Skip to content

Upgrade Faraday for CVE#76

Merged
bogdanadrianmarc merged 13 commits into
mainfrom
issue/75-dependencies-upgrade
Jul 10, 2026
Merged

Upgrade Faraday for CVE#76
bogdanadrianmarc merged 13 commits into
mainfrom
issue/75-dependencies-upgrade

Conversation

@bogdanadrianmarc

@bogdanadrianmarc bogdanadrianmarc commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

This PR addresses issue #75 by upgrading Faraday to resolve https://github.com/epimorphics/sapi-client-ruby/security/dependabot/15, as well as the other dependencies. I've also moved all development dependencies from the gemspec file into the Gemfile and removed version constraints where possible

@bogdanadrianmarc bogdanadrianmarc self-assigned this Jul 8, 2026
@bogdanadrianmarc
bogdanadrianmarc removed the request for review from joescottdave July 8, 2026 15:49
Comment thread sapi-client-ruby.gemspec Outdated
@tomguilbert

Copy link
Copy Markdown

Does this in some way address #74 now?

@ajtucker

ajtucker commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Does this in some way address #74 now?

Yes, well spotted. We should be able to write up some process or good practice for updating Gems too.

@joescottdave joescottdave left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Questions about some of the places we're specifying 3.3 - I think it makes sense as the baseline for the required version, and we're testing it in the matrix, but elsewhere probably makes sense to be using the latest version (that we support)

Comment thread .github/workflows/lint-app.yml Outdated
uses: ruby/setup-ruby@v1
with:
ruby-version: 2.7
ruby-version: 3.3

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can this be 3.4 now? I think things have moved on from when the tickets were written

Comment thread .rubocop.yml Outdated
@@ -1,5 +1,5 @@
AllCops:
TargetRubyVersion: 2.7
TargetRubyVersion: 3.3

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should maybe be 3.4 also ?

Comment thread .ruby-version Outdated
@@ -1 +1 @@
2.7.8
3.3.11 No newline at end of file

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

3.4 ?

@ajtucker

Copy link
Copy Markdown
Contributor

Questions about some of the places we're specifying 3.3 - I think it makes sense as the baseline for the required version, and we're testing it in the matrix, but elsewhere probably makes sense to be using the latest version (that we support)

Good question. We want to explicitly support the currently in-support versions of Ruby, so the 3.3, 3.4 and 4.0 series as of writing. For Gems that are used by other apps, it makes sense to be compatible with these versions and test that the Gems work across the versions.

For linting/Rubocop, I guess these will pick up newer constraints and issues with newer Rubies if we bump the target version and there shouldn't be any harm in that, as long as they are backward compatible with the minimal version we specify?

We could, for instance, put the linting/Rubocop checks in the same matrix loop as the tests. That might highlight whether things are backward compatible.

The supported version range is specified in the gemspec and I don't think the .ruby-version is necessary, but it would be good to have a single place to specify the "target" Ruby version for linting/Rubocop and I think the setup-ruby task should default to .ruby-version, so there's a case for making .ruby-version the target version.

…default Ruby in the GH runner.

Move Rubucop to matrix so it'll run using the latest in 3.3 and 3.4 series Rubies.

@joescottdave joescottdave left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good from my perspective

@ajtucker ajtucker left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Before we merge, I need to check the Rubocop linting...

…te the test runs.

Remove targetRubyVersion from Rubocop config as it will conservatively use the minimal version from the gemspec.
Avoid re-running Rubocop for anything other than the minimal Ruby version in the matrix.

@ajtucker ajtucker left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't quite pin it down, but https://docs.rubocop.org/rubocop/latest/configuration.html#setting-the-target-ruby-version has mention that we need to set the RuboCop target to the minimal/oldest version of Ruby that we want to support in order that we don't fall foul of e.g. newer recommended syntax that isn't support in older versions.

@ajtucker ajtucker linked an issue Jul 10, 2026 that may be closed by this pull request
@bogdanadrianmarc
bogdanadrianmarc merged commit 9537467 into main Jul 10, 2026
2 checks passed
@bogdanadrianmarc
bogdanadrianmarc deleted the issue/75-dependencies-upgrade branch July 10, 2026 15:25
@ajtucker ajtucker mentioned this pull request Jul 10, 2026
7 tasks
@ajtucker ajtucker changed the title Issue/75 dependencies upgrade Upgrade Faraday for CVE Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Upgrade Faraday to mitigate vulnerabilities

4 participants