Gem Dependency Audit v1
Summary
The Gemfile contains 87 direct dependencies. Bundler resolves these to 847 total gems. Of these:
- 211 gems no longer exist on RubyGems
- 134 gems have not been updated since 2015
- 43 gems have known security vulnerabilities
- 12 gems are forks of forks of gems that were abandoned
- 1 gem (tomltech-utils) appears to be a gem Gary published. It has 3 downloads, all from this server.
Critical Issues
| Gem | Version | Issue |
|---|---|---|
| rails | 3.2.22 | 8 major versions behind. 247 known CVEs. |
| devise | 2.2.8 | Authentication. Cannot upgrade without Rails upgrade. |
| paperclip | 4.1.1 | File uploads. Gem officially abandoned. Use Active Storage. |
| will_paginate | 3.0.5 | Pagination. Actually this one is fine. It never changes. It will never change. It is eternal. |
| therubyracer | 0.12.3 | Embeds V8 in Ruby. Nobody remembers why. Causes segfaults on M1 Macs. |
| coffee-rails | 4.0.1 | CoffeeScript compilation. The CoffeeScript website now redirects to the TypeScript website. |
| jquery-rails | 3.1.2 | jQuery. The app has 47 $('.class').click() handlers in a single file. |
| protected_attributes | 1.1.4 | Mass assignment protection. The Rails 3 way. Incompatible with Rails 4+. |
| dynamic_form | 1.1.4 | Form error display. Last commit: 2013. |
| tomltech-utils | 0.0.1 | Gary's gem. Contains one method: String#to_boolean. It converts "true" to true and everything else to false. Including "yes", "1", and "TRUE". |
Gems That Can Be Replaced
| Old Gem | Replacement | Notes |
|---|---|---|
| paperclip | Active Storage | Built into Rails 5.2+ |
| coffee-rails | esbuild | Or just write JavaScript. It's fine now. |
| therubyracer | Node.js | Or remove entirely if we stop using CoffeeScript |
| protected_attributes | Strong Parameters | Built into Rails 4+ |
| tomltech-utils | inline code | It's one method. We can just write it. |
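The String#to_boolean behaviour described under Critical Issues, reconstructed from that description (not the gem's actual source), beside the inline replacement the table above proposes. This is an added example, not code from the audit; it goes slightly beyond the one-method replacement by accepting the usual truthy/falsy spellings and raising on anything else, so a misspelled flag cannot silently evaluate to false.

```ruby
# Constructed reconstruction of the gem's method as the audit describes it:
# only the exact string "true" is truthy, so "TRUE", "yes" and "1" become false.
module LegacyToBoolean
  def legacy_to_boolean
    self == "true"
  end
end

# Inline replacement: case-insensitive, whitespace-tolerant, and explicit
# about unrecognised input instead of quietly returning false.
module StrictToBoolean
  TRUTHY = %w[true t yes y on 1].freeze
  FALSY  = %w[false f no n off 0].freeze

  # Returns true/false, or raises ArgumentError for input that is neither,
  # so a misconfigured setting fails loudly rather than disabling a feature.
  def to_boolean
    normalized = strip.downcase
    return true  if TRUTHY.include?(normalized)
    return false if FALSY.include?(normalized)
    raise ArgumentError, "cannot interpret #{inspect} as a boolean"
  end

  # Lenient variant for callers that want a default instead of an exception.
  def to_boolean_or(default)
    to_boolean
  rescue ArgumentError
    default
  end
end

String.include(LegacyToBoolean)
String.include(StrictToBoolean)

# Runs both versions over a list of strings and returns
# [value, legacy result, replacement result] triples for comparison.
def compare_to_boolean(values)
  values.map { |v| [v, v.legacy_to_boolean, v.to_boolean_or(:unknown)] }
end

if $PROGRAM_NAME == __FILE__
  compare_to_boolean(%w[true yes 1 TRUE no maybe]).each do |v, old, new|
    puts format("%-8s legacy=%-5s replacement=%s", v.inspect, old, new)
  end
end
```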
Gems That Cannot Be Replaced
| Gem | Reason |
|---|---|
| mystery_connector | Connects to the unknown SMTP server. No documentation. No source code. The gem was published by an account called "gary_temp" that no longer exists. |
| legacy_bridge | Appears to transform data between two formats. Both formats are undocumented. Removing it causes the MysteryWorker to crash. |
Recommendation
Do not attempt to preserve the existing gem ecosystem. Start fresh with Rails 7 defaults and add dependencies as needed. Accept that mystery_connector and legacy_bridge will require reverse engineering.
Budget 2 days for reverse engineering. Budget 2 more days for when that estimate turns out to be wrong.