Your local changes to the following files would be overwritten by merge #183

Open
saigkill opened this issue Oct 23, 2017 · 9 comments

@saigkill

I tried a bundle_audit:update and got:
Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Updating be85e28..614dea0
error: Your local changes to the following files would be overwritten by merge:
	README.md
	gems/passenger/CVE-2016-10345.yml
Please commit your changes or stash them before you merge.
Aborting

How can I fix it?

@Gasparila

Any update to this?

@paranoicsan

I've got the same sporadic errors 😞 Any update or workaround?

Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
* branch            master     -> FETCH_HEAD
error: Your local changes to the following files would be overwritten by merge:
[...]
Please commit your changes or stash them before you merge.
Aborting
Updating c7e3e48..8ad6d62
Failed updating ruby-advisory-db!

@paranoicsan

Solved.

Found that line to detect where gem stores the DB. Removed all data and updated all from scratch.

@sandipsubedi

@paranoicsan can you explain what you mean by this:

Removed all data and updated all from scratch.

Also, is there any release coming soon for this?

@paranoicsan

@sandipsubedi I just deleted my local copy of the advisory database. And the next update went smoothly.

@postmodern
Member

I'm not sure where these local changes are coming from, but maybe we could force git to wipe out any local changes? git reset --hard HEAD && git clean -f -d before git pull maybe?

@bbugh

bbugh commented Mar 1, 2021

I have noticed that this happens when using git worktrees and not being in the primary source directory. For example, I have a master folder which is the original repository, and a develop folder that is a worktree of master. If I run the audit in the develop directory, it appears to try to update the master folder instead of the ruby-advisory-db itself.

Example, breaking in a worktree folder:

~/project_folder/develop(some_branch*) » git push --set-upstream origin $(git_current_branch)
husky > pre-push (node v14.5.0)
Auditing bundle for security issues...
Updating ruby-advisory-db ...
From https://github.com/my_organization/my_repo ⁉️⁉️
 * branch                master     -> FETCH_HEAD
error: Your local changes to the following files would be overwritten by merge:
	Gemfile
	Gemfile.lock
Please commit your changes or stash them before you merge.
Aborting
❌ Failed updating ruby-advisory-db!
husky > pre-push hook failed (add --no-verify to bypass)
error: failed to push some refs to 'https://github.com/my_organization/my_repo'

Works fine:

~/project_folder/master(master) » git push --set-upstream origin $(git_current_branch)
husky > pre-push (node v14.5.0)
Auditing bundle for security issues...
Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db 👍👍
 * branch            master     -> FETCH_HEAD
Already up to date.
✅ Updated ruby-advisory-db
ruby-advisory-db: 484 advisories
No vulnerabilities found
Branch 'master' set up to track remote branch 'master' from 'origin'.
Everything up-to-date

@abaldwin88

Deleting the advisory database worked for me. In case you're wondering where that database is located like I was, you can pop open irb and enter the following:

File.expand_path(File.join(Gem.user_home,'.local','share','ruby-advisory-db'))

Taken from:
https://github.com/rubysec/bundler-audit/blob/master/lib/bundler/audit/database.rb#L41

@postmodern
Member

postmodern commented May 25, 2021

@bbugh Database#update always ran the git pull command within a Dir.chdir block. However, the Database.download method runs git pull with the path to ~/.local/share/ruby-advisory-db. Still not sure how git is screwing with ~/.local/share/ruby-advisory-db local repo.
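
A read-only diagnostic for the two failure modes reported in this thread (local changes inside the advisory database, and git answering for the project repository instead of the database), added here as an example; it is not part of the thread or of bundler-audit. The helper names `diagnose`, `git` and `check_advisory_db` are hypothetical; the path and remote URL are the ones quoted in the comments above.

```ruby
require "open3"

# DB location quoted in the thread (from bundler-audit's database.rb).
DB_PATH = File.expand_path(File.join(Gem.user_home, ".local", "share", "ruby-advisory-db"))
# Remote shown in the successful runs in the thread.
EXPECTED_ORIGIN = "https://github.com/rubysec/ruby-advisory-db"

# Hypothetical helper: classify what git reported from inside the DB directory.
#   toplevel: `git rev-parse --show-toplevel` (nil if the command failed)
#   origin:   `git remote get-url origin`
#   status:   `git status --porcelain`
def diagnose(db_path:, toplevel:, origin:, status:)
  return { problems: [:not_a_git_repo], dirty_files: [] } if toplevel.nil?

  problems = []
  # git answered for a different working tree than the advisory DB.
  problems << :git_resolved_other_repo unless File.expand_path(toplevel) == File.expand_path(db_path)
  # Tolerate a trailing ".git" or "/" on the remote URL.
  problems << :unexpected_origin unless origin.to_s.sub(%r{(\.git)?/?\z}, "") == EXPECTED_ORIGIN
  # Porcelain lines are "XY <path>": two status characters, a space, the path.
  dirty = status.to_s.each_line.map { |l| l.chomp[3..].to_s }.reject(&:empty?)
  problems << :local_changes unless dirty.empty?
  { problems: problems, dirty_files: dirty }
end

# Run git in db_path with the inherited environment, as an update would.
def git(db_path, *args)
  out, _err, status = Open3.capture3("git", *args, chdir: db_path)
  status.success? ? out.chomp : nil
rescue Errno::ENOENT # git is not installed
  nil
end

def check_advisory_db(db_path = DB_PATH)
  return { problems: [:missing], dirty_files: [] } unless Dir.exist?(db_path)

  diagnose(db_path: File.realpath(db_path),
           toplevel: git(db_path, "rev-parse", "--show-toplevel"),
           origin: git(db_path, "remote", "get-url", "origin"),
           status: git(db_path, "status", "--porcelain"))
end

puts check_advisory_db.inspect if $PROGRAM_NAME == __FILE__
```

Running it from the same context as the failing audit (for example inside the pre-push hook) shows which repository git resolves to there, since the helper inherits that environment.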
