
A less than freeform way of storing some metadata in git commit objects.
It's a way to store data alongside a git commit object that is less freeform than a message like "Close gh-11" but more freeform than adding extra data structures to the commit object itself.
Because the metadata lives in the commit message, it is also fully readable by anyone looking at the commit through an interface such as git-log or GitHub.
In your git commit message, you just need a few YAML-like lines such as the following:
foo: bar
Signed-Off-By: Me!
Currently the only way of setting this metadata is to write the YAML-like lines by hand in the commit message. The regex I use (a YAML parser is no longer used, for simplicity) captures the run of non-whitespace characters before each colon as the key and the rest of the line as the value. Note that it matches any line containing a colon, so a prose line in the message that happens to contain one (a URL, for instance) is picked up as metadata too.
Dropping YAML means that hierarchical data structures are no longer possible, which makes this easier to use with small amounts of data but harder to use with larger amounts.
If you want to re-implement this in another language, please use the following regular expression to parse the commit messages (we call the git-cat-file utility to retrieve them):
/(\S+):\s*(.+)$/
You can use git-meta get [ sha | ref ] to return all keys and values. [ sha | ref ] can be anything that git-cat-file will understand.
You can also use git-meta get [ sha | ref ] --get foo to return "bar" from the earlier example. It returns an empty string if there is no value for that key.
I am aware that this is open to shenanigans, including something like git-meta get 'HEAD && echo "foo: baz"' (the ref is interpolated into the git-cat-file command, so an unvalidated ref can run arbitrary commands), but really, I don't care. I don't foresee this being used anywhere that would be a problem: I expect it to be used mostly by a person wanting the data, or by a program processing the data with commit SHAs or refs it has derived itself.
I have not yet sorted this out. A fix will come in a compatible release, but I have not yet thought enough about how it will be implemented.
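A worked example of the parsing described above and of the injection caveat, added here as illustration and not taken from the git-meta gem itself. It uses the README's regular expression unchanged, mirrors the --get behaviour of returning an empty string for a missing key, and shows one way to close the shell-injection hole: invoking git-cat-file with an argument vector (so no shell ever sees the ref) and allowlisting the ref before use. The function names, the ref allowlist and the sample commit message are my own assumptions, not the gem's API.

```ruby
require 'open3'

# The README's regex, unchanged: the key is the run of non-whitespace
# before a colon, the value is the rest of the line.
META_LINE = /(\S+):\s*(.+)$/

# Parse "key: value" lines out of a commit message into a Hash.
# A later duplicate of a key overwrites an earlier one.
def parse_meta(message)
  message.each_line.with_object({}) do |line, meta|
    m = META_LINE.match(line.chomp)
    meta[m[1]] = m[2] if m
  end
end

# Mirror `git-meta get <ref> --get <key>`: empty string when the key is absent.
def get_meta(message, key)
  parse_meta(message).fetch(key, "")
end

# Conservative allowlist for refs (assumption, not what the gem does): rejects
# spaces, quotes and shell metacharacters, so 'HEAD && echo "foo: baz"' fails,
# while HEAD, HEAD~2, refs/heads/main and plain SHAs pass. A leading dash is
# refused separately so the ref cannot be read by git as an option.
SAFE_REF = /\A[A-Za-z0-9_.\/~^@{}-]+\z/

def safe_ref?(ref)
  !!(ref =~ SAFE_REF) && !ref.start_with?("-")
end

# Fetch a commit's message body via git-cat-file. Open3.capture2 with an
# argument vector never spawns a shell, so even an unvalidated ref could not
# inject a command; the allowlist is a second, independent layer.
def commit_message(ref)
  raise ArgumentError, "refusing ref #{ref.inspect}" unless safe_ref?(ref)
  out, status = Open3.capture2("git", "cat-file", "commit", ref)
  raise "git cat-file failed for #{ref}" unless status.success?
  # A raw commit object is header lines, a blank line, then the message.
  out.split("\n\n", 2).fetch(1, "")
end

# Constructed sample commit message (not taken from any real repository).
SAMPLE_MESSAGE = <<~MSG
  Add metadata parsing

  foo: bar
  Signed-Off-By: Me!
  See http://example.com/docs for details
MSG

if $PROGRAM_NAME == __FILE__
  p parse_meta(SAMPLE_MESSAGE)
  p get_meta(SAMPLE_MESSAGE, "foo")
  p safe_ref?('HEAD && echo "foo: baz"')
end
```

Running the parser on the sample shows the regex's weak spot: the URL line yields a spurious key "http" with value "//example.com/docs for details", because any line containing a colon is captured. Tools consuming this metadata should either allowlist the keys they expect or keep metadata lines separate from prose in the message.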
Installation is as easy as gem install git-meta (as long as you have gemcutter configured as a gem source).
The only dependencies are shoulda and mocra, both used for testing. I have tried to keep this as lean as possible.
Copyright (c) 2009 Sam Elliott. See LICENSE for details. (MIT Licence)