by astrodust 4016 days ago
RubyGems has been lagging behind other packagers like Apt, RPM, NPM, and even newer things like Rust's Cargo. It's woefully overdue for an update.

That being said, there are great services like GemCanary (https://gemcanary.com/) that will read your Gemfile and produce a list of vulnerable packages for you automatically. It'll even email you alerts when there are problems.

The security story in Rails might not be perfect, but at least there's reporting and tools.

Keep pushing for signed packages, though. Long overdue.