All Versions
16
Latest Version
Avg Release Cycle
226 days
Latest Release
878 days ago
Changelog History
Page 1
Changelog History
Page 1
-
v0.9.1 Changes
May 19, 2022- 💎 Opt into rubygems.org MFA requirement.
CLI
- 👌 Improve the readability of the suggested gem versions to upgrade to (pull #331).
Rake Task
- 🛠 Fixed a regression introduced in 0.9.0 where the
bundler:audit
rake task was not exiting with an error status code if vulnerabilities were found. Now when thebundler-audit
command fails, the rake task will also exit with thebundler-audit
command's error code. - If the
bundler-audit
command could not be found for some reason raise the {Bundler::Audit::Task::CommandNotFound} exception.
-
v0.9.0 Changes
August 31, 2021- 📇 Load advisory metadata using
YAML.safe_load
. (issue #302)- Explicitly permit the
Date
class for Psych >= 4.0.0 and Ruby >= 3.1.0.
- Explicitly permit the
- ➕ Added {Bundler::Audit::Advisory#to_h}. (pull #310)
- ➕ Added {Bundler::Audit::Database#commit_id}.
CLI
- ➕ Added the
--config
option. (pull #306) - ➕ Added the
junit
output format (ex:--format junit
). (pull #314) - ➕ Add missing output for CVSSv3 criticality information. (pull #302)
- Include criticality information in the JSON output as well. (pull #310)
- 🖨
bundle-audit stats
now prints the commit ID of the ruby-advisory-db. - 🛠 Fixed a deprecation warning from Thor. (issue #317)
Rake Task
- ➕ Add the
bundle:audit:update
task for updating the [ruby-advisory-db]. (pull #296) - Aliased
bundle:audit
tobundle:audit:check
. - Aliased
bundler:audit:*
tobundle:audit:*
. - Rake tasks now execute
bundle-audit
command as a subprocess to ensure isolation.
- 📇 Load advisory metadata using
-
v0.9.0.1 Changes
August 31, 2021- ➕ Add a workaround for Psych < 3.1.0 to support running on Ruby < 2.6.
(issue #319)
- Although, Ruby 2.5 and prior have all reached [End-of-Life] and are no longer receiving security updates. It is strongly advised that you should upgrade to a currently supported version of Ruby.
💎 [End-of-Life]: https://www.ruby-lang.org/en/downloads/branches/
- ➕ Add a workaround for Psych < 3.1.0 to support running on Ruby < 2.6.
(issue #319)
-
v0.8.0 Changes
March 10, 2021- 💎 No longer vendor [ruby-advisory-db].
- ➕ Added {Bundler::Audit::Configuration}.
- Supports loading YAML configuration data from a
.bundler-audit.yml
file.
- Supports loading YAML configuration data from a
- ➕ Added {Bundler::Audit::Results}.
- ➕ Added {Bundler::Audit::Report}.
- ➕ Added {Bundler::Audit::CLI::Formats}.
- ➕ Added {Bundler::Audit::CLI::Formats::Text}.
- ➕ Added {Bundler::Audit::CLI::Formats::JSON}.
- ➕ Added {Bundler::Audit::Database::DEFAULT_PATH}.
- ➕ Added {Bundler::Audit::Database.exists?}.
- ➕ Added {Bundler::Audit::Database#git?}.
- ➕ Added {Bundler::Audit::Database#update!}.
- Will raise a {Bundler::Audit::Database::UpdateFailed UpdateFailed}
exception, if the
git pull
command fails.
- Will raise a {Bundler::Audit::Database::UpdateFailed UpdateFailed}
exception, if the
- ⚡️ Added {Bundler::Audit::Database#last_updated_at}.
- ➕ Added {Bundler::Audit::Scanner#report}.
- {Bundler::Audit::Database::USER_PATH} is now
Gem.user_home
aware.Gem.user_home
will try to inferHOME
, even if it is not set.
- {Bundler::Audit::Database#download} will now raise a
{Bundler::Audit::Database::DownloadFailed DownloadFailed} exception, if the
git clone
command fails. - {Bundler::Audit::Scanner#initialize}:
- Now accepts an additional
database
andconfig_dot_file
arguments. - Will now raise a
Bundler::GemfileLockNotFound
exception, if the givenGemfile.lock
file cannot be found.
- Now accepts an additional
- {Bundler::Audit::Scanner#scan_sources} will now ignore any source with a
127.0.0.0/8
or::1/128
IP address. - {Bundler::Audit::Scanner#scan_specs} will ignore any advisories listed in
{Bundler::Audit::Configuration#ignore}, which is loaded from the
.bundler-audit.yml
file. - ⚡️ Deprecated {Bundler::Audit::Database.update!} in favor of {Bundler::Audit::Database#update! #update!}.
- ✂ Removed
Bundler::Audit::Database::VENDORED_PATH
. - ✂ Removed
Bundler::Audit::Database::VENDORED_TIMESTAMP
.
CLI
- Require [thor] ~> 1.0.
- ➕ Added
bundler-audit stats
. - ➕ Added
bundler-audit download
. bundler-audit check
:- Now accepts a optional
DIR
argument for the project directory. bundler-audit check
will now print an explicit error message and exit, if the givenDIR
does not exist.- Will now auto-download [ruby-advisory-db] to ensure the latest advisory information is used on first run.
- Now supports a
--database
option for specifying a path to an alternative [ruby-advisory-db] copy. - Now supports a
--gemfile-lock
option for specifying a customGemfile.lock
file within the project directory. - Now supports a
--format
option for specifying the desired format.text
andjson
are supported, but other custom formats can be loaded. See {Bundler::Audit::CLI::Formats}. - Now supports a
--output
option for writing the report output to a file. - Prints both CVE and GHSA IDs.
- Now accepts a optional
- 🖨 Print all error messages to stderr.
- 🖨 No longer print number of advisories in
bundler-audit version
.
-
v0.7.0 Changes
June 12, 2020- Require [thor] >= 0.18, < 2.
- ➕ Added {Bundler::Audit::Advisory#ghsa} (@rschultheis).
- ➕ Added {Bundler::Audit::Advisory#cvss_v3} (@ahamlin-nr).
- ➕ Added {Bundler::Audit::Advisory#identifiers} (@rschultheis).
- 🚑 Updated {Bundler::Audit::Advisory#criticality} ranges (@reedloden).
- ⚡️ Avoid rebasing the ruby-advisory-db when updating (@nicknovitski).
- 🛠 Fixed issue with Bundler 2.x where source URIs are no longer parsed as
URI::HTTP
objects, but asBundler::URI::HTTP
objects. (@milgner) - ⚡️ Make it more explicit that git is required for database updates (@fatkodima)
-
v0.7.0.1 Changes
June 12, 2020- 💎 Forgot to populate
data/ruby-advisory-db
.
- 💎 Forgot to populate
-
v0.6.1 Changes
January 18, 2019- 👍 Require bundler
>= 1.2.0, < 3
to support [bundler] 2.0.
- 👍 Require bundler
-
v0.6.0 Changes
July 18, 2017- ➕ Added
--quiet
option tocheck
andupdate
commands (@jaredbeck). - ➕ Added
bin/bundler-audit
which will be executed whenbundle audit
is ran (@vassilevsky).
- ➕ Added
-
v0.5.0 Changes
February 29, 2016- ➕ Added {Bundler::Audit::Task}.
- ➕ Added {Bundler::Audit::Advisory#date}.
- ➕ Added {Bundler::Audit::Advisory#cve_id}.
- ➕ Added {Bundler::Audit::Advisory#osvdb_id}.
- 👍 Allow insecure gem sources (
http://
andgit://
), if they are hosted on a private network.
CLI
- ➕ Added the
--update
option tobundler-audit check
. - ⚡️
bundler-audit update
now returns a non-zero exit status on error. - ⚡️
bundler-audit update
only updates~/.local/share/ruby-advisory-db
, if it is a git repository.
-
v0.4.0 Changes
June 30, 2015- 🗄 Require ruby >= 1.9.3 due to i18n gem deprecating < 1.9.3.
- ➕ Added {Bundler::Audit::Advisory#osvdb}.
- Resolve the IP addresses of gem sources and ignore intranet gem sources. (PR #90)
- 💎 Use ISO8601 date format when querying the git timestamp of ruby-advisory-db. (PR #92)
CLI
- 🖨 Print the CVE or OSVDB id.
- 🖨 No longer print "Unpatched versions found!" when an insecure gem source is detected. (PR #84)