rubyPackages: Add command to audit packages (#443737)

2025-11-05 22:26:32 +00:00
parent e4f5d7336d 82c23622c7
commit 711f1d946e
3 changed files with 23 additions and 0 deletions
--- a/maintainers/scripts/audit-ruby-packages/audit-ruby-packages.bash
+++ b/maintainers/scripts/audit-ruby-packages/audit-ruby-packages.bash
@@ -0,0 +1,6 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p bundler-audit
+
+set -o errexit -o nounset -o pipefail
+
+bundle-audit check "$(nix-build --no-out-link maintainers/scripts/audit-ruby-packages/default.nix)"
--- a/maintainers/scripts/audit-ruby-packages/default.nix
+++ b/maintainers/scripts/audit-ruby-packages/default.nix
@@ -0,0 +1,15 @@
+let
+  pkgs = import ../../.. { };
+  lockFileBody = pkgs.lib.concatStringsSep "\n" (
+    pkgs.lib.mapAttrsToList (name: props: "    ${name} (${props.version})") (
+      pkgs.lib.filterAttrs (name: _props: name != "recurseForDerivations") pkgs.rubyPackages
+    )
+  );
+in
+pkgs.runCommand "bundle-audit" { } ''
+  mkdir "$out"
+  echo 'GEM' > "$out/Gemfile.lock"
+  echo '  remote: https://rubygems.org/' >> "$out/Gemfile.lock"
+  echo '  specs:' >> "$out/Gemfile.lock"
+  echo '${lockFileBody}' >> "$out/Gemfile.lock"
+''