upgrade puma 6.0 #23295
upgrade puma 6.0 #23295
Conversation
- CVE-2024-45614 (6.4.3 ManageIQ#22672
Looks like python slithered into your mind... 🐍 |
| @@ -916,7 +916,7 @@ GEM | |||
| faraday (>= 0.9, < 2.0.0) | |||
| psych (3.3.2) | |||
| public_suffix (4.0.6) | |||
| puma (4.3.10) | |||
There was a problem hiding this comment.
My only question is can you revisit the config/puma.rb and see if there were any changes in threads that might affect our current value and if there are any other settings added/changed that we might want to look at. Note, the comment there is from 3.0.0 puma.
It's fine if it's a followup PR but it's worth revisiting those when we upgrade to see if anything needs to change. For example, if the default is the same as our setting, we can probably drop threads(5, 5) from our configuration.
There was a problem hiding this comment.
@jrafanie config/puma.rb on morphy is the same as on master.
I did not find any changes that we would need.
There was a problem hiding this comment.
does this affect us setting min and max thread from configuration file?
We've removed the following public methods on Puma::Server: Puma::Server#min_threads, Puma::Server#max_threads. Instead, you can pass in configuration as an option to Puma::Server#new. This might make certain gems break (capybara for example).
| @@ -916,7 +916,7 @@ GEM | |||
| faraday (>= 0.9, < 2.0.0) | |||
| psych (3.3.2) | |||
| public_suffix (4.0.6) | |||
| puma (4.3.10) | |||
| puma (6.5.0) | |||
There was a problem hiding this comment.
If 6.5 is out anyway, should we just change the Gemfile to ~> 6.5 ?
|
I didn't realize this is for morphy... should we consider 5.6.9 as that's also patched there. I'm fine with latest on master but morphy is so old. I don't know. |
CVE-2024-45614 (required version: 6.4.3, destination version: 5.0)
Upgrade puma to 6.x #22672
For reference, here is the PR we used to upgrade to
pythonpuma 6.3: #22672