govuk_app_config 4.12.0 → 5.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7906015f743285fadae37a3b4c0754fcb3ef5d6c6d59ff5b8f67d0f0b43ce970
-  data.tar.gz: da302c7be0424e4b4b476669468e8cbb1b6a3f5b38a017ddac4999ec14e0b622
+  metadata.gz: 0bc71cc5bd08fd8564de90311775a22d6c9b6a11bfbda2924c8782be3c265ff9
+  data.tar.gz: 6d28205894b18a2b5ceaaed55967d8a55aaf7ab4e375979b1366cf42fbcd98c7
 SHA512:
-  metadata.gz: fac4b8128b250e74a9e71f165e6ca5eb431bd3f364a2efea18ceb696ce55d9e772fe73a04020811d6cbdd68341bd711fe07bc99e3f37d4ad371ea57b5446360d
-  data.tar.gz: adef9932375e8c63f002a99ef759e1a301fdfbd1f4ad21a7b089fcda8b33acf83dcb4b6c658e5ccf9872171fac6cf58c2e0a0bbfd2a31dd2fbf7323669ea746b
+  metadata.gz: 87122fbe05b408cb3578e3b983e99451f5fe0898316f31f8e87107d4a09b50f0205ea803620af3a40dc2a0459015fcb67a898359a66aa998b092a9c2d143b2cd
+  data.tar.gz: b4fe9f24dfe1f98efd3d5988f46f147b48bf869eb3e3901634efc4ceb6089d9735588d92a4574d822c68bfe9e8c219a572d69cab971c688a864b2f4e640d2052

data/.github/workflows/ci.yml

@@ -6,7 +6,7 @@ jobs:
       fail-fast: false
       matrix:
         # Due to https://github.com/actions/runner/issues/849, we have to use quotes for '3.0'
-        ruby: [2.7, '3.0', 3.1]
+        ruby: [2.7, '3.0', 3.1, 3.2]
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v3
@@ -30,6 +30,6 @@ jobs:
     if: ${{ github.ref == 'refs/heads/main' }}
     permissions:
       contents: write
-    uses: alphagov/govuk-infrastructure/.github/workflows/publish-rubygem.yaml@main
+    uses: alphagov/govuk-infrastructure/.github/workflows/publish-rubygem.yml@main
     secrets:
       GEM_HOST_API_KEY: ${{ secrets.ALPHAGOV_RUBYGEMS_API_KEY }}

data/CHANGELOG.md

@@ -1,3 +1,12 @@
+# 5.0.0
+
+* Forbid base elements in the Content Security Policy
+* BREAKING: Content Security Policy forbids unsafe-inline script-src and data: image-src. It provides a nonce generator. Apps that can't support this will need to amend their CSP configuration in an initializer, see [example](https://github.com/alphagov/signon/commit/ddcf31f5c30b8fd334e4aea74986b24bf2b0e9be) in signon. Any apps that still use jQuery 1.x will need unsafe-inline for Firefox compatibility.
+
+# 4.13.0
+
+* Flush log writes to stdout immediately so that structured (JSON) logs are not lost on crash or delayed indefinitely.
+
 # 4.12.0
 
 * Allow `https://img.youtube.com` as a CSP image source
@@ -9,148 +18,149 @@
 
 # 4.11.1
 
-- Remove govuk_i18n plural rules file
+* Remove govuk_i18n plural rules file
 
 # 4.11.0
 
-- Update Plek support to allow version 5
-- Add I18n plural rules for Welsh (cy), Maltese (mt) and Chinese (zh) since Rails-I18n has [dropped support](https://github.com/svenfuchs/rails-i18n/pull/1017) for them in 7.0.6 ([#266](https://github.com/alphagov/govuk_app_config/pull/266))
+* Update Plek support to allow version 5
+* Add I18n plural rules for Welsh (cy), Maltese (mt) and Chinese (zh) since Rails-I18n has [dropped support](https://github.com/svenfuchs/rails-i18n/pull/1017) for them in 7.0.6 ([#266](https://github.com/alphagov/govuk_app_config/pull/266))
 
 # 4.10.1
 
-- Fix an object ownership/sharing bug where the Rails log level was erroneously being set to `WARN` when initialising Sentry.
+* Fix an object ownership/sharing bug where the Rails log level was erroneously being set to `WARN` when initialising Sentry.
 
 # 4.10.0
 
-- Reduce log level for the Sentry gem from `INFO` to `WARN` to avoid polluting logs with uninformative messages. This only affects log messages from the Sentry gem itself, which go to `stdout`.
+* Reduce log level for the Sentry gem from `INFO` to `WARN` to avoid polluting logs with uninformative messages. This only affects log messages from the Sentry gem itself, which go to `stdout`.
 
 # 4.9.0
 
-- Add GovukProxy::StaticProxy to forward Static asset requests by setting `GOVUK_PROXY_STATIC_ENABLED=true`.([#261](https://github.com/alphagov/govuk_app_config/pull/261))
+* Add GovukProxy::StaticProxy to forward Static asset requests by setting `GOVUK_PROXY_STATIC_ENABLED=true`.([#261](https://github.com/alphagov/govuk_app_config/pull/261))
 
 # 4.8.0
 
-- Enables Sentry environment names for EKS versions of integration, staging and production.([#260](https://github.com/alphagov/govuk_app_config/pull/260))
+* Enables Sentry environment names for EKS versions of integration, staging and production.([#260](https://github.com/alphagov/govuk_app_config/pull/260))
 
 # 4.7.1
 
-- Fix the ability to open the Rails console (`bundle exec rails c`) when running inside a container ([#257](https://github.com/alphagov/govuk_app_config/pull/257)).
+* Fix the ability to open the Rails console (`bundle exec rails c`) when running inside a container ([#257](https://github.com/alphagov/govuk_app_config/pull/257)).
 
 # 4.7.0
 
-- Adds Prometheus Sidekiq monitoring ([#255](https://github.com/alphagov/govuk_app_config/pull/255))
+* Adds Prometheus Sidekiq monitoring ([#255](https://github.com/alphagov/govuk_app_config/pull/255))
 
 # 4.6.3
 
-- Adds `region1.google-analytics.com` to the security policy for GA ([#250](https://github.com/alphagov/govuk_app_config/pull/250))
+* Adds `region1.google-analytics.com` to the security policy for GA ([#250](https://github.com/alphagov/govuk_app_config/pull/250))
 
 # 4.6.2
 
-- Adds a new domain to the security policy for GA ([#248](https://https://github.com/alphagov/govuk_app_config/pull/248))
+* Adds a new domain to the security policy for GA ([#248](https://https://github.com/alphagov/govuk_app_config/pull/248))
 
 # 4.6.1
 
-- Fixes warning message to refer to correct Sidekiq gem dependency name ([#243](https://github.com/alphagov/govuk_app_config/pull/243)).
+* Fixes warning message to refer to correct Sidekiq gem dependency name ([#243](https://github.com/alphagov/govuk_app_config/pull/243)).
 
 # 4.6.0
 
-- Add a warning for apps using GovukError with Sidekiq that don't have sentry-sidekiq installed ([#241](https://github.com/alphagov/govuk_app_config/pull/241)).
-- Add internal Sidekiq exception "Sidekiq::JobRetry::Skip" to excluded exceptions ([#241](https://github.com/alphagov/govuk_app_config/pull/241)).
+* Add a warning for apps using GovukError with Sidekiq that don't have sentry-sidekiq installed ([#241](https://github.com/alphagov/govuk_app_config/pull/241)).
+* Add internal Sidekiq exception "Sidekiq::JobRetry::Skip" to excluded exceptions ([#241](https://github.com/alphagov/govuk_app_config/pull/241)).
 
 # 4.5.0
 
-- Add lux.speedcurve.com to connect_src for GOV.UK Content Security Policy ([#232](https://github.com/alphagov/govuk_app_config/pull/232))
-- Fix prometheus_exporter to only be enabled when the GOVUK_PROMETHEUS_EXPORTER env var is set to "true" ([#231](https://github.com/alphagov/govuk_app_config/pull/231)).
-- Add Prometheus monitoring for EKS section to README.md ([#231](https://github.com/alphagov/govuk_app_config/pull/231)).
-- Fix govuk_error being incompatible with Ruby >= 3 ([#233](https://github.com/alphagov/govuk_app_config/pull/233))
-- Require Ruby 2.7 as the minimum supported Ruby version ([#233](https://github.com/alphagov/govuk_app_config/pull/233))
-- Require Sentry 5 and Unicorn 6 major versions ([#237](https://github.com/alphagov/govuk_app_config/pull/237))
-- Prevent sentry-rails logger warnings when govuk_error is used with non-Rails apps ([#234](https://github.com/alphagov/govuk_app_config/pull/234))
+* Add lux.speedcurve.com to connect_src for GOV.UK Content Security Policy ([#232](https://github.com/alphagov/govuk_app_config/pull/232))
+* Fix prometheus_exporter to only be enabled when the GOVUK_PROMETHEUS_EXPORTER env var is set to "true" ([#231](https://github.com/alphagov/govuk_app_config/pull/231)).
+* Add Prometheus monitoring for EKS section to README.md ([#231](https://github.com/alphagov/govuk_app_config/pull/231)).
+* Fix govuk_error being incompatible with Ruby >= 3 ([#233](https://github.com/alphagov/govuk_app_config/pull/233))
+* Require Ruby 2.7 as the minimum supported Ruby version ([#233](https://github.com/alphagov/govuk_app_config/pull/233))
+* Require Sentry 5 and Unicorn 6 major versions ([#237](https://github.com/alphagov/govuk_app_config/pull/237))
+* Prevent sentry-rails logger warnings when govuk_error is used with non-Rails apps ([#234](https://github.com/alphagov/govuk_app_config/pull/234))
 
 # 4.4.3
 
-- Update prometheus exporter server to 0.0.0.0 from localhost  ([#227](https://github.com/alphagov/govuk_app_config/pull/227)).
+* Update prometheus exporter server to 0.0.0.0 from localhost  ([#227](https://github.com/alphagov/govuk_app_config/pull/227)).
 
 # 4.4.2
 
-- Update HMPO webchat address in security policy ([#225](https://github.com/alphagov/govuk_app_config/pull/225)).
+* Update HMPO webchat address in security policy ([#225](https://github.com/alphagov/govuk_app_config/pull/225)).
 
 # 4.4.1
 
-- Fix issue where GovukPrometheusExporter module prevented the gem to load due to missing constant "PrometheusExporter" ([#224](https://github.com/alphagov/govuk_app_config/pull/224)).
-- Lazy load the prometheus_exporter dependency for only apps that use GovukPrometheusExporter ([#224](https://github.com/alphagov/govuk_app_config/pull/224)).
+* Fix issue where GovukPrometheusExporter module prevented the gem to load due to missing constant "PrometheusExporter" ([#224](https://github.com/alphagov/govuk_app_config/pull/224)).
+* Lazy load the prometheus_exporter dependency for only apps that use GovukPrometheusExporter ([#224](https://github.com/alphagov/govuk_app_config/pull/224)).
 
 # 4.4.0
 
-- Add GovukPrometheusModule, to allow for export of prometheus metrics ([#223](https://github.com/alphagov/govuk_app_config/pull/223)).
+* Add GovukPrometheusModule, to allow for export of prometheus metrics ([#223](https://github.com/alphagov/govuk_app_config/pull/223)).
 
 # 4.3.0
 
-- Remove Speedcurve's LUX from the connect-src policy ([#216](https://github.com/alphagov/govuk_app_config/pull/216)).
+* Remove Speedcurve's LUX from the connect-src policy ([#216](https://github.com/alphagov/govuk_app_config/pull/216)).
 
 # 4.2.0
 
-- Add pluralisation rules for Azerbaijani, Persian, Georgian, and Turkish. ([#219](https://github.com/alphagov/govuk_app_config/pull/219))
+* Add pluralisation rules for Azerbaijani, Persian, Georgian, and Turkish. ([#219](https://github.com/alphagov/govuk_app_config/pull/219))
 
 # 4.1.0
 
-- Add Puma to dependencies ([#214](https://github.com/alphagov/govuk_app_config/pull/214)).
+* Add Puma to dependencies ([#214](https://github.com/alphagov/govuk_app_config/pull/214)).
 
 # 4.0.1
 
-- Update Content Security Policy with new klick2contact.com subdomain ([#213](https://github.com/alphagov/govuk_app_config/pull/213)).
+* Update Content Security Policy with new klick2contact.com subdomain ([#213](https://github.com/alphagov/govuk_app_config/pull/213)).
 
 # 4.0.0
 
-- BREAKING: replaces deprecated `sentry-raven` with `sentry-ruby` and `sentry-rails`. Follow the **[migration guide](https://docs.sentry.io/platforms/ruby/migration/)** before upgrading to this version of govuk_app_config to ensure full compatibility with the new gems.
-- BREAKING: `GovukError.configure` can only be called once, and non-Rails apps will have to manually call `GovukError.configure` in order to initialise Sentry.
-- BREAKING: apps will no longer increment the `error_reports_failed` statsd if events fail to get sent to Sentry.
-- BREAKING: the behaviour of `before_send` has changed, and the `should_capture` method is deprecated.
-- See pre-release notes below for details.
-- PR: [#212](https://github.com/alphagov/govuk_app_config/pull/212)
+* BREAKING: replaces deprecated `sentry-raven` with `sentry-ruby` and `sentry-rails`. Follow the **[migration guide](https://docs.sentry.io/platforms/ruby/migration/)** before upgrading to this version of govuk_app_config to ensure full compatibility with the new gems.
+* BREAKING: `GovukError.configure` can only be called once, and non-Rails apps will have to manually call `GovukError.configure` in order to initialise Sentry.
+* BREAKING: apps will no longer increment the `error_reports_failed` statsd if events fail to get sent to Sentry.
+* BREAKING: the behaviour of `before_send` has changed, and the `should_capture` method is deprecated.
+* See pre-release notes below for details.
+* PR: [#212](https://github.com/alphagov/govuk_app_config/pull/212)
 
 # 4.0.0.pre.4
 
-- Fix Sentry client initialisation ([#205](https://github.com/alphagov/govuk_app_config/pull/205)).
-- BREAKING: non-Rails apps will need to manually call `GovukError.configure` in order to initialise Sentry.
-- BREAKING: `GovukError.configure` can only be called once by the downstream application.
+* Fix Sentry client initialisation ([#205](https://github.com/alphagov/govuk_app_config/pull/205)).
+* BREAKING: non-Rails apps will need to manually call `GovukError.configure` in order to initialise Sentry.
+* BREAKING: `GovukError.configure` can only be called once by the downstream application.
 
 # 4.0.0.pre.3
 
-- Include [sentry-rails](https://github.com/getsentry/sentry-ruby/tree/master/sentry-rails) by default ([#203](https://github.com/alphagov/govuk_app_config/pull/203)).
+* Include [sentry-rails](https://github.com/getsentry/sentry-ruby/tree/master/sentry-rails) by default ([#203](https://github.com/alphagov/govuk_app_config/pull/203)).
 
 # 4.0.0.pre.2
 
-- Fix default Sentry configuration ([#202](https://github.com/alphagov/govuk_app_config/pull/202)).
-- BREAKING: this means no more `silence_ready` or `transport_failure_callback` options.
+* Fix default Sentry configuration ([#202](https://github.com/alphagov/govuk_app_config/pull/202)).
+* BREAKING: this means no more `silence_ready` or `transport_failure_callback` options.
 
 # 4.0.0.pre.1
 
-- BREAKING: upgrades Sentry gem from `sentry-raven` to `sentry-ruby` ([#199](https://github.com/alphagov/govuk_app_config/pull/199)). There is a **[migration guide](https://docs.sentry.io/platforms/ruby/migration/)** you should follow before upgrading to this version of govuk_app_config.
-- This release also fixes the `data_sync_excluded_exceptions` behaviour that was broken in v3.1.0 (later fixed in v3.3.0, which was released after 4.0.0.pre.1).
-- Released as a pre-release to identify and fix any problems before a wider rollout.
+* BREAKING: upgrades Sentry gem from `sentry-raven` to `sentry-ruby` ([#199](https://github.com/alphagov/govuk_app_config/pull/199)). There is a **[migration guide](https://docs.sentry.io/platforms/ruby/migration/)** you should follow before upgrading to this version of govuk_app_config.
+* This release also fixes the `data_sync_excluded_exceptions` behaviour that was broken in v3.1.0 (later fixed in v3.3.0, which was released after 4.0.0.pre.1).
+* Released as a pre-release to identify and fix any problems before a wider rollout.
 
 # 3.3.0
 
-- Revert the `should_capture`/`before_send` consolidation introduced in 3.1.0. This fixes the `data_sync_excluded_exceptions` behaviour that has been broken since v3.1.0. ([#211](https://github.com/alphagov/govuk_app_config/pull/211))
+* Revert the `should_capture`/`before_send` consolidation introduced in 3.1.0. This fixes the `data_sync_excluded_exceptions` behaviour that has been broken since v3.1.0. ([#211](https://github.com/alphagov/govuk_app_config/pull/211))
 
 # 3.2.0
 
-- Add Speedcurve's LUX to connect-src policy ([#206](https://github.com/alphagov/govuk_app_config/pull/206))
+* Add Speedcurve's LUX to connect-src policy ([#206](https://github.com/alphagov/govuk_app_config/pull/206))
 
 # 3.1.1
 
-- Fix the new before_send behaviour & tests, and add documentation ([#197](https://github.com/alphagov/govuk_app_config/pull/197))
+* Fix the new before_send behaviour & tests, and add documentation ([#197](https://github.com/alphagov/govuk_app_config/pull/197))
 
 # 3.1.0
 
-- Remove support for `should_capture` callbacks in favour of `before_send` ([#196](https://github.com/alphagov/govuk_app_config/pull/196))
+* Remove support for `should_capture` callbacks in favour of `before_send` ([#196](https://github.com/alphagov/govuk_app_config/pull/196))
 
 # 3.0.0
 
 * BREAKING: Implement RFC 141 - remove unsuitable healthchecks and return a 500 on healthcheck failure ([#193](https://github.com/alphagov/govuk_app_config/pull/193))
 
 # 2.10.0
+
 * Allow LUX domain on img-src policy ([#191](https://github.com/alphagov/govuk_app_config/pull/191))
 
 # 2.9.1

data/lib/govuk_app_config/govuk_content_security_policy.rb

@@ -28,13 +28,12 @@ module GovukContentSecurityPolicy
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
     policy.default_src :self
 
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri
+    policy.base_uri :none
+
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
+    # Note: we purposely don't include `data:` here because it produces a security risk.
     policy.img_src :self,
-                   # This allows Base64 encoded images, but is a security
-                   # risk as it can embed third party resources.
-                   # As of December 2022, we intend to remove this prior
-                   # to making the CSP live.
-                   :data,
                    *GOVUK_DOMAINS,
                    *GOOGLE_ANALYTICS_DOMAINS, # Tracking pixels
                    # Speedcurve real user monitoring (RUM) - as per: https://support.speedcurve.com/docs/add-rum-to-your-csp
@@ -45,25 +44,28 @@ module GovukContentSecurityPolicy
                    "https://img.youtube.com"
 
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
+    # Note: we purposely don't include `data:`, `unsafe-inline` or `unsafe-eval` because
+    # they are security risks, if you need them for a legacy app please only apply them at
+    # an app level.
     policy.script_src :self,
                       *GOOGLE_ANALYTICS_DOMAINS,
                       *GOOGLE_STATIC_DOMAINS,
                       # Allow YouTube Embeds (Govspeak turns YouTube links into embeds)
                       "*.ytimg.com",
                       "www.youtube.com",
-                      "www.youtube-nocookie.com",
-                      # This allows inline scripts and thus is a XSS risk.
-                      # As of December 2022, we intend to work towards removing
-                      # this from apps that don't use jQuery 1.12 (which needs
-                      # this) once we've set up nonces.
-                      :unsafe_inline
+                      "www.youtube-nocookie.com"
 
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
+    # Note: we purposely don't include `data:` or `unsafe-eval` because
+    # they are security risks, if you need them for a legacy app please only apply them at
+    # an app level.
     policy.style_src :self,
                      *GOOGLE_STATIC_DOMAINS,
-                     # This allows style="" attributes and style elements.
-                     # As of December 2022, we intend to remove this prior
-                     # to making the CSP live due to the security risks it has.
+                     # This allows `style=""` attributes and `<style>` elements.
+                     # As of January 2023 our intentions to remove this were scuppered
+                     # by Govspeak [1] using inline styles on tables. Until that
+                     # is resolved we'll keep unsafe_inline
+                     # [1]: https://github.com/alphagov/govspeak/blob/5642fcc4231f215d1c58ad7feb30ca42fb8cfb91/lib/govspeak/html_sanitizer.rb#L72-L73
                      :unsafe_inline
 
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
@@ -91,6 +93,20 @@ module GovukContentSecurityPolicy
   def self.configure
     Rails.application.config.content_security_policy_report_only = ENV.include?("GOVUK_CSP_REPORT_ONLY")
 
+    # Sets a nonce per request that can be set on script-src and style-src
+    # directives depending on the value of Rails.application.config.content_security_policy_nonce_directives
+    #
+    # Note: if an application needs to set unsafe-inline they will need to
+    # unset this generator (by setting this config option to nil in their application)
+    Rails.application.config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(16) }
+
+    # This only applies the nonce generator to the script-src directive. We need this to
+    # use unsafe-inline for style-src as a nonce will override it.
+    #
+    # When we want to apply it to style-src we can remove this line as the Rails default
+    # is for both script-src and style-src
+    Rails.application.config.content_security_policy_nonce_directives = %w[script-src]
+
     policy = Rails.application.config.content_security_policy(&method(:build_policy))
 
     # # allow apps to customise the CSP by passing a block e.g:

data/lib/govuk_app_config/govuk_logging.rb

@@ -12,36 +12,37 @@ module GovukLogging
     # `Rails.logger` calls or 'puts' statements. However these are not in a
     # JSON format which causes problems for the log file parsers.
     #
-    # To resolve this we've directed stdout to stderr, to cover any Rails
+    # To resolve this we redirect stdout to stderr, to cover any Rails
     # writing. This frees up the normal stdout for the logstasher logs.
+    #
+    # We also disable buffering, so that logs aren't lost on crash or delayed
+    # indefinitely while troubleshooting.
 
     # rubocop:disable Style/GlobalVars
     $real_stdout = $stdout.clone
+    $real_stdout.sync = true
     $stdout.reopen($stderr)
+    $stdout.sync = true
     # rubocop:enable Style/GlobalVars
 
     # Send Rails' logs to STDERR because they're not JSON formatted.
     Rails.logger = ActiveSupport::TaggedLogging.new(Logger.new($stderr, level: Rails.logger.level))
 
-    # Custom that will be added to the Rails request logs
     LogStasher.add_custom_fields do |fields|
-      # Mirrors Nginx request logging, e.g GET /path/here HTTP/1.1
+      # Mirrors Nginx request logging, e.g. GET /path/here HTTP/1.1
       fields[:request] = "#{request.request_method} #{request.fullpath} #{request.headers['SERVER_PROTOCOL']}"
 
-      # Pass request Id to logging
       fields[:govuk_request_id] = request.headers["GOVUK-Request-Id"]
-
       fields[:varnish_id] = request.headers["X-Varnish"]
-
       fields[:govuk_app_config] = GovukAppConfig::VERSION
     end
 
     Rails.application.config.logstasher.enabled = true
 
-    # Log controller actions so that we can graph response times
+    # Log controller actions so that we can graph response times.
     Rails.application.config.logstasher.controller_enabled = true
 
-    # The other loggers are not that interesting in production
+    # The other loggers are not that interesting in production.
     Rails.application.config.logstasher.mailer_enabled = false
     Rails.application.config.logstasher.record_enabled = false
     Rails.application.config.logstasher.view_enabled = false
@@ -59,11 +60,9 @@ module GovukLogging
     if defined?(GdsApi::Base)
       GdsApi::Base.default_options ||= {}
 
-      # The GDS API Adapters gem logs JSON to describe the requests it
-      # makes and the responses it gets, so direct this to the
-      # logstasher logger
-      GdsApi::Base.default_options[:logger] =
-        Rails.application.config.logstasher.logger
+      # The gds-api-adapters gem logs JSON to describe the requests it makes and
+      # the responses it gets, so direct this to the logstasher logger.
+      GdsApi::Base.default_options[:logger] = Rails.application.config.logstasher.logger
     end
 
     RailsExt::ActionDispatch.monkey_patch_log_error if RailsExt::ActionDispatch.should_monkey_patch_log_error?

data/lib/govuk_app_config/version.rb

@@ -1,3 +1,3 @@
 module GovukAppConfig
-  VERSION = "4.12.0".freeze
+  VERSION = "5.0.0".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: govuk_app_config
 version: !ruby/object:Gem::Version
-  version: 4.12.0
+  version: 5.0.0
 platform: ruby
 authors:
 - GOV.UK Dev
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-01-03 00:00:00.000000000 Z
+date: 2023-01-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logstasher
@@ -336,7 +336,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.2
+rubygems_version: 3.4.5
 signing_key: 
 specification_version: 4
 summary: Base configuration for GOV.UK applications