Over the past few weeks, Heroku proactively updated our entire Redis fleet with a version of Redis not vulnerable to CVE-2018-3760. This was an embargoed vulnerability, so we did this work without notifying our customers about the underlying cause. As always, our goal was to update all Heroku Redis instances well before the embargo expired.

Rolling The Heroku Redis Fleet - Blog Post

As a Data Infrastructure Engineer at Heroku, I wanted to share how we manage large fleet operations such as this one. The most important aspect of our job is keeping customers safe from security vulnerabilities, while also minimizing disruption and downtime. Those two objectives are often at odds with each other, so we work hard to reduce the impact...


All previously released versions of Sprockets, the software that powers the Rails asset pipeline, contain a directory traversal vulnerability. This vulnerability has been assigned CVE-2018-3760.

How do I know if I'm affected?

Rails applications are vulnerable if they have this setting enabled in their application:

# config/environments/production.rb config.assets.compile = true # setting to true makes your app vulnerable 

Note: The default value of this setting that ships with Rails in production.rb is false. By default, Rails apps running in production mode are not vulnerable to this exploit.

How do I fix it?

To remediate this vulnerability, applications can either change the...


The CLI Team at Heroku strives to create a CLI user experience that is intuitive and productive. We had “build CLI autocomplete” in the icebox of our roadmap for many years. But if we were going to ship it, it had to complement the existing CLI experience. This is challenging because the Heroku CLI is very dynamic: it comprises user installable plugins, and the data needed for completions is behind an API.

Recently, we spent some time brainstorming the experience we wanted from Heroku CLI Autocomplete and decided it was time. We took “build autocomplete” out of the icebox and shipped it.

This post will discuss the main challenges we faced building Heroku CLI Autocomplete and how we solved...


The Public Cloud Security (PCS) group at Salesforce partners very closely with Heroku engineering to review and advise on new product features across the platform, from infrastructure to applications. One of the most rewarding aspects about this partnership and working on this team for me is when we not only identify security concerns, but take an active role in building safe solutions.

Heroku recently announced support for Active Storage in Rails 5.2, which introduces the ability to generate previews of PDFs and videos. As a security engineer, hearing about a new feature in a product that automatically parses media files definitely grabbed my attention. This post takes a look at...


How to blend a rock-solid CMS and API with the absolute best in front-end tooling, built as a single project and hosted seamlessly on Heroku.

Rails is an incredible framework, but modern web development has moved to the front-end, meaning sometimes you don’t need all the bulk of the asset pipeline and the templating system. In Rails 5 you can now create an API-only Rails app, meaning you can build your front-end however you like—using Create React App, for example. It’s no longer 100% omakase.

An image of four logos, React, Rails, Activeadmin, and Heroku


Browse the archives for engineering or all blogs Subscribe to the RSS feed for engineering or all blogs.