We treat it as an ordinary problem even if gems/ directory contains malicious code. Please report them to the issue tracker or open a pull request.

Our test runner (bin/test) does not execute any code written in gems/ directory. rbs command and library also do not execute any code from this repository. So it does not cause any security issue even if gems/ directory contains malicious code.

But if an attacker can inject malicious code to bin/test, rbs command or the library, it would be a security issue. Please report the problem with the following steps.

Report from https://github.com/ruby/gem_rbs_collection/security/advisories.