Support rack 3

[dentarg]

See https://github.com/rack/rack/blob/main/CHANGELOG.md

Example test run with rack main branch: https://github.com/sinatra/sinatra/runs/7418697522

[epergo]

Just found out that Rainbows needs its Rack dependency to not be greater than 3.0 https://rubygems.org/gems/rainbows/versions/5.2.1 What should we do about it?

[dentarg]

Maybe Sinatra 3 can't support Rainbows? I haven't really looked at what kind of integration we have

[jkowens]

I'm thinking we probably won't get Rack 3 support until Sinatra 4. I wonder if Rainbows will get an update to support Rack 3 once it is released?

[DannyBen]

I'm thinking we probably won't get Rack 3 support until Sinatra 4. I wonder if Rainbows will get an update to support Rack 3 once it is released?

Rack < 3.0 already has known vulnerabilities, I hope this can be expedited.

[dentarg]

Feel free to do the work if you want it :)

[dentarg]

For reference, the vulnerability referenced above was mentioned in #1770

[marlinpierce]

Pardon me please but this post is a summary of the current status.

The gem for sinatra itself has a dependency on rack ~> 2.2, even as late as the sinatra 3.0.4 version. The rainbows rack web server has a rack dependency < 3.0, and also a dependency on unicorn which has a dependency on the raindrops gem which has a rack dependency < 3.0. Looking at several rack web servers the only other problem I found was thin which has a rack dependency < 3.0.

The mention from DannyBen is a change being worked on in a fork to replace the rack dependency in sinatra to a dependency on rack-contrib which has a rack dependency ~> 2.0.

So the latest sinatra version still required rack less than 3.x, the work being done would need rack-contrib to be updated, and that work is on a fork not merged into the sinatra repo.

[dentarg]

Here are builds showing what tests fails with Rack 3: https://github.com/dentarg/sinatra/actions/runs/3771127371

• sinatra: https://github.com/dentarg/sinatra/actions/runs/3771127371/jobs/6411355622#step:5:1
• sinatra-contrib: https://github.com/dentarg/sinatra/actions/runs/3771127371/jobs/6411355622#step:6:1
• rack-protection: https://github.com/dentarg/sinatra/actions/runs/3771127371/jobs/6411355622#step:7:1

[dentarg]

Re: rainbows, when Rack 3 is used, bundler will try to install https://rubygems.org/gems/rainbows/versions/0.94.0 as that is the latest version didn't specify the Rack < 3 requirement. Can't see any activity at https://yhbt.net/rainbows-public/ indicating a release with Rack 3 support.

[epergo]

Can't see any activity at https://yhbt.net/rainbows-public/ indicating a release with Rack 3 support.

I don't think it will get support for Rack 3 soon. Having a look at the last announcement the author doesn't recommend it for new projects

And I'm not sure if it used much by the community. Here you have rubygems stats for downloads of the main servers, for what is worth:

• puma: 252,472,210
• thin: 110,548,405
• unicorn: 87,643,880
• rainbows: 599,550
• falcon: 387,851

[DannyBen]

Rainbows seems pretty abandoned. It should not be the reason that delays progress.

[dentarg]

It is not. It is a question of who wants to give away their time for free.

[zzak]

👍 to dropping support of Rainbows if that is blocking us from adopting Rack 3, maybe we can split it out into a separate gem or something for people who really need it

[joshka]

Not sure if this is the right place to add some extra or if it's better to cut a new issue for this (happy to do so if more appropriate).

I have a repo that's getting a dependabot PR (joshka/xkcd-with-alt-text#16) that bumps rackup from 1.0.0 to 2.1.0 and rack from 2 to 3. Because sinatra doesn't support rack 3, the PR downgrades sinatra to 1.0 (which has rack (>= 1.0) as its dependency). This seems a little odd to me. Would it be a good idea to ensure that sinatra 1.0 doesn't support rack >2 ?

[dentarg]

It's too late for that, we can't change requirements for older releases