bundler-stats

  • 2.4.0
  • Rubygems

Bundler Stats

You remember that time someone yanked their library and the entire Node universe fell apart? Yeah, me too. And all the thinkpieces that came out just afterward were right: you should be careful about what dependencies you include in your project.

This project gives you some tools you can use with an existing Gemfile to determine which gems are including long trees of their own dependencies, and which you can potentially remove.

This is an exploratory tool, and I'd be interested to hear what other criteria would be useful in determining what tools to remove.

Installation

You don't need to include bundler-stats in your Gemfile; just run gem install bundler-stats. If you want to build automation around it, add it to your Gemfile instead.

Usage

> bundle-stats help
  Commands:
    bundle-stats help [COMMAND]   # Describe available commands or one specific command
    bundle-stats show TARGET      # Prints the dependency tree for a single gem in your Gemfile
    bundle-stats stats            # Displays basic stats about the gems in your Gemfile
    bundle-stats version          # Prints the bundler-stats version
    bundle-stats versions TARGET  # Shows versions requirements for target in other dependencies

Auditing Your Gemfile

The most obvious thing to do is run the command by itself, which should help identify problem areas.

> bundle-stats

+----------------------------|------------|----------------+
|                       Name | Total Deps | 1st Level Deps |
+----------------------------|------------|----------------+
|                rails_admin | 60         | 12             |
|                      rails | 40         | 12             |
|              compass-rails | 35         | 3              |
|                 haml-rails | 29         | 5              |
|                rspec-rails | 27         | 7              |
|                 sass-rails | 26         | 5              |
|                     devise | 26         | 5              |
|                     scenic | 25         | 2              |
|               coffee-rails | 25         | 2              |
|              guard-rubocop | 24         | 2              |
|                 versionist | 23         | 3              |
|          factory_bot_rails | 23         | 2              |
| ... omitted stuff here ...                               |
+----------------------------|------------|----------------+

      Declared Gems   56
         Total Gems   170
  Unpinned Versions   54
        Github Refs   0

It looks like rails_admin is a huge problem. Use show to investigate.

> bundle-stats show rails_admin
bundle-stats for rails_admin

+--------------------------------|----------------------------------------+
|           Depended Upon By (0) |                                        |
|                Depends On (60) | builder, coffee-rails                  |
|                                | font-awesome-rails, haml, jquery-rails |
|                                | jquery-ui-rails, kaminari, nested_form |
|                                | rack-pjax, rails, remotipart           |
|                                | sass-rails, coffee-script, railties    |
|                                | coffee-script-source, execjs           |
|                                | actionpack, activesupport              |
|                                | method_source, rake, thor, actionview  |
|                                | rack, rack-test, rails-dom-testing     |
|                                | rails-html-sanitizer, erubi            |
|                                | concurrent-ruby, i18n, minitest        |
|                                | tzinfo, thread_safe, nokogiri          |
|                                | mini_portile2, loofah, crass, temple   |
|                                | tilt, kaminari-actionview              |
|                                | kaminari-activerecord, kaminari-core   |
|                                | activerecord, activemodel, arel        |
|                                | actioncable, actionmailer, activejob   |
|                                | activestorage, bundler                 |
|                                | sprockets-rails, nio4r                 |
|                                | websocket-driver, websocket-extensions |
|                                | mail, globalid, mini_mime, marcel      |
|                                | mimemagic, sprockets, sass             |
|             Unique to This (9) | font-awesome-rails, kaminari           |
|                                | nested_form, rack-pjax, remotipart     |
|                                | kaminari-actionview                    |
|                                | kaminari-activerecord, kaminari-core   |
|                                | bundler                                |
+--------------------------------|----------------------------------------+

Skipping Common Dependencies

Let's take a look at another gem that is common in Rails codebases. In this case it has a few unique dependencies, but also many dependencies on rails and on its constituent gems.

> bundle-stats show compass-rails
bundle-stats for compass-rails

+--------------------------------|----------------------------------------+
|           Depended Upon By (0) |                                        |
|                Depends On (35) | compass, sass-rails, sprockets         |
|                                | chunky_png, compass-core               |
|                                | compass-import-once, rb-fsevent        |
|                                | rb-inotify, sass, multi_json, ffi      |
|                                | railties, sprockets-rails, tilt        |
|                                | actionpack, activesupport, method_source |
|                                | rake, thor, actionview, rack, rack-test |
|                                | rails-dom-testing, rails-html-sanitizer |
|                                | builder, erubi, concurrent-ruby, i18n  |
|                                | minitest, tzinfo, thread_safe, nokogiri |
|                                | mini_portile2, loofah, crass           |
|             Unique to This (3) | compass, compass-core                  |
|                                | compass-import-once                    |
+--------------------------------|----------------------------------------+

We're not looking to remove rails, so there's little point in listing it in this output. Instead, we can pass the --nofollow flag to skip it in every output list.

> bundle-stats show compass-rails --nofollow="railties,activeupport,actionview,actionpack"
bundle-stats for compass-rails

+--------------------------------|----------------------------------------+
|           Depended Upon By (0) |                                        |
|                Depends On (20) | compass, sass-rails, sprockets         |
|                                | chunky_png, compass-core               |
|                                | compass-import-once, rb-fsevent        |
|                                | rb-inotify, sass, multi_json, ffi      |
|                                | sprockets-rails, tilt, concurrent-ruby |
|                                | rack, activesupport, i18n, minitest    |
|                                | tzinfo, thread_safe                    |
|             Unique to This (3) | compass, compass-core                  |
|                                | compass-import-once                    |
+--------------------------------|----------------------------------------+

This is better, but in other codebases it's common for gems to depend on each of the many child gems of rails individually. Rather than naming each one, we can use wildcards to remove them in bulk.

> bundle-stats show compass-rails --nofollow="rail*,action*,active*"
bundle-stats for compass-rails

+--------------------------------|----------------------------------------+
|           Depended Upon By (0) |                                        |
|                Depends On (15) | compass, sass-rails, sprockets         |
|                                | chunky_png, compass-core               |
|                                | compass-import-once, rb-fsevent        |
|                                | rb-inotify, sass, multi_json, ffi      |
|                                | sprockets-rails, tilt, concurrent-ruby |
|                                | rack                                   |
|             Unique to This (3) | compass, compass-core                  |
|                                | compass-import-once                    |
+--------------------------------|----------------------------------------+
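The stats and show --nofollow outputs above boil down to a transitive walk of Gemfile.lock. The Ruby script below is added here as an illustration and is not bundler-stats' own code: it parses a constructed lockfile fragment and reproduces the first-level/total counts together with the glob-style --nofollow pruning (the gem names and versions in the fragment are made up).

```ruby
# Constructed Gemfile.lock fragment (not a real project's): web -> core, rack; core -> util.
LOCKFILE = <<~LOCK
  GEM
    specs:
      web (2.0.0)
        core (>= 1.0)
        rack (~> 2.0)
      core (1.5.0)
        util (>= 0)
      util (0.3.0)
      rack (2.2.8)

  PLATFORMS
    ruby
LOCK

# Parse "specs:" into { gem => [direct deps] }: spec lines are indented 4 spaces,
# their dependencies 6; the next unindented heading (PLATFORMS) ends the section.
def parse_specs(lockfile)
  graph, current, in_specs = {}, nil, false
  lockfile.each_line do |line|
    in_specs = true if line =~ /\A\s*specs:\s*\z/
    in_specs = false if line =~ /\A\S/
    next unless in_specs
    case line
    when /\A    (\S+) \(/ then current = $1; graph[current] = []
    when /\A      (\S+)/ then graph[current] << $1
    end
  end
  graph
end

# Turn a --nofollow list ("rail*,action*") into a glob matcher.
def nofollow_matcher(patterns)
  globs = patterns.to_s.split(",").map(&:strip).reject(&:empty?)
  ->(name) { globs.any? { |g| File.fnmatch?(g, name) } }
end

# First-level and total (transitive) counts; a skipped gem is dropped together
# with everything reachable only through it, as the --nofollow output shows.
def dependency_stats(graph, target, nofollow: "")
  skip = nofollow_matcher(nofollow)
  first_level = graph.fetch(target, []).reject(&skip)
  seen, queue = {}, first_level.dup
  until queue.empty?
    name = queue.shift
    next if seen[name]
    seen[name] = true
    queue.concat(graph.fetch(name, []).reject(&skip))
  end
  { first_level: first_level.size, total: seen.size, deps: seen.keys.sort }
end
```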

Showing Required Versions

Sometimes you try to upgrade a gem, you ask bundler very nicely, but you find that the version hasn't changed. When that happens, sometimes it's not clear why the gem version isn't changing.

In that case, use versions to list every version requirement that other gems place on it.

> bundle-stats versions actionpack
version dependencies for actionpack

Depended Upon By   24
Resolved Version   5.2.0

+----------------------------|------------------+
|                       Name | Required Version |
+----------------------------|------------------+
|                  webpacker | = 5.2.0          |
|               actionmailer | = 5.2.0          |
|              activestorage | = 5.2.0          |
|               coffee-rails | = 5.2.0          |
|              compass-rails | = 5.2.0          |
|                     devise | = 5.2.0          |
|          factory_bot_rails | = 5.2.0          |
|         font-awesome-rails | = 5.2.0          |
|                rails_admin | = 5.2.0          |
|                   railties | = 5.2.0          |
|                 sass-rails | = 5.2.0          |
|                     scenic | = 5.2.0          |
|                 versionist | = 5.2.0          |
|                actioncable | = 5.2.0          |
|               jquery-rails | = 5.2.0          |
|            jquery-ui-rails | = 5.2.0          |
| jquery_file_download-rails | = 5.2.0          |
|                      rails | = 5.2.0          |
|                rspec-rails | >= 3.0           |
|            sprockets-rails | >= 4.0           |
|                 haml-rails | >= 4.0.1         |
|                 responders | >= 4.2.0, < 5.3  |
|                simple_form | >= 5.0           |
|   rails-controller-testing | ~> 5.x, >= 5.0.1 |
+----------------------------|------------------+

Output Formats

To consume the output from a build job or similar, all commands can emit JSON with -f json.

> bundle-stats show sass-rails --nofollow="railties,activesupport,actionpack" -f json
{
  "name": "sass-rails",
  "total_dependencies": 9,
  "first_level_dependencies": 5,
  "top_level_dependencies": {
    "compass-rails": "compass-rails (3.1.0)",
    "rails_admin": "rails_admin (1.3.0)"
  },
  "transitive_dependencies": [
    "railties (< 6, >= 4.0.0)",
    "sass (~> 3.1)",
    "sprockets (< 4.0, >= 2.8)",
    "sprockets-rails (< 4.0, >= 2.0)",
    "tilt (< 3, >= 1.1)",
    "concurrent-ruby (~> 1.0)",
    "rack (< 3, > 1)",
    "actionpack (>= 4.0)",
    "activesupport (>= 4.0)"
  ],
  "potential_removals": [

  ]
}
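One way to consume that JSON from a build job, as an added example rather than code from the project: the script below (constructed report taken from the sass-rails output above, policy thresholds assumed) flags gems that pull in more than a chosen number of transitive gems, and transitive requirements with no upper version bound, which a routine bundle update could silently bump to a new major release.

```ruby
require "json"

# Constructed sample in the shape of `bundle-stats show ... -f json`,
# with the values from the sass-rails example above.
REPORT = <<~JSON
  {
    "name": "sass-rails",
    "total_dependencies": 9,
    "first_level_dependencies": 5,
    "transitive_dependencies": [
      "railties (< 6, >= 4.0.0)", "sass (~> 3.1)",
      "sprockets (< 4.0, >= 2.8)", "sprockets-rails (< 4.0, >= 2.0)",
      "tilt (< 3, >= 1.1)", "concurrent-ruby (~> 1.0)", "rack (< 3, > 1)",
      "actionpack (>= 4.0)", "activesupport (>= 4.0)"
    ],
    "potential_removals": []
  }
JSON

# Split "name (req1, req2)" into the gem name and a Gem::Requirement.
def parse_dependency(entry)
  name, reqs = entry.match(/\A(\S+) \((.*)\)\z/).captures
  [name, Gem::Requirement.new(reqs.split(", "))]
end

# A requirement is open-ended when no operator caps the version from above.
def unbounded?(requirement)
  requirement.requirements.none? { |op, _| %w[< <= ~> =].include?(op) }
end

# Check one report against an assumed policy; returns the list of findings
# (empty when the gem passes), which a build job can turn into a failure.
def audit(report_json, max_total:)
  report = JSON.parse(report_json)
  findings = []
  total = report["total_dependencies"]
  findings << "#{report['name']}: #{total} transitive gems (limit #{max_total})" if total > max_total
  report["transitive_dependencies"].each do |entry|
    name, req = parse_dependency(entry)
    findings << "#{name}: no upper version bound (#{req})" if unbounded?(req)
  end
  findings
end
```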

Custom Gemfile path

By default this gem looks for the Gemfile and Gemfile.lock in the current directory and its parents. To point it at a particular Gemfile/gems.rb file, use the --gemfile_path option.

> bundle-stats show sass-rails --gemfile_path=/Users/user/project/Gemfile

Keep in mind that the location of the Gemfile.lock/gems.locked file will be inferred from the location of the Gemfile/gems.rb file.

Contributing

Contributions are very welcome. Fork, fix, submit pulls.

Contribution is expected to conform to the Contributor Covenant.

Credits

Thanks to the many kind people at RailsCamp East 2016 for the help, the ideas, and the support.

Also, many other folks for their feature / fix contributions. ❤️

License

This software is released under the MIT License.

Package last updated on 01 Jul 2023
