rubysec / bundler-audit

Patch-level verification for Bundler
GNU General Public License v3.0

Filter on dependencies - exclude dev and test #389

Open so87 opened 11 months ago

so87 commented 11 months ago

Description

Other tools like npm-audit can filter on production dependencies with "--prod". This cuts down on findings in general, but allows developers to focus on the most important issues.

postmodern commented 11 months ago

Bundler does support dependency groups, however those are only used to activate specific sets of dependencies. The information isn't stored in the Gemfile.lock. We'd need to load the Gemfile, filter by dependency group, then parse the Gemfile.lock and filter the gems that belong to that group.
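The filtering described in the comment above, as an added example that is not part of the issue thread or bundler-audit's code. It assumes a small hypothetical stand-in (`GroupRecorder`) for Bundler's Gemfile DSL and a regex over the lockfile's `specs:` section instead of Bundler's own parsers, and all gem names are constructed. A gem declared only in a test group stays in scope when a production gem depends on it.

```ruby
# Constructed sample: json-tool is test-only in the Gemfile, yet api-client needs it.
GEMFILE = <<~RUBY
  source 'https://rubygems.org'
  gem 'api-client', '~> 2.1'
  group :development, :test do
    gem 'mock-server'
    gem 'json-tool'
  end
RUBY
LOCKFILE = <<~LOCK
  GEM
    specs:
      api-client (2.1.0)
        json-tool (>= 1.0)
      json-tool (1.4.2)
      mock-server (0.9.0)
LOCK
# Hypothetical stand-in for Bundler's Gemfile DSL: records the groups of each gem.
class GroupRecorder
  attr_reader :groups
  def initialize
    @groups, @current = Hash.new { |h, k| h[k] = [] }, [:default]
  end
  def source(*); end
  def gem(name, *, **opts)
    @groups[name] |= Array(opts[:group] || opts[:groups] || @current)
  end
  def group(*names)
    outer, @current = @current, names
    yield
    @current = outer
  end
end

# Returns {name => version} for gems still installed once `exclude` groups are dropped.
def gems_in_scope(gemfile, lockfile, exclude: %i[development test])
  dsl = GroupRecorder.new.tap { |d| d.instance_eval(gemfile) } # a Gemfile is Ruby code
  specs = lockfile.scan(/^ {4}(\S+) \((.+)\)\n((?: {6}.*\n)*)/).to_h do |name, version, deps|
    [name, { version: version, deps: deps.scan(/^ {6}(\S+)/).flatten }]
  end
  queue = dsl.groups.reject { |_, g| (g - exclude).empty? }.keys
  keep = {}
  while (name = queue.shift) # walk direct gems, then their locked dependencies
    next if keep.key?(name) || !specs.key?(name)
    keep[name] = specs[name][:version]
    queue.concat(specs[name][:deps])
  end
  keep
end
```

Only the name and version pairs returned by `gems_in_scope` would then be checked against the advisory database.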

so87 commented 11 months ago

@postmodern ok so I should do a build command then audit on that gemfile.lock.

Last question - do you guys support any type of audit fix command, or plan to in the future?

postmodern commented 11 months ago

> @postmodern ok so I should do a build command then audit on that gemfile.lock.

bundle-audit is designed to audit the current versions in Gemfile.lock, which represents the versions that will be installed and run in production.

> Last question - do you guys support any type of audit fix command, or plan to in the future?

That already exists in the form of bundle update. Most security advisories can be solved by simply upgrading to the latest version of the affected gem. Unless you have specifically locked down a gem's version to ~> X.Y.Z in the Gemfile (~> X.Y is a safer dependency range), it should be possible to upgrade to the latest patch-version with bundle up gem-name-here.