Puma
| Upstream URL | Security Risk | Abandonment Risk |
|---|---|---|
| https://puma.io/ | High | Very Low |
External contacts
The Puma team is reachable via their public GitHub issue tracker. Security issues are reported privately to the maintainer, Evan Phoenix.
Security posture
Puma is the HTTP server in front of MoR: it parses raw HTTP requests from clients and hands them to Rack and Rails, where MoR code interprets them. A flaw in Puma's request parsing could therefore be exploited for denial of service or, in the worst case, HTTP request smuggling, where the server and a proxy in front of it disagree about where one request ends and the next begins. Puma is accordingly considered a critical dependency for the security of MoR.
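To make the "worst case" concrete, the following is an added example (not Puma's parser and not MoR code) of the body-framing decision an HTTP/1.1 server has to make before a request can safely be passed down to Rack. Request smuggling exploits exactly the cases where two parsers could reach different answers, so the function rejects anything ambiguous or malformed instead of guessing. The function name and the sample requests are constructed for this example.

```ruby
# Added example: classify the body framing of a raw HTTP/1.1 request head.
# This is illustrative code, not Puma's implementation.
#
# Returns one of:
#   [:content_length, n]  body is exactly n bytes
#   [:chunked, nil]       body uses chunked transfer-coding
#   [:none, 0]            no body
#   [:reject, reason]     framing is ambiguous or malformed -> respond 400
CRLF = "\r\n"
KNOWN_CODINGS = %w[chunked gzip deflate compress].freeze

def classify_framing(raw_head)
  lines = raw_head.split(CRLF)
  request_line = lines.shift.to_s
  return [:reject, "bad request line"] unless request_line.match?(%r{\A[A-Z]+ \S+ HTTP/1\.[01]\z})

  te_values = []
  cl_values = []
  lines.each do |line|
    break if line.empty? # blank line ends the header section
    # RFC 9112 s5.1: no whitespace between the field name and the colon.
    # A line with no colon at all (e.g. obsolete line folding) is rejected too.
    name, value = line.split(":", 2)
    return [:reject, "malformed header field"] if value.nil? || name.match?(/\s/)
    case name.downcase
    when "transfer-encoding"
      te_values.concat(value.split(",").map { |v| v.strip.downcase })
    when "content-length"
      cl_values.concat(value.split(",").map(&:strip))
    end
  end

  unless te_values.empty?
    # Both framing headers present: RFC 9112 s6.1 allows a server to reject
    # this outright, and rejecting is the only answer that cannot desync.
    return [:reject, "content-length with transfer-encoding"] unless cl_values.empty?
    # "chunked" must appear exactly once and as the final coding; any coding
    # the server does not know cannot be framed and is rejected.
    return [:reject, "chunked is not the final transfer-coding"] unless te_values.last == "chunked"
    return [:reject, "chunked applied more than once"] if te_values.count("chunked") > 1
    return [:reject, "unknown transfer-coding"] unless te_values.all? { |c| KNOWN_CODINGS.include?(c) }
    return [:chunked, nil]
  end

  return [:none, 0] if cl_values.empty?
  # Duplicate Content-Length is tolerated only when every value is identical.
  return [:reject, "conflicting content-length values"] if cl_values.uniq.size > 1
  return [:reject, "non-numeric content-length"] unless cl_values.first.match?(/\A\d+\z/)
  [:content_length, cl_values.first.to_i]
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: the classic CL/TE ambiguity.
  smuggle = "POST / HTTP/1.1#{CRLF}Host: example#{CRLF}Content-Length: 5#{CRLF}Transfer-Encoding: chunked#{CRLF}#{CRLF}"
  p classify_framing(smuggle)
end
```

The point of the example is the shape of the decision, not the specific rule set: every branch that returns `:reject` is a case where a lenient server and a lenient proxy could each pick a different body length, which is the precondition for smuggling. Keeping Puma patched is what actually closes these cases for MoR; this code only shows what the parser is being trusted to get right.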
Abandonment risk
The Puma community is active and the project has multiple private sponsors. It is considered very unlikely that Puma would be abandoned.
Versioning policy
MoR currently pins Puma to the 5.x branch, the version recommended by Rails 7. At the time of writing, upstream still ships security fixes for 5.x. Evaluation of Puma 6.x is planned for Q2 2025.