A command-line tool to automatically patch vulnerable gems in your Gemfile using bundler-audit under the hood.
It parses audit output, finds the best patchable version for each vulnerable gem, and updates your Gemfile accordingly.
- Runs `bundle audit` and parses the reported vulnerabilities
- Computes the minimal patchable version required for each vulnerable gem
- Updates your `Gemfile` (and optionally runs `bundle install`)
- Supports patch/minor/major upgrade strategies
- Handles indirect dependencies by explicitly adding them to the `Gemfile`
- Has a dry-run mode
- Creates a backup of your `Gemfile` before making changes
- Ruby 2.6 or later
- Bundler installed
- bundler-audit installed (will be installed automatically if missing)
Add this gem to your system:

```sh
gem install bundle-patch
```

Or add it to your project's Gemfile for use in development:

```ruby
# Gemfile
group :development do
  gem 'bundle-patch'
end
```

And then:

```sh
bundle install
```

Run it from your project directory with no options:

```sh
bundle-patch
```

This will run in patch mode (default) and update only patch versions.

```sh
bundle-patch --mode=minor
```

Example output:
```text
🔍 Running `bundle-audit check --format json`...
🔒 Found 2 vulnerabilities:
  - sidekiq (5.2.10): sidekiq Denial of Service vulnerability
    ✅ Patchable → 6.5.10
  - actionpack (6.1.4.1): XSS vulnerability
    ✅ Patchable → 6.1.7.7
📝 Backing up Gemfile to Gemfile.bak...
🔧 Updating existing gem: actionpack to '6.1.7.7'
➕ Gem sidekiq is a dependency. Adding it explicitly to Gemfile with version 6.5.10.
✅ Gemfile updated!
📦 Running `bundle install`...
✅ bundle install completed successfully
```
```sh
bundle-patch --dry-run
```

This will show what would be changed without making any actual changes.

```sh
bundle-patch --skip-bundle-install
```

This will update the Gemfile but skip running `bundle install`.

```sh
bundle-patch --mode=all
```

This will allow updates to any version that fixes the vulnerability, including major version jumps.
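The Gemfile rewrite, backup and dry-run behaviour shown in the output above, as an added example that is not part of the bundle-patch gem's own code. It assumes a constructed sample Gemfile and an `updates` hash of gem name to fixed version (the result of the version-selection step); the `GEM_LINE` regex, the function names `apply_updates` and `patch_gemfile`, and the choice to add an indirect dependency with a `>=` floor rather than an exact pin are this example's own decisions, not something the page specifies.

```ruby
require "fileutils"
require "tmpdir"

# Constructed sample Gemfile for the demonstration (not from any real project).
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"

  gem "rails", "~> 6.1.4"
  gem 'actionpack', '6.1.4.1'
  gem "puma", require: false
GEMFILE

# A `gem "name"` line: (1) indentation + gem + quoted name, (2) the quote used,
# (3) the name, (4) zero or more quoted version requirements, (5) everything else
# (e.g. `, require: false`), which is preserved untouched.
GEM_LINE = /\A(\s*gem\s+(['"])([\w.-]+)\2)((?:\s*,\s*(?:"[^"]*"|'[^']*'))*)(.*)\z/

# Returns [new_gemfile_text, actions]. Gems already declared get their version
# requirement(s) replaced in place, keeping the line's other options; gems that
# are only transitive dependencies are appended as explicit entries.
def apply_updates(text, updates)
  actions   = []
  remaining = updates.dup
  lines = text.lines.map do |line|
    m = GEM_LINE.match(line.chomp)
    next line unless m && remaining.key?(m[3])
    name, q = m[3], m[2]
    version = remaining.delete(name)
    actions << "update #{name} -> #{version}"
    "#{m[1]}, #{q}#{version}#{q}#{m[5]}\n"
  end
  remaining.each do |name, version|
    actions << "add #{name} >= #{version}"
    # Floor (">=") rather than an exact pin: the fix is enforced and later
    # security releases of the indirect dependency stay installable.
    lines << "gem \"#{name}\", \">= #{version}\"\n"
  end
  [lines.join, actions]
end

# Copies the Gemfile to <path>.bak before writing the patched text. In dry-run
# mode nothing is written and no backup is made; the planned actions are returned.
def patch_gemfile(path, updates, dry_run: false)
  original = File.read(path)
  updated, actions = apply_updates(original, updates)
  return actions if dry_run || updated == original
  FileUtils.cp(path, "#{path}.bak")
  File.write(path, updated)
  actions
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    path = File.join(dir, "Gemfile")
    File.write(path, SAMPLE_GEMFILE)
    fixes = { "actionpack" => "6.1.7.8", "sidekiq" => "6.5.10" }
    p patch_gemfile(path, fixes, dry_run: true)   # plan only, Gemfile untouched
    p patch_gemfile(path, fixes)                   # writes Gemfile.bak, then Gemfile
    puts File.read(path)
  end
end
```

Re-pinning a gem that another gem constrains (for example actionpack when the `rails` entry requires an exact actionpack version) only surfaces as a resolution error when `bundle install` runs, which is why the backup is taken before the file is touched and why `diff Gemfile.bak Gemfile` is worth a look before committing.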
| Option | Description | Default |
|---|---|---|
| `--mode=patch` | Only allow patch-level updates (e.g., 1.0.0 → 1.0.1) | ✓ |
| `--mode=minor` | Allow minor version updates (e.g., 1.0.0 → 1.1.0) | |
| `--mode=all` | Allow all updates including major versions (e.g., 1.0.0 → 2.0.0) | |
| `--dry-run` | Only print what would be changed; don't touch the Gemfile or install gems | false |
| `--skip-bundle-install` | Modify the Gemfile, but skip `bundle install` | false |
- Runs `bundle audit check --format json`
- Groups advisories by gem
- Determines the best patchable version for each gem based on `--mode`
- Creates a backup of your Gemfile (`Gemfile.bak`)
- Ensures the gem is either updated or explicitly added to the `Gemfile`
- Optionally runs `bundle install` (unless `--skip-bundle-install` or `--dry-run` is used)
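The first three steps of that list (parse the audit report, group advisories by gem, choose a version within `--mode`), as an added example that is not the gem's own code. The report below is constructed; its field names (`results`, `type`, `gem`, `advisory`, `patched_versions`) follow the shape of bundler-audit's JSON report as I understand it, and the function names are this example's own. It goes one step beyond the list: when two advisories hit the same gem, the lowest fix for one advisory can leave the other open, so the chosen version must satisfy a patched range of every advisory, not just the first.

```ruby
require "json"
require "rubygems"   # Gem::Version / Gem::Requirement; loaded by default in modern Ruby

# Constructed sample report. The gems, versions and advisory ids are invented;
# only the field layout is modelled on bundler-audit's JSON output.
SAMPLE_REPORT = <<~JSON
  {
    "results": [
      {"type": "unpatched_gem",
       "gem": {"name": "actionpack", "version": "6.1.4.1"},
       "advisory": {"id": "EXAMPLE-1", "title": "XSS vulnerability",
                    "patched_versions": ["~> 6.1.7.7", ">= 7.0.4.3"]}},
      {"type": "unpatched_gem",
       "gem": {"name": "actionpack", "version": "6.1.4.1"},
       "advisory": {"id": "EXAMPLE-2", "title": "Second advisory on the same gem",
                    "patched_versions": ["~> 6.1.7.8", ">= 7.0.4.3"]}},
      {"type": "unpatched_gem",
       "gem": {"name": "sidekiq", "version": "5.2.10"},
       "advisory": {"id": "EXAMPLE-3", "title": "Denial of Service vulnerability",
                    "patched_versions": [">= 6.5.10"]}}
    ]
  }
JSON

# Advisories grouped by gem name; result types other than unpatched_gem are ignored.
def group_advisories(report_json)
  JSON.parse(report_json)["results"]
      .select { |r| r["type"] == "unpatched_gem" }
      .group_by { |r| r["gem"]["name"] }
end

# The lowest version a single requirement admits, or nil when it has no floor ("< 2.0").
def floor_of(req)
  op, version = req.requirements.first
  %w[>= ~> =].include?(op) ? version : nil
end

# Does the jump from `current` to `candidate` stay within the chosen --mode?
def allowed_by_mode?(current, candidate, mode)
  cur, cand = current.segments, candidate.segments
  case mode
  when "patch" then cur[0] == cand[0] && cur[1] == cand[1]   # same major.minor
  when "minor" then cur[0] == cand[0]                        # same major
  when "all"   then true
  else raise ArgumentError, "unknown mode: #{mode}"
  end
end

# A version fixes a gem only if it lies in a patched range of EVERY advisory for it.
def fixes_all?(version, per_advisory)
  per_advisory.all? { |ranges| ranges.any? { |req| req.satisfied_by?(version) } }
end

# Smallest version above the current one that is allowed by `mode` and closes
# all advisories for the gem, or nil if the mode admits no such version.
def best_patch(results, mode)
  current = Gem::Version.new(results.first["gem"]["version"])
  per_advisory = results.map do |r|
    r["advisory"]["patched_versions"].map { |s| Gem::Requirement.new(s) }
  end
  candidates = per_advisory.flat_map { |ranges| ranges.map { |req| floor_of(req) } }
                           .compact
                           .select { |v| v > current && allowed_by_mode?(current, v, mode) }
                           .sort.uniq
  candidates.find { |v| fixes_all?(v, per_advisory) }
end

# gem name => chosen version string (nil when the mode does not allow a fix)
def plan(report_json, mode)
  group_advisories(report_json).transform_values { |rs| best_patch(rs, mode)&.to_s }
end

if __FILE__ == $PROGRAM_NAME
  %w[patch minor all].each do |mode|
    puts "--mode=#{mode}: #{plan(SAMPLE_REPORT, mode).inspect}"
  end
end
```

Two caveats a real run has to deal with: the floor of a requirement such as `>= 7.0.4.3` is the advisory's claimed fix version, not proof that exactly that version was published, so the choice should be checked against the gem index or simply left to `bundle install` to reject; and a fix reachable only across a major boundary (the constructed sidekiq 5.x to 6.x case) comes back as nil in patch and minor modes, which is the situation the `--mode=all` troubleshooting step exists for.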
If `bundle install` fails after updating:

- Check the error message
- Revert to the backup if needed: `cp Gemfile.bak Gemfile`
- Run `bundle install` manually to see more detailed errors
If a gem can't be patched in your chosen mode:

- Try running with `--mode=all` to see all possible updates
- Check whether other entries in your Gemfile constrain the gem to a conflicting version range
- Consider manually updating the gem to a specific version
- Always review the changes made to your Gemfile (e.g. `diff Gemfile.bak Gemfile`) before committing them
- Run your test suite and exercise the application after applying updates
- Check the changelog of each updated gem for breaking changes, especially after `--mode=minor` or `--mode=all`
Bug reports and pull requests are welcome on GitHub at https://github.com/yourusername/bundle-patch.
The gem is available as open source under the terms of the MIT License.