
bundle outdated is lying to you, sort of

  • Ruby
  • Bundler
  • Dependency Management

TL;DR

bundle outdated shows gemspec runtime dependencies, but mixes them with transitive dependencies. bundle outdated --only-explicit removes the noise, but also drops gemspec runtime dependencies entirely. A practical workaround is to mirror core runtime dependencies in a dedicated :maintenance Gemfile group so explicit-only checks stay useful.

What goes wrong

Bundler is the standard dependency manager for Ruby projects, and bundle outdated is the command most teams reach for first when checking update status.

Without flags, gemspec runtime dependencies do appear, but they are unlabelled and sit beside every transitive dependency in the lock graph. The output gets noisy quickly, and it becomes hard to separate what you own from what your dependencies own.

So you reach for --only-explicit. The output becomes cleaner, but now it is incomplete for gem maintainers. Gemspec runtime dependencies disappear from the report.

Why this happens

Bundler treats the gemspec and Gemfile as separate concerns: runtime requirements are declared in the gemspec, while development and maintenance dependencies are typically managed in the Gemfile[1]. In practice, the gemspec is handled as a path dependency, not a direct Gemfile declaration, so --only-explicit cannot see it in the same way[2][3].

A practical workaround

Add a dedicated :maintenance group to your Gemfile and mirror your core runtime gems there:

# Mirror gemspec runtime dependencies so
# bundle outdated --only-explicit can include them
group :maintenance do
  gem "faraday", ">= 1.0"
  gem "oj", ">= 3.0"
end

This gives you cleaner explicit-only output while keeping the dependencies you actually maintain in scope.

Trade-offs and safeguards

The downside is duplication. You now maintain related declarations in both the gemspec and Gemfile, so drift is possible if updates are not applied in both places.

To reduce that risk:

  • Keep runtime dependencies in the gemspec via add_dependency[4].
  • Mirror only core runtime gems in :maintenance.
  • Use Dependabot to track gemspec updates independently.
  • Use bundler-audit for known vulnerability checks against Gemfile.lock.
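As an added example (not code from this post), here is a small drift check that compares the gemspec's runtime dependencies with the Gemfile's :maintenance group and reports what is unmirrored, stale, or pinned differently. It uses its own minimal Gemfile reader rather than Bundler's DSL, and the sample gemspec and Gemfile are constructed for illustration.

```ruby
require "rubygems"
# Constructed sample gemspec: three runtime deps and one development dep.
SAMPLE_GEMSPEC = <<~RUBY
  Gem::Specification.new do |s|
    s.name, s.version = "example_gem", "0.1.0"
    s.add_dependency "faraday", ">= 1.0"
    s.add_dependency "oj", ">= 3.0"
    s.add_dependency "zeitwerk", "~> 2.6"
    s.add_development_dependency "rake"
  end
RUBY

# Constructed sample Gemfile whose :maintenance mirror has drifted.
SAMPLE_GEMFILE = <<~RUBY
  gemspec
  group :maintenance do
    gem "faraday", ">= 1.0"
    gem "oj", ">= 3.1"        # drifted: the gemspec says ">= 3.0"
    gem "nokogiri", ">= 1.15" # stale: no longer a runtime dependency
  end
RUBY

# Minimal Gemfile reader (not Bundler's DSL): records `gem` calls per group, ignores other directives.
class GemfileGroups
  attr_reader :by_group
  def initialize
    @by_group = Hash.new { |h, k| h[k] = {} }
    @current = [:default]
  end
  def group(*names)
    previous, @current = @current, names.map(&:to_sym)
    yield
  ensure
    @current = previous
  end
  def gem(name, *reqs, **opts)
    Array(opts[:group] || @current).each { |g| @by_group[g.to_sym][name] = Gem::Requirement.new(reqs) }
  end
  def method_missing(*); end # source, gemspec, ruby, ... are irrelevant to the mirror check
end

# Compare gemspec runtime dependencies with the Gemfile's :maintenance group.
# Pass file contents, e.g. File.read("foo.gemspec") and File.read("Gemfile").
def maintenance_drift(gemspec_src, gemfile_src)
  runtime  = eval(gemspec_src).runtime_dependencies.to_h { |d| [d.name, d.requirement] }
  mirrored = GemfileGroups.new.tap { |r| r.instance_eval(gemfile_src, "Gemfile") }.by_group[:maintenance]
  { unmirrored: (runtime.keys - mirrored.keys).sort,  # runtime deps with no mirror entry
    stale:      (mirrored.keys - runtime.keys).sort,  # mirrored, but no longer a runtime dep
    mismatched: (runtime.keys & mirrored.keys).reject { |n| runtime[n] == mirrored[n] }.sort }
end
```

Only core runtime gems need mirroring, so an unmirrored entry is a candidate to review rather than an error; stale and mismatched entries are the drift the safeguards above are meant to prevent.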

Conclusion

bundle outdated is useful, but the default output can hide ownership and --only-explicit can hide runtime gems. The :maintenance mirror pattern is not perfect, but it gives you a practical, low-friction view of what needs attention.

Verified against Bundler v2.7.9 and v4.0.x (v4.0.3, v4.0.9).

References

  1. RubyGems basics
  2. Bundler issue #1096
  3. Bundler issue #5366 comment
  4. RubyGems specification reference
  5. Bundler gemfile man page