bundle-safe-update 1.0.14

data/lib/bundle_safe_update/gem_checker.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+module BundleSafeUpdate
+  class GemChecker
+    CheckResult = Struct.new(:name, :version, :current_version, :age_days, :allowed, :reason, keyword_init: true)
+
+    DEFAULT_MAX_THREADS = 32
+
+    def initialize(config:, api: nil, lockfile_parser: nil, max_threads: nil)
+      @config = config
+      @api = api || RubygemsApi.new
+      @lockfile_parser = lockfile_parser || LockfileParser.new
+      @max_threads = max_threads || DEFAULT_MAX_THREADS
+    end
+
+    def check_gem(gem_info)
+      return ignored_result(gem_info) if @config.ignored?(gem_info.name)
+      return trusted_source_result(gem_info) if trusted_source?(gem_info.name)
+      return trusted_owner_result(gem_info) if trusted_owner?(gem_info.name)
+
+      age_days = @api.version_age_days(gem_info.name, gem_info.newest_version)
+      return not_found_result(gem_info) if age_days.nil?
+
+      age_check_result(gem_info, age_days)
+    end
+
+    def check_all(outdated_gems)
+      return [] if outdated_gems.empty?
+
+      check_all_parallel(outdated_gems)
+    end
+
+    private
+
+    def check_all_parallel(outdated_gems)
+      results = Array.new(outdated_gems.size)
+      queue = Queue.new
+      outdated_gems.each_with_index { |gem_info, idx| queue << [gem_info, idx] }
+
+      threads = spawn_worker_threads(queue, results)
+      threads.each(&:join)
+
+      results
+    end
+
+    def spawn_worker_threads(queue, results)
+      thread_count = [@max_threads, queue.size].min
+      Array.new(thread_count) do
+        Thread.new do
+          process_queue(queue, results)
+        end
+      end
+    end
+
+    def process_queue(queue, results)
+      loop do
+        gem_info, idx = queue.pop(true)
+        results[idx] = check_gem(gem_info)
+      rescue ThreadError
+        break
+      end
+    end
+
+    def trusted_source?(gem_name)
+      source_url = @lockfile_parser.source_for(gem_name)
+      @config.trusted_source?(source_url)
+    end
+
+    def trusted_owner?(gem_name)
+      return false if @config.trusted_owners.empty?
+
+      owners = @api.fetch_owners(gem_name)
+      @config.trusted_owners.intersect?(owners)
+    end
+
+    def ignored_result(gem_info)
+      build_result(gem_info, age_days: nil, allowed: true, reason: 'ignored')
+    end
+
+    def trusted_source_result(gem_info)
+      build_result(gem_info, age_days: nil, allowed: true, reason: 'trusted source')
+    end
+
+    def trusted_owner_result(gem_info)
+      build_result(gem_info, age_days: nil, allowed: true, reason: 'trusted owner')
+    end
+
+    def not_found_result(gem_info)
+      build_result(gem_info, age_days: nil, allowed: false, reason: 'version not found')
+    end
+
+    def age_check_result(gem_info, age_days)
+      allowed = age_days >= @config.cooldown_days
+      reason = allowed ? 'satisfies minimum age' : 'too new'
+      build_result(gem_info, age_days: age_days, allowed: allowed, reason: reason)
+    end
+
+    def build_result(gem_info, age_days:, allowed:, reason:)
+      CheckResult.new(
+        name: gem_info.name,
+        version: gem_info.newest_version,
+        current_version: gem_info.current_version,
+        age_days: age_days,
+        allowed: allowed,
+        reason: reason
+      )
+    end
+  end
+end

data/lib/bundle_safe_update/lockfile_parser.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+module BundleSafeUpdate
+  class LockfileParser
+    LOCKFILE_NAME = 'Gemfile.lock'
+    GEM_SECTION_START = /^GEM$/
+    SECTION_HEADER = /^[A-Z]+$/
+    REMOTE_LINE = /^\s+remote:\s+(.+)$/
+    GEM_LINE = /^\s{4}(\S+)\s+\(/
+
+    def initialize(lockfile_path: nil)
+      @lockfile_path = lockfile_path || File.join(Dir.pwd, LOCKFILE_NAME)
+    end
+
+    def gem_sources
+      return @gem_sources if defined?(@gem_sources)
+
+      @gem_sources = parse_lockfile
+    end
+
+    def source_for(gem_name)
+      gem_sources[gem_name]
+    end
+
+    private
+
+    def parse_lockfile
+      return {} unless File.exist?(@lockfile_path)
+
+      content = File.read(@lockfile_path)
+      extract_gem_sources(content)
+    rescue StandardError => e
+      warn("Warning: Could not parse #{@lockfile_path}: #{e.message}")
+      {}
+    end
+
+    def extract_gem_sources(content)
+      sources = {}
+      state = { in_gem_section: false, current_remote: nil }
+
+      content.each_line do |line|
+        process_line(line, state, sources)
+      end
+
+      sources
+    end
+
+    def process_line(line, state, sources)
+      case line
+      when GEM_SECTION_START then state[:in_gem_section] = true
+      when SECTION_HEADER then reset_section(state)
+      when REMOTE_LINE then update_remote(state, ::Regexp.last_match(1))
+      when GEM_LINE then add_gem_source(sources, state, ::Regexp.last_match(1))
+      end
+    end
+
+    def reset_section(state)
+      state[:in_gem_section] = false
+      state[:current_remote] = nil
+    end
+
+    def update_remote(state, remote)
+      state[:current_remote] = remote.strip if state[:in_gem_section]
+    end
+
+    def add_gem_source(sources, state, gem_name)
+      return unless state[:in_gem_section] && state[:current_remote]
+
+      sources[gem_name] = state[:current_remote]
+    end
+  end
+end

data/lib/bundle_safe_update/outdated_checker.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require 'bundler'
+require 'open3'
+
+module BundleSafeUpdate
+  class OutdatedChecker
+    OutdatedGem = Struct.new(:name, :current_version, :newest_version, keyword_init: true)
+
+    BUNDLE_COMMAND = %w[bundle outdated --parseable].freeze
+
+    def initialize(gems: [], executor: nil)
+      @gems = gems
+      @executor = executor || method(:execute_command)
+    end
+
+    def outdated_gems
+      command = BUNDLE_COMMAND + @gems
+      output = @executor.call(command)
+      parse_output(output)
+    end
+
+    private
+
+    def execute_command(command)
+      stdout, stderr, status = Bundler.with_unbundled_env do
+        Open3.capture3(*command)
+      end
+      check_for_errors(stderr, status)
+      stdout
+    end
+
+    def check_for_errors(stderr, status)
+      return if status.success? || status.exitstatus == 1
+
+      raise stderr.strip if stderr.include?('Your Ruby version is')
+
+      raise "bundle outdated failed with exit code #{status.exitstatus}: #{stderr.strip}"
+    end
+
+    def parse_output(output)
+      output
+        .lines
+        .map(&:strip)
+        .select { |line| line.include?('(newest') }
+        .map { |line| parse_line(line) }
+        .compact
+    end
+
+    def parse_line(line)
+      match = line.match(/^(\S+)\s+\(newest\s+([\d.]+),?\s*installed\s+([\d.]+)/)
+      return nil unless match
+
+      OutdatedGem.new(
+        name: match[1],
+        newest_version: match[2],
+        current_version: match[3]
+      )
+    end
+  end
+end

data/lib/bundle_safe_update/risk_cache.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+require 'fileutils'
+require 'yaml'
+require 'time'
+
+module BundleSafeUpdate
+  class RiskCache
+    CACHE_FILENAME = 'bundle-safe-update-cache.yml'
+    CACHE_VERSION = 1
+
+    OwnerChange = Struct.new(:gem_name, :previous_owners, :current_owners, keyword_init: true)
+
+    def initialize(cache_path: nil)
+      @cache_path = cache_path || default_cache_path
+      @data = load_cache
+    end
+
+    def owners_for(gem_name)
+      @data['owners'][gem_name] || []
+    end
+
+    def owner_changed?(gem_name, current_owners)
+      cached = owners_for(gem_name)
+      return false if cached.empty?
+
+      cached.sort != current_owners.compact.sort
+    end
+
+    def detect_owner_change(gem_name, current_owners)
+      cached = owners_for(gem_name)
+      sanitized = current_owners.compact
+      return nil if cached.empty? || cached.sort == sanitized.sort
+
+      OwnerChange.new(
+        gem_name: gem_name,
+        previous_owners: cached,
+        current_owners: sanitized
+      )
+    end
+
+    def update_owners(gem_name, owners)
+      @data['owners'][gem_name] = owners.compact.sort
+    end
+
+    def save
+      @data['updated_at'] = Time.now.iso8601
+      File.write(@cache_path, YAML.dump(@data))
+    end
+
+    def exists?
+      File.exist?(@cache_path)
+    end
+
+    private
+
+    def load_cache
+      return default_cache unless File.exist?(@cache_path)
+
+      loaded = YAML.safe_load_file(@cache_path) || {}
+      return default_cache unless loaded['version'] == CACHE_VERSION
+
+      loaded
+    rescue Psych::SyntaxError
+      default_cache
+    end
+
+    def default_cache
+      {
+        'version' => CACHE_VERSION,
+        'updated_at' => nil,
+        'owners' => {}
+      }
+    end
+
+    def default_cache_path
+      bundle_dir = File.join(Dir.pwd, '.bundle')
+      FileUtils.mkdir_p(bundle_dir)
+      File.join(bundle_dir, CACHE_FILENAME)
+    end
+  end
+end

data/lib/bundle_safe_update/risk_checker.rb

@@ -0,0 +1,154 @@
+# frozen_string_literal: true
+
+require 'time'
+
+module BundleSafeUpdate
+  class RiskChecker
+    RiskResult = Struct.new(:gem_name, :version, :signals, :blocked, keyword_init: true)
+    RiskSignal = Struct.new(:type, :message, :mode, keyword_init: true)
+
+    SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60
+
+    def initialize(config:, api: nil, cache: nil, lockfile_parser: nil, max_threads: nil)
+      @config = config
+      @api = api || RubygemsApi.new
+      @cache = cache || RiskCache.new
+      @lockfile_parser = lockfile_parser || LockfileParser.new
+      @max_threads = max_threads || @config.max_threads
+    end
+
+    def check_all(gem_results)
+      return [] if gem_results.empty?
+
+      check_all_parallel(gem_results)
+    end
+
+    def save_cache
+      @cache.save
+    end
+
+    private
+
+    def check_all_parallel(gem_results)
+      results = Array.new(gem_results.size)
+      queue = Queue.new
+      gem_results.each_with_index { |result, idx| queue << [result, idx] }
+
+      threads = spawn_worker_threads(queue, results)
+      threads.each(&:join)
+
+      results.compact
+    end
+
+    def spawn_worker_threads(queue, results)
+      thread_count = [@max_threads, queue.size].min
+      Array.new(thread_count) do
+        Thread.new { process_queue(queue, results) }
+      end
+    end
+
+    def process_queue(queue, results)
+      loop do
+        gem_result, idx = queue.pop(true)
+        results[idx] = check_gem(gem_result)
+      rescue ThreadError
+        break
+      end
+    end
+
+    def check_gem(gem_result)
+      signals = []
+      signals.concat(check_low_downloads(gem_result))
+      signals.concat(check_stale_gem(gem_result))
+      signals.concat(check_new_owner(gem_result))
+      signals.concat(check_version_jump(gem_result))
+
+      return nil if signals.empty?
+
+      blocked = signals.any? { |s| s.mode == 'block' }
+      RiskResult.new(gem_name: gem_result.name, version: gem_result.version, signals: signals, blocked: blocked)
+    end
+
+    def check_low_downloads(gem_result)
+      return [] unless @config.risk_signal_enabled?(:low_downloads)
+      return [] unless from_rubygems?(gem_result.name)
+
+      gem_info = @api.fetch_gem_info(gem_result.name)
+      return [] unless gem_info
+
+      threshold = @config.risk_signal_threshold(:low_downloads, :threshold)
+      return [] if gem_info.downloads >= threshold
+
+      [build_signal(:low_downloads, "low downloads (#{gem_info.downloads} total)")]
+    end
+
+    def check_stale_gem(gem_result)
+      return [] unless @config.risk_signal_enabled?(:stale_gem)
+      return [] unless from_rubygems?(gem_result.name)
+
+      gem_info = @api.fetch_gem_info(gem_result.name)
+      return [] unless gem_info&.version_created_at
+
+      age_years = calculate_age_years(gem_info.version_created_at)
+      threshold_years = @config.risk_signal_threshold(:stale_gem, :threshold_years)
+      return [] if age_years < threshold_years
+
+      [build_signal(:stale_gem, "stale gem (last release #{age_years.round(1)} years ago)")]
+    end
+
+    def check_new_owner(gem_result)
+      return [] unless @config.risk_signal_enabled?(:new_owner)
+      return [] unless from_rubygems?(gem_result.name)
+
+      current_owners = @api.fetch_owners(gem_result.name)
+      return [] if current_owners.empty?
+
+      change = @cache.detect_owner_change(gem_result.name, current_owners)
+      @cache.update_owners(gem_result.name, current_owners)
+      return [] unless change
+
+      [build_signal(:new_owner, owner_change_message(change))]
+    end
+
+    def from_rubygems?(gem_name)
+      source = @lockfile_parser.source_for(gem_name)
+      source.nil? || source.include?('rubygems.org')
+    end
+
+    def check_version_jump(gem_result)
+      return [] unless @config.risk_signal_enabled?(:version_jump)
+      return [] unless major_version_jump?(gem_result)
+
+      [build_signal(:version_jump, "major version jump (was #{gem_result.current_version})")]
+    end
+
+    def build_signal(type, message)
+      RiskSignal.new(type: type, message: message, mode: @config.risk_signal_mode(type))
+    end
+
+    def calculate_age_years(timestamp)
+      (Time.now - timestamp) / SECONDS_PER_YEAR
+    end
+
+    def owner_change_message(change)
+      new_owners = change.current_owners.join(', ')
+      old_owners = change.previous_owners.join(', ')
+      "ownership changed (new: #{new_owners}, was: #{old_owners})"
+    end
+
+    def major_version_jump?(gem_result)
+      return false unless gem_result.respond_to?(:current_version) && gem_result.current_version
+
+      current = parse_version(gem_result.current_version)
+      newest = parse_version(gem_result.version)
+      current && newest && newest[:major] > current[:major]
+    end
+
+    def parse_version(version_string)
+      parts = version_string.to_s.split('.')
+      return nil if parts.empty?
+
+      { major: parts[0].to_i, minor: parts[1].to_i, patch: parts[2].to_i }
+    end
+  end
+end

data/lib/bundle_safe_update/rubygems_api.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+require 'net/http'
+require 'json'
+require 'time'
+
+module BundleSafeUpdate
+  class RubygemsApi
+    VERSIONS_API_BASE = 'https://rubygems.org/api/v1/versions'
+    OWNERS_API_BASE = 'https://rubygems.org/api/v1/gems'
+    GEM_API_BASE = 'https://rubygems.org/api/v1/gems'
+    SECONDS_PER_DAY = 86_400
+    HTTP_OPEN_TIMEOUT = 10
+    HTTP_READ_TIMEOUT = 30
+
+    class ApiError < StandardError; end
+
+    GemInfo = Struct.new(:downloads, :version_created_at, keyword_init: true)
+
+    def initialize(http_client: nil)
+      @http_client = http_client
+    end
+
+    def fetch_version_info(gem_name, version)
+      versions = fetch_versions(gem_name)
+      versions.find { |v| v['number'] == version }
+    end
+
+    def fetch_versions(gem_name)
+      uri = URI("#{VERSIONS_API_BASE}/#{gem_name}.json")
+      response = perform_request(uri)
+
+      unless response.is_a?(Net::HTTPSuccess)
+        raise ApiError, "Failed to fetch versions for #{gem_name}: #{response.code}"
+      end
+
+      JSON.parse(response.body)
+    rescue JSON::ParserError => e
+      raise ApiError, "Invalid JSON response for #{gem_name}: #{e.message}"
+    end
+
+    def version_age_days(gem_name, version)
+      info = fetch_version_info(gem_name, version)
+      return nil unless info
+
+      created_at = Time.parse(info['created_at'])
+      ((Time.now - created_at) / SECONDS_PER_DAY).to_i
+    end
+
+    def fetch_owners(gem_name)
+      uri = URI("#{OWNERS_API_BASE}/#{gem_name}/owners.json")
+      response = perform_request(uri)
+
+      return [] unless response.is_a?(Net::HTTPSuccess)
+
+      JSON
+        .parse(response.body)
+        .filter_map { |owner| owner['handle'] }
+    rescue JSON::ParserError
+      []
+    end
+
+    def fetch_gem_info(gem_name)
+      uri = URI("#{GEM_API_BASE}/#{gem_name}.json")
+      response = perform_request(uri)
+
+      return nil unless response.is_a?(Net::HTTPSuccess)
+
+      data = JSON.parse(response.body)
+      GemInfo.new(
+        downloads: data['downloads'],
+        version_created_at: parse_time(data['version_created_at'])
+      )
+    rescue JSON::ParserError
+      nil
+    end
+
+    private
+
+    def parse_time(time_string)
+      return nil unless time_string
+
+      Time.parse(time_string)
+    rescue ArgumentError
+      nil
+    end
+
+    def perform_request(uri)
+      return @http_client.call(uri) if @http_client
+
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = true
+      http.open_timeout = HTTP_OPEN_TIMEOUT
+      http.read_timeout = HTTP_READ_TIMEOUT
+      http.get(uri.request_uri)
+    end
+  end
+end

data/lib/bundle_safe_update/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module BundleSafeUpdate
+  VERSION = '1.0.14'
+end

data/lib/bundle_safe_update.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require_relative 'bundle_safe_update/version'
+require_relative 'bundle_safe_update/config'
+require_relative 'bundle_safe_update/color_output'
+require_relative 'bundle_safe_update/rubygems_api'
+require_relative 'bundle_safe_update/lockfile_parser'
+require_relative 'bundle_safe_update/outdated_checker'
+require_relative 'bundle_safe_update/gem_checker'
+require_relative 'bundle_safe_update/audit_checker'
+require_relative 'bundle_safe_update/risk_cache'
+require_relative 'bundle_safe_update/risk_checker'
+require_relative 'bundle_safe_update/cli'
+
+module BundleSafeUpdate
+end

metadata

@@ -0,0 +1,70 @@
+--- !ruby/object:Gem::Specification
+name: bundle-safe-update
+version: !ruby/object:Gem::Version
+  version: 1.0.14
+platform: ruby
+authors:
+- Denis Sablic
+bindir: exe
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies: []
+description: A CLI tool that prevents installation of gem versions that are too new
+  (e.g., <14 days old), helping protect against supply chain attacks.
+email:
+- denis.sablic@gmail.com
+executables:
+- bundle-safe-update
+extensions: []
+extra_rdoc_files: []
+files:
+- CLAUDE.md
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/install-hooks
+- bin/setup
+- bundle-safe-update.gemspec
+- exe/bundle-safe-update
+- lib/bundle_safe_update.rb
+- lib/bundle_safe_update/audit_checker.rb
+- lib/bundle_safe_update/cli.rb
+- lib/bundle_safe_update/cli/options.rb
+- lib/bundle_safe_update/cli/output.rb
+- lib/bundle_safe_update/color_output.rb
+- lib/bundle_safe_update/config.rb
+- lib/bundle_safe_update/gem_checker.rb
+- lib/bundle_safe_update/lockfile_parser.rb
+- lib/bundle_safe_update/outdated_checker.rb
+- lib/bundle_safe_update/risk_cache.rb
+- lib/bundle_safe_update/risk_checker.rb
+- lib/bundle_safe_update/rubygems_api.rb
+- lib/bundle_safe_update/version.rb
+homepage: https://github.com/dsablic/bundle-safe-update
+licenses:
+- MIT
+metadata:
+  rubygems_mfa_required: 'true'
+  source_code_uri: https://github.com/dsablic/bundle-safe-update
+  changelog_uri: https://github.com/dsablic/bundle-safe-update/releases
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.2.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 4.0.6
+specification_version: 4
+summary: Enforce minimum release age for Ruby gems during updates
+test_files: []