CVE-2026-55518 (avo): Avo - Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation
Hi, it’s zzak. This week was full of changes, so let’s pull into the station and take a look.
Last Rails World GA tickets available
Heads up: there are now just 100 General Admission tickets available for Rails World 2026. Don’t miss your chance to join the Rails community in Austin this September for two days of talks, code, connection and music.
Rails Foundation documentation guides
The documentation project reworked the Multiple Databases guide, now ready for community review, and reorganized the Internationalization guide from beginner-friendly setup through advanced topics.
Allow query log tags to be configured per connection pool
Database configurations can now override query log…
Navigating Subscription Overhauls and Payments
Chris, Andrew, and David catch up after a missed week of recording and quickly dive into the kind of deeply practical Rails work that only comes from real production pain. Andrew shares the massive subscription and billing migration happening at Podia, including Stripe edge cases, legacy plan preservation, and stress-test tooling built from live scenarios. Chris then goes deep on a Hatchbox email cancellation flow that turns into a Rails internals rabbit hole around Action Mailer callbacks, mail delivery cancellation, and a tiny Rails PR born from production debugging. Hit download now to hear more!
Links
I wrote recently about Syntropy, a new Ruby web framework I’m working on (it runs this site). Syntropy’s design is based around the idea of file-based routing, which means that the source files for route handlers (i.e. controllers) that make up the app are organized and named according to the app’s URL namespace. I also discussed the way Syntropy loads the different source files (referred to as modules), and I’d like to discuss this a bit more in detail.
Code Organization in Ruby on Rails
Now, if you’re a Rails developer, you know that Rails’ approach to code organization is based on auto-loading of the different source files that make up the app, performed by the Zeitwerk gem.…
Continuations 2026/24: Clearing the decks
This edition’s a bit late—please grant me an amnesty, as I don’t want to break my streak! So here we’ll focus on last week’s work, and in a few days’ time, I’ll bring you up to the present.
The focus last week was clearing the decks so we could ship a 3.0 release candidate for Hanami.
Sean merged another nice batch of performance improvements for Hanami Action, as well as an attachments-related fix for Mailer. Thanks Sean!
Paweł got in on the action too, with a website update for our generated README, plus sourcing our gems from our gem.coop namespaces if you elect gem.coop as your gem source in new apps. I also tweaked and merged his documentation for undecorated view exposures.…
Merged (another!) nice fix from Jane Sandberg: Do not create duplicate routes when running the…
Herb and ReActionView: A Glimpse Into the Future of Rails Views
June 18, 2026
For years, Rails developers have enjoyed one of the simplest and most productive ways to build web applications: write HTML with ERB, let Action View render the templates, and move on. While the Ruby language, the parser, and the tooling ecosystem …
Comsol Customer Service
I’ve had a Comsol 3-in-1 wireless charger sitting on my desk for ages. It has a hardcore 2010s tech aesthetic, with its white plastic and chrome combination. I use it to charge my phone, watch and earbuds all at once. Or at least I did, until it stopped being able to charge the phone. It could still charge a watch and the earbuds, but I used it most for charging the phone.
The device still turned on, but it would flash a solid white light for about a second, then off again, then repeat. I didn’t know what caused this, and googling for the manual turned up no results. But I did find the support email! So I contacted them and asked what it meant and if they had the manual.
They then asked…
No Node
The Asset Pipeline has had many changes over the years, from not needing NodeJS when using Sprockets, to supporting NodeJS to manage JS dependencies through npm packages, to requiring NodeJS by default with Webpacker, and to not needing NodeJS by default again with ImportMaps.
ImportMaps is a good way to not have NodeJS as a dependency of the application, but it has many limitations (like the lack of TypeScript support) and it requires a lot of work to migrate to it when upgrading older applications.
In this blog post, we will see how to use Bun to remove the need to install NodeJS system-wide, how to use the standalone binary to not require an installation step, and at the same time keep…
Before and after (image) sliders are great for product showcases, before/after transformations, renovation projects or photo editing results. They’re engaging, interactive, and honestly just fun to use.
Ever thought of building one from scratch? Not complicated at all! In this article, I want to show how to build a simple, reusable Stimulus controller that does just all that. This is what the end result will look like:

As always, the code can be found on GitHub.
It is simple, really
The beauty of this controller is its simplicity. You need three things:
- a wrapper element;
- two images (before and after), and;
- a slider.
That’s it. Here’s it in HTML:
<div data-controller="compare">
<img da…
https://avdi.codes/154684-2/?utm_source=rss&utm_medium=rss&utm_campaign=154684-2
Generative AI dramatically lowers the cost of modification, which creates a dangerous illusion: that everything can change quickly, therefore everything should.
leaflet.pub: Pace Layers and AI Integration
41M requests/hour on Rails
#805 — June 18, 2026
Ruby Weekly
The Plan for rv and a Progress Update — Inspired by Python’s uv, rv is a fast Ruby install, gem, and project manager built by several prominent Rubyists. v0.6 landed this week, and things are going well. This post shares some history, progress, and where the team is focusing next.
André Arko
⚡ "You can go straight from brew install rv to a Rails app from rvx rails new in 10 seconds flat." – André Arko
Hiring Rails Engineers Takes Months. We Start Next Week! — Since '17, teams have trusted us to upgrade Rails. The same engineers are now available for staff augmentation:…
https://avdi.codes/154635-2/?utm_source=rss&utm_medium=rss&utm_campaign=154635-2
It’s the **robber barons, rails, rents and defaults** of the next twenty years I worry about, not skynet, the singularity or misaligned paperclip optimizers.
Philipp Markolin, PhD: The AI Race to Reboot Feudalism
https://avdi.codes/154575-2/?utm_source=rss&utm_medium=rss&utm_campaign=154575-2
I’m mourning the future I grew up and came of age thinking we would have. Fascism, and overbearing type systems, was something my forebearers dealt with so that I wouldn’t have to.
okayfail.com: In Praise of DHH
https://avdi.codes/154526-2/?utm_source=rss&utm_medium=rss&utm_campaign=154526-2
90% utilization is causing more failure than you realize, not just in burn-out, but in productivity and output.
Jason Cohen: A Smart Bear » Your non-linear problem of 90% utilization
https://avdi.codes/154516-2/?utm_source=rss&utm_medium=rss&utm_campaign=154516-2
perhaps languages aren’t slowing down so much as *spreading sideways*. They are dissolving into domains like query languages, shader languages, build languages, DSLs for robotics or finance, etc. The langdev shift perhaps is less about one big new paradigm and more about fifty smaller ones, deeply integrated.
Fogus: The Long Season of Langdev
Ingress is not the owner of the invariant
A polemic with Callbacks Are Not Invariants by Brandon Weaver.
A disclaimer: I’m a RailsEventStore maintainer and this article ends up on the Arkency blog — so cards are on the table. Despite this, I’m keeping the core of my argument in pure ActiveRecord: no step of the reasoning requires RES. I only show the RES version at the end, separately, as “and this is what it looks like when you’re not typing it in manually”. If you’re convinced by the bare-metal AR reasoning, not the library, that’s what matters.
We agree about the disease
I enjoy reading Brandon’s Rails: The Sharp Parts series and sending it to the team — it’s one of the better…
Ruby 4.0 Is Here. Why Is AI Still Writing Ruby 3.0?
June 17, 2026
Artificial intelligence has become an indispensable tool for Ruby developers. We ask AI assistants to write methods, refactor services, generate RSpec tests, explain stack traces, and even architect new features. For many developers, AI is no longer an experiment—it's part of …
Brighton Ruby 2026 will take place in a few days and the thoughtbot team will be there to meet you all in real life, learn from all the great talks, and enjoy a day by the English coast.
We love Brighton Ruby and enjoyed it for many years. It is a single-day, single-track conference packed with great energy and great people.
This year we will have 5 thoughtbotters attending:

Aji will be at Brighton Ruby for the first time! They are always happy to talk about ruby game development, recent conversations on The Bike Shed, tracking reading lists on Storygraph, or (let’s see what else… ::rummages through bag of hobbies::) linguistic anthropology. Come say hello!

Chad is thoughtbot’s…

We’ve talked a lot lately about governance, sustainability, accountability, and the future of Ruby Central. Those conversations were necessary, but they were largely conversations about the past.
This year’s RubyConf feels different.
This RubyConf is going to be a conversation about the future.

For the first time, we will be inducting the inaugural class of Ruby Fellows. Leaders from Ruby Alliance companies will gather to discuss how they will be collectively investing in Ruby's future. We'll officially launch Steering Committees that create new opportunities for community members to get directly involved. We'll host Ruby Runway and showcase founders building exciting new businesses on Ruby.
No…
Every developer has tools they rely on daily. The workflows they’ve built around them, the ways they’ve learned to move faster, debug smarter, and write better code – that kind of hands-on experience can be hard to put into words.
We’re collaborating with LinkedIn to make it easier for you to showcase your expertise with JetBrains IDEs on the world’s largest professional network. You can now connect your IDE to LinkedIn and let your real tool usage speak for itself.
IntelliJ IDEA, PyCharm, WebStorm, PhpStorm, Rider, GoLand, CLion, RustRover, and RubyMine are already supported via a free plugin, while support for DataGrip is coming soon.
In this blog post, we’ll…

Coding without design guidelines can leave teams with an inconsistent UI design and a complex feature development process. Here's how we built a design system for Currents that's readable by engineers and AI agents.
AI-assisted coding allows technical founders and lean engineering teams to try new languages and frameworks, write more code, and ship new designs. It's the perfect solution for validating ideas, building PoCs and MVPs. However, as adoption grows, it's time to drastically elevate the UX and UI.
https://avdi.codes/154098-2/?utm_source=rss&utm_medium=rss&utm_campaign=154098-2
When code can be regenerated faster than it can be understood, preserving it for sentimental or historical reasons no longer makes sense. What matters instead is stewardship: maintaining the system’s behavior, boundaries, and intent over time, regardless of how many times its internals are replaced.
leaflet.pub: The Death and Rebirth of Programming
Travis Dockter wanted a Ruby conference closer to home, so he made one. Today we chat about the ups and downs of putting together a brand new conference.
Show Notes
Sponsors
Lots of teams out there are still overpaying for their hosting and getting tripped up by traffic spikes. If you’re on one of those teams, you need a better autoscaler. Judoscale uses better metrics, gives you more control, and reacts faster than any other autoscaler. Learn more at https://judoscale.com/
Waiting over an hour for a test suite to finish is a productivity killer.
On a recent project, that was our reality.
Running the full local RSpec suite took almost 2 hours, making it difficult to get quick feedback and confidently iterate on changes. While there are many ways to optimize test performance including fixtures, request stubbing, faster tooling, and more, most of these options require significant effort to implement.
Instead, we explored a simpler approach: bringing parallel test execution to local development. The result was a much faster feedback loop (down to 5 minutes) and a significantly better developer experience.
Although our primary goal was to improve the local…

Gusto, like most companies building with LLMs, is amassing a LOT of software: one-off projects, Claude Artifacts, HTML visualizations, dashboards, and my own growing fleet of personal tools.
The agent loop made building 100 times easier, but deployment and operations still assume the old world. Your choices are weirdly binary:
- Static sites with data in the HTML
- A whole app with Dockerfile, Postgres, secrets, CVE mitigation, deploy pipeline, PagerDuty, and sharp edges.
When software was hard, most things were #2. Now, most things sit in the middle: stuff that’s real enough to need a database, but not real enough to deserve an app stack.
Neither fits, and this isn’t about engineers vs.…
502: Apps That Make Our Work Go
Aji and Sally are back together again, this time to discuss the different apps they use to make their workflows and To Do lists easier and quicker to achieve.
Sally dives into the Notion calendar system which she uses to coordinate her many Google calendars, Aji looks back on using Jira to co-ordinate their international move, before they both reminisce about the benefits of using Alfred as people with ADHD.
—
There’s still time to secure your place at thoughtbot’s upcoming UK meet ups over the next month.
London Tech Leader Meetup - Tuesday June 23rd
Brighton Tech Leader Meetup - Wednesday June 24th
Brighton Ruby - Thursday June 25th
Evolve - Friday June 26th
Your hosts for…
Today we’re sharing the release candidate for Hanami 3.0, feature-complete and ready for testing. We’d love your help to give it a good workout before our final release—which, all going well, will be in just a couple of weeks!
What’s coming in 3.0
There’s a lot I’m excited for in 3.0, but I’ll save the full announcement for when it ships. For now, here’s where we’d love your help with testing.
Built-in i18n
Internationalization is now a built-in feature. Bundle the i18n gem and Hanami loads your translations and makes translation and localization helpers available across your views and actions. See Previewing i18n integration in Hanami 3.0 for details.
First-class mailers
We’ve rebuilt H…
Verify faster
We’ve been working to a pretty tight deadline as a team recently. We had a period of relative stability with a few concurrent projects on the go, and then we had this new elephant-sized project dropped on us. The entire team has rallied around it and everyone’s contributing exceedingly well to their own parts.
During the last few months of this project, I’ve been taking a look at how we can get to the point of verifying our changes faster after reading Accelerate for the second time. Trying to find answers for how we go from “push” to knowing something works, and then shipping that with less time passing between all of those points.
A few things that our team has worked on to fix this has…
Building a quiz with Stimulus
Quizzes are fun! Well… I do think they are. Always up to learn new things. So how can you create one with your favorite frameworks? In this article, I want to show how you can build a quiz with Stimulus. It can be a good starting point for learning about a new customer in your SaaS or as a smart, little marketing tool (keep readers engaged/on your page). 💡
The quiz loads questions from a Rails endpoint, tracks answers in real-time, calculates results and submits them to your server. As always, the code can be found on GitHub.

This will be the result. Time to dust off that good ol’ computer science knowledge… 🤓
Building the data class
Here’s the QuizData class that handles the quiz…
jj's whole deal
jj’s whole deal is that it collapses many Git concepts (stashes, staging, fixups, in-progress rebases, conflicts) into a single unified model of working with history, which then lets you use the same tools to do all of those things. For example, to fix up an old commit you jump to it, edit it, and jump back to where you were; to fix a rebase conflict you jump to the conflicting commit, edit it, and jump back to where you were, using the same commands.
– Understanding Jujutsu bookmarks
This is such a good summary, I’m probably going to steal it when I try to explain jj in the future.
Shopify Joins the Ruby Alliance
We’re excited to share that Shopify has joined the Ruby Alliance.
Shopify is a leader in the Ruby ecosystem, powering millions of businesses around the world and demonstrating what is possible when Ruby is trusted at global scale.
For years, Shopify has invested in Ruby through engineering leadership, open source contributions, performance improvements, and a deep commitment to the technologies that help power the community. Their work has benefited not only Shopify, but Ruby developers everywhere.
Their participation in the Ruby Alliance represents a meaningful investment in the long-term health, resilience, and sustainability of the Ruby ecosystem and the critical infrastructure it depends…
Build a Workflow-Priority Ticket Queue with Rails' in_order_of Array Grouping
rv plan and progress update
This post was originally given as a talk at Rubycon IT 2026. The slides are also available.
It’s been a while since I first talked about rv, a Ruby manager for the future. I’d like to give an update on what we’ve done since then, but I’m going to recap some of that earlier post first to give context for the updates. If you still remember what I said back then, you can jump to the new stuff right away. Either way, I’m excited to update you about the work that we’ve been doing, and show exactly how far we’ve gotten.
bundler isn’t enough
For the last ten years or so of working on Bundler, I’ve had a wish rattling around: I want a bigger, better dependency manager. It doesn’t just manage your…
I’ve always been interested in coding as a craft - a thing to do with your hands, your eyes and your mind. In many ways, I feel that a lot of the satisfaction and accomplishment I get from making software comes from the process itself, the doing of it, and not necessarily the end result. To quote one of my favorite musicians:
Most vagabonds I knowed don’t ever want to find the culprit
That remains the object of their long relentless quest,
The obsession’s in the chasing and not the apprehending,
The pursuit you see and never the arrest.
- Tom Waits, Foreign Affair
This is also one of the reasons why the recent AI “revolution” doesn’t really resonate with me. They say…
CVE-2026-47240 (net-imap): Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument
CVE-2026-47241 (net-imap): Net::IMAP: Denial of Service via incomplete raw argument validation
Hi, it’s Greg, bringing you this week’s changes in the Rails codebase.
Fix increment! with explicit query constraints
This pull request fixes increment! / decrement! on models with query constraints to include every query constraint column in the counter update.
self.class.update_counters(id, attribute => change, touch: touch)
Support a single composite primary key id in delete
This change aligns the class level delete method with destroy and now they both accept a single ID of a composite primary key.
Return an empty array from find([]) on a composite primary key
With this fix, Model.find([]) returns [] for a model with a composite primary key, the same as it does with a single primary…
Introduce a new mechanism for applications to prepare for ractor safety
…
[The lost episode 259] All Right, Rant Time - Debugging
[This episode from February 2024 was never published and recently discovered]
In today’s episode, Andrew kicks things off with a rant about tackling developer experience tasks at Podia, wrestling with GitHub actions, and Heroku deployment woes. Then the conversation takes a turn to the importance of debugging, the power of bash scripting, and the challenges of naming in programming, with Chris mentioning DHH’s insights from a live stream. They discuss Chris’s travel plans for RubyConf in Australia, other conferences coming up, and reminisce about their childhood love for trains and Thomas the Tank Engine. The episode wraps up with Chris and Andrew sharing advice and tips on writing…
How to Leverage PurgeCSS in Your Rails App for Faster Stylesheets
It’s common for Rails applications to serve massive CSS files filled with unused Bootstrap, Tailwind, or custom utility classes as projects grow. This bloat isn’t just a developer annoyance—it has a real impact on your users. Every unused kilobyte adds milliseconds to page load time. In this post, we’ll explore what PurgeCSS is and how your Rails project can benefit from it.
What Is PurgeCSS and Why Should You Care?
PurgeCSS is a tool that analyzes your content and CSS, then removes unused CSS selectors, stripping away dead weight to leave you with lean, optimized stylesheets.
For example, if you’re using the full Bootstrap CSS framework (approximately 200KB) but only utilizing 30% of…
"How many yoga classes are booked today?"
Neeti answered straight away: 23.
It was confident. And it was wrong.
The real number was 62.
This gap is a good place to start, because it says a lot about what it takes to put an AI assistant on top of real production data. Everyone is worried about AI making things up, and that's a real worry. In this case, 23 was a real count of real bookings in some sense. Neeti had simply counted the number of bookings of the first page.
Neeti is an AI assistant we built into NeetoCal. NeetoCal is the most affordable Calendly alternative. This blog is about how Neeti works, how we fixed the above-mentioned bug, and how we made it fast. You don't need to know anything…
JRuby 10.0.6.0 Released
The JRuby community is pleased to announce the release of JRuby 10.0.6.0.
- Homepage: https://www.jruby.org/
- Download: https://www.jruby.org/download
JRuby 10.0.6.x targets Ruby 3.4 compatibility.
Thank you to our contributors this release, you help keep JRuby moving forward! @chadlwilson, @kares, @sampokuokkanen
Notable Changes:
Standard Library
- erb has been updated to 4.0.4.1 to address CVE-2026-41316. (#9389)
- jruby-openssl has been updated to 0.16.0, fixing many long-standing issues with SSLSocket. (#6455, #8935, #9390)
Java Integration
- Performance and consistency improvements for passing a block or proc as the implementation of a Java interface. (#1401, #9401, #9424) …
23 Issues and PRs resolved for 10.0.6.0
Small PRs, big Ruby speedups
#804 — June 11, 2026
Ruby Weekly
📈 Small PRs, Big Speedups: The Ruby Performance Work You Almost Missed — A roundup of recent Ruby performance PRs covering strings, file handling, GC, concurrency, Prism, JITs, and more. It’s a neat snapshot of how much incremental performance work has landed in CRuby in the past year.
Maciej Mensfeld
Stop Juggling 5 Tools to Monitor One Rails App — Errors, performance, logs, uptime, host metrics — AppSignal covers your whole Rails stack. Auto-instruments Active Record, Sidekiq, Puma, and ActionView out of the box. Request-based pricing, unlimited seats. Free 30-day…
AppSignal sponsor
…Performance problems in Rails applications are sneaky. Generally speaking, nobody opens tickets that say “my application is slower than it was last month (about 20%)”. What you do get instead are vague complaints from team members about a p95 latency that is climbing every week or a background job that used to take 2 seconds now taking 40 seconds to finish.
Nine times out of ten, the problem is going to be a query that used to be fast, and now it’s not. When that query was first written, it had 500 records in the table. Now, it’s got 500K records, and it’s running a full table scan on every page load. Each new row means slightly more scan time and latency. This increase in time continues…
Recently, we had a crash in our NeetoCRM application.

As we can see in the screenshot, it looks like the error happened in neeto-widget-replay.js file.
At Neeto we have built an internal tool called NeetoReplay which captures users' activities in the browser. This helps us in debugging when users contact us for support or in investigating bugs. This is built on top of rrweb. Just want to add that admins of the workspace can completely opt out of NeetoReplay.
We had not changed anything in NeetoReplay for a while, so the error happening in NeetoReplay was perplexing. Upon investigation, I found that the console indeed pointed to the neeto-widget-replay.js file. But I also knew that the filename only…
Strengthening Security for the Ruby Ecosystem: A Team of Security Engineers in Residence

We’re excited to announce that Ruby Central has been awarded a grant from Alpha-Omega to help improve the security of the Ruby open source ecosystem. With this support, Ruby Central is funding a team of Security Engineers in Residence to find real vulnerabilities in the gems the community depends on most, verify them, and bring maintainers reports worth their time.
The same AI tooling that helps developers ship faster has made finding vulnerabilities cheap. An attacker can act on a raw signal the moment a tool surfaces it. A responsible reporter cannot. Someone has to confirm the vulnerability is real, work out what it means in practice, and decide it is worth a maintainer's time. That work…

As part of our recent bylaw modernization, the Ruby Central Board has been exploring new ways to increase participation across the Ruby ecosystem while maintaining the accountability required to effectively operate a nonprofit organization.
Our goal in 2026 is to create more opportunities for contributors, community members, sponsors, and ecosystem leaders to help shape Ruby Central's future while preserving the Board's responsibility for stewarding the organization. And to do this as quickly as possible.
Ruby Central governs its own suite of voluntary programs, infrastructure, education, and initiatives that support the Ruby ecosystem. It does not govern the Ruby language itself.
Guiding…
There's a moment at every RubyConf that we quietly look forward to: the smell of fresh coffee drifting through the venue as attendees start their mornings, and the sight of a room full of name badges swaying from lanyards as people connect, collaborate, and find their people. For years, that moment has been made possible by GitLab.
GitLab has been a steadfast supporter of the Ruby community as both our coffee sponsor and name badge lanyard sponsor, and we don't take that for granted. Sponsorships like these are easy to overlook; they don't come with a keynote slot or a giant booth, but they are woven into the fabric of the conference experience in ways that matter deeply.
Every cup of coffee…
Rachael interviews the new host of the show, David Hill, to discuss his history with Ruby, his love for podcasting, and how much he loves meetups and conferences.
The Hidden DSL Inside Every Rails Model
June 10, 2026
Most Rails developers use belongs_to, has_many, scope, and validates every day. We type them almost without thinking.
class User < ApplicationRecord
  belongs_to :company
  validates :email, presence: true
  scope :active, -> { where(active: true) }
end
But here's something interesting: None of those are Ruby keywords. …
4.0.14 Released
RubyGems 4.0.14 includes enhancements and Bundler 4.0.14 includes bug fixes.
To update to the latest RubyGems you can run:
gem update --system [--pre]
To update to the latest Bundler you can run:
gem install bundler [--pre]
bundle update --bundler=4.0.14
RubyGems Release Notes
Enhancements:
- Add executables and bindir validation to the gem installer. Pull request #9595 by hsbt
- Strip C1 control characters from displayed gem text. Pull request #9597 by hsbt
- Installs bundler 4.0.14 as a default gem.
Bundler Release Notes
Bug fixes:
- Preserve per-source cooldown when converging sources from the lockfile. Pull request #9601 by bryanwoods
- Don’t exclude the locked version…
Manual Installation
To install RubyGems…
GHSA-pp92-crg2-gfv9 (oauth2): Protocol-relative redirect Location overrides authority in OAuth2::Client#request, leaking bearer Authorization to attacker host
GHSA-prq8-7wvh-44qh (oauth): Cross-origin OAuth token-request redirects can expose signed request metadata
Passenger 6.1.5

Version 6.1.5 of the Passenger application server has been released. This release contains no changes and addresses an ABI break in Ubuntu's Nginx packages.
Installing 6.1.5
Please see the installation guide for advice on getting started with Passenger. Coming from a language other than Ruby, Python, Meteor or Node? Even if we didn't write a specific tutorial for your language, we made a generic guide that shows you the steps.
Upgrading to 6.1.5
We strongly advise staying up to date with the latest version.
Check out our upgrade guides for the different platforms:
Please be aware that you can enjoy enterprise features and sponsor the open…
RubyLLM 1.16: Concurrent Tool Execution, Rails-Style Instrumentation, and api_base for Every Provider
When you first reach for an LLM library, the only question is whether it works. Can it call the model, parse the response, run a tool. Once your app is actually in production, the questions change. Is it fast? Can I see what it’s doing when something goes wrong? Can I send its traffic through my own infrastructure instead of straight out to the provider?
I released RubyLLM 1.16 today. It answers these production questions.
The three headline features are about speed, visibility, and control: tools that run concurrently, structured events for everything RubyLLM does, and a configurable base URL for every native provider. None of them change how you write your app. All of them matter the…

A designer and an engineer shipped a production MVP in four weeks on Rails + Inertia. In this post, we share our agentic coding stack, the skills we built, and why it clicked.
We shipped a full production MVP in 4 weeks with a team of two Martians: a designer and an engineer. In this post, we're sharing the experience, lessons learned, the open source skills we developed, and why Rails + Inertia is now our go-to stack for agentic coding.
How to Leverage PurgeCSS in Your Rails App for Faster Stylesheets
It’s common for Rails applications to serve massive CSS files filled with unused Bootstrap, Tailwind, or custom utility classes as projects grow. This bloat isn’t just a developer annoyance—it has a real impact on your users. Every unused kilobyte adds milliseconds to page load time. In this post, we’ll explore what PurgeCSS is and how your Rails project can benefit from it.
What Is PurgeCSS and Why Should You Care?
PurgeCSS is a tool that analyzes your content and CSS, then removes unused CSS selectors, stripping away dead weight to leave you with lean, optimized stylesheets.
For example, if you’re using the full Bootstrap CSS framework (approximately 200KB) but only utilizing 30% of…
How I Think About Tests: Skips
If you’ve ever written a test for your code, you’re probably familiar with
typical test framework methods: test/it to define test cases, and
assert/expect to make assertions about the behavior of your code.
However, I want to highlight a less commonly used method: in other languages or
frameworks it goes by other names, but in Ruby’s minitest it’s called skip.
In this post, I’ll cover what skip does, when it may be useful, and, most
importantly, when you should probably use something else.
Just skip to the good stuff
Okay, so what does skip do? Put simply, it allows you to not run a test.
More concretely: in minitest, none of the test code after skip is run, an
S will be printed…
JRuby 9.4.15.0 Released
The JRuby community is pleased to announce the release of JRuby 9.4.15.0.
- Homepage: https://www.jruby.org/
- Download: https://www.jruby.org/download
JRuby 9.4.15.x targets Ruby 3.1 compatibility.
Thank you to our contributors this release, you help keep JRuby moving forward!
With this release, JRuby 9.4 moves into end-of-life (“EOL”). This means that future releases of 9.4.x will only be provided as needed by commercial JRuby users.
Get in touch with us if you require long-term support options for the JRuby 9.4.x series.
38 Issues and PRs resolved for 9.4.15.0
Continuations 2026/23: En fuego
I’ve well and truly entered release prep mode. Lots of stuff done this week, and I expect about another week or so until I can get a release candidate out the door.
My most notable accomplishment this week was writing overviews of two big features that will be landing soon: Previewing mailers in Hanami 3.0 and Previewing i18n integration in Hanami 3.0. I hope these will help our users kick the tyres — let me know how you go, I’m keen for feedback!
I upgraded decafsucks to the latest Hanami main branches and discovered that our default component memoization conflicted with the container stubbing I was using in the app. So to preserve that functionality, I disabled container memoization…
For a brief…
June 7, 2026 When Ruby receives a method call, it follows a well-defined search path to determine where that method is implemented. Most developers learn inheritance early, but fewer take the time to understand the complete method lookup path, also known as the ancestor chain. Understanding this mechanism can make debugging easier, clarify how Rails … Continue reading Ruby’s Ancestor Chain: Why prepend Cuts the Line
Polling for New Records
In the last year or so I’ve been working on UringMachine, a Ruby gem for doing I/O with io_uring, and I’ve been reporting on my progress on my website, as part of my grant work for the Ruby Association.
A Quick Recap
Here’s a quick recap of what UringMachine does: UringMachine provides a low-level API for performing I/O operations using io_uring, which is an interface for performing I/O operations asynchronously on recent Linux kernels.
UringMachine also provides a Fiber Scheduler implementation that allows it to integrate nicely with the rest of the Ruby ecosystem and be used in any Ruby application that supports fiber concurrency.
In my work on this project I’ve been looking to find…
CVE-2026-44476 (doorkeeper-openid_connect): Dynamic Client Registration feature creates public clients with client_secret
Hi, it’s Claudio. Let’s explore this week’s changes in the Rails codebase.
The revamped Active Job guide is live
Check out the new Active Jobs Basics guide to learn everything about background jobs in Rails, from Solid Queue to bulk enqueueing, from testing to debugging.
The API-only guide is ready for community review
Using Rails for API-only applications? Leave your feedback on this PR which is bound to update the existing API-only guide.
Update Active Storage for ImageProcessing 2.0
The new version requires adding ruby-vips and/or mini_magick gems to the Gemfile and blocks untrusted formats by default on libvips 8.13+ (BPM, PSD and ICO among others).

Since our last Board message that announced the launch of Steering Committees and making an open call for volunteer leadership, we have spent a significant amount of time discussing the future of our organization.
Those conversations covered sustainability, governance, infrastructure stewardship, community participation, membership, sponsorship, and the role Ruby Central should play in supporting the Ruby ecosystem for years to come.
As those discussions evolved, it became clear that our bylaws no longer reflected how Ruby Central operates today, nor how we want it to operate in the future.
Many of the governing documents that served Ruby Central well in the past were written for a smaller…
Siri doesn’t understand Argentinian Spanish. I have to pronounce some words in a neutral accent, which sounds weird here, and my toddlers learn it as local, or write them out, navigating the awkward iOS cursor, or tap each letter and then correct typos. I use calendar, timers, notes, and reminders as anyone else, and I’ve been a “tech person” since my early years.
So I was surprised by my own surprise when Fede, my brother-in-law, repeated my ask to his Telegram agent: “remind me to pick up the kids at 11:30”. Well that was simple, and it wouldn’t rely on our memory. He didn’t write or pronounce how Siri expects, he just said my words to his phone. I’ve long wanted to schedule calendar…
Normally I just fire off a tweet when I spot a nice performance PR landing in Ruby. Lately I've been catching up on a backlog of Ruby performance work I'd bookmarked and never gotten around to - so some of what's below isn't brand new, with a few PRs dating back to 2025. There were so many of them - some headline-grabbing, some small but delightfully clever - that a thread won't cut it. So here's a roundup instead, both the recent landings and the ones I'm late to.
A few ground rules: every PR below ships a concrete benchmark number, so when I say "Nx faster" it's the author's own measurement, not vibes. Numbers come from different machines and workloads, so treat them as "here's the win on…
Revise Auth and Podcasting Plans
Chris and David cover a lot of ground in this episode, starting with Chris’s experience teaching a Rails workshop for Frontend Masters in Minneapolis. Along the way, they dive deep into Rails authentication, Devise, Authlogic migrations, Chris’s ReviseAuth gem, password security, session handling, and the hard tradeoffs of maintaining open source tools. The episode wraps with big podcasting news: David is taking over The Ruby on Rails Podcast! Hit download now to hear more!
Links
- Judoscale - Remote Ruby listener gift
- Minnebar
- Ruby 4.0.5 Released
- ReviseAuth
- The Ruby on Rails Podcast
A quick look at new rate-limiter features in the upcoming Rails version.
#803 — June 4, 2026
Ruby Weekly
Cool Down Before You Install: Give New Gems a Few Days to Be Vetted — A compromised account can ship a malicious gem and your next bundle install can pull it within minutes. Bundler 4.0.13, released yesterday, provides an opt-in 'cooldown' to hold back releases until they've 'aged' a few days. Meanwhile, bundle outdated shows what’s waiting and for how long.
Hiroshi Shibata (RubyGems)
What Is Legacy Software in the Age of AI? — Software becomes legacy by succeeding long enough to accumulate the weight of every decision and shortcut made along the way. AI creates speed,…
I build quite a few sites. For my own products or I help others. Since I released Perron that is my go-to static site generator now. But it was missing one feature for a speedy development cycle: live reload. Not just a page refresh, but more like hot reloading.
Most live reload solutions either require ActionCable (overkill when using Perron) or just do full-page reloads (annoying/too minimal). I wanted something in between.
Meet Mata: a lightweight live reload solution for Rack apps. It uses Server-Sent Events (SSE) and idiomorph.
You can install Mata simply by running bundle add mata --group=development. Then configure the middleware with watch and skip paths. That’s it. No JavaScript…
RubyGems.org is the quiet backbone of the Ruby world. It processes over 1,500 gem requests per second, serves billions of downloads every month, and keeps the tools developers rely on available, secure, and free. It's the kind of infrastructure you only notice when something goes wrong. Which, thanks to supporters like 84codes, it rarely does.
84codes has long believed that great developer tools deserve to be sustained. As a company built around making infrastructure invisible, whether through CloudAMQP (their managed service) or LavinMQ (their open-source message broker), 84codes knows firsthand how much trust gets placed in shared services every single day. Supporting RubyGems.org isn't a…
4.0.13 Released
RubyGems 4.0.13 includes enhancements and Bundler 4.0.13 includes enhancements, bug fixes and security.
To update to the latest RubyGems you can run:
gem update --system [--pre]
To update to the latest Bundler you can run:
gem install bundler [--pre]
bundle update --bundler=4.0.13
RubyGems Release Notes
Enhancements:
- Prevent extraction from escaping destination_dir via pre-existing symlinks. Pull request #9493 by thesmartshadow
- Close stdin immediately when using popen2e. Pull request #9540 by rwstauner
- Fallback to copy symlinks on Windows. Pull request #9296 by larskanis
- Installs bundler 4.0.13 as a default gem.
Bundler Release Notes
Enhancements:
- Do not hard-code…
Most supply-chain attacks against RubyGems exploit a narrow window: an account is compromised, a malicious version ships, and any bundle install in the minutes that follow resolves straight to it. Bundler 4.0.13 introduces cooldown, a time-based filter that refuses to resolve to a version until it has been public for at least N days. Releases too new to have been scrutinized are passed over in favor of ones that have aged past the window.
The feature was designed in the open, drawing on how other ecosystems approach the same problem. It is opt-in, and complements rather than replaces existing defenses like mandatory 2FA and trusted publishing.
Cooldown reads the per-version created_at…
CVE-2026-54171 (excon): redact additional sensitive/risky headers when following redirects
Imagine this scenario: a developer added a pub/sub gem built on top of Sidekiq to handle background event broadcasting in your company’s Rails app. At the time, it was a huge win: instead of building a custom job orchestration system, they could drop in the gem, wire up a few events, and ship a feature in days instead of weeks.
Fast forward a few years: Sidekiq needed an update. You find out the gem wasn’t actively maintained anymore. But by then, the entire application depended on it. Core features like sending notifications, syncing with third-party APIs, and triggering billing logic all ran through this pub/sub layer.
Now you face a painful choice: either keep running on an…
The Agile Process
This post walks the whole Agile process: why it needs structure, the four nested loops it runs on, and a single example traced from a raw idea down to buildable stories.
Contents
- Why process?
- The process on one picture
- Four nested loops
- The planning cycle is a tree
- The six stages
- Example for a cleaning business
Why process?
It is tempting to jump straight to coding: we know what we want, and we’ll…
For The Agile Process I recreated the cohesive cycle figure from LaunchSchool’s Process Overview: four feedback loops drawn as rings, where each loop opens into the next.
What I compared
| Tool | Circular layout? | Why it did not work |
| --- | --- | --- |
| Mermaid | No | Ranked straight lines, no radial layout; needs a runtime CDN script |
| PlantUML | No | Renders through Graphviz dot, same straight lines; needs Java and a render step |
| Graphviz circo | Partly | One ring is great; four chained rings cascade in a line, and closing the loop merges all nodes into one giant ring |
| Custom Python + SVG | … | |

Passenger 6.1.4

Version 6.1.4 of the Passenger application server has been released. This release bumps the version of the builtin Nginx engine used in Standalone mode and adds prebuilt binaries for ruby 4.0.5.
Updates & improvements
- [Nginx] Upgrades preferred Nginx to 1.30.2 from 1.30.1.
- Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- ccache: 4.13.4 -> 4.13.6
- cmake: 4.3.2 -> 4.3.3
- gnupg: 2.5.19 -> 2.5.20
- libgpg_error: 1.60 -> 1.61
- libksba: 1.6.8 -> 1.8.0
- rubygems: 4.0.10 -> 4.0.12
- rubies:
- 4.0.3 -> 4.0.5
Installing 6.1.4
Please see the installation guide for advice on getting started with Passenger. Coming from a language other than Ruby, Python, Meteor or Node? Even if we…
Welcome Back, Typesense!
Two years in a row, we love to see it. A huge thank you to Jason Bosco and the Typesense team for coming back and continuing to invest in this community. It genuinely means a lot to us.
You might not know their name yet, but trust me you're about to. Typesense is an open-source search engine that's blazing fast, typo-tolerant, and actually a joy to work with. Think of it as everything you wished Algolia was (including open source), without the Elasticsearch therapy bills. They're self-funded and building for developers, not investors, and it shows in every line of their docs.
Oh, and one more thing: Typesense is your WiFi sponsor this year. That's right every Slack message you send from the…
Sally and Joël get technical as they lay out their thoughts on blog posts.
Our hosts pick apart what makes a good technical blog post, why consistent terms are more important than you might think when communicating with your audience, and how to improve your own writing to ensure your reader remains engaged.
—
There’s still time to secure your place at thoughtbot’s upcoming UK meet ups over the next month.
London Tech Leader Meetup - Tuesday June 23rd
Brighton Tech Leader Meetup - Wednesday June 24th
Brighton Ruby - Thursday June 25th
Evolve - Friday June 26th
Your hosts for this episode have been thoughtbot’s own Joël Quenneville and Sally Hall.
If you would like to…
Frequently Played June 2026
Frequently Played
I tend to listen to the same songs or albums on repeat that are evocative of how I’m feeling or what’s going on with me. Here is what I’m currently listening to over, and over, and over, and over, again.
Not Bad For New Jersey
A signature Tele AND two new tunes from Brian? Yes, please.
I can’t say I had a good time
But after all this crazy, I think we did alright
Make You Feel My Love
Thanks to K-Pop Demon Hunters, my daughter assumes any song lyrics she doesn’t understand are in Korean. But sometimes I get to say no, that’s just Bob Dylan singing.
The storms are raging on the rolling sea
And on the highway of regret
The winds of change are blowing wild…
The Original Sin, the Scorpion, and Local AI June 1, 2026 For the last few weeks, I have been experimenting with local AI models to help me develop and maintain Ruby projects. … Continue reading The Original Sin, the Scorpion, and Local AI
I went on Code with Jason for the second time. Jason and I got into the Fireside acquisition, how to actually find and finance a business to buy, why support is a product, and where I think developer tools are headed in the AI era.
Some of the highlights:
Why I Bought Fireside. Complete happenstance. I was already paying Garrett Dimon to push Flipper forward, and Garrett had worked on Fireside for Dan Benjamin back in the day. Dan had lost interest and was trying to sell, but it was too big for the small players and too small for the big ones. The math was simple: if I bought it, the profit could pay for Garrett to work on both Fireside and Flipper instead of it coming out of my pocket every…
This week I got the last big piece done before we can make the next Hanami release. Mailers now fully integrate into Hanami apps, with zero necessary boilerplate, just like all our other essential components.
This integration piece was the first real usage test of Hanami Mailer itself, and it drove a couple little improvements: keeping test delivery state at the instance-level, and allowing for a configurable view class for each mailer.
With that done, there’s not a whole lot left before we can ship a release candidate! I’m hoping to get to that in the next ~7-10 days. I want to get some decent docs sorted first, so folks can easily test out all the new things.
With release prep in…
Proactive Engineering
Proactive engineering is the practice — and rigor — of staying atop new technologies, designs, and changes in order to keep your software stack healthy, minimize risks, and keep technical debt low. This allows you to build a healthy team and well maintained code base that is a joy to work with.
Proactive engineering is also the exact opposite of reactive engineering (a.k.a. move fast and break things). The problem is most teams don’t have this kind of rigor. They work in a constant state of fire fighting, dealing with on-call issues, bombarded with interrupts, and/or sheer neglect. The goal is to get you into a healthy state in which you have time for Deep Work…
Turning Years of Ruby Knowledge Into a Local Coding Assistant June 1, 2026 Introduction Over the years, most Ruby developers accumulate a vast amount of knowledge. Not just source code, but articles, documentation, experiments, bug fixes, pull requests, design decisions, and lessons learned from maintaining production systems. The problem is that this knowledge often remains … Continue reading Turning Years of Ruby Knowledge Into a Local Coding Assistant

