I’m planning to release ImageProcessing 2.x soon, which would bring a few breaking changes, and I wanted to coordinate how to make it as smooth as possible for Active Storage.
The primary breaking change would be moving mini_magick and ruby-vips from hard to soft dependencies. Currently, ImageProcessing gem depends on both processors, which doesn’t make a lot of sense, as you’re most likely to use only one. Controlling dependencies here has been requested in the past, so ImageProcessing 2.x would require manually adding mini_magick and/or ruby-vips to the Gemfile.
Another breaking change would be blocking unfuzzed loaders by default in libvips processor. Basically, this means libvips would refuse to process formats that are more likely to carry security vulnerabilities because of lack of testing. So, JPEG, PNG, WebP, TIFF, GIF, HEIF/AVIF would continue being accepted, but SVG, JPEG-XL, RAW, OpenSlide, NIFTI, FITS, MATLAB, Analyze6 would now be rejected. I think the only one that’s likely to cause breakage in Rails apps is the SVG rejection.
I’m also considering removing the autoloading of ImageProcessing::MiniMagick and ImageProcessing::Vips classes, because it leads to loading processor code at the time of processing, instead of at boot time. For example, it seems to me Active Storage currently loads image_processing/mini_magick + mini_magick and image_processing/vips + ruby-vips on-demand – when the first variant is being processed – which isn’t good for performance / memory. However, I’m not yet 100% sure it’s worth making this breaking change.
I wanted to give the core team a heads-up and maybe hear your thoughts, concerns or suggestions if you have any. Otherwise I plan to start sending PRs to prepare Active Storage for these changes.