Details

Summary

The rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json.

Other editors that support workspace setting that get automatically applied upon opening the editor and trusting the workspace are also impacted since the server is the component that performs the interpolation.

Details

The branch CLI argument passed to the ruby-lsp server was interpolated in the generated .ruby-lsp/Gemfile without sanitization. Editors that allow defining settings saved at the workspace level (e.g.: .vscode/settings.json) that gets automatically applied open the possibility to craft a malicious repository that once opened and trusted in the editor would run arbitrary code.

Impact

Code execution with the privileges of the user who opens the malicious project. Ruby LSP assumes workspace code is trusted and so opening the editor on an untrusted workspace can lead to executing potentially dangerous code.

Remediation

The rubyLsp.branch setting has been removed entirely. VS Code extensions auto-update by default, so most users will receive the fix without action. Users who have disabled auto-updates should update to extension version >= 0.10.2.

The branch CLI flag was also entirely removed from the ruby-lsp gem. For users that don't add ruby-lsp to their Gemfiles, the server should auto-update. Users with the ruby-lsp in the Gemfile and locked to a specific version should update to >= 0.26.9.

Severity

• CVSS Score: 7.1 / 10 (High)
• Vector String: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93
• https://github.com/Shopify/ruby-lsp/releases/tag/v0.26.9
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-lsp/CVE-2026-34060.yml
• https://nvd.nist.gov/vuln/detail/CVE-2026-34060
• https://github.com/advisories/GHSA-c4r5-fxqw-vh93

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

v0.26.9

v0.26.9

🐛 Bug Fixes

• Prevent workspace_dependencies failing if directory gets removed during execution (#​3980) by @​vinistock
• Fix semantic token defaultLibrary modifier casing (#​4005) by @​a-lavis
• Fix document links for source comments above sig blocks (#​4018) by @​KaanOzkan

v0.26.8

v0.26.8

🐛 Bug Fixes

• Fix send_log_message ignoring type parameter (#​3969) by @​vinistock
• Properly reset state after leaving a regex capture (#​3970) by @​vinistock
• Clean up cancelled requests after processing them (#​3971) by @​vinistock
• Apply lower bound ruby-lsp version constraint in composed bundle (#​3985) by @​st0012
• Ensure the original CLI arguments are used when updating (#​3986) by @​vinistock
• Ensure bundle is re-composed when CLI arguments change (#​3987) by @​vinistock

📦 Other Changes

• Start accepting --beta flag to install beta server version (#​3976) by @​vinistock

v0.26.7

v0.26.7

🐛 Bug Fixes

• Skip disable line action for self-resolving cops (#​3945) by @​sucicfilip
• Fix test runner silent failure on dual-stack IPv4/IPv6 systems (#​3953) by @​Copilot
• Fix Bundler::GemNotFound error introduced in 0.26.5 (#​3961) by @​jesse-shopify
• Fix incompatible addon version activation when Bundler.setup fails after retry (#​3963) by @​KaanOzkan
• Avoid failing if needs_update file is deleted by concurrent process (#​3964) by @​vinistock

📦 Other Changes

• Support IPv4 and IPv6 for LSP reporter connection (#​3965) by @​vinistock
• Decouple test reporter IO from test execution (#​3962) by @​alexcrocha

v0.26.6

v0.26.6

🐛 Bug Fixes

• Fix infinite loop when collecting transitive excluded gems (#​3913) by @​rafaelfranca
• Don't include test files in the gem package (#​3916) by @​rafaelfranca
• Add rbs to composed bundle update commands (#​3938) by @​modille
• Extract GEMS_TO_UPDATE constant and fix missing prism in command path (#​3939) by @​st0012

📦 Other Changes

• [DOC] Add security documentation (#​3928) by @​st0012

v0.26.5

v0.26.5

✨ Enhancements

• Sync URI::Source with Tapioca (#​3891) by @​amomchilov
• Enable "toggle block style" refactor when there's no selection (#​3818) by @​rolandcrosby-columntax
• Implement goto definition for send and public send (#​3882) by @​sucicfilip

🐛 Bug Fixes

• Exclude magic comments from documentation (#​3844) by @​thomasmarshall
• Skip adding documentation for require completions (#​3874) by @​vinistock
• Use URI instead of path for read more keyword read more links (#​3873) by @​vinistock

📦 Other Changes

• Upgrade Bundler to v4.0.0.beta2 (#​3840) by @​vinistock
• Add detection reasons to auto-detection log messages (#​3859) by @​adam12

v0.26.4

v0.26.4

🐛 Bug Fixes

• Revert "Reuse the prism result again" (#​3826) by @​vinistock

v0.26.3

v0.26.3

✨ Enhancements

• Add support for Package URL format for source links (#​3807) by @​paracycle

🐛 Bug Fixes

• Restore request cancellation with correct implementation (#​3791) by @​janko
• Ensure binmode and sync on LSP reporter socket (#​3820) by @​vinistock
• Run bundle update only on the composed bundle (#​3819) by @​vinistock

📦 Other Changes

• Speed up workspace symbol search by filtering before fuzzy matching (#​3792) by @​janko

v0.26.2

v0.26.2

✨ Enhancements

• Add highlight for Do Nodes (#​3710) by @​vicocamacho
• Reuse the prism result again (#​3729) by @​Earlopain
• Improve go to relevant file performance (#​3731) by @​domingo2000
• Support multiple test file matches in go to relevant file (#​3790) by @​alexcrocha

🐛 Bug Fixes

• Consider extra Minitest spec descriptions (#​3688) by @​vinistock
• Allow running tests without a bundle (#​3689) by @​vinistock
• Account for module wrapping Minitest specs (#​3715) by @​vinistock
• Fix infinite recursion in constant alias resolution (#​3783) by @​pkondzior
• Refresh diagnostics on .rubocop_todo.yml change (#​3800) by @​vinistock
• Fix stack StackLevelError during self referential constant resolution (#​3799) by @​pkondzior
• Escape file paths for test command resolution (#​3802) by @​vinistock
• Add missing kinds for indexer entries (#​3803) by @​vinistock

📦 Other Changes

• Handle Bundler::Fetcher::NetworkDownError during Bundler setup (#​3697) by @​egiurleo
• Handle Bundler::HTTPErrors during bundle install (#​3699) by @​egiurleo

v0.26.1

v0.26.1

🐛 Bug Fixes

• Avoid keeping empty arrays inside constant completion candidates (#​3680) by @​vinistock

📦 Other Changes

• Avoid sending invalid location errors to telemetry (#​3682) by @​vinistock

v0.26.0

v0.26.0

🚧 Breaking Changes

• Use -r instead of RUBYOPT to require LSP reporters (#​3661) by @​vinistock

🐛 Bug Fixes

• Avoid writing error file if client is closed during bundle compose (#​3649) by @​vinistock
• Prevent workspace dependencies from failing if there's no bundle (#​3655) by @​vinistock
• Prevent relative require completion for unsaved files (#​3656) by @​vinistock
• Filter constant completion suggestions to only include constants (#​3654) by @​vinistock
• Avoid requiring add-ons that are copied into the workspace (#​3669) by @​vinistock
• Stop reusing the Prism result for RuboCop for now (#​3672) by @​vinistock

📦 Other Changes

• Remove excessive mutex synchronization (#​3637) by @​vinistock
• Remove RUBYOPT from ruby-lsp-test-exec (#​3673) by @​vinistock

v0.25.0

v0.25.0

🚧 Breaking Changes

• Remove sorbet-runtime dependency (#​3556) by @​vinistock

✨ Enhancements

• Reuse Prism parse result for RuboCop (#​3584) by @​vinistock
• Move server update after launching server (#​3555) by @​vinistock
• Support Windsurf for setting cursor position in snippets (#​3634) by @​ttilberg
• Allow users to disable test related code lenses (#​3632) by @​vinistock

📦 Other Changes

• Upgrade Tapioca (#​3622) by @​vinistock
• Move feature configuration to global state (#​3613) by @​vinistock
• Replace LanguageServer::Protocol::Transport with our own implementation (#​3533) by @​vinistock

v0.24.2

v0.24.2

✨ Enhancements

• Add hover documentation for 'break' keyword (#​3587) by @​mikeygough

🐛 Bug Fixes

• Fix minitest reporter crash with parallel testing (#​3602) by @​alexcrocha
• Advance scanner position by byte length while searching for line (#​3612) by @​vinistock
• Avoid loading incorrect add-on versions when bundle path is inside project (#​3620) by @​vinistock
• Prevent add-ons from exiting the server process (#​3617) by @​vinistock

v0.24.1

v0.24.1

🐛 Bug Fixes

• Update collect_references to use Prism::LexResult (#​3590) by @​st0012

v0.24.0

v0.24.0

🚧 Breaking Changes

• Use parse_lex instead of parse for Ruby and ERB documents (#​3252) by @​vinistock
• Register all test discovery listener events in one go (#​3582) by @​vinistock

🐛 Bug Fixes

• Do not collect trailing comments of previous lines (#​3563) by @​jesse-shopify
• Handle attr with true argument for writer (#​3579) by @​vinistock
• Utf 8 encoding issue (#​3583) by @​ChallaHalla

v0.23.24

v0.23.24

✨ Enhancements

• find instance variable references with matched scopes (#​3377) by @​monkeyWzr

🐛 Bug Fixes

• Prevent outdated Bundler errors from crashing launcher (#​3552) by @​vinistock
• Index attr (#​3544) by @​vinistock
• Pick most specific parent class during linearization (#​3572) by @​vinistock
• Complete writer methods with self receiver when receiver is self (#​3550) by @​antw

📦 Other Changes

• Move all abstract methods to RBS syntax (#​3534) by @​vinistock

v0.23.23

v0.23.23

✨ Enhancements

• Cache tests discovered during code lens request (#​3525) by @​vinistock

🐛 Bug Fixes

• Escape example names for shell execution (#​3522) by @​vinistock
• Ignore examples defined in random modules and classes for spec (#​3521) by @​vinistock

v0.23.22

v0.23.22

🐛 Bug Fixes

• Use a number regex for running spec examples (#​3514) by @​vinistock
• Prevent Minitest reporters from being mutated after LSP hooks (#​3518) by @​vinistock
• Fix commands for groups inside class in minitest spec style (#​3517) by @​domingo2000
• Ignore methods that look like tests inside other namespaces (#​3512) by @​vinistock

📦 Other Changes

• Fix upcoming RBS breaking changes (#​3520) by @​vinistock

v0.23.21

v0.23.21

🐛 Bug Fixes

• Handle spec example name normalization (#​3490) by @​vinistock
• Apply correct nesting structure for nested tests (#​3497) by @​vinistock
• Add spec to load path when running Minitest specs (#​3500) by @​vinistock
• Apply correct hierarchy and IDs to Minitest spec items (#​3501) by @​vinistock
• Use a custom executable to hook to test explorer (#​3499) by @​vinistock
• Use a workspace to port map instead of single value file (#​3502) by @​vinistock

📦 Other Changes

• Stop mutating the test terminal's environment (#​3496) by @​vinistock

v0.23.20

v0.23.20

🐛 Bug Fixes

• Use framework callback instead of at_exit (#​3485) by @​st0012
• Ensure that tests that crash before running emit finish event (#​3487) by @​vinistock
• Ensure that Test Unit's finish summary is printed (#​3486) by @​vinistock

v0.23.19

v0.23.19

🐛 Bug Fixes

• Bring back extend T::Generic for add-on API classes (#​3482) by @​vinistock

v0.23.18

v0.23.18

🐛 Bug Fixes

• Improve support for hovering over a gem in Gemfile (#​3344) by @​andyw8
• Fix pushing incorrect test item as code lens (#​3460) by @​vinistock
• Request code lens refresh after finishing indexing (#​3461) by @​vinistock

📦 Other Changes

• Include line numbers when reporting test start event (#​3429) by @​vinistock
• Only load from cgi what is required (#​3469) by @​Earlopain
• Exclude non-workspace coverage data (#​3472) by @​vinistock
• Better handle cgi changes (#​3473) by @​Earlopain
• Resolve test code lenses lazily for better performance (#​3470) by @​vinistock

v0.23.17

v0.23.17

✨ Enhancements

• Hook code lens with the new test discovery (#​3449) by @​vinistock

🐛 Bug Fixes

• Ensure finish event is emitted on test crashes (#​3445) by @​vinistock
• Show full constant names on hover (#​3457) by @​vinistock
• Fix Index.constant_name crashing on dynamic constant paths (#​3453) by @​vinistock

📦 Other Changes

• Remove T::Enum from code action resolve (#​3439) by @​vinistock
• Migrate T.cast to RBS comment syntax (#​3440) by @​vinistock
• Remove T::Enum for entry visibility (#​3442) by @​vinistock
• Remove T::Enum for SorbetLevel (#​3447) by @​vinistock
• Remove T::Enum for language ID (#​3454) by @​vinistock
• Log full backtrace on diagnostic and formatting crashes (#​3458) by @​vinistock

v0.23.16

v0.23.16

🐛 Bug Fixes

• Escape $ characters for test command regexes (#​3427) by @​vinistock
• Only emit shutdown event after processing coverage (#​3431) by @​vinistock

📦 Other Changes

• Replace T.unsafe with comment based RBS syntax (#​3412) by @​vinistock

v0.23.15

v0.23.15

✨ Enhancements

• Add color to the test explorer's output (#​3409) by @​vinistock

🐛 Bug Fixes

• Read initialize request from a file when retrying (#​3413) by @​vinistock

📦 Other Changes

• Use a TCP socket to stream results to the extension (#​3387) by @​vinistock
• Organize test reporters into their own directory (#​3398) by @​vinistock
• Replace T.must with comment based syntax (#​3400) by @​vinistock
• Avoid recursion when collecting prefix tree node values (#​3401) by @​vinistock

v0.23.14

v0.23.13

v0.23.13

✨ Enhancements

• Support VSCodium as a client when moving cursor (#​3302) by @​shanecav84
• Hook server and extension test execution (#​3309) by @​vinistock
• Capture test output for Minitest reporter (#​3286) by @​andyw8
• Allow add-ons to resolve test commands (#​3351) by @​vinistock
• Add coverage data collection to the test reporter (#​3360) by @​vinistock

🐛 Bug Fixes

• Fix paths to custom test reporters (#​3322) by @​vinistock
• Ignore non Minitest or Test Unit items for resolve command (#​3350) by @​vinistock
• Use no-cache option when bundle installing (#​3342) by @​vinistock
• Handle changing visibility post method definition (#​3339) by @​vinistock
• Expand test directory command resolution with requires (#​3335) by @​vinistock

📦 Other Changes

• Append custom reporter rather than replacing all (#​3324) by @​vinistock
• Prefix framework tags with framework: (#​3340) by @​vinistock

v0.23.12

v0.23.12

✨ Enhancements

• Exclude RBS comments from on-type formatting (#​3220) by @​st0012
• Add basic resolve test command request (#​3234) by @​vinistock
• Add support for specify in Code Lens (#​3228) by @​andyw8
• Add test discovery support for Minitest spec style syntax (#​3223) by @​alexcrocha
• Add test-unit reporter (#​3238) by @​andyw8
• Resolve Minitest commands for test items (#​3249) by @​vinistock
• Tag Test Unit and Minitest spec test items (#​3268) by @​vinistock
• Resolve commands for test unit items (#​3264) by @​vinistock
• Allow add-ons to extend test discovery (#​3271) by @​alexcrocha
• Add JSON test reporter for minitest (#​3187) by @​andyw8
• Add GoToRelevantFile functionality (#​2985) by @​jenny-codes

🐛 Bug Fixes

• Avoid reading from deleted file (#​3218) by @​andyw8
• Try to relaunch if gems are modified between install and setup (#​3231) by @​vinistock
• Avoid raising on duplicate test item IDs (#​3237) by @​vinistock
• Include tags in TestItem#to_hash (#​3239) by @​vinistock
• Prevent race condition when saving file during initial indexing (#​3269) by @​vinistock
• Exclude certain Bundler settings when composing bundle (#​3277) by @​vinistock

📦 Other Changes

• Ensure we index non test files under test directories (#​3188) by @​vinistock

v0.23.11

v0.23.11

✨ Enhancements

• Add custom request to return LSP internal state (#​3194) by @​vinistock
• Add test items collection builder (#​3169) by @​vinistock
• Add discover tests custom request (#​3180) by @​vinistock

🐛 Bug Fixes

• Fix backward compatibility for Bundler versions < 2.2.17 (#​3152) by @​Artes02
• Fix off by one error when fetching lazy comments (#​3167) by @​vinistock
• Fix composed bundle reference to gemfile in higher-level directory (#​3135) by @​mckeed

📦 Other Changes

• Update Kate editor regarding incremental text updates (#​3164) by @​larskanis
• Accept nil name for actual nesting (#​3182) by @​vinistock
• Accept module/class node's constant path for constant name (#​3183) by @​vinistock

v0.23.10

v0.23.10

🐛 Bug Fixes

• Prevent relative require completion from failing on permissions (#​3151) by @​vinistock
• Avoid indexing client managed documents twice (#​3159) by @​vinistock
• Rescue failing add-on watched files handlers (#​3160) by @​vinistock

📦 Other Changes

• Pass machine ID to server for telemetry (#​3157) by @​vinistock

v0.23.9

v0.23.9

✨ Enhancements

• Enhance log message and server action for new releases (#​3126) by @​Hungle2911
• Code actions for attribute accessor creation (#​2739) by @​rogancodes

🐛 Bug Fixes

• Handle invalid URIs in magic source links (#​3132) by @​vinistock
• Avoid collecting duplicates in reference finder (#​3098) by @​vicocamacho
• Prevent workspace dependencies from failing when gems aren't installed (#​3138) by @​vinistock
• Use unique IDs for registering watchers (#​3144) by @​vinistock

v0.23.8

v0.23.8

🐛 Bug Fixes

• Avoid failing if file is quickly created and deleted (#​3105) by @​vinistock
• Account for missing bundle or lockfile in compose bundle request (#​3104) by @​vinistock
• Allow snippets for Cursor editor (#​3109) by @​vinistock
• Prefer exact matches when guessing types (#​3112) by @​vinistock
• Search for class variables completion candidates in attached namespace (#​3100) by @​vinistock

v0.23.7

v0.23.7

✨ Enhancements

• Check if lockfile is valid before composing bundle (#​3077) by @​vinistock

🐛 Bug Fixes

• Remove server side document selectors (#​3074) by @​vinistock
• Fix file paths for exec launcher on Windows (#​3073) by @​vinistock

v0.23.6

v0.23.6

✨ Enhancements

• Add references support for instance variables (#​2787) by @​monkeyWzr

🐛 Bug Fixes

• Return early if magic source link URI has no path (#​3056) by @​vinistock
• Fix singleton indexing under compact namespaces (#​3062) by @​vinistock
• Update GUESSED_TYPES_URL (#​3068) by @​csjh
• Change our internal RuboCop integration identifier (#​3067) by @​vinistock
• Request diagnostic refresh when RuboCop configs change (#​3041) by @​vinistock
• Check if RuboCop is available before searching for add-on (#​3071) by @​vinistock

v0.23.5

v0.23.5

🐛 Bug Fixes

• Only load install error instance after requiring Bundler (#​3043) by @​vinistock
• Use top level namespace operand on Rubocop (#​3044) (#​3045) by @​abrisse

v0.23.4

v0.23.4

🐛 Bug Fixes

• Avoid trying to acquire lock twice when shutting down (#​3036) by @​vinistock

v0.23.3

v0.23.3

🐛 Bug Fixes

• Stop running cancel request in the main thread (#​3028) by @​vinistock
• Synchronize store operations in server instead (#​3029) by @​vinistock
• Ensure requests are not assuming the presence of file paths for entries (#​3030) by @​vinistock
• Fix visibility stack handling for private_class_method (#​3032) by @​vinistock
• Avoid reporting the same Bundler install error twice (#​3033) by @​vinistock
• Always apply workspace URI configuration to indexer (#​3034) by @​vinistock

v0.23.2

v0.23.2

✨ Enhancements

• Infer types for method calls on immediately instantiated objects (#​3007) by @​vinistock
• Move RuboCop file watching to the server (#​2982) by @​vinistock
• Index documents on modification (#​2941) by @​vinistock
• Handle module_function with no arguments (#​3018) by @​vinistock
• Only reindex documents if declarations are being modified (#​2942) by @​vinistock

🐛 Bug Fixes

• Locate targets under mutex lock (#​2976) by @​vinistock
• Go back to returning nil for cancelled requests (#​3024) by @​vinistock

v0.23.1

v0.23.1

🐛 Bug Fixes

• Fix Bundler default bindir on Windows (#​3014) by @​vinistock

v0.23.0

v0.23.0

🚧 Breaking Changes

• Start accepting any URI scheme in the index (#​2934) by @​vinistock

✨ Enhancements

• Add Prepare Rename Request (#​2894) by @​rogancodes
• Add glyph for 'Run' code lenses (#​2973) by @​andyw8
• feat: Handle instance variable target nodes in document symbol (#​2981) by @​Hungle2911
• Add test helper methods from Rails add-on (#​2991) by @​andyw8
• Support Hover, Completion, Go to definition for Class Variables (#​2944) by @​rogancodes

🐛 Bug Fixes

• Fix minitest spec code lens load path (#​2706) by @​thomasmarshall
• Avoid excluding transitive dependencies of default dependencies (#​2937) by @​vinistock
• Fail requests that are searching for a non existing position (#​2938) by @​vinistock
• Use correct error response for cancellations (#​2939) by @​vinistock
• Fix folding ranges when a line is surrounded by comments and contains code (#​2954) by @​Earlopain
• Pass Ruby interpreter path when replacing process by launcher (#​2979) by @​vinistock
• Fully unload add-ons under a mutex when shutting down (#​2970) by @​vinistock
• Fix debug platform inclusion for Windows (#​2978) by @​vinistock
• Recover from uninstalled gems in launcher mode (#​2975) by @​vinistock
• Handle missing specs when listing transitive dependencies (#​3012) by @​vinistock
• Use original Bundler binstub from RubyGems to avoid version argument issues (#​2987) by @​vinistock

📦 Other Changes

• Move URI extension to indexer (#​2915) by @​vinistock
• Add note to docs about unsaved files (#​2923) by @​andyw8
• Replace IndexablePath with URI (#​2916) by @​vinistock
• Store URIs in entries instead of file paths (#​2926) by @​vinistock
• Use Entry#uri where possible instead of file path (#​2927) by @​vinistock

v0.22.1

v0.22.1

✨ Enhancements

• Support private_class_method in the indexer (#​2858) by @​kcdragon

🐛 Bug Fixes

• Retry composing bundle if it's modified during setup (#​2890) by @​vinistock
• Create textDocument/documentSymbol to instance variables using shorthand assignment (#​2834) by @​vinibispo

📦 Other Changes

• Use field instead of variable for instance variable symbol kinds (#​2898) by @​vinistock

v0.22.0

v0.22.0

🚧 Breaking Changes

• Remove deprecated experimental features from global state (#​2829) by @​vinistock
• Allow indexing enhancements to create namespaces (#​2857) by @​vinistock

✨ Enhancements

• Prevent full indexing (index_all) from being called multiple times (#​2864) by @​andyw8
• Add support for extend self to handle_module_operation (#​2855) by @​tlemburg

🐛 Bug Fixes

• Ensure top level scripts are indexed (#​2849) by @​vinistock
• Check target precision for call node in hover and definition (#​2870) by @​vinistock
• Fix documentation reference when methods are too close (#​2806) by @​IgnacioFan

📦 Other Changes

• Log when trying to format files outside of workspace (#​2853) by @​vinistock
• Add Sorbet troubleshooting note (#​2871) by @​andyw8
• Start returning composed bundle environment from initialize request (#​2880) by @​vinistock

v0.21.3

v0.21.3

✨ Enhancements

• Highlight definition and control block structures (#​2779) by @​rogancodes
• Add feature flag support to GlobalState (#​2826) by @​vinistock

v0.21.2

v0.21.2

✨ Enhancements

• Move supports_progress to global state (#​2815) by @​vinistock

🐛 Bug Fixes

• Ensure we're handling client responses for window show message (#​2814) by @​vinistock

📦 Other Changes

• Extract progress notifications to helpers (#​2816) by [@​vinistock](https://redi