bundler-audit 0.9.0.1 → 0.9.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 83898613996d764bcb4e3ed517da59a95132049e29e7e8afa25698d4a03f6276
-  data.tar.gz: e931b427480a4bbdaeaa4bf381141780e04d26cbd2a98c60e60f3a0431c3b4d6
+  metadata.gz: 762980c9b274b19e477ee0be0ae021e452a1e7d63796ceb6da0d667de704dad9
+  data.tar.gz: 3e0fae808a027e677f3d218949c092d8189fc124bb34f61b57fdf982b5ffd6b1
 SHA512:
-  metadata.gz: fcd29c11e7cee080390e9dc3b6356fc74817835a8b9f8621d230d27ea497b81ba63abcf880799f948de6eb4768747a01dc46a0aa29841c1bd76d92cd990c2659
-  data.tar.gz: f41ece9bf750bddcf632be46f240f079074ce26c7cb69e24184002929f041ed326e1b383a3649ec680bb3d42e03c25a167b65eb93219511065c05622bee1bef3
+  metadata.gz: faa37304223ab40fd5678b6a4fcc1f9edb6d112c418c3a80a38aff6dbfbfacd416481f32f402998ece370d4646fe416e8f9453a5cec98d634845ff7bfd1abc6f
+  data.tar.gz: 7fbd39c761fdee364266207e4f0b52be6347b480b8447d31688428b8d3b5337c7f7403142ef0b2da0bc293ddfbe1ea5df93750b3a70be3920eff37af1d6a7884

data/.github/ISSUE_TEMPLATE/feature-request.md

@@ -0,0 +1,14 @@
+---
+name: Feature Request
+about: Request a new Feature
+title: ''
+labels: feature
+assignees: ''
+
+---
+
+## Description
+
+<!-- Explain how the desired feature would work. -->
+<!-- Explain why the desired feature is needed. -->
+<!-- Explain who would use the desired feature. -->

data/.github/workflows/ruby.yml

@@ -12,7 +12,8 @@ jobs:
           - 2.5
           - 2.6
           - 2.7
-          - 3.0
+          - '3.0'
+          - 3.1
           - jruby
           - truffleruby-head
     name: Ruby ${{ matrix.ruby }}

data/.rubocop.yml

@@ -65,6 +65,9 @@ Style/WordArray: { Enabled: false } # Offense count: 1
 Style/Lambda: { Enabled: false } # Offense count: 2
 Style/SafeNavigation: { Enabled: false } # Offense count: 2
 Lint/IneffectiveAccessModifier: { Enabled: false } # Offense count: 1
+Gemspec/DuplicatedAssignment:
+  Exclude:
+    - 'bundler-audit.gemspec'
 
 #
 # Rules that may be disabled in the future.

data/ChangeLog.md

@@ -1,7 +1,28 @@
+### 0.9.1 / 2022-05-19
+
+#### CLI
+
+* Improve the readability of the suggested gem versions to upgrade to
+  (pull #331).
+
+#### Rake Task
+
+* Fixed a regression introduced in 0.9.0 where the `bundler:audit` rake task
+  was not exiting with an error status code if vulnerabilities were found.
+  Now when the `bundler-audit` command fails, the rake task will also exit with
+  the `bundler-audit` command's error code.
+* If the `bundler-audit` command could not be found for some reason raise the
+  {Bundler::Audit::Task::CommandNotFound} exception.
+
 ### 0.9.0.1 / 2021-08-31
 
 * Add a workaround for Psych < 3.1.0 to support running on Ruby < 2.6.
   (issue #319)
+  * Although, Ruby 2.5 and prior have all reached [End-of-Life] and
+  are no longer receiving security updates. It is strongly advised that you
+  should upgrade to a currently supported version of Ruby.
+
+[End-of-Life]: https://www.ruby-lang.org/en/downloads/branches/
 
 ### 0.9.0 / 2021-08-31
 

data/Gemfile

@@ -12,6 +12,7 @@ group :development do
   gem 'simplecov',      '~> 0.7', require: false
 
   gem 'kramdown',       '~> 2.0'
+  gem 'redcarpet',       platform: :mri
   gem 'yard',           '~> 0.9'
   gem 'yard-spellcheck', require: false
 end

data/README.md

@@ -111,27 +111,39 @@ Update the [ruby-advisory-db] that `bundle audit` uses:
 
 Update the [ruby-advisory-db] and check `Gemfile.lock` (useful for CI runs):
 
-    $ bundle-audit check --update
+```shell
+$ bundle-audit check --update
+```
 
 Checking the `Gemfile.lock` without updating the [ruby-advisory-db]:
 
-    $ bundle-audit check --no-update
+```shell
+$ bundle-audit check --no-update
+```
 
 Ignore specific advisories:
 
-    $ bundle-audit check --ignore OSVDB-108664
+```shell
+$ bundle-audit check --ignore OSVDB-108664
+```
 
 Checking a custom `Gemfile.lock` file:
 
-    $ bundle-audit check --gemfile Gemfile.custom.lock
+```shell
+$ bundle-audit check --gemfile-lock Gemfile.custom.lock
+```
 
 Output the audit's results in JSON:
 
-    $ bundle-audit check --format json
+```shell
+$ bundle-audit check --format json
+```
 
 Output the audit's results in JSON, to a file:
 
-    $ bundle-audit check --format json --output bundle-audit.json
+```shell
+$ bundle-audit check --format json --output bundle-audit.json
+```
 
 ## Rake Tasks
 
@@ -149,16 +161,20 @@ bundler-audit also supports a per-project configuration file:
 
 `.bundler-audit.yml`:
 
-    ---
-    ignore:
-      - CVE-YYYY-XXXX
-      - ...
+```yaml
+---
+ignore:
+  - CVE-YYYY-XXXX
+  - ...
+```
 
 * `ignore:` \[Array\<String\>\] - A list of advisory IDs to ignore.
 
 You can provide a path to a config file using the `--config` flag:
 
-    $ bundle-audit check --config bundler-audit.custom.yaml
+```shell
+$ bundle-audit check --config bundler-audit.custom.yaml
+```
 
 ## Requirements
 
@@ -170,25 +186,35 @@ You can provide a path to a config file using the `--config` flag:
 
 ## Install
 
-    $ [sudo] gem install bundler-audit
+```shell
+$ [sudo] gem install bundler-audit
+```
 
 ### Git
 
 * Debian / Ubuntu:
 
-      $ sudo apt install git
+```shell
+$ sudo apt install git
+```
 
 * RedHat / Fedora:
 
-      $ sudo dnf install git
+```shell
+$ sudo dnf install git
+```
 
 * Alpine Linux:
 
-      $ apk add git
+```shell
+$ apk add git
+```
 
 * macOS:
 
-      $ brew install git
+```shell
+$ brew install git
+```
 
 ## Contributing
 
@@ -205,7 +231,7 @@ You can provide a path to a config file using the `--config` flag:
 
 ## License
 
-Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 
 bundler-audit is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by

data/bundler-audit.gemspec

@@ -21,9 +21,8 @@ Gem::Specification.new do |gem|
 
   glob = lambda { |patterns| gem.files & Dir[*patterns] }
 
-  gem.files = if gemspec['files'] then glob[gemspec['files']]
-              else                     `git ls-files`.split($/)
-              end
+  gem.files = `git ls-files`.split($/)
+  gem.files = glob[gemspec['files']] if gemspec['files']
 
   gem.executables = gemspec.fetch('executables') do
     glob['bin/*'].map { |path| File.basename(path) }
@@ -31,7 +30,7 @@ Gem::Specification.new do |gem|
   gem.default_executable = gem.executables.first if Gem::VERSION < '1.7.'
 
   gem.extensions       = glob[gemspec['extensions'] || 'ext/**/extconf.rb']
-  gem.test_files       = glob[gemspec['test_files'] || '{test/{**/}*_test.rb']
+  gem.test_files       = glob[gemspec['test_files'] || 'spec/{**/}*_spec.rb']
   gem.extra_rdoc_files = glob[gemspec['extra_doc_files'] || '*.{txt,md}']
 
   gem.require_paths = Array(gemspec.fetch('require_paths') {
@@ -56,4 +55,5 @@ Gem::Specification.new do |gem|
       gem.add_development_dependency(name,split[versions])
     end
   end
+  gem.metadata['rubygems_mfa_required'] = 'true'
 end

data/gemspec.yml

@@ -6,6 +6,13 @@ authors: Postmodern
 email: postmodern.mod3@gmail.com
 homepage: https://github.com/rubysec/bundler-audit#readme
 
+metadata:
+  documentation_uri: https://rubydoc.info/gems/bundler-audit
+  source_code_uri:   https://github.com/rubysec/bundler-audit.rb
+  bug_tracker_uri:   https://github.com/rubysec/bundler-audit.rb/issues
+  changelog_uri:     https://github.com/rubysec/bundler-audit.rb/blob/master/ChangeLog.md
+  rubygems_mfa_required: 'true'
+
 required_ruby_version: ">= 2.0.0"
 required_rubygems_version: ">= 1.8.0"
 

data/lib/bundler/audit/advisory.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -15,6 +15,7 @@
 # along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
+require 'date'
 require 'yaml'
 
 module Bundler

data/lib/bundler/audit/cli/formats/json.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/cli/formats/junit.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -101,7 +101,7 @@ module Bundler
 
           def advisory_solution(advisory)
             unless advisory.patched_versions.empty?
-              "upgrade to #{advisory.patched_versions.join(', ')}"
+              "upgrade to #{advisory.patched_versions.map { |v| "'#{v}'" }.join(', ')}"
             else
               "remove or disable this gem until a patch is available!"
             end

data/lib/bundler/audit/cli/formats/text.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -105,7 +105,7 @@ module Bundler
 
             unless advisory.patched_versions.empty?
               say "Solution: upgrade to ", :red
-              say advisory.patched_versions.join(', ')
+              say advisory.patched_versions.map { |v| "'#{v}'" }.join(', ')
             else
               say "Solution: ", :red
               say "remove or disable this gem until a patch is available!", [:red, :bold]

data/lib/bundler/audit/cli/formats.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/cli.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -75,8 +75,10 @@ module Bundler
 
         report = scanner.report(ignore: options.ignore)
 
-        output = if options[:output] then File.new(options[:output],'w')
-                 else                     $stdout
+        output = if options[:output]
+                   File.new(options[:output],'w')
+                 else
+                   $stdout
                  end
 
         print_report(report,output)

data/lib/bundler/audit/configuration.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/database.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -34,18 +34,20 @@ module Bundler
       class UpdateFailed < RuntimeError
       end
 
-      # Git URL of the ruby-advisory-db
+      # Git URL of the ruby-advisory-db.
       URL = 'https://github.com/rubysec/ruby-advisory-db.git'
 
-      # Path to the user's copy of the ruby-advisory-db
+      # Path to the user's copy of the ruby-advisory-db.
       USER_PATH = File.expand_path(File.join(Gem.user_home,'.local','share','ruby-advisory-db'))
 
-      # Default path to the ruby-advisory-db
+      # Default path to the ruby-advisory-db.
       #
       # @since 0.8.0
-      DEFAULT_PATH = ENV['BUNDLER_AUDIT_DB'] || USER_PATH
+      DEFAULT_PATH = ENV.fetch('BUNDLER_AUDIT_DB',USER_PATH)
 
-      # The path to the advisory database
+      # The path to the advisory database.
+      #
+      # @return [String]
       attr_reader :path
 
       #

data/lib/bundler/audit/results/insecure_source.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/results/unpatched_gem.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/results.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/scanner.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -36,7 +36,7 @@ module Bundler
     #
     class Scanner
 
-      # The advisory database
+      # The advisory database.
       #
       # @return [Database]
       attr_reader :database
@@ -44,12 +44,13 @@ module Bundler
       # Project root directory
       attr_reader :root
 
-      # The parsed `Gemfile.lock` from the project
+      # The parsed `Gemfile.lock` from the project.
       #
       # @return [Bundler::LockfileParser]
       attr_reader :lockfile
 
-      # The configuration loaded from the `.bundler-audit.yml` file from the project
+      # The configuration loaded from the `.bundler-audit.yml` file from the
+      # project.
       #
       # @return [Hash]
       attr_reader :config
@@ -217,8 +218,10 @@ module Bundler
       def scan_specs(options={})
         return enum_for(__method__,options) unless block_given?
 
-        ignore = if options[:ignore] then Set.new(options[:ignore])
-                 else                     config.ignore
+        ignore = if options[:ignore]
+                   Set.new(options[:ignore])
+                 else
+                   config.ignore
                  end
 
         @lockfile.specs.each do |gem|

data/lib/bundler/audit/task.rb

@@ -6,6 +6,9 @@ module Bundler
     # Defines the `bundle:audit` rake tasks.
     #
     class Task < Rake::TaskLib
+      class CommandNotFound < RuntimeError
+      end
+
       #
       # Initializes the task.
       #
@@ -23,12 +26,12 @@ module Bundler
           namespace :audit do
             desc 'Checks the Gemfile.lock for insecure dependencies'
             task :check do
-              system 'bundler-audit', 'check'
+              bundler_audit 'check'
             end
 
             desc 'Updates the bundler-audit vulnerability database'
             task :update do
-              system 'bundler-audit', 'update'
+              bundler_audit 'update'
             end
           end
 
@@ -39,6 +42,33 @@ module Bundler
         task 'bundler:audit:check'  => 'bundle:audit:check'
         task 'bundler:audit:update' => 'bundle:audit:update'
       end
+
+      #
+      # Runs the `bundler-audit` command with the additional arguments.
+      #
+      # @param [Array<String>] arguments
+      #   Additional command-line arguments for `bundler-audit`.
+      #
+      # @return [true]
+      #   The `bundler-audit` command successfully exited.
+      #
+      # @raise [CommandNotFound]
+      #   The `bundler-audit` command could not be executed or was not found.
+      #
+      # @note
+      #   If the `bundler-audit` command exits with an error, the rake task
+      #   will also exit with the same error code.
+      #
+      def bundler_audit(*arguments)
+        case system('bundler-audit',*arguments)
+        when false
+          exit $?.exitstatus || 1
+        when nil
+          raise(CommandNotFound,"bundler-audit could not be executed")
+        else
+          return true
+        end
+      end
     end
   end
 end

data/lib/bundler/audit/version.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -18,6 +18,6 @@
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = '0.9.0.1'
+    VERSION = '0.9.1'
   end
 end

data/lib/bundler/audit.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/spec/advisory_spec.rb

@@ -45,7 +45,16 @@ describe Bundler::Audit::Advisory do
   end
 
   describe "load" do
-    let(:data) { YAML.load_file(path) }
+    let(:data) do
+      File.open(path) do |yaml|
+        if Psych::VERSION >= '3.1.0'
+          YAML.safe_load(yaml, permitted_classes: [Date])
+        else
+          # XXX: psych < 3.1.0 YAML.safe_load calling convention
+          YAML.safe_load(yaml, [Date])
+        end
+      end
+    end
 
     describe '#id' do
       subject { super().id }

data/spec/bundle/insecure_sources/Gemfile.lock

@@ -85,15 +85,15 @@ GEM
     marcel (1.0.1)
     method_source (1.0.0)
     mini_mime (1.0.3)
-    mini_portile2 (2.5.1)
+    mini_portile2 (2.8.0)
     minitest (5.14.4)
     nio4r (2.5.7)
-    nokogiri (1.11.6)
-      mini_portile2 (~> 2.5.0)
+    nokogiri (1.13.6)
+      mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
-    nokogiri (1.11.6-x86_64-linux)
+    nokogiri (1.13.6-x86_64-linux)
       racc (~> 1.4)
-    racc (1.5.2)
+    racc (1.6.0)
     rack (2.2.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)

data/spec/bundle/secure/Gemfile.lock

@@ -1,113 +1,113 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (5.2.6)
-      actionpack (= 5.2.6)
+    actioncable (5.2.8)
+      actionpack (= 5.2.8)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailer (5.2.6)
-      actionpack (= 5.2.6)
-      actionview (= 5.2.6)
-      activejob (= 5.2.6)
+    actionmailer (5.2.8)
+      actionpack (= 5.2.8)
+      actionview (= 5.2.8)
+      activejob (= 5.2.8)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (5.2.6)
-      actionview (= 5.2.6)
-      activesupport (= 5.2.6)
+    actionpack (5.2.8)
+      actionview (= 5.2.8)
+      activesupport (= 5.2.8)
       rack (~> 2.0, >= 2.0.8)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.2.6)
-      activesupport (= 5.2.6)
+    actionview (5.2.8)
+      activesupport (= 5.2.8)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.2.6)
-      activesupport (= 5.2.6)
+    activejob (5.2.8)
+      activesupport (= 5.2.8)
       globalid (>= 0.3.6)
-    activemodel (5.2.6)
-      activesupport (= 5.2.6)
-    activerecord (5.2.6)
-      activemodel (= 5.2.6)
-      activesupport (= 5.2.6)
+    activemodel (5.2.8)
+      activesupport (= 5.2.8)
+    activerecord (5.2.8)
+      activemodel (= 5.2.8)
+      activesupport (= 5.2.8)
       arel (>= 9.0)
-    activestorage (5.2.6)
-      actionpack (= 5.2.6)
-      activerecord (= 5.2.6)
+    activestorage (5.2.8)
+      actionpack (= 5.2.8)
+      activerecord (= 5.2.8)
       marcel (~> 1.0.0)
-    activesupport (5.2.6)
+    activesupport (5.2.8)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
     arel (9.0.0)
     builder (3.2.4)
-    concurrent-ruby (1.1.8)
+    concurrent-ruby (1.1.10)
     crass (1.0.6)
     erubi (1.10.0)
-    globalid (0.4.2)
-      activesupport (>= 4.2.0)
-    i18n (1.8.10)
+    globalid (1.0.0)
+      activesupport (>= 5.0)
+    i18n (1.10.0)
       concurrent-ruby (~> 1.0)
-    loofah (2.9.1)
+    loofah (2.18.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
       mini_mime (>= 0.1.1)
-    marcel (1.0.1)
+    marcel (1.0.2)
     method_source (1.0.0)
-    mini_mime (1.1.0)
-    mini_portile2 (2.5.1)
-    minitest (5.14.4)
-    nio4r (2.5.7)
-    nokogiri (1.11.6)
-      mini_portile2 (~> 2.5.0)
+    mini_mime (1.1.2)
+    mini_portile2 (2.8.0)
+    minitest (5.15.0)
+    nio4r (2.5.8)
+    nokogiri (1.13.6)
+      mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
-    nokogiri (1.11.6-x86_64-linux)
+    nokogiri (1.13.6-x86_64-linux)
       racc (~> 1.4)
-    racc (1.5.2)
+    racc (1.6.0)
     rack (2.2.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (5.2.6)
-      actioncable (= 5.2.6)
-      actionmailer (= 5.2.6)
-      actionpack (= 5.2.6)
-      actionview (= 5.2.6)
-      activejob (= 5.2.6)
-      activemodel (= 5.2.6)
-      activerecord (= 5.2.6)
-      activestorage (= 5.2.6)
-      activesupport (= 5.2.6)
+    rails (5.2.8)
+      actioncable (= 5.2.8)
+      actionmailer (= 5.2.8)
+      actionpack (= 5.2.8)
+      actionview (= 5.2.8)
+      activejob (= 5.2.8)
+      activemodel (= 5.2.8)
+      activerecord (= 5.2.8)
+      activestorage (= 5.2.8)
+      activesupport (= 5.2.8)
       bundler (>= 1.3.0)
-      railties (= 5.2.6)
+      railties (= 5.2.8)
       sprockets-rails (>= 2.0.0)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.0.4)
       loofah (~> 2.2, >= 2.2.2)
-    railties (5.2.6)
-      actionpack (= 5.2.6)
-      activesupport (= 5.2.6)
+    railties (5.2.8)
+      actionpack (= 5.2.8)
+      activesupport (= 5.2.8)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.19.0, < 2.0)
-    rake (13.0.3)
-    sprockets (4.0.2)
+    rake (13.0.6)
+    sprockets (4.0.3)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
-    sprockets-rails (3.2.2)
-      actionpack (>= 4.0)
-      activesupport (>= 4.0)
+    sprockets-rails (3.4.2)
+      actionpack (>= 5.2)
+      activesupport (>= 5.2)
       sprockets (>= 3.0.0)
-    thor (1.1.0)
+    thor (1.2.1)
     thread_safe (0.3.6)
     tzinfo (1.2.9)
       thread_safe (~> 0.1)
-    websocket-driver (0.7.4)
+    websocket-driver (0.7.5)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
 
@@ -120,4 +120,4 @@ DEPENDENCIES
   rails-html-sanitizer (~> 1.0.3)
 
 BUNDLED WITH
-   2.2.0
+   2.3.6

data/spec/cli/formats/junit_spec.rb

@@ -241,7 +241,7 @@ describe Bundler::Audit::CLI::Formats::Junit do
 
         context "when Advisory#patched_versions is not empty" do
           it 'must print "Solution: upgrade to ..."' do
-            expect(output).to include("Solution: upgrade to #{CGI.escapeHTML(advisory.patched_versions.join(', '))}")
+            expect(output).to include("Solution: upgrade to #{CGI.escapeHTML(advisory.patched_versions.map { |v| "'#{v}'" }.join(', '))}")
           end
         end
 

data/spec/cli/formats/text_spec.rb

@@ -230,7 +230,7 @@ describe Bundler::Audit::CLI::Formats::Text do
 
         context "when Advisory#patched_versions is not empty" do
           it 'must print "Solution: upgrade to ..."' do
-            expect(output_lines).to include("Solution: upgrade to #{advisory.patched_versions.join(', ')}")
+            expect(output_lines).to include("Solution: upgrade to #{advisory.patched_versions.map { |v| "'#{v}'" }.join(', ')}")
           end
         end
 

data/spec/database_spec.rb

@@ -292,7 +292,7 @@ describe Bundler::Audit::Database do
       let(:last_commit) { Fixtures::Database::COMMIT }
       let(:last_commit_timestamp) do
         Dir.chdir(Fixtures::Database::PATH) do
-          Time.parse(`git log --date=iso8601 --pretty="%cd" #{last_commit}`)
+          Time.parse(`git log -n 2 --date=iso8601 --pretty="%cd" #{last_commit}`)
         end
       end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bundler-audit
 version: !ruby/object:Gem::Version
-  version: 0.9.0.1
+  version: 0.9.1
 platform: ruby
 authors:
 - Postmodern
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-08-31 00:00:00.000000000 Z
+date: 2022-05-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -58,6 +58,7 @@ files:
 - ".document"
 - ".github/FUNDING.yml"
 - ".github/ISSUE_TEMPLATE/bug-report.md"
+- ".github/ISSUE_TEMPLATE/feature-request.md"
 - ".github/workflows/ruby.yml"
 - ".gitignore"
 - ".rspec"
@@ -126,7 +127,8 @@ files:
 homepage: https://github.com/rubysec/bundler-audit#readme
 licenses:
 - GPL-3.0+
-metadata: {}
+metadata:
+  rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -142,8 +144,23 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.8.0
 requirements: []
-rubygems_version: 3.2.22
+rubygems_version: 3.2.33
 signing_key:
 specification_version: 4
 summary: Patch-level verification for Bundler
-test_files: []
+test_files:
+- spec/advisory_spec.rb
+- spec/audit_spec.rb
+- spec/cli/formats/json_spec.rb
+- spec/cli/formats/junit_spec.rb
+- spec/cli/formats/text_spec.rb
+- spec/cli/formats_spec.rb
+- spec/cli_spec.rb
+- spec/configuration_spec.rb
+- spec/database_spec.rb
+- spec/integration_spec.rb
+- spec/report_spec.rb
+- spec/results/insecure_source_spec.rb
+- spec/results/result_spec.rb
+- spec/results/unpatched_gem_spec.rb
+- spec/scanner_spec.rb