Security vulnerabilities are found every day in all kinds of software, and your Ruby on Rails project's dependencies are no different. Here's how to check which gems in your Gemfile.lock file have known security vulnerabilities.
Even if you haven't touched the code recently, you should still check periodically whether any of the gems you're using have been found to have security vulnerabilities.
You can check your Gemfile.lock file against the Ruby Advisory Database, a community effort to compile all security advisories that are relevant to Ruby libraries, with the bundler-audit gem.
First, install it:
gem install bundler-audit
And then run it from your project directory (where the Gemfile.lock is located):
bundle-audit
You'll get output similar to this, telling you which of the gems in your Gemfile.lock have known security vulnerabilities and whether there's a newer, more secure version:
Name: nokogiri
Version: 1.7.0.1
Advisory: CVE-2016-4658
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to >= 1.7.1
Name: nokogiri
Version: 1.7.0.1
Advisory: CVE-2017-5029
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2
Vulnerabilities found!
To avoid having to do this manually every time (and forgetting about it), you could set it up as a step/task in your CI environment: bundle-audit exits with a non-zero status when it finds anything, so the build fails. Keep the local copy of the advisory database current (bundle-audit update), otherwise a clean run only means nothing was known at the time you last fetched it.
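To show what bundle-audit does under the hood, here is an added example (not bundler-audit's own code) that parses a constructed Gemfile.lock excerpt and matches each locked version against constructed advisory records shaped like Ruby Advisory Database entries, using rubygems' Gem::Requirement for the version ranges. The lockfile contents, the advisory hashes and the function names are assumptions; the CVE ids and fixed versions are the ones from the output above.

```ruby
require "rubygems"
# Constructed Gemfile.lock excerpt (not a real project's lockfile).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.1.0)
      nokogiri (1.7.0.1)
        mini_portile2 (~> 2.1.0)
LOCK

# Constructed advisories in the Ruby Advisory Database's shape (gem, CVE id, patched ranges),
# reusing the CVE ids and fixed versions from the bundle-audit output above.
SAMPLE_ADVISORIES = [
  { gem: "nokogiri", cve: "CVE-2016-4658", patched_versions: [">= 1.7.1"] },
  { gem: "nokogiri", cve: "CVE-2017-5029", patched_versions: [">= 1.7.2"] },
]

# { gem_name => Gem::Version } for each resolved gem (4-space indent) in the specs: section;
# 6-space dependency lines are skipped and a platform suffix such as -x86_64-linux is dropped.
def parse_lock_specs(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /^  specs:\s*$/
      in_specs = true
    elsif in_specs && (line.strip.empty? || line =~ /^\S/)
      in_specs = false
    elsif in_specs && line =~ /^    (\S+) \(([^)]+)\)\s*$/
      specs[$1] = Gem::Version.new($2.split("-").first)
    end
  end
  specs
end

# Vulnerable unless the locked version is inside an unaffected range or a patched range.
def vulnerable?(version, advisory)
  unaffected = Array(advisory[:unaffected_versions]).map { |r| Gem::Requirement.new(r) }
  patched = advisory[:patched_versions].map { |r| Gem::Requirement.new(r) }
  return false if unaffected.any? { |req| req.satisfied_by?(version) }
  patched.none? { |req| req.satisfied_by?(version) }
end

# Cross-references lockfile and advisories; each hit carries the fields of one bundle-audit entry.
def audit(lock_text, advisories)
  specs = parse_lock_specs(lock_text)
  advisories.select { |adv| specs[adv[:gem]] && vulnerable?(specs[adv[:gem]], adv) }
            .map { |adv| { gem: adv[:gem], version: specs[adv[:gem]].to_s, cve: adv[:cve],
                           solution: "upgrade to #{adv[:patched_versions].join(', ')}" } }
end
```

Bumping the locked nokogiri to 1.7.1 clears the first advisory but not the second, which is why the real tool reports both with their own "upgrade to" line.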