bundler-audit 0.9.2 → 0.9.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 91fab22bb836ac9e1b56f525051f80003c4c0515a8d01e779b9ba71f079ba05d
-  data.tar.gz: f312f73a62453f2002d58465002ab7bb8396f53ba5d51ca363e84b422f0216a1
+  metadata.gz: 2e40ebbca24535f65142ee863e6a2acb44802481243959ea75dbaa1f7ab5e33c
+  data.tar.gz: 41d763068c36318312395dfacfd626b95928939d4358a682984aab3fc26287dd
 SHA512:
-  metadata.gz: 2067a4b037050d7f928e805335ea6cf053a83978888477af56d3e44199409bbf9923f46dec0963bf40906c6e8afeec39aba32722daecdfe8576410d1431733a7
-  data.tar.gz: 88c4b7e6c8a5d390743706dafb90ce3431df698bca07348185f0ebf0d28c3842b922d52936e743911bd56d9c4db373cdf19e309f955a44e0d1c7d7b388c7eb31
+  metadata.gz: 00cee5ad01c98a6933e65b2823ff09ca89b7a2b69a01b0192468c871469121b95df622faa871ac1b62764838f9c263a86eb8180b2f47eab0a94f2823231ba965
+  data.tar.gz: 646566832c37e1a4b65502832bae8452b2c061b24f9caefae55f74b326d2f3f13ac88c742fffcb824d65a48f73f9e667634b86c94fc2c063e30b45225f397630

data/.github/workflows/ruby.yml

@@ -13,8 +13,16 @@ jobs:
           - '3.1'
           - '3.2'
           - '3.3'
+          - '3.4'
+          - '3.5'
+          - '4.0'
           - jruby
           - truffleruby
+        include:
+          - ruby: '3.0'
+            rubygems_version: '3.5.23'
+          - ruby: '3.1'
+            rubygems_version: '3.6.9'
     name: Ruby ${{ matrix.ruby }}
     steps:
       - uses: actions/checkout@v2
@@ -22,6 +30,12 @@ jobs:
         uses: ruby/setup-ruby@v1
         with:
           ruby-version: ${{ matrix.ruby }}
+      - name: Update RubyGems
+        env:
+          RUBYGEMS_VERSION: ${{ matrix.rubygems_version }}
+        run: |
+            gem update --system ${RUBYGEMS_VERSION:-}
+            gem -v
       - name: Install dependencies
         run: bundle install --jobs 4 --retry 3
       - name: Run tests

data/.rubocop.yml

@@ -1,5 +1,5 @@
 AllCops:
-  NewCops: enable
+  NewCops: disable
   SuggestExtensions: false
   TargetRubyVersion: 2.7
   Exclude:
@@ -65,6 +65,9 @@ Style/WordArray: { Enabled: false } # Offense count: 1
 Style/Lambda: { Enabled: false } # Offense count: 2
 Style/SafeNavigation: { Enabled: false } # Offense count: 2
 Lint/IneffectiveAccessModifier: { Enabled: false } # Offense count: 1
+Gemspec/RequireMFA:
+  Exclude:
+    - 'bundler-audit.gemspec'
 Gemspec/DuplicatedAssignment:
   Exclude:
     - 'bundler-audit.gemspec'

data/ChangeLog.md

@@ -1,3 +1,14 @@
+### 0.9.3 / 2025-11-28
+
+* Officially support Ruby 3.4, 3.5, and 4.0.
+* Added support for Bundler 4.x.
+* Fixed typos in API documentation.
+
+#### CLI
+
+* Ensure that the `bundler-audit check` command honors the
+  `BUNDLER_AUDIT_DB` environment variable.
+
 ### 0.9.2 / 2024-08-22
 
 * Officially support Ruby 3.2 and 3.3.

data/Gemfile

@@ -4,7 +4,7 @@ gemspec
 
 group :development do
   gem 'rake'
-  gem 'rubygems-tasks', '~> 0.2'
+  gem 'rubygems-tasks', '~> 0.3'
 
   gem 'rubocop',        '~> 1.18'
 

data/README.md

@@ -24,90 +24,94 @@ Patch-level verification for [bundler].
 
 Audit a project's `Gemfile.lock`:
 
-    $ bundle-audit
-    Name: actionpack
-    Version: 3.2.10
-    Advisory: OSVDB-91452
-    Criticality: Medium
-    URL: http://www.osvdb.org/show/osvdb/91452
-    Title: XSS vulnerability in sanitize_css in Action Pack
-    Solution: update to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-
-    Name: actionpack
-    Version: 3.2.10
-    Advisory: OSVDB-91454
-    Criticality: Medium
-    URL: http://osvdb.org/show/osvdb/91454
-    Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
-    Solution: update to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-
-    Name: actionpack
-    Version: 3.2.10
-    Advisory: OSVDB-89026
-    Criticality: High
-    URL: http://osvdb.org/show/osvdb/89026
-    Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
-    Solution: update to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
-
-    Name: activerecord
-    Version: 3.2.10
-    Advisory: OSVDB-91453
-    Criticality: High
-    URL: http://osvdb.org/show/osvdb/91453
-    Title: Symbol DoS vulnerability in Active Record
-    Solution: update to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-
-    Name: activerecord
-    Version: 3.2.10
-    Advisory: OSVDB-90072
-    Criticality: Medium
-    URL: http://direct.osvdb.org/show/osvdb/90072
-    Title: Ruby on Rails Active Record attr_protected Method Bypass
-    Solution: update to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
-
-    Name: activerecord
-    Version: 3.2.10
-    Advisory: OSVDB-89025
-    Criticality: High
-    URL: http://osvdb.org/show/osvdb/89025
-    Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
-    Solution: update to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
-
-    Name: activesupport
-    Version: 3.2.10
-    Advisory: OSVDB-91451
-    Criticality: High
-    URL: http://www.osvdb.org/show/osvdb/91451
-    Title: XML Parsing Vulnerability affecting JRuby users
-    Solution: update to ~> 3.1.12, >= 3.2.13
-
-    Unpatched versions found!
+```
+$ bundle-audit
+Name: actionpack
+Version: 3.2.10
+Advisory: OSVDB-91452
+Criticality: Medium
+URL: http://www.osvdb.org/show/osvdb/91452
+Title: XSS vulnerability in sanitize_css in Action Pack
+Solution: update to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
+
+Name: actionpack
+Version: 3.2.10
+Advisory: OSVDB-91454
+Criticality: Medium
+URL: http://osvdb.org/show/osvdb/91454
+Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
+Solution: update to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
+
+Name: actionpack
+Version: 3.2.10
+Advisory: OSVDB-89026
+Criticality: High
+URL: http://osvdb.org/show/osvdb/89026
+Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
+Solution: update to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
+
+Name: activerecord
+Version: 3.2.10
+Advisory: OSVDB-91453
+Criticality: High
+URL: http://osvdb.org/show/osvdb/91453
+Title: Symbol DoS vulnerability in Active Record
+Solution: update to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
+
+Name: activerecord
+Version: 3.2.10
+Advisory: OSVDB-90072
+Criticality: Medium
+URL: http://direct.osvdb.org/show/osvdb/90072
+Title: Ruby on Rails Active Record attr_protected Method Bypass
+Solution: update to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
+
+Name: activerecord
+Version: 3.2.10
+Advisory: OSVDB-89025
+Criticality: High
+URL: http://osvdb.org/show/osvdb/89025
+Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
+Solution: update to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
+
+Name: activesupport
+Version: 3.2.10
+Advisory: OSVDB-91451
+Criticality: High
+URL: http://www.osvdb.org/show/osvdb/91451
+Title: XML Parsing Vulnerability affecting JRuby users
+Solution: update to ~> 3.1.12, >= 3.2.13
+
+Unpatched versions found!
+```
 
 Update the [ruby-advisory-db] that `bundle audit` uses:
 
-    $ bundle-audit update
-    Updating ruby-advisory-db ...
-    remote: Counting objects: 44, done.
-    remote: Compressing objects: 100% (24/24), done.
-    remote: Total 39 (delta 19), reused 29 (delta 10)
-    Unpacking objects: 100% (39/39), done.
-    From https://github.com/rubysec/ruby-advisory-db
-     * branch            master     -> FETCH_HEAD
-    Updating 5f8225e..328ca86
-    Fast-forward
-     CONTRIBUTORS.md                    |  1 +
-     gems/actionmailer/OSVDB-98629.yml  | 17 +++++++++++++++++
-     gems/cocaine/OSVDB-98835.yml       | 15 +++++++++++++++
-     gems/fog-dragonfly/OSVDB-96798.yml | 13 +++++++++++++
-     gems/sounder/OSVDB-96278.yml       | 13 +++++++++++++
-     gems/wicked/OSVDB-98270.yml        | 14 ++++++++++++++
-     6 files changed, 73 insertions(+)
-     create mode 100644 gems/actionmailer/OSVDB-98629.yml
-     create mode 100644 gems/cocaine/OSVDB-98835.yml
-     create mode 100644 gems/fog-dragonfly/OSVDB-96798.yml
-     create mode 100644 gems/sounder/OSVDB-96278.yml
-     create mode 100644 gems/wicked/OSVDB-98270.yml
-    ruby-advisory-db: 64 advisories
+```
+$ bundle-audit update
+Updating ruby-advisory-db ...
+remote: Counting objects: 44, done.
+remote: Compressing objects: 100% (24/24), done.
+remote: Total 39 (delta 19), reused 29 (delta 10)
+Unpacking objects: 100% (39/39), done.
+From https://github.com/rubysec/ruby-advisory-db
+ * branch            master     -> FETCH_HEAD
+Updating 5f8225e..328ca86
+Fast-forward
+ CONTRIBUTORS.md                    |  1 +
+ gems/actionmailer/OSVDB-98629.yml  | 17 +++++++++++++++++
+ gems/cocaine/OSVDB-98835.yml       | 15 +++++++++++++++
+ gems/fog-dragonfly/OSVDB-96798.yml | 13 +++++++++++++
+ gems/sounder/OSVDB-96278.yml       | 13 +++++++++++++
+ gems/wicked/OSVDB-98270.yml        | 14 ++++++++++++++
+ 6 files changed, 73 insertions(+)
+ create mode 100644 gems/actionmailer/OSVDB-98629.yml
+ create mode 100644 gems/cocaine/OSVDB-98835.yml
+ create mode 100644 gems/fog-dragonfly/OSVDB-96798.yml
+ create mode 100644 gems/sounder/OSVDB-96278.yml
+ create mode 100644 gems/wicked/OSVDB-98270.yml
+ruby-advisory-db: 64 advisories
+```
 
 Update the [ruby-advisory-db] and check `Gemfile.lock` (useful for CI runs):
 
@@ -159,7 +163,7 @@ Bundler::Audit::Task.new
 
 The following `rake` tasks will then become available:
 
-```bash
+```
 $ rake -T
 rake bundle:audit
 rake bundle:audit:update

data/bundler-audit.gemspec

@@ -18,6 +18,7 @@ Gem::Specification.new do |gem|
   gem.authors     = Array(gemspec['authors'])
   gem.email       = gemspec['email']
   gem.homepage    = gemspec['homepage']
+  gem.metadata    = gemspec['metadata'] if gemspec['metadata']
 
   glob = lambda { |patterns| gem.files & Dir[*patterns] }
 

data/gemspec.yml

@@ -8,9 +8,9 @@ homepage: https://github.com/rubysec/bundler-audit#readme
 
 metadata:
   documentation_uri: https://rubydoc.info/gems/bundler-audit
-  source_code_uri:   https://github.com/rubysec/bundler-audit.rb
-  bug_tracker_uri:   https://github.com/rubysec/bundler-audit.rb/issues
-  changelog_uri:     https://github.com/rubysec/bundler-audit.rb/blob/master/ChangeLog.md
+  source_code_uri:   https://github.com/rubysec/bundler-audit
+  bug_tracker_uri:   https://github.com/rubysec/bundler-audit/issues
+  changelog_uri:     https://github.com/rubysec/bundler-audit/blob/master/ChangeLog.md
   rubygems_mfa_required: 'true'
 
 required_ruby_version: ">= 2.0.0"
@@ -18,4 +18,4 @@ required_rubygems_version: ">= 1.8.0"
 
 dependencies:
   thor: "~> 1.0"
-  bundler: ">= 1.2.0, < 3"
+  bundler: ">= 1.2.0"

data/lib/bundler/audit/cli.rb

@@ -39,7 +39,7 @@ module Bundler
       method_option :ignore, type: :array, aliases: '-i'
       method_option :update, type: :boolean, aliases: '-u'
       method_option :database, type: :string, aliases: '-D',
-                               default: Database::USER_PATH
+                               default: Database::DEFAULT_PATH
       method_option :format, type: :string, default: 'text', aliases: '-F'
       method_option :config, type: :string, aliases: '-c', default: '.bundler-audit.yml'
       method_option :gemfile_lock, type: :string, aliases: '-G',
@@ -91,7 +91,7 @@ module Bundler
       desc 'stats', 'Prints ruby-advisory-db stats'
       method_option :quiet, type: :boolean, aliases: '-q'
 
-      def stats(path=Database.path)
+      def stats(path=Database::DEFAULT_PATH)
         database = Database.new(path)
 
         puts "ruby-advisory-db:"
@@ -106,7 +106,7 @@ module Bundler
       desc 'download', 'Downloads ruby-advisory-db'
       method_option :quiet, type: :boolean, aliases: '-q'
 
-      def download(path=Database.path)
+      def download(path=Database::DEFAULT_PATH)
         if Database.exists?(path)
           say "Database already exists", :yellow
           return
@@ -127,7 +127,7 @@ module Bundler
       desc 'update', 'Updates the ruby-advisory-db'
       method_option :quiet, type: :boolean, aliases: '-q'
 
-      def update(path=Database.path)
+      def update(path=Database::DEFAULT_PATH)
         unless Database.exists?(path)
           download(path)
           return

data/lib/bundler/audit/database.rb

@@ -103,7 +103,7 @@ module Bundler
       # @option options [Boolean] :quiet
       #   Specify whether `git` should be `--quiet`.
       #
-      # @return [Dataase]
+      # @return [Database]
       #   The newly downloaded database.
       #
       # @raise [DownloadFailed]

data/lib/bundler/audit/version.rb

@@ -18,6 +18,6 @@
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = '0.9.2'
+    VERSION = '0.9.3'
   end
 end

data/spec/integration_spec.rb

@@ -11,7 +11,14 @@ describe "bin/bundler-audit" do
   subject { sh(command) }
 
   it "must invoke the CLI class" do
-    expect(subject).to eq("bundler-audit #{Bundler::Audit::VERSION}#{$/}")
+    expected = "bundler-audit #{Bundler::Audit::VERSION}#{$/}"
+
+    if RUBY_VERSION.start_with?("3.0") || RUBY_ENGINE == "truffleruby"
+      # Allow `WARN: Unresolved or ambiguous specs during Gem::Specification.reset:` for Ruby 3.0.x and TruffleRuby
+      expect(subject).to include(expected)
+    else
+      expect(subject).to eq(expected)
+    end
   end
 end
 
@@ -26,6 +33,13 @@ describe "bin/bundle-audit" do
   subject { sh(command) }
 
   it "must invoke the CLI class" do
-    expect(subject).to eq("bundler-audit #{Bundler::Audit::VERSION}#{$/}")
+    expected = "bundler-audit #{Bundler::Audit::VERSION}#{$/}"
+
+    if RUBY_VERSION.start_with?("3.0") || RUBY_ENGINE == "truffleruby"
+      # Allow `WARN: Unresolved or ambiguous specs during Gem::Specification.reset:` for Ruby 3.0.x and TruffleRuby
+      expect(subject).to include(expected)
+    else
+      expect(subject).to eq(expected)
+    end
   end
 end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: bundler-audit
 version: !ruby/object:Gem::Version
-  version: 0.9.2
+  version: 0.9.3
 platform: ruby
 authors:
 - Postmodern
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-08-22 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -31,9 +30,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.2.0
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -41,9 +37,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.2.0
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3'
 description: bundler-audit provides patch-level verification for Bundled apps.
 email: postmodern.mod3@gmail.com
 executables:
@@ -129,8 +122,11 @@ homepage: https://github.com/rubysec/bundler-audit#readme
 licenses:
 - GPL-3.0-or-later
 metadata:
+  documentation_uri: https://rubydoc.info/gems/bundler-audit
+  source_code_uri: https://github.com/rubysec/bundler-audit
+  bug_tracker_uri: https://github.com/rubysec/bundler-audit/issues
+  changelog_uri: https://github.com/rubysec/bundler-audit/blob/master/ChangeLog.md
   rubygems_mfa_required: 'true'
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -145,8 +141,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.8.0
 requirements: []
-rubygems_version: 3.5.11
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Patch-level verification for Bundler
 test_files: []