
Only load from `cgi` what is required for Ruby 3.5

Open Earlopain opened this issue 7 months ago • 3 comments

In Ruby 3.5 most of the cgi gem will be removed. Only the various escape/unescape methods will be retained by default.

But: cgi/escape only exists since Ruby 2.3. So I fall back to cgi/util on earlier versions.

https://bugs.ruby-lang.org/issues/21258

Earlopain avatar May 13 '25 09:05 Earlopain

The linked upstream issue is still open and they appear to still be discussing what to do with cgi. Testing under ruby-3.5.0-preview1, one can still require cgi, cgi/escape, and cgi/util, and call CGI.escapeHTML. This doesn't appear to be an issue, yet. Feel free to re-open when cgi is removed from stdlib.

postmodern avatar May 15 '25 16:05 postmodern

Hmm, it looks like hsbt's PR was merged into Ruby master, so cgi will be soft-removed in 3.5.0-preview2, with a placeholder cgi.rb file left behind recommending using cgi/escape instead. At that point I'll probably use this code from the PR instead:

      begin
        require 'cgi/escape'  # C extension; exists since Ruby 2.3 and is what Ruby 3.5 keeps
      rescue LoadError
        require 'cgi/util'    # pure-Ruby fallback for Rubies older than 2.3
      end

postmodern avatar May 15 '25 16:05 postmodern
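Added example (not bundler-audit's own code and not from the PR): the guarded require from the comment above, wrapped in a small loader that reports which library was loaded and checks that CGI.escapeHTML really exists before anything depends on it. The module and method names are assumptions for illustration.

```ruby
# Added example (not bundler-audit's code): load only the escape helpers from
# the cgi gem, fall back to cgi/util on Rubies older than 2.3 where cgi/escape
# does not exist, and verify the method we need is actually defined.
module CgiEscapeLoader
  # Returns the library name that was loaded so callers can see which
  # branch was taken on the running Ruby.
  def self.load!
    require 'cgi/escape'   # C extension; present since Ruby 2.3, kept in Ruby 3.5/4.0
    'cgi/escape'
  rescue LoadError
    require 'cgi/util'     # pure-Ruby fallback for Ruby < 2.3
    'cgi/util'
  end

  # Fail at load time rather than at first use if neither library provided
  # the method (e.g. a future Ruby where the placeholder cgi.rb defines nothing).
  def self.verify!
    load!
    unless defined?(CGI) && CGI.respond_to?(:escapeHTML)
      raise LoadError, 'CGI.escapeHTML is unavailable on this Ruby'
    end
    true
  end

  # HTML-escape an untrusted string (advisory titles, gem names) before it is
  # embedded in HTML output.
  def self.escape_html(untrusted)
    verify!
    CGI.escapeHTML(untrusted.to_s)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input, not a real advisory title.
  puts "loaded: #{CgiEscapeLoader.load!}"
  puts CgiEscapeLoader.escape_html(%q(<script>alert("x")</script> & 'quotes'))
end
```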

Sure, I changed it and left a comment about which Ruby version it applies to.

Earlopain avatar May 16 '25 10:05 Earlopain

Could you take a look at this pull request and consider merging it?

Ruby 3.5 is now planned to ship as Ruby 4.0, and Ruby 4.0.0-preview2 has already been released (see https://www.ruby-lang.org/en/news/2025/11/17/ruby-4-0-0-preview2-released/).

With the full Ruby 4.0 release scheduled for December 25, I’d like to ensure bundler-audit works reliably with Ruby 4.0 and Rails 8.1. Merging this PR will help us test that everything runs smoothly ahead of the release.

Thanks in advance.

yahonda avatar Nov 18 '25 07:11 yahonda