From 9ed3bcb3e024735bb2dacd24c15012bb636c8dfc Mon Sep 17 00:00:00 2001
From: Eric Proulx
Date: Mon, 1 Jun 2026 17:06:42 +0200
Subject: [PATCH] Tighten dependency lower bounds to their compatibility floors

Grape's dependency floors were loose (zeitwerk and dry-configurable were unpinned, rack was >= 2). Raise them to the lowest versions Grape is actually compatible with on its Ruby 3.3 / Rails 7.2 baseline -- not the latest:

- rack: >= 2 -> >= 2.2.4 (Rails 7.2's floor; avoids rack CVEs < 2.2.4)
- zeitwerk: unpinned -> >= 2.6 (mirrors Rails 7.2's `zeitwerk ~> 2.6`)
- dry-configurable: unpinned -> >= 1.0 (the `setting ..., default:` keyword API)

dry-types stays at >= 1.1. Floors only, no upper bounds; resolved versions are unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 CHANGELOG.md  | 1 +
 grape.gemspec | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6a93d89c0..5f5cba8e3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -59,6 +59,7 @@ * [#2754](https://github.com/ruby-grape/grape/pull/2754): Merge routing args in place in `Router#process_route` instead of allocating a new Hash via `merge` - [@ericproulx](https://github.com/ericproulx). * [#2753](https://github.com/ruby-grape/grape/pull/2753): Lazy-allocate `Grape::Validations::ParamScopeTracker`'s identity-keyed hashes so validating requests that never use the index / qualifying-params trackers allocate no hash - [@ericproulx](https://github.com/ericproulx). * [#2752](https://github.com/ruby-grape/grape/pull/2752): Skip per-request `ActiveSupport::Notifications` payload and dispatch when no subscriber is listening, via private `instrument_` guards on `Endpoint`/`Middleware::Formatter` - [@ericproulx](https://github.com/ericproulx). +* [#2756](https://github.com/ruby-grape/grape/pull/2756): Tighten dependency lower bounds to their compatibility floors (`rack >= 2.2.4`, `zeitwerk >= 2.6`, `dry-configurable >= 1.0`) - [@ericproulx](https://github.com/ericproulx). * Your contribution here. #### Fixes diff --git a/grape.gemspec b/grape.gemspec index ac917449a..dbfc51705 100644 --- a/grape.gemspec +++ b/grape.gemspec @@ -21,11 +21,11 @@ Gem::Specification.new do |s| } s.add_dependency 'activesupport', '>= 7.2' - s.add_dependency 'dry-configurable' + s.add_dependency 'dry-configurable', '>= 1.0' s.add_dependency 'dry-types', '>= 1.1' s.add_dependency 'mustermann-grape', '~> 1.1.0' - s.add_dependency 'rack', '>= 2' - s.add_dependency 'zeitwerk' + s.add_dependency 'rack', '>= 2.2.4' + s.add_dependency 'zeitwerk', '>= 2.6' s.files = Dir['lib/**/*', 'CHANGELOG.md', 'CONTRIBUTING.md', 'README.md', 'grape.png', 'UPGRADING.md', 'LICENSE', 'grape.gemspec'] s.require_paths = ['lib']
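Review bot: In the CHANGELOG.md hunk, the new #2756 entry lists the three floors but drops the one reason users would act on, the security motivation the commit message gives for rack ("avoids rack CVEs < 2.2.4"). Suggest saying in the entry that `rack >= 2.2.4` is security-motivated and naming the advisories meant, both here and in the commit message, so the claim can be checked against an advisory database rather than taken on trust.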
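Review bot: In the grape.gemspec hunk, the new floors (`dry-configurable >= 1.0`, `rack >= 2.2.4`, `zeitwerk >= 2.6`) are described as the lowest compatible versions, but the diffstat shows only CHANGELOG.md and grape.gemspec changed, so nothing in this patch resolves and runs the suite against exactly those minimums. Suggest adding a CI gemfile pinned to the floor versions so each floor is verified and stays verified. Two smaller points: UPGRADING.md, which `s.files` ships, is not touched, although applications locked below any of these floors will stop resolving and deserve an upgrade note; and since these are lower bounds only, the rack floor excludes versions below 2.2.4 but the consumer's lockfile still decides which rack is installed, which is worth stating next to the CVE rationale.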