How do you keep up to date on gems?

I was asked an interview question on how I would keep an app’s gems up to date. Suppose there was a new gem because of some security issue, for instance?

Where I worked before, we locked the gems in the Gemfile with a particular version with the notation of something like:
gem 'multi_json', '~> 1.8.2'

That way we would not get surprises when we updated the gems, as changes could occur without our being able to know what they were and the app would be unstable. I’ve also found when someone gives you an app to work on and it has not been used for several months, if the Gemfile has no versions on the gems then you will have a hard time figuring out why everything is broken or what gem version it used to work in.

I did not find there to be an easy answer to this question given that a Gemfile can contain many gems and knowing when to go to a new version is not clear. At a certain point in time between projects, we might try to update the gems. Is there a simple way to tell how far out of date the gems in the Gemfile are using a command of some kind?

bundle outdated

Check this:
https://gemnasium.com/features

For instance, the Capybara project on GitHub shows the status of dependencies with a green button in the README file.

https://github.com/jnicklas/capybara

A couple of things. First, when you initially install gems, the system automatically locks the version of the gem, whether you specify a version in the Gemfile or not. If you inherit an old application, the file Gemfile.lock will tell you what gems it is using and what versions of those gems. When you run bundle install, it will stick to those versions, even if a newer version is available.

If you want to see if there are newer versions of the gem than the ones the application is using, run “bundle outdated” as the above post indicates. That will list all of the gems used by your application that are outdated.

If you want to update a gem to a newer version, you run “bundle update [gemname]”. If you don’t include a gem name with the command, it will update everything (in other words, ignore the Gemfile.lock).

Hope this helps.
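
An added example, not part of any post in this thread: it reads the locked versions and Gemfile constraints out of a Gemfile.lock and shows, per gem, the newest release the constraint still permits next to the newest release overall, which is the gap a `~> 1.8.2` pin creates when a fix ships in a later series. The lockfile text, the release lists and the function names are all constructed for illustration; nothing here contacts a gem server.

```ruby
require 'rubygems'

# Constructed sample lockfile, not taken from a real application.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      multi_json (1.8.2)
      rack (1.5.2)
      rack-test (0.6.2)
        rack (>= 1.0)

  DEPENDENCIES
    multi_json (~> 1.8.2)
    rack-test
LOCK

# Constructed release lists standing in for what the gem server would report.
AVAILABLE = {
  'multi_json' => %w[1.8.2 1.8.4 1.9.0],
  'rack'       => %w[1.5.2],
  'rack-test'  => %w[0.6.2 0.6.3]
}.freeze

# Locked versions: the 4-space entries under "specs:" -> { name => Gem::Version }.
def locked_versions(lockfile)
  lockfile.scan(/^ {4}(\S+) \((\d[^\s)]*)\)$/).map { |n, v| [n, Gem::Version.new(v)] }.to_h
end

# Gemfile constraints: 2-space entries under DEPENDENCIES -> { name => Gem::Requirement }.
def requirements(lockfile)
  deps = lockfile[/^DEPENDENCIES\n((?: {2}\S.*\n?)*)/, 1].to_s
  deps.scan(/^ {2}([^\s!]+)(?: \(([^)]+)\))?/).map do |n, req|
    [n, Gem::Requirement.new(*(req || '>= 0').split(', '))]
  end.to_h
end

# For each gem with a newer release: locked version, newest release the
# Gemfile constraint permits, and newest release overall.
def outdated(lockfile, available)
  reqs = requirements(lockfile)
  locked_versions(lockfile).map do |name, locked|
    all = available.fetch(name, []).map { |v| Gem::Version.new(v) }
    next unless all.max && all.max > locked
    req = reqs.fetch(name, Gem::Requirement.default) # transitive gems: no Gemfile pin
    allowed = all.select { |v| req.satisfied_by?(v) }.max
    { name: name, locked: locked.to_s, allowed: allowed.to_s, newest: all.max.to_s }
  end.compact
end

outdated(LOCKFILE, AVAILABLE).each { |row| puts row }
```

When `allowed` is lower than `newest`, the Gemfile constraint itself has to be changed before the newest release can be installed.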