Feature #19776: Warn bundled gems when it called from `require`

Added by hsbt (Hiroshi SHIBATA) over 2 years ago. Updated about 2 years ago.

Status: Closed
Target version: -
[ruby-core:114241]

Description

We should warn when users try to load default gems that will be promoted to bundled gems in the next version. We will warn them only under the bundler environment without Gemfile.

  • Ruby 3.3:
    • Warn to add bundled gems to be addressed in Ruby 3.4 to the Gemfile when a user loads such a gem without `gem 'foo'` in their Gemfile.
      • Target libraries are TBD
    • Also warn when existing bundled gems are loaded without `gem 'foo'` in the Gemfile, e.g. net-smtp, rexml, etc.
  • Ruby 3.4:
    • Promote bundled gems.
      • Raise LoadError, same as the current behavior, with the warnings of Ruby 3.3.
    • Warn the same as in Ruby 3.3.

I implemented a PoC for this: https://github.com/ruby/ruby/pull/8096


Related issues: 3 (0 open, 3 closed)

  • Related to Ruby - Feature #19351: Promote bundled gems at Ruby 3.3 (Closed, hsbt (Hiroshi SHIBATA))
  • Related to Ruby - Feature #19843: Promote bigdecimal as bundled gems at Ruby 3.4 (Closed)
  • Related to Ruby - Bug #19885: Invalid Warning for Default Gems That Will Move to Bundled Gems (Closed, hsbt (Hiroshi SHIBATA))

Updated by hsbt (Hiroshi SHIBATA) over 2 years ago #1

Updated by vo.x (Vit Ondruch) about 2 years ago #2 [ruby-core:114243]

Isn't it time that upstream should start to encourage that every part of the StdLib should be listed in the Gemfile? How long has it been since the URI gem fixing a MEDIUM rated CVE was released, and who uses it? Who added it into their Gemfile? Who even noticed that there is some vulnerability to fix?

Really, the current practice "it is part of StdLib, therefore I don't list it anywhere among dependencies" should be discouraged. The PR should actually be updated to warn when any part of StdLib is loaded without being listed as a dependency either in the Gemfile or transitively via a different gem.
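
A static version of the check proposed in the description, which also bears on the dependency-listing concern in comment #2, as an added example that is not part of this thread or of Ruby's or Bundler's implementation: it reports bundled gems that a source file requires but that have no entry in Gemfile.lock. The gem list (names taken from this page), the sample source, the sample lockfile and all function names are constructed for illustration.

```ruby
# Added example, not Ruby's or Bundler's own code.
# Constructed list: only gem names mentioned on this page.
BUNDLED = %w[net-smtp rexml bigdecimal].freeze

# Map a require path to a gem name: "net/smtp" -> "net-smtp",
# "rexml/document" -> "rexml". The longest dashed prefix wins.
def gem_for_feature(feature, gems = BUNDLED)
  parts = feature.sub(/\.rb\z/, "").split("/")
  parts.length.downto(1) do |n|
    name = parts.first(n).join("-")
    return name if gems.include?(name)
  end
  nil
end

# Gem names resolved in Gemfile.lock (direct and transitive). Resolved specs
# sit at four spaces of indent; their own dependencies sit at six.
def locked_gems(lock_text)
  lock_text.scan(/^ {4}([A-Za-z0-9_.-]+) \(/).flatten.uniq
end

# Literal require calls only; dynamic requires are not detected.
def required_features(source)
  source.scan(/^\s*require\s*\(?\s*["']([^"']+)["']/).flatten
end

# Bundled gems the source loads that the lockfile does not pin.
def undeclared_bundled_gems(source, lock_text)
  wanted = required_features(source).map { |f| gem_for_feature(f) }
  wanted.compact.uniq - locked_gems(lock_text)
end

# Constructed sample inputs.
SAMPLE_SOURCE = <<~SRC
  require "net/smtp"
  require 'rexml/document'
  require "bigdecimal/util"
  require "json"
SRC
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rexml (3.2.6)

  DEPENDENCIES
    rexml
LOCK
puts undeclared_bundled_gems(SAMPLE_SOURCE, SAMPLE_LOCK) if __FILE__ == $0
```

A gem reported here is one whose version is fixed by the Ruby installation rather than by the lockfile, so a security release of that gem is not picked up by `bundle update`.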

Updated by jeremyevans0 (Jeremy Evans) about 2 years ago #4

  • Status changed from Assigned to Closed

Updated by hsbt (Hiroshi SHIBATA) about 2 years ago #5

  • Related to Feature #19843: Promote bigdecimal as bundled gems at Ruby 3.4 added

Updated by hsbt (Hiroshi SHIBATA) about 2 years ago #6

  • Tracker changed from Bug to Feature
  • Backport deleted (3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN)

Updated by Eregon (Benoit Daloze) about 2 years ago #7

  • Related to Bug #19885: Invalid Warning for Default Gems That Will Move to Bundled Gems added