sinatra/sinatra

Support `rack` 3

dentarg opened this issue · 29 comments

Just found out that Rainbows needs its Rack dependency to not be greater than 3.0: https://rubygems.org/gems/rainbows/versions/5.2.1. What should we do about it?

Maybe Sinatra 3 can't support Rainbows? I haven't really looked at what kind of integration we have

I'm thinking we probably won't get Rack 3 support until Sinatra 4. I wonder if Rainbows will get an update to support Rack 3 once it is released?

Rack < 3.0 already has known vulnerabilities, I hope this can be expedited.

Feel free to do the work if you want it :)

For reference, the vulnerability referenced above was mentioned in #1770

Pardon me please but this post is a summary of the current status.

The gem for sinatra itself has a dependency on rack ~> 2.2, even as late as the sinatra 3.0.4 version. The rainbows rack web server has a rack dependency < 3.0, and also a dependency on unicorn, which depends on the raindrops gem, which in turn has a rack dependency < 3.0. Looking at several rack web servers, the only other problem I found was thin, which has a rack dependency < 3.0.

The mention from DannyBen is a change being worked on in a fork to replace the rack dependency in sinatra to a dependency on rack-contrib which has a rack dependency ~> 2.0.

So the latest sinatra version still requires rack less than 3.x, the work being done would need rack-contrib to be updated, and that work is on a fork not merged into the sinatra repo.

Re: rainbows, when Rack 3 is used, bundler will try to install https://rubygems.org/gems/rainbows/versions/0.94.0 as that is the latest version that didn't specify the Rack < 3 requirement. Can't see any activity at https://yhbt.net/rainbows-public/ indicating a release with Rack 3 support.

epergo commented

I don't think it will get support for Rack 3 soon. Having a look at the last announcement, the author doesn't recommend it for new projects.

And I'm not sure if it is used much by the community. Here you have rubygems stats for downloads of the main servers, for what it's worth:

  • puma: 252,472,210
  • thin: 110,548,405
  • unicorn: 87,643,880
  • rainbows: 599,550
  • falcon: 387,851

Rainbows seems pretty abandoned. It should not be the reason that delays progress.

It is not. It is a question of who wants to give away their time for free.

zzak commented

๐Ÿ‘ to dropping support of Rainbows if that is blocking us from adopting Rack 3, maybe we can split it out into a separate gem or something for people who really need it

joshka commented

Not sure if this is the right place to add some extra or if it's better to cut a new issue for this (happy to do so if more appropriate).

I have a repo that's getting a dependabot PR (joshka/xkcd-with-alt-text#16) that bumps rackup from 1.0.0 to 2.1.0 and rack from 2 to 3. Because sinatra doesn't support rack 3, the PR downgrades sinatra to 1.0 (which has rack (>= 1.0) as its dependency). This seems a little odd to me. Would it be a good idea to ensure that sinatra 1.0 doesn't support rack > 2?

It's too late for that, we can't change requirements for older releases

Just like to point out that rack-session-2.0.0 now requires rack >= 3.0.0, however sinatra-3.0.5 still requires rack ~> 2.2, which makes the rack-session-2.0.0 gem incompatible with sinatra <= 3.0.5. This will probably start biting developers.

Yes, rack-session was created for Rack 3. :) Same with rackup gem. The 1.x versions of those gems can be used with Rack 2 (they do nothing then).
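The resolver behaviour described in the status summary above (sinatra ~> 2.2, rainbows < 3.0 falling back to 0.94.0) and in the last two comments (sinatra downgraded to 1.0, rack-session 2.0.0 requiring rack >= 3.0.0) can be replayed with RubyGems' own `Gem::Requirement` parser. The following is an added example, not code from the Sinatra project or from anyone in this thread. The release table is constructed from the versions and constraints the thread names; the thin version, the rack constraint on rackup 2.1.0, and the "no rack constraint" on rainbows 0.94.0 are assumptions for illustration, not checked against rubygems.org.

```ruby
require "rubygems"

# Constructed release table for this example (not a live rubygems.org query).
# Each row: gem, release version, that release's requirement on rack.
# nil means the release places no constraint on rack at all.
# Assumed (not stated in the thread): the thin version, rackup 2.1.0's
# constraint, and rainbows 0.94.0 having no rack constraint.
RELEASES = [
  ["sinatra",      "3.0.5",  "~> 2.2"],
  ["sinatra",      "1.0",    ">= 1.0"],
  ["rainbows",     "5.2.1",  "< 3.0"],
  ["rainbows",     "0.94.0", nil],        # assumed: no rack constraint
  ["thin",         "1.8.0",  "< 3.0"],    # version assumed
  ["rack-session", "2.0.0",  ">= 3.0.0"],
  ["rack-session", "1.0.0",  nil],
  ["rackup",       "2.1.0",  ">= 3.0"],   # constraint assumed
  ["rackup",       "1.0.0",  nil],
].freeze

# Does one dependency constraint admit the given rack version?
# "~> 2.2" is the pessimistic operator: >= 2.2 and < 3.0, so it admits
# every 2.x patch release but rejects 3.0.0.
def allows_rack?(constraint, rack_version)
  req = constraint ? Gem::Requirement.new(constraint) : Gem::Requirement.default
  req.satisfied_by?(Gem::Version.new(rack_version))
end

# For each gem, the newest release whose rack constraint admits rack_version.
# This is the release a resolver silently falls back to when the current
# release forbids the rack you asked for (sinatra 1.0, rainbows 0.94.0).
# Gems with no compatible release at all map to nil (thin).
def newest_compatible(rack_version, releases = RELEASES)
  releases.group_by(&:first).to_h do |name, rows|
    ok = rows.select { |_, _, c| allows_rack?(c, rack_version) }
    [name, ok.map { |_, v, _| v }.max_by { |v| Gem::Version.new(v) }]
  end
end

# Gems whose newest release forbids rack_version: the "who is holding us
# back" list. Returns rows of [name, newest_version, constraint].
def blockers(rack_version, releases = RELEASES)
  releases.group_by(&:first).filter_map do |_name, rows|
    newest = rows.max_by { |_, v, _| Gem::Version.new(v) }
    newest unless allows_rack?(newest[2], rack_version)
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[2.2.8 3.0.0].each do |rack|
    puts "rack #{rack}"
    puts "  blocked by: #{blockers(rack).map { |n, v, c| "#{n} #{v} (rack #{c})" }.join(', ')}"
    newest_compatible(rack).each do |name, version|
      puts "  #{name}: #{version || 'no compatible release'}"
    end
  end
end
```

The point worth checking in a real `Gemfile.lock` is the `newest_compatible` column: a resolver that "succeeds" by dropping sinatra from 3.0.5 to 1.0 has not fixed the Rack < 3 exposure, it has replaced it with an unmaintained framework release, so a successful bundle is not evidence that the upgrade is safe.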

Any news on this? We really would prefer to keep rack-protection in our project but this is what keeps us on rack 2.2.x (funnily, an upgrade is possible by downgrading rack-protection to 3.0.6, but I guess that's rather a fluke than a real working version?)

No news but I've been meaning to finish up this for a while now... but you know, there's always something wanting attention :-) I want to run it in my apps before releasing it to decrease the chance I've missed something here.

Have you tried it in your app @bvogel?

funnily, an upgrade is possible by downgrading rack-protection to 3.0.6, but I guess that's rather a fluke than a real working version?

Yeah, exactly. There hasn't been any rack-protection release tested with Rack 3, so I wouldn't go that route.

Oh, I thought I was in the PR when I wrote the above. If you haven't seen it @bvogel, it is at #1857. Any testing is appreciated.

For the record, I just tested this rack-3 branch (#1859) on a small website of mine, it's currently in production and working fine. It's not the type of app which will uncover sneaky bugs though (too small), but at least it's one more validation ✅

I'll see if I have other sinatra app that I could try this on.


Edit: I just upgraded another small app and it's also working fine ✅

Edit 2: And finally yet another small app which is also working fine ✅

That's it for me, I don't have any other Sinatra apps 😅

@dentarg thanks for the pointer, I will run a limited test next week (I can't use this in production as it's a commercial application and disruptions would be dangerous)

@bvogel Yeah, well, I get that, but then you should be super eager to review and test this? There's no guarantee that releases of Sinatra are bug free and free of disruptions 😅

Thanks for your effort resolving this @dentarg!

I just want to add to the discussion here and add another point why not supporting Rack 3 is problematic. Resque (https://github.com/resque/resque) uses Sinatra for its web UI. This means it's impossible to upgrade rails applications that use Resque to use rack 3, since Sinatra is a dependency through Resque and it doesn't support Rack 3.

Well, it's not lack of reasons that are our problem... :-)

I get that. I was hoping this could prompt more people to test out the Rack 3 branch.

Only one of the applications I work with uses Sinatra, and that's through Resque in its web UI, so I can't help much with testing myself. FWIW I'm going to test with that app, but I don't expect any problems since it's a relatively small surface area.

Is merging this in master but holding off on making a new release with the changes a viable option here?

Not yet, merging to main will mark the end for Sinatra 3.x (at least I'm not interested in maintaining multiple branches). I just created #1962 with things that should be released for 3.x.

I can confirm that our app (350 classes, 16k LOC) will work with this PR. I would just confirm that two suggested changes (marked with 👍) should be incorporated. We would in any case wait for an official release to start using this upgrade.