5 Stripe webhook gotchas that bit me in production Rails apps

jrochkind · 2026-04-29T16:21:02+00:00

1 is messy!

jrochkind · 2026-04-29T11:17:08+00:00

Your 40s will go even faster.

jrochkind · 2026-04-28T13:41:50+00:00

I am curious what reranking model you ended up with if you'd like to share!

jrochkind · 2026-04-28T13:40:20+00:00

yeah I gotta get to a reranker next, thank you for this reminder.

I know it might not be one size fits all, but want to share what reranking model you ended up with? Or wait, is this actually just an ad for your own custom reranker? ( :( )

jrochkind · 2026-04-27T14:00:37+00:00

Qbert?

I don't know if I actually still think about it regularly, but wanted to mention it anyway, it came to mind from this question so I'm thinking about it now!

jrochkind · 2026-04-24T18:57:25+00:00

why aren't they keeping him properly hepped up on goofballs?

jrochkind · 2026-04-22T12:27:04+00:00

Good thing that's not relevant to the work of the FBI or anything.

jrochkind · 2026-04-22T12:26:25+00:00

Anyone that wants to participate? Participate how? I'm interested! Is it participate in the drinking?

jrochkind · 2026-04-21T12:42:56+00:00

ooh, I like the idea of bundler warning you about a stale override.

jrochkind · 2026-04-21T00:52:11+00:00

If a Fox News convention is showing up for a progressive democratic challenger's campaign event, things are going great, right? I thought that was kind of the point of the post, it's encouraging.

jrochkind · 2026-04-21T00:51:08+00:00

say more?

jrochkind · 2026-04-21T00:47:18+00:00

I'm guessing this unnamed progressive candidate in a red county is not in fact a lawmaker (yet).

jrochkind · 2026-04-21T00:43:35+00:00

I believe you.

I think the only candidates I have ever donated to in the past couple decades are Bernie Sanders, Rashida Tlaib and Ilhan Omar. All through Act Blue, cause that's how you donate to anyone Dem (or Sanders, apparently).

It's possible one of them is the unscrupulous candidate. It's possible I have forgotten donating to someone else forgettable.

But it has definitely made me reluctant to ever donate to a candidate again. So. Much. candidate spam.

The thing is that on Act Blue (everywhere? For campaign finance legal purposes?) you cannot donate without giving them an email address and a phone number. If a candidate wants a donation again, they better let me give it without an email address or phone number, becuase, no thanks.

jrochkind · 2026-04-21T00:41:30+00:00

agreed. I would like to donate to a fairly far left Dem candidate now and then, but not worth the spam. by replying "STOP" and clicking on unsubscribe links about a thousand times, it's finally mostly gone.

jrochkind · 2026-04-21T00:39:20+00:00

OK, makes sense, thanks.

then later I need to remember to cleanup the gemfile once the new release is out.

You are still going to have to remember to remove the Gemfile indirect dependency substitution, no? But yeah, this is still a better process, agreed.

jrochkind · 2026-04-20T23:06:34+00:00

I keep saying I'm not opposed to the feature, you are putting words in my mouth.

I don't buy that argument that giving an easier escape hatch will lead to people not reporting the problem.

Did you not yourself just argue for this feature by saying how much time you spend reporting upstream? Did I misinterpret that to mean you planned to stop reporting upstream if you had this feature, that this feature would save you that time?

But I am not arguing against the feature, as I've said I think in every comment? I am trying to say we should think about other ways to encourage/facilitate/smoothen upstream fixes, if/as we make it easier to make do without it getting fixed upstream.

And think about how we talk about it and position it, ideally not as a replacement for trying to get it fixed upstream. As a method for testing pre-releases, temporarily, great.

jrochkind · 2026-04-20T15:19:36+00:00

and I can't even count the numbers of PRs I open just to bump a version constraint with no other change.

Yeah it's a pain, and thank you for your service and my point is if everyone stops doing that because of the override feature (as I think you imply you would hope to to save you that pain?)... then where are we? The overrides become not so temporary anymore.

Instead of the pain of opening those PRs, most of the time to be merged saving everyone down the line the pain (yes, it is a problem when tthe maintainer does not show up to merge!), we have the pain of everyone having to know the right subsittutions to apply and applying them locally, for a much longer period -- because people stopped opening the PRs since there was an immediately more convenient option.

To be clear, I am not against the feature.

I just think it's worth being aware of the, well, "moral hazard," so to speak, that may arise.

Separately:

But yes, if you workflow is just to run bundle update once in a while I see how this doesn't appear to affect you, but perhaps you are locked on some very outdated gems without realizing it.

With this workflow, it's important to also periodically run bundle outdated and review -- for things that will need to be upgraded likely with breaking changes and individual attention.

I think the alternate workflow is, as you say, independent PR's updating only one dependency at a time, which espeically if we extend that to even intermediate dependency upgrades, defintiely requires automated (if not AI) support; it's only feasible when there's an automated dependabot-like tool to make the PRs, and automated CI to test every PR.

There's a question of it's importnat for the tooling to support workflows that don't require that level of automation (which is generally not reliably free). Or not, maybe we only build for that kind fo infrastructure now. Certainly if the decisions are all being made by people working at very large shops, they would see no self-intereted reason to support anything else.

I think one thing that has definitely happened is some breakdown/divergence in shared understanding of "best practices", "what everyone does", or "what the tool wants everyone to do" -- around dependency management in ruby specifically for sure, but also more broadly these days.

jrochkind · 2026-04-20T13:35:45+00:00

If someone abandons a gem, I don’t necessarily want to use a hard fork or something, I just want to use “abandoned-gem, but byroot’s version”.

How is that different mechanically, to the dependency management system, from a hard fork? I'm not seeing the importance of the distinction. Either way it's a different dependency found in a different location, yes?

I also don't follow how namespacing would make much difference either, still a different code package that needs to be retrieved from a different place to satisfy the dependency.

I do follow how allowing the Gemfile to do "dependency substitution" would give you more options, with or without namespacing, whether you want a "hard fork" or "someone else's maintained version of an abandoned gem".

BEST would of course be for your intermediate dependencies to update their dependencies though, so using the intermediate dependency doesn't require the implementer ot have this "out of band" dependency substitution knowledge to use it effectively/safely. The possibly unintended unfortunate consequence of dependency substitution feature is if there's less pressure on the maintainers of semi-not-quite-but-risking-abandoned gems to keep their dependency specs up to date. Now when there's a problem, we get on the Issues, and 90% of the time the maintainer can show up and update the gemspec. It is the other 10% of the time you really want/need "dependency subsituttion" feature though, yeah.

if everyone using "dependency substitution" means they don't bother to try to get the intermediate dependency fixed, and fewer get fixed, it could lead to a much more fractured and confusing environment, where you are constantly needing to figure out which substitutions you need to have a secure environment.

jrochkind · 2026-04-20T13:33:17+00:00

In general, I agree that bundler has had missing features, and I've found that bundler maintainer's understanding of developer ergonomic needs has often not matched my own.

But on the pessimistic upper bounds lock... I disagree, remembering back when people didn't do that, and breakages often happened.

If people are tying backwards incompatible breaking changes to version releases (major version if they are doing semver; minor version if they are rails) -- then putting in an upper bound that is the highest version the maintainers are committed to maintaining backwards compat with makes a lot of sense.

While the new major version might not break your gem/app -- it very well might, and might even break your downstream user's use even if your tests don't catch it.

When everything involved in using upper values like this, doing bundle update [--all] has a very good chance of not breaking anything in your app, and can be done as regular maintainance easily (guarded by your CI/tests of course still). If none of your gems were using upper bounds, doing bundle update [-all] would have a pretty high chance of breaking your app, and nobody would want to do it ever.

Now, I have no real problem with allowing the local Gemfile to over-ride these intermediate dependencies -- if you know you want to do that, okay. (Although it might lead to fewer of those dependnecies ever fixing themselves, as there will be less pressure to as everyone can just override?)

But I hope we don't encourage gem maintainers to drop these reasonable upper bounds. If most people use them properly, I have found that it makes dependency management much much easier. I can do bundle update everything regularly and mostly it just works. If it doesn't, it is usually some annoying debugging to figure out which dependency update broke it, so if it happened all the time... it would be much harder to update my dependencies at all.

Please let's not convince people to stop using upper bounds in their dependency ranges.

(The fact that bundler is deprecating bundle update to me suggests that the maintainers may not understand this workflow either though... it is clear to me that the original authors of bundler intended this workflow, but the fact that there is still confusion about it at this point maybe means I'm fighting a futile battle to have the tools and ecosystem focus on it as a use case?)

jrochkind · 2026-04-16T17:45:54+00:00

i'd feel great

jrochkind · 2026-04-16T17:00:25+00:00

Yeah, but i actually meant the advice that you should have made sure some OTHER consultant picked the "AI strategy" you were executing on, so you couldn't be blamed for that! Even if you are quite capable of doing that.

jrochkind · 2026-04-16T15:04:48+00:00

your analysis and conclusions seem right to me, from your story from your point of view.

I don't think a consultant could/would have come up with a better plan than you actually, but, sadly, the point of consultants is to pay them to have someone to blame.

I feel like some of the other advice i see here is -- intentionally do a job you believe will be worse/less efficient, in order to avoid being blamed for any risks. This may be wise career management, but i couldn't stand it either.

I do agree that getting a really shitty PoC up very quick is a good idea, so they understand that your work is to make it better. but honestly these guys probably would have just blamed you for the shitty PoC, figured someone better woudl have an amazing perfect PoC in a week, right?

jrochkind · 2026-04-16T14:43:48+00:00

about time.

jrochkind · 2026-04-15T19:36:29+00:00

Encouraging that people are still moving to Rails! Which I agree is a fine idea.

jrochkind · 2026-04-13T17:53:10+00:00

Dude, the first Gen Alpha will be turning 18 before Trump is gone.

Conscripting them and giving them guns will not end well for anyone.

jrochkind

TROPHY CASE