Rails Versions Save

Fix possible XSS vulnerability with the translate method in controllers

CVE-2024-26143

Fix ReDoS in Accept header parsing

CVE-2024-26142

Fix possible XSS vulnerability with the translate method in controllers

CVE-2024-26143

Disables the session in ActiveStorage::Blobs::ProxyController and ActiveStorage::Representations::ProxyController in order to allow caching by default in some CDNs as CloudFlare

Fixes #44136

Bruno Prieto

Disables the session in ActiveStorage::Blobs::ProxyController and ActiveStorage::Representations::ProxyController in order to allow caching by default in some CDNs as CloudFlare

Fixes #44136

Bruno Prieto

Handle nil backtrace_locations in ActiveSupport::SyntaxErrorProxy.

Eugene Kenny

Fix ActiveSupport::JSON.encode to prevent duplicate keys.

If the same key exist in both String and Symbol form it could lead to the same key being emitted twice.

Manish Sharma

Fix ActiveSupport::Cache::Store#read_multi when using a cache namespace and local cache strategy.

Mark Oleson

Fix Time.now/DateTime.now/Date.today to return results in a system timezone after #travel_to.

There is a bug in the current implementation of #travel_to: it remembers a timezone of its argument, and all stubbed methods start returning results in that remembered timezone. However, the expected behaviour is to return results in a system timezone.

Aleksei Chernenkov

Fix :unless_exist option for MemoryStore#write (et al) when using a cache namespace.

S. Brent Faulkner

Fix ActiveSupport::Deprecation to handle blaming generated code.

Jean Boussier, fatkodima

Fix Migrations with versions older than 7.1 validating options given to add_reference.

Hartley McGuire

Ensure reload sets correct owner for each association.

Dmytro Savochkin

Fix view runtime for controllers with async queries.

fatkodima

Fix load_async to work with query cache.

fatkodima

Fix polymorphic belongs_to to correctly use parent's query_constraints.

fatkodima

Fix Preloader to not generate a query for already loaded association with query_constraints.

fatkodima

Fix multi-database polymorphic preloading with equivalent table names.

When preloading polymorphic associations, if two models pointed to two tables with the same name but located in different databases, the preloader would only load one.

Ari Summer

Fix encrypted_attribute? to take into account context properties passed to encrypts.

Maxime Réty

Fix find_by to work correctly in presence of composite primary keys.

fatkodima

Fix async queries sometimes returning a raw result if they hit the query cache.

ShipPart.async_count could return a raw integer rather than a Promise if it found the result in the query cache.

fatkodima

Fix Relation#transaction to not apply a default scope.

The method was incorrectly setting a default scope around its block:

Post.where(published: true).transaction do
  Post.count # SELECT COUNT(*) FROM posts WHERE published = FALSE;
end

Jean Boussier

Fix calling async_pluck on a none relation.

Model.none.async_pluck(:id) was returning a naked value instead of a promise.

Jean Boussier

Fix calling load_async on a none relation.

Model.none.load_async was returning a broken result.

Lucas Mazza

TrilogyAdapter: ignore host if socket parameter is set.

This allows to configure a connection on a UNIX socket via DATABASE_URL:

DATABASE_URL=trilogy://does-not-matter/my_db_production?socket=/var/run/mysql.sock

Jean Boussier

Fix has_secure_token calls the setter method on initialize.

Abeid Ahmed

Allow using object_id as a database column name. It was available before rails 7.1 and may be used as a part of polymorphic relationship to object where object can be any other database record.

Mikhail Doronin

Fix rails db:create:all to not touch databases before they are created.

fatkodima

Better handle SyntaxError in Action View.

Mario Caropreso

Fix word_wrap with empty string.

Jonathan Hefner

Rename ActionView::TestCase::Behavior::Content to ActionView::TestCase::Behavior::RenderedViewContent.

Make RenderedViewContent inherit from String. Make private API with :nodoc:.

Sean Doyle

Fix detection of required strict locals.

Further fix render @collection compatibility with strict locals

Jean Boussier

Fix including Rails.application.routes.url_helpers directly in an ActiveSupport::Concern.

Jonathan Hefner

Fix system tests when using a Chrome binary that has been downloaded by Selenium.

Jonathan Hefner

Do not trigger immediate loading of ActiveJob::Base when loading ActiveJob::TestHelper.

Maxime Réty

Preserve the serialized timezone when deserializing ActiveSupport::TimeWithZone arguments.

Joshua Young

Fix ActiveJob arguments serialization to correctly serialize String subclasses having custom serializers.

fatkodima

Fix N+1 query when fetching preview images for non-image assets.

Aaron Patterson & Justin Searls

Fix all Active Storage database related models to respect ActiveRecord::Base.table_name_prefix configuration.

Chedli Bourguiba

Fix ActiveStorage::Representations::ProxyController not returning the proper preview image variant for previewable files.

Chedli Bourguiba

Fix ActiveStorage::Representations::ProxyController to proxy untracked variants.

Chedli Bourguiba

Fix direct upload forms when submit button contains nested elements.

Marc Köhlbrugge

When using the preprocessed: true option, avoid enqueuing transform jobs for blobs that are not representable.

Chedli Bourguiba

Process preview image variant when calling ActiveStorage::Preview#processed. For example, attached_pdf.preview(:thumb).processed will now immediately generate the full-sized preview image and the :thumb variant of it. Previously, the :thumb variant would not be generated until a further call to e.g. processed.url.

Chedli Bourguiba and Jonathan Hefner

Prevent ActiveRecord::StrictLoadingViolationError when strict loading is enabled and the variant of an Active Storage preview has already been processed (for example, by calling ActiveStorage::Preview#url).

Jonathan Hefner

Fix preprocessed: true option for named variants of previewable files.

Nico Wenterodt

Make sure config.after_routes_loaded hook runs on boot.

Rafael Mendonça França

Fix config.log_level not being respected when using a BroadcastLogger

Édouard Chin

Fix isolated engines to take ActiveRecord::Base.table_name_prefix into consideration. This will allow for engine defined models, such as inside Active Storage, to respect Active Record table name prefix configuration.

Chedli Bourguiba

The bin/rails app:template command will no longer add potentially unwanted gem platforms via bundle lock --add-platform=... commands.

Jonathan Hefner

Fix :expires_in option for RedisCacheStore#write_multi.

fatkodima

Fix deserialization of non-string "purpose" field in Message serializer

Jacopo Beschi

Prevent global cache options being overwritten when setting dynamic options inside a ActiveSupport::Cache::Store#fetch block.

Yasha Krasnou

Fix missing require resulting in NoMethodError when running bin/rails secrets:show or bin/rails secrets:edit.

Stephen Ierodiaconou

Ensure {down,up}case_first returns non-frozen string.

Jonathan Hefner

Fix #to_fs(:human_size) to correctly work with negative numbers.

Earlopain

Fix BroadcastLogger#dup so that it duplicates the logger's broadcasts.

Andrew Novoselac

Fix issue where bootstrap.rb overwrites the level of a BroadcastLogger's broadcasts.

Andrew Novoselac

Fix ActiveSupport::Cache to handle outdated Marshal payload from Rails 6.1 format.

Active Support's Cache is supposed to treat a Marshal payload that can no longer be deserialized as a cache miss. It fail to do so for compressed payload in the Rails 6.1 legacy format.

Jean Boussier

Fix OrderedOptions#dig for array indexes.

fatkodima

Fix time travel helpers to work when nested using with separate classes.

fatkodima

Fix delete_matched for file cache store to work with keys longer than the max filename size.

fatkodima and Jonathan Hefner

Fix compatibility with the semantic_logger gem.

The semantic_logger gem doesn't behave exactly like stdlib logger in that SemanticLogger#level returns a Symbol while stdlib Logger#level returns an Integer.

This caused the various LogSubscriber classes in Rails to break when assigned a SemanticLogger instance.

Jean Boussier, ojab

Make ==(other) method of AttributeSet safe.

Dmitry Pogrebnoy

Fix renaming primary key index when renaming a table with a UUID primary key in PostgreSQL.

fatkodima

Fix where(field: values) queries when field is a serialized attribute (for example, when field uses ActiveRecord::Base.serialize or is a JSON column).

João Alves

Prevent marking broken connections as verified.

Daniel Colson

Don't mark Float::INFINITY as changed when reassigning it

When saving a record with a float infinite value, it shouldn't mark as changed

Maicol Bentancor

ActiveRecord::Base.table_name now returns nil instead of raising "undefined method abstract_class? for Object:Class".

a5-stable

Fix upserting for custom :on_duplicate and :unique_by consisting of all inserts keys.

fatkodima

Fixed an issue where saving a record could innappropriately dup its attributes.

Jonathan Hefner

Dump schema only for a specific db for rollback/up/down tasks for multiple dbs.

fatkodima

Fix NoMethodError when casting a PostgreSQL money value that uses a comma as its radix point and has no leading currency symbol. For example, when casting "3,50".

Andreas Reischuck and Jonathan Hefner

Re-enable support for using enum with non-column-backed attributes. Non-column-backed attributes must be previously declared with an explicit type. For example:

class Post < ActiveRecord::Base
  attribute :topic, :string
  enum topic: %i[science tech engineering math]
end

Jonathan Hefner

Raise on foreign_key: being passed as an array in associations

Nikita Vasilevsky

Return back maximum allowed PostgreSQL table name to 63 characters.

fatkodima

Fix detecting IDENTITY columns for PostgreSQL < 10.

fatkodima

Fix the number_to_human_size view helper to correctly work with negative numbers.

Earlopain

Automatically discard the implicit locals injected by collection rendering for template that can't accept them

When rendering a collection, two implicit variables are injected, which breaks templates with strict locals.

Now they are only passed if the template will actually accept them.

Yasha Krasnou, Jean Boussier

Fix @rails/ujs calling start() an extra time when using bundlers

Hartley McGuire, Ryunosuke Sato

Fix the capture view helper compatibility with HAML and Slim

When a blank string was captured in HAML or Slim (and possibly other template engines) it would instead return the entire buffer.

Jean Boussier

Fix a race condition that could cause a Text file busy - chromedriver error with parallel system tests

Matt Brictson

Fix StrongParameters#extract_value to include blank values

Otherwise composite parameters may not be parsed correctly when one of the component is blank.

fatkodima, Yasha Krasnou, Matthias Eiglsperger

Add racc as a dependency since it will become a bundled gem in Ruby 3.4.0

Hartley McGuire

Support handling Enumerator for non-buffered responses.

Zachary Scott

Compile ESM package that can be used directly in the browser as actiontext.esm.js

Matias Grunberg

Fix using actiontext.js with Sprockets

Matias Grunberg

Upgrade Trix to 2.0.7

Hartley McGuire

Fix using Trix with Sprockets

Hartley McGuire

Fix running db:system:change when app has no Dockerfile.

Hartley McGuire

If you accessed config.eager_load_paths and friends, later changes to config.paths were not reflected in the expected auto/eager load paths. Now, they are.

This bug has been latent since Rails 3.

Fixes #49629.

Xavier Noria

Add support for keyword arguments when delegating calls to custom loggers from ActiveSupport::BroadcastLogger.

Jenny Shen

NumberHelper: handle objects responding to_d.

fatkodima

Fix RedisCacheStore to properly set the TTL when incrementing or decrementing.

This bug was only impacting Redis server older than 7.0.

Thomas Countz

Fix MemoryStore to prevent race conditions when incrementing or decrementing.

Pierre Jambet

Fix auto populating IDENTITY columns for PostgreSQL.

fatkodima

Fix "ArgumentError: wrong number of arguments (given 3, expected 2)" when down migrating rename_table in older migrations.

fatkodima

Do not require the Action Text, Active Storage and Action Mailbox tables to be present when running when running test on CI.

Rafael Mendonça França

Updated @rails/ujs files to ignore certain data-* attributes when element is contenteditable.

This fix was already landed in >= 7.0.4.3, < 7.1.0. [CVE-2023-23913]

Ryunosuke Sato

Don't log enqueuing details when the job wasn't enqueued.

Dustin Brown

Ensures the Rails generated Dockerfile uses correct ruby version and matches Gemfile.

Abhay Nikam

Fix AS::MessagePack with ENV["RAILS_MAX_THREADS"].

Jonathan Hefner

Remove -shm and -wal SQLite files when rails db:drop is run.

Niklas Häusele

Revert the change to raise an ArgumentError when #accepts_nested_attributes_for is declared more than once for an association in the same class.

The reverted behavior broke the case where the #accepts_nested_attributes_for was defined in a concern and where overridden in the class that included the concern.

Rafael Mendonça França

Make sure scheduled_at is a Time object when asserting enqueued jobs.

Rafael Mendonça França

Always set the Rails logger to be an instance of ActiveSupport::BroadcastLogger.

Edouard Chin

Add a new public API for broadcasting logs

This feature existed for a while but was until now a private API. Broadcasting log allows to send log message to difference sinks (STDOUT, a file ...) and is used by default in the development environment to write logs both on STDOUT and in the "development.log" file.

Basic usage:

stdout_logger = Logger.new(STDOUT)
file_logger = Logger.new("development.log")
broadcast = ActiveSupport::BroadcastLogger.new(stdout_logger, file_logger)

broadcast.info("Hello!") # The "Hello!" message is written on STDOUT and in the log file.

Adding other sink(s) to the broadcast:

broadcast = ActiveSupport::BroadcastLogger.new
broadcast.broadcast_to(Logger.new(STDERR))

Remove a sink from the broadcast:

stdout_logger = Logger.new(STDOUT)
broadcast = ActiveSupport::BroadcastLogger.new(stdout_logger)

broadcast.stop_broadcasting_to(stdout_logger)

Edouard Chin

Fix Range#overlap? not taking empty ranges into account on Ruby < 3.3

Nobuyoshi Nakada, Shouichi Kamiya, Hartley McGuire

Use Ruby 3.3 Range#overlap? if available

Yasuo Honda

Remove change in the typography of user facing error messages. For example, “can’t be blank” is again “can't be blank”.

Rafael Mendonça França

Better naming for unique constraints support.

Naming unique keys leads to misunderstanding it's a short-hand of unique indexes. Just naming it unique constraints is not misleading.

In Rails 7.1.0.beta1 or before:

add_unique_key :sections, [:position], deferrable: :deferred, name: "unique_section_position"
remove_unique_key :sections, name: "unique_section_position"

Now:

add_unique_constraint :sections, [:position], deferrable: :deferred, name: "unique_section_position"
remove_unique_constraint :sections, name: "unique_section_position"

Ryuta Kamizono

Fix duplicate quoting for check constraint expressions in schema dump when using MySQL

A check constraint with an expression, that already contains quotes, lead to an invalid schema dump with the mysql2 adapter.

Fixes #42424.

Felix Tscheulin

Performance tune the SQLite3 adapter connection configuration

For Rails applications, the Write-Ahead-Log in normal syncing mode with a capped journal size, a healthy shared memory buffer and a shared cache will perform, on average, 2× better.

Stephen Margheim

Allow SQLite3 busy_handler to be configured with simple max number of retries

Retrying busy connections without delay is a preferred practice for performance-sensitive applications. Add support for a database.yml retries integer, which is used in a simple busy_handler function to retry busy connections without exponential backoff up to the max number of retries.

Stephen Margheim

The SQLite3 adapter now supports supports_insert_returning?

Implementing the full supports_insert_returning? contract means the SQLite3 adapter supports auto-populated columns (#48241) as well as custom primary keys.

Stephen Margheim

Ensure the SQLite3 adapter handles default functions with the || concatenation operator

Previously, this default function would produce the static string "'Ruby ' || 'on ' || 'Rails'". Now, the adapter will appropriately receive and use "Ruby on Rails".

change_column_default "test_models", "ruby_on_rails", -> { "('Ruby ' || 'on ' || 'Rails')" }

Stephen Margheim

Dump PostgreSQL schemas as part of the schema dump.

Lachlan Sylvester

Introduce ActionView::TestCase.register_parser

register_parser :rss, -> rendered { RSS::Parser.parse(rendered) }

test "renders RSS" do
  article = Article.create!(title: "Hello, world")

  render formats: :rss, partial: article

  assert_equal "Hello, world", rendered.rss.items.last.title
end

By default, register parsers for :html and :json.

Sean Doyle

Add support for #deep_merge and #deep_merge! to ActionController::Parameters.

Sean Doyle

Set scheduled_at attribute as a Time object instead of epoch seconds, and serialize and deserialize the value when enqueued. Assigning a numeric/epoch value to scheduled_at= is deprecated; use a Time object instead.

Deserializes enqueued_at as a Time instead of ISO8601 String.

Ben Sheldon

Clarify the backoff strategy for the recommended :wait option when retrying jobs

wait: :exponentially_longer is waiting polynomially longer, so it is now recommended to use wait: :polynomially_longer to keep the same behavior.

Victor Mours

Introduce ActionMailer::FormBuilder

Use the default_form_builder method in mailers to set the default form builder for templates rendered by that mailer. Matches the behaviour in Action Controller.

Alex Ghiculescu

Add expires_at option to ActiveStorage::Blob#signed_id.

rails_blob_path(user.avatar, disposition: "attachment", expires_at: 30.minutes.from_now)
<%= image_tag rails_blob_path(user.avatar.variant(resize: "100x100"), expires_at: 30.minutes.from_now) %>

Aki

Allow attaching File and Pathname when assigning attributes, e.g.

User.create!(avatar: File.open("image.jpg"))
User.create!(avatar: file_fixture("image.jpg"))

Dorian Marié

Require concurrent-ruby in config/puma.rb so that Puma can boot in production when WEB_CONCURRENCY is not explicitly specified.

Fixes #49323.

Matt Brictson

Raise error when generating attribute with dangerous name.

The following will now raise an error as save and hash are already defined by Active Record.

$ bin/rails generate model Post save
$ bin/rails generate model Post hash

Petrik de Heus