Repository: rubysec/bundler-audit (Ruby), "Patch-level verification for Bundler", GNU General Public License v3.0, default branch `master`, topics: bundler-audit, dependency-checker, patch-management, ruby, ruby-advisory-db, security, security-audit, security-tools. Stars: 2755, forks: 245, watchers: 39, open issues: 23. Last updated 2026-06-12 (last synced 2026-06-11).

# bundler-audit

[![CI](https://github.com/rubysec/bundler-audit/actions/workflows/ruby.yml/badge.svg)](https://github.com/rubysec/bundler-audit/actions/workflows/ruby.yml)
[![Code Climate](https://codeclimate.com/github/rubysec/bundler-audit.svg)](https://codeclimate.com/github/rubysec/bundler-audit)
[![Gem Version](https://badge.fury.io/rb/bundler-audit.svg)](https://badge.fury.io/rb/bundler-audit)

* [Homepage](https://github.com/rubysec/bundler-audit#readme)
* [Issues](https://github.com/rubysec/bundler-audit/issues)
* [Documentation](http://rubydoc.info/gems/bundler-audit/frames)

## Description

Patch-level verification for [bundler].

## Features

* Checks for vulnerable versions of gems in `Gemfile.lock`.
* Checks for insecure gem sources (`http://` and `git://`).
* Allows ignoring certain advisories that have been manually worked around.
* Prints advisory information.
* Does not require a network connection.

## Synopsis

Audit a project's `Gemfile.lock`:

```
$ bundle-audit
Name: actionpack
Version: 3.2.10
Advisory: OSVDB-91452
Criticality: Medium
URL: http://www.osvdb.org/show/osvdb/91452
Title: XSS vulnerability in sanitize_css in Action Pack
Solution: update to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: actionpack
Version: 3.2.10
Advisory: OSVDB-91454
Criticality: Medium
URL: http://osvdb.org/show/osvdb/91454
Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
Solution: update to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: actionpack
Version: 3.2.10
Advisory: OSVDB-89026
Criticality: High
URL: http://osvdb.org/show/osvdb/89026
Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
Solution: update to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11

Name: activerecord
Version: 3.2.10
Advisory: OSVDB-91453
Criticality: High
URL: http://osvdb.org/show/osvdb/91453
Title: Symbol DoS vulnerability in Active Record
Solution: update to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: activerecord
Version: 3.2.10
Advisory: OSVDB-90072
Criticality: Medium
URL: http://direct.osvdb.org/show/osvdb/90072
Title: Ruby on Rails Active Record attr_protected Method Bypass
Solution: update to ~> 2.3.17, ~> 3.1.11, >= 3.2.12

Name: activerecord
Version: 3.2.10
Advisory: OSVDB-89025
Criticality: High
URL: http://osvdb.org/show/osvdb/89025
Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
Solution: update to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11

Name: activesupport
Version: 3.2.10
Advisory: OSVDB-91451
Criticality: High
URL: http://www.osvdb.org/show/osvdb/91451
Title: XML Parsing Vulnerability affecting JRuby users
Solution: update to ~> 3.1.12, >= 3.2.13

Unpatched versions found!
```

Update the [ruby-advisory-db] that `bundle audit` uses:

```
$ bundle-audit update
Updating ruby-advisory-db ...
remote: Counting objects: 44, done.
remote: Compressing objects: 100% (24/24), done.
remote: Total 39 (delta 19), reused 29 (delta 10)
Unpacking objects: 100% (39/39), done.
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Updating 5f8225e..328ca86
Fast-forward
 CONTRIBUTORS.md                    |  1 +
 gems/actionmailer/OSVDB-98629.yml  | 17 +++++++++++++++++
 gems/cocaine/OSVDB-98835.yml       | 15 +++++++++++++++
 gems/fog-dragonfly/OSVDB-96798.yml | 13 +++++++++++++
 gems/sounder/OSVDB-96278.yml       | 13 +++++++++++++
 gems/wicked/OSVDB-98270.yml        | 14 ++++++++++++++
 6 files changed, 73 insertions(+)
 create mode 100644 gems/actionmailer/OSVDB-98629.yml
 create mode 100644 gems/cocaine/OSVDB-98835.yml
 create mode 100644 gems/fog-dragonfly/OSVDB-96798.yml
 create mode 100644 gems/sounder/OSVDB-96278.yml
 create mode 100644 gems/wicked/OSVDB-98270.yml
ruby-advisory-db: 64 advisories
```

Update the [ruby-advisory-db] and check `Gemfile.lock` (useful for CI runs):

```shell
$ bundle-audit check --update
```

Check the `Gemfile.lock` without updating the [ruby-advisory-db]:

```shell
$ bundle-audit check --no-update
```

Ignore specific advisories:

```shell
$ bundle-audit check --ignore OSVDB-108664
```

Check a custom `Gemfile.lock` file:

```shell
$ bundle-audit check --gemfile-lock Gemfile.custom.lock
```

Output the audit's results in JSON:

```shell
$ bundle-audit check --format json
```

Output the audit's results in JSON, to a file:

```shell
$ bundle-audit check --format json --output bundle-audit.json
```

## Rake Tasks

Bundler-audit provides `rake` tasks for checking the code and for updating
its vulnerability database.

Simply add the following code to the `Rakefile`:

```ruby
require 'bundler/audit/task'
Bundler::Audit::Task.new
```

The following `rake` tasks will then become available:

```
$ rake -T
rake bundle:audit
rake bundle:audit:update
```

## Configuration File

bundler-audit also supports a per-project configuration file:

`.bundler-audit.yml`:

```yaml
---
ignore:
  - CVE-YYYY-XXXX
  - ...
```

* `ignore:` \[Array\<String\>\] - A list of advisory IDs to ignore.

You can provide a path to a config file using the `--config` flag:

```shell
$ bundle-audit check --config bundler-audit.custom.yaml
```

## Requirements

* [git]
* [ruby] >= 2.0.0
* [rubygems] >= 1.8
* [thor] ~> 1.0
* [bundler] >= 1.2.0, < 3

## Install

```shell
$ [sudo] gem install bundler-audit
```

### Git

* Debian / Ubuntu:

```shell
$ sudo apt install git
```

* RedHat / Fedora:

```shell
$ sudo dnf install git
```

* Alpine Linux:

```shell
$ apk add git
```

* macOS:

```shell
$ brew install git
```

## Contributing

1. https://github.com/rubysec/bundler-audit/fork
2. `git clone YOUR_FORK_URI`
3. `cd bundler-audit/`
4. `bundle install`
5. `bundle exec rake spec`
6. `git checkout -b YOUR_FEATURE`
7. Make your changes
8. `bundle exec rake spec`
9. `git commit -a`
10. `git push origin YOUR_FEATURE`

## License

Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)

bundler-audit is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

bundler-audit is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.

[git]: https://git-scm.com
[ruby]: https://ruby-lang.org
[rubygems]: https://rubygems.org
[thor]: http://whatisthor.com/
[bundler]: https://bundler.io

[OSVDB]: http://osvdb.org/
[ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db

Summary: bundler-audit is a patch-level verification tool for Bundler. It checks whether the gem versions recorded in `Gemfile.lock` have known security vulnerabilities, and it also detects insecure gem sources (such as http:// and git://). The tool lets users ignore specific advisories that have already been worked around manually, and it works without a network connection. In addition, bundler-audit prints the details of each advisory it reports. It is well suited for Ruby developers who want to check the security of their dependencies regularly during development and make sure their applications are not exposed to known vulnerabilities.