
graphql-smart_select
A plugin for graphql-ruby that selects from the database only the columns a query actually needs.
Add this line to your application's Gemfile:
gem 'graphql-smart_select'
Consider the following query:
query {
posts {
id
title
}
}
The Ruby type that serves this query (the field is a list of posts, so its type is [Types::Post]):
module GraphqlAPI
  module Types
    class Query < GraphQL::Schema::Object
      field :posts, [Types::Post], null: false

      def posts
        Post.all
      end
    end
  end
end
By default this runs SELECT * FROM posts, but the query only needs id and title.
For tables with many columns, fetching everything has a measurable performance cost.
Let's use our plugin:
module GraphqlAPI
  module Types
    class Query < GraphQL::Schema::Object
      # use the plugin for all fields of this type
      field_class.prepend(GraphQL::SmartSelect)

      # activate the plugin for this field
      field :posts, [Types::Post], null: false, smart_select: true

      # Alternatively, explicitly list columns that are always added
      # to the SELECT in addition to the ones the query asks for:
      # field :posts, [Types::Post], null: false, smart_select: [:id]

      def posts
        Post.all
      end
    end

    class Post < GraphQL::Schema::Object
      field_class.prepend(GraphQL::SmartSelect)

      field :id, ID
      field :title, String
      field :raw_content, String
      field :another_content, String

      # Tell the plugin which columns this computed field needs
      # so that its resolver can run
      field :contents, String, db_columns: [:raw_content, :another_content]

      # For a one-to-one AR association (belongs_to :user) the plugin
      # includes the foreign key (user_id)
      field :user, Types::User

      # For a has_many AR association the plugin includes the primary key
      field :comments, [Types::Comment]

      def contents
        [object.raw_content, object.another_content].join
      end
    end
  end
end
For this example query:
query {
posts {
title
contents
user { name }
comments { id }
}
}
the plugin issues the following query:
SELECT id, title, raw_content, another_content, user_id FROM posts
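The column-selection rule described above (plain columns, db_columns for computed fields, the foreign key for a one-to-one association, the primary key for a has_many, plus an optional always-included list as with smart_select: [:id]) can be modelled in a few lines of plain Ruby. The block below is an added example and is not graphql-smart_select's own code; it uses no graphql-ruby or ActiveRecord so that it runs stand-alone. POST_FIELD_MAP, smart_select_columns and select_sql are hypothetical names introduced here, and the field map is a hand-written mirror of the Types::Post definition above. The identifier check in select_sql is an extra precaution of this example: column names must always come from the server-side schema map, never from the client's query text, and an allow-list regex on identifiers makes that hard to get wrong even if the map is later built dynamically.

```ruby
# Added example (not part of graphql-smart_select): a pure-Ruby model of the
# column-selection rule described in the README. Runs without graphql-ruby
# or ActiveRecord. POST_FIELD_MAP, smart_select_columns and select_sql are
# hypothetical names used only in this example.
require 'set'

# What each GraphQL field of the Post type needs from the posts table.
# Hand-written to mirror the Types::Post definition shown above.
POST_FIELD_MAP = {
  'id'              => { column: 'id' },
  'title'           => { column: 'title' },
  'raw_content'     => { column: 'raw_content' },
  'another_content' => { column: 'another_content' },
  # computed field: db_columns: [:raw_content, :another_content]
  'contents'        => { db_columns: %w[raw_content another_content] },
  # one-to-one association (belongs_to :user): needs the foreign key on posts
  'user'            => { association: :belongs_to, foreign_key: 'user_id' },
  # has_many :comments: needs the posts primary key to load the children
  'comments'        => { association: :has_many },
}.freeze

PRIMARY_KEY = 'id'.freeze

# Conservative allow-list for SQL identifiers (table and column names).
IDENT = /\A[a-z_][a-z0-9_]*\z/

# Given the field names a GraphQL query selected on the Post type, return the
# database columns the resolvers need. `always:` plays the role of the
# explicit smart_select: [:id] list. Unknown fields are rejected rather than
# silently passed through, so a client cannot smuggle arbitrary names in.
def smart_select_columns(selected_fields, field_map, always: [])
  cols = Set.new(always.map(&:to_s))
  selected_fields.each do |name|
    spec = field_map.fetch(name.to_s) do
      raise ArgumentError, "unknown field #{name.inspect}"
    end
    if spec[:column]
      cols << spec[:column]
    elsif spec[:db_columns]
      cols.merge(spec[:db_columns])
    elsif spec[:association] == :belongs_to
      cols << spec[:foreign_key]
    elsif spec[:association] == :has_many
      cols << PRIMARY_KEY
    end
  end
  cols.to_a
end

# Build the SELECT statement, refusing any identifier outside the allow-list.
def select_sql(table, columns)
  ([table] + columns).each do |ident|
    raise ArgumentError, "unsafe identifier #{ident.inspect}" unless ident.match?(IDENT)
  end
  quoted = columns.map { |c| %("#{c}") }.join(', ')
  %(SELECT #{quoted} FROM "#{table}")
end

if __FILE__ == $PROGRAM_NAME
  # Selection set of the README's example query on posts
  requested = %w[title contents user comments]
  puts select_sql('posts', smart_select_columns(requested, POST_FIELD_MAP))
  # Equivalent of smart_select: [:id] for a query that only asks for title
  puts select_sql('posts', smart_select_columns(%w[title], POST_FIELD_MAP, always: [:id]))
end
```

Running the file prints the same column set the README lists for the example query (order follows the selection set, with the primary key added by the comments field), and a second SELECT restricted to id and title.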
graphql-ruby's custom Resolver classes are not supported.
Tested against ActiveRecord versions >= 4.2.
For regression testing against every supported ActiveRecord version, run:
# install the Appraisals dependencies
bundle exec appraisal install
# run the test suite against each dependency set listed in the Appraisals file
bundle exec appraisal rake spec
The gem is available as open source under the terms of the MIT License.
Socket notes that graphql-smart_select shows an unhealthy release cadence and project activity: the last version was released a year ago, and the project has a single open source maintainer.