A little tool that reads the lockfiles in a project, looks up each dependency's repository and collects the newer upstream changes the project is not yet using (hopefully including a vulnerability or a behaviour that was recently changed or fixed upstream but can still be exploited in said project).
Supports:

Lockfiles:
- yarn (yarn.lock)
- npm (package-lock.json)
- ruby (Gemfile.lock)

Releases from repositories:
- GitHub
- GitLab
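To make the idea concrete, here is an added Rust example (written for this page, not goblin_prospector's own source) that does the core of what the tool describes: it parses the `specs:` block of a Gemfile.lock into pinned gems, orders versions numerically (so 1.13.10 is newer than 1.13.9 and a prerelease sorts below its final release), and reports the upstream tags that are newer than each pin. The lockfile text and the per-dependency tag lists are constructed inline; in the real tool the tags come from the GitHub/GitLab APIs.

```rust
use std::{cmp::Ordering, collections::BTreeMap};

// Constructed sample Gemfile.lock (not taken from any real project).
const GEMFILE_LOCK: &str = "\
GEM
  specs:
    nokogiri (1.13.6-x86_64-linux)
      racc (~> 1.4)
    rack (2.2.3)
    racc (1.6.0)

PLATFORMS
";

/// A gem pinned by the lockfile: name and exact locked version.
#[derive(Debug, PartialEq, Eq)]
pub struct LockedGem {
    pub name: String,
    pub version: String,
}

/// Pull pinned gems out of the `specs:` block(s): the four-space-indented
/// `name (version)` lines. Deeper-indented lines are constraints and are skipped.
pub fn parse_gemfile_lock(text: &str) -> Vec<LockedGem> {
    let mut gems = Vec::new();
    let mut in_specs = false;
    for line in text.lines() {
        let indent = line.len() - line.trim_start().len();
        if line.trim() == "specs:" && indent == 2 {
            in_specs = true;
        } else if line.trim().is_empty() || indent == 0 {
            in_specs = false; // blank line or next section header ends the block
        } else if in_specs && indent == 4 {
            // `name (version)`; drop a platform suffix such as `-x86_64-linux`.
            if let Some((name, ver)) = line.trim().trim_end_matches(')').split_once(" (") {
                let version = ver.split('-').next().unwrap_or(ver).to_string();
                gems.push(LockedGem { name: name.to_string(), version });
            }
        }
    }
    gems
}

/// Numeric dotted components plus an optional prerelease tag (`1.14.0.rc1`, `2.0.0-beta.1`):
/// 1.13.10 > 1.13.9, 1.0 == 1.0.0, and a prerelease sorts below its final release.
pub struct Version {
    nums: Vec<u64>,
    pre: Option<String>,
}

impl Version {
    pub fn parse(s: &str) -> Version {
        let parts: Vec<&str> = s.trim_start_matches('v').split(|c: char| c == '.' || c == '-').collect();
        let nums: Vec<u64> = parts.iter().map_while(|p| p.parse::<u64>().ok()).collect();
        let pre = (nums.len() < parts.len()).then(|| parts[nums.len()..].join("."));
        Version { nums, pre }
    }
}

impl Ord for Version {
    fn cmp(&self, other: &Self) -> Ordering {
        let at = |v: &[u64], i: usize| v.get(i).copied().unwrap_or(0); // missing component == 0
        (0..self.nums.len().max(other.nums.len()))
            .map(|i| at(&self.nums[..], i).cmp(&at(&other.nums[..], i)))
            .find(|o| o.is_ne())
            .unwrap_or_else(|| match (&self.pre, &other.pre) {
                (Some(_), None) => Ordering::Less,
                (None, Some(_)) => Ordering::Greater,
                (a, b) => a.cmp(b),
            })
    }
}
impl PartialOrd for Version { fn partial_cmp(&self, o: &Self) -> Option<Ordering> { Some(self.cmp(o)) } }
impl PartialEq for Version { fn eq(&self, o: &Self) -> bool { self.cmp(o) == Ordering::Equal } }
impl Eq for Version {}

/// Constructed stand-in for the release tags the real tool fetches from GitHub/GitLab; `racc` has none.
pub fn sample_release_tags() -> BTreeMap<&'static str, Vec<&'static str>> {
    BTreeMap::from([
        ("nokogiri", vec!["v1.13.5", "v1.13.6", "v1.13.10", "v1.13.7", "v1.14.0.rc1", "v1.14.0"]),
        ("rack", vec!["v2.2.3", "v2.2.4", "v3.0.0"]),
    ])
}

/// For each pin with tag data, the tags strictly newer than the pinned version, oldest first.
pub fn newer_releases(gems: &[LockedGem], tags: &BTreeMap<&str, Vec<&str>>) -> BTreeMap<String, Vec<String>> {
    let mut report: BTreeMap<String, Vec<String>> = BTreeMap::new();
    for gem in gems {
        let pinned = Version::parse(&gem.version);
        let list = match tags.get(gem.name.as_str()) { Some(l) => l, None => continue };
        let mut newer: Vec<(Version, &str)> =
            list.iter().map(|t| (Version::parse(t), *t)).filter(|(v, _)| *v > pinned).collect();
        newer.sort_by(|a, b| a.0.cmp(&b.0));
        report.insert(gem.name.clone(), newer.into_iter().map(|(_, t)| t.to_string()).collect());
    }
    report
}

fn main() {
    for (name, tags) in newer_releases(&parse_gemfile_lock(GEMFILE_LOCK), &sample_release_tags()) {
        println!("{}: newer releases: {}", name, tags.join(", "));
    }
}
```

Two details matter in practice and are the reason for the hand-rolled `Version`: a plain string comparison would rank `v1.13.9` above `v1.13.10`, and a prerelease tag such as `v1.14.0.rc1` must not be mistaken for a release that supersedes `v1.14.0`. Dependencies with no tag data (`racc` here) are left out of the report rather than reported as up to date.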
You can install from crates.io using cargo:

```
cargo install goblin_prospector
```
Or download a prebuilt binary from the releases.
You can also just clone the repo and build the tool with cargo:

```
git clone https://gitlab.com/bea_stung/goblin_prospector.git
cd goblin_prospector
cargo install --path=.
```
Example invocation, pointing the tool at a directory of projects and authenticating to the GitHub API with a personal access token:

```
goblin_prospector -d ~/repos/gitlab --github-token GITHUB_TOKEN_HERE -c 40
```

Note that a token given on the command line ends up in your shell history and is visible to other local users in the process list; at minimum pass it through a variable (`--github-token "$GITHUB_TOKEN"`) so the literal value is not recorded in history.
Example output:

```
GitHub (KaTeX/KaTeX): git+https://github.com/KaTeX/KaTeX.git
More recent releases:
[v0.16.8]:
0.16.8 (2023-06-24)
Features
expose error length and raw error message on ParseError (#3820) (710774a)
[v0.16.7]:
0.16.7 (2023-04-28)
Bug Fixes
docs/support_table.md: delete redundant "varPsi" (#3814) (33a1b98)
.....
```
```
goblin_prospector --help
```

Example output:

```
Goblin goes and gets information about new dependancy features introduced after the versions used by a project.
Point me at a project directory and watch me go boss, yeehaw!

Supports:
Lockfiles:
  - yarn (yarn.lock)
  - npm (package-lock.json)
  - ruby (Gemfile.lock)
Releases from repositories:
  - GitHub
  - GitLab

Usage: goblin_prospector [OPTIONS] --dir

Options:
  -d, --dir
```