Security News
Sarah Gooding
September 25, 2024
The 2024 Ruby on Rails Community Survey results have been published with insights into the tools, practices, and trends that are shaping the Rails ecosystem. This year’s survey, conducted by Rails agency Planet Argon, had 2,709 Ruby on Rails developers participating, the highest number of responses they have ever received.
The data was published ahead of the annual Rails World conference, which this year celebrates the 20th anniversary of the Rails framework. It offers a bird's-eye view of the ecosystem and highlights a mature developer community, challenges in attracting new talent, and current patterns in open source contribution.
A significant portion of Rails developers have substantial experience. Over 70% have been developing with Rails for 7+ years, and more than half of those surveyed have over 10 years of experience. This is a mature and experienced developer community. The share of respondents declines gradually at each lower experience bracket, and that is where the challenge lies: Rails developers with 0-3 years of experience represent just 14% of the community.
Unlike the Python ecosystem, where 1 in 4 developers is brand new to the language, Rails doesn't have a lot of newcomers. This could indicate that Rails is a well-established framework with a learning curve that deters newcomers, which is one of the reasons the Rails Foundation was formed in 2022, as the announcement of the foundation put it:
On the technical side, we’ve also never stood stronger than we do with Rails 7. The Rails Core Team, together with thousands of contributors, have steered us forward with fixes, enhancements, and improvements in release after release. The code we all depend on is in great condition and under great care.
But after all these years, it’s also become clear that building a strong ecosystem depends on more than just great code. There have never been more options for new web developers than there are today, and if we want to continue to celebrate the success of Rails in another two decades from now, we need to make the best case possible for why someone should come join us. Right now, that case isn’t being made as well as it could be.
With these demographics, it’s no surprise that the Rails community, which emerged in the golden age of the open web, prefers learning via blog posts, guides, and technical documentation.
It would be interesting to see these results segmented by years of experience to determine whether those newer to the Rails community have the same learning preferences as those who have been developing with it for more than a decade. The Rails Foundation is working to deliver educational materials designed for the community's learning strengths, and it may need to offer a different format for the less experienced demographic.
By nearly every measure, Rails is a successful open source project, 20 years running, with widespread adoption and commercial usage still going strong. It’s surprising that the majority of respondents report infrequent contribution to open source.
A few insights from this data:
Infrequent Contributors: A significant portion of respondents (36%) contribute to open source projects rarely or only a few times a year. This suggests that while open source development is valued, it is often a part-time or occasional activity for many developers.
Consistent Contributors: A smaller but dedicated group contributes a few times a month (17%) or annually (10%). This indicates a core group of developers who are actively involved in open-source projects.
Daily Contributors: A small percentage (3%) contribute daily. This suggests the existence of a dedicated subset of developers who are heavily involved in open-source development.
Respondents identified their favorite gems, several of which also appear in the "most frustrating" gems category (rails, rubocop, rspec, devise, etc.). The survey also lists the top 10 most loved gems.
Stimulus.js has experienced a significant rise in popularity in 2024, overtaking React as the most used JavaScript library/framework alongside Rails. This suggests a growing preference for lightweight and unobtrusive frontend solutions. React remains a dominant choice. Other frameworks like Vue.js, Angular.js, and Alpine.js have also maintained a presence, indicating a growing diversity of options for Rails developers.
Just over a fifth of respondents (22%) report that they do not use a JavaScript testing framework. Those who do prefer Jest (22%) and Cypress (16%).
Rails developers use a wide variety of tools to manage their JavaScript dependencies, with yarn (48%), npm (25%), and importmaps (19%) being the most popular, followed by pnpm, bun, and other tools.
Over the years, there has been a general trend toward more frequent deployments of Rails applications, with 37% of respondents reporting that they deploy to production multiple times per day. The percentage of developers deploying multiple times a day has increased significantly since the survey began in 2009, which may reflect growing adoption of continuous delivery and agile development practices. GitHub Actions remains the most popular CI server, followed by CircleCI and GitLab CI.
Participants shared the tools they are using to track security vulnerabilities. This is of particular interest to us at Socket as we will soon be officially launching support for Ruby, enabling developers to automatically detect and block supply chain threats.
In 2024, GitHub Dependabot is the most popular tool for tracking security vulnerabilities among Rails developers, with 41% of respondents using it. Brakeman (31%) and bundle-audit (18%) also continue to be popular choices.
The data suggests that Rails developers are increasingly aware of the importance of security vulnerability tracking and are actively adopting tools to address this need. GitHub Dependabot has emerged as the leading choice, but Brakeman and bundle-audit remain relevant. Note that these tools cover different ground: Dependabot and bundle-audit flag dependency versions with known advisories (bundle-audit checks Gemfile.lock against the ruby-advisory-db), while Brakeman is a static analyzer for the application's own Rails code, so they complement rather than replace one another.
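To make concrete what a lockfile-based check such as bundle-audit actually does, here is an added example in Ruby. It is not bundle-audit's code and not part of the survey; it parses a constructed Gemfile.lock fragment, compares each locked gem against a made-up advisory list (the IDs EXAMPLE-000x and the version ranges are assumptions), and reports gems that satisfy none of the patched ranges. The one thing it shows that the paragraph alone does not is why advisories carry one patched range per maintained branch: a 3.0.9 release is not fixed just because it is newer than 2.2.9.

```ruby
# Added illustration (not bundler-audit's code): compare a Gemfile.lock against
# advisory entries to find gems pinned at unpatched versions.
require "rubygems" # provides Gem::Version and Gem::Requirement

# Constructed Gemfile.lock fragment for illustration; not a real project's lockfile.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (7.0.8)
      nokogiri (1.15.4-x86_64-linux)
      rack (2.2.8)
      rails (7.0.8)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    rails (~> 7.0)
LOCK

# Constructed advisories with made-up IDs and ranges. The patched_versions list
# mirrors the shape of ruby-advisory-db entries: one requirement per maintained
# branch, so a fix in 2.2.x and a fix in 3.0.x are expressed separately.
ADVISORIES = [
  { id: "EXAMPLE-0001", gem: "rack",     patched_versions: ["~> 2.2.9", ">= 3.0.10"] },
  { id: "EXAMPLE-0002", gem: "nokogiri", patched_versions: [">= 1.16.0"] },
  { id: "EXAMPLE-0003", gem: "rails",    patched_versions: [">= 7.0.8"] },
]

# Parse the `specs:` block of a Gemfile.lock into { gem name => Gem::Version }.
# Only top-level entries (4-space indent, "name (version)") are resolved gems;
# deeper-indented lines are their dependency constraints and are skipped.
def parse_lockfile_specs(lockfile)
  specs = {}
  in_specs = false
  lockfile.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
    elsif line.strip.empty?
      in_specs = false
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)/))
      name, raw = m[1], m[2]
      # Platform-specific gems are locked as "1.15.4-x86_64-linux"; drop the suffix.
      specs[name] = Gem::Version.new(raw.split("-").first)
    end
  end
  specs
end

# A version is vulnerable when it satisfies none of the patched ranges. Checking
# every branch matters: 3.0.9 is not fixed just because it is above 2.2.9.
def vulnerable?(version, patched_versions)
  patched_versions.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Return one finding string per advisory that applies to a locked gem.
def audit(lockfile, advisories)
  specs = parse_lockfile_specs(lockfile)
  advisories.each_with_object([]) do |adv, findings|
    version = specs[adv[:gem]]
    next unless version && vulnerable?(version, adv[:patched_versions])
    findings << "#{adv[:id]}: #{adv[:gem]} #{version} is unpatched " \
                "(fixed in #{adv[:patched_versions].join(', ')})"
  end
end

if __FILE__ == $PROGRAM_NAME
  findings = audit(LOCKFILE, ADVISORIES)
  puts(findings.empty? ? "No known vulnerabilities in lockfile" : findings)
end
```

With the constructed inputs, rack 2.2.8 and nokogiri 1.15.4 are reported while rails 7.0.8 is not, since it satisfies its patched range. In a real pipeline the advisory data comes from a regularly updated database rather than a literal, and the check should fail the build on findings, which is what makes it useful as a CI gate alongside Dependabot alerts.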
These are a few of the highlights from the 2024 Ruby on Rails Community Survey Results. The majority of respondents feel the Rails core team is shepherding the project in the right direction (83%) and feel confident security vulnerabilities are being addressed in new Rails releases (93%). For more insights, check out the full survey results on railsdeveloper.com