Hotwire

Upstream URL: https://hotwired.dev/
Security Risk: Medium
Abandonment Risk: Very Low

External contacts

The Hotwire team is reachable via their public GitHub issue tracker. Security policy is not defined.

Security posture

Hotwire, including Turbo, is used throughout the entire application on browsers with JavaScript enabled (which is virtually all of them). A security issue inside Turbo, while very unlikely, could therefore expose any number of client-side risks.

Since Turbo caches pages and DOM content, admin content may persist after an administrator signs out (e.g. on a public computer) if the tab is not also closed.

It is for this reason that we classify Hotwire as a medium risk.
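The cache-persistence issue above can be mitigated on the application side. The following is an added example written for this assessment, not Hotwire's own code: it scrubs elements marked sensitive before Turbo snapshots a page and clears Turbo's cache once the sign-out form has been submitted. The attribute names `data-turbo-sensitive` and `data-signout` are assumptions chosen here; `turbo:before-cache`, `turbo:submit-end` and `Turbo.cache.clear()` are Turbo's own event and API names.

```javascript
// Added example (not part of Hotwire). Keeps admin markup out of Turbo's
// page cache and drops the cache when the administrator signs out.
// Assumed (hypothetical) markup: sensitive elements carry
// data-turbo-sensitive, the sign-out form carries data-signout.

// Remove every element marked sensitive from a subtree. Written as a pure
// function over anything with querySelectorAll(), so it can be exercised
// outside a browser; returns the number of nodes removed.
function scrubSensitive(root) {
  const nodes = Array.from(root.querySelectorAll("[data-turbo-sensitive]"));
  for (const node of nodes) node.remove();
  return nodes.length;
}

// Wire into Turbo only when running inside a browser page.
if (typeof document !== "undefined") {
  // turbo:before-cache fires just before Turbo snapshots the current page,
  // so anything removed here never reaches the cache and is not shown when
  // the page is restored (e.g. via the back button after sign-out).
  document.addEventListener("turbo:before-cache", () => {
    scrubSensitive(document.body);
  });

  // turbo:submit-end fires on the form once its submission has completed.
  // After a successful sign-out, discard every cached snapshot so that no
  // previously visited admin page can be restored from memory.
  document.addEventListener("turbo:submit-end", (event) => {
    const form = event.target;
    const ok = event.detail && event.detail.success;
    if (ok && form.matches && form.matches("form[data-signout]")) {
      if (window.Turbo && window.Turbo.cache) window.Turbo.cache.clear();
    }
  });
}
```

For admin layouts that should never be cached at all, Turbo also honours `<meta name="turbo-cache-control" content="no-cache">` in the page head, which is simpler than scrubbing when the whole page is sensitive.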

Abandonment risk

Hotwire is developed by the same developers as Ruby on Rails, and therefore has a very low risk of abandonment. See the Ruby on Rails section.

Versioning policy

Our usage of Hotwire comes from Rails and therefore follows Rails' versioning policy. As we update and upgrade Rails, we receive the co-released version of Hotwire. Evaluations of Hotwire are carried out as part of the Rails evaluations.