Following the mime gem incident I've been reviewing which of the gems we use depend on the `rails` meta-gem rather than the specific dependencies. At the moment, by requiring `rails`, if I use this gem for a small API-only application I will be forced to pull in features like `actioncable`, `activestorage`, which expands my dependency surface area and increases the risk of a dependency incident like this.
Would you be open to a pull request to only require the sub-dependencies needed for this gem? At a glance I think it might just be `railties` and `actionpack` (for `ActionController`) that you need.
Thanks! (oh also, this is a great gem, thanks for maintaining it 🙏 )
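The kind of review the issue describes can be scripted against a `Gemfile.lock`. The following is an added example, not part of the original post or of the gem's code: it lists gems that depend directly on the `rails` meta-gem and the gems that would no longer be installed if only `railties` and `actionpack` (the post's guess) were required. The lockfile excerpt and the name `example_api_gem` are constructed for illustration.

```ruby
SAMPLE_LOCK = <<~LOCK # constructed sample data, not a real lockfile
  GEM
    specs:
      actioncable (7.0.0)
      actionpack (7.0.0)
      activestorage (7.0.0)
        marcel (~> 1.0)
      example_api_gem (1.0.0)
        rails (>= 6.0)
      marcel (1.0.0)
      rails (7.0.0)
        actioncable (= 7.0.0)
        actionpack (= 7.0.0)
        activestorage (= 7.0.0)
        railties (= 7.0.0)
      railties (7.0.0)
LOCK

# Build { gem => [direct dependencies] } from the indented "specs:" entries.
def parse_specs(lock_text)
  graph, current = {}, nil
  lock_text.each_line do |line|
    if (m = line.match(/\A {4}(\S+) \(/))            # 4 spaces: a resolved gem
      graph[current = m[1]] ||= []
    elsif current && (m = line.match(/\A {6}(\S+)/)) # 6 spaces: its dependency
      graph[current] << m[1]
    end
  end
  graph
end

# Gems that declare the meta-gem itself as a direct dependency.
def meta_gem_dependents(graph, meta = "rails")
  graph.select { |_, deps| deps.include?(meta) }.keys.sort
end

# Everything reachable from the given roots (roots included).
def closure(graph, roots, seen = [])
  roots.each { |n| closure(graph, graph.fetch(n, []), seen << n) unless seen.include?(n) }
  seen
end

# Gems installed only because of the meta-gem, given the components really needed.
def extra_surface(graph, needed, meta = "rails")
  (closure(graph, [meta]) - closure(graph, needed) - [meta]).sort
end

graph = parse_specs(SAMPLE_LOCK)
puts "depend on rails: #{meta_gem_dependents(graph)}", "avoidable: #{extra_surface(graph, %w[railties actionpack])}"
```

To audit a real project, pass `File.read("Gemfile.lock")` to `parse_specs` instead of the sample.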