Project

package-audit

0.0
No release in over a year
package-auditvkononov/package-auditHomepageDocumentationSource CodeBug Tracker
A useful tool for patch management and prioritization, package-audit produces a list of dependencies that are outdated, deprecated or have security vulnerabilities.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
 Popularity
Downloads
11,127
Stars
1
Forks
1
Watchers
1
 Releases
Current version
0.8.0
Total releases
13
First release
1980-01-02
Latest release
2024-02-03
 Issues
Open Issues
0
Closed Issues
3
Total Issues
3
Issue Closure Rate
100%
 Pull Requests
Open Pull Requests
0
Closed Pull Requests
12
Merged Pull Requests
68
Pull Request Acceptance Rate
85%
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2024-10-29
Reverse Dependencies
0

 Dependencies

Runtime

bundler-audit
~> 0.8
thor
~> 1.2
 Project Readme

Package::Audit

Gem Version License Lint Status Test Status

A useful tool for patch management and prioritization, package-audit produces a list of dependencies that are outdated, deprecated or have security vulnerabilities.

"Buy Me A Coffee"

Supported Technologies

  • Ruby
  • Node (using Yarn)

Report Example

Example Output

Understanding the Flags Column

The Flags column shows which risk types apply to each package:

  • ⦗V··⦘ - Vulnerable (has security vulnerabilities)
  • ⦗·O·⦘ - Outdated (newer version available)
  • ⦗··D⦘ - Deprecated (no updates in 2+ years)
  • ⦗VO·⦘ - Both vulnerable and outdated
  • ⦗VOD⦘ - All three risk types apply

The footer uses the same notation (⦗V⦘ulnerable, ⦗O⦘utdated, ⦗D⦘eprecated) as a legend.

Continuous Integration

This gem provides a return code of 0 to indicate success and 1 to indicate failure. It is specifically designed for seamless integration into continuous integration pipelines.

Installation

Add this line to your application's Gemfile:

gem 'package-audit', require: false

And then execute:

bundle

Or install it yourself as:

gem install package-audit

Usage

Basic Report

Run a full audit (DIR defaults to current directory):

package-audit [DIR]

Filtering by Risk Type

Show only specific risk types:

# Show only deprecated packages
package-audit [DIR] --deprecated

# Show only vulnerable packages
package-audit [DIR] --vulnerable

# Show packages that are deprecated and/or vulnerable
package-audit [DIR] --deprecated --vulnerable

Excluding Risk Types

Exclude specific risk types from the report:

# Show everything except deprecated packages
package-audit [DIR] --skip-deprecated

# Show everything except outdated packages
package-audit [DIR] --skip-outdated

# Show only vulnerable packages (exclude deprecated and outdated)
package-audit [DIR] --skip-deprecated --skip-outdated

Important: Packages with multiple risk types are handled intelligently. For example, a package that is both outdated and vulnerable will still appear when using --skip-outdated because it has a vulnerability.

Understanding the Flags Column

The Flags column in the output shows which risk types apply to each package:

  • ⦗V··⦘ - Vulnerable (has security vulnerabilities)
  • ⦗·O·⦘ - Outdated (newer version available)
  • ⦗··D⦘ - Deprecated (no updates in 2+ years)
  • ⦗VO·⦘ - Both vulnerable and outdated
  • ⦗VOD⦘ - All three risk types apply

The footer uses the same notation ⦗V⦘ulnerable, ⦗O⦘utdated, ⦗D⦘eprecated as a legend.

Scoping Options

Filter by technology or group:

# Specific technologies
package-audit [DIR] -t node -t ruby
package-audit [DIR] --technology node --technology ruby

# Specific groups
package-audit [DIR] -g staging -g production
package-audit [DIR] --group staging --group production

Note: Package::Audit will attempt to automatically detect the technologies used by the project.

Configuration

Use a custom configuration file (see Configuration File for details):

package-audit [DIR] --config .package-audit.yml

Include packages normally ignored by configuration:

package-audit [DIR] --include-ignored

Output Formats

# CSV format
package-audit [DIR] --format csv

# Markdown format
package-audit [DIR] --format md

Other Commands

# Show how risk is calculated
package-audit risk

# Show version
package-audit version

Getting Help

package-audit help
package-audit help [COMMAND]

Configuration File

The package-audit gem automatically searches for .package-audit.yml in the current directory or in the specified DIR if available. However, you have the option to override the default configuration file location by using the --config (or -c) flag.

Below is an example of a configuration file:

technology:
  node:
    nth-check:
      version: 1.0.2
      vulnerable: false
  ruby:
    devise-async:
      version: 1.0.0
      deprecated: false
    puma:
      version: 6.3.0
      deprecated: false
    selenium-webdriver:
      version: 4.1.0
      outdated: false

This configuration file allows you to specify the following exclusions:

  • Ignore all security vulnerabilities associated with nth-check@1.0.2.
  • Suppress messages regarding potential deprecations for device-async@1.0.0 and puma@6.3.0.
  • Disable warnings about newer available versions of selenium-webdriver@4.1.0

Note: If the installed package version differs from the expected package version specified in the configuration file, the exclusion settings will not apply to that particular package.

Note: If a package is reported for multiple reasons (e.g. vulnerable and outdated), it will still be reported unless the exclusion criteria match every reason for being on the report.

By design, wildcard (*) version exclusions are not supported to prevent developers from inadvertently overlooking crucial messages when packages are updated.

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

License

The gem is available as open source under the terms of the MIT License.