still_active 1.0.1 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f4f584514824888d1b457c3b3662c449d5aa5ef8244cb31760ed005afc2204d3
-  data.tar.gz: 9e2c109064b073de04025c36730a171760beae79866e97bff44d4008d7cf1187
+  metadata.gz: ebdc7af759c1dfe0bf4172000aab61f100e7dc8463374c5cf12458c69a3ff7ad
+  data.tar.gz: 5988d28e7fa84d686786ddf56e7da557d4935d8c5c305c33105593e859216941
 SHA512:
-  metadata.gz: 00a1c67f51fc48961185bfcab6f6ec1a30cfa15f417a8feec70606d673f2ac7278d7dd267376af27e6670d88316ba31ae7d8d63ad3f470f94b5c483e03cbbd1e
-  data.tar.gz: bb4bc6f91c96a3f24381179cc295ea21f3f9545ef9a148f95fc53525195e6cda4111887c8d247c1bf50e59f2edd9e94ac5987609ab588300f3a612aae5228e5c
+  metadata.gz: a0c5bd6fabfc32a72dcb6169b89bfe3ffb93879117be4b3489705844f4d84ffc226ed4ba42b1bc86a2d253416de94503ffd3263777d172b1fb9d2fbc85ff687b
+  data.tar.gz: 05be629f02347fe1594351884a06135acf34d843a8611e073bce41fbae29164492bd343468cac5c6ed95651c775e2d93ea58d408c5879fd3f7253f2724954318

data/CHANGELOG.md

@@ -1,5 +1,52 @@
 # Changelog
 
+## [1.1.0] - 2026-02-20
+
+### Added
+
+- `--ignore=GEM,GEM2,...` flag to exclude gems from pass/fail checks while keeping them in output
+- `--fail-below-score=SCORE` flag for health-based CI gating (exit 1 if any gem scores below threshold)
+- Yanked version detection: flags pinned versions that have been pulled from RubyGems
+- Archived repo detection via GitHub and GitLab APIs, treated as critical for exit checks
+- Libyear metric: years between installed and latest release per gem, total in summary
+- Advisory enrichment: CVSS scores, titles, and IDs from deps.dev per vulnerability
+- Composite health score (0-100) combining version freshness, activity, OpenSSF Scorecard, and vulnerabilities
+- Health column in terminal and markdown output, system average in terminal summary
+- Ruby version freshness: reports current Ruby version, EOL status, and libyear behind latest via endoflife.date API
+- Source detection: identifies gem source type (rubygems, git, path) from Bundler lockfile
+- Non-rubygems gem handling: git/path-sourced gems show gracefully with source indicator instead of failing silently
+- GitHub Packages registry support: fetches versions from `rubygems.pkg.github.com` using existing `--github-oauth-token` (requires `read:packages` scope)
+- CVSS v2 fallback: older advisories without v3 scores now show severity using v2 scores from deps.dev
+
+### Changed
+
+- Vulnerability column shows count with highest severity label (e.g. "3 (critical)")
+- Markdown vulnerability column shows advisory IDs
+- Markdown table adds libyear and health columns
+- Terminal summary includes libyear total and health average
+- JSON output wrapped in `{ "gems": ..., "ruby": ... }` structure
+- Version string validation guards against malformed versions from git-sourced gems
+- Progress counter on stderr during gem checking so large Gemfiles don't appear frozen
+- Actionable rate limit message when GitHub API quota is exhausted
+- `--fail-below-score` now validates range (0-100) at parse time
+- `--gems` option stores structured data from the start instead of mutating mid-run
+- API failures (timeouts, HTTP errors, malformed responses) now warn on stderr instead of degrading silently
+- Vulnerability count based on successfully fetched advisories so count and severity always agree
+
+### Fixed
+
+- Vulnerability counts now checked against installed version, not latest (was masking CVEs in older pinned versions)
+- `GitlabClient.archived?` returned `false` on API failure instead of `nil`, incorrectly asserting repos were not archived
+- `repo_archived?` rescued all `StandardError`, masking bugs; now catches only `Octokit::Error` and `Faraday::Error`
+- `last_commit_date` had no error handling; any failure dropped the entire gem from results
+- Malformed date strings from GitHub/GitLab APIs no longer raise unhandled `ArgumentError`
+
+## [1.0.2] - 2026-02-19
+
+### Changed
+
+- Reduce gem package from 2.4MB to essentials only (lib/, bin/still_active, LICENSE, README, CHANGELOG, gemspec)
+
 ## [1.0.1] - 2026-02-19
 
 ### Changed

data/README.md

@@ -2,7 +2,7 @@
 
 **How do you know if your Ruby dependencies are still maintained?**
 
-`bundle outdated` tells you version drift. `bundler-audit` catches known CVEs. Neither tells you whether anyone is still working on the thing. `still_active` checks maintenance activity, version freshness, security scores, and vulnerabilities for every gem in your Gemfile -- in one pass.
+`bundle outdated` tells you version drift. `bundler-audit` catches known CVEs. Neither tells you whether anyone is still working on the thing. `still_active` checks maintenance activity, version freshness, security scores, vulnerabilities, libyear drift, and archived repos for every gem in your Gemfile -- with a composite health score per gem.
 
 [![Gem Version](https://badge.fury.io/rb/still_active.svg)](https://badge.fury.io/rb/still_active)
 ![Code Quality analysis](https://github.com/SeanLF/still_active/actions/workflows/codeql-analysis.yml/badge.svg)
@@ -10,16 +10,17 @@
 ![Rubocop analysis](https://github.com/SeanLF/still_active/actions/workflows/rubocop-analysis.yml/badge.svg)
 
 ```
-Name                   Version          Activity  OpenSSF  Vulns
-──────────────────────────────────────────────────────────────────
-code-scanning-rubocop  0.6.1 (latest)   stale     3.1/10   0
-debug                  1.11.1 (latest)  ok        5.2/10   0
-faker                  3.6.0 (latest)   ok        7.4/10   0
-rake                   13.3.1 (latest)  ok        5.3/10   0
-rspec                  3.13.2 (latest)  ok        6.9/10   0
-rubocop                1.84.2 (latest)  ok        5.9/10   0
-
-12 gems: 12 up to date, 0 outdated · 11 active, 1 stale · 0 vulnerabilities
+Name                   Version          Activity  OpenSSF  Vulns  Health
+───────────────────────────────────────────────────────────────────────────
+code-scanning-rubocop  0.6.1 (latest)   stale     3.1/10   0      71/100
+debug                  1.11.1 (latest)  ok        5.2/10   0      90/100
+faker                  3.6.0 (latest)   ok        7.4/10   0      95/100
+rake                   13.3.1 (latest)  ok        5.3/10   0      91/100
+rspec                  3.13.2 (latest)  ok        6.9/10   0      94/100
+rubocop                1.84.2 (latest)  ok        5.9/10   0      92/100
+
+12 gems: 11 up to date, 0 outdated · 11 active, 1 stale · 0 vulnerabilities · health 93/100
+Ruby 4.0.1 (latest)
 ```
 
 ## Why `still_active`?
@@ -29,11 +30,17 @@ Most dependency tools answer one question. `still_active` answers all of them at
 |                              | `bundle outdated` | `bundler-audit` | `libyear-bundler` | **`still_active`**           |
 | ---------------------------- | ----------------- | --------------- | ----------------- | ---------------------------- |
 | Outdated versions            | Yes               | -               | Yes               | **Yes**                      |
-| Known vulnerabilities (CVEs) | -                 | Yes             | -                 | **Yes**                      |
+| Known vulnerabilities (CVEs) | -                 | Yes             | -                 | **Yes** (with severity)      |
 | OpenSSF Scorecard            | -                 | -               | -                 | **Yes**                      |
 | Last commit activity         | -                 | -               | -                 | **Yes**                      |
+| Libyear drift                | -                 | -               | Yes               | **Yes**                      |
+| Composite health score       | -                 | -               | -                 | **Yes** (0-100)              |
+| Archived repo detection      | -                 | -               | -                 | **Yes**                      |
+| Yanked version detection     | -                 | -               | -                 | **Yes**                      |
+| Ruby version freshness       | -                 | -               | -                 | **Yes** (EOL + libyear)      |
+| Git/path/GH Packages sources | -                 | -               | -                 | **Yes**                      |
 | GitLab support               | -                 | -               | -                 | **Yes**                      |
-| CI quality gates             | -                 | Exit code       | -                 | **Yes**                      |
+| CI quality gates             | -                 | Exit code       | -                 | **Yes** (4 modes)            |
 | Multiple output formats      | -                 | -               | -                 | **Terminal, JSON, Markdown** |
 | Single command               | Yes               | Yes             | Yes               | **Yes**                      |
 
@@ -54,8 +61,11 @@ still_active
 # check specific gems
 still_active --gems=rails,nokogiri,sidekiq
 
-# CI pipeline: fail if any gem is critically stale
-still_active --fail-if-critical
+# CI pipeline: fail if any gem is critically stale or has low health
+still_active --fail-if-critical --fail-below-score=50
+
+# ignore specific gems in CI checks
+still_active --fail-if-warning --ignore=legacy_gem,internal_gem
 
 # markdown table for pull requests or documentation
 still_active --markdown
@@ -86,6 +96,8 @@ Usage: still_active [options]
         --warning-range-end=YEARS    maximum years since last activity that triggers a warning (beyond this is critical)
         --fail-if-critical           Exit 1 if any gem has critical activity warning
         --fail-if-warning            Exit 1 if any gem has warning or critical activity warning
+        --fail-below-score=SCORE     Exit 1 if any gem health score is below threshold
+        --ignore=GEM,GEM2,...        Exclude gems from pass/fail checks (still shown in output)
         --critical-warning-emoji=EMOJI
         --futurist-emoji=EMOJI
         --success-emoji=EMOJI
@@ -107,27 +119,33 @@ still_active --json --gems=rails,nokogiri
 
 ```json
 {
-  "rails": {
-    "latest_version": "8.1.2",
-    "latest_version_release_date": "2026-01-08 20:18:51 UTC",
-    "latest_pre_release_version": "8.1.0.rc1",
-    "latest_pre_release_version_release_date": "2025-10-15 00:52:14 UTC",
-    "repository_url": "https://github.com/rails/rails",
-    "last_commit_date": "2026-02-19 09:39:03 UTC",
-    "scorecard_score": 5.7,
-    "vulnerability_count": 0,
-    "ruby_gems_url": "https://rubygems.org/gems/rails"
+  "gems": {
+    "rails": {
+      "source_type": "rubygems",
+      "latest_version": "8.1.2",
+      "repository_url": "https://github.com/rails/rails",
+      "last_commit_date": "2026-02-19 09:39:03 UTC",
+      "archived": false,
+      "scorecard_score": 5.7,
+      "vulnerability_count": 0,
+      "health_score": 88
+    },
+    "nokogiri": {
+      "source_type": "rubygems",
+      "latest_version": "1.19.1",
+      "repository_url": "https://github.com/sparklemotion/nokogiri",
+      "last_commit_date": "2026-02-17 19:13:22 UTC",
+      "archived": false,
+      "scorecard_score": 6.5,
+      "vulnerability_count": 0,
+      "health_score": 90
+    }
   },
-  "nokogiri": {
-    "latest_version": "1.19.1",
-    "latest_version_release_date": "2026-02-16 23:31:21 UTC",
-    "latest_pre_release_version": "1.18.0.rc1",
-    "latest_pre_release_version_release_date": "2024-12-16 17:48:44 UTC",
-    "repository_url": "https://github.com/sparklemotion/nokogiri",
-    "last_commit_date": "2026-02-17 19:13:22 UTC",
-    "scorecard_score": 6.5,
-    "vulnerability_count": 0,
-    "ruby_gems_url": "https://rubygems.org/gems/nokogiri"
+  "ruby": {
+    "version": "4.0.1",
+    "eol": false,
+    "latest_version": "4.0.1",
+    "libyear": 0.0
   }
 }
 ```
@@ -138,18 +156,30 @@ still_active --json --gems=rails,nokogiri
 still_active --markdown
 ```
 
-| activity | up to date? | OpenSSF | vulns | name                  | version used     | latest version   | latest pre-release  | last commit |
-| -------- | ----------- | ------- | ----- | --------------------- | ---------------- | ---------------- | ------------------- | ----------- |
-| ⚠️       | ✅          | 3.1/10  | ✅    | code-scanning-rubocop | 0.6.1 (2022/02)  | 0.6.1 (2022/02)  | ❓                  | 2024/06     |
-|          | ✅          | 5.2/10  | ✅    | debug                 | 1.11.1 (2025/12) | 1.11.1 (2025/12) | 1.0.0.rc2 (2021/09) | 2025/12     |
-|          | ✅          | 7.4/10  | ✅    | faker                 | 3.6.0 (2026/01)  | 3.6.0 (2026/01)  | ❓                  | 2026/02     |
+| activity | up to date? | OpenSSF | vulns | name     | version used | latest version   | latest pre-release   | last commit | libyear | health |
+| -------- | ----------- | ------- | ----- | -------- | ------------ | ---------------- | -------------------- | ----------- | ------- | ------ |
+|          | ❓          | 5.2/10  | ✅    | debug    | ❓           | 1.11.1 (2025/12) | 1.0.0.rc2 (2021/09)  | 2025/12     | -       | 86/100 |
+|          | ❓          | 6.5/10  | ✅    | nokogiri | ❓           | 1.19.1 (2026/02) | 1.18.0.rc1 (2024/12) | 2026/02     | -       | 90/100 |
+|          | ❓          | 5.7/10  | ✅    | rails    | ❓           | 8.1.2 (2026/01)  | 8.1.0.rc1 (2025/10)  | 2026/02     | -       | 88/100 |
+
+**Ruby 4.0.1** (latest) ✅
 
 ### CI quality gating
 
-Use `--fail-if-critical` or `--fail-if-warning` to fail CI pipelines when dependencies exceed activity thresholds:
+Use exit-code flags to fail CI pipelines based on dependency health:
 
 ```bash
-still_active --gemfile=Gemfile --fail-if-warning --json
+# fail on critically stale or archived gems
+still_active --fail-if-critical --json
+
+# fail on any stale, critical, or archived gem
+still_active --fail-if-warning --json
+
+# fail if any gem's health score drops below a threshold
+still_active --fail-below-score=50 --json
+
+# combine flags and exclude known exceptions
+still_active --fail-if-warning --fail-below-score=50 --ignore=legacy_gem --json
 ```
 
 ### Activity thresholds
@@ -162,9 +192,10 @@ Activity is determined by the most recent signal across last commit date, latest
 
 ### Data sources
 
-- **Versions and release dates** from [RubyGems.org](https://rubygems.org)
-- **Last commit date** from the [GitHub](https://docs.github.com/en/rest) or [GitLab](https://docs.gitlab.com/ee/api/) API
-- **OpenSSF Scorecard** and **vulnerability counts** from Google's [deps.dev](https://deps.dev) API
+- **Versions and release dates** from [RubyGems.org](https://rubygems.org) or [GitHub Packages](https://docs.github.com/en/packages)
+- **Last commit date and archived status** from the [GitHub](https://docs.github.com/en/rest) or [GitLab](https://docs.gitlab.com/ee/api/) API
+- **OpenSSF Scorecard**, **vulnerability counts**, and **CVSS severity** from Google's [deps.dev](https://deps.dev) API
+- **Ruby version freshness** from [endoflife.date](https://endoflife.date)
 
 ### Configuration defaults
 

data/lib/helpers/activity_helper.rb

@@ -8,8 +8,10 @@ module StillActive
 
     using StillActive::CoreExt
 
-    # Returns :ok, :stale, :critical, or :unknown
+    # Returns :archived, :ok, :stale, :critical, or :unknown
     def activity_level(gem_data)
+      return :archived if gem_data[:archived]
+
       most_recent = [
         gem_data[:last_commit_date],
         gem_data[:latest_version_release_date],

data/lib/helpers/bundler_helper.rb

@@ -12,7 +12,36 @@ module StillActive
         .locked_gems
         .specs
         .select { |spec| gemfile_gems.include?(spec.name) }
-        .each_with_object([]) { |spec, array| array << { name: spec.name, version: spec.version.version } }
+        .map do |spec|
+          {
+            name: spec.name,
+            version: spec.version.version,
+            source_type: detect_source_type(spec),
+            source_uri: detect_source_uri(spec),
+          }
+        end
+    end
+
+    private
+
+    def detect_source_type(spec)
+      case spec.source
+      when ::Bundler::Source::Rubygems then :rubygems
+      when ::Bundler::Source::Git then :git
+      when ::Bundler::Source::Path then :path
+      else :unknown
+      end
+    end
+
+    def detect_source_uri(spec)
+      case spec.source
+      when ::Bundler::Source::Rubygems
+        spec.source.remotes&.first&.to_s
+      when ::Bundler::Source::Git
+        spec.source.uri
+      when ::Bundler::Source::Path
+        spec.source.path&.to_s
+      end
     end
   end
 end

data/lib/helpers/emoji_helper.rb

@@ -10,7 +10,7 @@ module StillActive
       case ActivityHelper.activity_level(result_hash)
       when :ok then ""
       when :stale then StillActive.config.warning_emoji
-      when :critical then StillActive.config.critical_warning_emoji
+      when :archived, :critical then StillActive.config.critical_warning_emoji
       when :unknown then StillActive.config.unsure_emoji
       end
     end

data/lib/helpers/health_score_helper.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+require_relative "activity_helper"
+
+module StillActive
+  module HealthScoreHelper
+    extend self
+
+    WEIGHTS = {
+      version_freshness: 30,
+      activity: 25,
+      scorecard: 20,
+      vulnerabilities: 25,
+    }.freeze
+
+    def gem_score(gem_data)
+      components = {
+        version_freshness: version_freshness_score(gem_data),
+        activity: activity_score(gem_data),
+        scorecard: scorecard_score(gem_data),
+        vulnerabilities: vulnerability_score(gem_data),
+      }
+
+      available = components.compact
+      return if available.empty?
+
+      total_weight = available.keys.sum { |k| WEIGHTS[k] }
+      weighted_sum = available.sum { |k, v| WEIGHTS[k] * v }
+      (weighted_sum.to_f / total_weight).round
+    end
+
+    def system_average(result)
+      scores = result.each_value.filter_map { |d| d[:health_score] }
+      return if scores.empty?
+
+      (scores.sum.to_f / scores.size).round
+    end
+
+    private
+
+    def version_freshness_score(gem_data)
+      return 0 if gem_data[:version_yanked]
+
+      libyear = gem_data[:libyear]
+      return if libyear.nil?
+
+      [100 - (libyear * 20), 0].max.round
+    end
+
+    def activity_score(gem_data)
+      return 0 if gem_data[:archived]
+
+      level = ActivityHelper.activity_level(gem_data)
+      case level
+      when :ok then 100
+      when :stale then 40
+      when :critical then 10
+      when :unknown then nil
+      end
+    end
+
+    def scorecard_score(gem_data)
+      score = gem_data[:scorecard_score]
+      return if score.nil?
+
+      (score * 10).round
+    end
+
+    def vulnerability_score(gem_data)
+      count = gem_data[:vulnerability_count]
+      return if count.nil?
+
+      case count
+      when 0 then 100
+      when 1 then 40
+      when 2 then 20
+      else 0
+      end
+    end
+  end
+end

data/lib/helpers/http_helper.rb

@@ -21,10 +21,17 @@ module StillActive
       headers.each { |key, value| request[key] = value }
 
       response = http.request(request)
-      return unless response.is_a?(Net::HTTPSuccess)
+      unless response.is_a?(Net::HTTPSuccess)
+        $stderr.puts("warning: #{uri.host}#{uri.path} returned HTTP #{response.code}") unless response.is_a?(Net::HTTPNotFound)
+        return
+      end
 
       JSON.parse(response.body)
-    rescue Net::OpenTimeout, Net::ReadTimeout, SocketError, Errno::ECONNREFUSED, JSON::ParserError
+    rescue Net::OpenTimeout, Net::ReadTimeout, SocketError, Errno::ECONNREFUSED => e
+      $stderr.puts("warning: #{uri.host}#{uri.path} failed: #{e.class} (#{e.message})")
+      nil
+    rescue JSON::ParserError => e
+      $stderr.puts("warning: #{uri.host}#{uri.path} returned invalid JSON: #{e.message}")
       nil
     end
   end

data/lib/helpers/libyear_helper.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require_relative "../still_active/core_ext"
+
+module StillActive
+  module LibyearHelper
+    extend self
+
+    def gem_libyear(version_used_release_date:, latest_version_release_date:)
+      return if version_used_release_date.nil? || latest_version_release_date.nil?
+
+      diff = latest_version_release_date - version_used_release_date
+      [diff / CoreExt::SECONDS_PER_YEAR, 0.0].max.round(1)
+    end
+
+    def total_libyear(result)
+      result.each_value.sum { |d| d[:libyear] || 0.0 }
+    end
+  end
+end

data/lib/helpers/markdown_helper.rb

@@ -1,12 +1,33 @@
 # frozen_string_literal: true
 
+require_relative "vulnerability_helper"
+
 module StillActive
   module MarkdownHelper
     extend self
 
+    def ruby_line(ruby_info)
+      version = ruby_info[:version]
+      latest = ruby_info[:latest_version]
+      libyear = ruby_info[:libyear]
+      eol = ruby_info[:eol]
+      eol_date = ruby_info[:eol_date]
+
+      return "**Ruby #{version}** (latest) #{StillActive.config.success_emoji}" if version == latest
+
+      libyear_part = libyear ? "#{libyear} libyears behind #{latest}" : "behind #{latest}"
+
+      if eol
+        eol_part = eol_date ? "EOL #{eol_date.strftime("%Y-%m-%d")}" : "EOL"
+        "**Ruby #{version}** (#{eol_part}, #{libyear_part}) #{StillActive.config.critical_warning_emoji}"
+      else
+        "**Ruby #{version}** (#{libyear_part}) #{StillActive.config.warning_emoji}"
+      end
+    end
+
     def markdown_table_header_line
-      "| activity | up to date? | OpenSSF | vulns | name | version used | latest version | latest pre-release | last commit |\n" \
-        "| -------- | ----------- | ------- | ----- | ---- | ------------ | -------------- | ------------------ | ----------- |"
+      "| activity | up to date? | OpenSSF | vulns | name | version used | latest version | latest pre-release | last commit | libyear | health |\n" \
+        "| -------- | ----------- | ------- | ----- | ---- | ------------ | -------------- | ------------------ | ----------- | ------- | ------ |"
     end
 
     def markdown_table_body_line(gem_name:, data:)
@@ -18,11 +39,17 @@ module StillActive
 
       formatted_name = markdown_url(text: gem_name, url: repository_url)
 
-      formatted_version_used = version_with_date(
-        text: data[:version_used],
-        url: version_url(ruby_gems_url, data[:version_used]),
-        date: data[:version_used_release_date],
-      )
+      formatted_version_used = if [:git, :path].include?(data[:source_type])
+        data[:version_used] ? "#{data[:version_used]} (#{data[:source_type]})" : "(#{data[:source_type]})"
+      elsif data[:version_yanked]
+        "#{data[:version_used]} (YANKED #{StillActive.config.critical_warning_emoji})"
+      else
+        version_with_date(
+          text: data[:version_used],
+          url: version_url(ruby_gems_url, data[:version_used]),
+          date: data[:version_used_release_date],
+        )
+      end
 
       formatted_latest_version = version_with_date(
         text: data[:latest_version],
@@ -44,12 +71,14 @@ module StillActive
         inactive_repository_emoji || unsure,
         using_latest_version_emoji || unsure,
         format_scorecard(data[:scorecard_score]),
-        format_vulns(data[:vulnerability_count]),
+        format_vulns(data),
         formatted_name,
         formatted_version_used || unsure,
         formatted_latest_version || unsure,
         formatted_latest_pre_release || unsure,
         formatted_last_commit || unsure,
+        format_libyear(data[:libyear]),
+        format_health(data[:health_score]),
       ]
 
       "| #{cells.join(" | ")} |"
@@ -79,11 +108,30 @@ module StillActive
       "#{score}/10"
     end
 
-    def format_vulns(count)
+    def format_health(score)
+      return "-" if score.nil?
+
+      "#{score}/100"
+    end
+
+    def format_libyear(value)
+      return "-" if value.nil?
+
+      "#{value}y"
+    end
+
+    def format_vulns(data)
+      count = data[:vulnerability_count]
       return StillActive.config.unsure_emoji if count.nil?
       return StillActive.config.success_emoji if count.zero?
 
-      count.to_s
+      vulnerabilities = data[:vulnerabilities] || []
+      severity = VulnerabilityHelper.highest_severity(vulnerabilities)
+      ids = vulnerabilities.flat_map { |v| [v[:id], *v[:aliases]] }.compact.uniq.first(3)
+
+      parts = [severity ? "#{count} (#{severity})" : count.to_s]
+      parts << ids.join(", ") unless ids.empty?
+      parts.join(" ")
     end
 
     def markdown_url(text:, url:)

data/lib/helpers/ruby_helper.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+require "time"
+require_relative "http_helper"
+require_relative "libyear_helper"
+
+module StillActive
+  module RubyHelper
+    extend self
+
+    ENDOFLIFE_URI = URI("https://endoflife.date/")
+
+    def ruby_freshness
+      return unless standard_ruby?
+
+      cycles = fetch_cycles
+      return if cycles.nil?
+
+      current = current_ruby_version
+      current_cycle = find_cycle(cycles, current)
+      latest_cycle = cycles.first
+
+      return if latest_cycle.nil?
+
+      latest_version = latest_cycle["latest"]
+      latest_release_date = parse_date(latest_cycle["releaseDate"])
+      current_release_date = parse_date(current_cycle&.dig("releaseDate"))
+      eol_value = current_cycle&.dig("eol")
+
+      {
+        version: current,
+        release_date: current_release_date,
+        eol_date: parse_eol(eol_value),
+        eol: eol_reached?(eol_value),
+        latest_version: latest_version,
+        latest_release_date: latest_release_date,
+        libyear: LibyearHelper.gem_libyear(
+          version_used_release_date: current_release_date,
+          latest_version_release_date: latest_release_date,
+        ),
+      }
+    end
+
+    private
+
+    def standard_ruby?
+      RUBY_ENGINE == "ruby"
+    end
+
+    def current_ruby_version
+      RUBY_VERSION
+    end
+
+    def fetch_cycles
+      HttpHelper.get_json(ENDOFLIFE_URI, "/api/ruby.json")
+    end
+
+    def find_cycle(cycles, version)
+      major_minor = version.split(".")[0..1].join(".")
+      cycles.find { |c| c["cycle"] == major_minor }
+    end
+
+    def parse_date(date_string)
+      return if date_string.nil?
+
+      Time.parse(date_string)
+    end
+
+    def parse_eol(value)
+      case value
+      when String then parse_date(value)
+      end
+    end
+
+    def eol_reached?(value)
+      case value
+      when true then true
+      when false then false
+      when String then Time.parse(value) <= Time.now
+      end
+    end
+  end
+end