Recently I found I needed to update a few patch versions of rails-related libraries in a project, due to some security updates available. However, they were not reported when running overcommit with bundle-audit enabled.

From my understanding the issue is that bundle-audit was running against an outdated list of vulnerabilities. It can be fixed by passing the --update flag when running the check, as documented here.

In my opinion, this should be the default behavior. Is it worth it to open a PR that sets that flag by default in https://github.com/sds/overcommit/blob/master/config/default.yml?

By the way, thanks for the great work! 👏 We've been using overcommit across a variety of projects for a long time now, it improved our workflow a lot.