bundle_update_interactive 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9c9585ae537745fcca9df3d3c56bf670b9c89c76e6a8764f06cded19facf8f56
+  data.tar.gz: 25cda618302b78573e94cf4551d82cf05ac13dca1be5c70d1dd9f10f4e1cc78b
+SHA512:
+  metadata.gz: 233ff8af81ceb4810b121bd8d603318b5ee8e966b0ef7f11ea3d4bd1c40f4c70d679fa2cc4ec34510d2a70ba0dc3d4dbf6ce2b7f7a9315dc328fdf10e4540238
+  data.tar.gz: 1d5d043af5822a8764696e8e1a959ba603400ef5b6ff63785fd7a10728ecb09df6f490b58a296870a98b3c7ecdc82cc8abb1e5a7e05e02408ea3a952a00084c2

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2024 Matt Brictson
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,54 @@
+# bundle_update_interactive
+
+[![Gem Version](https://img.shields.io/gem/v/bundle_update_interactive)](https://rubygems.org/gems/bundle_update_interactive)
+[![Gem Downloads](https://img.shields.io/gem/dt/bundle_update_interactive)](https://www.ruby-toolbox.com/projects/bundle_update_interactive)
+[![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/mattbrictson/bundle_update_interactive/ci.yml)](https://github.com/mattbrictson/bundle_update_interactive/actions/workflows/ci.yml)
+[![Code Climate maintainability](https://img.shields.io/codeclimate/maintainability/mattbrictson/bundle_update_interactive)](https://codeclimate.com/github/mattbrictson/bundle_update_interactive)
+
+This gem adds an `update-interactive` command to [Bundler](https://bundler.io).
+
+https://github.com/user-attachments/assets/3ec11073-b365-4f92-be76-60c9ac73d1be
+
+---
+
+- [Quick start](#quick-start)
+- [Support](#support)
+- [License](#license)
+- [Code of conduct](#code-of-conduct)
+- [Contribution guide](#contribution-guide)
+
+## Quick start
+
+Install the gem:
+
+```
+gem install bundle_update_interactive
+```
+
+Now you can use:
+
+```
+bundle update-interactive
+```
+
+Or the shorthand:
+
+```
+bundle ui
+```
+
+## Support
+
+If you want to report a bug, or have ideas, feedback or questions about the gem, [let me know via GitHub issues](https://github.com/mattbrictson/bundle_update_interactive/issues/new) and I will do my best to provide a helpful answer. Happy hacking!
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](LICENSE.txt).
+
+## Code of conduct
+
+Everyone interacting in this project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](CODE_OF_CONDUCT.md).
+
+## Contribution guide
+
+Pull requests are welcome!

data/exe/bundler-ui

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "bundle_update_interactive"
+BundleUpdateInteractive::CLI.start(ARGV)

data/exe/bundler-update-interactive

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "bundle_update_interactive"
+BundleUpdateInteractive::CLI.start(ARGV)

data/lib/bundle_update_interactive/bundler_commands.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require "shellwords"
+
+module BundleUpdateInteractive
+  module BundlerCommands
+    class << self
+      def update_gems_conservatively(*gems)
+        system "bundle update --conservative #{gems.flatten.map(&:shellescape).join(' ')}"
+      end
+
+      def read_updated_lockfile
+        `bundle lock --print --update`.tap do
+          raise "bundle lock command failed" unless Process.last_status.success?
+        end
+      end
+    end
+  end
+end

data/lib/bundle_update_interactive/changelog_locator.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require "faraday"
+require "json"
+
+GITHUB_PATTERN = %r{^(?:https?://)?github\.com/([^/]+/[^/]+)(?:\.git)?/?}.freeze
+URI_KEYS = %w[source_code_uri homepage_uri bug_tracker_uri wiki_uri].freeze
+FILE_PATTERN = /(?:changelog|changes|history|news|release)/.freeze
+EXT_PATTERN = /(?:md|txt|rdoc)/.freeze
+
+module BundleUpdateInteractive
+  class ChangelogLocator
+    # TODO: refactor
+    def find_changelog_uri(name:, version: nil) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+      if version
+        response = Faraday.get("https://rubygems.org/api/v2/rubygems/#{name}/versions/#{version}.json")
+        version = nil unless response.success?
+      end
+
+      response = Faraday.get("https://rubygems.org/api/v1/gems/#{name}.json") if version.nil?
+
+      return nil unless response.success?
+
+      data = JSON.parse(response.body)
+
+      version ||= data["version"]
+      changelog_uri = data["changelog_uri"]
+      github_repo = guess_github_repo(data)
+
+      if changelog_uri.nil? && github_repo
+        file_list = Faraday.get("https://github.com/#{github_repo}")
+        if file_list.status == 301
+          github_repo = file_list.headers["Location"][GITHUB_PATTERN, 1]
+          file_list = Faraday.get(file_list.headers["Location"])
+        end
+        match = file_list.body.match(%r{/(#{github_repo}/blob/[^/]+/#{FILE_PATTERN}(?:\.#{EXT_PATTERN})?)"}i)
+        changelog_uri = "https://github.com/#{match[1]}" if match
+      end
+
+      if changelog_uri.nil? && github_repo
+        releases_uri = "https://github.com/#{github_repo}/releases"
+        changelog_uri = releases_uri if Faraday.head("#{releases_uri}/tag/v#{version}").success?
+      end
+
+      changelog_uri
+    end
+
+    private
+
+    def guess_github_repo(data)
+      data.values_at(*URI_KEYS).each do |uri|
+        return Regexp.last_match(1) if uri&.match(GITHUB_PATTERN)
+      end
+      nil
+    end
+  end
+end

data/lib/bundle_update_interactive/cli/multi_select.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require "pastel"
+require "tty/prompt"
+require "tty/screen"
+
+class BundleUpdateInteractive::CLI
+  class MultiSelect
+    class List < TTY::Prompt::MultiList
+      def initialize(prompt, **options)
+        defaults = {
+          cycle: true,
+          help_color: :itself.to_proc,
+          per_page: [TTY::Prompt::Paginator::DEFAULT_PAGE_SIZE, TTY::Screen.height.to_i - 3].max,
+          quiet: true,
+          show_help: :always
+        }
+        super(prompt, **defaults.merge(options))
+      end
+
+      def selected_names
+        ""
+      end
+    end
+
+    def self.prompt_for_gems_to_update(outdated_gems)
+      table = Table.new(outdated_gems)
+      title = "#{outdated_gems.length} gems can be updated."
+      chosen = new(title: title, table: table).prompt
+      outdated_gems.slice(*chosen)
+    end
+
+    def initialize(title:, table:)
+      @title = title
+      @table = table
+      @tty_prompt = TTY::Prompt.new(
+        interrupt: lambda {
+          puts
+          exit(130)
+        }
+      )
+      @pastel = BundleUpdateInteractive.pastel
+    end
+
+    def prompt
+      choices = table.gem_names.to_h { |name| [table.render_gem(name), name] }
+      tty_prompt.invoke_select(List, title, choices, help: help)
+    end
+
+    private
+
+    attr_reader :pastel, :table, :tty_prompt, :title
+
+    def help
+      [
+        pastel.dim("\nPress <space> to select, ↑/↓ move, <ctrl-a> all, <ctrl-r> reverse, <enter> to finish."),
+        "\n    ",
+        table.render_header
+      ].join
+    end
+  end
+end

data/lib/bundle_update_interactive/cli/row.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require "delegate"
+require "pastel"
+
+class BundleUpdateInteractive::CLI
+  class Row < SimpleDelegator
+    SEMVER_COLORS = {
+      major: :red,
+      minor: :yellow,
+      patch: :green
+    }.freeze
+
+    def initialize(outdated_gem)
+      super
+      @pastel = BundleUpdateInteractive.pastel
+    end
+
+    def to_a
+      [
+        formatted_gem_name,
+        formatted_current_version,
+        "→",
+        formatted_updated_version,
+        formatted_gemfile_groups,
+        formatted_changelog_uri
+      ]
+    end
+
+    def formatted_gem_name
+      vulnerable? ? pastel.white.on_red(name) : apply_semver_highlight(name)
+    end
+
+    def formatted_current_version
+      [current_version.to_s, current_git_version].compact.join(" ")
+    end
+
+    def formatted_updated_version
+      version = semver_change.format { |part| apply_semver_highlight(part) }
+      git_version = apply_semver_highlight(updated_git_version)
+
+      [version, git_version].compact.join(" ")
+    end
+
+    def formatted_gemfile_groups
+      gemfile_groups&.map(&:inspect)&.join(", ")
+    end
+
+    def formatted_changelog_uri
+      pastel.blue(changelog_uri)
+    end
+
+    def apply_semver_highlight(value)
+      color = git_version_changed? ? :cyan : SEMVER_COLORS.fetch(semver_change.severity)
+      pastel.decorate(value, color)
+    end
+
+    private
+
+    attr_reader :pastel
+  end
+end

data/lib/bundle_update_interactive/cli/table.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require "pastel"
+
+class BundleUpdateInteractive::CLI
+  class Table
+    HEADERS = ["name", "from", nil, "to", "group", "url"].freeze
+
+    def initialize(outdated_gems)
+      @pastel = BundleUpdateInteractive.pastel
+      @headers = HEADERS.map { |h| pastel.dim.underline(h) }
+      @rows = outdated_gems.transform_values { |gem| Row.new(gem).to_a.map(&:to_s) }
+      @column_widths = calculate_column_widths
+    end
+
+    def gem_names
+      rows.keys
+    end
+
+    def render_header
+      render_row(headers)
+    end
+
+    def render_gem(name)
+      row = rows.fetch(name)
+      render_row(row)
+    end
+
+    def render
+      lines = [render_header]
+      rows.each_key { |name| lines << render_gem(name) }
+      lines.join("\n")
+    end
+
+    private
+
+    attr_reader :column_widths, :pastel, :rows, :headers
+
+    def render_row(row)
+      row.zip(column_widths).map do |value, width|
+        padding = width && (" " * (width - pastel.strip(value).length))
+        "#{value}#{padding}"
+      end.join("  ")
+    end
+
+    def calculate_column_widths
+      rows_with_header = [headers, *rows.values]
+      Array.new(headers.length - 1) do |i|
+        rows_with_header.map { |values| pastel.strip(values[i]).length }.max
+      end
+    end
+  end
+end

data/lib/bundle_update_interactive/cli/thor_ext.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require "bundler"
+
+class BundleUpdateInteractive::CLI
+  module ThorExt
+    # Configures Thor to behave more like a typical CLI, with better help and error handling.
+    #
+    # - Passing -h or --help to a command will show help for that command.
+    # - Unrecognized options will be treated as errors (instead of being silently ignored).
+    # - Error messages will be printed in red to stderr, without stack trace.
+    # - Full stack traces can be enabled by setting the VERBOSE environment variable.
+    # - Errors will cause Thor to exit with a non-zero status.
+    #
+    # To take advantage of this behavior, your CLI should subclass Thor and extend this module.
+    #
+    #   class CLI < Thor
+    #     extend ThorExt::Start
+    #   end
+    #
+    # Start your CLI with:
+    #
+    #   CLI.start
+    #
+    # In tests, prevent Kernel.exit from being called when an error occurs, like this:
+    #
+    #   CLI.start(args, exit_on_failure: false)
+    #
+    module Start
+      def self.extended(base)
+        super
+        base.check_unknown_options!
+      end
+
+      def start(given_args=ARGV, config={})
+        config[:shell] ||= Thor::Base.shell.new
+        handle_help_switches(given_args) do |args|
+          dispatch(nil, args, nil, config)
+        end
+      rescue Exception => e # rubocop:disable Lint/RescueException
+        handle_exception_on_start(e, config)
+      end
+
+      private
+
+      def handle_help_switches(given_args)
+        yield(given_args.dup)
+      rescue Thor::UnknownArgumentError => e
+        retry_with_args = []
+
+        if given_args.first == "help"
+          retry_with_args = ["help"] if given_args.length > 1
+        elsif e.unknown.intersect?(%w[-h --help])
+          retry_with_args = ["help", (given_args - e.unknown).first]
+        end
+        raise unless retry_with_args.any?
+
+        yield(retry_with_args)
+      end
+
+      def handle_exception_on_start(error, config)
+        case error
+        when Errno::EPIPE
+          # Ignore
+        when Thor::Error, Interrupt, Bundler::Dsl::DSLError
+          raise unless config.fetch(:exit_on_failure, true)
+
+          config[:shell]&.say_error(error.message, :red)
+          exit(false)
+        else
+          raise
+        end
+      end
+    end
+  end
+end

data/lib/bundle_update_interactive/cli.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+require "thor"
+
+module BundleUpdateInteractive
+  class CLI < Thor
+    autoload :MultiSelect, "bundle_update_interactive/cli/multi_select"
+    autoload :Row, "bundle_update_interactive/cli/row"
+    autoload :Table, "bundle_update_interactive/cli/table"
+    autoload :ThorExt, "bundle_update_interactive/cli/thor_ext"
+
+    extend ThorExt::Start
+
+    default_command :ui
+    map %w[-v --version] => "version"
+
+    desc "version", "Display bundle_update_interactive version", hide: true
+    def version
+      say "bundle_update_interactive/#{VERSION} #{RUBY_DESCRIPTION}"
+    end
+
+    desc "ui", "Update Gemfile.lock interactively", hide: true
+    def ui # rubocop:disable Metrics/AbcSize
+      report = generate_report
+      say("No gems to update.") && return if report.updateable_gems.empty?
+
+      say
+      say legend
+      say
+      selected_gems = MultiSelect.prompt_for_gems_to_update(report.updateable_gems)
+      say("No gems to update.") && return if selected_gems.empty?
+
+      say "\nUpdating the following gems."
+      say
+      say Table.new(selected_gems).render
+      say
+      BundlerCommands.update_gems_conservatively(*selected_gems.keys)
+    end
+
+    private
+
+    def legend
+      pastel = BundleUpdateInteractive.pastel
+      <<~LEGEND
+        Color legend:
+        #{pastel.white.on_red('<inverse>')} Known security vulnerability
+        #{pastel.red('<red>')}     Major update; likely to have breaking changes, high risk
+        #{pastel.yellow('<yellow>')}  Minor update; changes and additions, moderate risk
+        #{pastel.green('<green>')}   Patch update; bug fixes, low risk
+        #{pastel.cyan('<cyan>')}    Possibly unreleased git commits; unknown risk
+      LEGEND
+    end
+
+    def generate_report
+      whisper "Resolving latest gem versions..."
+      report = Report.generate
+      updateable_gems = report.updateable_gems
+      return report if updateable_gems.empty?
+
+      whisper "Checking for security vulnerabilities..."
+      report.scan_for_vulnerabilities!
+
+      progress "Finding changelogs", updateable_gems.values, &:changelog_uri
+      report
+    end
+
+    def whisper(message)
+      $stderr.puts(message) # rubocop:disable Style/StderrPuts
+    end
+
+    def progress(message, items, &block)
+      $stderr.print(message)
+      items.each_slice([1, items.length / 12].max) do |slice|
+        slice.each(&block)
+        $stderr.print(".")
+      end
+      $stderr.print("\n")
+    end
+  end
+end

data/lib/bundle_update_interactive/gemfile.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require "bundler"
+
+module BundleUpdateInteractive
+  class Gemfile
+    def self.parse(path="Gemfile")
+      dsl = Bundler::Dsl.new
+      dsl.eval_gemfile(path)
+      dependencies = dsl.dependencies.to_h { |d| [d.name, d] }
+      new(dependencies)
+    end
+
+    def initialize(dependencies)
+      @dependencies = dependencies.freeze
+    end
+
+    def [](name)
+      @dependencies[name]
+    end
+  end
+end

data/lib/bundle_update_interactive/lockfile.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require "bundler"
+
+module BundleUpdateInteractive
+  class Lockfile
+    # TODO: refactor
+    def self.parse(lockfile_contents=File.read("Gemfile.lock")) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+      parser = Bundler::LockfileParser.new(lockfile_contents)
+      specs_by_name = {}
+      exact = Set.new
+      exact_children = {}
+
+      parser.specs.each do |spec|
+        specs_by_name[spec.name] = spec
+
+        spec.dependencies.each do |dep|
+          next unless dep.requirement.exact?
+
+          exact << dep.name
+          (exact_children[spec.name] ||= []) << dep.name
+        end
+      end
+
+      entries = specs_by_name.transform_values do |spec|
+        exact_dependencies = Set.new
+        traversal = exact_children[spec.name]&.dup || []
+        until traversal.empty?
+          name = traversal.pop
+          next if exact_dependencies.include?(name)
+
+          exact_dependencies << name
+          traversal.push(*exact_children.fetch(name, []))
+        end
+
+        LockfileEntry.new(spec, exact_dependencies, exact.include?(spec.name))
+      end
+
+      new(entries)
+    end
+
+    def initialize(entries)
+      @entries = entries.freeze
+    end
+
+    def entries
+      @entries.values
+    end
+
+    def [](gem_name)
+      @entries[gem_name]
+    end
+  end
+end

data/lib/bundle_update_interactive/lockfile_entry.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module BundleUpdateInteractive
+  class LockfileEntry
+    attr_reader :spec, :exact_dependencies
+
+    def initialize(spec, exact_dependencies, exact_dependency)
+      @spec = spec
+      @exact_dependencies = exact_dependencies
+      @exact_dependency = exact_dependency
+    end
+
+    def name
+      spec.name
+    end
+
+    def version
+      spec.version
+    end
+
+    def older_than?(updated_entry)
+      return false if updated_entry.nil?
+
+      if git_source? && updated_entry.git_source?
+        version <= updated_entry.version && git_version != updated_entry.git_version
+      else
+        version < updated_entry.version
+      end
+    end
+
+    def exact_dependency?
+      @exact_dependency
+    end
+
+    def git_version
+      spec.git_version&.strip
+    end
+
+    def git_source_uri
+      spec.source.uri if git_source?
+    end
+
+    def git_source?
+      !!git_version
+    end
+
+    def rubygems_source?
+      return false if git_source?
+
+      source = spec.source
+      source.respond_to?(:remotes) && source.remotes.map(&:to_s).include?("https://rubygems.org/")
+    end
+  end
+end

data/lib/bundle_update_interactive/outdated_gem.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+module BundleUpdateInteractive
+  class OutdatedGem
+    attr_reader :current_lockfile_entry, :updated_lockfile_entry, :gemfile_groups
+    attr_writer :vulnerable
+
+    def initialize(current_lockfile_entry:, updated_lockfile_entry:, gemfile_groups:)
+      @current_lockfile_entry = current_lockfile_entry
+      @updated_lockfile_entry = updated_lockfile_entry
+      @gemfile_groups = gemfile_groups
+      @changelog_locator = ChangelogLocator.new
+      @vulnerable = nil
+    end
+
+    def name
+      current_lockfile_entry.name
+    end
+
+    def semver_change
+      @semver_change ||= SemverChange.new(current_version, updated_version)
+    end
+
+    def vulnerable?
+      @vulnerable
+    end
+
+    def changelog_uri
+      return @changelog_uri if defined?(@changelog_uri)
+
+      @changelog_uri =
+        if git_version_changed?
+          "https://github.com/#{github_repo}/compare/#{current_git_version}...#{updated_git_version}"
+        elsif updated_lockfile_entry.rubygems_source?
+          changelog_locator.find_changelog_uri(name: name, version: updated_version.to_s)
+        else
+          begin
+            Gem::Specification.find_by_name(name)&.homepage
+          rescue Gem::MissingSpecError
+            nil
+          end
+        end
+    end
+
+    def current_version
+      current_lockfile_entry.version
+    end
+
+    def updated_version
+      updated_lockfile_entry.version
+    end
+
+    def current_git_version
+      current_lockfile_entry.git_version
+    end
+
+    def updated_git_version
+      updated_lockfile_entry.git_version
+    end
+
+    def git_version_changed?
+      current_git_version && updated_git_version && current_git_version != updated_git_version
+    end
+
+    private
+
+    attr_reader :changelog_locator
+
+    def github_repo
+      return nil unless updated_git_version
+
+      updated_lockfile_entry.git_source_uri.to_s[%r{^(?:git@github.com:|https://github.com/)([^/]+/[^/]+?)(:?\.git)?(?:$|/)}i,
+                                                 1]
+    end
+  end
+end

data/lib/bundle_update_interactive/report.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+require "bundler"
+require "bundler/audit"
+require "bundler/audit/scanner"
+require "set"
+
+module BundleUpdateInteractive
+  class Report
+    class << self
+      def generate
+        gemfile = Gemfile.parse
+        current_lockfile = Lockfile.parse
+        updated_lockfile = Lockfile.parse(BundlerCommands.read_updated_lockfile)
+
+        new(gemfile: gemfile, current_lockfile: current_lockfile, updated_lockfile: updated_lockfile)
+      end
+    end
+
+    attr_reader :outdated_gems
+
+    def initialize(gemfile:, current_lockfile:, updated_lockfile:)
+      @current_lockfile = current_lockfile
+      outdated_names = current_lockfile.entries.each_with_object([]) do |current_entry, arr|
+        updated_entry = updated_lockfile[current_entry.name]
+        arr << current_entry.name if current_entry.older_than?(updated_entry)
+      end
+      @outdated_gems ||= outdated_names.sort.each_with_object({}) do |name, hash|
+        hash[name] = OutdatedGem.new(
+          current_lockfile_entry: current_lockfile[name],
+          updated_lockfile_entry: updated_lockfile[name],
+          gemfile_groups: gemfile[name]&.groups
+        )
+      end.freeze
+    end
+
+    def [](gem_name)
+      outdated_gems[gem_name]
+    end
+
+    def updateable_gems
+      outdated_gems.reject { |_, gem| gem.current_lockfile_entry.exact_dependency? }
+    end
+
+    def expand_gems_with_exact_dependencies(*gem_names)
+      gem_names.flatten!
+      gem_names.flat_map { [_1, *outdated_gems[_1].current_lockfile_entry.exact_dependencies] }.uniq
+    end
+
+    def scan_for_vulnerabilities!
+      return false if outdated_gems.empty?
+
+      Bundler::Audit::Database.update!(quiet: true)
+      audit_report = Bundler::Audit::Scanner.new.report
+      vulnerable_gem_names = Set.new(audit_report.vulnerable_gems.map(&:name))
+
+      outdated_gems.each do |name, gem|
+        gem.vulnerable = vulnerable_gem_names.intersect?([name, *current_lockfile[name].exact_dependencies])
+      end
+      true
+    end
+
+    def bundle_update!(*gem_names)
+      expanded_names = expand_gems_with_exact_dependencies(*gem_names)
+      BundlerCommands.update_gems_conservatively(*expanded_names)
+    end
+
+    private
+
+    attr_reader :current_lockfile
+  end
+end

data/lib/bundle_update_interactive/semver_change.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module BundleUpdateInteractive
+  class SemverChange
+    SEVERITIES = %i[major minor patch].freeze
+
+    def initialize(old_version, new_version)
+      old_segments = old_version.to_s.split(".")
+      new_segments = new_version.to_s.split(".")
+
+      @same_segments = new_segments.take_while.with_index { |seg, i| seg == old_segments[i] }
+      @diff_segments = new_segments[same_segments.length..]
+    end
+
+    def severity
+      return nil if diff_segments.empty?
+
+      SEVERITIES[same_segments.length] || :patch
+    end
+
+    SEVERITIES.each do |level|
+      define_method(:"#{level}?") { severity == level }
+    end
+
+    def none?
+      severity.nil?
+    end
+
+    def any?
+      !!severity
+    end
+
+    def format
+      parts = []
+      parts << same_segments.join(".") if same_segments.any?
+      parts << yield(diff_segments.join(".")) if diff_segments.any?
+      parts.join(".")
+    end
+
+    private
+
+    attr_reader :same_segments, :diff_segments
+  end
+end

data/lib/bundle_update_interactive/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module BundleUpdateInteractive
+  VERSION = "0.1.0"
+end

data/lib/bundle_update_interactive.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require "pastel"
+
+module BundleUpdateInteractive
+  autoload :BundlerCommands, "bundle_update_interactive/bundler_commands"
+  autoload :ChangelogLocator, "bundle_update_interactive/changelog_locator"
+  autoload :CLI, "bundle_update_interactive/cli"
+  autoload :Gemfile, "bundle_update_interactive/gemfile"
+  autoload :Lockfile, "bundle_update_interactive/lockfile"
+  autoload :LockfileEntry, "bundle_update_interactive/lockfile_entry"
+  autoload :OutdatedGem, "bundle_update_interactive/outdated_gem"
+  autoload :Report, "bundle_update_interactive/report"
+  autoload :SemverChange, "bundle_update_interactive/semver_change"
+  autoload :VERSION, "bundle_update_interactive/version"
+
+  class << self
+    attr_accessor :pastel
+  end
+
+  self.pastel = Pastel.new
+end

metadata

@@ -0,0 +1,167 @@
+--- !ruby/object:Gem::Specification
+name: bundle_update_interactive
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Matt Brictson
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2024-07-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: bundler-audit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.9.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.9.1
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.8.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.8.0
+- !ruby/object:Gem::Dependency
+  name: pastel
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.8.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.8.0
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: tty-prompt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.23.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.23.1
+- !ruby/object:Gem::Dependency
+  name: tty-screen
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.8.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.8.2
+description:
+email:
+- opensource@mattbrictson.com
+executables:
+- bundler-ui
+- bundler-update-interactive
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE.txt
+- README.md
+- exe/bundler-ui
+- exe/bundler-update-interactive
+- lib/bundle_update_interactive.rb
+- lib/bundle_update_interactive/bundler_commands.rb
+- lib/bundle_update_interactive/changelog_locator.rb
+- lib/bundle_update_interactive/cli.rb
+- lib/bundle_update_interactive/cli/multi_select.rb
+- lib/bundle_update_interactive/cli/row.rb
+- lib/bundle_update_interactive/cli/table.rb
+- lib/bundle_update_interactive/cli/thor_ext.rb
+- lib/bundle_update_interactive/gemfile.rb
+- lib/bundle_update_interactive/lockfile.rb
+- lib/bundle_update_interactive/lockfile_entry.rb
+- lib/bundle_update_interactive/outdated_gem.rb
+- lib/bundle_update_interactive/report.rb
+- lib/bundle_update_interactive/semver_change.rb
+- lib/bundle_update_interactive/version.rb
+homepage: https://github.com/mattbrictson/bundle_update_interactive
+licenses:
+- MIT
+metadata:
+  bug_tracker_uri: https://github.com/mattbrictson/bundle_update_interactive/issues
+  changelog_uri: https://github.com/mattbrictson/bundle_update_interactive/releases
+  source_code_uri: https://github.com/mattbrictson/bundle_update_interactive
+  homepage_uri: https://github.com/mattbrictson/bundle_update_interactive
+  rubygems_mfa_required: 'true'
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.7'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.11
+signing_key:
+specification_version: 4
+summary: Adds an update-interactive command to Bundler
+test_files: []