
1.2.1. Outdated Dependencies

Bundler is the de facto standard for managing Ruby application dependencies. Developers specify required dependencies and their versions in Gemfile, and Bundler automatically resolves the dependencies and prepares the environment for the application to run in. Bundler freezes the exact versions of dependencies in Gemfile.lock; whenever this file is present, the dependency resolution step is skipped and the exact gem versions from Gemfile.lock are installed.
Freezing versions of dependencies has a security impact. If a dependency is vulnerable and a new version contains the fix, Gemfile.lock has to be updated. Detection of outdated versions of dependencies is something that can be automated, and several gems help with this using information provided by rubysec-db.
The Rubysec project maintains rubysec-db, a database of all security advisories related to Ruby libraries. This database covers most of the popular gems and provides data to identify vulnerable and patched versions of dependencies.
bundler-audit is a gem maintained by the Rubysec project that automatically scans Gemfile.lock and reports any unpatched dependencies or insecure sources.
gemsurance also works on top of rubysec-db. Unlike bundler-audit, it outputs an HTML report and lists outdated gems as well. Another useful feature is the possibility to integrate the check with RSpec and make your tests fail whenever a vulnerable dependency is detected.
Other gems or services that provide similar functionality include HolePicker and gemcanary.
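To make concrete what such a check does, the following is an added example (not code from this guide, nor from bundler-audit, gemsurance or rubysec-db). It parses a constructed Gemfile.lock, compares each pinned version against a constructed list of advisories whose `patched_versions` ranges are placeholders modelled on the shape of rubysec-db entries, and flags both unpatched gems and non-TLS gem sources, using only `Gem::Version` and `Gem::Requirement` from Ruby's standard RubyGems library. The `audit` function returns the findings as an array, so the same call can be dropped into an RSpec example and asserted empty to fail the build.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Constructed sample Gemfile.lock for this example; not a real project's lockfile.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    remote: http://insecure.example/
    specs:
      rack (1.4.5)
      rails (3.2.13)
        rack (~> 1.4.5)
      nokogiri (1.6.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
    rails
LOCK

# Constructed advisory entries. Identifiers and version ranges are placeholders
# that only mirror the shape of rubysec-db data (gem name, advisory id, and the
# version ranges that contain the fix); they are not real advisories.
SAMPLE_ADVISORIES = [
  { gem: "rack",     id: "EXAMPLE-ADV-0001", patched_versions: ["~> 1.4.6", ">= 1.5.2"] },
  { gem: "rails",    id: "EXAMPLE-ADV-0002", patched_versions: [">= 3.2.14"] },
  { gem: "nokogiri", id: "EXAMPLE-ADV-0003", patched_versions: [">= 1.5.0"] },
]

# Extract the pinned gems from the "specs:" section of a lockfile.
# Top-level entries are indented by exactly four spaces; the deeper-indented
# lines beneath them are a gem's own dependency requirements, not pinned versions.
def parse_lockfile(text)
  gems = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /^  specs:/
      in_specs = true
      next
    end
    in_specs = false if line =~ /^\S/ # a new top-level section (PLATFORMS, DEPENDENCIES)
    next unless in_specs
    gems[$1] = Gem::Version.new($2) if line =~ /^    (\S+) \(([^)]+)\)\s*$/
  end
  gems
end

# Every "remote:" source that is not fetched over TLS.
def insecure_sources(text)
  text.scan(/^\s*remote: (\S+)/).flatten.reject { |url| url.start_with?("https://") }
end

# A pinned version is vulnerable when it satisfies none of the patched ranges.
def vulnerable?(version, patched_versions)
  patched_versions.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Returns one finding string per advisory that applies to a pinned gem.
def audit(lockfile_text, advisories)
  gems = parse_lockfile(lockfile_text)
  advisories.select { |adv| gems.key?(adv[:gem]) && vulnerable?(gems[adv[:gem]], adv[:patched_versions]) }
            .map    { |adv| "#{adv[:gem]} #{gems[adv[:gem]]}: #{adv[:id]}" }
end

if $PROGRAM_NAME == __FILE__
  puts "Unpatched gems:"
  audit(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES).each { |f| puts "  #{f}" }
  puts "Insecure sources: #{insecure_sources(SAMPLE_LOCKFILE).inspect}"
end
```

Run against the embedded sample, `audit` reports rack and rails as unpatched and leaves nokogiri alone, while `insecure_sources` reports the plain-HTTP remote. In an RSpec suite the check reduces to `expect(audit(File.read("Gemfile.lock"), advisories)).to be_empty`, which is the same effect gemsurance's RSpec integration gives you.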

Important

It is highly recommended to set up automated checks for outdated dependencies.