I'm still confused why a (largely) CSS library that's written in SCSS has any Ruby (or Python or anything) included?
It’s not like it’s less - there are heaps of language bindings to SCSS, and even a standalone cli tool written in C that will parse and compile the final CSS.
I thought that rubygems had a signature mechanism that would make this kind of attack way harder in practice.
It doesn't, but there may be some companies willing to build the infrastructure for it: https://github.com/rubygems/rubygems.org/issues/1943#issuecomment-480237013 (https://dependabot.com)
Oops, can't edit my comment, but you are right, there is now a signing option, not that it's used very much as far as I know: https://guides.rubygems.org/security/
I know this has been discussed a lot, but this is the perspective from the person who found the vulnerability, which I find quite insightful (e.g. why was the gem yanked? why no version on github? why no mention of the new version anywhere? etc.)