Ruby — Bundler
Bundler / RubyGems (Gemfile.lock)
# Gemfile
gem "rails", "~> 7.1.0"
gem "nokogiri", ">= 1.16.5" # explicit pin to coerce transitive
bundle update nokogiri
bundle install --frozen
Bundler doesn’t expose a separate transitive-coercion mechanism — to coerce a transitive, declare it explicitly in the Gemfile. The BUNDLED WITH line at the bottom of Gemfile.lock pins the Bundler version; mismatches across the team cause subtle resolution drift.
Gotcha: bundle update without args re-resolves everything; always pass the gem name.
Developer gotchas — written for people who live in the code
requireandGemnamespacing are loose.gem "nokogiri"lets yourequire "nokogiri"; nothing preventsrequire "nokogiri/xml"from triggering autoloads of vulnerable submodules. Reachability requires reading thelib/tree of the gem, not just yourGemfile.- Native extensions are compiled on install. A CVE in
libxml2linked into thenokogirigem isn’t inGemfile.lock. Scanners that readGemfile.lockmiss it; image scanners (Grype) catch it. Always pair Bundler scans with a container scan if you care about C dep CVEs. bundle install --deploymentvsbundle install. Deployment mode installs gems intovendor/bundle/and refuses to update the lockfile. CI should use--deployment; dev iteration uses regularbundle install. CVE counts can differ if dev installs newer versions outside the lockfile.Gemfile.lockgroup sections.group :development, :test do ... end— gems in those groups don’t ship to prod unlessBUNDLE_WITHOUTis unset. CVE inpryis dev-only; runtime not-affected.Bundler.require(:default)in yourGemfile.rbboot sequence excludes test/dev groups.- Rails autoloading (Zeitwerk) makes reachability fuzzy. Code in
app/services/is only loaded when referenced. A CVE in a gem that’s only used by one rarely-invoked controller may be loaded lazily — runtime reachability depends on traffic patterns. Gemfile.lockBUNDLED WITHmismatch causes silent re-resolution. If your CI installs Bundler 2.5.x and the lock says 2.4.x, Bundler re-resolves. Resolved versions may drift. Pin Bundler in CI.
Reachability
bundle vizproduces a Graphviz of the gem graph.bundle show --pathslists every gem’s source location.- For call analysis:
ruby-static-analyzer, or runtime tracing withTracePoint. - Runtime: SimpleCov.