# pact-ruby
m
hello there Pact team, I was wondering if there are plans to update the standalone ruby pact cli to use a new version of ruby? I know traveling ruby isn't something that has been updated for donkey's years, but are there other options to look into? We would love to use it as a universal way to chat to pactflow across teams, independent of the tech stack, however we can't allow the vulnerabilities within that package to travel along the environments unfortunately.
y
Hey hey, it opens up a can of worms 🙂 There seems to be very little movement in any of the ruby packagers, and we've been migrating functionality over to the rust core (equivalent ruby-based distribs have ported over to go/rust over time for easier cross-platform distrib).

https://github.com/pact-foundation/pact-ruby-standalone/issues/70#issuecomment-961729859
https://github.com/pact-foundation/pact-ruby-standalone/issues/95#issuecomment-1497398831

Some comments regarding the above. I've been watching a couple of forks, and had a bit of a play yesterday at getting ruby 3.1.2 support for osx/linux & windows, and including aarch64 support for linux/osx. I've been successful so far, but it's a complex tool-chain and issues may arise which are outside of our expertise. I'm creating CI builds for them, and will provide the fixes upstream, but I'm unsure if and when they may be merged.

Couple of questions:
1. What part of the pact-ruby-standalone are you interested in using?
2. Is there the ability to use it via the docker pact-cli image, which uses ruby 3.x?
3. Which vulnerabilities have you identified, and how have you found them?
4. What is your team's/company's policy towards open source in terms of vulnerabilities/support? Is there support/capacity provided by your teams to help fix the toolchain you use, or is the onus on the library maintainers?

Generally the core pact team is very small, I would imagine it's probably smaller than the numbers in your team(s), so although we would love to support all the things, it's a delicate balancing act. We would love to see all the equivalent operations provided by the pact-ruby-standalone available in rust CLIs; we already have several here: https://github.com/pact-foundation/pact-reference/tree/master/rust

I'll look to work with other maintainers this year to map out parity equivalence between the ruby-standalone and rust libs, and provide good first tasks that community members can pick up.
m
Hey! Thanks very much for the response. From our side:
1. We are using `pact-broker` and `pactflow`, in the future likely to use `pact-mock-service`.
2. Yes, I am currently looking into running this as a service as an alternative.
3. Can't currently find the exact vulnerability, sorry, as it was from last week or so and the branch has since been deleted, but it was going through our usual security checks in the pipeline (to preinstall the standalone to our jenkins pods).
4. We're currently weighing all options and thus looking into the dockerised solution you offer instead. Unsure of open source contribution policies but will defo have a look, as I'm keen on working with some rust 👀 So I'll look out for any good first tasks to pick up in spare time anyway 👍

I think for now I will look into that dockerised option (tho I want to run it as a service rather than spin up a pod each time - some workaround required). In the meantime, will keep an eye on that rust repo 🙂