Description
Steps To Reproduce
In a fresh directory:
$ bundle init
$ bundle add nokogiri --version 1.19.3
$ bundler-audit check --update
Expected Behavior
nokogiri 1.19.4 fixed 9 security advisories, even though only 8 seem to be registered in the database (GHSA-g9g8-vgvw-g3vf is not showing).
The output of bundler-audit check should print 8 vulnerabilities, one for each database entry.
Actual Behaviour
The output of bundler-audit check prints 64 vulnerabilities.
This can be confirmed by running:
$ irb -r bundler/audit/scanner/
scanner = Bundler::Audit::Scanner.new
scanner.report.advisories.length
=> 64
The reason for this behaviour is because scanner.lockfile.specs contains a spec for each arch of nokogiri registered in the lockfile. In my case:
scanner.lockfile.specs
=>
[#<Bundler::LazySpecification @name="nokogiri" (1.19.3-aarch64-linux-gnu)>,
#<Bundler::LazySpecification @name="nokogiri" (1.19.3-aarch64-linux-musl)>,
#<Bundler::LazySpecification @name="nokogiri" (1.19.3-arm-linux-gnu)>,
#<Bundler::LazySpecification @name="nokogiri" (1.19.3-arm-linux-musl)>,
#<Bundler::LazySpecification @name="nokogiri" (1.19.3-arm64-darwin)>,
#<Bundler::LazySpecification @name="nokogiri" (1.19.3-x86_64-darwin)>,
#<Bundler::LazySpecification @name="nokogiri" (1.19.3-x86_64-linux-gnu)>,
#<Bundler::LazySpecification @name="nokogiri" (1.19.3-x86_64-linux-musl)>,
#<Bundler::LazySpecification @name="racc" (1.8.1)>]
So each vulnerability on the database is declared once for each nokogiri spec.
Environment
$ bundler-audit --version
bundler-audit 0.9.3
$ bundle --version
4.0.14
$ ruby --version
ruby 3.3.11 (2026-03-26 revision 1f2d15125a) [x86_64-linux]
$ git --version
git version 2.34.1
Description
Steps To Reproduce
In a fresh directory:
$ bundle init$ bundle add nokogiri --version 1.19.3$ bundler-audit check --updateExpected Behavior
nokogiri 1.19.4fixed 9 security advisories, even though only 8 seem to be registered in the database (GHSA-g9g8-vgvw-g3vf is not showing).The output of
bundler-audit checkshould print 8 vulnerabilities, one for each database entry.Actual Behaviour
The output of
bundler-audit checkprints 64 vulnerabilities.This can be confirmed by running:
$ irb -r bundler/audit/scanner/ scanner = Bundler::Audit::Scanner.new scanner.report.advisories.length => 64The reason for this behaviour is because
scanner.lockfile.specscontains a spec for each arch of nokogiri registered in the lockfile. In my case:So each vulnerability on the database is declared once for each nokogiri spec.
Environment