bundle-safe-update 1.0.14

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 92790321156e4545484b954c3f7f0b011172948695a3b7bc7ca74ca0917a3e80
+  data.tar.gz: 2616e43947f8e60e1a5ef20b261724edd0fa63637e31db95a5ba37efa8182700
+SHA512:
+  metadata.gz: 3cb9bdd4de67e98f238653e60d78552d23e454f3e75fcc654954fd1f65bd328e54b7d9376beead9cb9b2135e4eedc9b70fce2401776929f7715482b34ecc97ed
+  data.tar.gz: 4c6ecef10d7c4cdb566d502a52d097b2e99d5d60119f13e752aabe7634acf0235f915969a522152ea9de3db48cb57877b9aacb022604e3ea0405ce0d31285b64

data/CLAUDE.md

@@ -0,0 +1,4 @@
+# Agents Instructions
+
+# currentDate
+Today's date is 2026-02-17.

data/Gemfile

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+gemspec
+
+gem 'irb'
+gem 'rake', '~> 13.0'
+gem 'rspec', '~> 3.0'
+gem 'rubocop', '~> 1.21'
+gem 'webmock', '~> 3.0'

data/Gemfile.lock

@@ -0,0 +1,145 @@
+PATH
+  remote: .
+  specs:
+    bundle-safe-update (1.0.14)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.8.8)
+      public_suffix (>= 2.0.2, < 8.0)
+    ast (2.4.3)
+    bigdecimal (3.3.1)
+    crack (1.0.1)
+      bigdecimal
+      rexml
+    date (3.5.1)
+    diff-lcs (1.6.2)
+    erb (6.0.0)
+    hashdiff (1.2.1)
+    io-console (0.8.1)
+    irb (1.15.3)
+      pp (>= 0.6.0)
+      rdoc (>= 4.0.0)
+      reline (>= 0.4.2)
+    json (2.18.0)
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
+    parallel (1.27.0)
+    parser (3.3.10.0)
+      ast (~> 2.4.1)
+      racc
+    pp (0.6.3)
+      prettyprint
+    prettyprint (0.2.0)
+    prism (1.6.0)
+    psych (5.3.0)
+      date
+      stringio
+    public_suffix (7.0.0)
+    racc (1.8.1)
+    rainbow (3.1.1)
+    rake (13.3.1)
+    rdoc (6.17.0)
+      erb
+      psych (>= 4.0.0)
+      tsort
+    regexp_parser (2.11.3)
+    reline (0.6.3)
+      io-console (~> 0.5)
+    rexml (3.4.4)
+    rspec (3.13.2)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.6)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.5)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.7)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.6)
+    rubocop (1.81.7)
+      json (~> 2.3)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
+      parallel (~> 1.10)
+      parser (>= 3.3.0.2)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.47.1, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.48.0)
+      parser (>= 3.3.7.2)
+      prism (~> 1.4)
+    ruby-progressbar (1.13.0)
+    stringio (3.1.9)
+    tsort (0.2.0)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.1.0)
+    webmock (3.26.1)
+      addressable (>= 2.8.0)
+      crack (>= 0.3.2)
+      hashdiff (>= 0.4.0, < 2.0.0)
+
+PLATFORMS
+  arm64-darwin-23
+  ruby
+
+DEPENDENCIES
+  bundle-safe-update!
+  irb
+  rake (~> 13.0)
+  rspec (~> 3.0)
+  rubocop (~> 1.21)
+  webmock (~> 3.0)
+
+CHECKSUMS
+  addressable (2.8.8) sha256=7c13b8f9536cf6364c03b9d417c19986019e28f7c00ac8132da4eb0fe393b057
+  ast (2.4.3) sha256=954615157c1d6a382bc27d690d973195e79db7f55e9765ac7c481c60bdb4d383
+  bigdecimal (3.3.1) sha256=eaa01e228be54c4f9f53bf3cc34fe3d5e845c31963e7fcc5bedb05a4e7d52218
+  bundle-safe-update (1.0.14)
+  crack (1.0.1) sha256=ff4a10390cd31d66440b7524eb1841874db86201d5b70032028553130b6d4c7e
+  date (3.5.1) sha256=750d06384d7b9c15d562c76291407d89e368dda4d4fff957eb94962d325a0dc0
+  diff-lcs (1.6.2) sha256=9ae0d2cba7d4df3075fe8cd8602a8604993efc0dfa934cff568969efb1909962
+  erb (6.0.0) sha256=2730893f9d8c9733f16cab315a4e4b71c1afa9cabc1a1e7ad1403feba8f52579
+  hashdiff (1.2.1) sha256=9c079dbc513dfc8833ab59c0c2d8f230fa28499cc5efb4b8dd276cf931457cd1
+  io-console (0.8.1) sha256=1e15440a6b2f67b6ea496df7c474ed62c860ad11237f29b3bd187f054b925fcb
+  irb (1.15.3) sha256=4349edff1efa7ff7bfd34cb9df74a133a588ba88c2718098b3b4468b81184aaa
+  json (2.18.0) sha256=b10506aee4183f5cf49e0efc48073d7b75843ce3782c68dbeb763351c08fd505
+  language_server-protocol (3.17.0.5) sha256=fd1e39a51a28bf3eec959379985a72e296e9f9acfce46f6a79d31ca8760803cc
+  lint_roller (1.1.0) sha256=2c0c845b632a7d172cb849cc90c1bce937a28c5c8ccccb50dfd46a485003cc87
+  parallel (1.27.0) sha256=4ac151e1806b755fb4e2dc2332cbf0e54f2e24ba821ff2d3dcf86bf6dc4ae130
+  parser (3.3.10.0) sha256=ce3587fa5cc55a88c4ba5b2b37621b3329aadf5728f9eafa36bbd121462aabd6
+  pp (0.6.3) sha256=2951d514450b93ccfeb1df7d021cae0da16e0a7f95ee1e2273719669d0ab9df6
+  prettyprint (0.2.0) sha256=2bc9e15581a94742064a3cc8b0fb9d45aae3d03a1baa6ef80922627a0766f193
+  prism (1.6.0) sha256=bfc0281a81718c4872346bc858dc84abd3a60cae78336c65ad35c8fbff641c6b
+  psych (5.3.0) sha256=8976a41ae29ea38c88356e862629345290347e3bfe27caf654f7c5a920e95eeb
+  public_suffix (7.0.0) sha256=f7090b5beb0e56f9f10d79eed4d5fbe551b3b425da65877e075dad47a6a1b095
+  racc (1.8.1) sha256=4a7f6929691dbec8b5209a0b373bc2614882b55fc5d2e447a21aaa691303d62f
+  rainbow (3.1.1) sha256=039491aa3a89f42efa1d6dec2fc4e62ede96eb6acd95e52f1ad581182b79bc6a
+  rake (13.3.1) sha256=8c9e89d09f66a26a01264e7e3480ec0607f0c497a861ef16063604b1b08eb19c
+  rdoc (6.17.0) sha256=0f50d4e568fc98195f9bb155a9e8dff6c7feabfb515fb22ef6df1d12ad5a02b7
+  regexp_parser (2.11.3) sha256=ca13f381a173b7a93450e53459075c9b76a10433caadcb2f1180f2c741fc55a4
+  reline (0.6.3) sha256=1198b04973565b36ec0f11542ab3f5cfeeec34823f4e54cebde90968092b1835
+  rexml (3.4.4) sha256=19e0a2c3425dfbf2d4fc1189747bdb2f849b6c5e74180401b15734bc97b5d142
+  rspec (3.13.2) sha256=206284a08ad798e61f86d7ca3e376718d52c0bc944626b2349266f239f820587
+  rspec-core (3.13.6) sha256=a8823c6411667b60a8bca135364351dda34cd55e44ff94c4be4633b37d828b2d
+  rspec-expectations (3.13.5) sha256=33a4d3a1d95060aea4c94e9f237030a8f9eae5615e9bd85718fe3a09e4b58836
+  rspec-mocks (3.13.7) sha256=0979034e64b1d7a838aaaddf12bf065ea4dc40ef3d4c39f01f93ae2c66c62b1c
+  rspec-support (3.13.6) sha256=2e8de3702427eab064c9352fe74488cc12a1bfae887ad8b91cba480ec9f8afb2
+  rubocop (1.81.7) sha256=6fb5cc298c731691e2a414fe0041a13eb1beed7bab23aec131da1bcc527af094
+  rubocop-ast (1.48.0) sha256=22df9bbf3f7a6eccde0fad54e68547ae1e2a704bf8719e7c83813a99c05d2e76
+  ruby-progressbar (1.13.0) sha256=80fc9c47a9b640d6834e0dc7b3c94c9df37f08cb072b7761e4a71e22cff29b33
+  stringio (3.1.9) sha256=c111af13d3a73eab96a3bc2655ecf93788d13d28cb8e25c1dcbff89ace885121
+  tsort (0.2.0) sha256=9650a793f6859a43b6641671278f79cfead60ac714148aabe4e3f0060480089f
+  unicode-display_width (3.2.0) sha256=0cdd96b5681a5949cdbc2c55e7b420facae74c4aaf9a9815eee1087cb1853c42
+  unicode-emoji (4.1.0) sha256=4997d2d5df1ed4252f4830a9b6e86f932e2013fbff2182a9ce9ccabda4f325a5
+  webmock (3.26.1) sha256=4f696fb57c90a827c20aadb2d4f9058bbff10f7f043bd0d4c3f58791143b1cd7
+
+BUNDLED WITH
+  4.0.0.beta1

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2025 Denis Sablic
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,314 @@
+# bundle-safe-update
+
+A CLI tool that enforces a minimum release age for Ruby gems during updates, preventing installation of gem versions that are "too new" (e.g., less than 14 days old). This helps protect against supply chain attacks by ensuring gems have had time for community review.
+
+## Installation
+
+```sh
+gem install bundle-safe-update
+```
+
+Or add to your Gemfile:
+
+```ruby
+gem 'bundle-safe-update', group: :development
+```
+
+## Usage
+
+Run in your project directory:
+
+```sh
+bundle-safe-update [options] [gem1 gem2 ...]
+```
+
+Check all outdated gems:
+
+```sh
+bundle-safe-update
+```
+
+Check and update specific gems:
+
+```sh
+bundle-safe-update rails sidekiq
+```
+
+### CLI Options
+
+| Option | Description |
+|--------|-------------|
+| `--config PATH` | Path to config file |
+| `--cooldown DAYS` | Minimum age in days (overrides config) |
+| `--update` | Update gems that pass the cooldown check |
+| `--warn-only` | Report violations but exit with success |
+| `--no-audit` | Skip vulnerability audit |
+| `--no-risk` | Skip risk signal checking |
+| `--refresh-cache` | Refresh owner cache without warnings |
+| `--json` | Output in JSON format for CI systems |
+| `--verbose` | Enable verbose output |
+| `--dry-run` | Show configuration without checking |
+| `-v, --version` | Show version |
+| `-h, --help` | Show help |
+
+### Example Output
+
+Human-readable output:
+
+```
+Checking gem versions...
+OK: rails (7.1.3.2) - satisfies minimum age (42 days)
+BLOCKED: nokogiri (1.16.4) - published 3 days ago (< 14 required)
+
+1 gem(s) violate minimum release age
+```
+
+JSON output (`--json`):
+
+```json
+{
+  "ok": false,
+  "cooldown_days": 14,
+  "checked": 2,
+  "blocked": [
+    { "name": "nokogiri", "version": "1.16.4", "age_days": 3 }
+  ]
+}
+```
+
+### Updating Safe Gems
+
+By default, `bundle-safe-update` only checks gems and reports results. Use `--update` to automatically update gems that pass the cooldown check:
+
+```sh
+bundle-safe-update --update
+```
+
+Example output:
+
+```
+OK: rails (7.1.3.2) - satisfies minimum age
+BLOCKED: nokogiri (1.16.4) - published 3 days ago (< 14 required)
+
+1 gem(s) violate minimum release age
+
+Updating 1 gem(s): rails
+Running: bundle update rails
+Bundle updated successfully.
+
+Skipped 1 blocked gem(s): nokogiri
+```
+
+### Updating Specific Gems
+
+To check and update specific gems, pass their names as arguments:
+
+```sh
+bundle-safe-update --update rails sidekiq
+```
+
+Only the specified gems are checked and updated if they pass the cooldown check. Without `--update`, specific gems are checked but not updated:
+
+```sh
+bundle-safe-update rails sidekiq
+```
+
+### Vulnerability Auditing
+
+By default, bundle-safe-update runs `bundle audit` to check for known security vulnerabilities. This requires the `bundler-audit` gem to be installed:
+
+```sh
+gem install bundler-audit
+```
+
+If `bundler-audit` is not installed, a warning is displayed but the check continues. The audit database is automatically updated before each check.
+
+Example output with vulnerabilities:
+
+```
+OK: rails (7.1.3.2) - satisfies minimum age
+
+Checking for vulnerabilities...
+VULNERABLE: actionpack (CVE-2024-1234) - Possible XSS vulnerability
+  Solution: upgrade to >= 7.0.8.1
+
+1 vulnerability(ies) found
+```
+
+To skip the audit check, use `--no-audit` or set `audit: false` in config.
+
+### Risk Intelligence
+
+Bundle-safe-update analyzes gems for risk signals that may indicate supply chain threats:
+
+| Signal | Description | Default Threshold |
+|--------|-------------|-------------------|
+| Low downloads | Gems with very few total downloads | < 1,000 |
+| Stale gem | Gems not updated recently | > 3 years |
+| New owner | Gems with recent ownership changes | Ownership changed since last run |
+| Version jump | Major version bumps | Any major bump |
+
+Example output with risk warnings:
+
+```
+OK: rails (7.1.3.2) - satisfies minimum age
+
+Risk signals:
+WARNING: tiny-lib (2.0.0) - low downloads (847 total)
+WARNING: old-parser (1.5.0) - stale gem (last release 4.2 years ago)
+BLOCKED: some-gem (5.0.0) - major version jump (was 2.3.1)
+
+1 gem(s) blocked by risk signals
+2 risk warning(s)
+```
+
+Each signal can be set to `warn` (default), `block`, or `off`:
+
+```yaml
+risk_signals:
+  low_downloads:
+    mode: warn           # off | warn | block
+    threshold: 1000      # minimum total downloads
+
+  stale_gem:
+    mode: warn
+    threshold_years: 3   # years since last release
+
+  new_owner:
+    mode: block          # block on ownership changes
+    threshold_days: 90   # (reserved for future use)
+
+  version_jump:
+    mode: warn
+```
+
+Owner changes are detected by caching gem owners locally (`.bundle/bundle-safe-update-cache.yml`). On first run, no warnings are generated - owners are just cached. Subsequent runs detect changes.
+
+Use `--refresh-cache` to rebuild the cache without triggering warnings (useful after intentional ownership changes). Use `--no-risk` to skip risk checking entirely.
+
+## Configuration
+
+Create `.bundle-safe-update.yml` in your project root or home directory:
+
+```yaml
+# Minimum age in days for gem versions (default: 14)
+cooldown_days: 14
+
+# Gems to ignore completely (e.g., internal gems)
+ignore_gems:
+  - rails
+  - sidekiq
+
+# Prefixes to ignore (e.g., company gems)
+ignore_prefixes:
+  - mycompany-
+  - internal-
+
+# Trust gems from specific sources (skip cooldown check)
+# Useful for private gem servers where gems are already vetted
+trusted_sources:
+  - gems.mycompany.com
+  - gemserver.internal.example.com
+
+# Trust gems by RubyGems owner/publisher (skip cooldown check)
+# Useful for well-known publishers like AWS, Google, etc.
+trusted_owners:
+  - awscloud  # AWS SDK gems
+
+# Automatically update gems that pass the cooldown check (default: false)
+update: false
+
+# Run vulnerability audit with bundler-audit (default: true)
+audit: true
+
+# Report violations but always exit with success (default: false)
+warn_only: false
+
+# Enable verbose output
+verbose: false
+```
+
+### Trusted Sources
+
+Gems from trusted sources skip the cooldown check entirely. The source is determined by parsing `Gemfile.lock`. This is useful for:
+
+- Private gem servers (Cloudsmith, Gemfury, self-hosted)
+- Internal gems that are already vetted by your organization
+
+Example output for trusted gems:
+```
+OK: mycompany-auth (1.2.0) - trusted source
+```
+
+### Trusted Owners
+
+Gems owned by trusted RubyGems users skip the cooldown check. The owner is fetched from the RubyGems API. This is useful for:
+
+- Well-known publishers (AWS, Google, Rails core team, etc.)
+- Organizations with strong security practices
+
+Example output for trusted owner gems:
+```
+OK: aws-sdk-s3 (1.180.0) - trusted owner
+```
+
+To find a gem's owner, visit `https://rubygems.org/gems/{gem_name}` and look at the "Owners" section, or use:
+```sh
+curl https://rubygems.org/api/v1/gems/{gem_name}/owners.json
+```
+
+### Config Resolution Order
+
+1. CLI flags (highest priority)
+2. Project `.bundle-safe-update.yml`
+3. Home directory `~/.bundle-safe-update.yml`
+4. Built-in defaults
+
+## Exit Codes
+
+| Code | Meaning |
+|------|---------|
+| 0 | All checks passed |
+| 1 | Blocked by cooldown, risk signals, or vulnerabilities |
+| 2 | Unexpected error |
+
+## CI Integration
+
+### AWS CodeBuild
+
+```yaml
+version: 0.2
+phases:
+  install:
+    commands:
+      - gem install bundle-safe-update
+  build:
+    commands:
+      - bundle-safe-update --json
+```
+
+### GitHub Actions
+
+```yaml
+- name: Check gem versions
+  run: |
+    gem install bundle-safe-update
+    bundle-safe-update --json
+```
+
+## Development
+
+```sh
+# Install dependencies
+bundle install
+
+# Run tests
+bundle exec rspec
+
+# Run linter
+bundle exec rubocop
+```
+
+## License
+
+MIT License. See [LICENSE.txt](LICENSE.txt).

data/Rakefile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+require 'rubocop/rake_task'
+
+RuboCop::RakeTask.new
+
+task default: %i[spec rubocop]

data/bin/console

@@ -0,0 +1,11 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'bundler/setup'
+require 'bundle_safe_update'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+require 'irb'
+IRB.start(__FILE__)

data/bin/install-hooks

@@ -0,0 +1,42 @@
+#!/bin/bash
+# Install git hooks for bundle-safe-update development
+
+set -e
+
+HOOKS_DIR=".git/hooks"
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PROJECT_DIR="$(dirname "$SCRIPT_DIR")"
+
+if [ ! -d "$PROJECT_DIR/.git" ]; then
+  echo "Error: Not a git repository"
+  exit 1
+fi
+
+# Create post-commit hook
+cat > "$HOOKS_DIR/post-commit" << 'EOF'
+#!/bin/bash
+# Auto-tag when version.rb changes
+
+VERSION_FILE="lib/bundle_safe_update/version.rb"
+
+# Check if version.rb was in the commit
+if git diff-tree --no-commit-id --name-only -r HEAD | grep -q "$VERSION_FILE"; then
+  VERSION=$(grep -o "VERSION = '[^']*'" "$VERSION_FILE" | cut -d"'" -f2)
+  TAG="v$VERSION"
+
+  if [ -z "$VERSION" ]; then
+    echo "Warning: Could not extract version from $VERSION_FILE"
+    exit 0
+  fi
+
+  if ! git tag | grep -q "^$TAG$"; then
+    git tag "$TAG"
+    git push origin "$TAG"
+    echo "Tagged and pushed $TAG"
+  fi
+fi
+EOF
+
+chmod +x "$HOOKS_DIR/post-commit"
+
+echo "Installed post-commit hook"

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/bundle-safe-update.gemspec

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require_relative 'lib/bundle_safe_update/version'
+
+Gem::Specification.new do |spec|
+  spec.name = 'bundle-safe-update'
+  spec.version = BundleSafeUpdate::VERSION
+  spec.authors = ['Denis Sablic']
+  spec.email = ['denis.sablic@gmail.com']
+
+  spec.summary = 'Enforce minimum release age for Ruby gems during updates'
+  spec.description = 'A CLI tool that prevents installation of gem versions ' \
+                     'that are too new (e.g., <14 days old), helping protect ' \
+                     'against supply chain attacks.'
+  spec.homepage = 'https://github.com/dsablic/bundle-safe-update'
+  spec.license = 'MIT'
+  spec.required_ruby_version = '>= 3.2.0'
+  spec.metadata['rubygems_mfa_required'] = 'true'
+  spec.metadata['source_code_uri'] = 'https://github.com/dsablic/bundle-safe-update'
+  spec.metadata['changelog_uri'] = 'https://github.com/dsablic/bundle-safe-update/releases'
+
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      f.start_with?('spec/', '.git', '.rspec', '.rubocop', 'TODO.md')
+    end
+  end
+  spec.bindir = 'exe'
+  spec.executables = ['bundle-safe-update']
+  spec.require_paths = ['lib']
+end

data/exe/bundle-safe-update

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'bundle_safe_update'
+
+exit(BundleSafeUpdate::CLI.run(ARGV))