Skip to content

vkononov/package-audit

BranchesTags

Repository files navigation

Package::Audit

Gem Version License Lint Status Test Status

A useful tool for patch management and prioritization, package-audit produces a list of dependencies that are outdated, deprecated or have security vulnerabilities.

"Buy Me A Coffee"

Supported Technologies

  • Ruby
  • Node (using Yarn)

Report Example

Example Output

Understanding the Flags Column

The Flags column shows which risk types apply to each package:

  • ⦗V··⦘ - Vulnerable (has security vulnerabilities)
  • ⦗·O·⦘ - Outdated (newer version available)
  • ⦗··D⦘ - Deprecated (no updates in 2+ years)
  • ⦗VO·⦘ - Both vulnerable and outdated
  • ⦗VOD⦘ - All three risk types apply

The footer uses the same notation (⦗V⦘ulnerable, ⦗O⦘utdated, ⦗D⦘eprecated) as a legend.

Continuous Integration

This gem provides a return code of 0 to indicate success and 1 to indicate failure. It is specifically designed for seamless integration into continuous integration pipelines.

Installation

Add this line to your application's Gemfile:

gem 'package-audit', require: false

And then execute:

bundle

Or install it yourself as:

gem install package-audit

Usage

Basic Report

Run a full audit (DIR defaults to current directory):

package-audit [DIR]

Filtering by Risk Type

Show only specific risk types:

# Show only deprecated packages
package-audit [DIR] --deprecated

# Show only vulnerable packages
package-audit [DIR] --vulnerable

# Show packages that are deprecated and/or vulnerable
package-audit [DIR] --deprecated --vulnerable

Excluding Risk Types

Exclude specific risk types from the report:

# Show everything except deprecated packages
package-audit [DIR] --skip-deprecated

# Show everything except outdated packages
package-audit [DIR] --skip-outdated

# Show only vulnerable packages (exclude deprecated and outdated)
package-audit [DIR] --skip-deprecated --skip-outdated

Important: Packages with multiple risk types are handled intelligently. For example, a package that is both outdated and vulnerable will still appear when using --skip-outdated because it has a vulnerability.

Understanding the Flags Column

The Flags column in the output shows which risk types apply to each package:

  • ⦗V··⦘ - Vulnerable (has security vulnerabilities)
  • ⦗·O·⦘ - Outdated (newer version available)
  • ⦗··D⦘ - Deprecated (no updates in 2+ years)
  • ⦗VO·⦘ - Both vulnerable and outdated
  • ⦗VOD⦘ - All three risk types apply

The footer uses the same notation ⦗V⦘ulnerable, ⦗O⦘utdated, ⦗D⦘eprecated as a legend.

Scoping Options

Filter by technology or group:

# Specific technologies
package-audit [DIR] -t node -t ruby
package-audit [DIR] --technology node --technology ruby

# Specific groups
package-audit [DIR] -g staging -g production
package-audit [DIR] --group staging --group production

Note: Package::Audit will attempt to automatically detect the technologies used by the project.

Configuration

Use a custom configuration file (see Configuration File for details):

package-audit [DIR] --config .package-audit.yml

Include packages normally ignored by configuration:

package-audit [DIR] --include-ignored

Output Formats

# CSV format
package-audit [DIR] --format csv

# Markdown format
package-audit [DIR] --format md

Other Commands

# Show how risk is calculated
package-audit risk

# Show version
package-audit version

Getting Help

package-audit help
package-audit help [COMMAND]

Configuration File

The package-audit gem automatically searches for .package-audit.yml in the current directory or in the specified DIR if available. However, you have the option to override the default configuration file location by using the --config (or -c) flag.

Below is an example of a configuration file:

technology:
  node:
    nth-check:
      version: 1.0.2
      vulnerable: false
  ruby:
    devise-async:
      version: 1.0.0
      deprecated: false
    puma:
      version: 6.3.0
      deprecated: false
    selenium-webdriver:
      version: 4.1.0
      outdated: false

This configuration file allows you to specify the following exclusions:

  • Ignore all security vulnerabilities associated with nth-check@1.0.2.
  • Suppress messages regarding potential deprecations for device-async@1.0.0 and puma@6.3.0.
  • Disable warnings about newer available versions of selenium-webdriver@4.1.0

Note: If the installed package version differs from the expected package version specified in the configuration file, the exclusion settings will not apply to that particular package.

Note: If a package is reported for multiple reasons (e.g. vulnerable and outdated), it will still be reported unless the exclusion criteria match every reason for being on the report.

By design, wildcard (*) version exclusions are not supported to prevent developers from inadvertently overlooking crucial messages when packages are updated.

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

License

The gem is available as open source under the terms of the MIT License.

About

Package audit is a patch management tool for deprecated, outdated and vulnerable dependencies.

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

1 watching

Forks

1 fork
Report repository

Releases 13

v0.8.1 Latest
Jan 3, 2026
+ 12 releases

Packages

 
 
 

Contributors

Languages