Skip to content

Add explicit dependency to 'cgi' for ruby 4.0 support#560

Merged
vcsjones merged 6 commits intomainfrom
add-cgi-dependency
Dec 11, 2025
Merged

Add explicit dependency to 'cgi' for ruby 4.0 support#560
vcsjones merged 6 commits intomainfrom
add-cgi-dependency

Conversation

@vcsjones
Copy link
Member

@vcsjones vcsjones commented Dec 9, 2025

Ruby 4.0 (currently preview 2) has removed the default dependency on CGI:

CGI library is removed from the default gems. Now we only provide cgi/escape for the following methods:

We use CGI::Cookie

secure_headers/lib/secure_headers/headers/cookie.rb

Line 63 in 8b1029c

@parsed_cookie ||= CGI::Cookie.parse(raw_cookie)

So we should take an explicit dependency on the cgi gem.

Copilot AI review requested due to automatic review settings December 9, 2025 22:39
Copilot AI reviewed Dec 9, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds an explicit dependency on the cgi gem to ensure compatibility with Ruby 4.0, which has removed cgi from its default gems (except for cgi/escape). Since the codebase uses CGI::Cookie.parse (which is NOT part of cgi/escape) and CGI.unescape in lib/secure_headers/headers/cookie.rb, this dependency is necessary for the gem to function properly with Ruby 4.0.

Key Changes:

  • Added cgi gem as a runtime dependency with version constraint ~> 0.5.0

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@rei-moo rei-moo mentioned this pull request Dec 11, 2025
Merged
2 tasks
rei-moo added a commit that referenced this pull request Dec 11, 2025
@rei-moo
update rubocop configuration for CI (#561)
a11f8a4 
Updates our rubocop config to prevent lint errors from blocking CI.

Once #560 is unblocked we
can focus on Ruby 4.0 support and cleaning up the linting rules that
were disabled in this PR.


## All PRs:

* [x] Has tests
* [ ] Documentation updated
rei-moo
rei-moo reviewed Dec 11, 2025
View reviewed changes
Copy link
Contributor

@rei-moo rei-moo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shall we add Ruby 4.0 support to our CI matrix here as well?

We'll need to update setup-ruby to a version that supports 4.0

@vcsjones
Copy link
Member Author

vcsjones commented Dec 11, 2025

@rei-moo I added 4.0.0-preview2 as well as 3.4. We can bump it to 4.0.0 GA when its available.

@vcsjones
Copy link
Member Author

vcsjones commented Dec 11, 2025

@rei-moo Hm. Looks like the setup-ruby dropped ruby 2.6 support. That seems reasonable to me, but we will need to remove it from being a required check.

@rei-moo
Copy link
Contributor

rei-moo commented Dec 11, 2025

@vcsjones I believe you can already specify 4.0 directly in the workflow despite it not being GA.

Hm. Bummer about losing 2.6 support in setup-ruby. I'll look into trying to make sure that we still support older versions for as long as is reasonable. Dropping from CI makes sense for now. 👍

rei-moo
rei-moo approved these changes Dec 11, 2025
View reviewed changes
Copy link
Contributor

@rei-moo rei-moo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Thank you 👏

@vcsjones vcsjones merged commit b413bd7 into main Dec 11, 2025
15 checks passed
@vcsjones vcsjones deleted the add-cgi-dependency branch December 11, 2025 18:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@rei-moo rei-moo rei-moo approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vcsjones @rei-moo

Comments