CVE-2025-61771 (rack): Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
CVE-2025-61772 (rack): Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
This blog post is part of a series called “Hanami for Rails Developers”.
- Part 1: Models
- Part 2: Controllers
- Part 3: Forms (you are here)
In the first two parts of this guide, we covered off the familiar concepts of models and controllers, and saw how Hanami approached these designs. We saw that Hanami split the responsibilities of models between repositories, relations and structs, and we saw that the responsibilities of a controller and its views were split between actions, views and templates.
In this part, we’re going to continue building on our application’s foundation by introducing a form that lets us add further books to our application. In a Rails app, we would handle…

Join me on a breathtaking journey as we add a client-side search to an SSG docs-first site, built with Astro!
Building static sites with Astro is a dream (especially for documentation). But what to do when your growing docs need full-text search, but you don’t want to give up that static delight? In this post, see how to bring powerful, fuzzy, and accessible search to Astro-generated sites. (This means no external crawlers and no remote APIs.) We’ll also look at the limits of AI-based and third-party search, demonstrate how to generate a build-time JSON index with Astro’s endpoints, and fine-tune the…
Who Owns RubyGems? Inside the Ruby Central Controversy
In this episode of Remote Ruby, Chris is on paternity leave celebrating the birth of his son, so Andrew brings in Drew Bragg and Rachael Wright-Munn (aka ChaelCodes), to discuss recent controversies surrounding Ruby Central and its alleged takeover of Ruby Gems and Bundler. They dive into the timeline of events, conflicting narratives, communication failures, and the underlying security concerns. They address theories and facts, scrutinize the governance of Ruby Central, and discuss the implications for the Ruby community. The episode emphasizes the importance of asking questions and seeking clarity, while advocating for a balanced and constructive approach to resolving the community's…
Direct link to podcast audio file
Jared Norman interviewed me after he wrote about the order in which programmers choose to write their code and I offered this response. In this episode, we touch on this before launching into a more expansive discussion on why the agile movement fizzled out and what we can reclaim from a developer workflow perspective now that we're experiencing our first major market upheaval since then with the rise of coding agents.
Appearing on: Dead Code
Published on: 2025-09-09
Original URL: https://shows.acast.com/dead-code/episodes/fear-driven-everything-with-justin-searls
Comments? Questions? Suggestion of a podcast I should guest on? podcast@searls.co
Delete your old migrations, today
We get attached to code - sometimes to a fault. Old migrations are exactly that. They’re digital hoarding at its finest, cluttering up your codebase with files that serve absolutely no purpose other than to make you feel like you’re preserving some kind of historical record.
But here’s the brutal truth: your old migrations are utterly useless. They’re worse than useless - they’re actively harmful. They’re taking up space, they are confusing (both for you and new developers on the project), and they give you a false sense of security about your database’s evolution.
If your database is out-of-sync with schema.rb you need to solve that problem anyway, and - if anything - the migrations make…
This is our second threat intelligence post. Each week, if appropriate, we will aim to share some wider industry news that might impact our clients.
What we cover will depend on what has happened the previous week; this week's, for example, is a much shorter update.
Ruby
Some of the folk that previously maintained and operated RubyGems.org have started a new server for hosting gems https://gem.coop.
No action needed unless your team feels they want to migrate away from RubyGems (which is understandable).
Github
Github recently rolled out sign in with Apple. Unless your organisation specifically requires this, I would recommend against employees tying their login to Apple IDs.
They are…
Voice for Inclusive Efficiency: How AI-Powered Voice Banking is Transforming Financial Inclusion in FinTech
I’ve thought deeply about building CLIs and built a lot of them over the years. I’ve used Rake, Thor, my own gem GLI and many others. After all that, the venerable OptionParser, part of Ruby’s standard library, is the best choice for scripting and sub-command (git-like) CLIs. I want to show you how.
What is a Sub-Command CLI?
At first glance, OptionParser doesn’t seem to support a sub-command CLI, like so (I’ll explain what each part is below):
> bin/test --verbose audit --type Component specs/front_end
Yes, you could configure --verbose and --type TYPE, then figure out that the first thing left over in ARGV was a command, but it gets very cumbersome when things get beyond trivial,…
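One way to get the sub-command shape above out of plain OptionParser, shown here as an added example rather than the author's own code: a top-level parser handles the global switches with order!, which stops at the first word that is not an option, and each sub-command then gets its own parser for whatever is left. The command names, the switches and the second "list" sub-command are invented for the example.

```ruby
require "optparse"

# Parses "global options, then a command, then that command's options and args".
# Global switches are consumed with OptionParser#order!, which (unlike parse!)
# does not permute: it stops at the first non-option word, the sub-command.
def parse_cli(argv)
  argv = argv.dup
  global = { verbose: false }
  top = OptionParser.new do |o|
    o.banner = "Usage: bin/test [--verbose] COMMAND [options] [ARGS...]"
    o.on("-v", "--verbose", "Print more output") { global[:verbose] = true }
  end

  # Each sub-command owns its own OptionParser, so "--type" is only known to
  # "audit" and cannot be mistaken for a global switch. (Hypothetical commands.)
  commands = {
    "audit" => lambda do |args|
      opts = { type: nil }
      OptionParser.new do |o|
        o.banner = "Usage: bin/test audit [--type TYPE] PATH..."
        o.on("--type TYPE", "Only audit the given TYPE") { |t| opts[:type] = t }
      end.parse!(args)                       # removes known switches, leaves paths
      raise ArgumentError, "audit needs at least one PATH" if args.empty?
      opts.merge(paths: args)
    end,
    "list" => lambda do |args|
      opts = { long: false }
      OptionParser.new do |o|
        o.on("-l", "--long", "Long listing") { opts[:long] = true }
      end.parse!(args)
      opts
    end,
  }

  rest = top.order!(argv)                    # e.g. ["audit", "--type", "Component", "specs/front_end"]
  command = rest.shift
  unless command && commands.key?(command)
    raise ArgumentError, "unknown command #{command.inspect}\n#{top}"
  end
  { global: global, command: command, options: commands[command].call(rest) }
end

if $PROGRAM_NAME == __FILE__
  p parse_cli(ARGV.empty? ? %w[--verbose audit --type Component specs/front_end] : ARGV)
end
```

With this layout global switches must come before the command: bin/test audit --verbose reaches the audit parser and raises OptionParser::InvalidOption, which is the failure you want, since an unrecognised switch should never be silently dropped.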
Ruby 3.4.7 Released
Ruby 3.4.7 has been released.
This release includes an update to the uri gem addressing CVE-2025-61594, along with other bug fixes. Please refer to the release notes on GitHub for further details.
We recommend updating your version of the uri gem. This release has been made for the convenience of those who wish to continue using it as a default gem.
Release Schedule
We intend to release the latest stable Ruby version (currently Ruby 3.4) every two months following the most recent release. Ruby 3.4.8 is scheduled for December and 3.4.9 for February.
If a change arises that significantly affects users, a release may occur earlier than planned, and the subsequent schedule may shift…
Lost in Minitest? Start here!
I have a confession to make: I have never used Minitest in the seven years I’ve been a professional programmer.
I’ve always used the other framework.
But earlier this year, I started working with a client whose application relied solely on Q&A instead of automated tests. In an effort to bring the team peace of mind during releases, I started adding tests to the most critical parts of the application.
Lured by the promise of speed and wide adoption, I suggested we try Minitest.
As I started working on writing my first tests, I hit an unexpected roadblock.
Minitest (lack of) onboarding
After writing several hundred tests, I can confidently say that Minitest’s biggest weakness is its…

Open source, talks around the world and prepping SFRuby for Nov 2025. Catch up Evil Martians' blog, open source, podcast, and get ready as we head for SFRuby Conference in San Francisco.
Summer has ended! In this post, we recap Martian posts, talks, open source + more you might have missed.
CVE-2025-61594 (uri): CVE-2025-61594 - URI Credential Leakage Bypass over CVE-2025-27221
Go straight to the site: forge.railsdesigner.com.
Announcing Forge: a minimal, self-hosted community app with channels, threads, and more. Pay once, no monthly fees, and customize everything you need.
Forge is a forum-like (think Slack/Discord) platform to build your paid community. You provide a Stripe payment link, and after payment your new member gets an invite link to your community. It has all the typical community features, like: channel-based organization, threads, user profiles and moderation tools.
It is, of course, built with the latest Rails (including the new rich-text editor Lexxy!) and as vanilla as possible. The only extra gems added are: Courrier, Rails Icons, Perron…
Designed…
My previous article about timezones turned out to be useful for quite a few folks, which makes me happy. One candle lights another.
Ben Sheldon asked about then actually doing something with those converted times. How do you actually send a newsletter every morning on every working day, regardless of what the user’s time zone is?
There are a number of approaches to this - once you know the UTC time of the delivery. I will cover a few of them, including the one I prefer. Let’s wind the clocks!
I am currently available for contract work. Hire me to help make your Rails app better!
Approach 1: Anything can be done in Postgres
Remember how I told you that you…
477: Change Management
Time to plan an upgrade as Joël and Aji talk about the hurdles involved with various change management in their projects.
The pair lay out some different approaches to protecting your data when planning a migration, the risks of code and data changes, the elements that will and won’t be affect in the process, and Joël gives his experience on a tough migration project and what he learnt from it.
—
If you’ve not used Merge before you can learn more about it here.
Thanks to our sponsors for this episode Judoscale - Autoscale the Right Way (check the link for your free gift!), and Scout Monitoring.
Your hosts for this episode have been thoughtbot’s own Joël Quenneville and Aji…
If you…
We published security advisory for CVE-2025-61594.
CVE-2025-61594: URI Credential Leakage Bypass over CVE-2025-27221
In affected versions of the uri gem, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials.
This vulnerability has been assigned the CVE identifier CVE-2025-61594. We recommend upgrading the uri gem.
Details
When using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure.
Please update URI gem to version 0.12.5, 0.13.3, 1.0.4 or later.
Affected versions
- uri gem versions < 0.12.5, 0.13.0 to 0.13.2 and 1.0.0 to 1.0.3.
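As an added illustration (not part of the advisory and not the uri gem's own fix), the Ruby below does two things a practitioner wants when this advisory lands: it classifies a uri version string against the affected ranges listed above, and it wraps URI#+ so that the credentials on the result are set explicitly by the RFC 3986 section 5.2.2 authority rule (when the reference carries its own authority, its userinfo, normally none, is what the result gets; only a reference without an authority inherits the base's userinfo) instead of trusting the library's merge. The helper names and the sample URIs are made up for the example; the version ranges are the ones from the advisory.

```ruby
require "uri"
require "rubygems"

# Affected ranges from the advisory: < 0.12.5, 0.13.0..0.13.2, 1.0.0..1.0.3.
def uri_gem_affected?(version)
  v = Gem::Version.new(version)
  between = ->(lo, hi) { v >= Gem::Version.new(lo) && v <= Gem::Version.new(hi) }
  v < Gem::Version.new("0.12.5") ||
    between.call("0.13.0", "0.13.2") ||
    between.call("1.0.0", "1.0.3")
end

# Clear password first, then user: URI::Generic#set_userinfo only overwrites the
# stored password when given a non-nil one, so a stale password can survive a
# nil userinfo. Going through both setters leaves nothing behind.
def strip_credentials!(uri)
  uri.password = nil
  uri.user = nil
  uri
end

# URI#+ (alias of merge) followed by an explicit check of the RFC 3986 5.2.2
# authority rule. Hypothetical helper for this example, not the gem's own code.
def resolve_without_credential_leak(base, reference)
  base = URI(base)
  ref  = URI(reference)
  result = base + ref
  # Reference with an authority (host) -> its own userinfo wins, usually nil.
  # Reference without one -> the base's userinfo is the correct inheritance.
  expected = ref.host ? ref.userinfo : base.userinfo
  if expected.nil?
    strip_credentials!(result) if result.user || result.password
  elsif result.userinfo != expected
    result.userinfo = expected
  end
  result
end

if defined?(URI::VERSION)
  status = uri_gem_affected?(URI::VERSION) ? "AFFECTED, upgrade" : "not in an affected range"
  puts "installed uri #{URI::VERSION}: #{status}"
end
```

The wrapper is a belt-and-braces guard, not a substitute for upgrading: it only covers the authority rule the advisory describes, and it still calls the library's merge underneath.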
Credits
…Assuming you haven’t been living under a rock these past few weeks, the Ruby community has been embroiled in quite a bit of drama. I won’t recap it here…there are plenty of other sources to go (Joel Drapper for one), and I also have my own pointed take on the matter on my personal blog. But here on Fullstack Ruby I like to maintain a positive, can-do attitude, and to that end, let’s talk about some very exciting developments!
Most Rubyists are familiar with rubygems.org and the reason that you see source "https://rubygems.org" at the top of every Gemfile is so Bundler can download and install gems from the rubygems server.
What I, and I suspect most of you, never considered is that source …
Notes from building a “who is doing what right now on our website?” presence feature with Action Cable
I recently was heads down building a “presence” feature for the case and communications management part of my startup’s admin dashboard. The idea being that our internal staff can see what their colleagues are working on, better collaborate together as a team of overlapping responsibility, and reduce duplicative work.
The following is more my notes than a cohesive narrative. But maybe you’ll get something out of it.
Big props
In building this feature, I got a lot of value from:
- Basecamp’s Campfire app, recently open sourced, which has a sorta similar feature.
- Rob Race’s Developer Notes about building a Presence Feature
- AI slop, largely Jetbrains Junie agent.…
I recently started using ViewComponent. I’ve been gradually removing non-omikase libraries from my Rails applications over the past decade, but ViewComponent is alright. I was strongly motivated by Boring Rails’ “Hotwire components that refresh themselves”, cause matching up all the dom ids and stream targets between views/partials and… wherever you put your Stream and Broadcast renderers is a pain.
You might also know me as the GoodJob author. So of course I wanted to have my Hotwire components refresh themselves later and move stream broadcast rendering into a background job. I want to simply call MessagesComponent.add_message(message) and have it broadcast an update later to…
The little Random that could
Sometimes, after a few pints in a respectable gathering of Rubyists, someone will ask me “what is the most undervalued module in the Ruby standard library?”
There are many possible answers, of course, and some favoritism is to be expected. Piotr Szotkowski, who untimely passed away this summer, did a wonderful talk on the topic a wee while back.
My personal answer to that question, however, would be Random. To me, Random is an unsung hero of a very large slice of the work we need to do in web applications, especially so when we need things to be deterministic and testable. So, let’s examine this little jewel a bit closer.
I am currently available for contract work. Hire me to…
The team behind the last ten years of rubygems.org, including @deivid-rodriguez, @duckinator, @martinemde, @segiddins, @simi, and myself, is very pleased to announce a new gem server for the Ruby community: gem.coop.
The new server’s governance policies are being prepared in coordination with Mike McQuaid of Homebrew, and will be released later this week.
The current versions of RubyGems and Bundler work with this new server already, and any Ruby developer is welcome to switch to using this new server immediately.
We have exciting plans to add new features and functionality in the coming days. Join us!
Week 40 - How does Turbo listen for Turbo Streams, detect Safari and iOS version, and more!

Welcome to Hotwire Weekly!
Welcome to another, slightly shorter, issue of Hotwire Weekly! Happy reading! 🚀✨
📚 Articles, Tutorials, and Videos
How does Turbo listen for Turbo Streams? - Sid Krishnan explains how Turbo automatically detects and applies Turbo Stream updates when a response includes <turbo-stream> tags.
How to elegantly update other UI when a Turbo Frame is updated - Radan Skorić shares a Rails trick to update UI elements outside a Turbo Frame from a frame update. His turbo_aware_content_for helper switches between content_for and a matching Turbo Stream replacement to keep extra frame content in sync.
How to detect Safari and iOS versions with ease in 2025 - Evgeniy Valyaev…
Frequently Played 🔗
I tend to listen to the same songs or albums on repeat that are evocative of how I’m feeling or what’s going on with me. Here is what I’m currently listening to over, and over, and over, and over, again.
Halloween 🔗
‘Tis the season.
Well I think I saw you for the flash of a moment
Your broken heart and the body that holds it
I lost your scent in the flash of the party
The big bright lights, baby, constantly haunt me
I’ve never been right, have you ever been lied to?
I think I just saw the same scars upon you
Is this a disguise? Or a masquerade for me?
Quiet 🔗
I’ve been listening to a lot of Siamese Dream.
Behind me the grace of falling snow
Cover up everything…
Hanami on Papercraft
Lately I’ve been really excited about Papercraft and the possibilities it brings to developing web apps with Ruby. Frankly, the more I use it, the more I see how simple and joyful it can be to write beautiful HTML templates in plain Ruby.
Now that the Papercraft website is up, I’d like to concentrate on making it easier for everyone to use Papercraft in their apps, whatever their web framework. So this is exactly what I set out to do this weekend. First on my list: Hanami, an established Ruby web framework with a substantial following.
Since I never used Hanami, I decided to follow the Getting Started guide and then started to peek under the hood to see how I could replace the ERB…
Omarchy
Continuations, 2025/40: Popping off
The big achievement this week: I released Hanami 2.3 beta1!
It had been a while since we cut a release (a lot of work had gone into setting up our sponsorship and preparing our upcoming site), so I’m very happy to have this out.
This release included contributions from a whopping nineteen contributors! This is one of the surest signs of our growing success, and I’m very thankful for everyone’s help! This was also a whopping week for the Hanami Discord, which as Kyle aptly put it, is popping off. A slew of new people have joined (both old friends and new!) and are sharing ideas and questions. It’s exciting to see! And since a lot of the chat happens while I’m still asleep in Australia, I’m…
This blog post is part of a series called “Hanami for Rails Developers”.
- Part 1: Models (you are here)
- Part 2: Controllers
There’s plenty of writing out there for why you should use Hanami, and so this post won’t cover that. If you want those thoughts, see my Hanami 2.0 thoughts and my earlier thoughts on Hanami posts.
This post covers off how to get started with Hanami, with a focus on those who are familiar with Rails and the MVC structure it provides. I’m unashamedly going to crib parts of this from the Hanami Getting Started Guide, but explain them in a different way.
With a Rails app, you’ll be familiar with the Model-View-Controller pattern. Hanami has adopted this pattern…
This blog post is part of a series called “Hanami for Rails Developers”.
- Part 1: Models
- Part 2: Controllers (you are here)
In the first part we saw how to interact with a database by using Hanami’s repositories and relations. In this part, we continue that by serving that data out through routes of our Hanami application.
To get started here, we can run the Hanami server (and its asset compilation step) by running:
hanami dev
This will run a server on localhost:2300 and once you come back to the browser to figure out why your muscle-memory’d localhost:3000 didn’t work, change that 3000 to a 2300.
Routing
In a Hanami application, you can find the routes in the familiar location…

This article isn’t specifically about Solid Cache or encouraging you to use it. Recently, I read the source code of the solid_cache gem and learned some interesting things that I’m going to share here. As a disclaimer: what you read is based on my understanding and might differ from the actual reasoning behind certain decisions.
Solid Cache is a database-backed cache storage system. In simple words, it lets you use your hard disk instead of RAM for caching. Solid Cache was introduced at the RailsWorld 2023 Conference’s Keynote, and Donal McBreen, the main contributor, provided more details about it. I highly recommend watching the presentation if you want to understand the reasoning behind…
Before…
Added dock navigation, navbar, sidebar, and toast notifications.
Components in this release:
Hi, it’s Claudio Baccigalupo. Let’s explore this week’s changes in the Rails codebase.
Bump PostgreSQL client version to 18
The PostgreSQL client version in the devcontainer now points to the latest release of PostgreSQL, which is great because…
Support virtual generated columns on PostgreSQL 18+
PostgreSQL 18 supports virtual (not persisted) columns, which can be added in Rails migrations with stored: false. For instance:
create_table :users do |t|
t.string :name
t.virtual :lower_name, type: :string, as: "LOWER(name)", stored: false
t.virtual :name_length, type: :integer, as: "LENGTH(name)"
end
Fix Enumerable#sole when element is a tuple
Restores the original behavior…
Weekly Update — Friday, October 3

Thanks for holding us to a regular cadence. I’m liking being able to share with you all regularly.
Today’s Friday update is brief, as we shared a comprehensive status on Tuesday, and much of that work is still in motion. Here’s where things stand:
Production services (rubygems.org operations)
- We remain on track to finalize and execute operator agreements on the schedule we set.
- Service is stable; publishing and installing gems continue as normal with on-call coverage active.
Code & repositories (Ruby Gems/Bundler and rubygems.org source)
- A narrow set of elevated permissions remains under the temporary procedural hold while roles are confirmed and least-privilege + MFA are verified. This matches…
I’ve been working quite a bit on Papercraft these last few weeks. Yesterday I released Papercraft version 2.16, and here are some of the notable changes introduced since the last update:
- Emit DOCTYPE for the html tag by default. Before this change, you needed to use the html5 tag to include the DOCTYPE at the top of the generated markup. Now you can just use html. This is important since this way you avoid quirks mode.
- Do not escape the content of style and script tags. This makes it easier to write inline CSS and Javascript.
- Add the Papercraft.markdown_doc convenience method, which returns a Kramdown::Document instance for further processing of Markdown content.
- Add support for rendering of…
New Papercraft Website
I’ve also been working on a website for Papercraft and it’s finally online. Check it out:
Like the noteflakes.com website, which you’re currently reading, the Papercraft website is made using Syntropy. All of the documentation pages are written using Markdown. Let’s look at some examples of how Papercraft is used on its…
Blastoff Rails with Travis Dockter
In this episode of Remote Ruby, Chris and Andrew chat with Travis Dockter, the founder of a brand-new Ruby conference, Blastoff Rails. They dive deep into Travis’s journey from business school to bootcamp, his love for conferences, and why he decided to organize one of his own in Albuquerque, New Mexico. From planning venues and sponsors to shaping a unique conference philosophy, Travis shares both the behind-the-scenes challenges and the excitement of creating a new community space for Rails developers.
Links
- Travis Dockter LinkedIn
- Travis Dockter X
- Blastoff Rails X
- Blastoff Rails-June 11-12, 2026, Albuquerque New Mexico
- Albuquerque Museum
- Pirates of Silicon Valley
- Kieran Klaassen X
- Ruby Conference…
Honeybadger is an application health…
Announcing Hanami 2.3 beta1
After getting set up for sponsorship (we still want to hear from you!), we’re back with a new Hanami release. Today we’re pleased to announce the first beta of Hanami 2.3.
Rack 3 support
This one goes up to eleven three.
With this release, we introduce Rack 3 support to Hanami!
We now support Rack versions 2 and 3, so you can use whichever version suits your situation. We still encourage you to upgrade Rack when you can, and we’re happy that Hanami is no longer a blocker on this path.
To upgrade your app to Rack 3, update your Hanami gems to this beta release, then bundle update rack. You should also check out the Rack 3 upgrade guide. Most changes will…
jj part 2: commands & revsets
Now, let’s take a look at the most common jj commands, with a special focus on the way arguments are generally consistent and switches don’t hide totally different additional commands.
jj log
The log command is the biggest consumer of revsets, which are passed using -r or --revisions. With @, which is the jj version of HEAD, you can build a revset for exactly the commits you want to see. The git operator .. is supported, allowing you to log commits after A and up to B with -r A..B, but that’s just the start. Here’s a quick list of some useful revsets to give you the flavor:
- @- : the parent of the current commit
- kv+ : the first child of the change named kv
- ..A & ..B : changes in the intersection…
#769 — October 2, 2025
Ruby Weekly

The Ruby Association's Call For Grant Proposals — Each year, the Ruby Association, chaired by Ruby’s creator Matz, puts out a call for proposals for Ruby related projects that they can give a grant (of 750,000 Yen - roughly $5000) to assist further development. The deadline for this run is October 6, next Monday.
Ruby Association

Tuple - What Core Contributors Use to Pair on Ruby and Rails — 4 out of the 10 top contributors to Ruby use Tuple to pair on code. Tired of verbally steering on Zoom? Discerning developers choose Tuple.
Tuple sponsor
…I made this yesterday by typing a few words and uploading a couple of pictures to Sora:
When Sora 2 was announced on Tuesday, I immediately saw it as exactly what I've wanted from AI ever since I first saw Stable Diffusion in the Summer of 2022. For years, I've fantasized about breaking free from the extremely limited vocabulary of stock video libraries (as a Descript subscriber, I've long had access to Storyblocks' library). Stitching together stock content to make explainer videos like this one is fun, but the novelty wears off as you quickly burn through all three clips for "child throws spaghetti at family member." Stock video is great if you only talk about mundane household and…
When you use Turbo Frames on your page you can set an initial loading state, something like Loading…. This text will then be replaced once the request’s body is injected into the frame element. That works great for loading parts of your app asynchronously.
But what if you have a turbo frame element permanently on your page? For example for an overlay or modal component? And what if it is a bit slow? By default it will show nothing (except the progressbar at the top after ~500ms) until the resource is loaded. This makes for a poor UX. Ideally you want to give feedback, even if it is a “loading” text, right away. This is better and tells the user something is happening.
See this GIF:
…
We have fun here.
Ruby on Rails has always moved at a steady, thoughtful pace: each new version brings not only features and performance improvements but also important security hardening. But with every release cycle, older versions reach the end of their lifespan. When a version is officially End-of-Life (EOL), it no longer receives bug fixes or security patches — leaving applications increasingly vulnerable as new threats emerge.
In this post we will talk about why continuing to use EOL Rails versions can be dangerous, and how ignoring upgrade timelines can put your business at risk — not just technically, but legally and contractually.
Rails Maintenance Policy
The Rails core team has a clear mainten…
Self-Made is a Myth Podcast
I'm never one to turn down being on a podcast, especially since acquiring Fireside.fm, a podcast host. So yesterday, I hopped on a call with Tim Campsall to chat about running Box Out and Very Good. And the crazy thing is it's already out on Youtube. I wasn't in my home office so my background was bleak and my audio was subpar but still a great conversation.
Highlights
- Shortest path between builders and users is critical.
- Hire “batteries included” people who are self-driven.
- I’m not really good at anything specific. I’m just good at being glue.
- Measure progress (time tracking) and celebrate wins to avoid burnout.
- Design products to save people time. Design your business to free your own time.
- Peop…

Learn how to build a dedicated API documentation repository that becomes your team's single source of truth, enabling true contract-first development. We'll focus on the frontend tech stack approach and demonstrate exactly how I set up a contract-first environment.
Hanami Containers

This article assumes you have familiarity with Hanami and want to dive deeper into how dependencies work, are organized, and managed via containers. At a high level, containers allow you to define your dependencies once (and optionally memoize them) so you can quickly reference and use them throughout your application.
There are two primary categories to be aware of when thinking about containers in Hanami: Injectables and Providers. For example, here’s a quick and dirty way to see the differences:
# demo/app/aspects/demo.rb
module Demo
module Aspects
class Demo
end
end
end
# demo/config/providers/demo.rb
Hanami.app.register_provider :demo do
st…
With the above, we have a Demo application that has a core Demo component and a demo …
Reading a lot of code from very senior engineers is probably one of the best ways to level up as a Ruby on Rails developer. By doing so, we can learn new tips and techniques that we can reuse in our jobs. Thanks to open source, we can read code written by the best developers from all over the world, and for free!
However, reading code from a Ruby gem or a Rails engine for the first time without being guided can be daunting. There are so many files; how do we even know where to start?
In this three-part series, we are going to read the source code from the Showcase Rails engine.
We will learn about:
- The main files in a Rails engine
- How to read source code without getting lost
In this first…
✂️ Will code for 🙌's
It's true, you catch more bugs with honey than vinegar.
Clipped from my conversation with José Valim about how little we know about the future of coding agents (and, as in the case of this video, also their present).

Dear Rubyists,
Thank you for giving me this opportunity to share with you. We take our stewardship of the Ruby Gems ecosystem seriously. Our mission is clear: keep the language and the infrastructure you rely on stable, safe, and trustworthy. Before we get to what the next steps will be, here is a quick recap from the video that we shared last week.
Moving parts:
- We recognize there is confusion between some of the moving parts in this conversation, and we would like to add some clarity around that.
- The rubygems client and bundler source code both live in the rubygems/rubygems Github monorepo
- Similarly, the source code for the rubygems.org service lives in the rubygems/rubygems.org Github repo
- La…
Well my Ruby friends, a new day has dawned with the release of the Ruby web framework Bridgetown 2, and that means I can start to enjoy the fruits of our labor by sharing useful code examples and architectural explanations here on Fullstack Ruby. Yay! 🎉
(BTW…how cool is this custom artwork by Adrian Valenzuela??)
Now onto today’s little batch of snippets.
Swapping Video Links with Embeds
On a Bridgetown client project, we wanted to be able to drop in links to the client’s many videos hosted on Vimeo. I didn’t want to have to deal with the hassle of grabbing <iframe> tags for every single video, so my first inclination was to write a helper method and use those calls in the markup…
A catalog of coding challenges
- Some types of coding challenges
- Other activities that are not exactly coding challenges
- Are coding challenges worthwhile?
- If not coding challenges, then what?
To many developers, “coding challenge” evokes technical interview trauma.
But there are many kinds of coding challenges, not all of them dehumanizing. I’ve been making a list of them over the…
The Case for Generalism in Tech
This is our first threat intelligence post. Each week, if appropriate, we will aim to share some wider industry news that might impact our clients.
We will be covering; Ruby, JavaScript, Postgres, Heroku, Render, Cloudflare, and Github, as well as wider geo-political points.
Ruby
The Ruby community has never looked more uneasy. No issues require immediate attention, but it is worth knowing there is a lot of energy being spent on several topics, and there are a lot of folk disenfranchised with the language.
DHH has gone, pardon the pun, off the Rails. The Ruby Community has a DHH Problem explains the core issues with DHH (creator of Rails) making xenophobic claims about London. This has…

Read how to accurately detect Safari and iOS versions using WebKit feature checks, behavioral tests, and selective UA hints to gate features safely and avoid breaking UX.
Why is accurately detecting the version of Safari and iOS you're dealing with so important for modern web development? There are many reasons: applying fixes/enhancements only where needed, preventing confusion for users on other browsers, displaying the right prompts for actions or installations, enabling or disabling features, providing accurate analytics, and supporting users with tailored instructions,…
476: Green Flags for Code
Joël and Sally sit down to discuss their green and red flags when it comes to PR review.
Joël breaks down the different ways humans review code vs AI, how they both break down large projects into smaller digestible PRs and clarifying your reasoning for certain decisions, as well as discussing the most common red flags they’ve encountered when looking over code.
—
Take a break from coding to brush up on your Roman History.
Thanks to our sponsors for this episode Judoscale - Autoscale the Right Way (check the link for your free gift!), and Scout Monitoring.
Your hosts for this episode have been thoughtbot’s own Joël Quenneville and Sally Hall.
If you would like to support the…
🎙️ Breaking Change podcast v44.0.1 - José Valim: It's a time for builders
Direct link to podcast audio file
If you know who José Valim is, then you know he probably made a mistake by joining me for our third installment of 🔥Hotfix🔥. The inventor of the Elixir programming language is at it again with his colleagues at Dashbit and they've got a new product called Tidewave. It's a coding agent with a twist: it has such a deep level of integration with your web framework that it can get the executable feedback it needs to tackle the entire feature development lifecycle.
I do eventually let him plug the tool (and our conversation genuinely makes me want to try it—I logged a todo and everything!), but to be on Hotfix you gotta bring a thorny problem to the…
Rails and Ruby Compatibility in 2025: Which Setups Will Be Unsupported After October 1st?
Rails 7.1 has been a dependable workhorse since its release in 2023. But on October 1, 2025, Rails 7.1.x will lose official security support. That means no more patches for new vulnerabilities, no more backports, and no safety net if a zero-day exploit lands in your stack.
If you’re running Rails 7.1, your risk level depends heavily on which Ruby version you pair it with. Some Rails and Ruby combinations will be doubly unsupported after October 1st, creating “dangerous pairings” that should be upgraded immediately.
In this post, we’ll break down:
- Which Ruby on Rails setups will lose support after October 1, 2025.
- Why those combinations are risky.
- How to quickly check your…
The State of Rails…

Welcome to Hotwire Weekly!
Welcome to another issue of Hotwire Weekly! Happy reading! 🚀✨
📚 Articles, Tutorials, and Videos
Hotwire Caching Problem - Amanda Klusmeyer published a blog post on the Flagrant blog about a bug where session-based tab state clashes with Turbo’s navigation cache.
How to install the Bridge Components library - Joe Masilotti published a new video in which he's showing how to install his bridge-components library in a Rails application, alongside the iOS and Android Hotwire Native apps.
View Components Over Turbo Streams with Hotwire - Juan Ferrari shows how to render ViewComponents directly in Turbo Streams, replacing partials.
stupid jj tricks
This post was originally given as a talk for JJ Con. The slides are also available.
Welcome to “stupid jj tricks”. Today, I’ll be taking you on a tour through many different jj configurations that I have collected while scouring the internet. Some of what I’ll show is original research or construction created by me personally, but a lot of these things are sourced from blog posts, gists, GitHub issues, Reddit posts, Discord messages, and more.
To kick things off, let me introduce myself. My name is André Arko, and I’m probably best known for spending the last 15 years maintaining the Ruby language dependency manager, Bundler. In the jj world, though, my claim to fame is completely…
The boss of it all
The recent Ruby Central tragedy has me in shambles, honestly. It cuts deep at the very spot where I am feeling the most insecurity and the most disenfranchisement.
The crux of the issue is creative control. Writing software is a creative endeavor, and we are just now barely getting to the understanding that even though free software promises open source, it does not promise open governance or shared ownership. Something made by a person is their creation, and in the world of pervasive corporate grift and endless growth-at-any-cost it remains one of the few, and - to my view - purest - forms of being attached to what you produce. Having creative control and exercising it is the ultimate…
We are in the midst of a Ruby drama for the ages. I'm sure a bunch of people figured we were all too old for this shit, but apparently we are not.
This debate has been eating at me ever since the news first broke, but I've tried to keep the peace by staying out of it. Unlike most discourse about what's going on, my discomfort stems less from the issue at hand—what Ruby Central did, how they did it, and how poorly it was communicated—and more to do with how one-sided the public discussion has been. Beneath the surface of this story are the consequences of a decade-old conflict that was never fully resolved. Then and now, one side—Andre Arko and many people associated with him—has availed…
jj part 1: what is it
I’ve been working on a blog post about migrating to jj for two months now. Rather than finish my ultimate opus and smother all of you in eight thousand words, I finally realized I could ship incrementally and post as I finish each section. Here’s part 1: what is jj and how do I start using it?
pls, I just want to use jj with GitHub
Sure, you can do that. Convert an existing git repo with jj git init --colocate or clone a repo with jj git clone. Work in the repo like usual, but with no add needed; changes are staged automatically. Commit with jj commit, mark what you want to push with jj bookmark set NAME, and then push it with jj git push. If you make any additional changes to that branch,…
I’ve been watching the recent drama within the Ruby community slowly devolve in the last few days into name-calling and virtue-signalling, and frankly just plain silliness. I won’t repeat here the details of the disagreement, and I won’t link to any posts written about what’s happened.
It is clear to me that some of this has to do with business interests of the different parties involved, some of this has to do with political views, and some of this apparently also has to with a clash of personalities. But what really troubles me is not the details of the disagreements themselves, however strongly each of us may feel about them, but rather how people have come to treat each other over…
CVE-2025-59830 (rack): Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters
Happy Friday! After three weeks of conferencing, this is Greg, bringing you the news about the latest changes in your favorite framework. It was a busy week with a lot of changes, let’s dive in.
Rails Version 8.0.3 has been released!
A new version of Rails has been released. Read the CHANGELOG for the list of changes.
Deprecate usage of custom ActiveJob serializers without public #klass methods
With this change, custom Active Job serializers must have a public #klass method; the previous behavior is deprecated.
Make engine routes filterable in bin/rails routes, improve engine formatting
This pull request adds engine route filtering and better formatting in bin/rails routes.
At the end of my post on JRuby and JDK 25 startup time features, I teased a bit of the unreleased improvements from Project Leyden. It turns out the latest commits improve startup time even more, so it seems worth posting a quick follow-up!
Project Leyden is LIT
Of the many OpenJDK projects I follow, Leyden has been near the top as far as activity and interest. In the past month, there have been 527 commits to all branches… over 15 commits per day. And this doesn’t include commits being done by contributors on their own repositories. It’s exciting to watch!
After my recent post, Aleksey Shipilëv reached out to me on Bluesky:
If you know Aleksey, you know to listen when he makes a…
Wow, what a big week in Ruby land…
…that’s because I got to merge a whopping SIX new PRs into Hanami and Dry, all from community contributors!! Subdomain methods on requests, improved file collision handling in generators, avoiding RuboCop RSpec issues in our default files, Dry Logger payloads with blocks, better logging performance for your log level, conventional Rake task support. Thank you to Aaron Allen, and an extra thank you to brand new contributors stephannv, wout, Petrik de Heus, and Alexander Zagaynov! 🥰
Checked out Sean’s great work examining the impact of memoizing container components. In short: things can get a whole lot faster. This has been low-hanging fruit for a long…
T…
Per-slice sessions in Hanami
One of the things I do in Hanami-land is provide support. I love doing this because it helps me understand all the contours of our framework as it meets the real world. Bringing your questions is seriously one of the most helpful things you can do for Hanami right now. (At this moment, Aaron would be telling you to join our Discord!)
A question that came up this week was about how to have separate Rack cookie sessions per slice.
You can achieve this by using the session middleware inside each slice in your routes:
# config/routes.rb
module MyApp
  class Routes < Hanami::Routes
    slice :main, at: "/main" do
      use Rack::Session::Cookie,
        key: "my_app.session.main",
        s…
Doing something at a time convenient for the user is a recurring (sic!) challenge with web applications. And the more users you have across a multitude of time zones, the more pressing it becomes to do it well.
It is actually not that hard, but it does have a few fiddly bits which can be challenging to put together. So, let’s do some time traveling.
I am currently available for contract work. Hire me to help make your Rails app better!
What makes time zones so tricky?
Time zones are tricky because they change over time. There is a global UTC clock, which has leap seconds – that’s already a bit tricky, but not that tricky. Timezones are tricky because they are d…
Rails World 2025 Recap
In this episode, Chris and Andrew reflect on their recent trip to Rails World 2025 in Amsterdam, sharing travel adventures, highlights from the conference, and insights into major Rails announcements. From slide-heavy talks to new features like ReActionView, Action Push, Kamal Geo Proxy, Hotwire Native, and Action Text Lexxy, they explore how the Rails ecosystem continues to push developer experience forward. Hit download now to hear more!
Links
- Chris Oliver X
- Andrew Mason Bluesky
- Judoscale - Remote Ruby listener gift
- Rails World 2025 - Amsterdam Talks (YouTube)
- ReActionView
- Lexxy
- Kamal Proxy
- Hotwire Native
- STRAAT Museum
Honeybadger is an application health monitoring tool built by developers…
Passenger 6.1.0

Version 6.1.0 of the Passenger application server has been released. This release adds rpm packages for EL10 (RHEL, Rocky, Alma), as well as Debian 13 Trixie. Compatibility with Rack 2&3 is also improved.
Passenger 6 introduced Generic Language Support, or: the ability to support any and all arbitrary apps.
Rack Compatibility
Passenger should now be compatible with both Rack 2 and Rack 3 apps when installed via a Gemfile.
Updates & improvements
- [Ruby] Fix compatibility with Rackup while maintaining compatibility with Rack 3. Closes GH-2602.
- A C++14 compiler is now required to compile Passenger.
- Add rpm packages for EL10 (RHEL, Rocky, Alma).
- [Standalone] Fixes security update checker with…
Installing 6.1.0
Please see the installation guide for advice on getting started with Passenger. Coming from a language…
#768 — September 25, 2025
The top item in today's issue focuses on a complex issue that has arisen around the RubyGems and Bundler projects. These matters are of importance to Ruby's packaging ecosystem but skip to our 'In Brief' section if the inner workings and ownership of these projects aren't of interest to you.
__
Peter Cooper, your editor
Ruby Weekly

Last Friday, Ellen Dash, a long-time RubyGems maintainer, posted a PDF titled 'Ruby Central's Attack on RubyGems' explaining how the RubyGems GitHub organization was renamed, a new maintainer was…
Components in Rails without gems
Quite often I work with various clients that don’t want to, or can’t, use a third-party library like ViewComponent or similar. That leaves me with partials. Which, granted, often brings me really far early on. But then I hit a wall with maintainability and clean code (mostly too much logic in views, which really triggers me). When you read up about this topic, you will often find things like helpers mentioned. The global scope of helpers is my biggest gripe with them. I only reach for one if a helper can truly be used throughout parts of the app.
In this article I want to lay out the various techniques I use for apps I started myself and for others that need more than vanilla Rails partials…
Rails 8 upgrade story: duplicate keys sneaking into our JSON responses
The upgrade from Rails 7.2.2.2 to 8.0.2.1 went surprisingly smoothly.
After deployment, we didn’t notice any new exceptions, and the application seemed stable.
At least at first…
First reports
After a while, we started receiving complaints from an external application consuming our JSON API.
Identifiers that were supposed to be strings suddenly started arriving as integers. 🤔
We rolled back the changes and began debugging.
The suspicious line
It turned out the problem originated in the code responsible for serializing an ActiveRecord object.
We had something like this:
attributes.merge(id: public_id)
The intention was…
Bundler belongs to the Ruby community
I’ve spent 15 years of my life working on Bundler. When I introduce myself, people say “oh, the Bundler guy?”, and I am forced to agree.
I didn’t come up with the original idea for Bundler (that was Yehuda). I also didn’t work on the first six months worth of prototypes. That was all Carl and Yehuda together, back when “Carlhuda” was a super-prolific author of Ruby libraries, including most of the work to modularize Rails for version 3.
I joined the team at a pivotal moment, in February 2010, as the 0.9 prototype was starting to be re-written yet another time into the shape that would finally be released as 1.0. By the time Carl, Yehuda, and I released version 1.0 together in August 2010,…
JDK 25 is the newest LTS release since JDK 21, and it ships with a gaggle of amazing VM-level features. This post will cover one of the most important improvements for command-line ecosystems like JRuby’s: the AOTCache (ahead-of-time cache) and its ability to pre-optimize code for future runs.
We’ll explore how AOTCache can speed up your JRuby workflow, starting with a discussion of JRuby startup time challenges and finishing with “coming soon” features that didn’t quite make it into the JDK 25 release.
The Challenge of Fast Startup on the JVM
It’s worth taking a quick look at why startup time has been such a difficult challenge for JRuby, and how we’ve worked to improve it over the…
My Thoughts on Euruko
I’ve just got back home from Euruko last night. The conference ended on Friday, but I decided to stay two more nights in Portugal and visit Porto. In between walking all over the city, eating great food and enjoying the dancing and music making in the street, I’ve also had time to think about all the wonderful people I met at the conference (and even some I’ve met and talked to by chance on the streets of Viana do Castelo and Porto), and the incredible experiences I’ve had at Euruko.
First, I’d like to express my deep appreciation for the organizers, headed by Henrique. This was the first programming conference I’ve ever been to, so I had no idea how it was going to go. But it was obvious…
Adventures in CPU contention
Recently on this blog, I wrote about in-memory filesystems in Rust, and concluded that I wasn’t able to detect a difference between any form of in-memory filesystem and using a regular SSD on macOS. I also asked anyone who found a counterexample to please let me know.
Last week, David Barsky of ERSC sent me an extremely compelling counter-example, and I spent several days running benchmarks to understand it better.
The top level summary is that the test suite for the jj VCS exhibits an absolutely huge difference between running on an SSD and running against a ramdisk. In my first reproduction attempt, I found the SSD took 239 seconds, while the ramdisk took just 37 seconds. That’s bananas!…
Recently I’m finding myself leaning towards writing some Elixir code in a bit different way than the community standard. I call it, perhaps unjustly and a bit tongue-in-cheek, “OCaml-flavoured Elixir”. Now, I don’t really write OCaml well (or: at all), but I spent the last 3 years working with a frontend written in ReScript. And I think in recent months it started to affect how I think about Elixir code.
But to start the conversation, let me show you what I actually mean:
def close_ticket(ticket_id, actor_id) do
  fetch_ticket = fn ->
    Repo.get(Ticket, ticket_id)
    |> Result.wrap_not_nil(:ticket_not_found)
  end
  fetch_user = fn ->
    Repo.get(User, actor_id)
    |> Result.wrap_no…
"Tidy First" by Kent Beck - Asking the Right Questions About Software Change
A frequent request from listeners of my Breaking Change podcast has been for chapter support. At one point, I tried to manually incorporate this into my (extremely light) editing workflow, but it was fiddly and error-prone to do manually.
That is, until yesterday, when I had the thought, "what if I had a script that could detect each time the audio switched from mono to stereo?"
See, like most podcasts, I record my voice in mono, but the music jingles (or "stingers") are all in stereo. And because each mono segment is punctuated by a stereo stinger, the resulting timestamps would indicate exactly where the chapter markers ought to go.
So, an hour later, some new shovelware was born! I call…
The Ruby community experienced significant turbulence in September 2025 when Ruby Central forcibly took control of the RubyGems GitHub organization, removing long-standing maintainers without warning. As someone who has worked extensively on RubyGems security - first independently and later with Mend.io - protecting our ecosystem from supply chain attacks and handling vulnerability reports, I found myself caught between understanding the business necessities and being deeply disappointed by the execution.
I should clarify: I'm not affiliated with Ruby Central, but I've been working behind the scenes to keep RubyGems secure for years. Most people don't realize the constant vigilance…

Flaky tests got you down? The Evil Martians formula stops chronic CI retry irritation! Clinically proven on ClickFunnels' massive test suite and dozens of developers!
Every developer knows this pain: your test suite passes locally but fails on CI. You click "Retry" and hold your breath. It passes! But was it a real fix or just luck? Well now, no luck needed! We've helped dozens of developers from ClickFunnels, a leading sales funnel platform, go from flaky tests with ~80% success rates to 100%* reliability across their massive test suite (9k+ unit, 1k+ feature…
Dev Containers are a lightweight, semi-standardized way to provision robust development environments for applications. They can be run locally, or in a cloud environment like Github Codespaces.
Rails itself provides dev container images and features, and even a tool to create a Rails application without any prerequisites on your machine besides Docker being installed (rails-new). Additionally, you can pass --devcontainer to rails new when starting out with a greenfield Rails app.
So let’s go and see what it’s all about.
What Are Dev Containers?
In a nutshell, dev containers provide a standardized way to define portable, reproducible development environments using (Docker) containers. To…
475: Invisible Mentorship
Sally and Aji discuss their experiences with invisible mentorship when it comes to code review.
Together they question when is the right time to have conversations with your team in a bid to chase improvement, the importance of understanding your co-workers’ perspectives, as well as the best ways to initiate a mentoring moment.
—
Check out some of the things mentioned in this episode:
- The Coding Train
- Sarah Mei’s Livable Code
Thanks to our sponsors for this episode Judoscale - Autoscale the Right Way (check the link for your free gift!), and Scout Monitoring.
Your hosts for this episode have been thoughtbot’s own Sally Hall and Aji Slater
If you would like to support the…
Hi everyone,
I am happy to announce that Rails 8.0.3 has been released.
CHANGES since 8.0.2
To see a summary of changes, please read the release on GitHub:
- 8.0.3 CHANGELOG
To view the changes for each gem, please read the changelogs on GitHub:
- Action Cable CHANGELOG
- Action Mailbox CHANGELOG
- Action Mailer CHANGELOG
- Action Pack CHANGELOG
- Action Text CHANGELOG
- Action View CHANGELOG
- Active Job CHANGELOG
- Active Model CHANGELOG
- Active Record CHANGELOG
- Active Storage CHANGELOG
- Active Support CHANGELOG
- Railties CHANGELOG
Full listing
To see the full list of changes, check out all the commits on GitHub.
SHA-256
If you’d like to verify that your gem is the same as…
As the opening keynote on Day 2 of Rails World 2025, I had the chance to host a panel with three people who’ve been shaping the direction of both Ruby and Rails from deep within the internals.
- Aaron Patterson (@tenderlove)
- Hiroshi Shibata (@hsbt)
- Jean Boussier (@byroot)
We covered a lot in an hour:
- What they’ve been working on behind the scenes
- Which areas of Ruby and Rails could use more community support
- The evolving release process for the language
- Why Hiroshi’s focused on improving the experience for developers on Windows
- How security fixes are coordinated across multiple versions
- Performance work related to YJIT and ZJIT
- JSON parsing performance and…
There’s even a moment where Aaron and Jean get into a friendly disagreement about performance and priorities. If you enjoy technical nuance and sharp perspectives, you’ll appreciate that exchange.
And yes… I asked Aaron about his favorite Regular…
Classic performance optimization strategies in a Ruby on Rails application involve moving slow or expensive logic to background jobs, looking at slow queries and adding missing indexes, or tracking and fixing N+1 query issues. The view layer, most of the time overlooked, should also be a target for performance improvements. In this post, we will do a quick recap of the different rendering strategies in Rails, benchmark them to set the base, and analyze them to decide when to use them (or when not to).
Rendering strategies in Rails
In Rails, we can render a template in many ways. To illustrate the different rendering strategies, we’re going to use a simple Rails 8 app, like the one in the…
Ruby Triathlon 2025
September is conferencing season for me, and this year, I decided to do the Ruby Triathlon, so I attended Rails World in Amsterdam, FriendlyRb in Bucharest, and EuRuKo in Viana do Castelo.
Direct link to podcast audio file
Hey, look! Breaking Change now has chapter support for each segment! More on how I did that while still upholding my commitment to laziness later.
I didn't get a good job connecting this version's release to what I was referencing, so to be clear I was referring to my heart rate as opposed to any other bodily functions. The other ones are getting up just fine, thank you. Get your head out of the gutter.
Thanks for all the great e-mails the last couple weeks! Throw yours on the pile at podcast@searls.co. Hopefully Fastmail won't lose it.
For the folks who pronounce URLs like Earls:

Welcome to Hotwire Weekly!
Welcome to another, slightly delayed, issue of Hotwire Weekly! Happy reading! 🚀✨
📚 Articles, Tutorials, and Videos
Rails World 2025 talk recordings - The Rails Foundation published the recordings for Rails World 2025. Here are direct links to the Hotwire-adjacent talks:
Hotwire Native is extremely future proof - Dennis Paagman explains how iOS 26's…
Continuations, 2025/38: Tutorial style
A light week for me. My usual Hanami Friday was spent at a work retreat. As no small consolation, I got to visit beautiful Hamilton Island and spend a good amount of time in the ocean.
I did start the week by finishing and posting my Rodauth tutorial: Rodauth, meet Hanami. I hadn’t written a tutorial-style post in a long time, and I really enjoyed putting this one together! I hope it’s a valuable resource to Hanami users looking for authentication in their apps.
I hope to share more material like this in the future. It squarely addresses “Help our users be more successful with Hanami” from our 2025 goals. While I’m happy to bootstrap this, I also think posts like this are perfect…
On RubyCentral and Rubygems
I finally had a little time to look more into the Rubygems drama. I don’t know anything other than what you can publicly read, and it looks like that information is also hard to trust.