Releases: rails/rails

v7.0.4

09 Sep 19:17
v7.0.4

Active Support

  • Redis cache store is now compatible with redis-rb 5.0.

    Jean Boussier

  • Fix NoMethodError on custom ActiveSupport::Deprecation behavior.

    ActiveSupport::Deprecation.behavior= was supposed to accept any object
    that responds to call, but in fact its internal implementation assumed that
    this object could respond to arity, so it was restricted to only Proc objects.

    This change removes this arity restriction of custom behaviors.

    Ryo Nakamura

Active Model

  • Handle name clashes in attribute methods code generation cache.

    When two distinct attribute methods would generate similar names,
    the first implementation would be incorrectly re-used.

    class A
      attribute_method_suffix "_changed?"
      define_attribute_methods :x
    end
    
    class B
      attribute_method_suffix "?"
      define_attribute_methods :x_changed
    end

    Jean Boussier

Active Record

  • Symbol is allowed by default for YAML columns

    Étienne Barrié

  • Fix ActiveRecord::Store to serialize as a regular Hash

    Previously it would serialize as an ActiveSupport::HashWithIndifferentAccess
    which is wasteful and causes problems with YAML safe_load.

    Jean Boussier

  • Add timestamptz as a time zone aware type for PostgreSQL

    This is required for correctly parsing timestamp with time zone values in your database.

    If you don't want this, you can opt out by adding this initializer:

    ActiveRecord::Base.time_zone_aware_types -= [:timestamptz]

    Alex Ghiculescu

  • Fix supporting timezone awareness for tsrange and tstzrange array columns.

    # In database migrations
    add_column :shops, :open_hours, :tsrange, array: true
    # In app config
    ActiveRecord::Base.time_zone_aware_types += [:tsrange]
    # In the code times are properly converted to app time zone
    Shop.create!(open_hours: [Time.current..8.hour.from_now])

    Wojciech Wnętrzak

  • Resolve issue where a relation cache_version could be left stale.

    Previously, when reset was called on a relation object it did not reset the cache_versions
    ivar. This led to a confusing situation where despite having the correct data the relation
    still reported a stale cache_version.

    Usage:

    developers = Developer.all
    developers.cache_version
    
    Developer.update_all(updated_at: Time.now.utc + 1.second)
    
    developers.cache_version # Stale cache_version
    developers.reset
    developers.cache_version # Returns the current correct cache_version

    Fixes #45341.

    Austen Madden

  • Fix load_async when called on an association proxy.

    Calling load_async directly on an association would schedule
    a query but never use it.

    comments = post.comments.load_async # schedule a query
    comments.to_a # perform an entirely new sync query

    Now it does use the async query, however note that it doesn't
    cause the association to be loaded.

    Jean Boussier

  • Fix eager loading for models without primary keys.

    Anmol Chopra, Matt Lawrence, and Jonathan Hefner

  • rails db:schema:{dump,load} now checks ENV["SCHEMA_FORMAT"] before config

    Since rails db:structure:{dump,load} was deprecated there wasn't a simple
    way to dump a schema to both SQL and Ruby formats. You can now do this with
    an environment variable. For example:

    SCHEMA_FORMAT=sql rake db:schema:dump
    

    Alex Ghiculescu

  • Fix Hstore deserialize regression.

    edsharp

Action View

  • Guard against ActionView::Helpers::FormTagHelper#field_name calls with nil
    object_name arguments. For example:

    <%= fields do |f| %>
      <%= f.field_name :body %>
    <% end %>

    Sean Doyle

  • Strings returned from strip_tags are correctly tagged html_safe?

    Because these strings contain no HTML elements and the basic entities are escaped, they are safe
    to be included as-is as PCDATA in HTML content. Tagging them as html-safe avoids double-escaping
    entities when being concatenated to a SafeBuffer during rendering.

    Fixes rails/rails-html-sanitizer#124

    Mike Dalessio

Action Pack

  • Prevent ActionDispatch::ServerTiming from overwriting existing values in Server-Timing.

    Previously, if another middleware down the chain set the Server-Timing header,
    it would be overwritten by ActionDispatch::ServerTiming.

    Jakub Malinowski

Active Job

  • Update ActiveJob::QueueAdapters::QueAdapter to remove deprecation warning.

    Remove a deprecation warning introduced in que 1.2 to prepare for changes in
    que 2.0 necessary for Ruby 3 compatibility.

    Damir Zekic and Adis Hasovic

Action Mailer

  • No changes.

Action Cable

  • The Redis adapter is now compatible with redis-rb 5.0

    Compatibility with redis-rb 3.x was dropped.

    Jean Boussier

  • The Action Cable server is now mounted with anchor: true.

    This means that routes that also start with /cable will no longer clash with Action Cable.

    Alex Ghiculescu

Active Storage

  • Fixes proxy downloads of files over 5MiB

    Previously, trying to view and/or download files larger than 5mb stored in
    services like S3 via proxy mode could return corrupted files at around
    5.2mb or cause random halts in the download. Now,
    ActiveStorage::Blobs::ProxyController correctly handles streaming these
    larger files from the service to the client without any issues.

    Fixes #44679

    Felipe Raul

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • config.allow_concurrency = false now uses a Monitor instead of a Mutex

    This allows enabling config.active_support.executor_around_test_case even
    when config.allow_concurrency is disabled.

    Jean Boussier

  • Skip Active Storage and Action Mailer if Active Job is skipped.

    Étienne Barrié

  • Correctly check if frameworks are disabled when running app:update.

    Étienne Barrié and Paulo Barros

  • Fixed config.active_support.cache_format_version never being applied.

    Rails 7.0 shipped with a new serializer for Rails.cache, but the associated config
    wasn't working properly. Note that even after this fix, it can only be applied from
    the application.rb file.

    Alex Ghiculescu

v6.1.7

09 Sep 19:15
v6.1.7

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Symbol is allowed by default for YAML columns

    Étienne Barrié

  • Fix ActiveRecord::Store to serialize as a regular Hash

    Previously it would serialize as an ActiveSupport::HashWithIndifferentAccess
    which is wasteful and causes problems with YAML safe_load.

    Jean Boussier

  • Fix PG.connect keyword arguments deprecation warning on ruby 2.7

    Fixes #44307.

    Nikita Vasilevsky

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • Respect Active Record's primary_key_type in Active Storage migrations. Backported from 7.0.

    fatkodima

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.0.6

09 Sep 19:14
v6.0.6
91cf62e

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Symbol is allowed by default for YAML columns

    Étienne Barrié

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

7.0.3.1

23 Nov 19:11
v7.0.3.1
04972d9

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Change ActiveRecord::Coders::YAMLColumn default to safe_load

    This adds two new configuration options. The configuration options are as
    follows:

    • config.active_storage.use_yaml_unsafe_load

    When set to true, this configuration option tells Rails to use the old
    "unsafe" YAML loading strategy, maintaining the existing behavior but leaving
    the possible escalation vulnerability in place. Setting this option to true
    is not recommended, but can aid in upgrading.

    • config.active_record.yaml_column_permitted_classes

    The "safe YAML" loading method does not allow all classes to be deserialized
    by default. This option allows you to specify classes deemed "safe" in your
    application. For example, if your application uses Symbol and Time in
    serialized data, you can add Symbol and Time to the allowed list as follows:

    config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
    

    [CVE-2022-32224]
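
The allowlist behaviour described in this entry, together with the v7.0.4 note that an ActiveRecord::Store serialized as a Hash subclass causes problems with YAML safe_load, shown using only Ruby's standard YAML library. This is an added example, not Rails code: LegacyPrefs, IndifferentHashStandIn, load_column, blocked_by and the sample payloads are constructed for illustration.

```ruby
require "yaml"
require "date"

# Hypothetical stand-ins: an application class, and a Hash subclass playing the
# role of ActiveSupport::HashWithIndifferentAccess (which is not loaded here).
class LegacyPrefs
  attr_accessor :locale
end

class IndifferentHashStandIn < Hash; end

prefs = LegacyPrefs.new
prefs.locale = "en"

# Constructed sample column payloads (not taken from a real database).
SAMPLES = {
  plain_hash:    { "theme" => "dark", "retries" => 3 }.to_yaml,
  hash_subclass: IndifferentHashStandIn.new.merge!("theme" => "dark").to_yaml,
  symbol_time:   { "status" => :active, "seen_at" => Time.utc(2022, 7, 12, 9) }.to_yaml,
  app_object:    prefs.to_yaml,
}.freeze

# Load one serialized value against an allowlist of classes.
# Returns [:ok, value] or [:rejected, "ClassName"] instead of raising.
def load_column(payload, permitted_classes: [])
  [:ok, YAML.safe_load(payload, permitted_classes: permitted_classes)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message[/unspecified class: (.+)\z/, 1]]
end

# Map each sample name to the class that blocks it (nil when it loads).
def blocked_by(samples, permitted_classes)
  samples.transform_values do |yaml|
    status, detail = load_column(yaml, permitted_classes: permitted_classes)
    status == :rejected ? detail : nil
  end
end

if __FILE__ == $PROGRAM_NAME
  [[], [Symbol, Date, Time]].each do |allowlist|
    puts "permitted_classes = #{allowlist.inspect}"
    blocked_by(SAMPLES, allowlist).each do |name, klass|
      puts "  #{name}: #{klass ? "rejected (#{klass})" : "loads"}"
    end
  end
end
```

Adding an application class to the allowlist makes safe_load instantiate that class from column data, so each entry should be a class whose deserialization is known to be harmless.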

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

6.1.6.1

23 Nov 19:11
v6.1.6.1
dc1242f

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Change ActiveRecord::Coders::YAMLColumn default to safe_load

    This adds two new configuration options. The configuration options are as
    follows:

    • config.active_storage.use_yaml_unsafe_load

    When set to true, this configuration option tells Rails to use the old
    "unsafe" YAML loading strategy, maintaining the existing behavior but leaving
    the possible escalation vulnerability in place. Setting this option to true
    is not recommended, but can aid in upgrading.

    • config.active_record.yaml_column_permitted_classes

    The "safe YAML" loading method does not allow all classes to be deserialized
    by default. This option allows you to specify classes deemed "safe" in your
    application. For example, if your application uses Symbol and Time in
    serialized data, you can add Symbol and Time to the allowed list as follows:

    config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
    

    [CVE-2022-32224]

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

6.0.5.1

23 Nov 19:10
v6.0.5.1
eed4176

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Change ActiveRecord::Coders::YAMLColumn default to safe_load

    This adds two new configuration options. The configuration options are as
    follows:

    • config.active_storage.use_yaml_unsafe_load

    When set to true, this configuration option tells Rails to use the old
    "unsafe" YAML loading strategy, maintaining the existing behavior but leaving
    the possible escalation vulnerability in place. Setting this option to true
    is not recommended, but can aid in upgrading.

    • config.active_record.yaml_column_permitted_classes

    The "safe YAML" loading method does not allow all classes to be deserialized
    by default. This option allows you to specify classes deemed "safe" in your
    application. For example, if your application uses Symbol and Time in
    serialized data, you can add Symbol and Time to the allowed list as follows:

    config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
    

    [CVE-2022-32224]

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

5.2.8.1

23 Nov 19:06
v5.2.8.1
8030cff

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Change ActiveRecord::Coders::YAMLColumn default to safe_load

    This adds two new configuration options. The configuration options are as
    follows:

    • config.active_storage.use_yaml_unsafe_load

    When set to true, this configuration option tells Rails to use the old
    "unsafe" YAML loading strategy, maintaining the existing behavior but leaving
    the possible escalation vulnerability in place. Setting this option to true
    is not recommended, but can aid in upgrading.

    • config.active_record.yaml_column_permitted_classes

    The "safe YAML" loading method does not allow all classes to be deserialized
    by default. This option allows you to specify classes deemed "safe" in your
    application. For example, if your application uses Symbol and Time in
    serialized data, you can add Symbol and Time to the allowed list as follows:

    config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
    

    [CVE-2022-32224]

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Railties

  • No changes.

7.0.3

12 May 20:30
v7.0.3
3872bc0

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Some internal housekeeping on reloads could break custom respond_to?
    methods in class objects that referenced reloadable constants. See
    #44125 for details.

    Xavier Noria

  • Fixed MariaDB default function support.

    Defaults would be written wrong in "db/schema.rb" and not work correctly
    if using db:schema:load. Furthermore, the function name would be
    added as string content when saving new records.

    kaspernj

  • Fix remove_foreign_key with :if_exists option when foreign key actually exists.

    fatkodima

  • Remove --no-comments flag in structure dumps for PostgreSQL

    This broke some apps that used custom schema comments. If you don't want
    comments in your structure dump, you can use:

    ActiveRecord::Tasks::DatabaseTasks.structure_dump_flags = ['--no-comments']

    Alex Ghiculescu

  • Use the model name as a prefix when filtering encrypted attributes from logs.

    For example, when encrypting Person#name it will add person.name as a filter
    parameter, instead of just name. This prevents unintended filtering of parameters
    with a matching name in other models.

    Jorge Manrubia

  • Fix quoting of ActiveSupport::Duration and Rational numbers in the MySQL adapter.

    Kevin McPhillips

  • Fix change_column_comment to preserve column's AUTO_INCREMENT in the MySQL adapter

    fatkodima

Action View

  • Ensure models passed to form_for attempt to call to_model.

    Sean Doyle

Action Pack

  • Allow relative redirects when raise_on_open_redirects is enabled.

    Tom Hughes

  • Fix authenticate_with_http_basic to allow for missing password.

    Before Rails 7.0 it was possible to handle basic authentication with only a username.

    authenticate_with_http_basic do |token, _|
      ApiClient.authenticate(token)
    end

    This ability is restored.

    Jean Boussier

  • Fix content_security_policy returning invalid directives.

    Directives such as self, unsafe-eval and a few others were not
    single quoted when the directive was the result of calling a lambda
    returning an array.

    content_security_policy do |policy|
      policy.frame_ancestors lambda { [:self, "https://example.com"] }
    end

    With this fix the policy generated from above will now be valid.

    Edouard Chin

  • Fix skip_forgery_protection to run without raising an error if forgery
    protection has not been enabled / verify_authenticity_token is not a
    defined callback.

    This fix prevents the Rails 7.0 Welcome Page (/) from raising an
    ArgumentError if default_protect_from_forgery is false.

    Brad Trick

  • Fix ActionController::Live to copy the IsolatedExecutionState in the ephemeral thread.

    Since its inception ActionController::Live has been copying thread local variables
    to keep things such as CurrentAttributes set from middlewares working in the controller action.

    With the introduction of IsolatedExecutionState in 7.0, some of that global state was lost in
    ActionController::Live controllers.

    Jean Boussier

  • Fix setting trailing_slash: true in route definition.

    get '/test' => "test#index", as: :test, trailing_slash: true
    
    test_path() # => "/test/"

    Jean Boussier

Active Job

  • Add missing bigdecimal require in ActiveJob::Arguments

    Could cause uninitialized constant ActiveJob::Arguments::BigDecimal (NameError)
    when loading Active Job in isolation.

    Jean Boussier

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • Don't stream responses in redirect mode

    Previously, both redirect mode and proxy mode streamed their
    responses which caused a new thread to be created, and could end
    up leaking connections in the connection pool. But since redirect
    mode doesn't actually send any data, it doesn't need to be
    streamed.

    Luke Lau

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • If reloading and eager loading are both enabled, Rails eager loads the application code again after a reload.

    Xavier Noria

  • Use controller_class_path in Rails::Generators::NamedBase#route_url

    The route_url method now returns the correct path when generating
    a namespaced controller with a top-level model using --model-name.

    Previously, when running this command:

    bin/rails generate scaffold_controller Admin/Post --model-name Post

    the comments above the controller action would look like:

    # GET /posts
    def index
      @posts = Post.all
    end

    afterwards, they now look like this:

    # GET /admin/posts
    def index
      @posts = Post.all
    end

    Fixes #44662.

    Andrew White

6.1.6

12 May 20:12
v6.1.6
147557d

Active Support

  • Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

    Add the method ERB::Util.xml_name_escape to escape dangerous characters
    in names of tags and names of attributes, following the specification of XML.

    Álvaro Martín Fraguas

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

    Escape dangerous characters in names of tags and names of attributes in the
    tag helpers, following the XML specification. Rename the option
    :escape_attributes to :escape, to simplify by applying the option to the
    whole tag.

    Álvaro Martín Fraguas

Action Pack

  • Allow Content Security Policy DSL to generate for API responses.

    Tim Wade

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

6.0.5

12 May 20:06
v6.0.5
4331155

Active Support

  • Fix tag helper regression.

    Eileen Uchitelle

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Railties

  • No changes.

Action Text

  • Disentangle Action Text from ApplicationController

    Allow Action Text to be used without having an ApplicationController
    defined.
    This makes sure:

    • Action Text attachments render the correct URL host in mailers.
    • an ActionController::Renderer isn't allocated per request.
    • Sidekiq doesn't hang with the "classic" autoloader.

    Jonathan Hefner