Concerns about `yard-activesupport-concern`
Hello,
I noticed that this project recently introduced dependency on yard-activesupport-concern that has not been updated in over a decade and is still at version 0.0.1. Given that its functionality appears to be minimal, would it not make sense to integrate its features directly into this library?
Bundling this code could help reduce external dependencies, simplify maintenance, and improve long-term project stability. Is there a specific reason for having introduced this outdated gem?
Recent incidents, such as the widespread npm supply chain attack (where malicious packages were published and billions of weekly downloads were put at risk), have made me increasingly wary of relying on third-party dependencies. Even trusted sources can be compromised, and attacks like these are difficult to detect and mitigate.
Removing unnecessary dependencies helps reduce our attack surface and makes this project safer.
Thank you for considering this suggestion.
that has not been updated in over a decade and is still at version 0.0.1
If only all gems were so stable! ;)
functionality appears to be minimal
It absolutely is not minimal (in impact). Pulling this in unlocks a ton of gem info in the Rails ecosystem if nothing else.
Given that its functionality appears to be minimal, would it not make sense to integrate its features directly into this library
Very valid. Unless the original author is still watching GitHub, it's likely the next related improvement will either vendor this gem or move it to a fork under either my or @castwide's repo and with us in control of gem releases either way.
Glad to have your trust in distribution! @castwide can share his preference on how this gets pulled in - if in-repo vendoring is an option, your organization can probably go ahead and PR it in.
Thanks for considering this.
If only all gems were so stable! ;)
Yeah, that would be amazing! 😅
It absolutely is not minimal (in impact).
Sorry, I meant minimal in terms of implementation. From what I can see, it's just a few lines of code: https://github.com/digitalcuisine/yard-activesupport-concern/blob/master/lib/yard-activesupport-concern.rb
If the author of yard-activesupport-concern is still active on GitHub, I’d be happy to submit a PR there to opt in for MFA releases—even though, as demonstrated by the recent npm supply chain attack, MFA alone isn't a silver bullet and attackers have managed to bypass it :(