Introducing RubyGems Support for deps.dev

Eve Martin-Jones, Max Fisher, Open Source Insights Team

April 7, 2025

I’m happy to announce that today deps.dev is launching support for RubyGems, the Ruby package manager. We have 184k gems and 1.8 million versions available through our API, website and BigQuery dataset.

Deps.dev already supports npm, Go, Maven, PyPI, Cargo and NuGet and we’re excited to add support for RubyGems as another major open source package management ecosystem. We hope that Ruby developers will be able to use deps.dev to gain insight into the software they use and help tackle the ever-increasing number of open software supply chain attacks.

How can I use the data?

RubyGems data is available via the deps.dev website, API and BigQuery dataset.

The
deps.dev webpage for the RubyGems rails gem. — The deps.dev webpage for the RubyGems rails gem.

The data that’s available is:

Advisories: You can check whether a gem is directly affected by an advisory, and if so, whether there is an unaffected version you could use. For example, compare versions 7.0.0 and 8.0.2 of the rails gem.
Hashes: You can use the Query API endpoint to query for the name of a mystery gem using its hash.
Version metadata: You can see gem metadata like license, publish date, description and reference links.
Requirements: RubyGems allows gem developers to declare runtime and development dependencies on other gems in the gemspec. The dependency gem names and version requirements for gems are served via: the requirements tab on the deps.dev website, the GetRequirements API endpoint and the RubyGemsRequirements table in the BigQuery dataset.

deps.dev sources all RubyGems data from the RubyGems v2 API and the RubyGems Compact Index API.

What’s next?

Data is currently only served for gem versions with the default platform “ruby”. In the future, we plan to serve data for all gem versions regardless of platform.

We also plan to add support for RubyGems Sigstore attestations, which users can use to verify the integrity of a gem version published to RubyGems. This follows on from our existing support for PyPI digital attestations and npm SLSA provenance attestations.

We’d love to hear what you think about our RubyGems support. Get in touch via email at depsdev@google.com or file an issue in our GitHub repository.