Analyses your Gemfile.lock for dependency health across the full transitive graph: whether each gem is actively maintained (last activity on GitHub, GitLab, or Codeberg/Forgejo, plus release recency), outdated versions, archived repos, OpenSSF Scorecard scores, known vulnerabilities (deps.dev and OSV, merged with ruby-advisory-db, flagging advisories with no fix and pins that sit below the fix), poison-pill compatibility ceilings, and libyear drift. Ruby version freshness with EOL detection. The same maintenance lens travels cross-ecosystem: point --sbom at a CycloneDX SBOM to assess npm, PyPI, Cargo, Go, Maven, and NuGet packages via deps.dev and ecosyste.ms. Handles rubygems, git, path, GitHub Packages, and JFrog Artifactory sources. Outputs coloured terminal tables, markdown, JSON (with a versioned, contract-tested schema), SARIF for GitHub code scanning, and a CycloneDX SBOM. CI quality gates (--fail-if-critical / -warning / -vulnerable / -outdated / -poison / -language-ceiling) with granular, committed suppression via .still_active.yml. Complements bundle outdated, bundler-audit, and libyear-bundler by adding the maintenance signal they don't, and folds their version, CVE, and libyear checks into one report.
Required Ruby Version
>= 3.3.0
Authors
Sean Floyd
Versions
- 3.0.0.rc1 July 05, 2026 (136 KB)
- 2.0.0 June 14, 2026 (76 KB)
- 1.6.0 June 08, 2026 (48.5 KB)
- 1.5.0 May 23, 2026 (45 KB)
- 1.4.2 May 22, 2026 (36 KB)
Pushed by
SHA 256 checksum
Provenance
Source Commit
Build File