How to perform security updates for a Ruby application

While developing a Ruby application, we often ignore security checks and updates for our packages, code and modules.
And we don't realize how quickly time flies. A lot of new Ruby gems are released in the meantime, and our current applications are left running gem versions with known vulnerabilities and bugs.

Bundler has an easy-to-use utility for checking whether a newer version of an installed gem is available:
we just need to run bundle outdated in our application.

# list installed gems that have a newer version available
bundle outdated

# the output looks something like this
Fetching gem metadata from https://rubygems.org/..............
Fetching gem metadata from https://rubygems.org/.
Resolving dependencies...

Outdated gems included in the bundle:
  * parallel (newest 1.17.0, installed 1.14.0)
  * rack (newest 2.0.7, installed 2.0.6)
  * zeitwerk (newest 2.1.2, installed 1.4.0)

It lists, for each installed gem, whether a newer version is available. Now it's our call how soon we perform these gem updates.
I personally prefer updating gems one at a time. That's the approach recommended by experts too.
Bundler has a very helpful option for restricting the scope of a gem update:

# restrict the update to this gem and don't update
# any shared dependencies: most gems depend on
# other gems, and updating those as well
# can lead to trouble
bundle update GEM_NAME --conservative

or

bundle update --source GEM_NAME

We should upgrade our application's gems as early as possible, so we can avoid the pain of a large upgrade later on.

If you are not buying the above statements (which you should 😞), here is another reason:

gem upgrades fix security issues in the gems themselves, and those issues can make your application vulnerable to attackers.
We have the bundler-audit tool to check our gem versions against the Ruby Advisory Database, a database of known security vulnerabilities in gems.

# install bundler-audit
gem install bundler-audit

# check gem sources and versions for known
# vulnerabilities and report the insecure ones
bundle audit

# it prints "No vulnerabilities found" if nothing is found
No vulnerabilities found

The bundle audit command audits the project's Gemfile.lock. It:

i) checks for vulnerable versions of gems in Gemfile.lock
ii) checks for insecure gem sources (http://)

DevLearnings: we can set up an automated task that checks for gem updates on a regular basis (daily/weekly/monthly/quarterly...).
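To make the two checks concrete, and to show the shape of a task you could run on a schedule, here is an added Ruby example that is not part of the original post and not bundler-audit's own code. It parses a Gemfile.lock, flags sources fetched over plain http://, and compares each installed version against a list of patched ranges using Gem::Version and Gem::Requirement from the standard library. The lockfile text, the advisory entries and their IDs are constructed placeholders, not real advisories; bundler-audit itself reads the Ruby Advisory Database, which it keeps as a local copy that must be refreshed (bundle audit update, or bundle audit check --update) before the results mean anything.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement (standard library)

# Constructed sample Gemfile.lock: the versions match the post's
# `bundle outdated` listing, plus one gem served from an http:// source.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      parallel (1.14.0)
      rack (2.0.6)
      zeitwerk (1.4.0)

  GEM
    remote: http://gems.example.internal/
    specs:
      internal-tool (0.3.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    internal-tool
    parallel
    rack
    zeitwerk
LOCK

# Constructed stand-in for the Ruby Advisory Database.
# IDs and patched ranges are placeholders, not real advisories.
SAMPLE_ADVISORIES = [
  { gem: "rack",     id: "PLACEHOLDER-ADVISORY-1", patched: [">= 2.0.7"] },
  { gem: "zeitwerk", id: "PLACEHOLDER-ADVISORY-2", patched: ["~> 1.4.1", ">= 2.0.0"] },
]

# Parse the GEM sections of a lockfile into [{source:, name:, version:}, ...].
# Spec entries are indented by exactly four spaces; their dependency lines
# (six spaces) are skipped, as are PLATFORMS and DEPENDENCIES sections.
def parse_lockfile(text)
  specs = []
  source = nil
  in_specs = false
  text.each_line do |raw|
    line = raw.rstrip
    if line == "GEM"
      source = nil
      in_specs = false
    elsif (m = line.match(/\A  remote: (\S+)\z/))
      source = m[1]
    elsif line == "  specs:"
      in_specs = true
    elsif line.empty? || line !~ /\A /
      in_specs = false # blank line or a new top-level section
    elsif in_specs && (m = line.match(/\A    (\S+) \(([^)]+)\)\z/))
      specs << { source: source, name: m[1], version: m[2] }
    end
  end
  specs
end

# Check ii: sources that are not fetched over TLS.
def insecure_sources(specs)
  specs.map { |s| s[:source] }.compact.uniq.select { |src| src.start_with?("http://") }
end

# Check i: installed versions that satisfy none of an advisory's patched ranges.
def vulnerable_gems(specs, advisories)
  specs.flat_map do |spec|
    version = Gem::Version.new(spec[:version])
    advisories
      .select { |adv| adv[:gem] == spec[:name] }
      .reject { |adv| adv[:patched].any? { |req| Gem::Requirement.new(req).satisfied_by?(version) } }
      .map { |adv| { name: spec[:name], version: spec[:version], advisory: adv[:id], patched: adv[:patched] } }
  end
end

# Run both checks; the :status value is what a scheduled or CI job would exit with.
def audit(lockfile_text, advisories)
  specs = parse_lockfile(lockfile_text)
  sources = insecure_sources(specs)
  vulnerable = vulnerable_gems(specs, advisories)
  status = sources.empty? && vulnerable.empty? ? 0 : 1
  { insecure_sources: sources, vulnerable: vulnerable, status: status }
end

if __FILE__ == $PROGRAM_NAME
  report = audit(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES)
  report[:insecure_sources].each { |src| puts "Insecure gem source: #{src}" }
  report[:vulnerable].each do |v|
    puts "#{v[:name]} #{v[:version]}: #{v[:advisory]}, fixed in #{v[:patched].join(' or ')}"
  end
  puts "No vulnerabilities found" if report[:status].zero?
end
```

For a real scheduled job you would read File.read("Gemfile.lock") instead of the sample text, load the actual advisory data, and call exit(report[:status]) so the job fails loudly when something is found.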