APPS-7784 Resolve dependency issues

[zendesk-subhasish]

✌️

/cc @zendesk/vegemite

Description

This changes are to resolving dependencies issue by upgrading gems version.

References

• JIRA: https://zendesk.atlassian.net/browse/APPS-7784

Risks

[low] version upgrade for few gems

[Copilot]

Pull request overview

This PR upgrades several critical Ruby gem dependencies to resolve dependency compatibility issues. The changes involve major version upgrades for core web server components including Sinatra (v1-2 → v4), Thin (v1.8 → v2.0), and Rack (implicit → v3.0), along with an attempted upgrade of Nokogiri.

Key Changes:

• Major version upgrades to Sinatra 4.1.0, Thin 2.0.0, and explicit Rack 3.0.0 dependency
• Updated nokogiri version specification (though the specified version appears invalid)
• Corresponding Gemfile.lock updates reflecting new dependency tree including new transitive dependencies (base64, logger, rack-session)

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 5 comments.

File	Description
zendesk_apps_tools.gemspec	Updates runtime dependencies with major version bumps for thin, sinatra, rack, and nokogiri
Gemfile.lock	Reflects resolved dependency tree with upgraded versions and new transitive dependencies required by Sinatra 4.x and Rack 3.x

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The sinatra version is being upgraded from >= 1.4.6, < 2.3.0 to ~> 4.1.0, which is a major version jump (from v1-2 to v4). Sinatra 4.x introduced breaking changes including:

• Requires Ruby 3.0+
• Rack 3.x compatibility (now required)
• Changes to session handling and middleware stack

While the PR description mentions this is to resolve dependency issues, ensure that:

1. The codebase has been tested with Sinatra 4.x
2. Any breaking API changes have been addressed
3. Session handling code has been reviewed for compatibility

The risk level should likely be higher than "low" given this is a multi-major-version upgrade.

[zendesk-subhasish]

The changes has been tested locally.

[Copilot]

Given the significant dependency upgrades (especially Sinatra from v1-2 to v4, and Thin from v1.8 to v2.0), test coverage is critical to ensure backward compatibility and catch breaking changes.

The PR description indicates tests have not been written yet. Please ensure:

1. Existing test suites pass with the new dependency versions
2. Additional tests are added to cover any changed behavior due to the upgrades
3. Integration tests verify that the server (thin + sinatra) still functions correctly with Rack 3.x

The repository has comprehensive test coverage (spec/ and features/ directories), so maintaining this standard is important.

[mmassaki]

Consider using ~> 1.18 to allow minor version updates?

[zendesk-subhasish]

We got a dependency alert on version < 1.18.8 , so it would good to have any minor version after 1.18.8

[mmassaki]

Have you tried '~> 1.18', '>= 1.18.8'?

[zendesk-subhasish]

I tried with ~> 1.18 with this, its takes the version 1.18.10, I think it will works in tis case then.

[mmassaki]

The specification needs to be '~> 1.18', '>= 1.18.8' to not allow versions below 1.18.8. Otherwise the vulnerability can still exist in some installations.

[zendesk-subhasish]

Thats right, I have updated according to that. Thanks Marcio!