Tighten dependency lower bounds to their compatibility floors #2756

Merged
dblock merged 1 commit into master from chore/raise-dependency-lower-bounds on Jun 2, 2026

Conversation

Contributor

@ericproulx ericproulx commented Jun 1, 2026

What

Tighten Grape's loose dependency floors to the lowest versions Grape is actually compatible with — not the latest. Grape is a library (a dependency in other apps' bundles), so a floor should be the minimum compatible version; pinning higher just causes downstream resolution conflicts for no benefit.

| dep | before | after | why |
|---|---|---|---|
| rack | `>= 2` | `>= 2.2.4` | Rails 7.2's own floor; avoids the rack CVEs fixed in 2.2.4 |
| zeitwerk | (unpinned) | `>= 2.6` | mirrors Rails 7.2's `zeitwerk ~> 2.6`; Grape uses only long-stable zeitwerk API |
| dry-configurable | (unpinned) | `>= 1.0` | the release that introduced the `setting …, default:` keyword API Grape relies on (0.x differs) |

dry-types is left at >= 1.1 (unchanged), and mustermann is handled separately in #2755.

Notes

  • Floors only, no upper bounds, and resolved versions are unchanged (rack 3.2.6, zeitwerk 2.8.2, dry-configurable 1.4.0 all already satisfy these) — they're lower bounds, not pins.
  • These are deliberately set to compatibility minimums rather than each dependency's own Ruby-3.3-aligned release: those newer releases aren't required (the older ones install and run fine on Ruby 3.3), and requiring them would needlessly constrain downstream bundles. Notably zeitwerk >= 2.6 matches what Rails 7.2/8.0 themselves allow rather than being stricter.
  • Full suite 2,320 examples, 0 failures.

🤖 Generated with Claude Code


github-actions Bot commented Jun 1, 2026

Danger Report

No issues found.


ericproulx force-pushed the chore/raise-dependency-lower-bounds branch from cee8cbb to 889d7ec on June 1, 2026 15:08
Grape's dependency floors were loose (zeitwerk and dry-configurable were
unpinned, rack was >= 2). Raise them to the lowest versions Grape is actually
compatible with on its Ruby 3.3 / Rails 7.2 baseline -- not the latest:

- rack:             >= 2 -> >= 2.2.4  (Rails 7.2's floor; avoids rack CVEs < 2.2.4)
- zeitwerk:         unpinned -> >= 2.6  (mirrors Rails 7.2's `zeitwerk ~> 2.6`)
- dry-configurable: unpinned -> >= 1.0  (the `setting ..., default:` keyword API)

dry-types stays at >= 1.1. Floors only, no upper bounds; resolved versions
are unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ericproulx force-pushed the chore/raise-dependency-lower-bounds branch from 889d7ec to 9ed3bcb on June 1, 2026 15:18
ericproulx changed the title from "Raise dependency lower bounds for the Ruby 3.3 / Rails 7.2 baseline" to "Tighten dependency lower bounds to their compatibility floors" on Jun 1, 2026
dblock merged commit df9338f into master on Jun 2, 2026
66 checks passed