Update bundler-audit: 0.8.0 → 0.9.1 (major)

[depfu]

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ bundler-audit (0.8.0 → 0.9.1) · Repo · Changelog

Release Notes

0.9.1 (from changelog)

• Opt into rubygems.org MFA requirement.

CLI

• Improve the readability of the suggested gem versions to upgrade to (pull #331).

Rake Task

• Fixed a regression introduced in 0.9.0 where the bundler:audit rake task was not exiting with an error status code if vulnerabilities were found. Now when the bundler-audit command fails, the rake task will also exit with the bundler-audit command's error code.
• If the bundler-audit command could not be found for some reason raise the {Bundler::Audit::Task::CommandNotFound} exception.

0.9.0.1 (from changelog)

• Add a workaround for Psych < 3.1.0 to support running on Ruby < 2.6. (issue #319)
  • Although, Ruby 2.5 and prior have all reached End-of-Life and are no longer receiving security updates. It is strongly advised that you should upgrade to a currently supported version of Ruby.

0.9.0 (from changelog)

• Load advisory metadata using YAML.safe_load. (issue #302)
  • Explicitly permit the Date class for Psych >= 4.0.0 and Ruby >= 3.1.0.
• Added {Bundler::Audit::Advisory#to_h}. (pull #310)
• Added {Bundler::Audit::Database#commit_id}.

CLI

• Added the --config option. (pull #306)
• Added the junit output format (ex: --format junit). (pull #314)
• Add missing output for CVSSv3 criticality information. (pull #302)
  • Include criticality information in the JSON output as well. (pull #310)
• bundle-audit stats now prints the commit ID of the ruby-advisory-db.
• Fixed a deprecation warning from Thor. (issue #317)

Rake Task

• Add the bundle:audit:update task for updating the ruby-advisory-db. (pull #296)
• Aliased bundle:audit to bundle:audit:check.
• Aliased bundler:audit:* to bundle:audit:*.
• Rake tasks now execute bundle-audit command as a subprocess to ensure isolation.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ thor (indirect, 1.1.0 → 1.2.1) · Repo · Changelog

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #25.