
Deploy log cleanup / hardening (casa-qa v3413) #7040

Description

@compwron

Deploy log cleanup / hardening

The casa-qa Heroku build (v3413, Heroku-26 stack) succeeds and deploys, but the build log surfaces several warnings worth cleaning up. Full TODO plan gist: https://gist.github.com/compwron/56813f4c5a6665d6d284c7d50b3d8f07

Items inline below, roughly in priority order.

High priority (real impact)

  • Disable on-demand asset compilation in production. Log warns config.assets.compile = true in production. Assets are already precompiled at build time (rake assets:precompile runs fine), so on-demand compile only adds request latency and load. → Set config.assets.compile = false in config/environments/production.rb.
  • Commit a normalized Gemfile.lock. Build warns ffi-1.17.2 platform-specific gem is installed but the lockfile only has the generic ruby version. → Run bundle lock --normalize-platforms (or bundle lock --add-platform x86_64-linux) and commit the updated Gemfile.lock.
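Added example (not part of this issue or the casa code base): a small Ruby preflight that checks for the two high-priority findings above before a deploy, reading the production environment file for `config.assets.compile = true` and parsing the `PLATFORMS` section of a `Gemfile.lock` to confirm the deploy platform (assumed here to be `x86_64-linux`) is recorded. The file contents embedded below are constructed samples, not the project's real files.

```ruby
# Pre-deploy checks for the two high-priority warnings in the build log.
# Added example; not from the casa project. Sample inputs are constructed.

# True when the environment file sets config.assets.compile to true.
# Text after a "#" is dropped first so a commented-out default is ignored.
def assets_compile_enabled?(env_rb)
  env_rb.each_line.any? do |line|
    code = line.split("#", 2).first.to_s
    code.match?(/\bconfig\.assets\.compile\s*=\s*true\b/)
  end
end

# Platforms listed in the PLATFORMS section of a Gemfile.lock.
# Section headers (GEM, PLATFORMS, DEPENDENCIES, ...) are unindented;
# the entries under them are indented.
def lockfile_platforms(lock)
  platforms = []
  in_platforms = false
  lock.each_line do |line|
    if line =~ /\A\S/                      # unindented: a new section starts
      in_platforms = line.strip == "PLATFORMS"
      next
    end
    platforms << line.strip if in_platforms && !line.strip.empty?
  end
  platforms
end

# True when the lockfile records the given platform, so Bundler can resolve
# platform-specific gems (such as ffi) without re-resolving at build time.
def lockfile_covers?(lock, platform)
  lockfile_platforms(lock).include?(platform)
end

# Collects human-readable problems; an empty array means the checks passed.
def deploy_preflight(env_rb:, lock:, platform: "x86_64-linux")
  problems = []
  problems << "config.assets.compile is true in production" if assets_compile_enabled?(env_rb)
  problems << "Gemfile.lock PLATFORMS lacks #{platform}" unless lockfile_covers?(lock, platform)
  problems
end

# Constructed sample: production.rb before and after the fix.
PRODUCTION_RB_BEFORE = <<~RUBY
  Rails.application.configure do
    # config.assets.compile = false
    config.assets.compile = true
  end
RUBY
PRODUCTION_RB_AFTER = PRODUCTION_RB_BEFORE.sub("compile = true", "compile = false")

# Constructed sample: a lockfile with only the generic "ruby" platform,
# and the same lockfile after `bundle lock --add-platform x86_64-linux`.
GEMFILE_LOCK_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      ffi (1.17.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    ffi
LOCK
GEMFILE_LOCK_AFTER = GEMFILE_LOCK_BEFORE.sub("PLATFORMS\n  ruby\n",
                                             "PLATFORMS\n  ruby\n  x86_64-linux\n")

if __FILE__ == $PROGRAM_NAME
  puts "before: #{deploy_preflight(env_rb: PRODUCTION_RB_BEFORE, lock: GEMFILE_LOCK_BEFORE).inspect}"
  puts "after:  #{deploy_preflight(env_rb: PRODUCTION_RB_AFTER, lock: GEMFILE_LOCK_AFTER).inspect}"
end
```

Run it against the real files with `File.read("config/environments/production.rb")` and `File.read("Gemfile.lock")`; a non-empty result is the list of items still to fix.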

Medium priority (hygiene)

  • Address npm vulnerabilities. 4 vulnerabilities (3 moderate, 1 high) in the full tree; 1 moderate remains in production deps after pruning. → Run npm audit, then npm audit fix. Note EOL/vulnerable build tooling: eslint@8.57.1, glob@10.5.0.
  • Bump Ruby patch version. Deploying on ruby-4.0.3; Heroku recommends 4.0.5 (security + bug fixes). → Update .ruby-version to 4.0.5, test, redeploy.
  • Verify the release-phase command actually succeeded. A release command is declared (this new release will not be available until the command succeeds); the log ends before showing its output. → Confirm the release/migration step passed in the release-phase logs.
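Added example (not part of this issue or the casa code base) for the npm audit item: a Ruby gate that reads the JSON `npm audit --json` produces and decides whether a deploy should proceed. The field names follow the npm 7+ audit report format (per-package entries with `severity`, `isDirect` and `fixAvailable`, plus `metadata.vulnerabilities` totals). The two reports below are constructed to mirror the counts in the log (4 findings in the full tree, 1 moderate left in production deps after `npm audit --omit=dev`); the package names are placeholders.

```ruby
require "json"

# Turns an `npm audit --json` report into a deploy gate.
# Added example; not from the casa project. Sample reports are constructed.

SEVERITY_ORDER = %w[info low moderate high critical].freeze

# Findings per severity, counted from the per-package entries so the
# result does not depend on the metadata block being present.
def severity_counts(report)
  counts = Hash.new(0)
  report.fetch("vulnerabilities", {}).each_value { |v| counts[v["severity"]] += 1 }
  counts
end

# Package names whose severity is at or above the threshold.
# An unrecognised severity string is treated as the lowest level.
def findings_at_or_above(report, threshold)
  min = SEVERITY_ORDER.index(threshold)
  report.fetch("vulnerabilities", {})
        .select { |_, v| SEVERITY_ORDER.index(v["severity"]).to_i >= min }
        .keys
end

# Gate result: pass/fail, what blocks, per-severity counts, and which findings
# `npm audit fix` can address. "fixAvailable" is true when a non-breaking fix
# exists, false when there is none, and an object when the fix is a major
# bump (which npm only applies with --force); the object case is kept separate.
def audit_gate(json_text, threshold: "high")
  report = JSON.parse(json_text)
  vulns = report.fetch("vulnerabilities", {})
  blocking = findings_at_or_above(report, threshold)
  {
    pass: blocking.empty?,
    blocking: blocking,
    counts: severity_counts(report),
    fixable: vulns.select { |_, v| v["fixAvailable"] == true }.keys,
    fixable_with_force: vulns.select { |_, v| v["fixAvailable"].is_a?(Hash) }.keys,
  }
end

# Constructed sample: full tree (dev + prod), 3 moderate + 1 high.
SAMPLE_AUDIT_JSON = <<~JSON
  {
    "auditReportVersion": 2,
    "vulnerabilities": {
      "dev-tool-a": {"name": "dev-tool-a", "severity": "moderate", "isDirect": false, "fixAvailable": true},
      "dev-tool-b": {"name": "dev-tool-b", "severity": "moderate", "isDirect": false, "fixAvailable": true},
      "dev-tool-c": {"name": "dev-tool-c", "severity": "high", "isDirect": true,
                     "fixAvailable": {"name": "dev-tool-c", "version": "2.0.0", "isSemVerMajor": true}},
      "runtime-lib": {"name": "runtime-lib", "severity": "moderate", "isDirect": false, "fixAvailable": false}
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 3, "high": 1, "critical": 0, "total": 4}}
  }
JSON

# Constructed sample: the same project audited with --omit=dev.
SAMPLE_PROD_AUDIT_JSON = <<~JSON
  {
    "auditReportVersion": 2,
    "vulnerabilities": {
      "runtime-lib": {"name": "runtime-lib", "severity": "moderate", "isDirect": false, "fixAvailable": false}
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 0, "critical": 0, "total": 1}}
  }
JSON

if __FILE__ == $PROGRAM_NAME
  puts "full tree: #{audit_gate(SAMPLE_AUDIT_JSON).inspect}"
  puts "prod only: #{audit_gate(SAMPLE_PROD_AUDIT_JSON).inspect}"
end
```

In CI the input would be `audit_gate(`npm audit --json --omit=dev`)`; gating production deps at "high" matches the state this log reports (the remaining production finding is moderate, so the gate passes while the full-tree report still fails on the high finding).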

Low priority (noise / optional)

  • Refresh deprecated npm packages. Transitive deprecations from build/lint tooling: rimraf@3, glob@7/glob@10.5.0, inflight@1.0.6 (memory leak), coffee-script, lodash.template, whatwg-encoding@3.1.1. Runtime unaffected — candidate for a dependency refresh.
  • Review npm install-script allowlist. esbuild@0.28.1 and unrs-resolver@1.12.2 have install scripts not yet on allowScripts. Build works; review/approve only if hardening the supply chain.
  • (Cosmetic) npm minor upgrade available 11.16.0 → 11.18.0.

Notes

  • The one-time cache purge (Changing stack from heroku-22 to heroku-26) explains this build's slowness. Subsequent builds should be cached again — no action needed.
