All Versions
Latest Version
Avg Release Cycle
226 days
Latest Release
503 days ago

Changelog History
Page 1

  • v0.9.1 Changes

    May 19, 2022
    • ๐Ÿ’Ž Opt into MFA requirement.


    • ๐Ÿ‘Œ Improve the readability of the suggested gem versions to upgrade to (pull #331).

    Rake Task

    • ๐Ÿ›  Fixed a regression introduced in 0.9.0 where the bundler:audit rake task was not exiting with an error status code if vulnerabilities were found. Now when the bundler-audit command fails, the rake task will also exit with the bundler-audit command's error code.
    • If the bundler-audit command could not be found for some reason raise the {Bundler::Audit::Task::CommandNotFound} exception.
  • v0.9.0 Changes

    August 31, 2021
    • ๐Ÿ“‡ Load advisory metadata using YAML.safe_load. (issue #302)
      • Explicitly permit the Date class for Psych >= 4.0.0 and Ruby >= 3.1.0.
    • โž• Added {Bundler::Audit::Advisory#to_h}. (pull #310)
    • โž• Added {Bundler::Audit::Database#commit_id}.


    • โž• Added the --config option. (pull #306)
    • โž• Added the junit output format (ex: --format junit). (pull #314)
    • โž• Add missing output for CVSSv3 criticality information. (pull #302)
      • Include criticality information in the JSON output as well. (pull #310)
    • ๐Ÿ–จ bundle-audit stats now prints the commit ID of the ruby-advisory-db.
    • ๐Ÿ›  Fixed a deprecation warning from Thor. (issue #317)

    Rake Task

    • โž• Add the bundle:audit:update task for updating the [ruby-advisory-db]. (pull #296)
    • Aliased bundle:audit to bundle:audit:check.
    • Aliased bundler:audit:* to bundle:audit:*.
    • Rake tasks now execute bundle-audit command as a subprocess to ensure isolation.
  • v0.9.0.1 Changes

    August 31, 2021
    • โž• Add a workaround for Psych < 3.1.0 to support running on Ruby < 2.6. (issue #319)
      • Although, Ruby 2.5 and prior have all reached [End-of-Life] and are no longer receiving security updates. It is strongly advised that you should upgrade to a currently supported version of Ruby.

    ๐Ÿ’Ž [End-of-Life]:

  • v0.8.0 Changes

    March 10, 2021
    • ๐Ÿ’Ž No longer vendor [ruby-advisory-db].
    • โž• Added {Bundler::Audit::Configuration}.
      • Supports loading YAML configuration data from a .bundler-audit.yml file.
    • โž• Added {Bundler::Audit::Results}.
    • โž• Added {Bundler::Audit::Report}.
    • โž• Added {Bundler::Audit::CLI::Formats}.
    • โž• Added {Bundler::Audit::CLI::Formats::Text}.
    • โž• Added {Bundler::Audit::CLI::Formats::JSON}.
    • โž• Added {Bundler::Audit::Database::DEFAULT_PATH}.
    • โž• Added {Bundler::Audit::Database.exists?}.
    • โž• Added {Bundler::Audit::Database#git?}.
    • โž• Added {Bundler::Audit::Database#update!}.
      • Will raise a {Bundler::Audit::Database::UpdateFailed UpdateFailed} exception, if the git pull command fails.
    • โšก๏ธ Added {Bundler::Audit::Database#last_updated_at}.
    • โž• Added {Bundler::Audit::Scanner#report}.
    • {Bundler::Audit::Database::USER_PATH} is now Gem.user_home aware.
      • Gem.user_home will try to infer HOME, even if it is not set.
    • {Bundler::Audit::Database#download} will now raise a {Bundler::Audit::Database::DownloadFailed DownloadFailed} exception, if the git clone command fails.
    • {Bundler::Audit::Scanner#initialize}:
      • Now accepts an additional database and config_dot_file arguments.
      • Will now raise a Bundler::GemfileLockNotFound exception, if the given Gemfile.lock file cannot be found.
    • {Bundler::Audit::Scanner#scan_sources} will now ignore any source with a or ::1/128 IP address.
    • {Bundler::Audit::Scanner#scan_specs} will ignore any advisories listed in {Bundler::Audit::Configuration#ignore}, which is loaded from the .bundler-audit.yml file.
    • โšก๏ธ Deprecated {Bundler::Audit::Database.update!} in favor of {Bundler::Audit::Database#update! #update!}.
    • โœ‚ Removed Bundler::Audit::Database::VENDORED_PATH.
    • โœ‚ Removed Bundler::Audit::Database::VENDORED_TIMESTAMP.


    • Require [thor] ~> 1.0.
    • โž• Added bundler-audit stats.
    • โž• Added bundler-audit download.
    • bundler-audit check:
      • Now accepts a optional DIR argument for the project directory.
      • bundler-audit check will now print an explicit error message and exit, if the given DIR does not exist.
      • Will now auto-download [ruby-advisory-db] to ensure the latest advisory information is used on first run.
      • Now supports a --database option for specifying a path to an alternative [ruby-advisory-db] copy.
      • Now supports a --gemfile-lock option for specifying a custom Gemfile.lock file within the project directory.
      • Now supports a --format option for specifying the desired format. text and json are supported, but other custom formats can be loaded. See {Bundler::Audit::CLI::Formats}.
      • Now supports a --output option for writing the report output to a file.
      • Prints both CVE and GHSA IDs.
    • ๐Ÿ–จ Print all error messages to stderr.
    • ๐Ÿ–จ No longer print number of advisories in bundler-audit version.
  • v0.7.0 Changes

    June 12, 2020
    • Require [thor] >= 0.18, < 2.
    • โž• Added {Bundler::Audit::Advisory#ghsa} (@rschultheis).
    • โž• Added {Bundler::Audit::Advisory#cvss_v3} (@ahamlin-nr).
    • โž• Added {Bundler::Audit::Advisory#identifiers} (@rschultheis).
    • ๐Ÿš‘ Updated {Bundler::Audit::Advisory#criticality} ranges (@reedloden).
    • โšก๏ธ Avoid rebasing the ruby-advisory-db when updating (@nicknovitski).
    • ๐Ÿ›  Fixed issue with Bundler 2.x where source URIs are no longer parsed as URI::HTTP objects, but as Bundler::URI::HTTP objects. (@milgner)
    • โšก๏ธ Make it more explicit that git is required for database updates (@fatkodima)
  • v0.7.0.1 Changes

    June 12, 2020
    • ๐Ÿ’Ž Forgot to populate data/ruby-advisory-db.
  • v0.6.1 Changes

    January 18, 2019
    • ๐Ÿ‘ Require bundler >= 1.2.0, < 3 to support [bundler] 2.0.
  • v0.6.0 Changes

    July 18, 2017
    • โž• Added --quiet option to check and update commands (@jaredbeck).
    • โž• Added bin/bundler-audit which will be executed when bundle audit is ran (@vassilevsky).
  • v0.5.0 Changes

    February 29, 2016
    • โž• Added {Bundler::Audit::Task}.
    • โž• Added {Bundler::Audit::Advisory#date}.
    • โž• Added {Bundler::Audit::Advisory#cve_id}.
    • โž• Added {Bundler::Audit::Advisory#osvdb_id}.
    • ๐Ÿ‘ Allow insecure gem sources (http:// and git://), if they are hosted on a private network.


    • โž• Added the --update option to bundler-audit check.
    • โšก๏ธ bundler-audit update now returns a non-zero exit status on error.
    • โšก๏ธ bundler-audit update only updates ~/.local/share/ruby-advisory-db, if it is a git repository.
  • v0.4.0 Changes

    June 30, 2015
    • ๐Ÿ—„ Require ruby >= 1.9.3 due to i18n gem deprecating < 1.9.3.
    • โž• Added {Bundler::Audit::Advisory#osvdb}.
    • Resolve the IP addresses of gem sources and ignore intranet gem sources. (PR #90)
    • ๐Ÿ’Ž Use ISO8601 date format when querying the git timestamp of ruby-advisory-db. (PR #92)


    • ๐Ÿ–จ Print the CVE or OSVDB id.
    • ๐Ÿ–จ No longer print "Unpatched versions found!" when an insecure gem source is detected. (PR #84)