Revert "Merge pull request #34387 from yhirano55/rails_info_properties_json"

We had a discussion on the Core team and we don't want to expose this information as a JSON endpoint and not by default. It doesn't make sense to expose this JSON locally and this controller is only accessible in dev, so the proposed access from a production app seems off. This reverts commit 8eaffe7e89, reversing changes made to b6e4305c3b.
2019-01-08 22:16:58 +01:00 · 2019-01-08 22:16:58 +01:00 · f66a977fc7
parent 842bc43f7f
commit f66a977fc7
13 changed files with 0 additions and 50 deletions
--- a/actioncable/actioncable.gemspec
+++ b/actioncable/actioncable.gemspec
@ -25,9 +25,6 @@ Gem::Specification.new do |s|
    "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/actioncable/CHANGELOG.md"
  }

-  # NOTE: Please read our dependency guidelines before updating versions:
-  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
-
  s.add_dependency "actionpack", version

  s.add_dependency "nio4r",            "~> 2.0"
--- a/actionmailer/actionmailer.gemspec
+++ b/actionmailer/actionmailer.gemspec
@ -26,9 +26,6 @@ Gem::Specification.new do |s|
    "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/actionmailer/CHANGELOG.md"
  }

-  # NOTE: Please read our dependency guidelines before updating versions:
-  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
-
  s.add_dependency "actionpack", version
  s.add_dependency "actionview", version
  s.add_dependency "activejob", version
--- a/actionpack/actionpack.gemspec
+++ b/actionpack/actionpack.gemspec
@ -26,9 +26,6 @@ Gem::Specification.new do |s|
    "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/actionpack/CHANGELOG.md"
  }

-  # NOTE: Please read our dependency guidelines before updating versions:
-  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
-
  s.add_dependency "activesupport", version

  s.add_dependency "rack",      "~> 2.0"
--- a/actionview/actionview.gemspec
+++ b/actionview/actionview.gemspec
@ -26,9 +26,6 @@ Gem::Specification.new do |s|
    "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/actionview/CHANGELOG.md"
  }

-  # NOTE: Please read our dependency guidelines before updating versions:
-  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
-
  s.add_dependency "activesupport", version

  s.add_dependency "builder",       "~> 3.1"
--- a/activejob/activejob.gemspec
+++ b/activejob/activejob.gemspec
@ -25,9 +25,6 @@ Gem::Specification.new do |s|
    "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activejob/CHANGELOG.md"
  }

-  # NOTE: Please read our dependency guidelines before updating versions:
-  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
-
  s.add_dependency "activesupport", version
  s.add_dependency "globalid", ">= 0.3.6"
 end
--- a/activemodel/activemodel.gemspec
+++ b/activemodel/activemodel.gemspec
@ -25,8 +25,5 @@ Gem::Specification.new do |s|
    "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activemodel/CHANGELOG.md"
  }

-  # NOTE: Please read our dependency guidelines before updating versions:
-  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
-
  s.add_dependency "activesupport", version
 end
--- a/activerecord/activerecord.gemspec
+++ b/activerecord/activerecord.gemspec
@ -28,9 +28,6 @@ Gem::Specification.new do |s|
    "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activerecord/CHANGELOG.md"
  }

-  # NOTE: Please read our dependency guidelines before updating versions:
-  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
-
  s.add_dependency "activesupport", version
  s.add_dependency "activemodel",   version
 end
--- a/activestorage/activestorage.gemspec
+++ b/activestorage/activestorage.gemspec
@ -25,9 +25,6 @@ Gem::Specification.new do |s|
    "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activestorage/CHANGELOG.md"
  }

-  # NOTE: Please read our dependency guidelines before updating versions:
-  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
-
  s.add_dependency "actionpack", version
  s.add_dependency "activerecord", version

--- a/activesupport/activesupport.gemspec
+++ b/activesupport/activesupport.gemspec
@ -27,9 +27,6 @@ Gem::Specification.new do |s|
    "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/activesupport/CHANGELOG.md"
  }

-  # NOTE: Please read our dependency guidelines before updating versions:
-  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
-
  s.add_dependency "i18n",       ">= 0.7", "< 2"
  s.add_dependency "tzinfo",     "~> 1.1"
  s.add_dependency "minitest",   "~> 5.1"
--- a/guides/source/security.md
+++ b/guides/source/security.md
@ -1235,11 +1235,6 @@ version:
 Rails.application.credentials.some_api_key! # => raises KeyError: :some_api_key is blank
 ```

-Dependency Management and CVEs
------------------------------
-
-We don’t bump dependencies just to encourage use of new versions, including for security issues. This is because application owners need to manually update their gems regardless of our efforts. Use `bundle update --conservative gem_name` to safely update vulnerable dependencies.
-
 Additional Resources
 --------------------

--- a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
@ -11,10 +11,6 @@
 #   policy.object_src  :none
 #   policy.script_src  :self, :https
 #   policy.style_src   :self, :https
-<%- unless options[:skip_javascript] -%>
-#   # If you are using webpack-dev-server then specify webpack-dev-server host
-#   policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?
-<%- end -%>

 #   # Specify URI for violation reports
 #   # policy.report_uri "/csp-violation-report-endpoint"
--- a/railties/railties.gemspec
+++ b/railties/railties.gemspec
@ -30,9 +30,6 @@ Gem::Specification.new do |s|
    "changelog_uri"   => "https://github.com/rails/rails/blob/v#{version}/railties/CHANGELOG.md"
  }

-  # NOTE: Please read our dependency guidelines before updating versions:
-  # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
-
  s.add_dependency "activesupport", version
  s.add_dependency "actionpack",    version

--- a/railties/test/generators/app_generator_test.rb
+++ b/railties/test/generators/app_generator_test.rb
@ -230,14 +230,6 @@ class AppGeneratorTest < Rails::Generators::TestCase
    assert_equal "false\n", output
  end

-  def test_csp_initializer_include_connect_src_example
-    run_generator
-
-    assert_file "config/initializers/content_security_policy.rb" do |content|
-      assert_match(/#   policy\.connect_src/, content)
-    end
-  end
-
  def test_app_update_keep_the_cookie_serializer_if_it_is_already_configured
    app_root = File.join(destination_root, "myapp")
    run_generator [app_root]
@ -845,9 +837,6 @@ class AppGeneratorTest < Rails::Generators::TestCase
    end

    assert_no_gem "webpacker"
-    assert_file "config/initializers/content_security_policy.rb" do |content|
-      assert_no_match(/policy\.connect_src/, content)
-    end
  end

  def test_webpack_option_with_js_framework