๐Ÿ” Public Audit Report ยท 2026-05-25

State of Rails Maintenance

We ran Keepalive's health scanner against 8 of the most popular open source Rails applications. Here's what we found.

Apps Audited: 8
Avg Months Behind: 4
CVEs Found: 18
Still on Rails 7: 3

Audit Results

Scanned: 2026-05-25 · Rails latest: 8.1.3

Mastodon
Decentralized social network. 47k+ stars.
Score: 84
Rails 8.1.3 (✓ Up to date)
12 outdated, 2 security-critical
CVE-2024-26143, CVE-2024-41128
→ Update 2 security-flagged gems (actionpack, loofah). Lock actioncable to patch version.

Decidim
Participatory democracy platform. 2k+ stars.
Score: 85
Rails 8.1.3 (✓ Up to date)
18 outdated, 1 security-critical
CVE-2024-32464
→ Patch actiontext CVE immediately. Run bundler-audit in CI. 17 cosmetic updates can batch.

Chatwoot
Open source customer support platform. 22k+ stars.
Score: 49
Rails 7.1.5.2 (6 months behind)
31 outdated, 3 security-critical
CVE-2024-26143, CVE-2023-22795, CVE-2024-41128
→ Upgrade from Rails 7.1 → 7.2 first (smaller jump), then plan 8.0 migration. Fix 3 CVEs now.

Forem
Platform powering DEV.to. 22k+ stars.
Score: 0
Rails 7.0.8.7 (15 months behind)
52 outdated, 5 security-critical
CVE-2024-26143, CVE-2023-22795, CVE-2024-28103, CVE-2023-28362, CVE-2024-41128
→ Critical: upgrade from Rails 7.0 → 7.1 to close 3 high-risk CVEs. 52 outdated gems show stale CI.

Sharetribe
Marketplace platform. 2k+ stars.
Score: 92
Rails 8.1.2 (2 months behind)
8 outdated, 0 security-critical
✓ No known CVEs in lockfile
→ Patch to Rails 8.1.3 (point release). All 8 outdated gems are cosmetic; safe to batch update.

Discourse
Modern discussion forum platform. 43k+ stars.
Score: 70
Rails 8.0.5 (1 month behind)
22 outdated, 2 security-critical
CVE-2024-32464, CVE-2024-41128
→ Upgrade Rails 8.0 → 8.1 (well-maintained, should be straightforward). Patch 2 CVEs first.

Spree Commerce
Headless eCommerce platform. 15k+ stars.
Score: 73
Rails 8.1.2 (2 months behind)
16 outdated, 2 security-critical
CVE-2024-41128, CVE-2024-32464
→ Patch to Rails 8.1.3 (closes active CVEs). 14 cosmetic gems can batch-update safely.

Solidus
Open source eCommerce framework. 5k+ stars.
Score: 36
Rails 7.2.0 (8 months behind)
29 outdated, 3 security-critical
CVE-2024-26143, CVE-2024-28103, CVE-2024-41128
→ Upgrade from Rails 7.2 → 8.0 (Solidus v4.7 supports < 8.2). Fixes 2 actionpack CVEs immediately. Ruby 3.2 → 3.4 next.

Want this for your Rails app?

Keepalive continuously monitors your Rails app's maintenance health (gems, CVEs, upgrade paths) and tells you exactly what to fix first.


How this was generated

Keepalive fetches the public Gemfile.lock from each repository and runs its Rails health scanner: checking the locked Rails and Ruby versions against the latest stable releases, counting outdated gems, cross-referencing the lockfile against known CVEs, and computing a maintenance score. This report was generated on 2026-05-25. Rails latest stable: 8.1.3.
