Rubyland

I released kamal-backup today.

I run Chat with Work on Kamal, and I needed backups. There are already Kamal accessories for database backups. None of them also back up Active Storage. None use restic, so encryption, deduplication, and repository checks are on you. None ship a CLI with restores and drills. None produce evidence you can hand a security reviewer.

So I built one.

A gem and a Docker image

kamal-backup is two pieces: a Ruby gem you add to your Rails app, and a Docker image you boot as a Kamal accessory. They point at a restic repository you bring yourself.

The gem is your CLI. Local commands run directly on your machine using restic. Production-side commands shell out…

Introduction

Ship small nonroot images, scan for CVEs, and let Kamal gate traffic. Rails 8.1 gives us that path by default.

• Pin Ruby and keep it synced with .ruby-version
• Use multistage builds
• Precompile gems, app code, and assets during build
• Run production containers as a nonroot user
• Fail CI on high and critical CVEs

While our previous guide covered Rails 8 adds Kamal by default, this post focuses on containerization best practices, security hardening, and production optimization techniques.

The examples below use Rails 8.1, Ruby 3.4.9, and Kamal 2.11.0.

Understanding Rails Docker Setup

When we create a new Rails 8.1 application, it generates several Docker related…

A while back I decided to stop using Tailwind for new projects and to just write vanilla CSS instead.

But one thing I missed about Tailwind was the colour palette (here as CSS). If I wanted a light blue I could just use blue-100 and if I didn’t like it maybe try blue-200 or blue-50. I’m not very good with colours so it makes a big difference to me to have a reasonable colour palette that somebody who is better at colour than me has thought about.

But I’m also a little tired of those Tailwind colours, so I asked on Mastodon today what other colour palettes were out there. And then a friend said they wanted links to those colour palettes, so here’s a blog post so my friend can see them, and…

When you need to build HTML outside of a template, it’s tempting to concatenate strings and call html_safe on the result. This bypasses Rails’s built-in XSS protection entirely: any user input in that string goes straight to the browser unescaped.

The good news is you almost never need html_safe. Rails provides three underappreciated tools that handle escaping for you.

Instead of…

…calling html_safe on strings you’ve built by hand:

def status_badge(label, color)
  "<span class=\"badge badge-#{color}\">#{label}</span>".html_safe
end

def formatted_address(user)
  [user.street, user.city, user.postcode].compact.join("<br>").html_safe
end

def render_comment(comment)
  comment.body_html.…

Use…

…the right tool for…

Oh Asheville! How wonderful, weird, and full of art you are! Aside from returning with sore shins (central Ohio isn’t known for its hills…), Adam and I head home from North Carolina with two primary reflections we feel worth sharing here.

Ye old Blue Ridge Mountains

1. “Humans are the X-factor”. There’s something irreplaceable about a gathering of humans in-person; something unmistakably creative and promising. Something you feel more than you can describe; a moment where the whole is indeed greater than its constituent components. Small Ruby conferences ooze this feeling! My point here is simply that there is no replacement for…

Hello! One of my long term projects on here is figuring out how to write frontend Javascript without using Node or any other server JS runtime.

One issue I run into a lot in my frontend JS projects is that I don’t know how to write tests for them. I’ve tried to use Playwright in the past, but it felt slow and unwieldy to be starting these new browser processes all the time, and it involved some Node code to orchestrate the tests.

The result is that I just don’t test my frontend code which doesn’t feel great. Usually I don’t update my projects much either so it doesn’t come up that much, but it would be nice to be able to make changes with more confidence! So a way to do frontend testing…

Chris, Andrew, and David open with some classic confusion over what day it is then dive into Podia’s gradual rollout of a major new app version, including how the team is handling migration, feature flags, dogfooding, and eventual cleanup. From there, the discussion turns to underrated Rails routing features like direct routes and resolve routes, a newly merged Rails query command, observability improvements through Hatchbox’s AppSignal integration, and the ongoing pain of CSS build tooling in Rails apps. They also touch on conference season and their upcoming talks. Press download now to hear more! 

Links

• Judoscale- Remote Ruby listener gift
• Direct Routes
• Instance Public methods-direct (name,…

Hi, it’s Greg, bringing you the latest updates about Rails.

Updated guides await community input
The Asset Pipeline, Layouts & Rendering, Caching, and Active Job Basics Guides have all recently been updated and are open for community input. If you have time and would like to help review, please check the list of pull requests.

Apply for the Rails at Scale Summit
Reminder to apply by May 8 for the Rails at Scale Summit (Sept 22, Austin), a one day, invite-only gathering for engineers working on large-scale Rails applications.

Enable frozen string literal by default
New Rails apps now include a config/bootsnap.rb file that enables frozen string literals. This only impacts the application…

It is also possible to enable…

If you’ve followed Hanami for a while, you’ll know we’re rather fond of flowers. Today our garden has grown: Hanami, Dry, and Rom — three projects that have lived alongside each other across a decade and billions of downloads — are finally coming together as one. Welcome to Hanakai!

With Hanakai, we’re building a single shared community around the gems you know and love. The gems will carry on, now cared for by a bigger, unified team. And with our beautiful new website, now you can discover our vision for Ruby more easily than ever.

Loosely translated from the Japanese 花会, Hanakai means “flower fellowship”, sharing its first character 花 with Hanami, “flower viewing”. With…

Two weeks ago, the NPM endpoint that yarn audit from Yarn v1 uses, decided to stop working:

I imagine this won't be fixed (unfortunately), but it looks like npm has silently deprecated the security audit API that Yarn 1 uses:

yarn audit v1.22.22
error Error: https://registry.yarnpkg.com/-/npm/v1/security/audits: Request "https://registry.yarnpkg.com/-/npm/v1/security/audits" returned a 410
    at params.callback [as _callback] (/usr/share/yarn/lib/cli.js:66689:18)
    at self.callback (/usr/share/yarn/lib/cli.js:141410:22)
    at Request.emit (node:events:517:28)
    at Request.<anonymous> (/usr/share/yarn/lib/cli.js:142382:10)
    at Request.emit (node:events:517:28)
    at…

For years, our way of taking over legacy systems was simple: start small.

A client would come to us with an existing application and a list of things they needed done. Sometimes that list was mostly bugs. Sometimes it was features. Sometimes it was a mix of vague product wishes, or urgent production issues.

So we would begin with the safest tickets.

Fix a small bug. Change a minor behavior. Add a low-risk feature. Read the code around it. Ask questions. Ship. Repeat.

Starting with low-risk work lets us deliver value to the client while we build confidence and learn the codebase we’re working on.

As the weeks went by, we would move toward more complex parts of the system. By then, we…

Software consultancy and Rails Foundation member Planet Argon is once again collecting real-world insights from Rails developers and turning them into something the whole community can learn from.

The survey takes a deep look at how Rails is actually used today, including the tools people rely on, how teams and workflows are set up, how apps are built and deployed, and the challenges developers face. It also explores how AI is finding its place in everyday Rails work.

All results are shared openly, giving the community a clear, data-driven view of where things stand.

At RubyMine, we’re genuinely glad to see work like this continue. It takes real effort to run a survey at this…

The meetup took place last Friday, April 24th, at the FaHCE (Facultad de Humanidades y Ciencias de la Educación) in La Plata. The talks came from different places: empirical software engineering, custom coding agents, and multi-agent systems. The conversations continued afterward over beers and food provided by the organization.

Empirical software engineering: the scientific compass in the age of LLMs

The first talk was “Ingeniería de software empírica: La brújula científica en la era de los LLMs” (“Empirical software engineering: the scientific compass in the age of LLMs”) by Florencia Riva, a sociologist working at LIFIA.

Florencia’s talk pushed against a common temptation: asking LLMs…

Nine months ago, I introduced Perron, an OSS Rails-based static site generator. 190 commits and 18 releases later, lots of bugfixes and many new features—by yours truly and a few others—have been added. Today I am thrilled to announce Perron 1.0. 🥳

Want to check it out right away? Check out the docs, star it on GitHub or explore the showcase to see what others have built. 😻

Programmatic SEO

One of the most exciting features has been the ability to generate content programmatically. Whether you are building a SaaS directory, product comparison pages or anything else that mixes data with thousands of pages, with Perron this is now super easy.

Learn more about programmatic content creation.

…

RubyGems 4.0.11 includes enhancements and Bundler 4.0.11 includes enhancements, bug fixes and documentation.

To update to the latest RubyGems you can run:

gem update --system [--pre]

To update to the latest Bundler you can run:

gem install bundler [--pre]
bundle update --bundler=4.0.11

RubyGems Release Notes

Enhancements:

• Add commented-out rubygems_mfa_required to bundle gem template. Pull request #9487 by MatheusRich
• Clarify the name and meaning of the first argument to gem spec. Pull request #9476 by eregon
• Installs bundler 4.0.11 as a default gem.

Bundler Release Notes

Enhancements:

• Update gem creation guide URL to rubygems.org. Pull request #9500 by nissyi-gh
• Lo…

On April 23rd, we submitted a vulnerability report to the Nokogiri maintainers. It was the first one our team has filed using AI-assisted scanning. The maintainers accepted the report and published it as GHSA-c4rq-3m3g-8wgx.

The same week, news broke that Mythos, Anthropic’s most capable security model, had been accessed by unauthorized users through a third-party vendor. According to Anthropic, Mythos has identified thousands of zero-day vulnerabilities across every major operating system and web browser, including a 17-year-old remote code execution flaw in FreeBSD and a 27-year-old bug in OpenBSD. Two stories on the same shift, one from each side of it. The capability gap between…

Like a lot of developers right now, I’m figuring out how to support a “supervising several parallel development efforts at once” workflow. If you look for information on the web about how to implement a workflow like this, you’ll see a lot about git worktrees—where a single .git directory serves multiple working checkouts on different branches in different base directories.

But worktrees have some significant limitations. Not least of which is that their dependence on hardcoded fully-qualified paths written into configuration files not only makes worktrees non-portable, but also makes them DOA for any kind of containerized development environment. The worktree.useRelativePaths option…

Owning your server stack shouldn't be a source of anxiety. Unfortunately, it often is, especially if you only pay attention to the problems you can feel in your gut: Is the app running? Is it throwing exceptions? Does it seem fast enough? These are great intuitive measurements, but just as a doctor uses diagnostics to catch high blood pressure before it becomes a crisis, you need deeper visibility to detect memory leaks, CPU spikes, and disk consumption before they bring your project to a halt.

Hatchbox and AppSignal give you that "deeper visibility." They simplify infrastructure management by replacing manual monitoring with automated, real-time feedback. Together, they transform complex…

Mission: remove friction, not gates.

Use AI to speed research, produce better first drafts, and surface facts.

Never skip CI or reviewer sign-off.

• safer Rails changes
• repeatable reviews
• fewer context losses
• private memory that keeps improving

If it does not reduce mistakes, turn it off.

The Old Way

The old workflow was simple:

ask a model a question
copy the answer
paste into editor
manually fix context gaps
repeat

That works for small tasks.

It breaks down for real Rails work.

The missing context is predictable:

• repo conventions
• ownership mapping
• migration review expectations
• mandatory checks before merge

The result is familiar:

• good first draft
• wrong…

People focus so much on <h1> and alt attributes that they forget about usability.

Introduction

When discussing accessibility (a11y), we all focus on the structure of our <h1>/<h2>, the alt image texts, the contrast, and all the necessary rules to be covered. The problem is that during the process, we forget to think about usability: Is the page saying what it is supposed to be saying? Does the image description reflect what you can see there? Or take link text as an example: Does “Read More” explain what content the user is about to access?

Most of the time, usability is overshadowed by a focus on compliance with accessibility standards. As a result, we end up with a site that passes…

Take a trip through Joël and Aji’s YouTube recommended list as they go over the media that has inspired their work the most over the course of their careers.

Our hosts highlight different creators that feature regularly in their YouTube rotation, the long standing channels that have had the most impact on them, the video essays that inspire their work, as well as a small detour Into the world of history videos.

—

Here’s a handful of Joël and Ali’s personal recommendations:
VSauce - Veritasium - Jet Lag the Game - The Coding Train - Tom Scott - Kings and Generals - Daniel Steiner - Assassin’s Creed: Echoes of History - Jay Foreman / Map Men - Practical Engineering - Hannah…

Your hosts for this episode have been thoughtbot’s own Joël Quenneville and Aji Slater.

If you would like to support the show, head over to our Gi…

Abstract 🔗

Congrats on joining Hours Unlimited. The Math and Numbers team is excited to have you join us on our journey to redefine the importance of numerals. This introductory session will provide tips and tricks for best interacting with powerfuLLMachine, the next-level platform we use to unlock productivity and effectiveness.

Presentation Resources 🔗

• Slides
• Proposal

When my Sidekiq job starts failing or slowing down, I often feel frustrated, especially if I don’t know how to fix it.

If you’re using Sidekiq to run your background jobs, you know what I’m talking about. It’s a vital element of your stack, handling everything from data exports to password reset requests. It runs silently in the background, and most of the time, you’re not even giving it a second thought.

However, when things go wrong, like pages loading slowly, emails never being sent, or exports failing, the impact can be huge. Getting to the bottom of the issue can be like finding a needle in a haystack.

That’s where AppSignal comes in. It can monitor your Sidekiq jobs, alert you when…

Authentication proves identity. Authorization enforces rules.

Most production authorization bugs in Rails are not syntax mistakes. They are missing tenant scopes, global find calls, or new controller actions that shipped without a policy check.

Rails 8.1.3 is current as of April 28, 2026, and Rails 8 ships with a good authentication generator. That solves only the first half. After sign in, we still need a clear rule for every sensitive read and write.

TL;DR

• Authentication is not authorization.
• Scope collections before loading records.
• Treat Model.find(params[:id]) as suspicious in multi-tenant code.
• Use view checks only for display. Controllers and APIs still need policy…

The…

I built a private local AI brain so assistants start with my defaults, not a blank prompt.

Generic assistants help, but they do not know how I review Rails, what I call risky, or why I choose boring over clever.

It has three parts:

• a Karpathy-style LLM Wiki for durable knowledge
• gbrain for my trained and distilled work signals
• gstack for using that memory inside day-to-day coding workflows

The important part: the private corpus stays private. I distill repeated patterns from my own data signals. I am not retraining a public model on private work. The raw work history, private comments, internal repo names, client names, server paths, credentials, and customer details are not…

Rails gives us a strong security baseline. It does not make an application secure by itself.

That distinction matters. Most real Rails security issues are not caused by Rails forgetting to escape HTML. They come from stale versions, missing authorization checks, exposed secrets, unsafe admin workflows, weak session handling, and business logic that trusts the wrong user.

This guide covers what Rails protects by default, what newer Rails versions add, and what every production Rails app still needs to own.

TL;DR

• As of April 2026, Rails 8.1.3 is the latest Rails release.
• Rails 8.1 adds local CI and credential fetching that make security checks easier to standardize.
• Rails protects…

Spinel in Practice: What Works and What Breaks April 27, 2026 Built for Ruby on Rails Build Maps WithoutGoogle APIs Generate beautiful production-ready maps directly from your Rails backend. Fast rendering, zero external dependencies, full control. View Live Demo → Read Docs ✓ No API fees ✓ Self-hosted ✓ Rails Native ✓ Fast Rendering Why … Continue reading Spinel in Practice: What Works and What Breaks →

Since I wrote about async Ruby and patched Solid Queue to support fibers, people keep asking the same questions. What happens when a fiber blocks? Don’t you still need threads? What about database transactions? What about Ractors?

This post answers all of it. From the ground up.

The four primitives

Ruby gives you four concurrency primitives: processes, threads, fibers, and Ractors. They nest. Every process has an implicit “main Ractor” where your code runs by default, so you never have to think about Ractors unless you explicitly create one. Without Ractors, the hierarchy is simply process – threads – fibers. With Ractors, it becomes:

I recently joined ShopTalk Show… episode 711 to be exact. Which… now has me thinking I should probably go get myself a Slurpee.

A few things we got into…

• Oh My Zsh started as shared aliases for teammates… and turned into a plugin ecosystem that keeps growing.
• Ruby on Rails in 2026… scaling isn’t the question anymore. Teams are wrestling with restraint and keeping systems understandable.
• LLMs and contribution… more people can open meaningful PRs now. Conventions and structure matter more than ever.
• Dependencies… every one feels small when added. Over time… they stack up and stick around longer than expected.

If you haven’t listened to ShopTalk Show… go subscribe.

Every two years, the team at Planet Argon runs the Rails Developer Survey. And every two years, I go through the same process… a long list of questions, a hard look at how much time we’re asking of respondents, and a lot of cutting.

If you’ve filled it out before, thank you. If this is new to you, here’s the short version: it’s an open survey for Rails developers at all experience levels and across all kinds of organizations. We compile the results and share everything publicly. No paywalls. No vendor spin. Just a snapshot of what the community is actually doing.

We first ran this in 2009… back when ”should I use Rails?” was still a serious question… and have been doing it every two years…

It’s become…

AI is everywhere right now. New models, agents, and tools appear almost daily, each promising to transform how companies work. But when teams come to us asking for help with AI, the challenge is rarely how to build something; instead, the question is what to build, and whether AI is even the right tool in the first place.

I was listening to an episode of the Super Data Podcast where Jon Krohn interviewed John Roese, Global CTO and Chief AI Officer at Dell, and one moment stuck with me. They were discussing why so many AI projects fail to move the needle inside organizations, and Roese put it succinctly: in many cases, AI is being used to automate work that was essentially BS to begin with.

Let's talk about what's really going on.

Continue Reading

13 years ago today I released the very first version of Mustermann.

It allows you to create Regexp-like pattern objects:

require "mustermann"

pattern = Mustermann.new("/hello/:name")

pattern =~ "/hello/world"      # => 0
pattern.params("/hello/world") # => {"name" => "world"}

This is what Sinatra uses to match routes and extract parameters from the request path.

Since then other projects besides Sinatra have started using Mustermann, which I think is fantastic, and it has been maintained by a great community of contributors over the years. I myself took a break from Mustermann from 2017 until two weeks ago!

Performance, performance, performance!

You can find the full list of…

The Rails Way in 2026

We had an interesting discussion at the Arkency weekly call today. The topic was how to define “the Rails Way” in 2026. The discussion branched in many directions, but I want to capture the result here.

We get to see a lot of Rails repositories. There’s a pattern that shows up so consistently that I think it now deserves to be called “the Rails Way” of 2026:

A fat model with a callback. The callback triggers a service object. The service object is executed as a background job.

That’s the clue of this post. If you zoom out across the Rails applications written or maintained in 2026, that’s the shape.

The disclaimer

A word about where we’re coming from. Arkency is a…

Hi, it’s Claudio Baccigalupo. Let’s explore what happened this week in Ruby on Rails.

Apply as a speaker for Rails World
Don’t miss out on the opportunity to join 1,200+ Rails developers this year at the Palmer Center, Austin, TX. Corporate Support tickets are on sale now. General admission tickets will be released on May 12.

How do you use Ruby on Rails?
The 2026 Ruby on Rails Community Survey is open! Takes just a few minutes. Please fill out and share with your team!

Bump required PostgreSQL version to 10.0
Until now Rails claimed support for PostgreSQL 9.3, which is incompatible with PostgreSQL 18 (released in 2025). The pg gem v1.6 already raised its minimum required PostgreSQL.…

This BREAKING NEWS episode is a candid reaction to Ruby Central’s latest shakeup, with Chris, Andrew, and David unpacking leadership departures, financial strain, the cancelled gala, and what all of it says about the organization’s direction. The conversation moves beyond the headlines into bigger questions about trust, transparency, community values, conference strategy, RubyGems sustainability, and whether Ruby Central can rebuild credibility by involving more of the community in what happens next. Hit download now to hear more! 

Links

• Judoscale- Remote Ruby listener gift
• A New Chapter for Ruby Central
• RubyConf 2026- July 14-16, Las Vegas, NV

Your hesitation before a big software project might be the strategy.

Continue Reading

You gave a handful of your devs access to Claude Code Max… and things moved fast. Output went up. Then things started to drift. Not just formatting or naming. Structure. Approach. Assumptions. One developer builds guardrails around it. Another uses it like autocomplete. A third treats it like a thinking partner. Same tool, same codebase… different results. The code starts to reflect how each person uses the tool, not how the team builds software together.

There’s a tension here that most teams are sidestepping. You can feel the inconsistency creeping in, but saying “we should align on how we use this” sounds heavy-handed. So it gets framed as experimentation. Let people figure it out. Give…

Hi everyone! Rails World is back heading to Austin, Texas on September 23-24, 2026 for the largest Rails World yet, with space for 1,200 developers, founders, and teams building with Rails, and we have a huge Rails World update for you!

First: The Rails World website is finally live thanks to our website sponsor WyeWorks, and the amazing work of developers Jessica Ferreira and Lucas Troncoso and designer Jomiro Eming. Big thanks to the team!

Check it out.

Apply to speak at Rails World 2026

Most of all, we’re excited to announce that the CFP for Rails World 2026 is officially open.

Submit your talk by May 16: https://sessionize.com/rails-world-2026/

What we’re looking for in 2026…

JavaScript errors (either vanilla or with Stimulus controllers) often happen silently in the browser, leaving your users confused about what went wrong. “Why did nothing happen?”. “I just did click the button!” “Let’s try again…”. Still nothing… Starts furiously clicking the button now.

This poor user experience can be frustrating and can lead to more support tickets that could have been prevented. In this article I want to show how to build a simple class that catches unhandled JavaScript errors and displays them to the user in a friendly banner. It’s a small but meaningful improvement to your app’s user experience.

As always, the code can be found on GitHub.

The silence of the errors

Whe…

MapView Flyers are at RubyKaigi 2026 – Here's the Must-Watch Talk Schedule April 22, 2026 Scan to try Live Demo Available Introducing MapView Render beautiful, production-ready maps directly from your Ruby backend. No external APIs. No dependencies. Just pure speed and control. ✓ Zero external dependencies ✓ Lightning-fast rendering ✓ Production-ready & battle-tested Try … Continue reading MapView Flyers are at RubyKaigi 2026 – Here’s the Must-Watch Talk Schedule →

If you haven't yet seen the statement from the Ruby Central Board, the organization has been preparing for some significant changes. RubyConf, our flagship annual event, is also moving and adapting with these transitions.

This year, we ambitiously envisioned several exciting new programs designed to reimagine RubyConf and bring new energy, new voices, and new opportunities to the conference. We took a step back, reevaluated each of these programs, and took fresh creative approaches to bringing a clearer vision for what RubyConf can and should be. 

Here’s what some of the new programming will look like going forward.

Steering Committees and Town Hall Sessions

This year, we want to try something…

The agent-led growth playbook: how to make AI agents discover, use, and pay for your developer tool, and defend against the ones you didn't invite. LLM discoverability, agent-first onboarding, agent payments, AX security.

In early 2025, Matt Biilmann, CEO of Netlify, coined the term "agent experience" or AX: how AI agents experience your product as a user. AX extends developer experience and drives agent-led growth: adoption that happens because agents recommend, set up, and integrate your tool without a human in the loop. Three things to get right: make agents discover your tool. Make agents use your…

How much of your day to day life is based on using digital tools?

95% of U.S. adults use the internet, 91% own a smartphone, and 78% subscribe to high-speed internet at home. 41% report being online “almost constantly.” Americans now average over 5 hours a day on their phones, a 14% jump from the prior year, not including time spent working or other types of screen time. (Pew Research Center, survey conducted Feb. 5 to June 18, 2025.)

Of the adult population, more than 7 million Americans are living with uncorrectable vision loss, including over 1 million who are blind. Broader survey data shows that nearly 50 million adults report some difficulty seeing, even when wearing glasses.

In an…

The JRuby community is pleased to announce the release of JRuby 10.1.0.0.

• Homepage: https://www.jruby.org/
• Download: https://www.jruby.org/download

JRuby 10.1.0.x targets Ruby 4.0 compatibility.

Thank you to our contributors this release, you help keep JRuby moving forward!

JRuby 10.1: Experimenting and Evolving

JRuby 10.1.0.0 is our first major release since catching up with Ruby compatibility. We have used this opportunity to explore many experimental optimizations and improvements we have been chasing for many years. Ruby 4.0 compatibility is largely complete, but there will be additional features added in update releases. We also plan to continue with large scale experiments…

Ruby 4.0.3 has been released.

This release only contains ERB 6.0.1.1, which fixes CVE-2026-41316.

If your application calls Marshal.load on untrusted data AND has both erb and activesupport loaded, please update your ERB to 4.0.3.1, 4.0.4.1, 6.0.1.1, 6.0.4 or later. You may use this Ruby 4.0.3 release to do so.

Release Schedule

We intend to release the latest stable Ruby version (currently Ruby 4.0) every two months following the most recent regular release. Ruby 4.0.4 will be released in May, 4.0.5 in July, 4.0.6 in September, and 4.0.7 in November.

If a change arises that significantly affects users, a release may occur earlier than planned, and the subsequent schedule may shift…

Last year I moved the LLM streaming jobs in Chat with Work to Async::Job. It was fast. Genuinely fast. Fiber-based execution with Redis, thousands of concurrent jobs on a single thread. I was so convinced that I wrote a whole post about why async Ruby is the future for AI apps and recommended it to everyone.

Then I started hitting walls.

Async::Job doesn’t persist jobs. They go into Redis and they’re gone. Mission Control shows nothing. Background jobs in Rails are already quieter than the rest of your application – they fail without anyone noticing unless you go looking. Even with Honeybadger catching exceptions, I still want to see the full picture: which jobs are queued, which are…

We published security advisory for CVE-2026-41316.

CVE-2026-41316: ERB @_init deserialization guard bypass via def_module / def_method / def_class

A deserialization vulnerability exists in ERB. This vulnerability has been assigned the CVE identifier CVE-2026-41316. We recommend upgrading the erb gem.

Scope

Any Ruby application that calls Marshal.load on untrusted data AND has both erb and activesupport loaded is vulnerable to arbitrary code execution. This includes:

• Ruby on Rails applications that import untrusted serialized data – any Rails app (every Rails app loads both ActiveSupport and ERB) using Marshal.load for caching, data import, or IPC
• Ruby tools that import untrusted…

Details

ERB…

April 20, 2026 Scan to try Live Demo Available Introducing MapView Render beautiful, production-ready maps directly from your Ruby backend. No external APIs. No dependencies. Just pure speed and control. ✓ Zero external dependencies ✓ Lightning-fast rendering ✓ Production-ready & battle-tested Try the Live Demo → Read Docs In 2025, at the RubyWorld Conference, … Continue reading Generating thousands of maps per minute in Ruby →

A few weeks ago, Axios, the popular HTTP client for JavaScript, suffered a supply chain attack on NPM. An attacker compromised the lead maintainer’s NPM account through social engineering and published two backdoored versions that delivered a cross-platform remote access trojan (RAT) to macOS, Windows, and Linux systems. Axios has over 100 million weekly downloads. The blast radius was enormous.

Not long before that, LiteLLM, a popular Python AI gateway, had a similar incident on PyPI. Compromised credentials were used to push malicious packages that harvested environment variables, SSH keys, cloud credentials, and database passwords.

Both attacks followed the same playbook: gain access…

Over the last few months, there has been a lot of talk about making Bundler faster, both by improving it directly, or by reimplementing it in another language, and while it may surprise some, that didn’t excite me much.

Don’t get me wrong, all other things being equal, faster is better, so if Bundler gets faster without me having to change my toolchain one bit, I’ll happily take it. But I certainly would not bother migrating to something else just for speed.

Instead, there are a number of features I believe Bundler is missing, and that over the years, I tried to convince Bundler’s maintainers to consider them, but without any success.

Why Bundler Is Fast Enough For Me

Given how much I…

Back in November last year, I started a new job at Intercom, and one of the first projects I got to work on was improving the Intercom monolith CI with some of my new colleagues.

Interestingly, I never got around to talking about CI on this blog, even though I consider it to be one of my main areas of expertise. That topic is way beyond the subject I’d like to talk about here, but just to give a bit of context, a key driver in CI performance and user experience is how fast you can get a Ruby process ready to run tests.

When working with very large test suites, it becomes essential to run tests in parallel. If you have a test suite that runs in say, 1 hour, on paper, you can run it in 15…

In this episode of RECORDABLES, we dive into the thinking behind the ONCE open source app server and what it takes to turn self-hosted software into something anyone can run. David Heinemeier Hansson and Kevin McConnell walk through the shift from single-app installs to a console-like system that can run multiple applications on one machine, and the philosophy that guided that evolution.

Along the way, they explore the tradeoffs between simplicity and flexibility, the role of Docker and Kamal in making deployments seamless, and why ease of use matters more than raw capability. This conversation is a look at packaging complexity into something approachable and how ONCE aims to make running…

Chris and David welcome guest John Athayde, who runs the branding and UX consultancy, Meticulous. They dive into John’s unusual path through the Rails world as a designer, front-end developer, consultant, author, and UX thinker. The conversation moves from early Rails history and The Rails View into a broader discussion about why designers need to understand implementation, how AI is changing product and UI work, where component-based design is headed, and why browser support is still one of the messiest parts of modern web development. Hit download now to hear more!

Links

• John Athayde Website
• John Athayde X
• John Athayde Bluesky
• Meticulous
• Build Software Like Pixar Makes Movies with John…

Hi, Wojtek here. Let’s see what’s new in the Rails on this finally sunny day (at least in my corner of the world ;-)

Query command for read-only database queries
Adds rails query — a read-only database query command with structured JSON output.

rails query "Account.where(plan: 'premium').limit(2)"

{
  "columns": ["id", "name", "plan", "created_at"],
  "rows": [
    [1, "Acme", "premium", "2025-01-15T10:30:00Z"],
    [2, "Widgets Co", "premium", "2025-03-22T14:00:00Z"]
  ],
  "meta": {
    "row_count": 2,
    "query_time_ms": 4.2,
    "page": 1,
    "per_page": 100,
    "has_more": false,
    "sql": "SELECT \"accounts\".* FROM \"accounts\" WHERE \"accounts\".\"plan\" = 'premium' LIMIT 2"…

There are many more possibilities and additional subcommands available, such as query schema, query models, and query explain.

Add charset=utf-8 to Content-Type for static CSS and HTML files
ActionDispatch::FileHandler#try_files now appends ; charset=utf-8 to the Content-Type header for CSS and HTML static files. This is consistent with the rest of the Rails stack, which already…

Add offline fallback page to the PWA scaffold
New Rails apps now include an app/views/p…

If you’re building LLM-powered features in a regulated industry, sending unfiltered PII to a third-party provider isn’t just risky, it may violate compliance requirements like HIPAA or GDPR.

That’s why we originally built Top Secret. However, when we first released it, RubyLLM was still in its early days, and I found I was working with provider APIs directly, such as Ruby OpenAI or OpenAI Ruby. This meant I needed to manually orchestrate the filtering and restoration process, which looked something like this:

require "openai"
require "top_secret"

openai = OpenAI::Client.new

original_messages = [
  "Ralph lives in Boston.",
  "You can reach them at ralph@thoughtbot.com or 877-976-2687"
]

…

We have made recent and significant changes to how Ruby Central operates.

We have parted ways with our Executive Director, our PR agency, our CFO, and concluded several contractor engagements. These were not easy decisions, but they were necessary to ensure the long-term sustainability of Ruby Central. Since joining the Board at the beginning of the year, we have seen the organization's finances become overly dependent on the optimistic timing of when funds may be received against fixed timelines for when our expenses are due.

As a result, Ruby Central has found itself in real financial jeopardy. This is a situation we've been working toward resolving by reducing our expenses, renegotiating…

If you’ve ever noticed that your CSS transitions feel a bit… flat, you’re not alone (I seem them a lot! 😭). The default ease timing function works fine, but it’s generic. Real-world motion has character, it bounces, overshoots and feels natural. That is what cubic-bezier is for.

What is cubic-bezier?

In CSS, cubic-bezier is used in the transition-timing-function or animation-timing-function property. It defines how intermediate values are calculated during a transition using a cubic Bézier curve (orly?! 🦉).

The syntax looks like this:

cubic-bezier(x1, y1, x2, y2)

Those four numbers define two control points on a curve. The curve starts at (0,0) and ends at (1,1), representing the…

Every team has a different definition of "ready." Here's how to make sure everyone's aligned before, during, and after launch.

Continue Reading

Most AI SEO advice is unproven. We tested what ChatGPT, Claude, and Perplexity actually read on our own site. Six LLM visibility techniques that worked, eight that didn't, and the metrics to tell the difference.

We recently signed a new client, and they actually found us via Claude. The founders of an SF-based AI startup asked Claude to recommend a dev agency with senior engineers who think about architecture and scale. Evil Martians came back as the top recommendation. That got us thinking: what did we do right?

Last weekend I migrated my Doctor’s App from Heroku to Railway.

It’s a multi-tenant Rails app where each hospital gets its own subdomain, one.doctors.com, two.doctors.com, and so on.

Five hospitals, around 25,000 appointments, 9,700+ patients. Not huge, but not trivial either.

Here’s how it went, including the part where I accidentally broke the database.

The setup

I already had a Railway project running with a test domain (*.juanvasquez.dev) from earlier experiments. The web service was deployed from GitHub and the Postgres 17 instance was co-located in us-east4. Cloudflare R2 handles file storage, that stays the same regardless of where the app runs.

The plan was simple: put…

April 15, 2026 Scan to try Live Demo Available Introducing MapView Render beautiful, production-ready maps directly from your Ruby backend. No external APIs. No dependencies. Just pure speed and control. ✓ Zero external dependencies ✓ Lightning-fast rendering ✓ Production-ready & battle-tested Try the Live Demo → Read Docs Today I created a flyer to … Continue reading Create QR Codes from Scratch with Ruby, ruby-libgd, and rqrcode →

Slow database queries can significantly impact the user experience of any Rails application. Identifying and fixing these performance bottlenecks requires a systematic approach and the right set of tools.

In this post, we will explore various approaches to debugging query performance in Rails, from built in Rails tools to database specific utilities.

Understanding the Problem

Before diving into debugging tools, it’s important to understand what makes a query slow. Common causes include:

• Missing or inefficient indexes
• N+1 query problems
• Full table scans
• Complex joins without proper optimization
• Large result sets being loaded into memory
• Inefficient WHERE clauses

Rails…

rubygems.org has been a busy project. This past year we shipped formal policies for the first time in the registry’s history, launched the Organizations private beta, and made some meaningful security improvements to how gems get validated and how compromised passwords get caught. A lot of that work happened quietly. If you wanted to know where things were headed, you had to catch the right conference talk or subscribe to the right newsletter, and even then you’d only get pieces. The roadmap puts it in one place.

The roadmap covers work at different stages, from Organizations moving toward general availability to longer-horizon work on security tooling, gem archival, and acceptable use…

rubygems.org has been a busy project. This past year we shipped formal policies for the first time in the registry’s history, launched the Organizations private beta, and made some meaningful security improvements to how gems get validated and how compromised passwords get caught. A lot of that work happened quietly. If you wanted to know where things were headed, you had to catch the right conference talk or subscribe to the right newsletter, and even then you’d only get pieces. The roadmap puts it in one place.

The roadmap covers work at different stages, from Organizations moving toward general availability to longer-horizon work on security tooling, gem archival, and acceptable use…

Every design team I’ve worked with has had the same complaint about clients.

“They sent over a PowerPoint with mockups.” Eye rolls. Crossed arms. The unspoken accusation: you’re stepping on my domain.

I got it. The client would shortcut the process. Fall in love with their own wireframes. Hand the designer a solution instead of a problem.

That friction was real.

But here’s what nobody said out loud… the designers were doing the same thing to the developers.

A designer would disappear for a few weeks. Come back with approved comps. Hand them off to a dev team with zero context on the constraints they’d just inherited. The developers would look at the designs and realize that one…

Mobile teams shipping on a weekly cadence need automated confidence that changes won’t break what’s already working. At Gusto, our iOS codebase had unit tests, but coverage was uneven, and we hadn’t yet adopted snapshot testing. Major upgrades and component refactors still required significant manual verification. We wanted a more deliberate, layered approach — one that would scale with the team and the product.

The moment that sharpened our focus: a localization string change wasn’t caught by our existing automation and surfaced just one day before release. The fix took minutes — but the late discovery cost a full release cycle.

Manual testing doesn’t scale with growing teams and faster…

Introducing rails_vite—a new Vite integration for Rails that works with Propshaft, not against it. Drop it into an existing jsbundling app for instant CSS HMR, or use the full gem for manifest-based asset resolution.

Vite is the build tool every frontend developer reaches for. But you won't find it in rails new. Vite runs a dev server. Propshaft—Rails' asset pipeline—expects files on disk. For years, these two have refused to share a stage. rails_vite makes this incompatibility …disappear.

Creating software is complicated. It’s hard to figure out exactly what you need to build without a lot of trial and error. It almost always requires both exploring possible options and refining something until it works really well. But those things aren’t the same! Your research prototype is not a good product that people will happily pay for.

Back in the olden days, when software literally came from BigCo R&D departments, we managed to invent Unix, and the mouse, and GUIs, and Ethernet, and TCP/IP, and a ton of other stuff we all use constantly today. Those research divisions didn’t ship viable consumer products, though. Doug Englebart demoed a mouse-driven GUI in 1968, but you couldn’t…

To deal with secrets and credential handling most Rails apps have ended up with a hotchpotch of ENV.fetch calls and credentials.dig lookups throughout the codebase, depending on where each secret lives.

Rails edge — and the upcoming 8.2 — fixes this.

Instead of…

…mixing ENV and credential lookups:

class StripeChargeService
  def initialize
    @api_key = ENV.fetch("STRIPE_API_KEY")
    @webhook_secret = Rails.application.credentials.dig(:stripe, :webhook_secret)
    @price_id = ENV.fetch("STRIPE_PRICE_ID") { Rails.application.credentials.dig(:stripe, :price_id) }
  end
end

Use…

…the combined credentials API:

class StripeChargeService
  def initialize
    @api_key = Rails.app.creds.r…

MapView: Server-Side Map Rendering for Rails April 12, 2026 After an extensive development journey, MapView has arrived: a powerful API for generating map images directly from your Ruby server. What is MapView? MapView is a Ruby gem that enables you to render maps, routes, points, and polygons with zoom levels ranging from a global world … Continue reading MapView: Server-Side Map Rendering for Rails →

This is a copy of the Searls of Wisdom newsletter delivered to subscribers on April 10, 2026.

I've decided to go on a content hiatus. This will be my last dispatch for a while. I don't know how long I'll be gone.

Why? Because I've been posting to an anonymous audience on the Internet almost every day since I was eleven years old. I posted through Bill Clinton's impeachment, 9/11, the Iraq War, the Deepwater Horizon oil spill, the version of Siri that would tell you where to hide a body, binders full of women, and a pandemic that changed everything and then nothing at all.

Very few of my friends live like I do. They aren't pundits. They don't post takes. They lead normal-looking…

If I’ve sent you this, it’s because I will eventually need to give you constructive feedback. Not necessarily right now, but it is going to happen. If I’m your manager I’m going to be giving you feedback fairly regularly because it’s a requirement of my job. And I want to set your mind at ease about it by explaining the process up front, and hopefully showing you that it’s no big deal.

In April 2025 I wrote Apologizing for My Obsessiveness Over Punctuation, a post about my various organizational compulsions. Near the end, almost as an aside, I mentioned that I obsessively categorize expenses in Monarch, a personal finance app, linking it with my referral code. That post earned me exactly one referral in the nine months that followed.

Then, on January 15th, 2026, I wrote Serving Markdown for AI Agents. The idea is simple: for every post on this blog, there’s now a .md version at the same URL. AI agents can discover and fetch clean markdown instead of parsing HTML. I didn’t think much of it.

Exactly thirty days later - the length of Monarch’s free trial — I started…

Before AI coding assistants, a typical engineering team built expertise with the years: new team members joined, contributed small bug fixes, then were given more ambitious tasks over time as they became more comfortable in a codebase, to ultimately become experts. This process took years.

In contrast, today, almost every engineer, and many non-engineers, have access to tools that can gather context from any codebase, and produce a large volume of high-quality code in a day. This lowers the bar for contributing meaningful changes to the software we build and enables many more individuals without domain or codebase expertise with good ideas to see them to light.

At work, I asked my team to…

Human preface: I’m doing a little side project to see for myself how far AI agents have come and what they’re capable of. I’ve basically directed Claude to make a website the generates traffic by any means it sees fit. Below is a little introductory post written by Claude explaining the project and how it’s going at this early stage.

Building a Complete GIS Stack in Rails: ruby-libgd + libgd-gis + map_view April 10, 2026 See the LIVE DEMO in action MapView Render maps directly from your backend no external APIs required. Fast, controlled, and production-ready. Try the demo → Over the past few months I’ve been working on a small GIS-oriented stack in … Continue reading Building a Complete GIS Stack in Rails: ruby-libgd + libgd-gis + map_view →

Hi, I’m Emmanuel Hayford. Here’s what caught my eye in Rails this week.

Fix GET+JSON+params in integration tests for API-only apps
params: in integration test helpers was ambiguous for GET requests with as: :json — it wasn’t clear whether params should go in the query string or request body. The original workaround converted GET to POST with X-Http-Method-Override, which broke API-only apps that exclude Rack::MethodOverride. New query: and body: kwargs give explicit control: query: always lands in the URL query string, body: always goes into the encoded request body, and params: keeps its existing behavior unchanged.

get  "/search", query: { q: "rails" }, as: :json
post "/search", query: {…

Add…

This episode of Remote Ruby opens with stories of exhaustion from a sleepless week. Then, Chris, Andrew, and David spend most of the episode unpacking two big themes: trust and governance in open source, and the growing mess of software security and AI-assisted development. They dig into the new Ruby Central write-up on the RubyGems/Bundler fracture and question whether it actually clarifies the path forward, then pivot into the Axios npm compromise, supply-chain risk, and how fragile modern package ecosystems can feel. Then, they go into a wide-ranging discussion on AI coding, bloated production apps, image-performance headaches, CSS/rendering quirks, and why teams may need to rethink…

We deployed an existing Laravel application using Docker and Kamal 2 without touching the app. Here's what worked, what didn't, and what we'd do differently.

Continue Reading