought of building a solution of our own. We found the browser'sMediaStream Recording API.

MediaStream Recording API

The MediaStream Recording API, sometimes called the MediaRecorder API, isclosely affiliated with theMedia Capture and Streams APIand theWebRTC API. TheMediaStream Recording…

BigBinary Blog 

Efficient uploading and persistent storage of neetoRecord videos using AWS S3

In the previous blog, we learned how to use the Browser APIs to record screenand generate a WEBM file. We now need to upload this file to persistent storageto have a URL to share our recording with our audience.

Uploading a large file all at once is time-consuming and prone to failure due tonetwork errors. The recording is generated in parts, each part pushed to anarray and joined together. So it would be ideal if we could upload these smallerparts as and when they are generated, and then join together in the backend oncethe recording is completed. AWS'sSimple Storage Service (S3) made a perfect fit asit provides cheap persistent storage, along withMultipart Uploadsfeature.

S3 Multipart…

BigBinary Blog 

Universal playback and streaming support using MP4 and Range request headers

This is part 2 of our blog on how we are buildingneetoRecord.

In the part 1 of our blog, we uploaded the recording from the browser to S3 insmall parts and stitched them together to get the final WEBM video file. Wecould use this WEBM file to share our recording with our audience, but it has afew drawbacks:

  1. WEBM is not universally supported. Though most modern browsers support WEBM,a few browsers, especially devices in the Apple ecosystem, do not play WEBMreliably.

  2. Metadata for timestamps and duration are not present in WEBM videos. So,these videos are not "seekable." It means these videos do not show the videolength, and we cannot move back and forth using the seek bar. The videostarts…

Hence, we needed to convert the WEBM videos to a universally supported format tosolve the…

Short Ruby Newsletter 

Short Ruby News - Edition #83

A Monday summary of the articles, discussions, and news from the Ruby community
Saeloun Blog 

Rails 8 adds allow_browser to set minimum browser version

Browser compatibility is critical for ensuring that a website displays and performs properly across several web browsers. Every browser renders code differently, thus compatibility testing is critical for reaching a larger audience. It involves evaluating how a website appears in several browsers such as Chrome, Firefox, Safari, and Internet Explorer.

As the number of mobile users grows, interoperability with mobile platforms becomes increasingly important.

Before

Before Rails 8, browser compatibility was detected using the browser gem

gem "browser"

To detect whether a browser can be considered as modern or not, we create a method that abstracts our versioning constraints.

def modern_…
RubySec 

CVE-2024-28121 (stimulus_reflex): StimulusReflex arbitrary method call

### Summary More methods than expected can be called on reflex instances. Being able to call some of them has security implications. ### Details To invoke a reflex a websocket message of the following shape is sent: ```json { "target": "[class_name]#[method_name]", "args": [] } ``` The server will proceed to instantiate `reflex` using the provided `class_name` as long as it extends `StimulusReflex::Reflex`. It then attempts to call `method_name` on the instance with the provided arguments [ref]: [ref]: https://github.com/stimulusreflex/stimulus_reflex/blob/0211cad7d60fe96838587f159d657e44cee51b9b/app/channels/stimulus_reflex/channel.rb#L83 ```ruby method = reflex.method…
Dhaval Singh's Blog 

Tech Tradeoffs #1: Django or Rails? MySQL or MongoDB?

Context:

I started working at Seezo, where we are building a product for security design reviews. At this point, we are on the 0 to 1 journey and all the technical decisions we make might have a large impact on the future of our company.

Personally, I have always been curious about why did someone pick X framework over Y or should you build a feature in this way or that...

Now that I am in a place where I get to be close to this decision-making process, I'll try to document it here. Some of the tradeoffs might actually come through a mix of research, previous experience, and discussions while some are just made in the moment(relying on our gut feeling).

Which framework?

Okay, this is the most…

RubySec 

CVE-2024-28181 (turbo_boost-commands): TurboBoost Commands vulnerable to arbitrary method invocation

### Impact TurboBoost Commands has existing protections in place to guarantee that only public methods on Command classes can be invoked; however, the existing checks aren't as robust as they should be. It's possible for a sophisticated attacker to invoke more methods than should be permitted depending on the the strictness of authorization checks that individual applications enforce. Being able to call some of these methods can have security implications. #### Details Commands verify that the class must be a `Command` and that the method requested is defined as a public method; however, this isn't robust enough to guard against all unwanted code execution. The library should more…
Aha! Engineering Blog 

Building a dynamic Canvas rendering engine using JSX

img { max-height: 400px; margin-right: auto; margin-left: auto; } table, th, td { font-family: Red Hat Display, "Helvetica Neue", Arial, "Noto Sans", sans-serif; border: 1px solid var(--aha-gray-400); } th { background-color: var(--aha-gray-100); color: var(--aha-gray-900); text-align: left; } td img { margin: 0.5em auto !important; }
by Percy Hanna

Our product team is busy adding many great new features to Aha! Whiteboards and Aha! Knowledge — including wireframes, voting, and improvements to viewing Aha! Roadmaps data within a whiteboard. We added all of this functionality in just the last few months, and we are busy building…

RubyGems Blog 

Password Reset Vulnerabilities, Hacker One and Humility

Have you ever thrown actual spaghetti at a wall? It’s funny, sticky and barely induces any panic. HackerOne reports, on the other hand, have the opposite effect. Unlike wet spaghetti, the clean-up job is far more work for our security team.

Running a bug bounty program means a stream of incoming reports, not all of them correct, that must be reviewed. After receiving enough dire-sounding reports that ultimately lead nowhere, it can look like thrown spaghetti (a see-what-sticks approach). Though we try to give each report a thorough, unbiased evaluation, it’s difficult to keep an open mind about any given report.

Dead-end reports cost the RubyGems security team time, and slow down our…

Posts on Kevin Murphy 

Tracks Not At RailsConf 2024

RailsConf 2024 🔗

I’m on the RailsConf 2024 Program Committee. We just released the program for this year’s event, and I hope you’ll join us!

One thing we don’t have are formally-themed tracks. In past years, our CFP might have included prompts for different topics. Or we’d group some talks in publicly-shared and advertised ways.

We aren’t doing that this year. That lets us focus on the overall conference theme: building with Rails. However, that didn’t stop me from brainstorming a list of possible tracks, in case we did want to add them in.

The following is a list of what could have been, but will not be: tracks that are not part of the RailsConf 2024 program.

Lend an Enginear 🔗

Story Time!…

Hi, we're Arkency 

How to get burned by 16 years old hack in 2024

There’s a project I’m consulting on where programmers develop predominantly in cloud environment. This setup simplifies a lot of moving parts and has the benefit of providing everyone homogenous containers to run code. If it runs on my box — it will run on everyone’s box. In that case, that box is Linux-based. It has the drawback of having greater latency and being more resource-constrained than a beefy local machine a developer is equipped with, i.e. MacBook Pro running on Apple Silicon.

Recently we’ve upgraded this development environment from Ruby 3.2.2 to Ruby 3.3.0. The process was smooth and predictable in the cloud environment. It worked on my box and by definition on everyone’s…

Once a Maintainer 

Once a Maintainer: Ralf Gommers

Welcome to Once a Maintainer, where we interview open source maintainers and tell their story.

This week we’re talking to Ralf Gommers, Co-Director of Quansight Labs and leading contributor to NumPy, the fundamental package for scientific computing in Python, as well as SciPy, meson-python, and the Array API Standard. NumPy published the first pre-release version of their upcoming 2.0 release in public beta this week. This is the first new major version of NumPy in 16 years.

Once a Maintainer is written by the team at Infield, a platform for managing open source dependency upgrades. Ralf spoke to us from Norway.

How did you get into software engineering?

To begin, I trained as an experimental…

Ruby on Rails 

Active Record Basics Guide Refresh, Encrypted Attributes Re-Optimization, and more…

Hi, it’s zzak. Let’s explore this week’s changes in the Rails codebase.

The Rails World CFP will close in just one week on March 21.
Submit your talk in time!

Active Record Basics Guide
This PR refreshes the guide covering the basics of Active Record.

Do not try to alias on key update when raw SQL is supplied
A bug was found when updating duplicates with raw SQL.

Memoize “key_provider” from “key” or deterministic “key_provider” if any
Previously, this memoization was removed which lead to a performance hit for encrypted attributes.

Updating Astana with a Western Kazakhstan timezone
On March 1, 2024, Kazakhstan (all parts) switched to a single time zone UTC+5.
Using the latest tzinfo-da…

Remote Ruby 

Struggles and Strategies-Dev Dilemmas

Join Chris and Andrew in this episode as they discuss their recent experiences and
challenges with software development projects. They cover a range of topics including
the impact of ADHD on productivity, troubleshooting coding issues, the intricacies of
working with React, caching problems, and the dilemmas faced when debugging and
deploying. They also dive into the variations of using Docker, optimizing CI/CD
pipelines, the potential of Rust for CLI applications, and reflect on their journey with
various programming tools and environments. Additionally, they touch upon the
development of Rails applications, the utilization of Docker containers for development
without installing Ruby or Rails, and…

Giant Robots Smashing Into Other Giant Robots 

Numeric data types in Ruby and when to use them

In programming, we usually deal with numbers daily, sometimes without even noticing it. There is a nice offer of numeric types in Ruby, each serving a purpose, supporting features and having different behaviours.

Let’s have a look at what these types are, what performance and precision they provide and how to use them properly in our programs.

Numbers are Numeric objects

The core parent class of all core numeric types is Numeric, itself inheriting from Object. It includes the Comparable module and provides methods for querying (e.g. #positive?), comparing (e.g. #<=>) or converting (e.g. #floor).

We don’t directly use this class, but those which inherit from it.

Numeric…

Awesome Ruby Newsletter 

💎 Issue 408 - Maps of Ruby Jobs in Linkedin around the world

Write Software, Well 

Understanding Ruby's defined? Keyword

Understanding Ruby's defined? Keyword

Ruby provides a handy defined?(arg) keyword that returns a string describing its argument.

language = 'Ruby'

defined? language               # 'local-variable'
defined? @instance_var          # 'instance-variable'
defined? @@class_var            # 'class variable'

defined? nil                    # 'nil'

defined? 1                      # 'expression'
defined? 'Ruby'                 # 'expression'
defined? String                 # 'constant'

You can use defined? to test if the expression refers to anything recognizable. The expression can be an object, a variable, a method name, etc.

Note that a variable set to nil is still initialized and recognized by ruby as a local-variable.

framework =…
Hi, we're Arkency 

How to add a loading animation to your turbo frame with TailwindCSS

How to add a loading animation to your turbo frame with TailwindCSS

Ever been working on a project and hit a snag? That’s what happened to me recently. I came across a turbo frame that was slow to load and didn’t show any signs of loading. Talk about confusing!

Waiting a few eternities for the historic transactions tab to load.

The busy attribute of the turbo frame

The easiest way to add a loading state to the turbo frame is to insert the loader inside the frame tag. Problem is that it only works on the very first load, after that you’ll see the old content until the new one fully loads.

I did some digging and found out that turbo frames actually have states, which can be useful: one…

Ruby Weekly 

Turbocharging Puma with Thruster

#​694 — March 14, 2024

Read on the Web

Ruby Weekly

37signals Open Sources Thruster — First seen in Campfire, Thruster is a minimal HTTP/2 proxy for production Rails deployments – it runs alongside Puma and offers HTTP/2, Caching, SSL via LetsEncrypt, and static file serving with compression, filling a similar role to Traefik or Caddy (like them, it’s written in Go).

37signals

IRB 1.12.0 Released — One advantage to various parts of Ruby being turned into separate gems is you can upgrade them without upgrading Ruby itself, and IRB is certainly worth upgrading frequently. v1.12 introduces enhancements to…

Test Double 

Product 101: What does a good product manager do?

What is a product? How does a product manager improve software teams and lead to stronger return on investments? How does a product manager reduce risk by focus on learning and validating assumptions?

Over the last decade, schools like Harvard Business School, Cornell University’s Johnson Graduate School of Management and Northwestern University’s Kellogg School of Management all rolled out new courses and programs aimed at teaching Product Management.

And yet, despite the rapidly growing industry of product management, many businesses still don’t fully understand how to leverage product managers to support the bottom line.

“There are probably more misconceptions about product…

RubySec 

CVE-2024-28199 (phlex): Cross-site Scripting (XSS) possible with maliciously formed HTML attribute names and values in Phlex

There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks. ### Impact If you render an `` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. ```ruby a(href: user_profile) { "Profile" } ``` If you splat user-provided attributes when rendering any HTML or SVG tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user. ```ruby h1(**JSON.parse(user_attributes)) ``` ###…
Everyday Rails 

Notes from migrating from Minitest to RSpec, with help from GitHub Copilot

Artificial intelligence hasn't replaced us yet, but how does it handle the boring parts of our jobs?
Ruby Central 

A Technical and Practical Program: RailsConf 2024 Speakers Announced!

A Technical and Practical Program: RailsConf 2024 Speakers Announced!

This year’s line-up celebrates everyday developers that build with Ruby on Rails

PASADENA, C.A. (March. 13, 2024) – RailsConf 2024 is the world's largest gathering of Rails developers, brought together to further discussion and learning about building, managing, and testing Rails applications. Long-time conference organizers, Ruby Central, Inc., have just announced the program for the 19th annual RailsConf. Forty speakers have been chosen to present talks or workshops at the conference, which takes place from Tuesday, May 7 to Thursday, May 9 in Detroit, MI. 

“This year’s speakers have been selected to give attendees real-life, practical, insights into building and running Rails apps and…

Jardo.dev: Blog 

In Defence of Gerrit

The first team I joined in the tech industry was not doing what I understood modern software development to be. There was no CI/CD. There wasn’t a single automated test. They’d only recently adopted Git, but were using it primarily as a big save button. Some project histories were just a long string of arbitrary commits with the message “EOD”.

I was in my early twenties. I’d been programming actively for about ten years, but only as a hobbyist or in school. I had no industry experience. I’d been consuming all the programming material I could find to help me land a job. I was alarmed by the complete absence of “best practices”, but in no position to lobby for changes.

I eventually pushed…

DEV Community: Masataka Pocke Kuwabara 

I released activerecord-originator!

This article is translated from a Japanese article written by me.

Hello, I'm Pocke.

Today, I created a gem called activerecord-originator, and I'd like to introduce it to you.

ActiveRecord::Originator

Add SQL comments to indicate the origin of the SQL.

This gem adds SQL comments indicating the origin of the part of the query. This is useful for debugging large queries.

Rails tells us where the SQL is executed, but it doesn't tell us where the SQL is constructed This gem lets you know where the SQL is constructed! For example:

Article Load (0.1ms)  SELECT "articles…
Ruby Rogues 

Homebrew Unleashed: Diving into the Fast and Efficient Packaging Process - RUBY 628

Mike McQuaid is the CTO and cofounder at Workbrew. They dive into the world of Homebrew, an open-source package manager for macOS and Linux. They explore the history and development of Homebrew, from its origins in the Ruby community to its evolution into a widely-used tool for installing and managing software.

The conversation delves into the intricacies of building and maintaining packages, the introduction of binary packages and a new JSON API, and the creation of Workbrew, a company focused on commercializing features for Homebrew. They also touch on the latest developments in Ruby, the differences between Homebrew Cask and Homebrew Core, and the complexities of handling a large number…

The Ruby on Rails Podcast 

Episode 511: WebAssembly with Benjamin Eckel

You may have heard about WebAssembly. It’s an open standard that aims to help developers create high performance applications on the web. It’s a portable binary execution format traditionally used on the front end, but there are also other ways to use it. I am completely new to WebAssembly, so today we have a guest to talk about it with us.

Show Notes

Sponsors
Honeybadger

As an Engineering Manager or an engineer, too much of your time gets sucked up with downtime issues,…

Ruby Magic by AppSignal 

Turbo Streaming Modals in Ruby on Rails

In part one of this series, we used Hotwire's Stimulus and Turbo Frames to present modals in Rails.

Now, we'll dive into another method we can use to present modals: Turbo Streams.

What Are Turbo Streams in Ruby on Rails?

Turbo Streams is a subset of Turbo. It allows us to make fine-grained, targeted updates to a page. By default, it contains seven CRUD actions, but we're free to add more actions within our applications.

Now, we'll create a show_remote_modal action which renders and presents the <dialog> from our previous post.

Creating a Custom Action

Create a folder to place all custom Stream Actions in:

$ mkdir app/javascript/stream_actions
$ touch app/javascript/stream_actions/index.js
Sam Saffron 

Claude 3 Opus - First impressions

Disclaimers and technical details

If you are looking for comprehensive benchmarks, head over the Anthropic announcement blog post, or to the fantastic LMSYS leaderboard.

My goal with this blog post is to provide anecdote only. Here are a limited number of tests and examples pitting Claude 3 Opus against the current (as of 08-03-2024) flagship model by Open AI, GPT-4 Turbo version 0125-preview.

I hope to provide entertainment and a glimpse into the capabilities of both of these impressive models.

I performed all my testing using Discourse AI which provides consistent tool (the ability to invoke functions) and persona support across a wide…

RailsNotes, the Ruby on Rails guides you wished you had. 

Using Rails debugger/rdbg with VS Code

A short introduction to the rdbg/debugger extension for VS Code, plus a guide on how to set it up correctly to debug your Ruby on Rails applications, as well as your RSpec specs. The VS Code extension takes 5 minutes to setup and it's great!
Giant Robots Smashing Into Other Giant Robots 

How to approach a reduce problem

Ruby’s reduce (aka inject) can be intimidating. It can be hard to both read and to write. This handy two-step approach has helped me write reduce code without tying my brain in knots.

Two-step process

Here are the two steps:

  1. Figure out how to combine 2 items
  2. Use reduce to scale up to n items

They derive from a helpful mental model I have:

reduce is a tool for scaling a method that combines 2 items into a method that combines n items.

Problem: Aggregating T-shirt inventory

Consider some code that models multiple warehouses that hold inventory of various sized t-shirts. We might want to find the total inventory across all warehouses. Aggregation problems…

Gusto Engineering - Medium 

Gusto Eng Spotlight Series: Hugo Rodriguez

This blog series is dedicated to celebrating our Black, Latino/a/e/x, and Women Engineers who are making an impact in the lives of our Gusties and Gustomers (Gusto customers) every day.

Today, we’re spotlighting Hugo Rodriguez, who works out of Mexico and has been with Gusto for 1.5 years and is now on the Payroll Experiences team. He also has 12 years of experience teaching Computer Science at the UNAM (Universidad Nacional Autonoma de Mexico).

Hugo wearing a concert T-shirt for Helloween & Hammerfall

Abby: Tell us a little about how you got to Gusto.

Hugo: Before Gusto, I was working for an energy company for 5 years building their frontend and backend systems for energy-price forecasting.…

Super Good Blog 

Introducing Dead Code

As software consultants, we bring more than Solidus expertise to the organizations we work with. We’re also specialists in iterative software development, which we believe is necessary for success in the eCommerce industry. We do our best to help shape the organizations we work with to make them better at delivering software.

In a sense, we’re undercover Extreme Programming consultants. We use our unique position as outsiders to the organization to facilitate healthy changes that push them towards iterative planning and incremental delivery. Different organizations are more or less receptive to this, but even when we collaborate with a more rigid organization, we do what we can to help make…

Jardo.dev: Blog 

Introducing Dead Code

It was only a matter of time before the disease that gets everyone in my demographic got me too. I’ve started a podcast. I know, I know, but the software industry needs me. I couldn't help myself.

One team’s best practices are another’s anti-patterns. The TDD debate continues with no end in sight. Agile might be dead, but it might still be alive and well, just divorced from its name. Computer science academia is totally disconnected from software development, and bootcamps have tried to improve on that by, uh, exploiting market conditions or something.

That’s where Dead Code comes in. Through conversations with people across the software world, we’re going hunting for our industry’s best…

BigBinary Blog 

Automating Case Conversion in Axios for Seamless Frontend-Backend Integration

In the world of web development, conventions often differ between backend andfrontend technologies. This becomes evident when comparing variable naming caseconventions used in Ruby on Rails (snake case) and JavaScript (camel case). Atneeto, this difference posed a major hurdle: the requirement for manual caseconversion between requests and responses. As a result, there was a significantamount of repetitive code needed to handle this conversion.

Heres a snippet illustrating the issue faced by our team:

// For requests, we had to manually convert camelCase values to snake_case.const createUser = ({ userName, fullName, dateOfBirth }) =>  axios.post("/api/v1/users", {    user_name: userName,   …
Evil Martians 

Martian Kubernetes Kit: unboxing our toolkit's technical secrets

Authors: Ilya Cherepanov, Site Reliability Engineer, Kirill Kuznetsov, Head of SRE, and Travis Turner, Tech EditorTopics: Ops, Site Reliability Engineering, Full Cycle Software Development, Backend Development, Kubernetes, Prometheus, Docker, Amazon Web Services, Google Cloud Platform, Terraform, Continuous Integration, Grafana, Heroku, Helm

We’ve been shipping Kubernetes to clients since 2015, and over the years, we realized it would be nice to have a setup that referred to some core distribution for our Kubernetes configuration. Read about our efforts creating a toolkit for our clients that make adopting it easy and affordable, transforming it from potential headache into just another…

Hashrocket - Ruby Posts 

Using a hash of data for string replacement in Ruby

Ruby string substitution using the % operator is a way to format strings in Ruby, enabling you to insert variables or expressions within a string. This technique can make it easier to build strings dynamically, particularly when you need to include variable content.

When you pass a hash of values for string substitution in Ruby, you can use named placeholders within the string. This approach is more readable and maintainable, especially with many variables or when the order of variables is only sometimes apparent. Here's how it works:

Syntax with Hash

To use a hash for string substitution, you specify symbols in the format string corresponding to the hash keys. Then, you pass the…

Radan Skorić's personal site 

How to customize Rails console setup without modifying the project

When working on projects with other developers you might (like me) find yourself wanting to customize the project console in a way that’s not useful as a default but it is useful for you. And ideally, I don’t want to modify the project, these are just my configurations. I deserve some privacy. My friend Nikola Topalović shared with me a setup that makes this possible in an elegant way. Set it...
Jardo.dev: Blog 

Goodbye, Pivotal Tracker

I just learned (through this article) that Pivotal Tracker is shutting down for everyone except enterprise customers. I’ve been using Pivotal Tracker for only slightly less time than I’ve been working with Rails. In the beginning I didn’t appreciate it. It was ugly. I didn’t understand the words it used. It was rigid. Eventually that changed.

Bugs didn’t get pointed, which made the team extremely aware of the cost of defects. Chores didn’t either, and that urged our team to break things down into user-oriented functionality, so that it would “count”. The “automatic” sprint planning was imperfect, but it tempered our unrealistic expectations of what we could get done. You could even create…

The Bike Shed 

418: Mental Models For Reduce Functions

Joël talks about his difficulties optimizing queries in ActiveRecord, especially with complex scopes and unions, resulting in slow queries. He emphasizes the importance of optimizing subqueries in unions to boost performance despite challenges such as query duplication and difficulty reusing scopes. Stephanie discusses upgrading a client's app to Rails 7, highlighting the importance of patience, detailed attention, and the benefits of collaborative work with a fellow developer.

The conversation shifts to Ruby's reduce method (inject), exploring its complexity and various mental models to understand it. Joël and Stephanie discuss when it's preferable to use reduce over other…

Honeybadger Developer Blog (Ruby Articles) 

Let's build a Hanami app

Hanami is a full-stack Ruby web framework. Unlike Rails, which has many default assumptions about how an app should be built, Hanami promises developer freedom by not imposing too many such defaults.

The framework is also blazingly fast due to its low memory footprint and focus on minimalism. Combine that with a focus on strict abstractions, and you get a fully-featured Ruby framework that could rival Rails for building some applications, such as APIs and micro-services.

In this tutorial, we'll learn about the framework's structure and features as we go through the steps of building a simple blog application.

Let's get started.

Prerequisites

In order to follow along with this tutorial,…

The RubyMine Blog : Intelligent Ruby and Rails IDE | The JetBrains Blog 

RubyMine 2024.1 Beta is Out!

Hello everyone!

We’re back with the latest update on the RubyMine 2024.1 Early Access Program.

You can download the Beta build from our website or via the free Toolbox App.

Here are the highlights:

Full Line Code Completion

RubyMine 2024.1 comes with the Full Line code completion (FLCC) feature for Ruby code. It is available as part of the Full Line Code Completion plugin, which is bundled with your IDE. 

The plugin enriches your code completion with multi-token proposals, employs a deep learning model, and operates on your local machine, ensuring that no data is transmitted over the internet. As a result, the functionality remains accessible even when you don’t have an…

Short Ruby Newsletter 

Short Ruby News - Edition #82

This edition has new sections for Ruby code: Code Samples, Code Design, and Around Code. This way, you can go quickly to what is of interest to you!
Ruby on Rails 

Illustrator file preview, deprecations and more!

Hi, it’s Greg. Let’s explore this week’s changes in the Rails codebase.

Feedback for structuring the Active Record Query Guide
The Active Record Querying Guide is getting restructured and the team working on it requests feedback from the community.

Rails World CFP closes in 2 weeks
2 more weeks left to submit your talk to Rails World 2024!

Railties: configure sanitizer vendor in 7.1 defaults more robustly
In apps where rails-html-sanitizer was not eagerly loaded, the sanitizer default could end up being Rails::HTML4::Sanitizer when it should be set to Rails::HTML5::Sanitizer. This change requires rails-html-sanitizer immediately before it’s needed, and avoids the possibly-incorrect…

Illustrator .ai files are previewable as PDFs
This happened…

Julia Evans 

How HEAD works in git

Hello! The other day I ran a Mastodon poll asking people how confident they were that they understood how HEAD works in Git. The results (out of 1700 votes) were a little surprising to me:

  • 10% “100%”
  • 36% “pretty confident”
  • 39% “somewhat confident?”
  • 15% “literally no idea”

I was surprised that people were so unconfident about their understanding – I’d been thinking of HEAD as a pretty straightforward topic.

Usually when people say that a topic is confusing when I think it’s not, the reason is that there’s actually some hidden complexity that I wasn’t considering. And after some follow up conversations, it turned out that HEAD actually was a bit more complicated than I’d appreciated!

GoRails Screencasts 

ActionController Modules in Rails

Ever wondered how Rails controllers get their functionality? Let's see how we can add translation support to Rails API controllers by looking at the Rails source
Giant Robots Smashing Into Other Giant Robots 

Introducing props_template: A Jbuilder alternative

I like Jbuilder. It’s been part of every Rails project every time I run rails new and the first thing I reach for when I want to create JSON responses. It’s as synonymous with JSON as ERB is with HTML.

But I wanted a version of Jbuilder that had layouts, didn’t merge hashes, had faster caches, directly used OJ’s StringWriter instead of building a hash, and allowed me to dig into a structure using a key path. Sometimes it makes sense to contribute to an open source project and submit pull requests for the features you want; sometimes we diverge so much that it makes sense to start anew.

Introducing props_template. A JSON builder with a Jbuilder-like DSL that has support for all of the…

Awesome Ruby Newsletter 

💎 Issue 407 - What Does the Frozen String Literal Comment Do in Ruby?

Ruby Weekly 

DHH's Windows odyssey

#​693 — March 7, 2024

Read on the Web

Ruby Weekly

A Cookbook of Ruby One-Liners — Ruby is a fantastic language for one-liners, whether in IRB or from the command line. We’ve linked to this cookbook before but it continues to prove very useful and Sundeep has released a new version of it, along with PDF/EPUB builds, and ▶️ a video explaining the project.

Sundeep Agarwal

Better Know a Ruby Thing: Keyword Arguments — Noel continues a series digging deep into specific Ruby features with a look at keyword arguments, from the basics through to fun stuff like using **nil to prevent keyword arguments being…

Saeloun Blog 

Rails 7.1.2 now ignores implicitly passed locals in templates that use strict local definitions

Templates have always been a powerful way to organize and reuse view elements. Rails 7.1 introduced strict local definitions in templates. This means that templates can now define a strict list of locals that they accept. This is useful for catching typos and other errors.

For example, to render a profile card with strict locals, a template might look like this:

# app/views/_profile.html.erb

<%# locals: (name:, avatar:) -%>

<div>
  <%= image_tag avatar %>
  <%= name %>
</div>

The magic comment locals: (name:, avatar:) defines the locals that this template accepts. If a local that is not defined is passed to this template, an exception will be raised.

#…
Evil Martians 

How to make complex serverless file processing a piece of cake

Authors: Valentin Kiselev, Backend Engineer, and Travis Turner, Tech EditorTopics: Backend, Serverless, Google Cloud Platform, TypeScript, Node.js

Complex file processing can be easy with serverless solutions, but to perform manipulations on the uploaded files, you also need an easy-to-integrate system. Learn file processing tools and techniques with a real case and see an example serverless app for Google Cloud Platform.

Complex file processing can be made easy with serverless solutions, but when it comes to performing various manipulations on the uploaded files, you also need a robust system that’s easy to integrate. Yet, if you want to create a complex service, you'll need to know some…

The Ruby on Rails Podcast 

Episode 510: Burnout with Dr. Katy Cook

Burnout is a common occurrence in the tech industry. And the recent onslaught of layoffs have left many stressed about their job search, or overworked from the increased demands of the smaller teams. I know some of my listeners have experienced burnout. I myself have had a recent experience with burnout that took months to recover from. Dr. Katy Cook joins the show to teach us more about Burnout.

Show Notes
The Psychology of Silicon Valley (2019)

APA Studies on Burnout

Have a comment on this episode? Send an email to comments@therubyonrailspodcast.com

Ruby Magic by AppSignal 

Active Record or Sequel: Which Best Fits The Needs of Your Ruby App?

When it comes to choosing an object-relational mapping (ORM) library for your Ruby application, Active Record is usually the favorite choice. It's an easy-to-use ORM library that allows for lots of data wrangling without resorting to SQL. All the same, you might wonder: "Is Active Record the only Ruby ORM library I can use?"

In this article, we'll compare some Active Record features to its lesser-known but powerful cousin, Sequel. There are too many points of comparison to cover everything (such as how each library handles CRUD operations, table joins, associations, database replication and sharding, etc). Instead, we'll scratch the surface of a few database operations — namely, filtering,…

Shopify Engineering - Shopify Engineering 

Improving Shopify App’s Performance

Write Software, Well 

Honeybadger Now Supports Logging and Event Monitoring

💡
Disclaimer: This is not a sponsored post. Honeybadger has not paid me anything to write it.
Honeybadger Now Supports Logging and Event Monitoring

I've been using Honeybadger for a while now on my Rails applications (both personal, hobby projects and for clientwork). I mainly use it for error and uptime monitoring. Both features work really great, and I really like their simple offerings and intuitive UI.

For a long time, I've been waiting for a simple hosted log management solution from them, and I recently stumbled across it while reading their docs. It's called Insights and you can read the docs here. I really like the following marketing copy, which helped clear some confusion I had about the related jargon.

Honeybadger Now Supports Logging and Event MonitoringLogging Events

The setup is…

Test Double 

Rapid skill acquisition: Tips to quickly adapt to new career opportunities

“We need some help with SQL Server work. Can you start Monday?”

It was Friday afternoon. I had taken a class in Microsoft SQL Server years before, on a version years out of date. I’d never really used it in any real projects. And this phone call came from five hours away, in another state.

But I was unemployed. So I said, “Sure thing. See you Monday morning!”

Microsoft SQL Server Version 6.5 logo The SQL Server Logo in its tribal tattoo phase

Then I ended the call, got in my car, and drove an hour to the nearest Borders bookstore. I purchased two promising books on Microsoft SQL Server, went to the bookstore’s in-house Starbucks, purchased a venti iced coffee, sat down with those two books and a…

Rails, PostgreSQL Performance Audit and Tuning Consultant for Hire 

How learning Rust changed my Ruby Workflow

For the last few months, I’ve been working semi-full-time on my first Rust project. After the first painful weeks of struggling against The Compiler, I feel I’m now spoiled by Rust development experience. In this blog post, I’ll describe improvements to my Ruby workflow that originate from what I’ve seen in the Rust ecosystem.

“Mom, can we have a Ruby compiler?”

Despite similar syntax, Rust and Ruby are vastly different. Compiled vs. interpreted, rigid type system vs. “If it quacks…“.

The initial learning curve is relatively steep, with the simplest implementations requiring type-related annotations. This “syntax overhead” might initially seem pointless for someone with a Ruby…

BigBinary Blog 

How we migrated from Sidekiq to Solid Queue

BigBinary is building a suite of products under neeto. Wecurrently have around 22 products under development and all of the products areusing Sidekiq. After thelaunch of Solid Queue, wedecided to migrate neetoForm from Sidekiq toSolid Queue.

Please note that Solid Queue currently doesn't support cron-style or recurringjobs. There is a PR openregarding this issue. We have only partially migrated to Solid Queue. Forrecurring jobs, we are still using Sidekiq. Once the PR is merged, we willmigrate completely to Solid Queue.

Migrating to Solid Queue from Sidekiq

Here is a step-by-step migration guide you can use to migrate your Railsapplication from Sidekiq to Solid Queue.

1. Installation

  • Add gem…
The Bike Shed 

417: Module Docs

Stephanie shares about her vacation at Disney World, particularly emphasizing the technological advancements in the park's mobile app that made her visit remarkably frictionless. Joël had a conversation about a topic he loves: units of measure, and he got to go deep into the idea of dimensional analysis with someone this week.

Together, Joël and Stephanie talk about module documentation within software development. Joël shares his recent experience writing module docs for a Ruby project using the YARD documentation system. He highlights the time-consuming nature of crafting good documentation for each public method in a class, emphasizing that while it's a demanding task, it…

Honeybadger Developer Blog (Ruby Articles) 

How to deploy a Rails app to Render

There are many ways to deploy a Ruby on Rails application to the internet. Between hosting on your own hardware, renting a virtual machine, using a cloud provider, and using a platform, the opportunities are endless. The low-hassle way to host a Rails application is to use a Platform as a Service (PaaS). In this article, we'll show you how to deploy a Rails Application to Render.com, and as a bonus, monitor it with Honeybadger! You can find the final project here on Github.

Going a step further than cloud hosting and using a platform to deploy your web apps provides incredible convenience at a cost. Under the hood, platforms such as Render and Heroku use Amazon Web Services or other cloud…

The Ruby Dispatch 

Execute Third Party Code in a Rails App

Imagine inviting random strangers from the internet to bring along their code and run it on your servers in a Rails app. Sounds like a security nightmare, doesn’t it? Where do you even start?

If you run into a person at Fly.io, they might be saying something about “Fast booting VMs”, but what does that mean outside of faster deployment times?

Turns out when an entire machine can be boot in 2 seconds or less, it becomes possible to boot a server via a Rails background job, analyze a strangers code from within the confines of a virtual machine, and shut it down when the job is complete.

Sounds complicated right? It is, but Fly.io built the Machines API to manage all that complexity so you…

Gusto Engineering - Medium 

Spaghetti Model Part 5: Safely Remove ActiveSupport Concerns

Note: This is one part of my journey to tame a spaghetti model or god object. Start with Post 1: Unraveling a Spaghetti Model to see how I chose to tackle this problem.

Your spaghetti model has been a dumping ground of methods and associations for years. In our case, it’s the company model. We know we need to add functionality to the system, so we place the new capability on the company because it’s convenient. We may rationalize it with “Besides, the company should know whether it has active medical benefits.”

Overview

To deal with models with way too many methods, Rails 4 introduced ActiveSupport Concerns as a way of partitioning and reusing model code. Methods and associations that worked…

Short Ruby Newsletter 

Short Ruby News - Edition #81

A Monday summary of the articles, discussions, and news from the Ruby community
Write Software, Well 

Announcing: Rails Companion - Build a WebApp in Ruby Without Rails

Announcing: Rails Companion - Build a WebApp in Ruby Without Rails

Last year, I started writing a series of articles called Ruby no Rails on building a web application in Ruby, without using the Rails framework.

Part of the reason was to understand how frameworks like Ruby on Rails work. Like what really happens when your application receives a request? How does it invokes an action on a controller? How does it create the view? What? How? When? Why? So many questions...

Another reason was to demystify some of the magic that's typically associated with Rails, and try to explain in simple words the fundamentals of web applications, like HTTP, controllers, views, middleware, routing, and much more.

In all, I wrote 8 posts, and they were received very well by the…

a-chacon 

Exploring the Possibilities of WebAssembly: Ruby in the Browser

WebAssembly (abbreviated as Wasm) is a binary instruction format designed to be interpreted by stack-based virtual machines.
Drifting Ruby Screencasts 

Streaming LLM Responses

In this episode, we look at running a self hosted Large Language Model (LLM) and consuming it with a Rails application. We will use a background to make API requests to the LLM and then stream the responses in real-time to the browser.
Tom Dalling 

High Performance Requires Process

Processes are a prerequisite for high-performance in software engineering teams due to their ability to amplify the skill of the team. I believe there exists no team, given that there is little to no process to begin with, whose performance could not be improved by adding appropriate process.

RubySec 

CVE-2023-51774 (json-jwt): json-jwt allows bypass of identity checks via a sign/encryption confusion attack

The json-jwt (aka JSON::JWT) gem versions 1.16.5 and below sometimes allows bypass of identity checks via a sign/encryption confusion attack. For example, JWE can sometimes be used to bypass JSON::JWT.decode.
Mike Perham 

Serializing Ruby datatypes in JSON

Ruby’s JSON library allows you to convert Ruby datatypes into a JSON document, as long as those types are native to JSON: String, bool, int, float, nil, Hash and Array. Everything else converts to a String by default; if you use any other core datatypes, they will not survive a JSON.generate/JSON.parse round trip. Here I pass a Range, Symbol and Time; notice how the end result is three Strings instead of the actual types:
Write Software, Well 

What Does the Frozen String Literal Comment Do in Ruby?

What Does the Frozen String Literal Comment Do in Ruby?

When working with Ruby programs, you must have come across the following comment at the top of the file:

# frozen_string_literal: true

print "Let's learn Ruby on Rails"

# frozen_string_literal: true is a magic comment in Ruby, which tells the Ruby interpreter that all the string literals must be frozen and memory should be allocated only once for each string literal.

💡
What's a magic comment?

A magic comment is a special type of comment in Ruby that's defined at the top of the Ruby script. It affects how the Ruby code is executed. You can think of them as "directives" or "instructions" for the Ruby interpreter.

Magic comments must always be in the first comment section in the file. Their scope…
naildrivin5.com - David Bryant Copeland's Website 

Methods Don't Succeed our Fail: they Have Outcomes

On Matstodon, Peter Solnica posted some Ruby pattern-matching code, asking what Rails devs think about it. While pattern matching is interesting, I think I still prefer if statements based on return objects. But, I also think the “success/failure” dichotomy is unnecessary, confusing, and often a modeling error.

Peter’s code example is as follows:

def create
  create_user = Commands:: CreateUser.new

  case create_user.call(params[:user].to_unsafe_h)
  in Success(User => user)
    redirect_to users_url, notice: "User was successfully created."
  in Failure(user: user, errors: errors)
    render :new, locals: 1 user: user, errors: errors }
  in Failure(type: :exception, reason: :database

In follow up comments, there were ideas expressed that the method “succeeded or had various failures”, or that you can in theory compose such results and execute more logic only on success.

I find that treating both “the…

Alchemists - Articles 

XDG Base Directory Specification

Cover
XDG Base Directory Specification

The XDG Base Directory Specification defines an organized folder and file structure for applications to store associated user configuration, cache, data, state, and runtime information on UNIX-like systems. This allows for consistency across different programs and desktops. Consistency is key because, without the specification, we end up with messy and disorganized dotfiles.

The goal of this article is to explain what XDG Base Directory Specification is, why the specification is important, and how you can make use of it.

History

Version 0.1.0 of the…

Ruby Rogues 

Revolutionizing Ruby Deployment with Falcon Web Server and Async Concurrency Framework - RUBY 627

Samuel Williams is a Ruby Core Committer and the creator of Async & Falcon. They delve deep into the technical intricacies of Falcon, a cutting-edge application container that leverages the Async gem for event-driven concurrency. Additionally, they discuss the challenges and triumphs of deploying Ruby applications with Falcon and share insights into the evolution of async programming in Ruby. From the nitty-gritty of platform internals to the fascinating integration of async job execution in Rails, this episode is a must-listen for developers seeking to unravel the complexities of modern software deployment and concurrency.


Sponsors


Links

Ruby on Rails 

Added fixture method and bugfixes

Hi, Wojtek from this side. Let’s explore this week’s few changes in the Rails codebase.

Rails security update releases
Rails Versions 6.1.7.7, 7.0.8.1, and 7.1.3.2 have been released last week which contain fixes for security issues.

Expose a generic “fixture” method in tests
To avoid conflicting methods, in example with Minitest, it is possible now to load fixtures like this:

assert_equal "Ruby on Rails", web_sites(:rubyonrails).name
assert_equal "Ruby on Rails", fixture(:web_sites, :rubyonrails).name

Introduce assert_initializer
Compliments the existing initializer generator action.

Set default_url_options values in development/test environments
Prior to this commit, new Rails…

Awesome Ruby Newsletter 

💎 Issue 406 - 🌸 Hanami 2.1: Views that are a sight to see

Gusto Engineering - Medium 

Optimizing R&D Tax Credits

Accelerating Operations Through Automated Data Loading and Population with Optical Character Recognition (OCR)

Traditionally, R&D Tax Credits has been operationally intensive. Gusto leads the way in simplifying access to these credits for small and medium-sized businesses (SMBs) through automated, self-service solutions. To ensure compliance with IRS standards, we request relevant documentation from our customers, including business owners and accountants, regarding their business operations.

Problem: The human cost

For our Operations team, extracting and populating crucial data from provided documents demands a substantial amount of time when serving our customers.

This includes information…

Ruby Weekly 

Sidekiq, under the hood

#​692 — February 29, 2024

Read on the Web

Ruby Weekly

The Art of Forking: Unlocking Scalability in RubyKarafka (a Ruby processing framework for Apache Kafka) requires concurrency and parallelism, which can present challenges in Ruby. The explanations here of how Karafka uses Ruby’s constructs is informative and shows that you don’t necessarily need to use another language to address issues of concurrency.

Maciej Mensfeld

How Does Sidekiq Work?Sidekiq is the most heavily used background job system in the Ruby space, and this post digs into how it works, its architecture, and what’s going on under…

Test Double 

How to calculate the real ROI of offshore consulting

Ever wondered if offshore software consulting could be a magical shortcut to solve your software issues without burning a hole in your budget?

Offshore development centers are now sprawled across China, Malaysia, Pakistan, the Philippines, Mexico, Chile, and beyond. The promise: low-cost services from an army of programmers.

But is it truly a budget-friendly savior?

The price tag on software development goes far beyond the developers’ hourly rate. There’s the cost of time spent on communication, management, and approvals. There’s the quality of the software developed, the time it takes to develop and its impact on the business objectives. The maintenance costs required to support the…

RubySec 

CVE-2024-27285 (yard): YARD's default template vulnerable to Cross-site Scripting in generated frames.html

### Summary The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. ### Details The vulnerability stems from mishandling user-controlled data retrieved from the URL hash in the embedded JavaScript code within the "frames.erb" template file. Specifically, the script lacks proper sanitization of the hash data before utilizing it to establish the top-level window's location. This oversight permits an attacker to inject malicious JavaScript payloads through carefully crafted URLs. Snippet from…
Evil Martians 

The complete guide to multi-tenant SaaS, part 1: collaboration

Authors: Anton Lovchikov, Sr. Product Designer, Irina Nazarova, CEO, and Travis Turner, Tech EditorTopics: Business, Full Cycle Software Development, Product Design

An experience-backed overview on adding a multiplayer/multi-tenant SaaS mode to an existing product with a focus on collaboration: conflict resolution, history management, and offline modes.

Until recently, realtime collaboration was just this shiny new thing: some of our consulting clients wanted it, but it was expensive to implement and the payoff wasn’t always crystal clear to them. In any case, the projects we had that saw us implementing collaborative features inspired us enough to go deep into building realtime tooling (see…

The Ruby on Rails Podcast 

Episode 509: The Future Of Ruby Central with Adarsh Pandit

Recently, Ruby Central named a new executive director, Adarsh Pandit. Ruby Central has been a force in the Ruby community for years, organizing conferences and contributing to the community. The recent changes in governance have led t some exciting things on the horizon. Adarsh joined the show to talk about what's going to happen with Ruby Central in 2024.

Show Notes
Ruby Central Website - https://rubycentral.org/
Ruby Conf Musical Number Video - https://www.youtube.com/watch?v=8WhbX6dS6x0
RubyConf Recap Survey Results - https://rubycentral.org/p/c9897883-2135-4704-b53a-a4111ca272f3/
Ruby Central Get Involved Page - https://rubycentral.org/leadership/
Ruby Central contact page - c…

Test Double 

Running Rails on AWS Elastic Beanstalk

Recently, I got a Rails app running on AWS Elastic Beanstalk for the first time. I wanted to share the steps to do so here. Although there are other tutorials, AWS and Rails both change over time, so some of these steps here are updated compared to other tutorials. Since AWS is so complex, a lot of tutorials assume prior AWS knowledge as well; this one walks you through everything you need step by step.

In this tutorial, we’ll:

I say “optionally” for the last two steps because if you aren’t ready to register a custom domain or set up SSL, you can stop before that point and the…

solnic.dev 

Speed Up Your Elixir Testing with Custom Tasks and Key Bindings in Visual Studio Code

Testing is an integral part of software development that ensures your code works as expected. However, running tests can sometimes be a slow and cumbersome process, especially when you're looking to quickly iterate on your code. I use a "secret" method that allows me to quickly run tests using custom tasks and key bindings in Visual Studio Code (VS Code). This approach is much faster and lighter than other solutions I've tried.

Custom Tasks in VS Code

The first step in speeding up your test runs is to set up custom tasks in VS Code. These tasks can be configured to run specific test commands, such as "test current line" or "debug current line.". All you need to do is to create .vscode/tasks.j…

Super Good Blog 

Debugging The Zeitwerk Migration

Rails 6 introduces a new way of autoloading, integrating the gem Zeitwerk. Rails 7 drops support for classic autoloading, so it’s necessary to switch to Zeitwerk if you ever want to upgrade to Rails 7.

For those not familiar: autoloading in Rails provides access to all your classes and modules automatically, without having to use require. Making the switch to Zeitwerk-based autoloading can be tricky, because it changes how your application looks up source code files. It’s easy to run into problems if you’re not aware of Zeitwerk’s conventions, and how it differs from the classic autoloader.

How are constants resolved in Ruby

module Admin
  class ProductsController < ApplicationController
  …
RubySec 

CVE-2024-27456 (rack-cors): Rack CORS Middleware has Insecure File Permissions

rack-cors (aka Rack CORS Middleware) 2.0.1 has 0666 permissions for the .rb files.
Ruby Central 

February 2024 Newsletter

Hello! Welcome to the February newsletter. Read on for announcements from Ruby Central and a report of the OSS work we’ve done from the previous month. In January, Ruby Central's open-source work was supported by 29 different companies, including Fastly,  Sentry, Ruby Shield sponsor Shopify, and Partner-level member Contributed Systems, the company behind Mike Perham’s Sidekiq. In total, we were supported by 178 members. Thanks to all of our members for making everything that we do possible. <3

Ruby Central News

Ruby Meet-ups

  • Directory coming soon! We’re creating a directory of ALL active Ruby meetups to help us connect with one another, and so we can offer resources and support. Click to fill…
BigBinary Blog 

Streamlining translation resource loading in React apps with babel-plugin-preval

At Neeto, our product development involves reusing common components, utilities,and initializers across various projects. To maintain a cohesive andstandardized codebase, we've created specialized packages, or "nanos" such asneeto-commons-frontend, neeto-fields-nano, and neeto-team-members-nano.

neeto-commons-frontend houses utility functions, components, hooks,configuration settings etc. neeto-fields-nano manages dynamic fieldcomponents, while neeto-team-members-nano handles team member managementfunctionalities.

These nanos, along with others, reduce redundancy and promote consistencyacross our products.

Translation Challenges

Many of our packages export components with text that requires…

Radan Skorić's personal site 

How to debug issues with Turbo Morphing

Turbo’s morphing feature can look magical. There’s a lot of pieces moving behind the scenes to make it come alive. That’s great when it works but when it doesn’t you might be left staring at the screen unsure where to start to debugging it. Maybe you made a mistake in your code. Maybe it’s all working as expected but it caught you by surprise. Maybe you ran into a bug in Turbo itself. Yes, that...
Ruby on Rails 

Rails Foundation and Doximity to Sponsor Rails Girls São Paulo 2024

(Portuguese below)

The Rails Foundation and Doximity are teaming up with Rails Girls São Paulo and Tropical.rb to co-host the return of the Rails Girls São Paulo in 2024.

Name: Rails Girls São Paulo
Date: April 6, 2024
Location: Le Wagon São Paulo

Scheduled for the weekend following Tropical.rb, Rails Girls São Paulo aims to bring together 30 individuals in teams of 6, each guided by dedicated Portuguese-speaking mentors, for a weekend of learning, coding, and community building.

Rails Girls took place regularly in São Paulo from 2015 to 2019, introducing nearly 300 local students to Rails in that time. Inspired by the current momentum in the Rails community and the return of…

Hanami 

Hanami 2.1: Views that are a sight to see

After a year of work, Hanami 2.1 is here! This release introduces our view layer and front-end assets support, and brings Hanami a big step closer to our full stack vision.

It all starts with hanami dev

Working on your app’s front-end now starts with a single new command: hanami dev.

Running hanami dev starts the familiar Hanami web server alongside our new front-end assets watcher and compiler.

From there, you’re ready to open http://localhost:2300 and take in our gorgeous new welcome screen, in both light and dark mode.

Welcome screen in light mode

Welcome screen in dark mode

Welcome (back!) to Hanami. We’ve been building something special for you!

You’ll love our view on views

Test Double 

Flipping the script on Black history: Transforming challenges into career superpowers

I think about our journey as Black business leaders every February. Black History Month is a time to honor and celebrate the strength we’ve summoned to overcome the obstacles in our path.

This year, my focus is on the skills and strategies Black business leaders develop in response to challenges. Adversity becomes a platform for us to enhance our capabilities and become even stronger. Our trials force us to cultivate superpowers.

I want to emphasize that I am not diminishing the impact of racism on our history. It’s been a horrible stain on our country since the first Africans arrived on this continent. We were considered property until 1865. Legal segregation continued until 1964.…

The Bike Shed 

416: Multi-Dimensional Numbers

Joël discusses the challenges he encountered while optimizing slow SQL queries in a non-Rails application. Stephanie shares her experience with canary deploys in a Rails upgrade. Together, Stephanie and Joël address a listener's question about replacing the wkhtml2pdf tool, which is no longer maintained.

The episode's main topic revolves around the concept of multidimensional numbers and their applications in software development. Joël introduces the idea of treating objects containing multiple numbers as single entities, using the example of 2D points in space to illustrate how custom classes can define mathematical operations like addition and subtraction for complex data types.…

Giant Robots Smashing Into Other Giant Robots 

Linear Regression using dataframes in Ruby

This article will introduce data science by presenting an essential method: linear regression.

It’s a method used when two types of continuous numeric data correlate. Typical examples of data that correlate are the size of a flat and its price, the amount of time spent studying and test scores, the number of years at work and the salary, the sales of a product and the amount spent on advertising.

So, we have two types of values, one of which will help predict the other. Standard terms used are dependent variables, the variables we’re trying to find, and independent variables for the variables that help us predict it. When thinking about mathematical functions, the x is the independent…

Saeloun Blog 

Rails 8 adds Brakeman by default to new applications

What is Brakeman?

Brakeman is a security scanner for the Rails application. It statically analyzes the source code and looks for security issues at any stage of development.

Brakeman requires no configuration, once it is installed, we can just run it.

It scans the application code and produces a report of all the security issues it has found.

Brakeman helps in early security issues detection, Developers are better aware of any security vulnerabilities with the help of Brakeman.

It can identify a wide range of security vulnerabilities like SQL injection, Cross-site scripting(XSS), and Cross-site request forgery(CSRf).

It also checks for code that allows users to bypass security checks…

Short Ruby Newsletter 

Short Ruby News - Edition #80

A Monday summary of the articles, discussions, and news from the Ruby community
Rémi Mercier 

Domain complexity vs applicative complexity

For years, code would fall into two categories: easy (good!) and hard (bad!).

Recently, I’ve realized that not every piece of hard code is created equal. Complex code often encompasses two kinds of complexity: domain complexity and applicative complexity.

And I often failed to identify which is which.

Domain complexity

Domain complexity is what we refer to when we talk about “rocket science”. Building actual spaceships, forecasting extreme meteorological events, studying the human genome, etc… You know, hard stuff.

But any domain where programming happens has inbuilt complexity.

I once worked for a real estate company. The regulations were abstruse enough that our codebase reflected…

Andy Croll 

Validate Email Addresses

Ensuring you have data that makes sense is why Rails provides validations through the Active Model library, which underpins Active Record.

Making sure you can email your users is one of the most important things to get right in your application, so you probably already have validation checks around your User#email attribute.

Instead of…

…inventing your own regular expression, or using this one from the older Rails docs:

class User < ApplicationRecord
  validates :email,
    format: { with: /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i },
    presence: true,
    uniqueness: { case_insensitive: true }
end

Use…

…one of these several better options:

Devise

A reasonable choice, if…

Closer to Code 

The Art of Forking: Unlocking Scalability in Ruby

Introduction

The journey towards efficient parallelization in library development has often been based on using threads. As Karafka celebrates its eighth anniversary, it's become clear that while threads have served us well for many tasks, there's room to explore further. That's why I've decided to introduce forking capabilities into Karafka, aiming to offer another dimension of parallelization to its users. This move isn't about replacing threads but about providing options to cover a broader spectrum of use cases than before.

For those who wonder what Karafka is, Karafka is a Ruby and Rails multi-threaded efficient Kafka processing framework designed for building efficient and scalable…

RubySec 

CVE-2024-25126 (rack): Denial of Service Vulnerability in Rack Content-Type Parsing

There is a possible denial of service vulnerability in the content type parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2024-25126. Versions Affected: >= 0.4 Not affected: < 0.4 Fixed Versions: 3.0.9.1, 2.2.8.1 # Impact Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability. Impacted code will use Rack’s media type parser to parse content type headers. This code will look like below: ``` request.media_type ## OR request.media_type_params ## OR Rack::MediaType.type(content_type) ``` Some frameworks (including Rails) call this code…
RubySec 

CVE-2024-26141 (rack): Possible DoS Vulnerability with Range Header in Rack

There is a possible DoS vulnerability relating to the Range request header in Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26141. Versions Affected: >= 1.3.0. Not affected: < 1.3.0 Fixed Versions: 3.0.9.1, 2.2.8.1 # Impact Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). # Releases The fixed releases are available at the normal locations. # Workarounds There are no feasible workarounds for this…
RubySec 

CVE-2024-26142 (actionpack): Possible ReDoS vulnerability in Accept header parsing in Action Dispatch

There is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-26142. Versions Affected: >= 7.1.0, < 7.1.3.1 Not affected: < 7.1.0 Fixed Versions: 7.1.3.1 # Impact Carefully crafted Accept headers can cause Accept header parsing in Action Dispatch to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. # Releases The fixed releases are available at the…
RubySec 

CVE-2024-26143 (actionpack): Possible XSS Vulnerability in Action Controller

There is a possible XSS vulnerability when using the translation helpers (`translate`, `t`, etc) in Action Controller. This vulnerability has been assigned the CVE identifier CVE-2024-26143. Versions Affected: >= 7.0.0 Not affected: < 7.0.0 Fixed Versions: 7.1.3.1, 7.0.8.1 # Impact Applications using translation methods like `translate`, or `t` on a controller, with a key ending in “_html”, a `:default` key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. For example, impacted code will look something like this: ``` class ArticlesController < ApplicationController def show @message = t("message_html",…
RubySec 

CVE-2024-26144 (activestorage): Possible Sensitive Session Information Leak in Active Storage

There is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a `Set-Cookie` header along with the user’s session cookie when serving blobs. It also sets `Cache-Control` to public. Certain proxies may cache the `Set-Cookie`, leading to an information leak. This vulnerability has been assigned the CVE identifier CVE-2024-26144. Versions Affected: >= 5.2.0, < 7.1.0 Not affected: < 5.2.0, >= 7.1.0 Fixed Versions: 7.0.8.1, 6.1.7.7 # Impact A proxy which chooses to caches this request can cause users to share sessions. This may include a user receiving an attacker’s session or vice versa. This was patched in 7.1.0 but not previously identified as…
RubySec 

CVE-2024-26146 (rack): Possible Denial of Service Vulnerability in Rack Header Parsing

There is a possible denial of service vulnerability in the header parsing routines in Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26146. Versions Affected: All. Not affected: None Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1 # Impact Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. `Accept` and `Forwarded` headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. # Releases The fixed releases are available at the normal locations. # Workarounds There are no feasible workarounds for this issue.