Security Fails at the Edges

We are at Cyber War and many developers live as though we are at peace.

There are a lot of good people working to keep our technology from being exploited, and often it is the gullible human who causes the breach, not the software. I don't want to discount their efforts; I want to make security people's jobs easier. A big part of how modern programmers think is the "secure by default" idea that marketing people love. It is a lie slapped onto all manner of software to convey that security is not something you need to worry about when you use it.

Even with the resources of Rails, they still can't do anything about the kinds of attacks that become possible when the rest of the stack is compromised, as it is by Spectre. And the people who wrote a particular package are under no obligation to know how to keep their code secure. There are no audits in place. Problems are reported by white hats, volunteers, or simply people who know more about security than the author, and hopefully they get corrected; often they are, by responsible maintainers. npm has an automated audit process: it checks your installed packages against its database of known vulnerabilities and warns you after you have already installed all of them. It then offers to fix or patch them, which for a lot of these packages amounts to bumping the dependency to a patched version that still fits the version range your project already allows. I'll give npm credit; that is a very hard problem to solve.

When an ecosystem is born from volunteers releasing their own pet projects, we have an inherent problem. Software professionals who need more of a guarantee should audit the code of every package in their projects themselves: understand what the reported vulnerabilities actually are and whether your application even reaches the affected code, and then either switch packages or mitigate the issue as a company. You have to do this, or your company will be next in line for the invasion.
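To make the audit step concrete, here is an added example (not code from the original post or from npm) of what an automated dependency audit like `npm audit` does under the hood, and why "fix or patch" sometimes is not possible without a breaking change. It walks a `package-lock.json`-style "packages" map, matches every installed version (including nested, transitive copies) against an advisory list, and reports each finding along with whether the patched version still satisfies the range the dependent package declared. The lock file, package names, version numbers and advisory identifiers (`EX-000x`) are all constructed for the example; semver handling is simplified to `MAJOR.MINOR.PATCH` and caret ranges only.

```javascript
"use strict";

// Constructed package-lock.json (lockfileVersion 3 "packages" map). Every
// name, version and range here is made up for this example.
const LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "example-app",
      version: "1.0.0",
      dependencies: { "left-widget": "^1.2.0", "tiny-parser": "^2.0.0", "old-logger": "^0.9.0" },
    },
    "node_modules/left-widget": { version: "1.2.3", dependencies: { "tiny-parser": "^1.0.0" } },
    // nested copy: left-widget needs tiny-parser 1.x while the app uses 2.x
    "node_modules/left-widget/node_modules/tiny-parser": { version: "1.4.0" },
    "node_modules/tiny-parser": { version: "2.1.0" },
    "node_modules/old-logger": { version: "0.9.1" },
  },
};

// Constructed advisory list (not real advisories). Versions in [from, below)
// are affected; `below` is the first version that carries the fix.
const ADVISORIES = [
  { id: "EX-0001", package: "tiny-parser", severity: "high",
    from: "1.0.0", below: "1.5.0", title: "prototype pollution (constructed)" },
  { id: "EX-0002", package: "old-logger", severity: "critical",
    from: "0.0.0", below: "1.0.0", title: "format string injection (constructed)" },
  { id: "EX-0003", package: "left-widget", severity: "moderate",
    from: "1.0.0", below: "1.2.0", title: "ReDoS in class-name parser (constructed)" },
];

// Simplified semver: "MAJOR.MINOR.PATCH" only; pre-release tags and build
// metadata are deliberately out of scope for this example.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Caret ranges only ("^x.y.z"): >= x.y.z and below the next major, or the
// next minor when the major is 0. This is the range form npm writes by default.
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges supported: ${range}`);
  const base = range.slice(1);
  const [major, minor] = parseVersion(base);
  const upper = major === 0 ? `0.${minor + 1}.0` : `${major + 1}.0.0`;
  return compareVersions(version, base) >= 0 && compareVersions(version, upper) < 0;
}

// Package name at a lock-file path; keeps the scope for "@scope/name".
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Path of the package that depends on the entry at lockPath: strip the last
// "node_modules/<name>" segment. Top-level entries resolve to the root "".
function parentPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx <= 0 ? "" : lockPath.slice(0, idx - 1); // also drop the trailing "/"
}

// Walk every installed package (nested copies included) and match it
// against the advisory list.
function audit(lock, advisories) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "") continue;
    const name = packageName(lockPath);
    for (const adv of advisories) {
      if (adv.package !== name) continue;
      const affected = compareVersions(entry.version, adv.from) >= 0 &&
                       compareVersions(entry.version, adv.below) < 0;
      if (!affected) continue;
      const parent = lock.packages[parentPath(lockPath)];
      const declared = parent.dependencies && parent.dependencies[name];
      findings.push({
        id: adv.id, package: name, version: entry.version, severity: adv.severity,
        path: lockPath, via: parentPath(lockPath) || "(root)", fixedIn: adv.below,
        // An in-range bump (what an automated "fix" can do safely) only works
        // when the patched version still satisfies the dependent's declared range.
        fixableInRange: declared !== undefined && satisfiesCaret(adv.below, declared),
      });
    }
  }
  return findings;
}

for (const f of audit(LOCKFILE, ADVISORIES)) {
  console.log(`${f.severity.padEnd(8)} ${f.id} ${f.package}@${f.version} at ${f.path}` +
    ` (via ${f.via}); fixed in ${f.fixedIn}; in-range fix possible: ${f.fixableInRange}`);
}
```

Run with `node audit-example.js`. On the constructed input it reports two findings: the nested `tiny-parser@1.4.0` pulled in by `left-widget`, which can be fixed in range because `1.5.0` still satisfies `^1.0.0`, and `old-logger@0.9.1`, whose fix lives in `1.0.0`, outside the root's `^0.9.0`, so no automated bump can resolve it without a breaking change. That second case is exactly where you have to read the advisory yourself and decide whether to mitigate, upgrade across the breaking change, or replace the package.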

https://guybedford.com/secure-modular-runtimes.html