bundle-safe-update 1.0.14

data/lib/bundle_safe_update/audit_checker.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+require 'bundler'
+require 'open3'
+
+module BundleSafeUpdate
+  class AuditChecker
+    AuditResult = Struct.new(:available, :vulnerabilities, :error, keyword_init: true)
+    Vulnerability = Struct.new(:gem_name, :cve, :title, :solution, keyword_init: true)
+
+    AUDIT_COMMAND = %w[bundle audit check --update].freeze
+
+    def initialize(executor: nil)
+      @executor = executor || method(:execute_command)
+    end
+
+    def check
+      return unavailable_result unless audit_available?
+
+      stdout, stderr, status = @executor.call(AUDIT_COMMAND)
+      parse_result(stdout, stderr, status)
+    end
+
+    def audit_available?
+      Bundler.with_unbundled_env do
+        _stdout, _stderr, status = Open3.capture3('bundle', 'audit', '--version')
+        status.success?
+      end
+    rescue Errno::ENOENT
+      false
+    end
+
+    private
+
+    def execute_command(command)
+      Bundler.with_unbundled_env do
+        Open3.capture3(*command)
+      end
+    end
+
+    def unavailable_result
+      AuditResult.new(available: false, vulnerabilities: [], error: nil)
+    end
+
+    def parse_result(stdout, stderr, status)
+      if status.success?
+        AuditResult.new(available: true, vulnerabilities: [], error: nil)
+      elsif stdout.include?('Vulnerabilities found!')
+        AuditResult.new(available: true, vulnerabilities: parse_vulnerabilities(stdout), error: nil)
+      else
+        AuditResult.new(available: true, vulnerabilities: [], error: stderr.strip)
+      end
+    end
+
+    def parse_vulnerabilities(output)
+      vulnerabilities = []
+      current = {}
+
+      output.each_line do |line|
+        current, completed = parse_vulnerability_line(line, current)
+        vulnerabilities << completed if completed
+      end
+
+      vulnerabilities
+    end
+
+    def parse_vulnerability_line(line, current)
+      key, value = extract_field(line)
+      return [current, nil] unless key
+
+      current[key] = value
+      return [{}, Vulnerability.new(**current)] if key == :solution
+
+      [current, nil]
+    end
+
+    def extract_field(line)
+      case line
+      when /^Name:\s+(.+)$/ then [:gem_name, ::Regexp.last_match(1).strip]
+      when /^CVE:\s+(.+)$/ then [:cve, ::Regexp.last_match(1).strip]
+      when /^Title:\s+(.+)$/ then [:title, ::Regexp.last_match(1).strip]
+      when /^Solution:\s+(.+)$/ then [:solution, ::Regexp.last_match(1).strip]
+      end
+    end
+  end
+end

data/lib/bundle_safe_update/cli/options.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module BundleSafeUpdate
+  class CLI
+    module Options
+      def build_option_parser(options)
+        OptionParser.new do |opts|
+          opts.banner = 'Usage: bundle-safe-update [options] [gem1 gem2 ...]'
+          define_config_options(opts, options)
+          define_output_options(opts, options)
+          define_info_options(opts)
+        end
+      end
+
+      def define_config_options(opts, options)
+        define_basic_config_options(opts, options)
+        define_skip_options(opts, options)
+      end
+
+      def define_basic_config_options(opts, options)
+        opts.on('--config PATH', 'Path to config file') { |path| options[:config] = path }
+        opts.on('--cooldown DAYS', Integer, 'Minimum age in days') { |days| options[:cooldown] = days }
+        opts.on('--update', 'Update gems that pass the cooldown check') { options[:update] = true }
+        opts.on('--lock-only', 'Update Gemfile.lock without installing gems') { options[:lock_only] = true }
+        opts.on('--warn-only', 'Report violations but exit with success') { options[:warn_only] = true }
+        opts.on('--dry-run', 'Show configuration without checking') { options[:dry_run] = true }
+      end
+
+      def define_skip_options(opts, options)
+        opts.on('--no-audit', 'Skip vulnerability audit') { options[:audit] = false }
+        opts.on('--no-risk', 'Skip risk signal checking') { options[:risk] = false }
+        opts.on('--refresh-cache', 'Refresh owner cache without warnings') { options[:refresh_cache] = true }
+      end
+
+      def define_output_options(opts, options)
+        opts.on('--json', 'Output in JSON format') { options[:json] = true }
+        opts.on('--verbose', 'Enable verbose output') { options[:verbose] = true }
+      end
+
+      def define_info_options(opts)
+        opts.on('-v', '--version', 'Show version') do
+          puts("bundle-safe-update #{VERSION}")
+          exit(EXIT_SUCCESS)
+        end
+        opts.on('-h', '--help', 'Show this help') do
+          puts(opts)
+          exit(EXIT_SUCCESS)
+        end
+      end
+    end
+  end
+end

data/lib/bundle_safe_update/cli/output.rb

@@ -0,0 +1,155 @@
+# frozen_string_literal: true
+
+module BundleSafeUpdate
+  class CLI
+    module Output
+      def dry_run_output(config)
+        puts('Configuration (dry-run):')
+        config_lines(config).each { |line| puts(line) }
+      end
+
+      def config_lines(config)
+        config_values(config).map { |label, value| "  #{label}: #{value}" }
+      end
+
+      def config_values(config)
+        { 'Cooldown days' => config.cooldown_days, 'Ignored gems' => format_list(config.ignore_gems),
+          'Ignored prefixes' => format_list(config.ignore_prefixes),
+          'Trusted sources' => format_list(config.trusted_sources),
+          'Trusted owners' => format_list(config.trusted_owners), 'Max threads' => config.max_threads,
+          'Audit' => config.audit, 'Update' => config.update, 'Lock only' => config.lock_only,
+          'Warn only' => config.warn_only,
+          'Verbose' => config.verbose }
+      end
+
+      def format_list(items)
+        items.empty? ? '(none)' : items.join(', ')
+      end
+
+      def output_json(results, blocked, config)
+        puts(JSON.pretty_generate(build_json_output(results, blocked, config)))
+      end
+
+      def build_json_output(results, blocked, config)
+        {
+          ok: blocked.empty?,
+          cooldown_days: config.cooldown_days,
+          checked: results.length,
+          blocked: blocked.map { |r| { name: r.name, version: r.version, age_days: r.age_days } }
+        }
+      end
+
+      def output_human(results, blocked, config)
+        results.each { |result| print_result(result, config) }
+        print_summary(blocked)
+      end
+
+      def print_result(result, config)
+        if result.allowed
+          puts(green("OK: #{result.name} (#{result.version}) - #{result.reason}"))
+        else
+          puts(yellow("BLOCKED: #{result.name} (#{result.version}) - #{blocked_reason(result, config)}"))
+        end
+      end
+
+      def blocked_reason(result, config)
+        age_info = result.age_days ? "published #{result.age_days} days ago" : result.reason
+        "#{age_info} (< #{config.cooldown_days} required)"
+      end
+
+      def print_summary(blocked)
+        puts
+        if blocked.empty?
+          puts(green('All gem versions satisfy minimum age requirements.'))
+        else
+          puts(yellow("#{blocked.length} gem(s) violate minimum release age"))
+        end
+      end
+
+      def output_audit_result(result)
+        return print_audit_unavailable unless result.available
+        return print_audit_error(result.error) if result.error
+
+        print_audit_results(result.vulnerabilities)
+      end
+
+      def print_audit_unavailable
+        warn(yellow('Warning: bundler-audit not installed. Run: gem install bundler-audit'))
+      end
+
+      def print_audit_error(error)
+        warn(red("Audit error: #{error}"))
+      end
+
+      def print_audit_results(vulnerabilities)
+        puts
+        puts(cyan('Checking for vulnerabilities...'))
+
+        if vulnerabilities.empty?
+          puts(green('No vulnerabilities found.'))
+        else
+          vulnerabilities.each { |v| print_vulnerability(v) }
+          puts
+          puts(yellow("#{vulnerabilities.length} vulnerability(ies) found"))
+        end
+      end
+
+      def print_vulnerability(vuln)
+        puts(red("VULNERABLE: #{vuln.gem_name} (#{vuln.cve}) - #{vuln.title}"))
+        puts("  Solution: #{vuln.solution}") if vuln.solution
+      end
+
+      def output_risk_results(risk_results, options)
+        return if risk_results.empty? || options[:json]
+
+        puts
+        puts(cyan('Risk signals:'))
+        risk_results.each { |result| print_risk_result(result) }
+        print_risk_summary(risk_results)
+      end
+
+      def print_risk_result(result)
+        result.signals.each { |signal| print_risk_signal(result, signal) }
+      end
+
+      def print_risk_signal(result, signal)
+        prefix = signal.mode == 'block' ? red('BLOCKED') : yellow('WARNING')
+        puts("#{prefix}: #{result.gem_name} (#{result.version}) - #{signal.message}")
+      end
+
+      def print_risk_summary(risk_results)
+        warnings = risk_results.sum { |r| r.signals.count { |s| s.mode == 'warn' } }
+        blocks = risk_results.count(&:blocked)
+
+        puts
+        puts(yellow("#{blocks} gem(s) blocked by risk signals")) if blocks.positive?
+        puts(yellow("#{warnings} risk warning(s)")) if warnings.positive?
+      end
+
+      def print_update_start(gem_names, lock_only: false)
+        puts
+        if lock_only
+          puts(cyan("Updating lock file for #{gem_names.length} gem(s): #{gem_names.join(', ')}"))
+          puts(cyan("Running: bundle lock --update #{gem_names.join(' ')}"))
+        else
+          puts(cyan("Updating #{gem_names.length} gem(s): #{gem_names.join(', ')}"))
+          puts(cyan("Running: bundle update #{gem_names.join(' ')}"))
+        end
+      end
+
+      def print_update_result(success)
+        puts(success ? green('Bundle updated successfully.') : red('Bundle update failed.'))
+      end
+
+      def print_skipped(blocked, risk_blocked_names)
+        total_skipped = blocked.length + risk_blocked_names.length
+        return if total_skipped.zero?
+
+        cooldown_names = blocked.map(&:name)
+        all_skipped = (cooldown_names + risk_blocked_names).uniq.join(', ')
+        puts
+        puts(yellow("Skipped #{total_skipped} blocked gem(s): #{all_skipped}"))
+      end
+    end
+  end
+end

data/lib/bundle_safe_update/cli.rb

@@ -0,0 +1,140 @@
+# frozen_string_literal: true
+
+require 'bundler'
+require 'optparse'
+require 'json'
+require_relative 'cli/options'
+require_relative 'cli/output'
+
+module BundleSafeUpdate
+  class CLI
+    include ColorOutput
+    include Options
+    include Output
+
+    EXIT_SUCCESS = 0
+    EXIT_VIOLATIONS = 1
+    EXIT_ERROR = 2
+
+    def self.run(args)
+      new.run(args)
+    end
+
+    def run(args)
+      options, gems = parse_options(args)
+      config = Config.new(options)
+      return dry_run(config) if options[:dry_run]
+
+      results = check_gems(config, options[:verbose], gems)
+      process_results(results, config, options)
+    rescue StandardError => e
+      handle_error(e, options[:verbose])
+      EXIT_ERROR
+    end
+
+    private
+
+    def parse_options(args)
+      options = {}
+      build_option_parser(options).parse!(args)
+      [options, args]
+    end
+
+    def dry_run(config)
+      dry_run_output(config)
+      EXIT_SUCCESS
+    end
+
+    def check_gems(config, verbose, gems = [])
+      puts(cyan('Checking gem versions...')) if verbose
+      outdated_gems = OutdatedChecker
+                      .new(gems:)
+                      .outdated_gems
+      return log_empty_result(verbose) if outdated_gems.empty?
+
+      puts(cyan("Found #{outdated_gems.length} outdated gem(s)")) if verbose
+      GemChecker
+        .new(config:, max_threads: config.max_threads)
+        .check_all(outdated_gems)
+    end
+
+    def log_empty_result(verbose)
+      puts(green('No outdated gems found.')) if verbose
+      []
+    end
+
+    def process_results(results, config, options)
+      allowed, blocked = partition_results(results)
+      output_results(results, blocked, config, options)
+      risk_results = run_risk_check(results, config, options)
+      perform_update(allowed, blocked, risk_results, config) if config.update && allowed.any?
+      determine_exit_code(config, blocked, risk_results, run_audit(config, options))
+    end
+
+    def run_risk_check(results, config, options)
+      return [] if options[:risk] == false
+
+      risk_checker = RiskChecker.new(config: config)
+      risk_results = options[:refresh_cache] ? [] : risk_checker.check_all(results)
+      output_risk_results(risk_results, options) unless options[:json]
+      risk_checker.save_cache
+      risk_results
+    end
+
+    def partition_results(results)
+      [results.select(&:allowed), results.reject(&:allowed)]
+    end
+
+    def output_results(results, blocked, config, options)
+      options[:json] ? output_json(results, blocked, config) : output_human(results, blocked, config)
+    end
+
+    def determine_exit_code(config, blocked, risk_results, audit_result)
+      return EXIT_SUCCESS if config.warn_only
+      return EXIT_SUCCESS unless violations?(blocked, risk_results, audit_result)
+
+      EXIT_VIOLATIONS
+    end
+
+    def violations?(blocked, risk_results, audit_result)
+      blocked.any? || risk_results.any?(&:blocked) || audit_result&.vulnerabilities&.any?
+    end
+
+    def run_audit(config, options)
+      return nil unless config.audit
+
+      audit_result = AuditChecker.new.check
+      output_audit_result(audit_result) unless options[:json]
+      audit_result
+    end
+
+    def perform_update(allowed, blocked, risk_results, config)
+      risk_blocked_names = risk_results.select(&:blocked).map(&:gem_name)
+      updatable = allowed.reject { |r| risk_blocked_names.include?(r.name) }
+      return if updatable.empty?
+
+      gem_names = updatable.map(&:name)
+      run_bundle_update(gem_names, config.lock_only)
+      print_skipped(blocked, risk_blocked_names)
+    end
+
+    def run_bundle_update(gem_names, lock_only)
+      print_update_start(gem_names, lock_only:)
+      result = Bundler.with_unbundled_env { system(*update_command(gem_names, lock_only)) }
+      print_update_result(result)
+    end
+
+    def update_command(gem_names, lock_only)
+      if lock_only
+        %w[bundle lock --update] + gem_names
+      else
+        %w[bundle update] + gem_names
+      end
+    end
+
+    def handle_error(error, verbose)
+      warn(red("Error: #{error.message}"))
+      warn(error.backtrace.join("\n")) if verbose
+    end
+  end
+end

data/lib/bundle_safe_update/color_output.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module BundleSafeUpdate
+  module ColorOutput
+    COLORS = {
+      green: "\e[32m",
+      yellow: "\e[33m",
+      red: "\e[31m",
+      cyan: "\e[36m",
+      reset: "\e[0m"
+    }.freeze
+
+    def colorize(text, color)
+      return text unless tty?
+
+      "#{COLORS[color]}#{text}#{COLORS[:reset]}"
+    end
+
+    def green(text)
+      colorize(text, :green)
+    end
+
+    def yellow(text)
+      colorize(text, :yellow)
+    end
+
+    def red(text)
+      colorize(text, :red)
+    end
+
+    def cyan(text)
+      colorize(text, :cyan)
+    end
+
+    private
+
+    def tty?
+      $stdout.tty?
+    end
+  end
+end

data/lib/bundle_safe_update/config.rb

@@ -0,0 +1,142 @@
+# frozen_string_literal: true
+
+require 'yaml'
+
+module BundleSafeUpdate
+  class Config
+    DEFAULT_COOLDOWN_DAYS = 14
+    CONFIG_FILENAME = '.bundle-safe-update.yml'
+
+    DEFAULT_MAX_THREADS = 32
+
+    DEFAULT_RISK_SIGNALS = {
+      'low_downloads' => { 'mode' => 'warn', 'threshold' => 1000 },
+      'stale_gem' => { 'mode' => 'warn', 'threshold_years' => 3 },
+      'new_owner' => { 'mode' => 'warn', 'threshold_days' => 90 },
+      'version_jump' => { 'mode' => 'warn' }
+    }.freeze
+
+    DEFAULTS = {
+      'cooldown_days' => DEFAULT_COOLDOWN_DAYS,
+      'ignore_prefixes' => [],
+      'ignore_gems' => [],
+      'trusted_sources' => [],
+      'trusted_owners' => [],
+      'max_threads' => DEFAULT_MAX_THREADS,
+      'audit' => true,
+      'verbose' => false,
+      'update' => false,
+      'lock_only' => false,
+      'warn_only' => false,
+      'risk_signals' => DEFAULT_RISK_SIGNALS
+    }.freeze
+
+    attr_reader :cooldown_days, :ignore_prefixes, :ignore_gems, :trusted_sources, :trusted_owners,
+                :max_threads, :audit, :verbose, :update, :lock_only, :warn_only, :risk_signals
+
+    def initialize(options = {})
+      config = merge_configs(options)
+      assign_basic_options(config)
+      assign_risk_options(config)
+    end
+
+    def risk_signal_mode(signal_name)
+      @risk_signals.dig(signal_name.to_s, 'mode') || 'off'
+    end
+
+    def risk_signal_enabled?(signal_name)
+      risk_signal_mode(signal_name) != 'off'
+    end
+
+    def risk_signal_threshold(signal_name, key)
+      @risk_signals.dig(signal_name.to_s, key.to_s)
+    end
+
+    def ignored?(gem_name)
+      return true if @ignore_gems.include?(gem_name)
+
+      @ignore_prefixes.any? { |prefix| gem_name.start_with?(prefix) }
+    end
+
+    def trusted_source?(source_url)
+      return false if source_url.nil? || @trusted_sources.empty?
+
+      @trusted_sources.any? { |pattern| source_url.include?(pattern) }
+    end
+
+    private
+
+    def assign_basic_options(config)
+      @cooldown_days = config['cooldown_days']
+      @ignore_prefixes = config['ignore_prefixes']
+      @ignore_gems = config['ignore_gems']
+      @trusted_sources = config['trusted_sources']
+      @trusted_owners = config['trusted_owners']
+      @max_threads = config['max_threads']
+    end
+
+    def assign_risk_options(config)
+      @audit = config['audit']
+      @verbose = config['verbose']
+      @update = config['update']
+      @lock_only = config['lock_only']
+      @warn_only = config['warn_only']
+      @risk_signals = config['risk_signals']
+    end
+
+    def merge_configs(cli_options)
+      config = DEFAULTS.dup
+      config = deep_merge(config, load_global_config)
+      config = deep_merge(config, load_local_config)
+      config = deep_merge(config, load_custom_config(cli_options[:config]))
+      apply_cli_overrides(config, cli_options)
+    end
+
+    def load_global_config
+      global_path = File.join(Dir.home, CONFIG_FILENAME)
+      load_config_file(global_path)
+    end
+
+    def load_local_config
+      local_path = File.join(Dir.pwd, CONFIG_FILENAME)
+      load_config_file(local_path)
+    end
+
+    def load_custom_config(path)
+      return {} unless path
+
+      load_config_file(path)
+    end
+
+    def load_config_file(path)
+      return {} unless File.exist?(path)
+
+      YAML.safe_load_file(path) || {}
+    rescue Psych::SyntaxError => e
+      warn("Warning: Invalid YAML in #{path}: #{e.message}")
+      {}
+    end
+
+    def apply_cli_overrides(config, options)
+      config['cooldown_days'] = options[:cooldown] if options[:cooldown]
+      apply_boolean_overrides(config, options)
+      config
+    end
+
+    def apply_boolean_overrides(config, options)
+      %i[audit verbose update lock_only warn_only].each do |key|
+        config[key.to_s] = options[key] if options.key?(key)
+      end
+    end
+
+    def deep_merge(base, override)
+      base.merge(override) do |_key, old_val, new_val|
+        if old_val.is_a?(Hash) && new_val.is_a?(Hash)
+          deep_merge(old_val, new_val)
+        else
+          new_val
+        end
+      end
+    end
+  end
+end