Releases: rails/rails
6.0.4.2
Active Support
- No changes.
Active Model
- No changes.
Active Record
- No changes.
Action View
- No changes.
Action Pack
- Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
7.0.0.rc1
Active Support
- Deprecate passing a format to #to_s in favor of #to_formatted_s in Array, Range, Date, DateTime, Time, BigDecimal, Float and Integer.
  Rafael Mendonça França
- Document ActiveSupport::Testing::Deprecation.
  Sam Bostock & Sam Jordan
- Add Pathname#existence.
      Pathname.new("file").existence&.read
  Timo Schilling
- Remove deprecated ActiveSupport::Multibyte::Unicode.default_normalization_form.
  Rafael Mendonça França
- Remove deprecated support to use Range#include? to check the inclusion of a value in a date time range.
  Rafael Mendonça França
- Remove deprecated URI.parser.
  Rafael Mendonça França
- Remove deprecated config.active_support.use_sha1_digests.
  Rafael Mendonça França
- Invoking Object#with_options without a &block argument returns the ActiveSupport::OptionMerger instance.
  Sean Doyle
- Rails.application.executor hooks can now be called around every test.
  This helps to better simulate request or job local state being reset around tests and prevents state leaking from one test to another.
  However it requires the executor hooks executed in the test environment to be re-entrant.
  To enable this, set config.active_support.executor_around_test_case = true (this is the default in Rails 7).
  Jean Boussier
- ActiveSupport::DescendantsTracker now mostly delegates to Class#descendants on Ruby 3.1.
  Ruby now provides a fast Class#descendants making ActiveSupport::DescendantsTracker mostly useless.
  As a result the following methods are deprecated:
  - ActiveSupport::DescendantsTracker.direct_descendants
  - ActiveSupport::DescendantsTracker#direct_descendants
  Jean Boussier
- Fix the Digest::UUID.uuid_from_hash behavior for namespace IDs that are different from the ones defined on Digest::UUID.
  The new behavior will be enabled by setting the config.active_support.use_rfc4122_namespaced_uuids option to true and is the default for new apps.
  The old behavior is the default for upgraded apps and will output a deprecation warning every time a value that is different than one of the constants defined on the Digest::UUID extension is used as the namespace ID.
  Alex Robbin, Erich Soares Machado, Eugene Kenny
- ActiveSupport::Inflector::Inflections#clear(:acronyms) is now supported, and inflector.clear / inflector.clear(:all) also clears acronyms.
  Alex Ghiculescu, Oliver Peate
Active Model
- Remove support to Marshal load Rails 5.x ActiveModel::AttributeSet format.
  Rafael Mendonça França
- Remove support to Marshal and YAML load Rails 5.x error format.
  Rafael Mendonça França
- Remove deprecated support to use []= in ActiveModel::Errors#messages.
  Rafael Mendonça França
- Remove deprecated support to delete errors from ActiveModel::Errors#messages.
  Rafael Mendonça França
- Remove deprecated support to clear errors from ActiveModel::Errors#messages.
  Rafael Mendonça França
- Remove deprecated support to concat errors to ActiveModel::Errors#messages.
  Rafael Mendonça França
- Remove deprecated ActiveModel::Errors#to_xml.
  Rafael Mendonça França
- Remove deprecated ActiveModel::Errors#keys.
  Rafael Mendonça França
- Remove deprecated ActiveModel::Errors#values.
  Rafael Mendonça França
- Remove deprecated ActiveModel::Errors#slice!.
  Rafael Mendonça França
- Remove deprecated ActiveModel::Errors#to_h.
  Rafael Mendonça França
- Remove deprecated enumeration of ActiveModel::Errors instances as a Hash.
  Rafael Mendonça França
- Clear secure password cache if password is set to nil.
  Before:
      user.password = 'something'
      user.password = nil
      user.password # => 'something'
  Now:
      user.password = 'something'
      user.password = nil
      user.password # => nil
  Markus Doits
Active Record
- Remove deprecated ActiveRecord::DatabaseConfigurations::DatabaseConfig#spec_name.
  Rafael Mendonça França
- Remove deprecated ActiveRecord::Connection#in_clause_length.
  Rafael Mendonça França
- Remove deprecated ActiveRecord::Connection#allowed_index_name_length.
  Rafael Mendonça França
- Remove deprecated ActiveRecord::Base#remove_connection.
  Rafael Mendonça França
- Load STI Models in fixtures
  Data from Fixtures now loads based on the specific class for models with Single Table Inheritance. This affects enums defined in subclasses; previously the value of these fields was not parsed and remained nil.
  Andres Howard
- #authenticate returns false when the password is blank instead of raising an error.
  Muhammad Muhammad Ibrahim
- Fix ActiveRecord::QueryMethods#in_order_of behavior for integer enums.
  ActiveRecord::QueryMethods#in_order_of didn't work as expected for enums stored as integers in the database when passing an array of strings or symbols as the order argument. This unexpected behavior occurred because the string or symbol values were not cast to match the integers in the database.
  The following example now works as expected:
      class Book < ApplicationRecord
        enum status: [:proposed, :written, :published]
      end

      Book.in_order_of(:status, %w[written published proposed])
  Alexandre Ruban
- Ignore persisted in-memory records when merging target lists.
  Kevin Sjöberg
- Add a new option :update_only to upsert_all to configure the list of columns to update in case of conflict.
  Before, you could only customize the update SQL sentence via :on_duplicate. There is now a new option :update_only that lets you provide a list of columns to update in case of conflict:
      Commodity.upsert_all(
        [
          { id: 2, name: "Copper", price: 4.84 },
          { id: 4, name: "Gold", price: 1380.87 },
          { id: 6, name: "Aluminium", price: 0.35 }
        ],
        update_only: [:price] # Only prices will be updated
      )
  Jorge Manrubia
- Remove deprecated ActiveRecord::Result#map! and ActiveRecord::Result#collect!.
  Rafael Mendonça França
- Remove deprecated ActiveRecord::Base.configurations.to_h.
  Rafael Mendonça França
- Remove deprecated ActiveRecord::Base.configurations.default_hash.
  Rafael Mendonça França
- Remove deprecated ActiveRecord::Base.arel_attribute.
  Rafael Mendonça França
- Remove deprecated ActiveRecord::Base.connection_config.
  Rafael Mendonça França
- Filter attributes in SQL logs
  Previously, SQL queries in logs containing ActiveRecord::Base.filter_attributes were not filtered.
  Now, the filter attributes will be masked [FILTERED] in the logs when prepared_statement is enabled.
      # Before:
      Foo Load (0.2ms) SELECT "foos".* FROM "foos" WHERE "foos"."passw" = ? LIMIT ? [["passw", "hello"], ["LIMIT", 1]]
      # After:
      Foo Load (0.5ms) SELECT "foos".* FROM "foos" WHERE "foos"."passw" = ? LIMIT ? [["passw", "[FILTERED]"], ["LIMIT", 1]]
  Aishwarya Subramanian
- Remove deprecated Tasks::DatabaseTasks.spec.
  Rafael Mendonça França
- Remove deprecated Tasks::DatabaseTasks.current_config.
  Rafael Mendonça França
- Deprecate Tasks::DatabaseTasks.schema_file_type.
  Rafael Mendonça França
- Remove deprecated Tasks::DatabaseTasks.dump_filename.
  Rafael Mendonça França
- Remove deprecated Tasks::DatabaseTasks.schema_file.
  Rafael Mendonça França
- Remove deprecated environment and name arguments from Tasks::DatabaseTasks.schema_up_to_date?.
  Rafael Mendonça França
- Merging conditions on the same column no longer maintain both conditions, and will be consistently replaced by the latter condition.
      # Rails 6.1 (IN clause is replaced by merger side equality condition)
      Author.where(id: [david.id, mary.id]).merge(Author.where(id: bob)) # => [bob]
      # Rails 6.1 (both conflict conditions exist, deprecated)
      Author.where(id: david.id..mary.id).merge(Author.where(id: bob)) # => []
      # Rails 6.1 with rewhere to migrate to Rails 7.0's behavior
      Author.where(id: david.id..mary.id).merge(Author.where(id: bob), rewhere: true) # => [bob]
      # Rails 7.0 (same behavior with IN clause, mergee side condition is consistently replaced)
      Author.where(id: [david.id, mary.id]).merge(Author.where(id: bob)) # => [bob]
      Author.where(id: david.id..mary.id).merge(Author.where(id: bob)) # => [bob]
  Rafael Mendonça França
- Remove deprecated support to Model.reorder(nil).first to search using non-deterministic order.
  Rafael Mendonça França
- Remove deprecated rake tasks:
  - db:schema:load_if_ruby
  - db:structure:dump
  - db:structure:load
  - db:structure:load_if_sql
  - db:structure:dump:#{name}
  - db:structure:load:#{name}
  - db:test:load_structure
  - db:test:load_structure:#{name}
  Rafael Mendonça França
- Remove deprecated DatabaseConfig#config method.
  Rafael Mendonça França
- Rollback transactions when the block returns earlier than expected.
  Before this change, when a transaction block returned early, the transaction would be committed.
  The problem is that timeouts triggered inside the transaction block were also making the incomplete transact...
6.1.4
Active Support
- MemCacheStore: convert any underlying value (including false) to an Entry.
  See #42559.
  Alex Ghiculescu
- Fix bug in number_with_precision when using large BigDecimal values.
  Fixes #42302.
  Federico Aldunate, Zachary Scott
- Check byte size instead of length on secure_compare.
  Tietew
- Fix Time.at to not lose :in option.
  Ryuta Kamizono
- Require a path for config.cache_store = :file_store.
  Alex Ghiculescu
- Avoid having to store complex object in the default translation file.
  Rafael Mendonça França
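The secure_compare entry above turns on the difference between character count and byte size. The following is an added illustration, not Rails source: the helper names and sample values are constructed, and the fixed-length step is assumed to reject inputs of unequal byte size.

```ruby
# Added illustration; these helpers are hypothetical and are not Rails source.

# Constant-time equality for two strings that already have the same byte size.
def fixed_length_compare(a, b)
  raise ArgumentError, "byte size mismatch" unless a.bytesize == b.bytesize

  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Guard on character count: two strings can pass this guard and still differ
# in byte size, so the fixed-length step raises instead of answering false.
def compare_guarding_length(a, b)
  a.length == b.length && fixed_length_compare(a, b)
end

# Guard on byte size: a mismatch is reported as "not equal", never as an error.
def compare_guarding_bytesize(a, b)
  a.bytesize == b.bytesize && fixed_length_compare(a, b)
end

# Runs one of the comparisons above and reports :equal, :different or :error.
def outcome(comparison, a, b)
  send(comparison, a, b) ? :equal : :different
rescue ArgumentError
  :error
end

# Constructed sample values: same character count, different byte size.
EXPECTED = "caf\u00e9-token" # 10 characters, 11 bytes in UTF-8
SUPPLIED = "cafe-token"      # 10 characters, 10 bytes

if $PROGRAM_NAME == __FILE__
  puts "length:   #{EXPECTED.length} vs #{SUPPLIED.length}"
  puts "bytesize: #{EXPECTED.bytesize} vs #{SUPPLIED.bytesize}"
  puts "guard on length:   #{outcome(:compare_guarding_length, EXPECTED, SUPPLIED)}"
  puts "guard on bytesize: #{outcome(:compare_guarding_bytesize, EXPECTED, SUPPLIED)}"
end
```

With the length guard, a multibyte value supplied by a client surfaces as an exception in the caller; with the byte-size guard it is an ordinary failed comparison.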
Active Model
- Fix to_json for ActiveModel::Dirty object.
  Exclude +mutations_from_database+ attribute from json as it leads to recursion.
  Anil Maurya
Active Record
- Do not try to rollback transactions that failed due to a ActiveRecord::TransactionRollbackError.
  Jamie McCarthy
- Raise an error if pool_config is nil in set_pool_config.
  Eileen M. Uchitelle
- Fix compatibility with psych >= 4.
  Starting in Psych 4.0.0 YAML.load behaves like YAML.safe_load. To preserve compatibility Active Record's schema cache loader and YAMLColumn now use YAML.unsafe_load if available.
  Jean Boussier
- Support using replicas when using rails dbconsole.
  Christopher Thornton
- Restore connection pools after transactional tests.
  Eugene Kenny
- Change upsert_all to fail cleanly for MySQL when :unique_by is used.
  Bastian Bartmann
- Fix user-defined self.default_scope to respect table alias.
  Ryuta Kamizono
- Clear @cache_keys cache after update_all, delete_all, destroy_all.
  Ryuta Kamizono
- Changed Arel predications contains and overlaps to use quoted_node so that PostgreSQL arrays are quoted properly.
  Bradley Priest
- Fix merge when the where clauses have string contents.
  Ryuta Kamizono
- Fix rollback of parent destruction with nested dependent: :destroy.
  Jacopo Beschi
- Fix binds logging for "WHERE ... IN ..." statements.
  Ricardo Díaz
- Handle false in relation strict loading checks.
  Previously when a model had strict loading set to true and then had a relation set strict_loading to false the false wasn't considered when deciding whether to raise/warn about strict loading.
      class Dog < ActiveRecord::Base
        self.strict_loading_by_default = true
        has_many :treats, strict_loading: false
      end
  In the example, dog.treats would still raise even though strict_loading was set to false. This is a bug affecting more than Active Storage which is why I made this PR superseding #41461. We need to fix this for all applications since the behavior is a little surprising. I took the test from #41461 and the code suggestion from #41453 with some additions.
  Eileen M. Uchitelle, Radamés Roriz
- Fix numericality validator without precision.
  Ryuta Kamizono
- Fix aggregate attribute on Enum types.
  Ryuta Kamizono
- Fix CREATE INDEX statement generation for PostgreSQL.
  eltongo
- Fix where clause on enum attribute when providing array of strings.
  Ryuta Kamizono
- Fix unprepared_statement to work when nesting.
  Ryuta Kamizono
Action View
- The translate helper now passes default values that aren't translation keys through I18n.translate for interpolation.
  Jonathan Hefner
- Don't attach UJS form submission handlers to Turbo forms.
  David Heinemeier Hansson
- Allow both current_page?(url_hash) and current_page?(**url_hash) on Ruby 2.7.
  Ryuta Kamizono
Action Pack
- Ignore file fixtures on db:fixtures:load.
  Kevin Sjöberg
- Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
  Dylan Thacker-Smith
- Correctly place optional path parameter booleans.
  Previously, if you specified a URL parameter that is part of the path as false, it would include that part of the path as a parameter, for example:
      get "(/optional/:optional_id)/things" => "foo#foo", as: :things
      things_path(optional_id: false) # => /things?optional_id=false
  After this change, true and false will be treated the same when used as optional path parameters. Meaning now:
      get '(this/:my_bool)/that', as: :that
      that_path(my_bool: true) # => `/this/true/that`
      that_path(my_bool: false) # => `/this/false/that`
  Adam Hess
- Add support for 'private, no-store' Cache-Control headers.
  Previously, 'no-store' was exclusive; no other directives could be specified.
  Alex Smith
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- Fix ArgumentError with ruby 3.0 on RemoteConnection#disconnect.
  Vladislav
Active Storage
- The parameters sent to ffmpeg for generating a video preview image are now configurable under config.active_storage.video_preview_arguments.
  Brendon Muir
- Fix Active Storage update task when running in an engine.
  Justin Malčić
- Don't raise an error if the mime type is not recognized.
  Fixes #41777.
  Alex Ghiculescu
- ActiveStorage::PreviewError is raised when a previewer is unable to generate a preview image.
  Alex Robbin
- Respond with 404 given invalid variation key when asking for representations.
  George Claghorn
- Blob creation shouldn't crash if no service selected.
  Alex Ghiculescu
Action Mailbox
- No changes.
Action Text
- Always render attachment partials as HTML with :html format inside trix editor.
  James Brooks
Railties
- Fix compatibility with psych >= 4.
  Starting in Psych 4.0.0 YAML.load behaves like YAML.safe_load. To preserve compatibility Rails.application.config_for now uses YAML.unsafe_load if available.
  Jean Boussier
- Ensure Rails.application.config_for always casts hashes to ActiveSupport::OrderedOptions.
  Jean Boussier
- Fix create migration generator with --pretend option.
  euxx
6.0.4
Active Support
- Fixed issue in ActiveSupport::Cache::RedisCacheStore not passing options to read_multi causing fetch_multi to not work properly.
  Rajesh Sharma
- with_options copies its options hash again to avoid leaking mutations.
  Fixes #39343.
  Eugene Kenny
Active Model
- No changes.
Active Record
- Only warn about negative enums if a positive form that would cause conflicts exists.
  Fixes #39065.
  Alex Ghiculescu
- Allow the inverse of a has_one association that was previously autosaved to be loaded.
  Fixes #34255.
  Steven Weber
- Reset statement cache for association if table_name is changed.
  Fixes #36453.
  Ryuta Kamizono
- Type cast extra select for eager loading.
  Ryuta Kamizono
- Prevent collection associations from being autosaved multiple times.
  Fixes #39173.
  Eugene Kenny
- Resolve issue with insert_all unique_by option when used with expression index.
  When the :unique_by option of ActiveRecord::Persistence.insert_all and ActiveRecord::Persistence.upsert_all was used with the name of an expression index, an error was raised. Adding a guard around the formatting behavior for the :unique_by corrects this.
  Usage:
      create_table :books, id: :integer, force: true do |t|
        t.column :name, :string
        t.index "lower(name)", unique: true
      end

      Book.insert_all [{ name: "MyTest" }], unique_by: :index_books_on_lower_name
  Fixes #39516.
  Austen Madden
- Fix preloading for polymorphic association with custom scope.
  Ryuta Kamizono
- Allow relations with different SQL comments in the or method.
  Takumi Shotoku
- Resolve conflict between counter cache and optimistic locking.
  Bump an Active Record instance's lock version after updating its counter cache. This avoids raising an unnecessary ActiveRecord::StaleObjectError upon subsequent transactions by maintaining parity with the corresponding database record's lock_version column.
  Fixes #16449.
  Aaron Lipman
- Fix through association with source/through scope which has joins.
  Ryuta Kamizono
- Fix through association to respect source scope for includes/preload.
  Ryuta Kamizono
- Fix eager load with Arel joins to maintain the original joins order.
  Ryuta Kamizono
- Fix group by count with eager loading + order + limit/offset.
  Ryuta Kamizono
- Fix left joins order when merging multiple left joins from different associations.
  Ryuta Kamizono
- Fix index creation to preserve index comment in bulk change table on MySQL.
  Ryuta Kamizono
- Change remove_foreign_key to not check :validate option if database doesn't support the feature.
  Ryuta Kamizono
- Fix the result of aggregations to maintain duplicated "group by" fields.
  Ryuta Kamizono
- Do not return duplicated records when using preload.
  Bogdan Gusiev
Action View
- SanitizeHelper.sanitized_allowed_attributes and SanitizeHelper.sanitized_allowed_tags call safe_list_sanitizer's class method.
  Fixes #39586
  Taufiq Muhammadi
Action Pack
- Accept base64_urlsafe CSRF tokens to make forward compatible.
  Base64 strict-encoded CSRF tokens are not inherently websafe, which makes them difficult to deal with. For example, the common practice of sending the CSRF token to a browser in a client-readable cookie does not work properly out of the box: the value has to be url-encoded and decoded to survive transport.
  In Rails 6.1, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens for backwards compatibility.
  In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded. If you upgrade apps from 5.2.5, set the config urlsafe_csrf_tokens = true.
      Rails.application.config.action_controller.urlsafe_csrf_tokens = true
  Scott Blum, Étienne Barrié
- Signed and encrypted cookies can now store false as their value when action_dispatch.use_cookies_with_metadata is enabled.
  Rolandas Barysas
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- The Poppler PDF previewer renders a preview image using the original document's crop box rather than its media box, hiding print margins. This matches the behavior of the MuPDF previewer.
  Vincent Robert
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- Allow relative paths with trailing slashes to be passed to rails test.
  Eugene Kenny
- Return a 405 Method Not Allowed response when a request uses an unknown HTTP method.
  Fixes #38998.
  Loren Norman
6.1.3.2
Active Support
- No changes.
Active Model
- No changes.
Active Record
- No changes.
Action View
- No changes.
Action Pack
- Prevent open redirects by correctly escaping the host allow list
  CVE-2021-22903
- Prevent catastrophic backtracking during mime parsing
  CVE-2021-22902
- Prevent regex DoS in HTTP token authentication
  CVE-2021-22904
- Prevent string polymorphic route arguments.
  url_for supports building polymorphic URLs via an array of arguments (usually symbols and records). If a developer passes a user input array, strings can result in unwanted route helper calls.
  Gannon McGibbon
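Why escaping matters when a host allow list is turned into regular expressions, as the first entry above describes. This is an added illustration, not Rails source: the helper names and the reserved `.test` hostnames are constructed, and it can serve as a regression check for an application's own allow-list code.

```ruby
# Added illustration; helper names and hostnames are constructed, not Rails source.

# "Before": the allow-list entry is interpolated into a regex as-is, so "."
# keeps its regex meaning of "any single character".
def unescaped_pattern(entry)
  /\A#{entry}\z/i
end

# "After": the entry is escaped first, so only the literal hostname matches.
def escaped_pattern(entry)
  /\A#{Regexp.escape(entry)}\z/i
end

def allowed?(host, patterns)
  patterns.any? { |pattern| pattern.match?(host) }
end

# Hosts that pass the unescaped patterns but not the escaped ones, i.e. the
# hosts an unescaped allow list lets through by mistake.
def wrongly_accepted(candidates, allow_list)
  loose  = allow_list.map { |entry| unescaped_pattern(entry) }
  strict = allow_list.map { |entry| escaped_pattern(entry) }
  candidates.select { |host| allowed?(host, loose) && !allowed?(host, strict) }
end

# Constructed sample data.
ALLOW_LIST = ["app.example.test", "admin.example.test"].freeze
CANDIDATES = [
  "app.example.test",         # exact entry
  "APP.example.test",         # same host, different case
  "appxexample.test",         # "." in the entry matched "x"
  "admin-example.test",       # "." in the entry matched "-"
  "app.example.test.invalid"  # rejected by both thanks to the \z anchor
].freeze

if $PROGRAM_NAME == __FILE__
  strict = ALLOW_LIST.map { |entry| escaped_pattern(entry) }
  CANDIDATES.each do |host|
    puts format("%-26s escaped allow list: %s", host, allowed?(host, strict))
  end
  puts "accepted only without escaping: #{wrongly_accepted(CANDIDATES, ALLOW_LIST).inspect}"
end
```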
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
6.0.3.7
Active Support
- No changes.
Active Model
- No changes.
Active Record
- No changes.
Action View
- No changes.
Action Pack
- Prevent catastrophic backtracking during mime parsing
  CVE-2021-22902
- Prevent regex DoS in HTTP token authentication
  CVE-2021-22904
- Prevent string polymorphic route arguments.
  url_for supports building polymorphic URLs via an array of arguments (usually symbols and records). If a developer passes a user input array, strings can result in unwanted route helper calls.
  Gannon McGibbon
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
5.2.6
Active Support
- No changes.
Active Model
- No changes.
Active Record
- No changes.
Action View
- No changes.
Action Pack
- Accept base64_urlsafe CSRF tokens to make forward compatible.
  Base64 strict-encoded CSRF tokens are not inherently websafe, which makes them difficult to deal with. For example, the common practice of sending the CSRF token to a browser in a client-readable cookie does not work properly out of the box: the value has to be url-encoded and decoded to survive transport.
  In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens for backwards compatibility.
  How the tokens are encoded is controlled by the action_controller.urlsafe_csrf_tokens config.
  In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded.
  Attention: If you already upgraded your application to 5.2.5, set the config urlsafe_csrf_tokens to true, otherwise your form submission will start to fail during the deploy of this new version.
      Rails.application.config.action_controller.urlsafe_csrf_tokens = true
  If you are upgrading from 5.2.4.x, you don't need to change this configuration.
  Scott Blum, Étienne Barrié
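The CSRF token entries in 6.0.4 and 5.2.6 above describe two encodings and a validator that accepts both. This is an added illustration using only Ruby's standard library, not Rails source: the helper names and the token bytes are constructed, and dropping the padding on the urlsafe form is an assumption.

```ruby
# Added illustration; helper names and the sample token are constructed.
require "base64"
require "uri"

# Constructed 32-byte token whose strict Base64 form is full of "+" and "/".
RAW_TOKEN = (("\xFB\xEF\xBE\xFF\xFF\xFF".b * 5) + "\x00\x01".b).freeze

def encode_token(raw, urlsafe:)
  if urlsafe
    Base64.urlsafe_encode64(raw, padding: false) # alphabet uses "-" and "_"
  else
    Base64.strict_encode64(raw)                  # alphabet uses "+", "/" and "="
  end
end

# Accept either encoding: try strict first, fall back to urlsafe.
# Raises ArgumentError when the value is valid in neither alphabet.
def decode_token(encoded)
  Base64.strict_decode64(encoded)
rescue ArgumentError
  Base64.urlsafe_decode64(encoded)
end

# What a receiver sees when the value was put in a cookie or form field
# without URL-encoding and is then form-decoded: "+" becomes a space.
def after_unencoded_transport(encoded)
  URI.decode_www_form_component(encoded)
end

# True when the token still decodes to the original bytes after transport.
def survives_transport?(encoded, raw)
  decode_token(after_unencoded_transport(encoded)) == raw
rescue ArgumentError
  false
end

if $PROGRAM_NAME == __FILE__
  strict  = encode_token(RAW_TOKEN, urlsafe: false)
  urlsafe = encode_token(RAW_TOKEN, urlsafe: true)
  puts "strict : #{strict}  survives: #{survives_transport?(strict, RAW_TOKEN)}"
  puts "urlsafe: #{urlsafe}  survives: #{survives_transport?(urlsafe, RAW_TOKEN)}"
end
```

Both forms decode to the same bytes when delivered intact; only the strict form depends on every hop URL-encoding it correctly.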
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Railties
- No changes.
5.2.4.6
Active Support
- No changes.
Active Model
- No changes.
Active Record
- No changes.
Action View
- No changes.
Action Pack
- Prevent regex DoS in HTTP token authentication
  CVE-2021-22904
- Prevent string polymorphic route arguments.
  url_for supports building polymorphic URLs via an array of arguments (usually symbols and records). If a developer passes a user input array, strings can result in unwanted route helper calls.
  Gannon McGibbon
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Railties
- No changes.
6.1.3.1
Active Support
- No changes.
Active Model
- No changes.
Active Record
- No changes.
Action View
- No changes.
Action Pack
- No changes.
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed mime types data.
  George Claghorn
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
6.0.3.6
Active Support
- No changes.
Active Model
- No changes.
Active Record
- No changes.
Action View
- No changes.
Action Pack
- No changes.
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed mime types data.
  George Claghorn
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.