# bundle-patch
A command-line tool to automatically patch vulnerable gems in your Gemfile using bundler-audit under the hood.
It parses audit output, finds the best patchable version for each vulnerable gem, and updates your Gemfile accordingly.
## Features
- Runs `bundle audit` and parses vulnerabilities
- Computes the minimal patchable version required
- Updates your `Gemfile` (and optionally runs `bundle install`)
- Supports patch/minor/major upgrade strategies
- Handles indirect dependencies by explicitly adding them
- Has a dry-run mode
- Creates a backup of your Gemfile before changes
## Requirements
- Ruby 2.6 or later
- Bundler installed
- bundler-audit installed (will be installed automatically if missing)
## Installation
Add this gem to your system:

```sh
gem install bundle-patch
```

Or add it to your project's Gemfile for use in development:

```ruby
# Gemfile
group :development do
  gem 'bundle-patch'
end
```

And then:

```sh
bundle install
```

## Examples

### Basic Usage

```sh
bundle-patch
```

This will run in patch mode (default) and update only patch versions.
### Minor Version Updates

```sh
bundle-patch --mode=minor
```

Example output:

```
Running `bundle-audit check --format json`...
Found 2 vulnerabilities:
  - sidekiq (5.2.10): sidekiq Denial of Service vulnerability
    Patchable → 6.5.10
  - actionpack (6.1.4.1): XSS vulnerability
    Patchable → 6.1.7.7
Backing up Gemfile to Gemfile.bak...
Updating existing gem: actionpack to '6.1.7.7'
Gem sidekiq is a dependency. Adding it explicitly to Gemfile with version 6.5.10.
Gemfile updated!
Running `bundle install`...
bundle install completed successfully
```
### Dry Run Mode

```sh
bundle-patch --dry-run
```

This will show what would be changed without making any actual changes.

### Skip Bundle Install

```sh
bundle-patch --skip-bundle-install
```

This will update the Gemfile but skip running `bundle install`.

### Major Version Updates

```sh
bundle-patch --mode=all
```

This will allow updates to any version that fixes the vulnerability.
## Options

| Option | Description | Default |
|---|---|---|
| `--mode=patch` | Only allow patch-level updates (e.g., 1.0.0 → 1.0.1) | ✓ |
| `--mode=minor` | Allow minor version updates (e.g., 1.0.0 → 1.1.0) | |
| `--mode=all` | Allow all updates including major versions (e.g., 1.0.0 → 2.0.0) | |
| `--dry-run` | Only print what would be changed, don't touch the Gemfile or install gems | false |
| `--skip-bundle-install` | Modify the Gemfile, but skip `bundle install` | false |
## How it works
- Runs `bundle audit check --format json`
- Groups advisories by gem
- Determines the best patchable version for each gem based on `--mode`
- Creates a backup of your Gemfile (`Gemfile.bak`)
- Ensures the gem is either updated or explicitly added to the `Gemfile`
- Optionally runs `bundle install` (unless `--skip-bundle-install` or `--dry-run` is used)
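The grouping, version-selection and Gemfile-rewrite steps above, with the mode semantics from the Options table, as an added worked example in Ruby. This is illustrative code written for this README, not the gem's own implementation. It assumes the JSON shape shown in `SAMPLE_AUDIT_JSON` (constructed data with made-up advisory ids) and a constructed list of released versions in `CANDIDATES`; a real run would read the index instead. It also assumes that `patch` keeps the same major.minor, `minor` keeps the same major, and the chosen version is pinned exactly in the Gemfile, as the example output does.

```ruby
require 'json'
require 'rubygems' # Gem::Version and Gem::Requirement

# Constructed sample in the shape of `bundle-audit check --format json`.
# Assumption: the real output uses these keys; the advisories are illustrative.
SAMPLE_AUDIT_JSON = <<~JSON
  {
    "results": [
      { "type": "unpatched_gem",
        "gem": { "name": "sidekiq", "version": "5.2.10" },
        "advisory": { "id": "EXAMPLE-1", "title": "sidekiq Denial of Service vulnerability",
                      "patched_versions": [">= 6.5.10"] } },
      { "type": "unpatched_gem",
        "gem": { "name": "actionpack", "version": "6.1.4.1" },
        "advisory": { "id": "EXAMPLE-2", "title": "XSS vulnerability",
                      "patched_versions": ["~> 6.1.7.7", ">= 7.0.4.3"] } },
      { "type": "unpatched_gem",
        "gem": { "name": "actionpack", "version": "6.1.4.1" },
        "advisory": { "id": "EXAMPLE-3", "title": "second actionpack advisory",
                      "patched_versions": ["~> 6.1.7.8", ">= 7.0.5"] } }
    ]
  }
JSON

# Released versions the resolver may pick from (constructed; a real tool
# would query the gem index).
CANDIDATES = {
  'sidekiq'    => %w[5.2.10 5.2.11 6.0.0 6.5.10 7.0.0],
  'actionpack' => %w[6.1.4.1 6.1.7.7 6.1.7.8 7.0.4.3 7.0.5 7.1.0],
}.freeze

# Group advisories by gem. Each advisory's patched_versions is an OR of
# ranges, so it becomes one array of Gem::Requirement objects.
def group_advisories(audit_json)
  JSON.parse(audit_json)['results']
      .select { |r| r['type'] == 'unpatched_gem' }
      .each_with_object({}) { |r, acc|
    g = r['gem']
    entry = (acc[g['name']] ||= { current: Gem::Version.new(g['version']), advisories: [] })
    entry[:advisories] << r['advisory']['patched_versions'].map { |s| Gem::Requirement.new(s) }
  }
end

# The mode decides how far an upgrade may move from the current version
# (assumed semantics: patch keeps major.minor, minor keeps major, all is unrestricted).
def allowed_by_mode?(current, candidate, mode)
  cur, cand = current.segments, candidate.segments
  case mode
  when :patch then cand[0] == cur[0] && cand[1] == cur[1]
  when :minor then cand[0] == cur[0]
  when :all   then true
  else raise ArgumentError, "unknown mode: #{mode.inspect}"
  end
end

# Minimal released version newer than the current one, allowed by the mode,
# that satisfies at least one patched range of EVERY advisory for the gem.
# Returns nil when the mode is too restrictive to reach a fixed version.
def best_patchable_version(name, entry, mode, candidates = CANDIDATES)
  candidates.fetch(name, [])
            .map { |s| Gem::Version.new(s) }
            .select { |v| v > entry[:current] && allowed_by_mode?(entry[:current], v, mode) }
            .select { |v| entry[:advisories].all? { |ranges| ranges.any? { |req| req.satisfied_by?(v) } } }
            .min
end

# Gem name => version string to pin (nil if nothing is patchable in this mode).
def plan_upgrades(audit_json, mode)
  group_advisories(audit_json).each_with_object({}) do |(name, entry), plan|
    best = best_patchable_version(name, entry, mode)
    plan[name] = best&.to_s
  end
end

# Pin an existing `gem 'name'` line to the chosen version, keeping trailing
# options such as `require: false`, or add the gem explicitly when it was
# only reachable as an indirect dependency.
def apply_plan(gemfile_text, plan)
  lines = gemfile_text.lines.map(&:chomp)
  plan.compact.each do |name, version|
    re = /\A(\s*gem\s+['"]#{Regexp.escape(name)}['"])((?:\s*,\s*['"][^'"]*['"])*)(.*)\z/
    idx = lines.index { |l| l.match?(re) }
    if idx
      m = lines[idx].match(re)
      lines[idx] = "#{m[1]}, '#{version}'#{m[3]}"
    else
      lines << "gem '#{name}', '#{version}' # added by bundle-patch (indirect dependency)"
    end
  end
  lines.join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  %i[patch minor all].each { |mode| puts "#{mode}: #{plan_upgrades(SAMPLE_AUDIT_JSON, mode)}" }
end
```

With the sample data, `patch` and `minor` can fix actionpack (6.1.7.8, the lowest release that satisfies both advisories) but report nothing patchable for sidekiq, because every fix needs a major bump; only `all` reaches 6.5.10. That nil result is the "Gem Can't Be Patched" case from the troubleshooting section, and it is why the tool tells you to retry with `--mode=all` rather than silently picking a version outside the requested range.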
## Troubleshooting

### Bundle Install Fails
If `bundle install` fails after updating:
- Check the error message
- You can revert to the backup: `cp Gemfile.bak Gemfile`
- Try running `bundle install` manually to see more detailed errors

### Gem Can't Be Patched
If a gem can't be patched in your chosen mode:
- Try running with `--mode=all` to see all possible updates
- Check if there are any version conflicts in your Gemfile
- Consider manually updating the gem to a specific version
### Security Considerations
- Always review the changes made to your Gemfile
- Test your application after applying updates
- Consider running your test suite after updates
- Check the changelog of updated gems for breaking changes
## Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/yourusername/bundle-patch.
## License
The gem is available as open source under the terms of the MIT License.