实现示例

type Gem = { name: string; version: string; requiredRuby: string; sha256: string; source: string }

// Exact host names a gem source may point at. validSource() compares URL.host against
// this set, so there is no wildcard or subdomain matching and a non-default port never matches.
const allowHosts: Set<string> = new Set(['rubygems.org', 'gems.example.com'])

/**
 * Format check for a SHA-256 digest written as hexadecimal.
 *
 * This only confirms the string is exactly 64 hex characters (either case);
 * it does not compare the digest with the bytes of any downloaded artifact.
 *
 * @param h Candidate digest string.
 * @returns `true` when `h` is exactly 64 hexadecimal characters.
 */
function hex64(h: string): boolean {
  const sha256Hex = /^[0-9a-f]{64}$/i
  return sha256Hex.test(h)
}

/**
 * Decide whether a gem source URL is acceptable: it must parse as a URL,
 * use the `https:` scheme, and have a host listed in `allowHosts`.
 *
 * `URL.host` includes any non-default port, so `https://rubygems.org:8443/`
 * is rejected unless that exact `host:port` string is in the allow-list.
 *
 * NOTE(review): only scheme and host are compared, so a URL carrying userinfo
 * (`https://user:token@host/`) still passes; confirm whether credentials
 * embedded in the manifest should be rejected here.
 *
 * @param u Source URL string taken from the gem entry.
 * @returns `true` for an HTTPS URL on an allow-listed host, otherwise `false`.
 */
function validSource(u: string): boolean {
  let parsed: URL
  try {
    parsed = new URL(u)
  } catch {
    // Unparseable input is treated as an invalid source rather than an error.
    return false
  }
  if (parsed.protocol !== 'https:') return false
  return allowHosts.has(parsed.host)
}

/**
 * Loose shape check for a version string: three dot-separated decimal numbers,
 * optionally followed by any run of letters, digits, `-`, `_` or `.`.
 *
 * The suffix needs no separator, so `1.2.3abc` and `1.2.3.4` are accepted,
 * while two-part versions such as `1.2` are not.
 *
 * @param v Version string taken from the gem entry.
 * @returns `true` when `v` matches the pattern described above.
 */
function semverLike(v: string): boolean {
  const versionShape = /^\d+\.\d+\.\d+[-A-Za-z0-9_.]*$/
  return versionShape.test(v)
}

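/**
 * Check whether the environment's Ruby version satisfies a gem's Ruby requirement.
 *
 * Accepted requirement forms: `MAJOR.MINOR`, optionally prefixed with `^` or `~`
 * and optionally followed by further `.`/`-` separated alphanumeric segments
 * (patch level, pre-release tag). Those extra segments are not compared.
 * - `^`: same major, environment minor greater than or equal to the required minor.
 * - `~` or no prefix: same major and same minor.
 *
 * @param req Requirement string taken from the gem entry.
 * @param env Ruby version of the environment, e.g. `3.2.2`.
 * @returns `true` only when `req` parses completely and `env` satisfies it.
 */
function rubyCompat(req: string, env: string): boolean {
  // Anchored at both ends: previously only the start was anchored, so any text
  // after MAJOR.MINOR was ignored and a malformed requirement could pass the gate.
  const parsed = /^(\^|~)?(\d+)\.(\d+)(?:[.-][0-9A-Za-z]+)*$/.exec(req)
  if (!parsed) return false

  const operator = parsed[1]
  const wantMajor = parseInt(parsed[2], 10)
  const wantMinor = parseInt(parsed[3], 10)

  const [haveMajor, haveMinor] = env.split('.').map(part => parseInt(part, 10))
  // Fail closed when the environment version lacks a numeric major or minor part.
  if (!Number.isInteger(haveMajor) || !Number.isInteger(haveMinor)) return false

  if (haveMajor !== wantMajor) return false
  // `~` and the bare form both pin the minor version; only `^` allows a newer minor.
  return operator === '^' ? haveMinor >= wantMinor : haveMinor === wantMinor
}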

/**
 * Run every gate check against each gem entry and collect the failures.
 *
 * Per gem, up to four errors are recorded, in this order:
 * `id:` (empty name or version not matching `semverLike`), `ruby:` (Ruby
 * requirement not satisfied), `hash:` (sha256 not 64 hex characters) and
 * `source:` (source URL not HTTPS on an allow-listed host).
 *
 * An empty `list` produces no errors and therefore `ok: true`.
 *
 * NOTE(review): each error string embeds `name` exactly as it appears in the
 * entry; if entries come from an untrusted manifest, consider escaping control
 * characters before these strings are written to CI logs.
 *
 * @param list Gem entries to audit.
 * @param envRuby Ruby version of the environment the gems will run on.
 * @returns `ok` is `true` only when `errors` is empty.
 */
function evaluate(list: Gem[], envRuby: string): { ok: boolean; errors: string[] } {
  const errors: string[] = []

  for (const gem of list) {
    const identityOk = Boolean(gem.name) && semverLike(gem.version)
    const rubyOk = rubyCompat(gem.requiredRuby, envRuby)
    const hashOk = hex64(gem.sha256)
    const sourceOk = validSource(gem.source)

    if (!identityOk) {
      errors.push(`id:${gem.name}`)
    }
    if (!rubyOk) {
      errors.push(`ruby:${gem.name}`)
    }
    if (!hashOk) {
      errors.push(`hash:${gem.name}`)
    }
    if (!sourceOk) {
      errors.push(`source:${gem.name}`)
    }
  }

  const ok = errors.length === 0
  return { ok, errors }
}

审计与 CI 门禁

审计版本与 Ruby 的兼容性、来源与哈希;不合规则阻断并回退。变更需审批与记录,支持回溯。
