from Hacker News

Rails 5.0.1 has been released

by CoachRufus87 on 12/21/16, 5:00 AM with 55 comments

  • by tinco on 12/21/16, 10:30 AM

    If you're using Rails 5 ActionCable and you're not on Passenger, I would recommend upgrading to this release as soon as possible. Phusion[0] and other Rails 5 users[1] found a slow client issue with its implementation that was not protected against by the default app server Puma.

    We contacted the Rails team early on about this issue and worked closely with them to have this issue solved. Now that 5.0.1 is released we are at liberty to disclose details about this security issue.

    I've written a blog post[2] on the problem, using OS X network shaping tools and a simple app to demonstrate it. Rails apps running on Passenger were never affected as Passenger implements response buffering for regular requests as well as websockets connections. Note that even popular reverse proxies like Nginx don't perform response buffering for websockets as far as I know, so this is something to be aware of if you're running on other frameworks than Rails as well.

    [0] GH merge of patch: https://github.com/rails/rails/pull/26646

    [1] GH related issue: https://github.com/rails/rails/issues/26409

    [2] Blog post: https://blog.phusion.nl/2016/12/21/actioncable-under-stress-...

  • by jph on 12/21/16, 5:35 AM

    TLDR: Definitely worth upgrading.

    Approximately hundreds of small bug fixes, across much of Rails. The fixes include some important ones for database types, time comparisons, thread issues, record reloading, etc.

    IMHO these fixes address dozens of bugs that could cause major puzzlement for a typical Rails developer.

    Thanks to all the contributors for excellent work on this release.

  • by Sivart13 on 12/21/16, 6:24 AM

    If anyone's been holding off on upgrading to 5.x because of the deprecation warnings you get about requiring `params` as w keyword argument in keyword tests, I wrote a gem that could help: https://github.com/tjgrathwell/rails5-spec-converter

  • by martijn_himself on 12/21/16, 11:52 AM

    Slightly off-topic: is learning Rails still a good career choice? I'm not particularly keen on JavaScript on the server and I think I am slightly tired using .NET on a daily basis.

  • by JelteF on 12/21/16, 8:15 AM

    Serving the SHA-1 hashes over an HTTP connection doesn't really seem useful at all to me. If you're worried about MITM the hashes could easily be changed as well.

  • by nickjj on 12/21/16, 12:52 PM

    If anyone is using Rails together with Docker, I just updated orats[1] to use Rails 5.0.1.

    [1]: https://github.com/nickjj/orats

  • by pandafoo on 12/21/16, 9:33 AM

    How is Rails still doing in the world of NodeJS, Microservices and React?

  • by wjossey on 12/21/16, 5:20 AM

    Anyone have a tl;dr?

  • by sergioocon on 12/21/16, 7:50 AM

    Updated and testing...

    Thanks!

  • by sergioocon on 12/21/16, 7:50 AM

    Updated and testing.

    Thanks!