-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
webrick dependency necessary? #12
Comments
This is now made worse by the fact that Webrick has a CVE filed against it: https://nvd.nist.gov/vuln/detail/CVE-2024-47220 |
Indeed! Let's see if we can see some changes soon as a fix seems to be ready and one of the maintainers has been tagged here: ruby/webrick#145 (comment) |
With webrick as a direct dependency, it is kind of a nice out of the box experience currently: You only need to install rackup and you are ready to go. Directly running In case webrick gets removed as a dependency, the webrick handler ( |
It's a little bit bothersome since Webrick is now marked explicitly as insecure for production use. If the out of the box for rackup experience is very important, perhaps the gem could be split into rackup and rackup_core (which would not depend on webrick). Then Rails could depend on rackup_core so that not all Rails apps have to pull in webrick. |
IMHO,
I would be okay with removing If we did decide to remove gem "rackup"
gem "webrick" # or "falcon" or "puma" or "pitchfork" etc I'd be okay with this if someone wants to work on a PR, but I'd also like to hear feedback from @jeremyevans. |
Removing the dependency on webrick here would make this message (https://github.com/sinatra/sinatra/blob/ef00c6a0db0ef31143e529e7e6edddf2d5c99653/lib/sinatra/base.rb#L1607) that Sinatra (in some situations) prints out a bit weird, I guess it could be patched to give even more instructions. When I added Rack 3 support to Sinatra I chose to not add rackup as dependency, as it would also bring webrick, which felt a bit weird for a framework to do. I think it should be suggested to the Rails project to make changes on this matter. |
I recommend we drop the webrick dependency from rackup, so libraries that depend on rackup do not pull in webrick. I also recommend that libraries not depend on rackup. I think frameworks/applications should just focus on providing |
I am okay with that direction, so I'll cut a PR. |
This repo was extracted from rack for v3, which previously didn't explicitly depend on webrick.
Webrick was dropped as a bundled gem from ruby 3 and the default web server for Rails is puma.
The other supported servers aren't depended upon and it would be nice if webrick is the same when I'm not actually using it.
The text was updated successfully, but these errors were encountered: