Gemnasium tracks the registries where the packages are listed:
Gemnasium has various strategies to stay in sync with a registry:
- it parses the RSS feeds every few minutes
- it downloads the entire package index every few hours
- if the source code is on GitHub, it lists the git tags of the repo
These different strategies are implemented where it's possible. For instance, npmjs.com makes it possible to download the entire package index and it has a RSS feed too. At the opposite, bower.io gives no information on the versions that are available, so Gemnasium has to connect to the source repository and list the git tags (these are the package versions).