James Adam @james@ruby.social

Wish Ruby had a String#each_sub method that returned each string with each matching substring replaced, individually

"A1A2A3".each_sub('A','X')
# => ["X1A2A3", "A1X2A3", "A1A2X3"]

Or String#all_indexes(substring) or String#all_matches(regexp) methods to find all occurrences of a substring or regexp.

Having some fun with Ruby https://jsrn.net/questionable-ruby

Hi everyone!
It's time for a belated #introduction :)
I'm Judith, living in the south of Germany and I love photography, forests, building things (mostly on the web), and ruby.
I'm also an introvert and not used to posting on social media because I dislike all the tracking and analysis of data. But mastodon is different, so I'm hoping to find like-minded people here and good conversations about software development, linux, ruby, ...
Maybe also I'm going to post a picture or two. Let's see.

So what's the state of VSCode Intellisense, but for ruby gems? Can it automatically scan the RI index of all installed gems, or do projects have to generate their own API index file for VSCode?

RT @euruko@twitter.com

We're now accepting applications for diversity/scholarship tickets! These are mostly virtual tickets but we do also have some in-person tickets available too. (1/3) https://2022.euruko.org/tickets/

🐦🔗: https://twitter.com/euruko/status/1527619869361029120

It's only fitting that Bridgetown, which is open source, have a presence on ruby.social, which uses an open sourse platform written in Ruby (Mastodon ). Rubies all the way down! 😁

We were still learning about the security issue for rubygems when yet another vulnerability was discovered: CVE-2022-29218

https://github.com/rubygems/rubygems.org/security/advisories/GHSA-2jmx-8mh8-pm8w

This time Maciel also got another excellent piece of Impact Analysis:

https://www.whitesourcesoftware.com/resources/blog/impact-analysis-cve-2022-29218-allows-unauthorized-takeover-of-new-gem-versions-via-cache-poisoning/

But big Mensfeld didn't stop there, he actually created a tool (a gem in the whole extent of the word) to help you figure out if your bundle was compromised:

https://rubygems.org/gems/bundler-integrity

Please boost this toot for visibility.

I often hear that the increased hosting costs associated with Ruby on Rails' larger than average footprint is more than offset by the increased dev productivity. It follows that Rails salaries being pretty high at the moment is offset by being able to maintain a smaller, more productive team.

Does anyone know of any case studies where someone's actually done the numbers on that?

It "feels right" to me, but I'd be interested to read other's experiences.

Finally a writeup for the http://rubygems.org vuln, CVE-2022-29176. Such a simple mistake. I feel like the take away lessons are:

1. do not query/trust composite columns. Query individual columns.
2. do not trust arbitrary user Strings.

https://greg.molnar.io/blog/rubygems-cve-2022-29176/
#ruby #infosec

P.S.A: Rails have released a new version fixing some issues added on the last security release.

https://rubyonrails.org/2022/5/9/Rails-7-0-3-6-1-6-6-0-5-and-5-2-8-have-been-released

The new stable versions have been pushed to these

- 7.0.3
- 6.1.6
- 6.0.5
- 5.2.8

These are some of the problems I note in my review:

https://ruby.social/@esparta/108211719637031175

As usual, it's recommended to test thoughtfully on your staging environments before proceeding to deploy to production.

In a code review i suggested extracting a well named function. They replied that it does not add any value to introduce a new function. They're right in the worst way, the computer doesn't care and they don't value the readers.

Do you have suggestions on how to respond to that?

RT @RubyInside@twitter.com

What Do You Think of 'Scoped Gems'? https://github.com/rubygems/rfcs/pull/40

🐦🔗: https://twitter.com/RubyInside/status/1521866493826375682