
Don't Bundle Foreman

David Dollar edited this page Aug 29, 2019 · 3 revisions

This usually comes up in the context of someone submitting a PR that wants to update thor.

I highly suggest that you do not include foreman in your Gemfile. Foreman is not a library, and should not affect the dependency tree of your application. Updating one of foreman's dependencies just to satisfy your project's dependency matrix is problematic, as doing so could in turn break older applications that are doing the same thing.

The only reason foreman will update a dependency is to acquire a new, desired feature or to remove a vulnerability.

Foreman is very stable at this point, and upgrading its dependencies for any other reason introduces potential bugs (or worse) for virtually no gain.

In addition, adding foreman to your Gemfile causes it to be loaded into your application as a dependency, which is, at best, an unnecessary vulnerability vector for your application.
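The dependency-tree point above, as an added example that is not part of this wiki or of foreman itself: a small Ruby lint that reads a Gemfile.lock, reports whether foreman is declared as a direct dependency, and lists the gems (here thor) it pulls into the application's resolved tree. The lockfile is constructed for illustration, and the function names and placeholder versions are assumptions of this example.

```ruby
# Constructed Gemfile.lock for illustration; versions are placeholders, not real releases.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      foreman (0.0.0)
        thor (~> 0.0)
      rack (0.0.0)
      thor (0.0.0)

  DEPENDENCIES
    foreman
    rack (~> 0.0)
LOCK
# Parse the "specs:" block into { gem => [names of its runtime dependencies] }.
def parse_specs(lockfile)
  block = lockfile[/^  specs:\n(.*?)(?:\n\n|\z)/m, 1].to_s
  specs = {}
  current = nil
  block.each_line do |line|
    if line =~ /\A {4}(\S+) \(/              # "    name (version)" starts a spec
      current = Regexp.last_match(1)
      specs[current] = []
    elsif current && line =~ /\A {6}(\S+)/   # "      dep (constraint)" belongs to it
      specs[current] << Regexp.last_match(1)
    end
  end
  specs
end
# Gems the Gemfile asks for directly: the DEPENDENCIES section, minus constraints and "!" markers.
def direct_dependencies(lockfile)
  block = lockfile[/^DEPENDENCIES\n(.*?)(?:\n\n|\z)/m, 1].to_s
  block.each_line.map { |l| l.strip.sub(/\s*\(.*\)\z/, '').chomp('!') }
end
# Everything `name` pulls into the resolved tree, recursively.
def transitive_deps(specs, name, seen = [])
  (specs[name] || []).each do |dep|
    next if seen.include?(dep)
    seen << dep
    transitive_deps(specs, dep, seen)
  end
  seen
end
# { tooling gem => sorted gems it adds to the app's tree } for each tooling gem the Gemfile declares; {} means clean.
def bundled_tooling(lockfile, tooling = %w[foreman])
  specs = parse_specs(lockfile)
  direct_dependencies(lockfile).select { |gem| tooling.include?(gem) }
                               .map { |gem| [gem, transitive_deps(specs, gem).sort] }.to_h
end
```

Pointing `bundled_tooling` at a real project's Gemfile.lock in CI flags the case this page warns about before a dependency bump for thor ever reaches a PR.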

Hopefully this clears things up! Happy hacking.