Support rack 3
#1797
Comments
|
Just found out that Rainbows needs its Rack dependency to not be greater than 3.0 https://rubygems.org/gems/rainbows/versions/5.2.1 What should we do about it? |
|
Maybe Sinatra 3 can't support Rainbows? I haven't really looked at what kind of integration we have |
|
I'm thinking we probably won't get Rack 3 support until Sinatra 4. I wonder if Rainbows will get an update to support Rack 3 once it is released? |
Rack < 3.0 already has known vulnerabilities, I hope this can be expedited. |
|
Feel free to do the work if you want it :) |
|
For reference, the vulnerability referenced above was mentioned in #1770 |
|
Pardon me please but this post is a summary of the current status. The gem for sinatra itself has a dependency on rack The mention from DannyBen is a change being worked on in a fork to replace the rack dependency in sinatra to a dependency on rack-contrib which has a rack dependency So the latest sinatra version still required rack less than |
|
Here are builds showing what tests fails with Rack 3: https://github.com/dentarg/sinatra/actions/runs/3771127371 |
|
Re: rainbows, when Rack 3 is used, bundler will try to install https://rubygems.org/gems/rainbows/versions/0.94.0 as that is the latest version didn't specify the Rack < 3 requirement. Can't see any activity at https://yhbt.net/rainbows-public/ indicating a release with Rack 3 support. |
I don't think it will get support for Rack 3 soon. Having a look at the last announcement the author doesn't recommend it for new projects And I'm not sure if it used much by the community. Here you have rubygems stats for downloads of the main servers, for what is worth:
|
|
Rainbows seems pretty abandoned. It should not be the reason that delays progress. |
|
It is not. It is a question of who wants to give away their time for free. |
No support for Rack 3 (that is "stable" Rack now) sinatra#1797
|
👍 to dropping support of Rainbows if that is blocking us from adopting Rack 3, maybe we can split it out into a separate gem or something for people who really need it |
|
Not sure if this is the right place to add some extra or if it's better to cut a new issue for this (happy to do so if more appropriate). I have a repo that's getting a dependabot PR (joshka/xkcd-with-alt-text#16) that bumps rackup from 1.0.0 to 2.1.0 and rack from 2 to 3. Because sinatra doesn't support rack 3, the PR downgrades sinatra to 1.0 (which has |
|
It's too late for that, we can't change requirements for older releases |
|
Just like to point out that rack-session-2.0.0 now requires |
|
Yes, rack-session was created for Rack 3. :) Same with rackup gem. The 1.x versions of those gems can be used with Rack 2 (they do nothing then). |
|
Any news on this? We really would prefer to keep rack-protection in our project but this is what keeps us on rack 2.2.x (funnily an upgrade is possible downgrading rack-protection to 3.0.6, but I guess that's rather a fluke than a real working version?) |
|
No news but I've been meaning to finish up this for a while now... but you know, there's always something wanting attention :-) I want to run it my apps before releasing it to decrease the chance I've missed something here. Have you tried it in your app @bvogel? |
Yeah, exactly. There hasn't been any rack-protection release tested with Rack 3, so I wouldn't go that route. |
Oh, I thought I was in the PR when I wrote the above. If you haven't seen it @bvogel, it is at #1857. Any testing is appreciated. |
|
For the record, I just tested this I'll see if I have other sinatra app that I could try this on. Edit: I just upgraded another small app and it's also working fine ✅ Edit 2: And finally yet another small app which is also working fine ✅ That's it for me I don't have any other Sinatra apps 😅 |
|
@dentarg thanks for the pointer, I will run a limited test next week (I can't use this in production as it's a commercial application and disruptions would be dangerous) |
|
@bvogel Yeah, well, I get that, but then you should be super eager to review and test this? There's no guarantee that releases of Sinatra are bug free and free of disruptions 😅 |
|
Thanks for your effort resolving this @dentarg! I just want to add to the discussion here and add another point why not supporting Rack 3 is problematic. Resque (https://github.com/resque/resque) uses Sinatra for its web UI. This means it's impossible to upgrade rails applications that use Resque to use rack 3, since Sinatra is a dependency through Resque and it doesn't support Rack 3. |
|
Well, it's not lack of reasons that are our problem... :-) |
|
I get that. I was hoping this could prompt more people to test out the Rack 3 branch. Only one of the applications I work with uses Sinatra, and that's through Resque in its web UI, so I can't help much with testing myself. FWIW I'm going to test with that app, but I don't expect any problems since it's a relatively small surface area. Is merging this in master but holding off on making a new release with the changes a viable option here? |
Not yet, merging to main will mark the end for Sinatra 3.x (at least I'm not interested in maintaining multiple branches). I just created #1962 with things that should be released for 3.x. |
|
I can confirm that our app (350 classes, 16k LOC) will work with this PR. I would just confirm that two suggested changes (marked with 👍) should be incorporated. We would in any case wait for an official release to start using this upgrade. |
Close #1797 This work was sponsored by 84codes (https://84.codes/). Co-authored-by: Samuel Williams <samuel.williams@oriontransfer.co.nz> Co-authored-by: Eloy Pérez <ej.perezgomez@gmail.com>
See https://github.com/rack/rack/blob/main/CHANGELOG.md
Example test run with rack main branch: https://github.com/sinatra/sinatra/runs/7418697522
The text was updated successfully, but these errors were encountered: