Skip to content

Don't Bundle Foreman

David Dollar edited this page Aug 29, 2019 · 3 revisions

This usually comes up in the context of someone submitting a PR wanting to update thor.

I highly suggest that you do not include foreman in your Gemfile. Foreman is not a library, and should not affect the dependency tree of your application. Updating one of foreman's dependencies just to satisfy your project's dependency matrix. This in turn could break older applications that are doing the same thing.

The only reason that foreman will update a dependency is to acquire a new, desired feature or to remove a vulnerability

Foreman is very stable at this point, and upgrading its dependencies for any other reason introduces potential bugs (or worse) for virtually no gain.

In addition, adding foreman to your Gemfile causes foreman to be loaded into your application as a dependency which is, at best, an unnecessary vulnerability vector for your application.

Hopefully this clears things up! Happy hacking.

Clone this wiki locally