Skip to content

Reintroduce Rack v2.1.4

Stan Hu requested to merge sh-bring-back-rack-2.1.4 into master

This is needed to address a few outstanding CVEs and fix cookie timestamp formats.

Full list of changes: https://github.com/rack/rack/compare/2.0.9..2.1.4

Relates to:

Rack v2.1.x no longer coerces the body to a string. The Rack spec (https://github.com/rack/rack/blob/master/SPEC.rdoc#the-body-) says:

The Body must respond to each and must only yield String values

Previously in a few places the Grape API was returning the status code as an integer, which Grape used as the response body. To preserve the legacy behavior, we explicitly set the body to the stringified integer.

In #267598 (closed), we saw Maven packages report 500 errors because a nil body was being returned. This has been fixed in !45271 (merged).

Because it's easy to mistakenly return the wrong type in the Grape body, this commit also adds a new Grape middleware that will automatically coerce values to strings but raise an exception in development and test.

This reverts !45246 (merged) and brings back !44518 (merged).

Edited by Stan Hu

Merge request reports

Loading