Analyses your Gemfile.lock for dependency health across the full transitive graph: whether each gem is actively maintained (last activity on GitHub, GitLab, or Codeberg/Forgejo, plus release recency), outdated versions, archived repos, OpenSSF Scorecard scores, known vulnerabilities (deps.dev merged with ruby-advisory-db), and libyear drift. It also checks Ruby version freshness, with EOL detection. Handles rubygems, git, path, GitHub Packages, and JFrog Artifactory sources. Outputs coloured terminal tables, markdown, JSON (with a versioned, contract-tested schema), SARIF for GitHub code scanning, and a CycloneDX SBOM. CI quality gates (--fail-if-critical / -warning / -vulnerable / -outdated) with granular, committed suppression via .still_active.yml. A comprehensive alternative to running bundle outdated, bundler-audit, and libyear-bundler separately.

Required Ruby Version

>= 3.3.0

Authors

Sean Floyd

Versions

  1. 2.0.0 June 14, 2026 (76 KB)
  2. 1.6.0 June 08, 2026 (48.5 KB)
  3. 1.5.0 May 23, 2026 (45 KB)
  4. 1.4.2 May 22, 2026 (36 KB)
  5. 1.4.1 May 22, 2026 (35.5 KB)
(19 versions in total)

Pushed by

GitHub
