still_active 1.1.0 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ebdc7af759c1dfe0bf4172000aab61f100e7dc8463374c5cf12458c69a3ff7ad
-  data.tar.gz: 5988d28e7fa84d686786ddf56e7da557d4935d8c5c305c33105593e859216941
+  metadata.gz: 8c861ae8a727347f9b276576f3da48d806fbc25ab05020d849e5e92c8de49732
+  data.tar.gz: bc3e5d7429e17adc0b6b0e955f50a6ddb9e7f157f1c656bf8c9044113cd5a97e
 SHA512:
-  metadata.gz: a0c5bd6fabfc32a72dcb6169b89bfe3ffb93879117be4b3489705844f4d84ffc226ed4ba42b1bc86a2d253416de94503ffd3263777d172b1fb9d2fbc85ff687b
-  data.tar.gz: 05be629f02347fe1594351884a06135acf34d843a8611e073bce41fbae29164492bd343468cac5c6ed95651c775e2d93ea58d408c5879fd3f7253f2724954318
+  metadata.gz: e922835a769aeb9817dd27e99bf194c39e21e43794ee66d6d7d1db4c2c9ccaf11cf40d75ac251302f014f3df539998ab4e285f446fb68b6aaa080259421cc1fb
+  data.tar.gz: 932b7e3dbd72cd02492070eced16a77e1a8a1649bb86132f2a7f827339d3f42138633139cbfd5134e31b1c4a92d18b28758afafc74674402f72a9ed2d7512399

data/CHANGELOG.md

@@ -1,5 +1,27 @@
 # Changelog
 
+## [1.2.0] - 2026-02-20
+
+### Added
+
+- `--fail-if-vulnerable[=SEVERITY]` flag: exit 1 if any gem has known vulnerabilities, optionally filtered by severity (low/medium/high/critical)
+- `--fail-if-outdated=LIBYEARS` flag: exit 1 if any gem exceeds the given libyear threshold
+- Coloured OpenSSF column in terminal output: green for strong practices (7.0+), yellow for notably weak (below 4.0)
+
+### Changed
+
+- Removed composite health score (0-100) and Health column from terminal, markdown, and JSON output; individual columns (vulns, OpenSSF, activity, version) communicate these signals without collapsing them into one number
+- Replaced `--fail-below-score` with `--fail-if-vulnerable` and `--fail-if-outdated` for targeted CI gating
+
+### Fixed
+
+- Repository URLs with `.git` suffix (e.g. `socketry/async.git`) caused 404s against GitHub/GitLab APIs
+- GitLab 301 redirects for renamed projects silently failed; now follows up to 3 redirects with trusted host check
+- Network errors (`ECONNRESET`, timeouts, etc.) during RubyGems version lookup or HTTP API calls dropped the entire gem from results instead of warning
+- GitHub Packages URI check used substring match, allowing crafted URLs to bypass host validation; now parses URI and compares host exactly
+- Tri-state `archived?` predicate renamed to `archived` to honestly reflect `true`/`false`/`nil` return contract
+- Rubocop offences from code scanning (WordArray, IfInsideElse, MultilineHash, frozen_string_literal)
+
 ## [1.1.0] - 2026-02-20
 
 ### Added

data/README.md

@@ -2,7 +2,7 @@
 
 **How do you know if your Ruby dependencies are still maintained?**
 
-`bundle outdated` tells you version drift. `bundler-audit` catches known CVEs. Neither tells you whether anyone is still working on the thing. `still_active` checks maintenance activity, version freshness, security scores, vulnerabilities, libyear drift, and archived repos for every gem in your Gemfile -- with a composite health score per gem.
+`bundle outdated` tells you version drift. `bundler-audit` catches known CVEs. Neither tells you whether anyone is still working on the thing. `still_active` checks maintenance activity, version freshness, security scores, vulnerabilities, libyear drift, and archived repos for every gem in your Gemfile.
 
 [![Gem Version](https://badge.fury.io/rb/still_active.svg)](https://badge.fury.io/rb/still_active)
 ![Code Quality analysis](https://github.com/SeanLF/still_active/actions/workflows/codeql-analysis.yml/badge.svg)
@@ -10,16 +10,17 @@
 ![Rubocop analysis](https://github.com/SeanLF/still_active/actions/workflows/rubocop-analysis.yml/badge.svg)
 
 ```
-Name                   Version          Activity  OpenSSF  Vulns  Health
-───────────────────────────────────────────────────────────────────────────
-code-scanning-rubocop  0.6.1 (latest)   stale     3.1/10   0      71/100
-debug                  1.11.1 (latest)  ok        5.2/10   0      90/100
-faker                  3.6.0 (latest)   ok        7.4/10   0      95/100
-rake                   13.3.1 (latest)  ok        5.3/10   0      91/100
-rspec                  3.13.2 (latest)  ok        6.9/10   0      94/100
-rubocop                1.84.2 (latest)  ok        5.9/10   0      92/100
-
-12 gems: 11 up to date, 0 outdated · 11 active, 1 stale · 0 vulnerabilities · health 93/100
+Name                    Version          Activity  OpenSSF  Vulns
+───────────────────────────────────────────────────────────────────
+async                   2.36.0 (latest)  ok        7.1/10   0
+backbone-rails          1.2.3 (latest)   archived  3.6/10   0
+bootstrap-slider-rails  9.8.0 (latest)   critical  -        0
+gitlab-markup           2.0.0 (latest)   ok        -        0
+local_gem               0.1.0 (path)     -         -        0
+nested_form             0.3.2 (git)      archived  3.3/10   0
+remotipart              1.4.4 (git)      critical  3.1/10   0
+
+7 gems: 4 up to date, 0 outdated · 2 active, 2 stale, 2 archived · 0 vulnerabilities
 Ruby 4.0.1 (latest)
 ```
 
@@ -34,13 +35,12 @@ Most dependency tools answer one question. `still_active` answers all of them at
 | OpenSSF Scorecard            | -                 | -               | -                 | **Yes**                      |
 | Last commit activity         | -                 | -               | -                 | **Yes**                      |
 | Libyear drift                | -                 | -               | Yes               | **Yes**                      |
-| Composite health score       | -                 | -               | -                 | **Yes** (0-100)              |
 | Archived repo detection      | -                 | -               | -                 | **Yes**                      |
 | Yanked version detection     | -                 | -               | -                 | **Yes**                      |
 | Ruby version freshness       | -                 | -               | -                 | **Yes** (EOL + libyear)      |
 | Git/path/GH Packages sources | -                 | -               | -                 | **Yes**                      |
 | GitLab support               | -                 | -               | -                 | **Yes**                      |
-| CI quality gates             | -                 | Exit code       | -                 | **Yes** (4 modes)            |
+| CI quality gates             | -                 | Exit code       | -                 | **Yes** (5 modes)            |
 | Multiple output formats      | -                 | -               | -                 | **Terminal, JSON, Markdown** |
 | Single command               | Yes               | Yes             | Yes               | **Yes**                      |
 
@@ -61,8 +61,8 @@ still_active
 # check specific gems
 still_active --gems=rails,nokogiri,sidekiq
 
-# CI pipeline: fail if any gem is critically stale or has low health
-still_active --fail-if-critical --fail-below-score=50
+# CI pipeline: fail if any gem is critically stale or has vulnerabilities
+still_active --fail-if-critical --fail-if-vulnerable
 
 # ignore specific gems in CI checks
 still_active --fail-if-warning --ignore=legacy_gem,internal_gem
@@ -96,7 +96,9 @@ Usage: still_active [options]
         --warning-range-end=YEARS    maximum years since last activity that triggers a warning (beyond this is critical)
         --fail-if-critical           Exit 1 if any gem has critical activity warning
         --fail-if-warning            Exit 1 if any gem has warning or critical activity warning
-        --fail-below-score=SCORE     Exit 1 if any gem health score is below threshold
+        --fail-if-vulnerable[=SEVERITY]
+                                     Exit 1 if any gem has vulnerabilities (optionally at or above SEVERITY)
+        --fail-if-outdated=LIBYEARS  Exit 1 if any gem exceeds LIBYEARS behind latest
         --ignore=GEM,GEM2,...        Exclude gems from pass/fail checks (still shown in output)
         --critical-warning-emoji=EMOJI
         --futurist-emoji=EMOJI
@@ -114,31 +116,37 @@ Usage: still_active [options]
 **JSON** (default when piped) -- structured data for automation:
 
 ```bash
-still_active --json --gems=rails,nokogiri
+still_active --json --gemfile=spec/still_active/edge_case_gemfile/Gemfile
 ```
 
 ```json
 {
   "gems": {
-    "rails": {
+    "async": {
       "source_type": "rubygems",
-      "latest_version": "8.1.2",
-      "repository_url": "https://github.com/rails/rails",
-      "last_commit_date": "2026-02-19 09:39:03 UTC",
+      "version_used": "2.36.0",
+      "latest_version": "2.36.0",
+      "repository_url": "https://github.com/socketry/async",
+      "last_commit_date": "2026-01-22 04:09:48 UTC",
       "archived": false,
-      "scorecard_score": 5.7,
+      "scorecard_score": 7.1,
       "vulnerability_count": 0,
-      "health_score": 88
+      "libyear": 0.0
     },
-    "nokogiri": {
-      "source_type": "rubygems",
-      "latest_version": "1.19.1",
-      "repository_url": "https://github.com/sparklemotion/nokogiri",
-      "last_commit_date": "2026-02-17 19:13:22 UTC",
-      "archived": false,
-      "scorecard_score": 6.5,
-      "vulnerability_count": 0,
-      "health_score": 90
+    "nested_form": {
+      "source_type": "git",
+      "version_used": "0.3.2",
+      "repository_url": "https://github.com/ryanb/nested_form",
+      "last_commit_date": "2021-12-11 21:47:02 UTC",
+      "archived": true,
+      "scorecard_score": 3.3,
+      "vulnerability_count": 0
+    },
+    "local_gem": {
+      "source_type": "path",
+      "version_used": "0.1.0",
+      "scorecard_score": null,
+      "vulnerability_count": 0
     }
   },
   "ruby": {
@@ -156,17 +164,18 @@ still_active --json --gems=rails,nokogiri
 still_active --markdown
 ```
 
-| activity | up to date? | OpenSSF | vulns | name     | version used | latest version   | latest pre-release   | last commit | libyear | health |
-| -------- | ----------- | ------- | ----- | -------- | ------------ | ---------------- | -------------------- | ----------- | ------- | ------ |
-|          | ❓          | 5.2/10  | ✅    | debug    | ❓           | 1.11.1 (2025/12) | 1.0.0.rc2 (2021/09)  | 2025/12     | -       | 86/100 |
-|          | ❓          | 6.5/10  | ✅    | nokogiri | ❓           | 1.19.1 (2026/02) | 1.18.0.rc1 (2024/12) | 2026/02     | -       | 90/100 |
-|          | ❓          | 5.7/10  | ✅    | rails    | ❓           | 8.1.2 (2026/01)  | 8.1.0.rc1 (2025/10)  | 2026/02     | -       | 88/100 |
+| activity | up to date? | OpenSSF | vulns | name                                                         | version used                                                               | latest version                                                             | latest pre-release | last commit                                           | libyear |
+| -------- | ----------- | ------- | ----- | ------------------------------------------------------------ | -------------------------------------------------------------------------- | -------------------------------------------------------------------------- | ------------------ | ----------------------------------------------------- | ------- |
+|          | ✅          | 7.1/10  | ✅    | [async](https://github.com/socketry/async)                   | [2.36.0](https://rubygems.org/gems/async/versions/2.36.0) (2026/01)        | [2.36.0](https://rubygems.org/gems/async/versions/2.36.0) (2026/01)        | ❓                 | [2026/01](https://github.com/socketry/async)          | 0.0y    |
+| 🚩       | ✅          | 3.6/10  | ✅    | [backbone-rails](https://github.com/aflatter/backbone-rails) | [1.2.3](https://rubygems.org/gems/backbone-rails/versions/1.2.3) (2016/02) | [1.2.3](https://rubygems.org/gems/backbone-rails/versions/1.2.3) (2016/02) | ❓                 | [2016/02](https://github.com/aflatter/backbone-rails) | 0.0y    |
+| ❓       | ❓          | ❓      | ✅    | local_gem                                                    | 0.1.0 (path)                                                               | ❓                                                                         | ❓                 | ❓                                                    | -       |
+| 🚩       | ❓          | 3.3/10  | ✅    | [nested_form](https://github.com/ryanb/nested_form)          | 0.3.2 (git)                                                                | ❓                                                                         | ❓                 | [2021/12](https://github.com/ryanb/nested_form)       | -       |
 
 **Ruby 4.0.1** (latest) ✅
 
 ### CI quality gating
 
-Use exit-code flags to fail CI pipelines based on dependency health:
+Use exit-code flags to fail CI pipelines based on dependency status:
 
 ```bash
 # fail on critically stale or archived gems
@@ -175,11 +184,17 @@ still_active --fail-if-critical --json
 # fail on any stale, critical, or archived gem
 still_active --fail-if-warning --json
 
-# fail if any gem's health score drops below a threshold
-still_active --fail-below-score=50 --json
+# fail if any gem has known vulnerabilities
+still_active --fail-if-vulnerable --json
+
+# fail only on high/critical severity vulnerabilities
+still_active --fail-if-vulnerable=high --json
+
+# fail if any gem is more than 3 libyears behind
+still_active --fail-if-outdated=3 --json
 
 # combine flags and exclude known exceptions
-still_active --fail-if-warning --fail-below-score=50 --ignore=legacy_gem --json
+still_active --fail-if-warning --fail-if-vulnerable --ignore=legacy_gem --json
 ```
 
 ### Activity thresholds

data/lib/helpers/http_helper.rb

@@ -5,6 +5,9 @@ require "json"
 
 module StillActive
   module HttpHelper
+    TRUSTED_HOSTS = ["github.com", "gitlab.com", "api.deps.dev", "endoflife.date", "rubygems.pkg.github.com"].freeze
+    MAX_REDIRECTS = 3
+
     extend self
 
     def get_json(base_uri, path, headers: {}, params: {})
@@ -12,22 +15,40 @@ module StillActive
       uri.path = path
       uri.query = URI.encode_www_form(params) unless params.empty?
 
-      http = Net::HTTP.new(uri.host, uri.port)
-      http.use_ssl = true
-      http.open_timeout = 10
-      http.read_timeout = 10
+      MAX_REDIRECTS.times do
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = true
+        http.open_timeout = 10
+        http.read_timeout = 10
+
+        request = Net::HTTP::Get.new(uri)
+        headers.each { |key, value| request[key] = value }
+
+        response = http.request(request)
 
-      request = Net::HTTP::Get.new(uri)
-      headers.each { |key, value| request[key] = value }
+        if response.is_a?(Net::HTTPRedirection)
+          redirect_uri = uri + response["Location"]
+          unless TRUSTED_HOSTS.include?(redirect_uri.host)
+            $stderr.puts("warning: #{uri.host}#{uri.path} redirected to untrusted host #{redirect_uri.host}, skipping")
+            return
+          end
+          $stderr.puts("warning: #{uri.host}#{uri.path} redirected to #{redirect_uri.host}#{redirect_uri.path} (stale metadata?)")
+          headers = {} if redirect_uri.host != uri.host
+          uri = redirect_uri
+          next
+        end
 
-      response = http.request(request)
-      unless response.is_a?(Net::HTTPSuccess)
-        $stderr.puts("warning: #{uri.host}#{uri.path} returned HTTP #{response.code}") unless response.is_a?(Net::HTTPNotFound)
-        return
+        unless response.is_a?(Net::HTTPSuccess)
+          $stderr.puts("warning: #{uri.host}#{uri.path} returned HTTP #{response.code}") unless response.is_a?(Net::HTTPNotFound)
+          return
+        end
+
+        return JSON.parse(response.body)
       end
 
-      JSON.parse(response.body)
-    rescue Net::OpenTimeout, Net::ReadTimeout, SocketError, Errno::ECONNREFUSED => e
+      $stderr.puts("warning: #{uri.host}#{uri.path} too many redirects")
+      nil
+    rescue Net::OpenTimeout, Net::ReadTimeout, SocketError, Errno::ECONNREFUSED, Errno::ECONNRESET => e
       $stderr.puts("warning: #{uri.host}#{uri.path} failed: #{e.class} (#{e.message})")
       nil
     rescue JSON::ParserError => e

data/lib/helpers/markdown_helper.rb

@@ -26,8 +26,8 @@ module StillActive
     end
 
     def markdown_table_header_line
-      "| activity | up to date? | OpenSSF | vulns | name | version used | latest version | latest pre-release | last commit | libyear | health |\n" \
-        "| -------- | ----------- | ------- | ----- | ---- | ------------ | -------------- | ------------------ | ----------- | ------- | ------ |"
+      "| activity | up to date? | OpenSSF | vulns | name | version used | latest version | latest pre-release | last commit | libyear |\n" \
+        "| -------- | ----------- | ------- | ----- | ---- | ------------ | -------------- | ------------------ | ----------- | ------- |"
     end
 
     def markdown_table_body_line(gem_name:, data:)
@@ -78,7 +78,6 @@ module StillActive
         formatted_latest_pre_release || unsure,
         formatted_last_commit || unsure,
         format_libyear(data[:libyear]),
-        format_health(data[:health_score]),
       ]
 
       "| #{cells.join(" | ")} |"
@@ -108,12 +107,6 @@ module StillActive
       "#{score}/10"
     end
 
-    def format_health(score)
-      return "-" if score.nil?
-
-      "#{score}/100"
-    end
-
     def format_libyear(value)
       return "-" if value.nil?
 

data/lib/helpers/terminal_helper.rb

@@ -2,7 +2,6 @@
 
 require_relative "activity_helper"
 require_relative "ansi_helper"
-require_relative "health_score_helper"
 require_relative "libyear_helper"
 require_relative "version_helper"
 require_relative "vulnerability_helper"
@@ -11,7 +10,7 @@ module StillActive
   module TerminalHelper
     extend self
 
-    HEADERS = ["Name", "Version", "Activity", "OpenSSF", "Vulns", "Health"].freeze
+    HEADERS = ["Name", "Version", "Activity", "OpenSSF", "Vulns"].freeze
 
     def render(result, ruby_info: nil)
       rows = result.keys.sort.map { |name| build_row(name, result[name]) }
@@ -36,7 +35,6 @@ module StillActive
         format_activity(data),
         format_scorecard(data[:scorecard_score]),
         format_vulns(data),
-        format_health(data[:health_score]),
       ]
     end
 
@@ -73,7 +71,16 @@ module StillActive
     end
 
     def format_scorecard(score)
-      score.nil? ? AnsiHelper.dim("-") : "#{score}/10"
+      return AnsiHelper.dim("-") if score.nil?
+
+      text = "#{score}/10"
+      if score >= 7.0
+        AnsiHelper.green(text)
+      elsif score < 4.0
+        AnsiHelper.yellow(text)
+      else
+        text
+      end
     end
 
     def format_vulns(data)
@@ -86,17 +93,6 @@ module StillActive
       AnsiHelper.red(label)
     end
 
-    def format_health(score)
-      return AnsiHelper.dim("-") if score.nil?
-
-      text = "#{score}/100"
-      case score
-      when 80..100 then AnsiHelper.green(text)
-      when 50..79 then AnsiHelper.yellow(text)
-      else AnsiHelper.red(text)
-      end
-    end
-
     def column_widths(rows)
       return HEADERS.map { |h| h.length + 2 } if rows.empty?
 
@@ -166,8 +162,6 @@ module StillActive
       parts << "#{vulns} vulnerabilities"
       total_libyear = LibyearHelper.total_libyear(result)
       parts << "#{total_libyear.round(1)} libyears behind" if total_libyear > 0
-      avg = HealthScoreHelper.system_average(result)
-      parts << "health #{avg}/100" if avg
       parts.join(" · ")
     end
   end

data/lib/helpers/vulnerability_helper.rb

@@ -4,6 +4,8 @@ module StillActive
   module VulnerabilityHelper
     extend self
 
+    SEVERITY_ORDER = ["low", "medium", "high", "critical"].freeze
+
     def highest_severity(vulnerabilities)
       return if vulnerabilities.nil? || vulnerabilities.empty?
 
@@ -13,6 +15,13 @@ module StillActive
       severity_label(max_score)
     end
 
+    def severity_at_or_above?(vulnerabilities, threshold)
+      highest = highest_severity(vulnerabilities)
+      return false if highest.nil?
+
+      SEVERITY_ORDER.index(highest) >= SEVERITY_ORDER.index(threshold)
+    end
+
     private
 
     def severity_label(score)

data/lib/still_active/cli.rb

@@ -7,6 +7,7 @@ require_relative "../helpers/emoji_helper"
 require_relative "../helpers/markdown_helper"
 require_relative "../helpers/terminal_helper"
 require_relative "../helpers/version_helper"
+require_relative "../helpers/vulnerability_helper"
 require_relative "workflow"
 
 module StillActive
@@ -73,7 +74,7 @@ module StillActive
 
     def check_exit_status(result)
       config = StillActive.config
-      return unless config.fail_if_critical || config.fail_if_warning || config.fail_below_score
+      return unless config.fail_if_critical || config.fail_if_warning || config.fail_if_vulnerable || config.fail_if_outdated
 
       ignored = config.ignored_gems
       checked = result.reject { |name, _| ignored.include?(name) }
@@ -84,8 +85,17 @@ module StillActive
         exit(1) if config.fail_if_critical && levels.intersect?([:critical, :archived])
       end
 
-      if (threshold = config.fail_below_score)
-        exit(1) if checked.each_value.any? { |d| d[:health_score] && d[:health_score] < threshold }
+      if (vuln_setting = config.fail_if_vulnerable)
+        checked.each_value do |d|
+          next unless d[:vulnerability_count]&.positive?
+
+          exit(1) if vuln_setting == true
+          exit(1) if VulnerabilityHelper.severity_at_or_above?(d[:vulnerabilities], vuln_setting)
+        end
+      end
+
+      if (threshold = config.fail_if_outdated)
+        exit(1) if checked.each_value.any? { |d| d[:libyear] && d[:libyear] > threshold }
       end
     end
   end

data/lib/still_active/config.rb

@@ -13,7 +13,8 @@ module StillActive
       :gems,
       :github_oauth_token,
       :gitlab_token,
-      :fail_below_score,
+      :fail_if_outdated,
+      :fail_if_vulnerable,
       :ignored_gems,
       :output_format,
       :parallelism,
@@ -24,8 +25,9 @@ module StillActive
       :warning_range_end
 
     def initialize
-      @fail_below_score = nil
       @fail_if_critical = false
+      @fail_if_outdated = nil
+      @fail_if_vulnerable = nil
       @fail_if_warning = false
       @gemfile_path = Bundler.default_gemfile.to_s
       @gems = []

data/lib/still_active/gitlab_client.rb

@@ -9,7 +9,7 @@ module StillActive
 
     BASE_URI = URI("https://gitlab.com/")
 
-    def archived?(owner:, name:)
+    def archived(owner:, name:)
       return if owner.nil? || name.nil?
 
       path = "/api/v4/projects/#{encode_project(owner, name)}"

data/lib/still_active/options.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "optparse"
+require_relative "../helpers/vulnerability_helper"
 
 module StillActive
   class Options
@@ -100,10 +101,18 @@ module StillActive
       opts.on("--fail-if-warning", "Exit 1 if any gem has warning or critical activity warning") do
         StillActive.config { |config| config.fail_if_warning = true }
       end
-      opts.on("--fail-below-score=SCORE", Integer, "Exit 1 if any gem's health score is below SCORE (0-100)") do |value|
-        raise ArgumentError, "--fail-below-score must be between 0 and 100 (got #{value})" unless (0..100).cover?(value)
-
-        StillActive.config { |config| config.fail_below_score = value }
+      opts.on("--fail-if-vulnerable[=SEVERITY]", "Exit 1 if any gem has vulnerabilities (optionally at or above SEVERITY: low, medium, high, critical)") do |value|
+        if value
+          valid = VulnerabilityHelper::SEVERITY_ORDER
+          raise ArgumentError, "--fail-if-vulnerable severity must be one of: #{valid.join(", ")} (got #{value})" unless valid.include?(value)
+
+          StillActive.config { |config| config.fail_if_vulnerable = value }
+        else
+          StillActive.config { |config| config.fail_if_vulnerable = true }
+        end
+      end
+      opts.on("--fail-if-outdated=LIBYEARS", Float, "Exit 1 if any gem exceeds LIBYEARS behind latest") do |value|
+        StillActive.config { |config| config.fail_if_outdated = value }
       end
     end
 

data/lib/still_active/repository.rb

@@ -16,7 +16,10 @@ module StillActive
       match = url&.match(REPO_REGEX)
       return { source: :unhandled, owner: nil, name: nil } unless match
 
-      { url: match[1], source: match[2].to_sym, owner: match[3], name: match[4] }
+      url = match[1].delete_suffix(".git")
+      name = match[4].delete_suffix(".git")
+
+      { url: url, source: match[2].to_sym, owner: match[3], name: name }
     end
   end
 end

data/lib/still_active/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module StillActive
-  VERSION = "1.1.0"
+  VERSION = "1.2.0"
 end

data/lib/still_active/workflow.rb

@@ -3,7 +3,6 @@
 require_relative "deps_dev_client"
 require_relative "gitlab_client"
 require_relative "repository"
-require_relative "../helpers/health_score_helper"
 require_relative "../helpers/libyear_helper"
 require_relative "../helpers/ruby_helper"
 require_relative "../helpers/version_helper"
@@ -61,7 +60,7 @@ module StillActive
 
       case source_type
       when :path, :git
-        gem_info_non_rubygems(gem_name: gem_name, result_object: result_object)
+        gem_info_non_rubygems(gem_name: gem_name, gem_version: gem_version, result_object: result_object, source_uri: source_uri)
       else
         gem_info_rubygems(
           gem_name: gem_name,
@@ -70,8 +69,6 @@ module StillActive
           source_uri: source_uri,
         )
       end
-
-      result_object[gem_name][:health_score] = HealthScoreHelper.gem_score(result_object[gem_name])
     end
 
     def gem_info_rubygems(gem_name:, gem_version:, result_object:, source_uri:)
@@ -82,7 +79,7 @@ module StillActive
         repository_owner: repo_info[:owner],
         repository_name: repo_info[:name],
       )
-      archived = repo_archived?(
+      archived = repo_archived(
         source: repo_info[:source],
         repository_owner: repo_info[:owner],
         repository_name: repo_info[:name],
@@ -129,15 +126,19 @@ module StillActive
       end
     end
 
-    def gem_info_non_rubygems(gem_name:, result_object:)
-      repo_info = repository_info_from_installed_gem(gem_name: gem_name)
+    def gem_info_non_rubygems(gem_name:, gem_version:, result_object:, source_uri: nil)
+      repo_info = repository_info_for_non_rubygems(gem_name: gem_name, source_uri: source_uri)
       source, owner, name = repo_info.values_at(:source, :owner, :name)
+      deps_dev = gem_version ? fetch_deps_dev_info(gem_name: gem_name, version: gem_version) : {}
+
+      # Fall back to repo-derived project_id for scorecard when deps.dev doesn't have the version
+      deps_dev[:scorecard_score] ||= DepsDevClient.project_scorecard(project_id: repo_info[:project_id])&.dig(:score)
 
       result_object[gem_name].merge!({
         repository_url: repo_info[:url],
         last_commit_date: last_commit_date(source:, repository_owner: owner, repository_name: name),
-        archived: repo_archived?(source:, repository_owner: owner, repository_name: name),
-        scorecard_score: DepsDevClient.project_scorecard(project_id: repo_info[:project_id])&.dig(:score),
+        archived: repo_archived(source:, repository_owner: owner, repository_name: name),
+        **deps_dev,
       })
     end
 
@@ -161,10 +162,15 @@ module StillActive
       end
     rescue Gems::NotFound
       []
+    rescue Errno::ECONNRESET, Errno::ECONNREFUSED, Net::OpenTimeout, Net::ReadTimeout, SocketError => e
+      $stderr.puts("warning: rubygems.org versions lookup failed for #{gem_name}: #{e.class} (#{e.message})")
+      []
     end
 
     def github_packages_uri?(uri)
-      uri.is_a?(String) && uri.include?("rubygems.pkg.github.com")
+      uri.is_a?(String) && URI(uri).host == "rubygems.pkg.github.com"
+    rescue URI::InvalidURIError
+      false
     end
 
     def fetch_github_packages_versions(gem_name:, source_uri:)
@@ -176,6 +182,17 @@ module StillActive
       HttpHelper.get_json(base, path, headers: headers) || []
     end
 
+    def repository_info_for_non_rubygems(gem_name:, source_uri: nil)
+      valid_repository_url =
+        [source_uri, *installed_gem_urls(gem_name: gem_name)].find { |url| Repository.valid?(url: url) }
+      repo = Repository.url_with_owner_and_name(url: valid_repository_url)
+      project_id = if repo[:url]
+        host = repo[:source] == :gitlab ? "gitlab.com" : "github.com"
+        "#{host}/#{repo[:owner]}/#{repo[:name]}"
+      end
+      repo.merge(project_id: project_id)
+    end
+
     def repository_info_from_installed_gem(gem_name:)
       valid_repository_url =
         installed_gem_urls(gem_name: gem_name).find { |url| Repository.valid?(url: url) }
@@ -223,13 +240,13 @@ module StillActive
       []
     end
 
-    def repo_archived?(source:, repository_owner:, repository_name:)
+    def repo_archived(source:, repository_owner:, repository_name:)
       case source
       when :github
         repo = StillActive.config.github_client.repository("#{repository_owner}/#{repository_name}")
         repo&.archived
       when :gitlab
-        GitlabClient.archived?(owner: repository_owner, name: repository_name)
+        GitlabClient.archived(owner: repository_owner, name: repository_name)
       end
     rescue Octokit::Error, Faraday::Error => e
       $stderr.puts("warning: archived check failed for #{repository_owner}/#{repository_name}: #{e.class}")

data/still_active.gemspec

@@ -12,10 +12,10 @@ Gem::Specification.new do |spec|
   spec.description   = "Analyses your Gemfile for dependency health: checks if gems are actively maintained " \
     "(last commit dates via GitHub and GitLab, release dates), outdated versions, archived repos, " \
     "OpenSSF Scorecard security scores, known vulnerabilities via deps.dev, and libyear drift. " \
-    "Composite health score (0-100) per gem. Ruby version freshness with EOL detection. " \
+    "Ruby version freshness with EOL detection. " \
     "Handles rubygems, git, path, and GitHub Packages sources. " \
     "Outputs coloured terminal tables, markdown, or JSON. " \
-    "CI quality gates with --fail-if-critical, --fail-if-warning, --fail-below-score, and --ignore. " \
+    "CI quality gates with --fail-if-critical, --fail-if-warning, --fail-if-vulnerable, --fail-if-outdated, and --ignore. " \
     "A comprehensive alternative to running bundle outdated, bundler-audit, and libyear-bundler separately."
   spec.homepage      = "https://github.com/SeanLF/still_active"
   spec.license       = "MIT"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: still_active
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.2.0
 platform: ruby
 authors:
 - Sean Floyd
@@ -166,11 +166,11 @@ dependencies:
 description: 'Analyses your Gemfile for dependency health: checks if gems are actively
   maintained (last commit dates via GitHub and GitLab, release dates), outdated versions,
   archived repos, OpenSSF Scorecard security scores, known vulnerabilities via deps.dev,
-  and libyear drift. Composite health score (0-100) per gem. Ruby version freshness
-  with EOL detection. Handles rubygems, git, path, and GitHub Packages sources. Outputs
-  coloured terminal tables, markdown, or JSON. CI quality gates with --fail-if-critical,
-  --fail-if-warning, --fail-below-score, and --ignore. A comprehensive alternative
-  to running bundle outdated, bundler-audit, and libyear-bundler separately.'
+  and libyear drift. Ruby version freshness with EOL detection. Handles rubygems,
+  git, path, and GitHub Packages sources. Outputs coloured terminal tables, markdown,
+  or JSON. CI quality gates with --fail-if-critical, --fail-if-warning, --fail-if-vulnerable,
+  --fail-if-outdated, and --ignore. A comprehensive alternative to running bundle
+  outdated, bundler-audit, and libyear-bundler separately.'
 email:
 - contact@seanfloyd.dev
 executables:
@@ -186,7 +186,6 @@ files:
 - lib/helpers/ansi_helper.rb
 - lib/helpers/bundler_helper.rb
 - lib/helpers/emoji_helper.rb
-- lib/helpers/health_score_helper.rb
 - lib/helpers/http_helper.rb
 - lib/helpers/libyear_helper.rb
 - lib/helpers/markdown_helper.rb

data/lib/helpers/health_score_helper.rb

@@ -1,81 +0,0 @@
-# frozen_string_literal: true
-
-require_relative "activity_helper"
-
-module StillActive
-  module HealthScoreHelper
-    extend self
-
-    WEIGHTS = {
-      version_freshness: 30,
-      activity: 25,
-      scorecard: 20,
-      vulnerabilities: 25,
-    }.freeze
-
-    def gem_score(gem_data)
-      components = {
-        version_freshness: version_freshness_score(gem_data),
-        activity: activity_score(gem_data),
-        scorecard: scorecard_score(gem_data),
-        vulnerabilities: vulnerability_score(gem_data),
-      }
-
-      available = components.compact
-      return if available.empty?
-
-      total_weight = available.keys.sum { |k| WEIGHTS[k] }
-      weighted_sum = available.sum { |k, v| WEIGHTS[k] * v }
-      (weighted_sum.to_f / total_weight).round
-    end
-
-    def system_average(result)
-      scores = result.each_value.filter_map { |d| d[:health_score] }
-      return if scores.empty?
-
-      (scores.sum.to_f / scores.size).round
-    end
-
-    private
-
-    def version_freshness_score(gem_data)
-      return 0 if gem_data[:version_yanked]
-
-      libyear = gem_data[:libyear]
-      return if libyear.nil?
-
-      [100 - (libyear * 20), 0].max.round
-    end
-
-    def activity_score(gem_data)
-      return 0 if gem_data[:archived]
-
-      level = ActivityHelper.activity_level(gem_data)
-      case level
-      when :ok then 100
-      when :stale then 40
-      when :critical then 10
-      when :unknown then nil
-      end
-    end
-
-    def scorecard_score(gem_data)
-      score = gem_data[:scorecard_score]
-      return if score.nil?
-
-      (score * 10).round
-    end
-
-    def vulnerability_score(gem_data)
-      count = gem_data[:vulnerability_count]
-      return if count.nil?
-
-      case count
-      when 0 then 100
-      when 1 then 40
-      when 2 then 20
-      else 0
-      end
-    end
-  end
-end