# Puma
| Upstream URL | Security Risk | Abandonment Risk |
|---|---|---|
| https://puma.io/ | High | Very Low |
## External contacts
The Puma team is reachable via their public GitHub issue tracker. Security issues are reported privately to the maintainer, Evan Phoenix.
## Security posture
The Puma server parses HTTP requests from clients and hands them to Rack and Rails, where RR code interprets them. A flaw in that parsing could lead to a DoS or, in the worst case, to request smuggling. Therefore, Puma is considered a critical dependency for the security of RR.
## Abandonment risk
The Puma community is vibrant and has multiple private sponsors. It is considered very unlikely that Puma would be abandoned.
## Versioning policy
Presently, RR uses the Puma 7.x branch, as recommended by Rails 8. This version is still supported upstream for security fixes.
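A policy like the one above is only useful if something enforces it. The following Ruby script is an added example, not part of the RR dependency record or of Puma itself: it reads the resolved Puma version out of a `Gemfile.lock` and checks that it sits on the supported 7.x branch. The lockfile text, the version numbers in it, and the function names are constructed for illustration; point the script at a real lockfile to use it in CI.

```ruby
# Added example (not part of the RR dependency record): check that the Puma
# version pinned in a Gemfile.lock sits on the branch the versioning policy
# names (7.x). The lockfile text below is constructed for illustration.

SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nio4r (2.7.3)
      puma (7.0.0)
        nio4r (~> 2.0)
      rack (3.1.8)

  PLATFORMS
    ruby

  DEPENDENCIES
    puma (~> 7.0)
    rack
LOCK

SUPPORTED_PUMA_MAJOR = 7 # the branch named in the versioning policy

# Returns the resolved Puma version from the `specs:` block, or nil if Puma
# is not locked. Resolved spec lines sit at exactly 4 spaces of indentation;
# their own dependencies (6 spaces) and the DEPENDENCIES section (2 spaces)
# are deliberately not matched, so a `puma (~> 7.0)` constraint is ignored.
def locked_puma_version(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}puma \(([0-9][^)]*)\)\s*\z/)
    return m[1] if m
  end
  nil
end

# True when the locked version is on the supported major branch.
# Gem::Version handles pre-release suffixes (e.g. "7.1.0.beta1") correctly.
def puma_within_policy?(version, major: SUPPORTED_PUMA_MAJOR)
  return false if version.nil?

  Gem::Version.new(version).segments.first == major
end

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0]
  text = path ? File.read(path) : SAMPLE_LOCKFILE
  version = locked_puma_version(text)
  if puma_within_policy?(version)
    puts "puma #{version}: on the supported #{SUPPORTED_PUMA_MAJOR}.x branch"
  else
    warn "puma #{version.inspect}: outside the supported branch, review before deploying"
    exit 1
  end
end
```

Run it as `ruby check_puma.rb Gemfile.lock`; a non-zero exit when the locked version leaves the supported branch lets a pipeline fail closed rather than silently shipping an unsupported server.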