RubyGems · rubygems.org

sqlite3

Rb Install Time Backticks: Backtick / %x() shell-out paired with eval/dynamic-require/network/deserialize.

Why PkgRadar flagged 2.9.5

Severity	Signal	Evidence
high	Rb Install Time Backticks	Backtick / %x() shell-out paired with eval/dynamic-require/network/deserialize. · ext/sqlite3/extconf.rb
high	Rb Install Time Unsafe Deserialize	Marshal.load / YAML.unsafe_load — RCE if attacker-controlled. · ext/sqlite3/extconf.rb

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`2.9.5`	Review	30	2026-06-07

Block this in CI

PkgRadar gates sqlite3 (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem rubygems [email protected]