Earlier today the JRuby team was informed of a low-severity vulnerability in the bcrypt-ruby gem. We worked with the library's maintainers to arrange a fix and disclosure. The issue is now fixed in versions 3.1.22 and higher. Exposure risk is low, but upgrading is recommended.
CVE-2026-33306: Integer Overflow Causes Zero Key-Strengthening Iterations at Cost=31 on JRuby
https://github.com/bcrypt-ruby/bcrypt-ruby/security/advisories/GHSA-f27w-vcwj-c954
JRuby 10.0.3.0 is released! Over 80 issues and pull requests and 13 external contributors combined to help further stabilize our 10.0 series! There's lots of compatibility fixes, a few performance enhancements, and a number of library updates. Upgrading is recommended!
New post: Warbled Sidekiq: Zero-install Executable for JVM
In my previous post, I showed how to use Warbler to package a simple image-processing tool as an executable jar. This post will demonstrate how to “warble” a larger project: the Sidekiq background job server!
New post: "Packaging Ruby Apps with Warbler: Executable JAR Files"
Warbler is the JRuby ecosystem’s tool for packaging up Ruby apps with all dependencies in a single deployable file. We’ve just released an update, so let’s explore how to use Warbler to create all-in-one packaged Ruby apps!
https://blog.headius.com/2025/10/packaging-ruby-apps-with-warbler-jar-files.html
Warbler 2.1.0 has been released! Warbler allows you to package JRuby applications as a single binary, either a .jar file you can run directly or a .war file you can deploy to any Java application server. There's even options to precompile your code to obfuscate it... many users out there ship commercial JRuby apps this way. Blog post coming!
At the end of my post on JRuby and JDK 25 startup time features, I teased a bit of the unreleased improvements from Project Leyden. It turns out the latest commits improve startup time even more, so it seems worth posting a quick follow-up!
https://www.reddit.com/r/ruby/comments/1nr630x/jruby_and_leyden_even_better_startup/
New post: JRuby and JDK 25: Startup Time with AOTCache
Let's take a look at JRuby's startup time journey, all the way up to using JDK 25's AOTCache and Project Leyden features coming to a JDK near you soon.
https://blog.headius.com/2025/09/jruby-jdk25-startup-time-with-aotcache.html
JDK 25 is the newest LTS release since JDK 21, and it ships with a gaggle of amazing VM-level features. This post will cover one of the most important improvements for command-line ecosystems like JRuby’s: the AOTCache (ahead-of-time cache) and its ability to pre-optimize code for future runs.
Charles Oliver Nutter