Flood of invalid (?) deprecation warnings upon upgrade to 2.5.0 #203

Closed
mattbrictson opened this issue Jan 7, 2016 · 3 comments

@mattbrictson
Contributor

Upon upgrading to secure_headers 2.5.0, I get a flood of these deprecations when running my tests:

[DEPRECATION] secure_header_options_for will not be supported in secure_headers

I've looked at the secure_headers source code, and it appears that secure_header_options_for is used internally by the library whenever ensure_security_headers is called. The call path is:

ensure_security_headers → set_csp_header → secure_header_options_for

Code: https://github.com/twitter/secureheaders/blob/2.5.0/lib/secure_headers.rb#L104

That means there is nothing I can do to "fix" this warning, as far as I can tell. Is this warning being printed by mistake?

@oreoshake
Contributor

Hmm well ensure_security_headers and secure_header_options_for are gone in 3.x. Without an alternative, I suppose the deprecation warning isn't really useful or valid.

What's the right semver thing to do in this case?

@mattbrictson
Contributor Author

Hmm. OK, now having read the 3.0 upgrade doc, I see the problem. The before filters are going away, and a middleware will be used instead. Hence, ensure_security_headers is being removed with no replacement.

Off the top of my head, it seems that there is no graceful way for the 2.x API to work on the 3.x codebase, due to the magnitude of the change. Therefore I don't think this particular deprecation is helpful. The point of deprecations is to support two API versions at once, new and old, with the old one printing warnings. I don't see that as a possibility here.

I guess my approach would be to print a warning in a gem post-install message when 3.0 is released, like this:

secure_headers 3.0 has breaking changes.
If you are migrating from 2.x, you *must* make changes to your app.
Please read this document for upgrade instructions:
https://github.com/twitter/secureheaders/blob/master/upgrading-to-3-0.md

@oreoshake
Contributor

OK I've removed the deprecation warning in cfad0e5. There is already a post-install message present. I've pushed 2.5.1 with this change.

Thanks!
