Don't Bundle Foreman
This usually comes up in the context of someone submitting a PR wanting to update thor.

I highly suggest that you do not include foreman in your Gemfile. Foreman is not a library, and should not affect the dependency tree of your application. Updating one of foreman's dependencies just to satisfy your project's dependency matrix is problematic, as this in turn could break older applications that are doing the same thing.
The only reason that foreman will update a dependency is to acquire a new, desired feature or to remove a vulnerability. Foreman is very stable at this point, and upgrading its dependencies for any other reason introduces potential bugs (or worse) for virtually no gain.
In addition, adding foreman to your Gemfile causes foreman to be loaded into your application as a dependency, which is, at best, an unnecessary vulnerability vector for your application.
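As an added example (not the foreman project's own code), here is a small Ruby script that reads a Gemfile.lock and reports which gems a bundled foreman drags into the application's dependency tree; the sample lockfile and its version numbers are constructed for illustration, and the parser assumes the standard Bundler lockfile layout.

```ruby
# Added example, not foreman's own code: list what a tool-only gem (foreman)
# drags into an app's dependency tree when it is declared in the Gemfile.
# Constructed sample Gemfile.lock; versions are illustrative placeholders.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      foreman (0.87.2)
        thor (~> 1.2)
      thor (1.2.2)

  DEPENDENCIES
    foreman
LOCK

# One pass: specs => { gem => [direct dep names] }, deps => DEPENDENCIES gems.
def parse_lock(lock_text)
  specs, deps, section, current = {}, [], nil, nil
  lock_text.each_line do |raw|
    line = raw.chomp
    section = line if line =~ /\A\S/       # GEM, GIT, PATH, DEPENDENCIES, ...
    indent = line[/\A */].size
    name = line.strip[/\A[^\s!(]+/]        # "foreman (0.87.2)" -> "foreman"
    if section == "DEPENDENCIES" && indent == 2
      deps << name
    elsif %w[GEM GIT PATH].include?(section) && indent == 4
      specs[current = name] = []           # a gem spec
    elsif %w[GEM GIT PATH].include?(section) && indent == 6 && current
      specs[current] << name               # a dependency of that spec
    end
  end
  [specs, deps]
end

# Every gem that gem_name pulls into the bundle, transitively.
def transitive_deps(specs, gem_name, seen = [])
  (specs[gem_name] || []).each do |dep|
    seen.include?(dep) || transitive_deps(specs, dep, seen << dep)
  end
  seen
end

# nil when the tool is not declared in the Gemfile; otherwise what it pulls in.
def bundled_tool_report(lock_text, tool = "foreman")
  specs, deps = parse_lock(lock_text)
  return nil unless deps.include?(tool)
  transitive_deps(specs, tool)
end

puts bundled_tool_report(SAMPLE_LOCK).inspect  # ["thor"]
```

Run it against your own lockfile with `bundled_tool_report(File.read("Gemfile.lock"))`; a non-nil result means foreman, and everything it depends on, has become part of your application's bundle.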
Hopefully this clears things up! Happy hacking.