Data

Tools

Indexes

Applications

Experiments

Ruby

A summary of data about the Ruby ecosystem.

https://github.com/rubysec/bundler-audit

Patch-level verification for Bundler
https://github.com/rubysec/bundler-audit

Keywords

bundler-audit dependency-checker patch-management ruby ruby-advisory-db security security-audit security-tools

Keywords from Contributors

activerecord mvc activejob rubygems rack rspec sinatra rubocop crash-reporting static-code-analysis

Last synced: about 3 hours ago
JSON representation

Repository metadata

Patch-level verification for Bundler

README.md

bundler-audit

CI
Gem Version

Description

Patch-level verification for bundler.

Features

  • Checks for vulnerable versions of gems in Gemfile.lock.
  • Checks for insecure gem sources (http:// and git://).
  • Allows ignoring certain advisories that have been manually worked around.
  • Prints advisory information.
  • Does not require a network connection.

Synopsis

Audit a project's Gemfile.lock:

$ bundle-audit
Name: actionpack
Version: 3.2.10
Advisory: OSVDB-91452
Criticality: Medium
URL: http://www.osvdb.org/show/osvdb/91452
Title: XSS vulnerability in sanitize_css in Action Pack
Solution: update to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: actionpack
Version: 3.2.10
Advisory: OSVDB-91454
Criticality: Medium
URL: http://osvdb.org/show/osvdb/91454
Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
Solution: update to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: actionpack
Version: 3.2.10
Advisory: OSVDB-89026
Criticality: High
URL: http://osvdb.org/show/osvdb/89026
Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
Solution: update to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11

Name: activerecord
Version: 3.2.10
Advisory: OSVDB-91453
Criticality: High
URL: http://osvdb.org/show/osvdb/91453
Title: Symbol DoS vulnerability in Active Record
Solution: update to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: activerecord
Version: 3.2.10
Advisory: OSVDB-90072
Criticality: Medium
URL: http://direct.osvdb.org/show/osvdb/90072
Title: Ruby on Rails Active Record attr_protected Method Bypass
Solution: update to ~> 2.3.17, ~> 3.1.11, >= 3.2.12

Name: activerecord
Version: 3.2.10
Advisory: OSVDB-89025
Criticality: High
URL: http://osvdb.org/show/osvdb/89025
Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
Solution: update to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11

Name: activesupport
Version: 3.2.10
Advisory: OSVDB-91451
Criticality: High
URL: http://www.osvdb.org/show/osvdb/91451
Title: XML Parsing Vulnerability affecting JRuby users
Solution: update to ~> 3.1.12, >= 3.2.13

Unpatched versions found!

Update the ruby-advisory-db that bundle audit uses:

$ bundle-audit update
Updating ruby-advisory-db ...
remote: Counting objects: 44, done.
remote: Compressing objects: 100% (24/24), done.
remote: Total 39 (delta 19), reused 29 (delta 10)
Unpacking objects: 100% (39/39), done.
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Updating 5f8225e..328ca86
Fast-forward
 CONTRIBUTORS.md                    |  1 +
 gems/actionmailer/OSVDB-98629.yml  | 17 +++++++++++++++++
 gems/cocaine/OSVDB-98835.yml       | 15 +++++++++++++++
 gems/fog-dragonfly/OSVDB-96798.yml | 13 +++++++++++++
 gems/sounder/OSVDB-96278.yml       | 13 +++++++++++++
 gems/wicked/OSVDB-98270.yml        | 14 ++++++++++++++
 6 files changed, 73 insertions(+)
 create mode 100644 gems/actionmailer/OSVDB-98629.yml
 create mode 100644 gems/cocaine/OSVDB-98835.yml
 create mode 100644 gems/fog-dragonfly/OSVDB-96798.yml
 create mode 100644 gems/sounder/OSVDB-96278.yml
 create mode 100644 gems/wicked/OSVDB-98270.yml
ruby-advisory-db: 64 advisories

Update the ruby-advisory-db and check Gemfile.lock (useful for CI runs):

$ bundle-audit check --update

Checking the Gemfile.lock without updating the ruby-advisory-db:

$ bundle-audit check --no-update

Ignore specific advisories:

$ bundle-audit check --ignore OSVDB-108664

Checking a custom Gemfile.lock file:

$ bundle-audit check --gemfile-lock Gemfile.custom.lock

Output the audit's results in JSON:

$ bundle-audit check --format json

Output the audit's results in JSON, to a file:

$ bundle-audit check --format json --output bundle-audit.json

Rake Tasks

Bundler-audit provides rake tasks for checking the code and for updating
its vulnerability database.

Simply add the following code to the Rakefile:

require 'bundler/audit/task'
Bundler::Audit::Task.new

The following rake tasks will then become available:

$ rake -T
rake bundle:audit
rake bundle:audit:update

Configuration File

bundler-audit also supports a per-project configuration file:

.bundler-audit.yml:

---
ignore:
  - CVE-YYYY-XXXX
  - ...
  • ignore: [Array<String>] - A list of advisory IDs to ignore.

You can provide a path to a config file using the --config flag:

$ bundle-audit check --config bundler-audit.custom.yaml

Requirements

Install

$ [sudo] gem install bundler-audit

Git

  • Debian / Ubuntu:
$ sudo apt install git
  • RedHat / Fedora:
$ sudo dnf install git
  • Alpine Linux:
$ apk add git
  • macOS:
$ brew install git

Contributing

  1. https://github.com/rubysec/bundler-audit/fork
  2. git clone YOUR_FORK_URI
  3. cd bundler-audit/
  4. bundle install
  5. bundle exec rake spec
  6. git checkout -b YOUR_FEATURE
  7. Make your changes
  8. bundle exec rake spec
  9. git commit -a
  10. git push origin YOUR_FEATURE

Policy on Generative AI Contributions

To safeguard project security and respect our maintainers' volunteer time, a human-in-the-loop is strictly required for all submissions. While AI tools are permitted as assistants, contributors must personally review, understand, and take full responsibility for their work. Any contributions that appear to be unreviewed machine output will be closed immediately, and repeat offenders will be banned from the project and reported.

License

Copyright (c) 2013-2026 Hal Brodigan (postmodern.mod3 at gmail.com)

bundler-audit is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

bundler-audit is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with bundler-audit. If not, see https://www.gnu.org/licenses/.

Owner metadata

GitHub Events

Total
Last Year

Committers metadata

Last synced: about 7 hours ago

Total Commits: 630
Total Committers: 69
Avg Commits per committer: 9.13
Development Distribution Score (DDS): 0.256

Commits in past year: 27
Committers in past year: 10
Avg Commits per committer in past year: 2.7
Development Distribution Score (DDS) in past year: 0.704

Name Email Commits
Postmodern p****3@g****m 469
dependabot[bot] 4****] 34
Jon Frisby j****y@m****m 11
Reed Loden r****d@h****m 10
Mike Dalessio m****e@3****m 8
grosser g****l@g****m 7
Robert Schultheis r****s@g****m 7
woodbusy w****y@g****m 3
retornam r****m 3
Peter Goldstein p****n@g****m 3
JuanitoFatas k****0@g****m 3
Eliot Sykes e****s@g****m 3
Martin Baum m****m@d****e 3
Muhammad Rizal Muthi r****i@g****m 2
Popa Marius Adrian m****a@g****m 2
Mikhail Doronin m****n@t****m 2
Mark Borcherding m****g@g****m 2
Jared Beck j****d@j****m 2
Jacob Evans j****b@d****t 2
Dmytro Shteflyuk k****k@k****o 2
Andrius Miasnikovas a****s@v****m 2
Paul B p****l@b****r 2
Ryan Bigg g****t@r****m 2
Adrian Macneil a****n@c****m 1
Alex Hamlin a****n@n****m 1
Andrey Korobkov k****v@f****o 1
Christos Zisopoulos c****s@m****m 1
Garllon p****t@g****m 1
Jan Rusnacko r****j@g****m 1
Al Snow 4****w 1
and 39 more...

Committer domains:

Issue and Pull Request metadata

Last synced: about 7 hours ago

Total issues: 49
Total pull requests: 106
Average time to close issues: about 1 year
Average time to close pull requests: 8 months
Total issue authors: 40
Total pull request authors: 48
Average comments per issue: 2.92
Average comments per pull request: 1.22
Merged pull request: 47
Bot issues: 0
Bot pull requests: 44

Past year issues: 7
Past year pull requests: 21
Past year average time to close issues: 12 days
Past year average time to close pull requests: 18 days
Past year issue authors: 7
Past year pull request authors: 13
Past year average comments per issue: 1.29
Past year average comments per pull request: 0.95
Past year merged pull request: 11
Past year bot issues: 0
Past year bot pull requests: 4

More stats: https://issues.ecosyste.ms/repositories/lookup?url=https://github.com/rubysec/bundler-audit

Top Issue Authors

  • postmodern (9)
  • G-Rath (2)
  • reedloden (1)
  • nello (1)
  • TomNaessens (1)
  • GolovkoStepan (1)
  • chabgood (1)
  • eliotsykes (1)
  • byroot (1)
  • peter-mtso (1)
  • so87 (1)
  • fatkodima (1)
  • rslhdyt (1)
  • dssjoblom (1)
  • lopopolo (1)

Top Pull Request Authors

  • dependabot[bot] (44)
  • kallal79 (4)
  • kpumuk (3)
  • onshi (2)
  • lovro-bikic (2)
  • GoutamSingired (2)
  • neumayr (2)
  • paulRbr (2)
  • oz-tal (2)
  • rrothenberger (2)
  • Earlopain (2)
  • andriusm (2)
  • viktorianer (2)
  • misdoro (1)
  • jasnow (1)

Top Issue Labels

  • feature (15)
  • bug (11)
  • needs-info (5)
  • chore (4)
  • enhancement (4)
  • upstream (2)
  • specs (2)
  • Ready to Review (2)
  • help-wanted (1)
  • Ready to Close (1)
  • json (1)
  • cannot-repro (1)
  • discussion (1)
  • documentation (1)
  • rubygems (1)

Top Pull Request Labels

  • dependencies (44)
  • github_actions (3)
  • Ready to Merge (3)
  • Ready to Review (3)
  • feature (2)
  • ruby (2)
  • enhancement (1)
  • discussion (1)

Package metadata

gem.coop: bundler-audit

bundler-audit provides patch-level verification for Bundled apps.

  • Homepage: https://github.com/rubysec/bundler-audit#readme
  • Documentation: http://www.rubydoc.info/gems/bundler-audit/
  • Licenses: GPL-3.0-or-later
  • Latest release: 0.9.3 (published 7 months ago)
  • Last Synced: 2026-06-15T07:07:49.536Z (about 23 hours ago)
  • Versions: 20
  • Dependent Packages: 0
  • Dependent Repositories: 0
  • Downloads: 133,464,144 Total
  • Docker Downloads: 466,004,988
  • Rankings:
    • Dependent repos count: 0.0%
    • Dependent packages count: 0.0%
    • Average: 0.108%
    • Downloads: 0.209%
    • Docker downloads count: 0.222%
  • Maintainers (1)
rubygems.org: bundler-audit

bundler-audit provides patch-level verification for Bundled apps.

  • Homepage: https://github.com/rubysec/bundler-audit#readme
  • Documentation: http://www.rubydoc.info/gems/bundler-audit/
  • Licenses: GPL-3.0-or-later
  • Latest release: 0.9.3 (published 7 months ago)
  • Last Synced: 2026-06-15T05:00:53.798Z (1 day ago)
  • Versions: 20
  • Dependent Packages: 368
  • Dependent Repositories: 5,894
  • Downloads: 133,453,398 Total
  • Docker Downloads: 466,004,988
  • Rankings:
    • Dependent packages count: 0.124%
    • Downloads: 0.205%
    • Docker downloads count: 0.299%
    • Dependent repos count: 0.417%
    • Average: 0.632%
    • Stargazers count: 0.989%
    • Forks count: 1.755%
  • Maintainers (1)
proxy.golang.org: github.com/rubysec/bundler-audit

  • Homepage:
  • Documentation: https://pkg.go.dev/github.com/rubysec/bundler-audit#section-documentation
  • Licenses: gpl-3.0
  • Latest release: v0.9.3 (published 7 months ago)
  • Last Synced: 2026-06-15T23:23:27.005Z (about 7 hours ago)
  • Versions: 16
  • Dependent Packages: 0
  • Dependent Repositories: 0
  • Rankings:
    • Stargazers count: 1.312%
    • Forks count: 1.821%
    • Average: 5.877%
    • Dependent packages count: 9.576%
    • Dependent repos count: 10.802%
nixpkgs-24.11: bundler-audit

Patch-level verification for Bundler

nixpkgs-24.05: bundler-audit

Patch-level verification for Bundler

gentoo-portage: dev-ruby/bundler-audit

Provides patch-level verification for Bundled apps

  • Homepage: https://github.com/rubysec/bundler-audit
  • Documentation: https://packages.gentoo.org/packages/dev-ruby/bundler-audit
  • Licenses: GPL-3
  • Latest release: 0.9.3 (published about 2 months ago)
  • Last Synced: 2026-05-27T02:44:04.154Z (20 days ago)
  • Versions: 2
  • Dependent Packages: 0
  • Dependent Repositories: 0
  • Rankings:
    • Dependent repos count: 0.0%
    • Dependent packages count: 0.0%
    • Average: 100%
nixpkgs-23.11: bundler-audit

Patch-level verification for Bundler

nixpkgs-unstable: bundler-audit

Patch-level verification for Bundler

nixpkgs-23.05: bundler-audit

Patch-level verification for Bundler

Dependencies

.github/workflows/ruby.yml actions
  • actions/checkout v2 composite
  • ruby/setup-ruby v1 composite
Gemfile rubygems
  • kramdown ~> 2.0 development
  • rake >= 0 development
  • redcarpet >= 0 development
  • rspec ~> 3.0 development
  • rubocop ~> 1.18 development
  • rubygems-tasks ~> 0.2 development
  • simplecov ~> 0.7 development
  • yard ~> 0.9 development
  • yard-spellcheck >= 0 development
spec/bundle/insecure_sources/Gemfile rubygems
  • jquery-rails >= 0
  • rails >= 0
spec/bundle/insecure_sources/Gemfile.lock rubygems
  • actioncable 6.1.3.2
  • actionmailbox 6.1.3.2
  • actionmailer 6.1.3.2
  • actionpack 6.1.3.2
  • actiontext 6.1.3.2
  • actionview 6.1.3.2
  • activejob 6.1.3.2
  • activemodel 6.1.3.2
  • activerecord 6.1.3.2
  • activestorage 6.1.3.2
  • activesupport 6.1.3.2
  • builder 3.2.4
  • concurrent-ruby 1.1.8
  • crass 1.0.6
  • erubi 1.10.0
  • globalid 0.4.2
  • i18n 1.8.10
  • jquery-rails 4.4.0
  • loofah 2.19.1
  • mail 2.7.1
  • marcel 1.0.1
  • method_source 1.0.0
  • mini_mime 1.0.3
  • mini_portile2 2.8.0
  • minitest 5.14.4
  • nio4r 2.5.7
  • nokogiri 1.13.10
  • racc 1.6.1
  • rack 2.2.3
  • rack-test 1.1.0
  • rails 6.1.3.2
  • rails-dom-testing 2.0.3
  • rails-html-sanitizer 1.4.4
  • railties 6.1.3.2
  • rake 13.0.3
  • sprockets 4.0.2
  • sprockets-rails 3.2.2
  • thor 1.1.0
  • tzinfo 2.0.4
  • websocket-driver 0.7.4
  • websocket-extensions 0.1.5
  • zeitwerk 2.4.2
spec/bundle/secure/Gemfile rubygems
  • rails ~> 5.2
  • rails-html-sanitizer ~> 1.4.4
spec/bundle/secure/Gemfile.lock rubygems
  • actioncable 5.2.8
  • actionmailer 5.2.8
  • actionpack 5.2.8
  • actionview 5.2.8
  • activejob 5.2.8
  • activemodel 5.2.8
  • activerecord 5.2.8
  • activestorage 5.2.8
  • activesupport 5.2.8
  • arel 9.0.0
  • builder 3.2.4
  • concurrent-ruby 1.1.10
  • crass 1.0.6
  • erubi 1.10.0
  • globalid 1.0.0
  • i18n 1.10.0
  • loofah 2.19.1
  • mail 2.7.1
  • marcel 1.0.2
  • method_source 1.0.0
  • mini_mime 1.1.2
  • mini_portile2 2.8.0
  • minitest 5.15.0
  • nio4r 2.5.8
  • nokogiri 1.13.10
  • racc 1.6.1
  • rack 2.2.4
  • rack-test 1.1.0
  • rails 5.2.8
  • rails-dom-testing 2.0.3
  • rails-html-sanitizer 1.4.4
  • railties 5.2.8
  • rake 13.0.6
  • sprockets 4.0.3
  • sprockets-rails 3.4.2
  • thor 1.2.1
  • thread_safe 0.3.6
  • tzinfo 1.2.9
  • websocket-driver 0.7.5
  • websocket-extensions 0.1.5
spec/bundle/unpatched_gems/Gemfile rubygems
  • activerecord = 3.2.10
spec/bundle/unpatched_gems/Gemfile.lock rubygems
  • activemodel 3.2.10
  • activerecord 3.2.10
  • activesupport 3.2.10
  • arel 3.0.3
  • builder 3.0.4
  • concurrent-ruby 1.1.7
  • i18n 0.9.5
  • multi_json 1.15.0
  • tzinfo 0.3.58
spec/bundle/unpatched_gems_with_dot_configuration/Gemfile rubygems
  • activerecord = 3.2.10
spec/bundle/unpatched_gems_with_dot_configuration/Gemfile.lock rubygems
  • activemodel 3.2.10
  • activerecord 3.2.10
  • activesupport 3.2.10
  • arel 3.0.3
  • builder 3.0.4
  • concurrent-ruby 1.1.7
  • i18n 0.9.5
  • multi_json 1.15.0
  • tzinfo 0.3.58
bundler-audit.gemspec rubygems

Score: 33.07653725990846