2013 in review

2013 has been a tremendous year for the OSS community and especially the Ruby one:

  • Ruby 2.1 was released
  • Ruby on Rails 4.0 (and 4.1.0-beta1) was released
  • Devise reached version 3.0 (3.2.2 as of today)
  • and many more updates!

The biggest change is probably Rails 4, with lots of new features and updates:

Rails 4 changes (source: http://edgeguides.rubyonrails.org/4_0_release_notes.html)

Since we monitor a lot of projects (more than 50,000 Ruby projects now, 100,000 in total), we wondered what the rate of migration to Rails 4 was across the community. As we were querying our DB, we decided to gather more information about updates, and especially about affected projects. As you probably know, our paid plans include live notifications when a project dependency (first level or deeper) is affected by an advisory.

Today, we are proud to share with you what we found, and some stats were a bit unexpected!

Gemnasium 2013

(Download from GitHub: https://github.com/gemnasium/2013-statistics)

We took into account only 2013 data to generate this poster.

The most amazing stat is the potential number of affected projects: 24% were affected by a security alert in 2013. Most of the time (81% to be precise), the vulnerable gem is hidden deep in the Gemfile.lock file, not declared in the Gemfile itself, because we often don't realize that a single dependency declared in a Gemfile pulls in a bunch of other gems. Between 500 and 1,000 gems install between 5 and 10 dependencies each.
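As an added example (not from the original post, nor Gemnasium's own tooling), the script below parses a constructed Gemfile.lock, checks every resolved gem against a constructed advisory list, and reports whether each affected gem was declared directly in the Gemfile or was pulled in transitively. The lockfile contents, the advisory entries and their patched-version requirements are all assumptions made for the example.

```ruby
require "rubygems"

# Constructed sample Gemfile.lock (an assumption): only "rails" is declared in the Gemfile.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (4.0.2)
        activesupport (= 4.0.2)
        rack (~> 1.5.2)
      activesupport (4.0.2)
      rack (1.5.2)
      rails (4.0.2)
        actionpack (= 4.0.2)
  DEPENDENCIES
    rails (= 4.0.2)
LOCK

# Constructed advisories (illustrative, not real): gem name => versions that carry the fix.
ADVISORIES = {
  "rails" => Gem::Requirement.new(">= 4.0.3"),
  "rack"  => Gem::Requirement.new(">= 1.5.3"),
}

# Returns [{name => Gem::Version} for resolved gems, names declared directly in the Gemfile].
# Resolved gems sit at exactly four spaces under "specs:"; deeper lines are their edges.
def parse_lockfile(text)
  resolved, direct, section = {}, [], nil
  text.each_line(chomp: true) do |line|
    section = line if line.match?(/\A[A-Z]+\z/)
    if section == "GEM" && (m = line.match(/\A {4}(\S+) \((\S+)\)\z/))
      resolved[m[1]] = Gem::Version.new(m[2])
    elsif section == "DEPENDENCIES" && (m = line.match(/\A {2}(\S+)/))
      direct << m[1].delete_suffix("!") # "name!" marks a gem from a custom source
    end
  end
  [resolved, direct]
end

# Lists [name, version, :direct or :transitive] for each resolved gem whose version is unpatched.
def affected_gems(lock_text, advisories = ADVISORIES)
  resolved, direct = parse_lockfile(lock_text)
  resolved.map do |name, version|
    req = advisories[name]
    next if req.nil? || req.satisfied_by?(version)
    [name, version.to_s, direct.include?(name) ? :direct : :transitive]
  end.compact
end
```

Running `affected_gems(LOCKFILE)` on the sample flags rack 1.5.2 as transitive (it never appears in the Gemfile) and rails 4.0.2 as direct, which is exactly the distinction the 81% figure above is about.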

Fortunately, most security holes are kept private until the very last minute, and a fixed release is generally published together with the advisory.

Extra stats

We didn't include everything in the poster; we had to select the most relevant information. Nevertheless, we kept some fun stats:

Top 10 packages having pre-releases:

(with number of pre-release versions)

  • Sass (221)
  • pry (159)
  • vmc (129)
  • chef (109)
  • autoproj (105)
  • lalala-development (100)
  • lalala (100)
  • lalala-assets (100)
  • lalala-tests (100)
  • active-fedora (88)


Packages having changelogs (not necessarily up-to-date :))

  • 55% (27600)

Pre-stable packages

Packages that haven't reached 1.0 yet:

  • 85% (42548)

That’s a huge number of 0.x.y gems!

"En route to" 2014

We'd like to take the time to wish you, a bit late, a great 2014, and to thank our customers for making this possible. Please feel free to share this poster and these statistics.

We are currently working on a full Gemnasium API; stay tuned on this blog!