Tired of spending hours looking for what has changed in your dependencies?
Save yourself the time: Gemnasium brings you 1-click changelogs!
For each of your project’s dependencies you can now quickly check what has changed. Just click on the Changelog viewer icon and start reading!

Gemnasium will automatically aggregate changelog data and scope it to what matters to you: the changes between your current version and the latest stable!

No changelog? We can still help you.
When a package's changelog is not available, Gemnasium still tries to make things easier for you: it falls back to a cleanly displayed list of commit messages.

At any time you can click on a commit in the list to see it on GitHub. You can also open the full compare view by following the link provided in the header.
Pricing?
Our Changelog viewer is included in all paid plans at no extra cost and is available to free users during their 30-day trial period.
Existing free users will also be able to try it until June 15th. Enjoy!
We hope you’ll appreciate it and your feedback is welcome!
Cheers, Gemnasium Team
We’ve released a bunch of small fixes and improvements to make Gemnasium better! Let’s review them.
Manual monitoring
You can now choose exactly which projects you want to monitor and which ones you don’t care about.
Gemnasium will still try to automatically add/remove projects when syncing with GitHub, but as soon as you manually start or stop monitoring a project, it won’t override your choice anymore.
So you can now freely choose which projects you want to track, and drop the others.
To make this clearer, we’ve also cleaned up the profile view: you’ll now only see the monitored projects there. This drastically improves the signal-to-noise ratio so that you can focus on what matters to you.
You can find all of your profile’s projects on the Projects management page in your settings. There you’ll be able to start/stop monitoring and edit project settings to fine-tune them.

Offline projects
First introduced with our Gemnasium gem, offline projects can now be managed entirely on Gemnasium.
You can create projects from your profile settings and upload dependency files directly from the UI.

New platinum plan!
As requested by users who have a lot of private repositories, here comes the Platinum plan. It lets you track up to 125 private projects for $100/month!
Improved settings
We’ve changed the settings a bit to make account management easier.
The Settings home now displays the list of your Gemnasium profiles. Here you can manage them and add new ones.
The GitHub Permissions feature has been improved to give you more granularity, and it now tells you how each permission affects your Gemnasium account.

Thanks for your support and your feedback, which help us improve Gemnasium!
Cheers, Gemnasium Team
Rails 3.2.13 was released just a week ago. Since it fixes four security vulnerabilities (CVE-2013-1854 in Active Record, CVE-2013-1855 in Action Pack, CVE-2013-1856 in Active Support and CVE-2013-1857 in Action Pack), you may want to upgrade as soon as possible.
Yet performance regressions and major bugs have been discovered in this new version of Rails.
What are the risks?
Upgrading your application to Rails 3.2.13 may trigger the following bugs and performance issues:
- action_missing will be broken
- ActiveRecord chained scopes will cause bugs such as the one GitHub experienced recently
- Asset and view loading times will drastically increase
How to remain safe without upgrading to 3.2.13?
We recommend not upgrading to Rails 3.2.13 and waiting for 3.2.14 to be released. But how can you do that, knowing that the four vulnerabilities still exist?
Well, that’s simple: first, you may not be affected by all of these issues, and second, monkey patches have been released to help you keep your application secure without upgrading. Note that these patches only cover the four CVEs listed above; they are not a substitute for the full release.
So keep calm, create a temporary hotfix branch until 3.2.14 is out and apply only the patches you need. Remove them again once you upgrade, so that they don’t shadow the fixed code shipped with Rails.
Fixing Symbol DoS vulnerability in Active Record (CVE-2013-1854)
Your application does not use params as a find value in a query? You’re safe!
Impacted code looks like User.where(:name => params[:name]). To fix this issue, call to_s on the params values used as find values, so that Active Record never receives a Hash or an arbitrary object from the request.
Basically, you’ll need to change code that looks like
User.where(:name => params[:name])
to:
User.where(:name => params[:name].to_s)
Fixing XSS vulnerability in sanitize_css in Action Pack (CVE-2013-1855)
You don’t pass user input to the sanitize_css method? You’re safe!
Impacted code looks like sanitize_css(user_input). The following patch, a monkey patch of HTML::WhiteListSanitizer to be placed in a file in your config/initializers folder, fixes the issue:
module HTML
  class WhiteListSanitizer
    # Sanitizes a block of CSS code. Used by #sanitize when it comes across a style attribute.
    def sanitize_css(style)
      # disallow urls
      style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')

      # gauntlet: reject the whole declaration unless it consists only of safe
      # characters and well-formed "property: value;" pairs
      if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
         style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
        return ''
      end

      clean = []
      style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop, val|
        if allowed_css_properties.include?(prop.downcase)
          clean << prop + ': ' + val + ';'
        elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
          # shorthand properties are kept only if every keyword is either
          # whitelisted or a plain colour/length literal
          unless val.split().any? do |keyword|
            !allowed_css_keywords.include?(keyword) &&
              keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
          end
            clean << prop + ': ' + val + ';'
          end
        end
      end
      clean.join(' ')
    end
  end
end
Fixing the XML parsing vulnerability affecting JRuby users (CVE-2013-1856)
Your application does not run on JRuby, or your JRuby application does not use the JDOM backend? You’re safe!
To fix this issue, place this code in an application initializer:
ActiveSupport::XmlMini.backend="REXML"
Fixing XSS Vulnerability in the sanitize helper (CVE-2013-1857)
Your app doesn’t pass user input to the sanitize helper? You’re safe!
To fix this issue, place the following code in a file in your config/initializers folder:
module HTML
  class WhiteListSanitizer
    # A literal colon or one of its entity-/percent-encoded spellings, matched
    # case-insensitively (the /i flag) so that variants such as &#X3A or %3a
    # are recognised as a scheme separator too.
    self.protocol_separator = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i

    def contains_bad_protocols?(attr_name, value)
      uri_attributes.include?(attr_name) &&
        (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i &&
         !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
    end
  end
end
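To see what the patched check above actually decides, here is a stand-alone reimplementation of contains_bad_protocols? with the same two regular expressions, run against a handful of constructed href values. This is an added example, not Gemnasium’s or Rails’ code: the allowed-protocol list and the URI-attribute list are assumptions (a trimmed subset of the sanitizer’s defaults), and the sample values are made up for the demonstration.

```ruby
# Added example (not Gemnasium's or Rails' code): exercise the patched
# contains_bad_protocols? logic outside a Rails app.

# Assumption: a subset of the sanitizer's default allowed protocols / URI attributes.
ALLOWED_PROTOCOLS = %w[http https ftp mailto].freeze
URI_ATTRIBUTES    = %w[href src cite action].freeze

# Same separator as the patch: a literal colon or an entity-/percent-encoded
# spelling of it. The /i flag is what makes "&#X3A" or "%3a" match as well.
PROTOCOL_SEPARATOR = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i

def contains_bad_protocols?(attr_name, value)
  # Only attributes that carry a URI are checked.
  return false unless URI_ATTRIBUTES.include?(attr_name)
  # No separator at all (e.g. a relative path) means no scheme to police.
  return false unless value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i
  # Everything before the first separator is treated as the scheme.
  scheme = value.split(PROTOCOL_SEPARATOR).first.to_s.downcase.strip
  !ALLOWED_PROTOCOLS.include?(scheme)
end

# Constructed sample attribute values with the expected verdict (true = blocked).
SAMPLES = {
  "https://example.com/"           => false,
  "/relative/path"                 => false,
  "mailto:someone@example.com"     => false,
  "javascript:alert(1)"            => true,
  "JAVASCRIPT:alert(1)"            => true,
  "java&#X3A;script&#X3A;alert(1)" => true,  # upper-case hex entity: caught only thanks to /i
  "javascript%3Aalert(1)"          => true,
}

def classify_all
  SAMPLES.keys.map { |v| [v, contains_bad_protocols?("href", v)] }.to_h
end

if __FILE__ == $0
  classify_all.each { |v, bad| puts "#{bad ? 'BLOCK' : 'allow'}  #{v}" }
end
```

The entity-encoded sample is the interesting one: it contains no literal colon, so only the encoded alternatives can flag it, and a case-sensitive regex would let the upper-case "&#X3A" through. A browser decodes the entity inside the attribute before interpreting the URL, so the scheme check has to see through the same encodings.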
Nothing is more important to us than the safety of your data, and we’d like to sincerely thank our customers for their trust so far! Still, as we are very concerned with security, we find it unacceptable to be forced to ask you for full access to your projects. We have had a lot of complaints about this problem, and we fully agree with you: you should never have to grant access to your work.
That’s why we’re proud to unveil today a new way to keep your projects in shape, without lowering your security requirements.
Why did we need full access to your private repos?
Gemnasium is fully integrated with GitHub: it automatically fetches your repositories and gets notified about code updates (pushes). For that, you need to authorize Gemnasium to access your code through OAuth.
Unfortunately, GitHub only provides “Read + Write” access for private repos (the “repo” scope), which implies full trust in the third-party service. For freelancers and agencies, it meant sharing their customers’ code with us, which is often forbidden by contracts or NDAs (and rightly so!).
If you don’t trust this gem either, keep calm and relax: the source code is fully available at https://github.com/gemnasium/gemnasium-gem
How does it work?
Dependencies can now be tracked without authorizing any access to your application code, just by using this tiny gem!
Drop it in your project (or just install the gem), run the install command, fill in the config file and you’re ready to go in a few seconds!
You can also use the provided post-commit Git hook to automatically push updates to Gemnasium when you commit changes to your dependency files.
Alternatively, you can use the “gemnasium” command, the Rake task, or even call the gem’s classes directly from your code. See the README for more details.
Finally, using the Rake task, a CI server can push the changes for you.
Behind the scenes
When executed, the Gemnasium gem calculates SHAs for your dependency files (the same way Git does) and sends them to the Gemnasium API to compare with the remote ones. If anything changed in the files, the SHAs will differ and the gem will upload the updated files.
The post-commit Git hook we provide is even smarter: it only fires the SHA check if your commit contains changes to your dependency files. It’s even faster than our GitHub service hook!
One great thing about this gem is that you can check dependency updates without pushing to the repository! Just update the dependency files, run “gemnasium push” and everything gets updated on gemnasium.com.
The Gemnasium gem is published under the MIT license. It’s compatible with all Ruby projects, not only Rails apps. We’ve made it as light as possible and it doesn’t require any other dependency. It is, however, only compatible with Ruby >= 1.9 for now (yes, that means Ruby 2.0 too!).
For Node.js project owners, please note that this gem is also able to upload package.json and npm-shrinkwrap.json files, as long as you have a working Ruby. For the others, don’t worry: an npm module is coming!
Please also note that for now the gem only works with existing Gemnasium profiles. So you still need to link your Gemnasium account with GitHub after registration (with read-only public access at least) and order a plan for one of your GitHub profiles. You’ll then be able to add your offline projects to the profile of your choice. Offline private projects count towards your plan’s private slot limit.
We’re also working on fully offline profiles to allow non-GitHub setups. This will come a bit later. Stay tuned!
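The “same way Git does it” fingerprint described above is Git’s blob object id: SHA-1 over the header “blob <byte length>\0” followed by the file contents. The example below is added here and is not the Gemnasium gem’s code; it computes that hash and uses it to decide which dependency files need uploading, with constructed Gemfile contents standing in for a real project and a hypothetical remote SHA map standing in for the API response.

```ruby
require "digest/sha1"

# Git's blob object id: SHA-1 of "blob <size>\0<content>". Because the scheme
# is the same, the result can be compared with `git hash-object Gemfile.lock`.
def git_blob_sha(content)
  Digest::SHA1.hexdigest("blob #{content.bytesize}\0#{content}")
end

# Given filename => contents for the local dependency files and the SHAs the
# server last saw (hypothetical API response shape), return the names whose
# content changed or that the server has never seen.
def files_to_upload(local_files, remote_shas)
  local_files.select { |name, content| remote_shas[name] != git_blob_sha(content) }.keys
end

# Constructed sample: Gemfile unchanged since the last sync, Gemfile.lock bumped.
LOCAL = {
  "Gemfile"      => "source 'https://rubygems.org'\ngem 'rails', '3.2.12'\n",
  "Gemfile.lock" => "GEM\n  specs:\n    rails (3.2.13)\n",
}
REMOTE = {
  "Gemfile"      => git_blob_sha(LOCAL["Gemfile"]),
  "Gemfile.lock" => git_blob_sha("GEM\n  specs:\n    rails (3.2.12)\n"),
}

if __FILE__ == $0
  LOCAL.each { |name, content| puts "#{git_blob_sha(content)}  #{name}" }
  puts "to upload: #{files_to_upload(LOCAL, REMOTE).inspect}"
end
```

Only the changed file’s contents ever leave the machine; unchanged files are identified by hash alone, which is what lets the client skip the upload entirely when nothing relevant changed.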
How to migrate an existing project?
If you have already set up your projects to be synchronized automatically with GitHub, you can switch them to use the gem. Just follow the README to complete the setup and use the “gemnasium create --force” command. The “--force” option overrides the existing setup on gemnasium.com, updating your project’s origin attribute from “github” to “offline”. Warning: there is currently no easy way to switch back to the GitHub origin (you need to contact support). Use with caution.
You can then update your GitHub permissions in your settings to use read-only public access.
No more excuses not to track your dependencies and keep your projects in shape with Gemnasium!
Cheers, Gemnasium Team
As announced last week, we are pleased to release today the new features focusing on security.
Remember: since Gemnasium 2.0 we monitor popular packages, looking for security or critical updates. Once something is detected, all impacted versions are tagged accordingly, which shows up as a red colour on the projects depending on them.
It’s time to put this on steroids! Let’s review the new features:
Security advisories
To bring you more information on these critical and security updates, Gemnasium now displays advisories right on the package’s page.
Advisories provide useful information about security issues or critical updates: description, affected versions, fixed versions, available solutions, etc.

Advisories are displayed on each affected version of a package and also on the versions that fix it.
Alerts
But that’s not enough… Keep calm and let the Security Coach tell you what’s wrong with your projects!
Right from your project page you can now check the security and critical advisories affecting your dependencies.

Open alerts stay there until your project becomes safe! They are closed automatically when the dependency is updated to a non-affected version.
If your app has been fixed with a patch or a workaround, or is simply not affected by the advisory, you can tell Gemnasium it’s okay and just close the alert.
Notifications and reminder
Gemnasium’s Security Coach warns you immediately when an advisory is created and reminds you every day until the alert is closed (by an update or using the close button). If the reminder bothers you but you still haven’t fixed the issue, you can acknowledge the alert to stop the notifications. This can be done on the project page or directly from your alert email.
To avoid spamming you when you have a lot of affected projects, notifications are grouped by advisory. Here is a sample alert email:

The security reminder takes your notification settings into account: you only receive security emails for projects and packages that have notifications enabled, and you won’t be notified at all if you have disabled notifications entirely in your settings.
Please note that all old alerts have been automatically acknowledged to avoid spamming you. Feel free to reopen them if you want to be reminded.
The notification and reminder features are included in all plans starting from Bonzaï (see pricing), and are also available as a trial during the first month after registration for Free plans. As an exceptional offer, the security reminder is also available to all existing Free users until March 31st!
Side notes
Gemnasium is still growing its changelog base and advocates for a common format. Your opinion is welcome, and you can contribute to the Vandamme open source project to help us define a convention.
As always, we hope you’ll appreciate these new features and your feedback is welcome!
Cheers, Gemnasium Team
There are thousands of different changelogs out there (when they exist at all), with dozens of different names. It’s almost impossible to fetch and parse them automatically. Gemnasium uses Vandamme to keep track of each changelog’s specifics (changelog location, version format, file format).
We really believe in changelogs. Following changes in dependencies is a hard task, and almost impossible by reading commits only.
The open-source world would be so much nicer with full, readable and comprehensive changelogs. As a solution to this problem, we propose a simple set of rules and requirements to follow in order to have a Standard Changelog. Please see the spec here:
https://github.com/tech-angels/vandamme/blob/master/README.md#changelogs-convention
Feedback is welcome!

Gemnasium loves you, thank you so much for your support! We are proud to announce an exciting new release today.
We have worked hard over the last months to improve the code base and features, and it was also time to put in place a fresh, optimized UI. Each page has been lovingly handcrafted into an amazing new design. Here is a quick look:

The new UI also comes with a new Dashboard page gathering statistics about your profiles, some information about a pushed package each week, and live events scoped to your account.
We also have lots of surprises for you, so let’s jump right in!
NPM Support
Gemnasium can now read and monitor your npm dependencies. If your GitHub profile contains projects with a “package.json” or an “npm-shrinkwrap.json” file, Gemnasium will track the dependencies for you!
This feature is included in all plans (including free plans), with no extra fee! And Gemnasium already monitors more than 22,000 Node packages.
Your personal security coach
Need some help following important changes and security announcements? Let us introduce the new “Watchmen” team. Every day, we’ll track important changelogs and security advisories for you, and mark dangerous or broken versions as “red”. Don’t spend more time wondering whether your projects are vulnerable because you forgot to update them; let us ping you when we think you should worry about something!
“Watched” packages and each “Checked” version are marked with these labels:

“Watched” means the package is manually checked every day. “Checked” is an acknowledgement of the package version you are browsing.
The Watchmen feature will evolve continuously to provide better and smarter security announcements, so that you can relax and stay focused on your work. Expect a release dedicated to this topic next week!
Packages Improvements
Gemnasium now provides tons of metadata for both Rubygems and npm packages (owners, maintainers, useful links, etc.). You can also see the dependencies of a package and discover the other packages that depend on it.
For those who maintain a changelog, Gemnasium can also show its content for each version. However, as there is no standard yet, this feature requires the changelog to be in a supported format. We’ll write more about this soon, stay tuned!

New badges
We’re taking part in the new “Shields” project, and provide clean, consistent and more readable badges for your READMEs. Your project badge can be copied and pasted into your GitHub README in seconds. Just click on the badge on your Gemnasium project page and follow the instructions!
We still have a lot of terrific ideas to come, stay tuned!
Oh, one more thing
We have a lovely gift for you! As you can see, a lot has changed in the new Gemnasium, and the response we’ve gotten from the community has been amazing. We’d like to welcome new subscribers with a 50% discount for 3 months (with the first month 100% free!)
While creating your subscription on gatekeeper (our account platform), just enter the coupon: VALENTINESDEP
<3<3<3 from the Gemnasium Team
As part of our continuous effort to give you a better experience, we have just migrated our customer support processes to Freshdesk. We strive to take full advantage of Freshdesk’s capabilities and best practices to give you a better support experience.
How does this make a difference to you?
Not a lot changes in terms of how you get in touch with us. You can shoot us an email at support@tech-angels.com, and our support system will automatically create a ticket on your behalf. You will also be notified by email of our responses and of status changes to your tickets, and you can send your replies directly.
The first time you send us a support query, you will receive an email with activation instructions to log in to our support portal at http://support.tech-angels.com. Going forward, you can check the status of your support queries or add comments to them there.
We are actively populating our support portal with FAQs and solutions in our knowledge base, so you can help yourself to how-tos and instructions. You can also discuss your ideas and share tips in our community forums.
Each product now has its own support portal
In addition to the top-level support portal http://support.tech-angels.com, each product now features its own support portal, with online forums and a knowledge base:
- Gemnasium : http://support.gemnasium.com (support@gemnasium.com)
- Spectorus : http://support.spectorus.com (support@spectorus.com)
- Jagan : http://support.jagan.io (support@jagan.io)
Talk to us on social media too
Our support team now listens to conversations on our Twitter handle (@techangels) and Facebook page (facebook.com/TechAngels). In addition to email and our website, feel free to reach us there as well.
We love hearing from you
We strive to give you an awesome support experience with every query, and your feedback will help us get there faster. We will be sending out satisfaction surveys for you to rate your support experience with us periodically. If you have any doubts or queries regarding our new support tools and policies, please drop us a line at support@tech-angels.com, and we’ll be glad to assist you. And make sure you visit our new support portal at http://support.tech-angels.com.
Tech-Angels is a Gold Sponsor @la_conf

We’re very proud and excited to announce today our participation in La-Conf in Paris, France, on 9-10 May 2013! The conference will be held in the heart of Paris, at the four-star Westin Paris - Vendôme (3 Rue de Castiglione, 75001 Paris).
You will find us easily with our t-shirts / sweatshirts:

Please come and meet us, we will surely be good advisors regarding the wine and cheese!
More info: http://2013.la-conf.org/
As requested, here is a new feature to allow you to choose which branch of your projects you want to monitor.
This setting can be found on the new Projects page of your Settings.

When the branch for a project is changed, Gemnasium automatically syncs with its GitHub repository and updates the dependencies as needed.