1. 15

  2. 4

    I'm still confused why a (largely) CSS library that's written in SCSS has any Ruby (or Python or anything) included?

    It's not like it's Less - there are heaps of language bindings to SCSS, and even a standalone CLI tool written in C that will parse and compile the final CSS.

    1. 1

      I thought that rubygems had a signature mechanism that would make this kind of attack way harder in practice.

      1. 1

        It doesn't, but there may be some companies willing to build the infrastructure for it: https://github.com/rubygems/rubygems.org/issues/1943#issuecomment-480237013 (https://dependabot.com)

        1. 1

          Oops, can't edit my comment, but you are right, there is a signing option, not that it's used very much as far as I know: https://guides.rubygems.org/security/
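
          The signing flow the linked RubyGems security guide describes (a maintainer cert, a signature over the package, and an installer trust policy that rejects unknown signers), modelled directly with OpenSSL so it runs offline. This is an added example, not code from the thread, from RubyGems, or from any gem mentioned here; the certificate names, the payload bytes and the "injected line" are constructed, and the `verify_package` policy is a simplification of what `gem install --trust-policy HighSecurity` actually enforces.

```ruby
require "openssl"

# Added example: a minimal model of cert-based gem signing and a
# HighSecurity-style install check, written against OpenSSL so it runs
# without rubygems.org. Not RubyGems' own implementation.
module GemSigDemo
  module_function

  # A signer identity: RSA key plus a self-signed X.509 cert, which is what
  # `gem cert --build` produces. Names here are made up.
  def make_identity(cn)
    key = OpenSSL::PKey::RSA.new(2048)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = rand(1 << 62)
    cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
    cert.issuer = cert.subject
    cert.public_key = key.public_key
    cert.not_before = Time.now - 60
    cert.not_after = Time.now + 365 * 24 * 3600
    cert.sign(key, OpenSSL::Digest.new("SHA256"))
    { key: key, cert: cert }
  end

  # "Publish": sign the package bytes with the maintainer key and ship the
  # signature and cert alongside the data.
  def sign_package(identity, data)
    sig = identity[:key].sign(OpenSSL::Digest.new("SHA256"), data)
    { data: data, signature: sig, cert: identity[:cert] }
  end

  # "Install" under a strict policy: the signing cert must already be in the
  # local trust store AND the signature must verify over the exact bytes.
  # Returns [ok?, reason].
  def verify_package(pkg, trusted_certs)
    trusted = trusted_certs.any? { |c| c.to_der == pkg[:cert].to_der }
    return [false, "untrusted signer"] unless trusted

    ok = pkg[:cert].public_key.verify(OpenSSL::Digest.new("SHA256"),
                                      pkg[:signature], pkg[:data])
    ok ? [true, "ok"] : [false, "bad signature"]
  end

  # Three scenarios: a legitimate release, a release whose contents were
  # changed by someone holding only the publish credential (no signing key),
  # and one the attacker re-signed with their own cert. All data constructed.
  def run_scenarios
    maintainer = make_identity("maintainer@example.invalid")
    attacker   = make_identity("attacker@example.invalid")
    trust_store = [maintainer[:cert]]   # what the installer was told to trust
    payload = "constructed gem payload: lib/example.rb\n"

    legit    = sign_package(maintainer, payload)
    tampered = legit.merge(data: payload + "# injected line\n")
    resigned = sign_package(attacker, tampered[:data])

    {
      legit:    verify_package(legit, trust_store),
      tampered: verify_package(tampered, trust_store),
      resigned: verify_package(resigned, trust_store)
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  GemSigDemo.run_scenarios.each { |name, (ok, why)| puts "#{name}: #{ok} (#{why})" }
end
```

          The point the check makes is that a stolen rubygems.org credential lets an attacker push a release but not produce a signature the maintainer's cert verifies, and a fresh self-signed cert fails the trust-store check. The weak spot is the default: with no trust policy set, the installer never runs this check at all.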

        2. 1

          I know this has been discussed a lot, but this is the perspective from the person who found the vulnerability, which I find quite insightful (e.g. why was the gem yanked? why no version on github? why no mention of the new version anywhere? etc.)