bundle-patch 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4e963f237bf1d991d0654cc32c1b70cecc98029e3a553cd0b5aeeb183aeac80c
-  data.tar.gz: f84762b82d02ff168f56b82de3ea4680eac772f8f937caace1f5be38ea70e59a
+  metadata.gz: e0903e6a807f6bdab47f3b7b4872424fd5bad54c4c84b66033c2d398f793dbb5
+  data.tar.gz: b9956c73baf2f0fe592b348af500641e00f540faeb00c91f00d35fe5cfa4c432
 SHA512:
-  metadata.gz: cbf5c83c3e1e2a4ac162203cc06a9ed04e8eb0bac24f4afa2ef5dc024c85ef6bd6a66cae6b846c2880dc3921cbfdbe6913e0ba7963541a33bfc5634f0f7c9c5f
-  data.tar.gz: fae818ce5b5bc0cf74a095911beeee2d80edac1b474fbad89c0d12c4d08aca50407a587d9fc5ec763e805b8fa9c10b1f618cd7c42bc927e9882d0602b34e7183
+  metadata.gz: 6bb2038b986f0552bfaa5b7c3ec5f205ba590ecd9e3940270e535a88ab790a9a4374ce6c24298f0024dc6e96c53eecbc9a99d6608e662386e960cc2e64b88d7b
+  data.tar.gz: 1cf395cc171ff075e7665db75d2196638e2cdb17867c6cdf68c565ac9e00419afd538f5ac7739d63e348143a5d36af840a6a27768e08ce38735e836461ca7107

data/README.md

@@ -14,17 +14,56 @@ It parses audit output, finds the **best patchable version** for each vulnerable
 - Supports patch/minor/major upgrade strategies
 - Handles indirect dependencies by explicitly adding them
 - Has a dry-run mode
+- Creates backup of your Gemfile before changes
 
 ---
 
-## 💡 Example
+## 📋 Requirements
+
+- Ruby 2.6 or later
+- Bundler installed
+- bundler-audit installed (will be installed automatically if missing)
+
+---
+
+## 📦 Installation
+
+Add this gem to your system:
 
 ```bash
-bundle-patch --mode=minor
+gem install bundle-patch
 ```
 
-Example output
+Or add it to your project's Gemfile for use in development:
 
+```ruby
+# Gemfile
+group :development do
+  gem 'bundle-patch'
+end
+```
+
+And then:
+
+```bash
+bundle install
+```
+
+---
+
+## 💡 Examples
+
+### Basic Usage
+```bash
+bundle-patch
+```
+This will run in patch mode (default) and update only patch versions.
+
+### Minor Version Updates
+```bash
+bundle-patch --mode=minor
+```
+Example output:
 ```
 🔍 Running `bundle-audit check --format json`...
 🔒 Found 2 vulnerabilities:
@@ -40,43 +79,77 @@ Example output
 ✅ bundle install completed successfully
 ```
 
-## ⚙️ Options
-
-| Option                  | Description                                                               |
-| ----------------------- | ------------------------------------------------------------------------- |
-| `--mode=patch`          | Only allow patch-level updates (default)                                  |
-| `--mode=minor`          | Allow minor version updates                                               |
-| `--mode=all`            | Allow all updates including major versions                                |
-| `--dry-run`             | Only print what would be changed, don’t touch the Gemfile or install gems |
-| `--skip_bundle_install` | Modify the Gemfile, but skip `bundle install`                             |
-
-## 📦 Installation
-
-Add this gem to your system:
-
+### Dry Run Mode
 ```bash
-gem install bundle-patch
+bundle-patch --dry-run
 ```
+This will show what would be changed without making any actual changes.
 
-Or add it to your project's Gemfile for use in development:
+### Skip Bundle Install
+```bash
+bundle-patch --skip-bundle-install
+```
+This will update the Gemfile but skip running `bundle install`.
 
+### Major Version Updates
 ```bash
-# Gemfile
-group :development do
-  gem 'bundle-patch'
-end
+bundle-patch --mode=all
 ```
+This will allow updates to any version that fixes the vulnerability.
 
-And then:
+---
 
-```
-bundle install
-```
+## ⚙️ Options
+
+| Option                  | Description                                                               | Default |
+| ----------------------- | ------------------------------------------------------------------------- | ------- |
+| `--mode=patch`          | Only allow patch-level updates (e.g., 1.0.0 → 1.0.1)                     | ✓       |
+| `--mode=minor`          | Allow minor version updates (e.g., 1.0.0 → 1.1.0)                        |         |
+| `--mode=all`            | Allow all updates including major versions (e.g., 1.0.0 → 2.0.0)         |         |
+| `--dry-run`             | Only print what would be changed, don't touch the Gemfile or install gems | false   |
+| `--skip-bundle-install` | Modify the Gemfile, but skip `bundle install`                             | false   |
+
+---
 
 ## 🧼 How it works
 
 1. Runs `bundle audit check --format json`
 2. Groups advisories by gem
 3. Determines the best patchable version for each gem based on `--mode`
-4. Ensures the gem is either updated or explicitly added to the `Gemfile`
-5. Optionally runs `bundle install` (unless `--skip_bundle_install` or `--dry-run` is used)
+4. Creates a backup of your Gemfile (Gemfile.bak)
+5. Ensures the gem is either updated or explicitly added to the `Gemfile`
+6. Optionally runs `bundle install` (unless `--skip-bundle-install` or `--dry-run` is used)
+
+---
+
+## 🔍 Troubleshooting
+
+### Bundle Install Fails
+If `bundle install` fails after updating:
+1. Check the error message
+2. You can revert to the backup: `cp Gemfile.bak Gemfile`
+3. Try running `bundle install` manually to see more detailed errors
+
+### Gem Can't Be Patched
+If a gem can't be patched in your chosen mode:
+1. Try running with `--mode=all` to see all possible updates
+2. Check if there are any version conflicts in your Gemfile
+3. Consider manually updating the gem to a specific version
+
+### Security Considerations
+- Always review the changes made to your Gemfile
+- Test your application after applying updates
+- Consider running your test suite after updates
+- Check the changelog of updated gems for breaking changes
+
+---
+
+## 🤝 Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/yourusername/bundle-patch.
+
+---
+
+## 📄 License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/lib/bundle/patch/version.rb

@@ -2,6 +2,6 @@
 
 module Bundle
   module Patch
-    VERSION = "0.3.0"
+    VERSION = "0.4.0"
   end
 end

data/lib/bundle/patch.rb

@@ -2,7 +2,6 @@
 # frozen_string_literal: true
 
 require_relative "patch/version"
-require_relative "patch/bundler_audit_installer"
 require_relative "patch/audit/parser"
 require_relative "patch/gemfile_editor"
 require_relative "patch/gemfile_updater"
@@ -11,7 +10,6 @@ require_relative "patch/config"
 module Bundle
   module Patch
     def self.start(config = Config.new)
-      BundlerAuditInstaller.ensure_installed!
       advisories = Audit::Parser.run
 
       if advisories.empty?
@@ -23,34 +21,16 @@ module Bundle
       patchable = []
 
       advisories.group_by { |adv| adv.to_h.dig("gem", "name") }.each do |name, gem_advisories|
-        current = gem_advisories.first.to_h.dig("gem", "version")
-        current_version = Gem::Version.new(current)
-
-        # Collect all requirements from advisories
-        all_requirements = gem_advisories.flat_map do |adv|
-          adv.to_h.dig("advisory", "patched_versions").map do |req|
-            Gem::Requirement.new(req) rescue nil
-          end
-        end.compact
-
-        # Find versions that satisfy all requirements
-        candidate_versions = all_requirements
-          .map { |req| best_version_matching(req) }
-          .compact
-          .uniq
-          .select { |v| config.allow_update?(current_version, v) }
-          .sort
-
-        if candidate_versions.any?
-          best_patch = candidate_versions.first
+        result = process_gem_advisories(name, gem_advisories, config)
+        
+        if result
           title_list = gem_advisories.map { |a| a.to_h.dig("advisory", "title") }.uniq
-          puts "- #{name} (#{current}):"
+          puts "- #{name} (#{gem_advisories.first.to_h.dig("gem", "version")}):"
           title_list.each { |t| puts "  • #{t}" }
-          puts "  ✅ Patchable → #{best_patch}"
-
-          patchable << { "name" => name, "required_version" => best_patch.to_s }
+          puts "  ✅ Patchable → #{result[:required_version]}"
+          patchable << { "name" => name, "required_version" => result[:required_version] }
         else
-          puts "- #{name} (#{current}):"
+          puts "- #{name} (#{gem_advisories.first.to_h.dig("gem", "version")}):"
           gem_advisories.each do |adv|
             puts "  • #{adv.to_h.dig("advisory", "title")}"
           end
@@ -79,9 +59,49 @@ module Bundle
       end
     end
 
-    def self.best_version_matching(req)
-      # Approximate best patch version using upper bound from requirement
-      req.requirements.map { |_, v| v }.compact.min rescue nil
+    def self.process_gem_advisories(name, advisories, config)
+      current = advisories.first.to_h.dig("gem", "version")
+      current_version = Gem::Version.new(current)
+
+      # Collect all requirements from advisories
+      all_requirements = advisories.flat_map do |adv|
+        adv.to_h.dig("advisory", "patched_versions").map do |req|
+          Gem::Requirement.new(req) rescue nil
+        end
+      end.compact
+
+      # Find versions that satisfy all requirements
+      candidate_versions = all_requirements
+        .flat_map { |req| versions_satisfying(req) }
+        .compact
+        .uniq
+        .select { |v| config.allow_update?(current_version, v) }
+        .sort
+
+      if candidate_versions.any?
+        {
+          name: name,
+          required_version: candidate_versions.last.to_s
+        }
+      end
+    end
+
+    def self.versions_satisfying(req)
+      # Get all versions that satisfy the requirement
+      req.requirements.map do |op, version|
+        case op
+        when ">="
+          # For >= requirements, we need to find all versions >= this version
+          # We'll approximate by using the version itself
+          version
+        when "~>"
+          # For ~> requirements, we need to find all versions in the range
+          # We'll approximate by using the upper bound
+          version
+        else
+          version
+        end
+      end.compact
     end
   end
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: bundle-patch
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - rishijain
 bindir: exe
 cert_chain: []
-date: 2025-04-12 00:00:00.000000000 Z
+date: 2025-04-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler-audit
@@ -23,6 +23,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.9'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
 description: bundle-patch is a CLI tool that detects vulnerable gems in your Gemfile
   and automatically upgrades them to a patchable version based on your configured
   strategy (patch/minor/all). Uses bundler-audit under the hood.
@@ -44,7 +58,6 @@ files:
 - lib/bundle/patch.rb
 - lib/bundle/patch/audit/advisory.rb
 - lib/bundle/patch/audit/parser.rb
-- lib/bundle/patch/bundler_audit_installer.rb
 - lib/bundle/patch/config.rb
 - lib/bundle/patch/gemfile_editor.rb
 - lib/bundle/patch/gemfile_updater.rb

data/lib/bundle/patch/bundler_audit_installer.rb

@@ -1,16 +0,0 @@
-module Bundle
-  module Patch
-    class BundlerAuditInstaller
-      def self.ensure_installed!
-        return if system("bundle-audit --version > /dev/null 2>&1")
-
-        puts "🔍 bundler-audit not found. Installing..."
-        success = system("gem install bundler-audit")
-
-        unless success
-          abort "❌ Failed to install bundler-audit. Please check your RubyGems setup."
-        end
-      end
-    end
-  end
-end