still_active 1.0.1 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f4f584514824888d1b457c3b3662c449d5aa5ef8244cb31760ed005afc2204d3
-  data.tar.gz: 9e2c109064b073de04025c36730a171760beae79866e97bff44d4008d7cf1187
+  metadata.gz: 8c861ae8a727347f9b276576f3da48d806fbc25ab05020d849e5e92c8de49732
+  data.tar.gz: bc3e5d7429e17adc0b6b0e955f50a6ddb9e7f157f1c656bf8c9044113cd5a97e
 SHA512:
-  metadata.gz: 00a1c67f51fc48961185bfcab6f6ec1a30cfa15f417a8feec70606d673f2ac7278d7dd267376af27e6670d88316ba31ae7d8d63ad3f470f94b5c483e03cbbd1e
-  data.tar.gz: bb4bc6f91c96a3f24381179cc295ea21f3f9545ef9a148f95fc53525195e6cda4111887c8d247c1bf50e59f2edd9e94ac5987609ab588300f3a612aae5228e5c
+  metadata.gz: e922835a769aeb9817dd27e99bf194c39e21e43794ee66d6d7d1db4c2c9ccaf11cf40d75ac251302f014f3df539998ab4e285f446fb68b6aaa080259421cc1fb
+  data.tar.gz: 932b7e3dbd72cd02492070eced16a77e1a8a1649bb86132f2a7f827339d3f42138633139cbfd5134e31b1c4a92d18b28758afafc74674402f72a9ed2d7512399

data/CHANGELOG.md

@@ -1,5 +1,74 @@
 # Changelog
 
+## [1.2.0] - 2026-02-20
+
+### Added
+
+- `--fail-if-vulnerable[=SEVERITY]` flag: exit 1 if any gem has known vulnerabilities, optionally filtered by severity (low/medium/high/critical)
+- `--fail-if-outdated=LIBYEARS` flag: exit 1 if any gem exceeds the given libyear threshold
+- Coloured OpenSSF column in terminal output: green for strong practices (7.0+), yellow for notably weak (below 4.0)
+
+### Changed
+
+- Removed composite health score (0-100) and Health column from terminal, markdown, and JSON output; individual columns (vulns, OpenSSF, activity, version) communicate these signals without collapsing them into one number
+- Replaced `--fail-below-score` with `--fail-if-vulnerable` and `--fail-if-outdated` for targeted CI gating
+
+### Fixed
+
+- Repository URLs with `.git` suffix (e.g. `socketry/async.git`) caused 404s against GitHub/GitLab APIs
+- GitLab 301 redirects for renamed projects silently failed; now follows up to 3 redirects with trusted host check
+- Network errors (`ECONNRESET`, timeouts, etc.) during RubyGems version lookup or HTTP API calls dropped the entire gem from results instead of warning
+- GitHub Packages URI check used substring match, allowing crafted URLs to bypass host validation; now parses URI and compares host exactly
+- Tri-state `archived?` predicate renamed to `archived` to honestly reflect `true`/`false`/`nil` return contract
+- Rubocop offences from code scanning (WordArray, IfInsideElse, MultilineHash, frozen_string_literal)
+
+## [1.1.0] - 2026-02-20
+
+### Added
+
+- `--ignore=GEM,GEM2,...` flag to exclude gems from pass/fail checks while keeping them in output
+- `--fail-below-score=SCORE` flag for health-based CI gating (exit 1 if any gem scores below threshold)
+- Yanked version detection: flags pinned versions that have been pulled from RubyGems
+- Archived repo detection via GitHub and GitLab APIs, treated as critical for exit checks
+- Libyear metric: years between installed and latest release per gem, total in summary
+- Advisory enrichment: CVSS scores, titles, and IDs from deps.dev per vulnerability
+- Composite health score (0-100) combining version freshness, activity, OpenSSF Scorecard, and vulnerabilities
+- Health column in terminal and markdown output, system average in terminal summary
+- Ruby version freshness: reports current Ruby version, EOL status, and libyear behind latest via endoflife.date API
+- Source detection: identifies gem source type (rubygems, git, path) from Bundler lockfile
+- Non-rubygems gem handling: git/path-sourced gems show gracefully with source indicator instead of failing silently
+- GitHub Packages registry support: fetches versions from `rubygems.pkg.github.com` using existing `--github-oauth-token` (requires `read:packages` scope)
+- CVSS v2 fallback: older advisories without v3 scores now show severity using v2 scores from deps.dev
+
+### Changed
+
+- Vulnerability column shows count with highest severity label (e.g. "3 (critical)")
+- Markdown vulnerability column shows advisory IDs
+- Markdown table adds libyear and health columns
+- Terminal summary includes libyear total and health average
+- JSON output wrapped in `{ "gems": ..., "ruby": ... }` structure
+- Version string validation guards against malformed versions from git-sourced gems
+- Progress counter on stderr during gem checking so large Gemfiles don't appear frozen
+- Actionable rate limit message when GitHub API quota is exhausted
+- `--fail-below-score` now validates range (0-100) at parse time
+- `--gems` option stores structured data from the start instead of mutating mid-run
+- API failures (timeouts, HTTP errors, malformed responses) now warn on stderr instead of degrading silently
+- Vulnerability count based on successfully fetched advisories so count and severity always agree
+
+### Fixed
+
+- Vulnerability counts now checked against installed version, not latest (was masking CVEs in older pinned versions)
+- `GitlabClient.archived?` returned `false` on API failure instead of `nil`, incorrectly asserting repos were not archived
+- `repo_archived?` rescued all `StandardError`, masking bugs; now catches only `Octokit::Error` and `Faraday::Error`
+- `last_commit_date` had no error handling; any failure dropped the entire gem from results
+- Malformed date strings from GitHub/GitLab APIs no longer raise unhandled `ArgumentError`
+
+## [1.0.2] - 2026-02-19
+
+### Changed
+
+- Reduce gem package from 2.4MB to essentials only (lib/, bin/still_active, LICENSE, README, CHANGELOG, gemspec)
+
 ## [1.0.1] - 2026-02-19
 
 ### Changed

data/README.md

@@ -2,7 +2,7 @@
 
 **How do you know if your Ruby dependencies are still maintained?**
 
-`bundle outdated` tells you version drift. `bundler-audit` catches known CVEs. Neither tells you whether anyone is still working on the thing. `still_active` checks maintenance activity, version freshness, security scores, and vulnerabilities for every gem in your Gemfile -- in one pass.
+`bundle outdated` tells you version drift. `bundler-audit` catches known CVEs. Neither tells you whether anyone is still working on the thing. `still_active` checks maintenance activity, version freshness, security scores, vulnerabilities, libyear drift, and archived repos for every gem in your Gemfile.
 
 [![Gem Version](https://badge.fury.io/rb/still_active.svg)](https://badge.fury.io/rb/still_active)
 ![Code Quality analysis](https://github.com/SeanLF/still_active/actions/workflows/codeql-analysis.yml/badge.svg)
@@ -10,16 +10,18 @@
 ![Rubocop analysis](https://github.com/SeanLF/still_active/actions/workflows/rubocop-analysis.yml/badge.svg)
 
 ```
-Name                   Version          Activity  OpenSSF  Vulns
-──────────────────────────────────────────────────────────────────
-code-scanning-rubocop  0.6.1 (latest)   stale     3.1/10   0
-debug                  1.11.1 (latest)  ok        5.2/10   0
-faker                  3.6.0 (latest)   ok        7.4/10   0
-rake                   13.3.1 (latest)  ok        5.3/10   0
-rspec                  3.13.2 (latest)  ok        6.9/10   0
-rubocop                1.84.2 (latest)  ok        5.9/10   0
-
-12 gems: 12 up to date, 0 outdated · 11 active, 1 stale · 0 vulnerabilities
+Name                    Version          Activity  OpenSSF  Vulns
+───────────────────────────────────────────────────────────────────
+async                   2.36.0 (latest)  ok        7.1/10   0
+backbone-rails          1.2.3 (latest)   archived  3.6/10   0
+bootstrap-slider-rails  9.8.0 (latest)   critical  -        0
+gitlab-markup           2.0.0 (latest)   ok        -        0
+local_gem               0.1.0 (path)     -         -        0
+nested_form             0.3.2 (git)      archived  3.3/10   0
+remotipart              1.4.4 (git)      critical  3.1/10   0
+
+7 gems: 4 up to date, 0 outdated · 2 active, 2 stale, 2 archived · 0 vulnerabilities
+Ruby 4.0.1 (latest)
 ```
 
 ## Why `still_active`?
@@ -29,11 +31,16 @@ Most dependency tools answer one question. `still_active` answers all of them at
 |                              | `bundle outdated` | `bundler-audit` | `libyear-bundler` | **`still_active`**           |
 | ---------------------------- | ----------------- | --------------- | ----------------- | ---------------------------- |
 | Outdated versions            | Yes               | -               | Yes               | **Yes**                      |
-| Known vulnerabilities (CVEs) | -                 | Yes             | -                 | **Yes**                      |
+| Known vulnerabilities (CVEs) | -                 | Yes             | -                 | **Yes** (with severity)      |
 | OpenSSF Scorecard            | -                 | -               | -                 | **Yes**                      |
 | Last commit activity         | -                 | -               | -                 | **Yes**                      |
+| Libyear drift                | -                 | -               | Yes               | **Yes**                      |
+| Archived repo detection      | -                 | -               | -                 | **Yes**                      |
+| Yanked version detection     | -                 | -               | -                 | **Yes**                      |
+| Ruby version freshness       | -                 | -               | -                 | **Yes** (EOL + libyear)      |
+| Git/path/GH Packages sources | -                 | -               | -                 | **Yes**                      |
 | GitLab support               | -                 | -               | -                 | **Yes**                      |
-| CI quality gates             | -                 | Exit code       | -                 | **Yes**                      |
+| CI quality gates             | -                 | Exit code       | -                 | **Yes** (5 modes)            |
 | Multiple output formats      | -                 | -               | -                 | **Terminal, JSON, Markdown** |
 | Single command               | Yes               | Yes             | Yes               | **Yes**                      |
 
@@ -54,8 +61,11 @@ still_active
 # check specific gems
 still_active --gems=rails,nokogiri,sidekiq
 
-# CI pipeline: fail if any gem is critically stale
-still_active --fail-if-critical
+# CI pipeline: fail if any gem is critically stale or has vulnerabilities
+still_active --fail-if-critical --fail-if-vulnerable
+
+# ignore specific gems in CI checks
+still_active --fail-if-warning --ignore=legacy_gem,internal_gem
 
 # markdown table for pull requests or documentation
 still_active --markdown
@@ -86,6 +96,10 @@ Usage: still_active [options]
         --warning-range-end=YEARS    maximum years since last activity that triggers a warning (beyond this is critical)
         --fail-if-critical           Exit 1 if any gem has critical activity warning
         --fail-if-warning            Exit 1 if any gem has warning or critical activity warning
+        --fail-if-vulnerable[=SEVERITY]
+                                     Exit 1 if any gem has vulnerabilities (optionally at or above SEVERITY)
+        --fail-if-outdated=LIBYEARS  Exit 1 if any gem exceeds LIBYEARS behind latest
+        --ignore=GEM,GEM2,...        Exclude gems from pass/fail checks (still shown in output)
         --critical-warning-emoji=EMOJI
         --futurist-emoji=EMOJI
         --success-emoji=EMOJI
@@ -102,32 +116,44 @@ Usage: still_active [options]
 **JSON** (default when piped) -- structured data for automation:
 
 ```bash
-still_active --json --gems=rails,nokogiri
+still_active --json --gemfile=spec/still_active/edge_case_gemfile/Gemfile
 ```
 
 ```json
 {
-  "rails": {
-    "latest_version": "8.1.2",
-    "latest_version_release_date": "2026-01-08 20:18:51 UTC",
-    "latest_pre_release_version": "8.1.0.rc1",
-    "latest_pre_release_version_release_date": "2025-10-15 00:52:14 UTC",
-    "repository_url": "https://github.com/rails/rails",
-    "last_commit_date": "2026-02-19 09:39:03 UTC",
-    "scorecard_score": 5.7,
-    "vulnerability_count": 0,
-    "ruby_gems_url": "https://rubygems.org/gems/rails"
+  "gems": {
+    "async": {
+      "source_type": "rubygems",
+      "version_used": "2.36.0",
+      "latest_version": "2.36.0",
+      "repository_url": "https://github.com/socketry/async",
+      "last_commit_date": "2026-01-22 04:09:48 UTC",
+      "archived": false,
+      "scorecard_score": 7.1,
+      "vulnerability_count": 0,
+      "libyear": 0.0
+    },
+    "nested_form": {
+      "source_type": "git",
+      "version_used": "0.3.2",
+      "repository_url": "https://github.com/ryanb/nested_form",
+      "last_commit_date": "2021-12-11 21:47:02 UTC",
+      "archived": true,
+      "scorecard_score": 3.3,
+      "vulnerability_count": 0
+    },
+    "local_gem": {
+      "source_type": "path",
+      "version_used": "0.1.0",
+      "scorecard_score": null,
+      "vulnerability_count": 0
+    }
   },
-  "nokogiri": {
-    "latest_version": "1.19.1",
-    "latest_version_release_date": "2026-02-16 23:31:21 UTC",
-    "latest_pre_release_version": "1.18.0.rc1",
-    "latest_pre_release_version_release_date": "2024-12-16 17:48:44 UTC",
-    "repository_url": "https://github.com/sparklemotion/nokogiri",
-    "last_commit_date": "2026-02-17 19:13:22 UTC",
-    "scorecard_score": 6.5,
-    "vulnerability_count": 0,
-    "ruby_gems_url": "https://rubygems.org/gems/nokogiri"
+  "ruby": {
+    "version": "4.0.1",
+    "eol": false,
+    "latest_version": "4.0.1",
+    "libyear": 0.0
   }
 }
 ```
@@ -138,18 +164,37 @@ still_active --json --gems=rails,nokogiri
 still_active --markdown
 ```
 
-| activity | up to date? | OpenSSF | vulns | name                  | version used     | latest version   | latest pre-release  | last commit |
-| -------- | ----------- | ------- | ----- | --------------------- | ---------------- | ---------------- | ------------------- | ----------- |
-| ⚠️       | ✅          | 3.1/10  | ✅    | code-scanning-rubocop | 0.6.1 (2022/02)  | 0.6.1 (2022/02)  | ❓                  | 2024/06     |
-|          | ✅          | 5.2/10  | ✅    | debug                 | 1.11.1 (2025/12) | 1.11.1 (2025/12) | 1.0.0.rc2 (2021/09) | 2025/12     |
-|          | ✅          | 7.4/10  | ✅    | faker                 | 3.6.0 (2026/01)  | 3.6.0 (2026/01)  | ❓                  | 2026/02     |
+| activity | up to date? | OpenSSF | vulns | name                                                         | version used                                                               | latest version                                                             | latest pre-release | last commit                                           | libyear |
+| -------- | ----------- | ------- | ----- | ------------------------------------------------------------ | -------------------------------------------------------------------------- | -------------------------------------------------------------------------- | ------------------ | ----------------------------------------------------- | ------- |
+|          | ✅          | 7.1/10  | ✅    | [async](https://github.com/socketry/async)                   | [2.36.0](https://rubygems.org/gems/async/versions/2.36.0) (2026/01)        | [2.36.0](https://rubygems.org/gems/async/versions/2.36.0) (2026/01)        | ❓                 | [2026/01](https://github.com/socketry/async)          | 0.0y    |
+| 🚩       | ✅          | 3.6/10  | ✅    | [backbone-rails](https://github.com/aflatter/backbone-rails) | [1.2.3](https://rubygems.org/gems/backbone-rails/versions/1.2.3) (2016/02) | [1.2.3](https://rubygems.org/gems/backbone-rails/versions/1.2.3) (2016/02) | ❓                 | [2016/02](https://github.com/aflatter/backbone-rails) | 0.0y    |
+| ❓       | ❓          | ❓      | ✅    | local_gem                                                    | 0.1.0 (path)                                                               | ❓                                                                         | ❓                 | ❓                                                    | -       |
+| 🚩       | ❓          | 3.3/10  | ✅    | [nested_form](https://github.com/ryanb/nested_form)          | 0.3.2 (git)                                                                | ❓                                                                         | ❓                 | [2021/12](https://github.com/ryanb/nested_form)       | -       |
+
+**Ruby 4.0.1** (latest) ✅
 
 ### CI quality gating
 
-Use `--fail-if-critical` or `--fail-if-warning` to fail CI pipelines when dependencies exceed activity thresholds:
+Use exit-code flags to fail CI pipelines based on dependency status:
 
 ```bash
-still_active --gemfile=Gemfile --fail-if-warning --json
+# fail on critically stale or archived gems
+still_active --fail-if-critical --json
+
+# fail on any stale, critical, or archived gem
+still_active --fail-if-warning --json
+
+# fail if any gem has known vulnerabilities
+still_active --fail-if-vulnerable --json
+
+# fail only on high/critical severity vulnerabilities
+still_active --fail-if-vulnerable=high --json
+
+# fail if any gem is more than 3 libyears behind
+still_active --fail-if-outdated=3 --json
+
+# combine flags and exclude known exceptions
+still_active --fail-if-warning --fail-if-vulnerable --ignore=legacy_gem --json
 ```
 
 ### Activity thresholds
@@ -162,9 +207,10 @@ Activity is determined by the most recent signal across last commit date, latest
 
 ### Data sources
 
-- **Versions and release dates** from [RubyGems.org](https://rubygems.org)
-- **Last commit date** from the [GitHub](https://docs.github.com/en/rest) or [GitLab](https://docs.gitlab.com/ee/api/) API
-- **OpenSSF Scorecard** and **vulnerability counts** from Google's [deps.dev](https://deps.dev) API
+- **Versions and release dates** from [RubyGems.org](https://rubygems.org) or [GitHub Packages](https://docs.github.com/en/packages)
+- **Last commit date and archived status** from the [GitHub](https://docs.github.com/en/rest) or [GitLab](https://docs.gitlab.com/ee/api/) API
+- **OpenSSF Scorecard**, **vulnerability counts**, and **CVSS severity** from Google's [deps.dev](https://deps.dev) API
+- **Ruby version freshness** from [endoflife.date](https://endoflife.date)
 
 ### Configuration defaults
 

data/lib/helpers/activity_helper.rb

@@ -8,8 +8,10 @@ module StillActive
 
     using StillActive::CoreExt
 
-    # Returns :ok, :stale, :critical, or :unknown
+    # Returns :archived, :ok, :stale, :critical, or :unknown
     def activity_level(gem_data)
+      return :archived if gem_data[:archived]
+
       most_recent = [
         gem_data[:last_commit_date],
         gem_data[:latest_version_release_date],

data/lib/helpers/bundler_helper.rb

@@ -12,7 +12,36 @@ module StillActive
         .locked_gems
         .specs
         .select { |spec| gemfile_gems.include?(spec.name) }
-        .each_with_object([]) { |spec, array| array << { name: spec.name, version: spec.version.version } }
+        .map do |spec|
+          {
+            name: spec.name,
+            version: spec.version.version,
+            source_type: detect_source_type(spec),
+            source_uri: detect_source_uri(spec),
+          }
+        end
+    end
+
+    private
+
+    def detect_source_type(spec)
+      case spec.source
+      when ::Bundler::Source::Rubygems then :rubygems
+      when ::Bundler::Source::Git then :git
+      when ::Bundler::Source::Path then :path
+      else :unknown
+      end
+    end
+
+    def detect_source_uri(spec)
+      case spec.source
+      when ::Bundler::Source::Rubygems
+        spec.source.remotes&.first&.to_s
+      when ::Bundler::Source::Git
+        spec.source.uri
+      when ::Bundler::Source::Path
+        spec.source.path&.to_s
+      end
     end
   end
 end

data/lib/helpers/emoji_helper.rb

@@ -10,7 +10,7 @@ module StillActive
       case ActivityHelper.activity_level(result_hash)
       when :ok then ""
       when :stale then StillActive.config.warning_emoji
-      when :critical then StillActive.config.critical_warning_emoji
+      when :archived, :critical then StillActive.config.critical_warning_emoji
       when :unknown then StillActive.config.unsure_emoji
       end
     end

data/lib/helpers/http_helper.rb

@@ -5,6 +5,9 @@ require "json"
 
 module StillActive
   module HttpHelper
+    TRUSTED_HOSTS = ["github.com", "gitlab.com", "api.deps.dev", "endoflife.date", "rubygems.pkg.github.com"].freeze
+    MAX_REDIRECTS = 3
+
     extend self
 
     def get_json(base_uri, path, headers: {}, params: {})
@@ -12,19 +15,44 @@ module StillActive
       uri.path = path
       uri.query = URI.encode_www_form(params) unless params.empty?
 
-      http = Net::HTTP.new(uri.host, uri.port)
-      http.use_ssl = true
-      http.open_timeout = 10
-      http.read_timeout = 10
+      MAX_REDIRECTS.times do
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = true
+        http.open_timeout = 10
+        http.read_timeout = 10
+
+        request = Net::HTTP::Get.new(uri)
+        headers.each { |key, value| request[key] = value }
+
+        response = http.request(request)
 
-      request = Net::HTTP::Get.new(uri)
-      headers.each { |key, value| request[key] = value }
+        if response.is_a?(Net::HTTPRedirection)
+          redirect_uri = uri + response["Location"]
+          unless TRUSTED_HOSTS.include?(redirect_uri.host)
+            $stderr.puts("warning: #{uri.host}#{uri.path} redirected to untrusted host #{redirect_uri.host}, skipping")
+            return
+          end
+          $stderr.puts("warning: #{uri.host}#{uri.path} redirected to #{redirect_uri.host}#{redirect_uri.path} (stale metadata?)")
+          headers = {} if redirect_uri.host != uri.host
+          uri = redirect_uri
+          next
+        end
 
-      response = http.request(request)
-      return unless response.is_a?(Net::HTTPSuccess)
+        unless response.is_a?(Net::HTTPSuccess)
+          $stderr.puts("warning: #{uri.host}#{uri.path} returned HTTP #{response.code}") unless response.is_a?(Net::HTTPNotFound)
+          return
+        end
 
-      JSON.parse(response.body)
-    rescue Net::OpenTimeout, Net::ReadTimeout, SocketError, Errno::ECONNREFUSED, JSON::ParserError
+        return JSON.parse(response.body)
+      end
+
+      $stderr.puts("warning: #{uri.host}#{uri.path} too many redirects")
+      nil
+    rescue Net::OpenTimeout, Net::ReadTimeout, SocketError, Errno::ECONNREFUSED, Errno::ECONNRESET => e
+      $stderr.puts("warning: #{uri.host}#{uri.path} failed: #{e.class} (#{e.message})")
+      nil
+    rescue JSON::ParserError => e
+      $stderr.puts("warning: #{uri.host}#{uri.path} returned invalid JSON: #{e.message}")
       nil
     end
   end

data/lib/helpers/libyear_helper.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require_relative "../still_active/core_ext"
+
+module StillActive
+  module LibyearHelper
+    extend self
+
+    def gem_libyear(version_used_release_date:, latest_version_release_date:)
+      return if version_used_release_date.nil? || latest_version_release_date.nil?
+
+      diff = latest_version_release_date - version_used_release_date
+      [diff / CoreExt::SECONDS_PER_YEAR, 0.0].max.round(1)
+    end
+
+    def total_libyear(result)
+      result.each_value.sum { |d| d[:libyear] || 0.0 }
+    end
+  end
+end

data/lib/helpers/markdown_helper.rb

@@ -1,12 +1,33 @@
 # frozen_string_literal: true
 
+require_relative "vulnerability_helper"
+
 module StillActive
   module MarkdownHelper
     extend self
 
+    def ruby_line(ruby_info)
+      version = ruby_info[:version]
+      latest = ruby_info[:latest_version]
+      libyear = ruby_info[:libyear]
+      eol = ruby_info[:eol]
+      eol_date = ruby_info[:eol_date]
+
+      return "**Ruby #{version}** (latest) #{StillActive.config.success_emoji}" if version == latest
+
+      libyear_part = libyear ? "#{libyear} libyears behind #{latest}" : "behind #{latest}"
+
+      if eol
+        eol_part = eol_date ? "EOL #{eol_date.strftime("%Y-%m-%d")}" : "EOL"
+        "**Ruby #{version}** (#{eol_part}, #{libyear_part}) #{StillActive.config.critical_warning_emoji}"
+      else
+        "**Ruby #{version}** (#{libyear_part}) #{StillActive.config.warning_emoji}"
+      end
+    end
+
     def markdown_table_header_line
-      "| activity | up to date? | OpenSSF | vulns | name | version used | latest version | latest pre-release | last commit |\n" \
-        "| -------- | ----------- | ------- | ----- | ---- | ------------ | -------------- | ------------------ | ----------- |"
+      "| activity | up to date? | OpenSSF | vulns | name | version used | latest version | latest pre-release | last commit | libyear |\n" \
+        "| -------- | ----------- | ------- | ----- | ---- | ------------ | -------------- | ------------------ | ----------- | ------- |"
     end
 
     def markdown_table_body_line(gem_name:, data:)
@@ -18,11 +39,17 @@ module StillActive
 
       formatted_name = markdown_url(text: gem_name, url: repository_url)
 
-      formatted_version_used = version_with_date(
-        text: data[:version_used],
-        url: version_url(ruby_gems_url, data[:version_used]),
-        date: data[:version_used_release_date],
-      )
+      formatted_version_used = if [:git, :path].include?(data[:source_type])
+        data[:version_used] ? "#{data[:version_used]} (#{data[:source_type]})" : "(#{data[:source_type]})"
+      elsif data[:version_yanked]
+        "#{data[:version_used]} (YANKED #{StillActive.config.critical_warning_emoji})"
+      else
+        version_with_date(
+          text: data[:version_used],
+          url: version_url(ruby_gems_url, data[:version_used]),
+          date: data[:version_used_release_date],
+        )
+      end
 
       formatted_latest_version = version_with_date(
         text: data[:latest_version],
@@ -44,12 +71,13 @@ module StillActive
         inactive_repository_emoji || unsure,
         using_latest_version_emoji || unsure,
         format_scorecard(data[:scorecard_score]),
-        format_vulns(data[:vulnerability_count]),
+        format_vulns(data),
         formatted_name,
         formatted_version_used || unsure,
         formatted_latest_version || unsure,
         formatted_latest_pre_release || unsure,
         formatted_last_commit || unsure,
+        format_libyear(data[:libyear]),
       ]
 
       "| #{cells.join(" | ")} |"
@@ -79,11 +107,24 @@ module StillActive
       "#{score}/10"
     end
 
-    def format_vulns(count)
+    def format_libyear(value)
+      return "-" if value.nil?
+
+      "#{value}y"
+    end
+
+    def format_vulns(data)
+      count = data[:vulnerability_count]
       return StillActive.config.unsure_emoji if count.nil?
       return StillActive.config.success_emoji if count.zero?
 
-      count.to_s
+      vulnerabilities = data[:vulnerabilities] || []
+      severity = VulnerabilityHelper.highest_severity(vulnerabilities)
+      ids = vulnerabilities.flat_map { |v| [v[:id], *v[:aliases]] }.compact.uniq.first(3)
+
+      parts = [severity ? "#{count} (#{severity})" : count.to_s]
+      parts << ids.join(", ") unless ids.empty?
+      parts.join(" ")
     end
 
     def markdown_url(text:, url:)

data/lib/helpers/ruby_helper.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+require "time"
+require_relative "http_helper"
+require_relative "libyear_helper"
+
+module StillActive
+  module RubyHelper
+    extend self
+
+    ENDOFLIFE_URI = URI("https://endoflife.date/")
+
+    def ruby_freshness
+      return unless standard_ruby?
+
+      cycles = fetch_cycles
+      return if cycles.nil?
+
+      current = current_ruby_version
+      current_cycle = find_cycle(cycles, current)
+      latest_cycle = cycles.first
+
+      return if latest_cycle.nil?
+
+      latest_version = latest_cycle["latest"]
+      latest_release_date = parse_date(latest_cycle["releaseDate"])
+      current_release_date = parse_date(current_cycle&.dig("releaseDate"))
+      eol_value = current_cycle&.dig("eol")
+
+      {
+        version: current,
+        release_date: current_release_date,
+        eol_date: parse_eol(eol_value),
+        eol: eol_reached?(eol_value),
+        latest_version: latest_version,
+        latest_release_date: latest_release_date,
+        libyear: LibyearHelper.gem_libyear(
+          version_used_release_date: current_release_date,
+          latest_version_release_date: latest_release_date,
+        ),
+      }
+    end
+
+    private
+
+    def standard_ruby?
+      RUBY_ENGINE == "ruby"
+    end
+
+    def current_ruby_version
+      RUBY_VERSION
+    end
+
+    def fetch_cycles
+      HttpHelper.get_json(ENDOFLIFE_URI, "/api/ruby.json")
+    end
+
+    def find_cycle(cycles, version)
+      major_minor = version.split(".")[0..1].join(".")
+      cycles.find { |c| c["cycle"] == major_minor }
+    end
+
+    def parse_date(date_string)
+      return if date_string.nil?
+
+      Time.parse(date_string)
+    end
+
+    def parse_eol(value)
+      case value
+      when String then parse_date(value)
+      end
+    end
+
+    def eol_reached?(value)
+      case value
+      when true then true
+      when false then false
+      when String then Time.parse(value) <= Time.now
+      end
+    end
+  end
+end