Security News
Follow-up and Clarification on Recent Malicious Ruby Gems Campaign
A clarification on our recent research investigating 60 malicious Ruby gems.
By Sarah Gooding - Aug 22, 2025
jruby-lint
JRuby-Lint
See how ready your Ruby code is to run on JRuby.
JRuby-Lint is a simple tool that allows you to check your project code and configuration for common gotchas and issues that might make it difficult to run your code on JRuby.
Usage
JRuby-Lint requires JRuby to run. So, install JRuby first
if you already haven't, then gem install jruby-lint.
Then simply run jrlint in your project to receive a report of
places in your project where you should investigate further.
Checks
Here is a list of the current checks implemented:
- Report usage of ObjectSpace.each_object and ObjectSpace._id2ref which are expensive and disabled by default
- Report usage of Thread.critical, which is discouraged in favor of a plain Mutex.
- Report known gems and libraries that use C extensions and try to provide known alternatives (Live data retrieved from https://github.com/jruby/jruby/wiki/C-Extension-Alternatives).
- Report usage of Kernel#fork (which does not work).
- Report behavior difference when using system('ruby'), which launches the command in-process in a new copy of the interpreter for speed
Reports
JRuby-lint supports text and html reports. Run jrlint with the option --html to generate an html report with the results.
TODO
Here is a list of checks and options we'd like to implement:
- Report on more threading and concurrency issues/antipatterns
- arr.each {|x| arr.delete(x) }
- Try to detect IO/File resource usage without blocks
- Check .gemspec files for extensions and extconf.rb for #create_makefile and warn about compiliing C extensions
- Check whether Rails production.rb contains
config.threadsafe! - Detect ERB files and skip them, or...
- Detect ERB files and pre-process them to Ruby source with Erubis
- Detect Bundler gems that have a
platformsqualifier and ignore "platforms :ruby" - Change to use jruby-parser
- Allow use of a comment marker to suppress individual checks
Further Down the Road
- Arbitrary method/AST search functionality
- Code rewriter: option to change code automatically where it's feasible
- Revive or build an isit.jruby.org site for tracking
- Make JRuby-Lint submit results to tracking site based on lint passes and/or test suite runs
License
JRuby-Lint is Copyright (c) 2007-2013 The JRuby project, and is released under a tri EPL/GPL/LGPL license. You can use it, redistribute it and/or modify it under the terms of the:
Eclipse Public License version 1.0 GNU General Public License version 2 GNU Lesser General Public License version 2.1
See the file LICENSE.txt in distribution for details.
FAQs
Unknown package
We found that jruby-lint demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 21 Mar 2019
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
ESLint Adds Support for Parallel Linting, Closing 10-Year-Old Feature Request
ESLint now supports parallel linting with a new --concurrency flag, delivering major speed gains and closing a 10-year-old feature request.
By Sarah Gooding - Aug 22, 2025
Research
/Security News
Malicious Go Module Disguised as SSH Brute Forcer Exfiltrates Credentials via Telegram
A malicious Go module posing as an SSH brute forcer exfiltrates stolen credentials to a Telegram bot controlled by a Russian-speaking threat actor.
By Kirill Boychenko - Aug 21, 2025