From d435c1cd21ac1eaadf184e64f51daee118a20304 Mon Sep 17 00:00:00 2001 From: Tom Levy Date: Thu, 3 Jul 2025 21:58:50 +1200 Subject: [PATCH 1/2] Remove obsolete config `config.assets.compress` The config options `config.assets.{js,css}_compressor` replaced it in Rails 4.0 [1]. [1] https://github.com/rails/rails/blob/v8.0.2/guides/source/upgrading_ruby_on_rails.md#sprockets-rails --- config/environments/development.rb | 3 --- config/environments/production.rb | 1 - 2 files changed, 4 deletions(-) diff --git a/config/environments/development.rb b/config/environments/development.rb index 83b819c5..77ed050f 100644 --- a/config/environments/development.rb +++ b/config/environments/development.rb @@ -22,9 +22,6 @@ # Only use best-standards-support built into browsers config.action_dispatch.best_standards_support = :builtin - # Do not compress assets - config.assets.compress = false - # Expands the lines which load the assets config.assets.debug = true diff --git a/config/environments/production.rb b/config/environments/production.rb index fc621db9..edc5854e 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb @@ -52,7 +52,6 @@ config.active_support.deprecation = :log # Compress JavaScript and CSS - config.assets.compress = true config.assets.css_compressor = :yui config.assets.js_compressor = :uglifier From 2d3f6d7f3a801a33cc74588faea1cc78394f91d4 Mon Sep 17 00:00:00 2001 From: Tom Levy Date: Thu, 3 Jul 2025 22:06:28 +1200 Subject: [PATCH 2/2] Remove JS and CSS asset compressors Rails 8 has moved away from asset compression[1]. `uglifier` (JS compressor) requires a JavaScript runtime (which we previously provided using mini_racer). It's a large install and raises security concerns because it uses an outdated version of V8 (it's only meant to run as part of asset precompilation, not in the running web server; but still). `yui` requires the Java Runtime Environment. We follow the Rails 8 rationale and remove the asset compression (even though we are still on a much older version of Rails). [1] https://guides.rubyonrails.org/v8.0/asset_pipeline.html --- Gemfile | 14 -------------- Gemfile.lock | 10 ---------- config/environments/production.rb | 4 ++-- script/install.bash | 2 -- script/install/jre.bash | 7 ------- 5 files changed, 2 insertions(+), 35 deletions(-) delete mode 100644 script/install/jre.bash diff --git a/Gemfile b/Gemfile index b450fd05..6ccd5a52 100644 --- a/Gemfile +++ b/Gemfile @@ -86,17 +86,3 @@ group :development, :test do gem "rails-controller-testing", "~> 1.0" end - -# Gems used only for assets and not required -# in production environments by default. -# group :assets do -gem "uglifier", ">=1.0.3" -# Provide a JS runtime to execjs without needing to -# have node, bun, or similar installed on the relevant -# server. We should write this out asap, along with the -# rest of the gems in this assets category, as bundling -# a version of libv8 into a rubygem is just security-vuln -# city, but hey, what can you do. -gem "mini_racer", "~> 0.4.0" -gem "yui-compressor" -# end diff --git a/Gemfile.lock b/Gemfile.lock index 991b766c..a018a9cf 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -123,7 +123,6 @@ GEM erubi (1.13.1) erubis (2.7.0) eventmachine (1.2.7) - execjs (2.9.0) factory_bot (5.2.0) activesupport (>= 4.2.0) factory_bot_rails (5.2.0) @@ -145,7 +144,6 @@ GEM i18n_data (0.11.0) iso8601 (0.13.0) json (2.7.6) - libv8-node (15.14.0.1) logger (1.5.3) loofah (2.20.0) crass (~> 1.0.2) @@ -173,8 +171,6 @@ GEM mime-types-data (3.2025.0415) mini_mime (1.1.2) mini_portile2 (2.4.0) - mini_racer (0.4.0) - libv8-node (~> 15.14.0.0) minitest (5.15.0) mustermann (2.0.2) ruby2_keywords (~> 0.0.1) @@ -356,8 +352,6 @@ GEM ttfunk (1.6.2.1) tzinfo (1.2.11) thread_safe (~> 0.1) - uglifier (4.2.1) - execjs (>= 0.3.0, < 3) unf (0.2.0) unicode-display_width (2.6.0) unicode_utils (1.4.0) @@ -378,7 +372,6 @@ GEM i18n (>= 0.6) xpath (3.2.0) nokogiri (~> 1.8) - yui-compressor (0.12.0) PLATFORMS ruby @@ -402,7 +395,6 @@ DEPENDENCIES has_scope loofah (<= 2.20.0) mechanize - mini_racer (~> 0.4.0) newrelic_rpm nokogiri (~> 1.10.10) pdf-reader @@ -435,11 +427,9 @@ DEPENDENCIES standard superfish-rails (~> 1.6.0) tilt - uglifier (>= 1.0.3) whenever will_paginate world-flags - yui-compressor RUBY VERSION ruby 2.4.10p364 diff --git a/config/environments/production.rb b/config/environments/production.rb index edc5854e..ff2d0700 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb @@ -52,8 +52,8 @@ config.active_support.deprecation = :log # Compress JavaScript and CSS - config.assets.css_compressor = :yui - config.assets.js_compressor = :uglifier + # config.assets.css_compressor = :yui + # config.assets.js_compressor = :uglifier # Don't fallback to assets pipeline # config.assets.compile = false diff --git a/script/install.bash b/script/install.bash index 234f6928..71c4a840 100755 --- a/script/install.bash +++ b/script/install.bash @@ -40,8 +40,6 @@ bash script/install/nztrain.bash || exit 1 # fix files & directory structure bash script/install/bundler.bash || exit 1 -bash script/install/jre.bash || exit 1 # required by yui-compressor - sudo bash script/install/isolate.bash || exit 1 # install isolate sudo bash script/install/cgroup.bash || exit 1 # install cgroups sudo bash script/install/isolock.bash || exit 1 # install isolock diff --git a/script/install/jre.bash b/script/install/jre.bash deleted file mode 100644 index 5c34bd11..00000000 --- a/script/install/jre.bash +++ /dev/null @@ -1,7 +0,0 @@ -#!/usr/bin/env bash - -cmd="sudo apt-get install default-jre-headless" # java required by yui-compressor gem -echo "$ $cmd" -$cmd -[[ $? -le 1 ]] || exit 1 # apt-get exit 0 = success, 1 = decline, otherwise unknown error -