{"id":"doc_l3Q5HO2cUOzGNK0XsQmkiT09vVYo","version":1,"filename":"gem-audit.md","description":"The Gemfile contains 87 direct dependencies. Bundler resolves these to 847 total gems. Of these:. Do not attempt to preserve the existing gem ecosystem. ...","title":"Gem Dependency Audit","content":"# Gem Dependency Audit\n\n## Summary\n\nThe Gemfile contains 87 direct dependencies. Bundler resolves these to 847 total gems. Of these:\n\n- 211 gems no longer exist on RubyGems\n- 134 gems have not been updated since 2015\n- 43 gems have known security vulnerabilities\n- 12 gems are forks of forks of gems that were abandoned\n- 1 gem (`tomltech-utils`) appears to be a gem Gary published. It has 3 downloads, all from this server.\n\n## Critical Issues\n\n| Gem | Version | Issue |\n|-----|---------|-------|\n| rails | 3.2.22 | 8 major versions behind. 247 known CVEs. |\n| devise | 2.2.8 | Authentication. Cannot upgrade without Rails upgrade. |\n| paperclip | 4.1.1 | File uploads. Gem officially abandoned. Use Active Storage. |\n| will_paginate | 3.0.5 | Pagination. Actually this one is fine. It never changes. It will never change. It is eternal. |\n| therubyracer | 0.12.3 | Embeds V8 in Ruby. Nobody remembers why. Causes segfaults on M1 Macs. |\n| coffee-rails | 4.0.1 | CoffeeScript compilation. The CoffeeScript website now redirects to the TypeScript website. |\n| jquery-rails | 3.1.2 | jQuery. The app has 47 `$('.class').click()` handlers in a single file. |\n| protected_attributes | 1.1.4 | Mass assignment protection. The Rails 3 way. Incompatible with Rails 4+. |\n| dynamic_form | 1.1.4 | Form error display. Last commit: 2013. |\n| tomltech-utils | 0.0.1 | Gary's gem. Contains one method: `String#to_boolean`. It converts \"true\" to true and everything else to false. Including \"yes\", \"1\", and \"TRUE\". |\n\n## Gems That Can Be Replaced\n\n| Old Gem | Replacement | Notes |\n|---------|------------|-------|\n| paperclip | Active Storage | Built into Rails 5.2+ |\n| coffee-rails | esbuild | Or just write JavaScript. It's fine now. |\n| therubyracer | Node.js | Or remove entirely if we stop using CoffeeScript |\n| protected_attributes | Strong Parameters | Built into Rails 4+ |\n| tomltech-utils | inline code | It's one method. We can just write it. |\n\n## Gems That Cannot Be Replaced\n\n| Gem | Reason |\n|-----|--------|\n| mystery_connector | Connects to the unknown SMTP server. No documentation. No source code. The gem was published by an account called \"gary_temp\" that no longer exists. |\n| legacy_bridge | Appears to transform data between two formats. Both formats are undocumented. Removing it causes the `MysteryWorker` to crash. |\n\n## Recommendation\n\nDo not attempt to preserve the existing gem ecosystem. Start fresh with Rails 7 defaults and add dependencies as needed. Accept that `mystery_connector` and `legacy_bridge` will require reverse engineering.\n\nBudget 2 days for reverse engineering. Budget 2 more days for when that estimate turns out to be wrong.\n","url":"/tomltech/rails-3-upgrade/gem-audit.md.json","account":{"id":"acct_Xt3PcFnov6BzMDisOIF8U7jQL7ue","name":"TomlTech Consulting Group","url":"/tomltech.json","slug":"tomltech"},"tags":[],"urls":{"diff":"/api/tomltech/rails-3-upgrade/gem-audit.md/diff","versions":"/api/tomltech/rails-3-upgrade/gem-audit.md/versions"},"project":{"id":"proj_VpGMc8mp4jpXrxzcJUvpyXB9gGiQ","name":"Rails 3 Upgrade","url":"/tomltech/rails-3-upgrade.json","slug":"rails-3-upgrade"},"version_count":1,"locked_at":null,"locked_by":null,"uploaded_by":{"id":"user_hQp38LQMwmY6pwukXbVDUbc9ePHp","username":"tom_tomltech","display_name":"Tom Vance"},"uploaded_at":"2026-02-24T00:00:00Z"}