[CHA-2578] chore: relax faraday and sorbet-runtime version constraints #200

Merged: nijeesh-stream merged 6 commits into master from chore/relax-dependency-constraints on Mar 5, 2026

@nijeesh-stream nijeesh-stream commented Mar 5, 2026

Summary

Ticket

https://linear.app/stream/issue/CHA-2578/update-stream-chat-ruby-gemspec-unblock-sorbet-runtime-06-and-faraday

Relaxes dependency version constraints to unblock security fixes and improve Ruby 4.0 compatibility. No breaking changes — all constraints are widened, not tightened.

Dependency changes

| Gem | Before | After | Reason |
|---|---|---|---|
| faraday | ~> 2.12.2 | ~> 2.12 | Unblocks security fix in 2.14.1 (closes #196) |
| faraday-multipart | ~> 1.1.0 | ~> 1.1 | Allows 1.2.x which adds Ruby 4.0 support (closes #189) |
| faraday-net_http_persistent | ~> 2.3.0 | ~> 2.3 | Consistent relaxation |
| sorbet-runtime | ~> 0.5.11820 | >= 0.5.11820, < 1 | Spans 0.5.x and 0.6.x; upper bound < 1 is precise since both versions are < 1 |
| sorbet (dev) | ~> 0.5 | ~> 0.6 | Upgrade dev tooling to current release |

CI changes

  • Add Ruby 4.0 to test matrix
  • Refactor lint condition from ruby == '3.4' to a lint: true matrix flag — cleaner and easier to maintain as versions are added

Sorbet 0.6 RBI compatibility

Sorbet 0.6 changed the default typing level for RBI files without a # typed: sigil from true to strict, causing errors in stale autogenerated stubs. Fixed in three ways:

  • sorbet/rbi/sorbet-typed/ — added to --ignore in sorbet/config. These are community stubs for dev tools (rake, rspec, rubocop) that don't affect source type checking.
  • sorbet/rbi/gems/ — added # typed: true to 16 files that were missing sigils.
  • sorbet/rbi/hidden-definitions/hidden.rbi — removed suggest_gems_from_name and wait_readable, now covered by Sorbet 0.6's built-in stdlib RBIs.

srb tc passes with zero errors on lib/.

Impact on consumers

None. Existing users on Faraday 2.12.x are unaffected. Users who want the Faraday 2.14.1 security fix are now unblocked. The sorbet-runtime range covers both 0.5.x and 0.6.x.

Follow-up

  • Migrate sorbet/rbi/ generation from deprecated srb rbi to Tapioca to properly regenerate all stubs and remove the sorbet/rbi/sorbet-typed/ directory.
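
Added example (not part of the pull request or the project's code): RubyGems' own `Gem::Requirement` evaluating the before and after constraints from the dependency table, to show which versions each change admits. The probe versions are constructed to sit on either side of each bound, and the helper names `allowed?` and `compare` are hypothetical.

```ruby
require "rubygems"

# [before, after] requirement pairs copied from the PR's dependency table.
CONSTRAINTS = {
  "faraday"           => [["~> 2.12.2"], ["~> 2.12"]],
  "faraday-multipart" => [["~> 1.1.0"], ["~> 1.1"]],
  "sorbet-runtime"    => [["~> 0.5.11820"], [">= 0.5.11820", "< 1"]],
}.freeze

# Constructed probe versions placed on each side of every bound. They are not
# a list of real releases; only 2.14.1 and 1.2.0 are named on the page.
PROBES = {
  "faraday"           => %w[2.11.9 2.12.0 2.12.2 2.12.9 2.13.0 2.14.1 3.0.0],
  "faraday-multipart" => %w[1.0.9 1.1.0 1.1.5 1.2.0 2.0.0],
  "sorbet-runtime"    => %w[0.5.11819 0.5.11820 0.6.0 1.0.0],
}.freeze

# True when `version` satisfies every clause in `parts`.
def allowed?(parts, version)
  Gem::Requirement.new(*parts).satisfied_by?(Gem::Version.new(version))
end

# Classify each probe by how the constraint change affects it.
def compare(gem_name)
  before, after = CONSTRAINTS.fetch(gem_name)
  probes = PROBES.fetch(gem_name)
  {
    newly_allowed: probes.select { |v| !allowed?(before, v) && allowed?(after, v) },
    dropped:       probes.select { |v| allowed?(before, v) && !allowed?(after, v) },
    still_blocked: probes.reject { |v| allowed?(after, v) },
  }
end

CONSTRAINTS.each_key do |name|
  r = compare(name)
  puts format("%-18s newly allowed: %-22s dropped: %-4s still blocked: %s",
              name, r[:newly_allowed].join(" "), r[:dropped].join(" "),
              r[:still_blocked].join(" "))
end
```

The output shows that `~> 2.12` also lowers the floor to 2.12.0 and still admits releases older than 2.14.1, so a consumer only picks up the fix once their lockfile resolves to it (for example via `bundle update faraday`).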

cursor[bot]

This comment was marked as resolved.

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

@nijeesh-stream nijeesh-stream force-pushed the chore/relax-dependency-constraints branch from cae3f59 to c334fe8 Compare March 5, 2026 11:14
@nijeesh-stream nijeesh-stream marked this pull request as draft March 5, 2026 11:21
@nijeesh-stream nijeesh-stream changed the title chore: relax faraday and sorbet-runtime version constraints [CHA-2578] chore: relax faraday and sorbet-runtime version constraints Mar 5, 2026
- faraday: ~> 2.12.2 -> ~> 2.12 (unblocks security fix in 2.14.1)
- faraday-multipart: ~> 1.1.0 -> ~> 1.1 (allows 1.2.x, Ruby 4 compat)
- faraday-net_http_persistent: ~> 2.3.0 -> ~> 2.3
- sorbet-runtime: ~> 0.5.11820 -> >= 0.5.11820, < 2 (allows 0.5.x and 0.6.x)
- sorbet (dev): ~> 0.5 -> ~> 0.6

Closes #196, closes #189
- Remove conflicting method stubs from hidden.rbi (now in Sorbet 0.6 stdlib)
- Add typed: true headers to gem RBIs missing sigils
- Ignore sorbet/rbi/sorbet-typed in sorbet config (stale 0.5 community stubs)
- Delete sorbet/rbi/sorbet-typed (ignored, 1071 lines of stale stubs removed)
@nijeesh-stream nijeesh-stream force-pushed the chore/relax-dependency-constraints branch from c6e2d61 to 5086c47 Compare March 5, 2026 12:02
nijeesh-stream and others added 3 commits March 5, 2026 13:13
…by version check

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Current sorbet versions are 0.5.x and 0.6.x, both of which are < 1.
Using < 2 was unnecessarily wide and would allow a hypothetical 1.x
series without explicit opt-in.
@nijeesh-stream nijeesh-stream marked this pull request as ready for review March 5, 2026 12:45
@nijeesh-stream nijeesh-stream merged commit 1411d38 into master Mar 5, 2026
10 of 13 checks passed
@nijeesh-stream nijeesh-stream deleted the chore/relax-dependency-constraints branch March 5, 2026 12:53
Development

Successfully merging this pull request may close these issues.

  • Faraday dependency locked in a version affected by a security issue
  • Upgrade to faraday-multipart 1.2.0 for supports Ruby 4