6.0.4.2

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Fix X_FORWARDED_HOST protection. [CVE-2021-44528]

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

7.0.0.rc1

Active Support

• Deprecate passing a format to #to_s in favor of #to_formatted_s in Array, Range, Date, DateTime, Time,
  BigDecimal, Float and, Integer.

  Rafael Mendonça França

• Document ActiveSupport::Testing::Deprecation.

  Sam Bostock & Sam Jordan

• Add Pathname#existence.

  Pathname.new("file").existence&.read

  Timo Schilling

• Remove deprecate ActiveSupport::Multibyte::Unicode.default_normalization_form.

  Rafael Mendonça França

• Remove deprecated support to use Range#include? to check the inclusion of a value in
  a date time range is deprecated.

  Rafael Mendonça França

• Remove deprecated URI.parser.

  Rafael Mendonça França

• Remove deprecated config.active_support.use_sha1_digests.

  Rafael Mendonça França

• Invoking Object#with_options without a &block argument returns the
  ActiveSupport::OptionMerger instance.

  Sean Doyle

• Rails.application.executor hooks can now be called around every test

  This helps to better simulate request or job local state being reset around tests and prevents state
  leaking from one test to another.

  However it requires the executor hooks executed in the test environment to be re-entrant.

  To enable this, set config.active_support.executor_around_test_case = true (this is the default in Rails 7).

  Jean Boussier

• ActiveSupport::DescendantsTracker now mostly delegate to Class#descendants on Ruby 3.1

  Ruby now provides a fast Class#descendants making ActiveSupport::DescendantsTracker mostly useless.

  As a result the following methods are deprecated:

  • ActiveSupport::DescendantsTracker.direct_descendants
  • ActiveSupport::DescendantsTracker#direct_descendants

  Jean Boussier

• Fix the Digest::UUID.uuid_from_hash behavior for namespace IDs that are different from the ones defined on Digest::UUID.

  The new behavior will be enabled by setting the
  config.active_support.use_rfc4122_namespaced_uuids option to true
  and is the default for new apps.

  The old behavior is the default for upgraded apps and will output a
  deprecation warning every time a value that is different than one of
  the constants defined on the Digest::UUID extension is used as the
  namespace ID.

  Alex Robbin, Erich Soares Machado, Eugene Kenny

• ActiveSupport::Inflector::Inflections#clear(:acronyms) is now supported,
  and inflector.clear / inflector.clear(:all) also clears acronyms.

  Alex Ghiculescu, Oliver Peate

Active Model

• Remove support to Marshal load Rails 5.x ActiveModel::AttributeSet format.

  Rafael Mendonça França

• Remove support to Marshal and YAML load Rails 5.x error format.

  Rafael Mendonça França

• Remove deprecated support to use []= in ActiveModel::Errors#messages.

  Rafael Mendonça França

• Remove deprecated support to delete errors from ActiveModel::Errors#messages.

  Rafael Mendonça França

• Remove deprecated support to clear errors from ActiveModel::Errors#messages.

  Rafael Mendonça França

• Remove deprecated support concat errors to ActiveModel::Errors#messages.

  Rafael Mendonça França

• Remove deprecated ActiveModel::Errors#to_xml.

  Rafael Mendonça França

• Remove deprecated ActiveModel::Errors#keys.

  Rafael Mendonça França

• Remove deprecated ActiveModel::Errors#values.

  Rafael Mendonça França

• Remove deprecated ActiveModel::Errors#slice!.

  Rafael Mendonça França

• Remove deprecated ActiveModel::Errors#to_h.

  Rafael Mendonça França

• Remove deprecated enumeration of ActiveModel::Errors instances as a Hash.

  Rafael Mendonça França

• Clear secure password cache if password is set to nil

  Before:

  user.password = 'something'
  user.password = nil

  user.password # => 'something'

  Now:

  user.password = 'something'
  user.password = nil

  user.password # => nil

  Markus Doits

Active Record

• Remove deprecated ActiveRecord::DatabaseConfigurations::DatabaseConfig#spec_name.

  Rafael Mendonça França

• Remove deprecated ActiveRecord::Connection#in_clause_length.

  Rafael Mendonça França

• Remove deprecated ActiveRecord::Connection#allowed_index_name_length.

  Rafael Mendonça França

• Remove deprecated ActiveRecord::Base#remove_connection.

  Rafael Mendonça França

• Load STI Models in fixtures

  Data from Fixtures now loads based on the specific class for models with
  Single Table Inheritance. This affects enums defined in subclasses, previously
  the value of these fields was not parsed and remained nil

  Andres Howard

• #authenticate returns false when the password is blank instead of raising an error.

  Muhammad Muhammad Ibrahim

• Fix ActiveRecord::QueryMethods#in_order_of behavior for integer enums.

  ActiveRecord::QueryMethods#in_order_of didn't work as expected for enums stored as integers in the database when passing an array of strings or symbols as the order argument. This unexpected behavior occurred because the string or symbol values were not casted to match the integers in the database.

  The following example now works as expected:

  class Book < ApplicationRecord
    enum status: [:proposed, :written, :published]
  end
  
  Book.in_order_of(:status, %w[written published proposed])

  Alexandre Ruban

• Ignore persisted in-memory records when merging target lists.

  Kevin Sjöberg

• Add a new option :update_only to upsert_all to configure the list of columns to update in case of conflict.

  Before, you could only customize the update SQL sentence via :on_duplicate. There is now a new option :update_only that lets you provide a list of columns to update in case of conflict:

  Commodity.upsert_all(
    [
      { id: 2, name: "Copper", price: 4.84 },
      { id: 4, name: "Gold", price: 1380.87 },
      { id: 6, name: "Aluminium", price: 0.35 }
    ],
    update_only: [:price] # Only prices will be updated
  )

  Jorge Manrubia

• Remove deprecated ActiveRecord::Result#map! and ActiveRecord::Result#collect!.

  Rafael Mendonça França

• Remove deprecated ActiveRecord::Base.configurations.to_h.

  Rafael Mendonça França

• Remove deprecated ActiveRecord::Base.configurations.default_hash.

  Rafael Mendonça França

• Remove deprecated ActiveRecord::Base.arel_attribute.

  Rafael Mendonça França

• Remove deprecated ActiveRecord::Base.connection_config.

  Rafael Mendonça França

• Filter attributes in SQL logs

  Previously, SQL queries in logs containing ActiveRecord::Base.filter_attributes were not filtered.

  Now, the filter attributes will be masked [FILTERED] in the logs when prepared_statement is enabled.

  # Before:
    Foo Load (0.2ms)  SELECT "foos".* FROM "foos" WHERE "foos"."passw" = ? LIMIT ?  [["passw", "hello"], ["LIMIT", 1]]
  
  # After:
    Foo Load (0.5ms)  SELECT "foos".* FROM "foos" WHERE "foos"."passw" = ? LIMIT ?  [["passw", "[FILTERED]"], ["LIMIT", 1]]
  

  Aishwarya Subramanian

• Remove deprecated Tasks::DatabaseTasks.spec.

  Rafael Mendonça França

• Remove deprecated Tasks::DatabaseTasks.current_config.

  Rafael Mendonça França

• Deprecate Tasks::DatabaseTasks.schema_file_type.

  Rafael Mendonça França

• Remove deprecated Tasks::DatabaseTasks.dump_filename.

  Rafael Mendonça França

• Remove deprecated Tasks::DatabaseTasks.schema_file.

  Rafael Mendonça França

• Remove deprecated environment and name arguments from Tasks::DatabaseTasks.schema_up_to_date?.

  Rafael Mendonça França

• Merging conditions on the same column no longer maintain both conditions,
  and will be consistently replaced by the latter condition.

  # Rails 6.1 (IN clause is replaced by merger side equality condition)
  Author.where(id: [david.id, mary.id]).merge(Author.where(id: bob)) # => [bob]
  # Rails 6.1 (both conflict conditions exists, deprecated)
  Author.where(id: david.id..mary.id).merge(Author.where(id: bob)) # => []
  # Rails 6.1 with rewhere to migrate to Rails 7.0's behavior
  Author.where(id: david.id..mary.id).merge(Author.where(id: bob), rewhere: true) # => [bob]
  # Rails 7.0 (same behavior with IN clause, mergee side condition is consistently replaced)
  Author.where(id: [david.id, mary.id]).merge(Author.where(id: bob)) # => [bob]
  Author.where(id: david.id..mary.id).merge(Author.where(id: bob)) # => [bob]
  
  *Rafael Mendonça França*

• Remove deprecated support to Model.reorder(nil).first to search using non-deterministic order.

  Rafael Mendonça França

• Remove deprecated rake tasks:

  • db:schema:load_if_ruby
  • db:structure:dump
  • db:structure:load
  • db:structure:load_if_sql
  • db:structure:dump:#{name}
  • db:structure:load:#{name}
  • db:test:load_structure
  • db:test:load_structure:#{name}

  Rafael Mendonça França

• Remove deprecated DatabaseConfig#config method.

  Rafael Mendonça França

• Rollback transactions when the block returns earlier than expected.

  Before this change, when a transaction block returned early, the transaction would be committed.

  The problem is that timeouts triggered inside the transaction block was also making the incomplete transact...

6.1.4

Active Support

• MemCacheStore: convert any underlying value (including false) to an Entry.

  See #42559.

  Alex Ghiculescu

• Fix bug in number_with_precision when using large BigDecimal values.

  Fixes #42302.

  Federico Aldunate, Zachary Scott

• Check byte size instead of length on secure_compare.

  Tietew

• Fix Time.at to not lose :in option.

  Ryuta Kamizono

• Require a path for config.cache_store = :file_store.

  Alex Ghiculescu

• Avoid having to store complex object in the default translation file.

  Rafael Mendonça França

Active Model

• Fix to_json for ActiveModel::Dirty object.

  Exclude +mutations_from_database+ attribute from json as it lead to recursion.

  Anil Maurya

Active Record

• Do not try to rollback transactions that failed due to a ActiveRecord::TransactionRollbackError.

  Jamie McCarthy

• Raise an error if pool_config is nil in set_pool_config.

  Eileen M. Uchitelle

• Fix compatibility with psych >= 4.

  Starting in Psych 4.0.0 YAML.load behaves like YAML.safe_load. To preserve compatibility
  Active Record's schema cache loader and YAMLColumn now uses YAML.unsafe_load if available.

  Jean Boussier

• Support using replicas when using rails dbconsole.

  Christopher Thornton

• Restore connection pools after transactional tests.

  Eugene Kenny

• Change upsert_all to fails cleanly for MySQL when :unique_by is used.

  Bastian Bartmann

• Fix user-defined self.default_scope to respect table alias.

  Ryuta Kamizono

• Clear @cache_keys cache after update_all, delete_all, destroy_all.

  Ryuta Kamizono

• Changed Arel predications contains and overlaps to use
  quoted_node so that PostgreSQL arrays are quoted properly.

  Bradley Priest

• Fix merge when the where clauses have string contents.

  Ryuta Kamizono

• Fix rollback of parent destruction with nested dependent: :destroy.

  Jacopo Beschi

• Fix binds logging for "WHERE ... IN ..." statements.

  Ricardo Díaz

• Handle false in relation strict loading checks.

  Previously when a model had strict loading set to true and then had a
  relation set strict_loading to false the false wasn't considered when
  deciding whether to raise/warn about strict loading.

  class Dog < ActiveRecord::Base
    self.strict_loading_by_default = true
  
    has_many :treats, strict_loading: false
  end
  

  In the example, dog.treats would still raise even though
  strict_loading was set to false. This is a bug effecting more than
  Active Storage which is why I made this PR superceeding #41461. We need
  to fix this for all applications since the behavior is a little
  surprising. I took the test from ##41461 and the code suggestion from #41453
  with some additions.

  Eileen M. Uchitelle, Radamés Roriz

• Fix numericality validator without precision.

  Ryuta Kamizono

• Fix aggregate attribute on Enum types.

  Ryuta Kamizono

• Fix CREATE INDEX statement generation for PostgreSQL.

  eltongo

• Fix where clause on enum attribute when providing array of strings.

  Ryuta Kamizono

• Fix unprepared_statement to work it when nesting.

  Ryuta Kamizono

Action View

• The translate helper now passes default values that aren't
  translation keys through I18n.translate for interpolation.

  Jonathan Hefner

• Don't attach UJS form submission handlers to Turbo forms.

  David Heinemeier Hansson

• Allow both current_page?(url_hash) and current_page?(**url_hash) on Ruby 2.7.

  Ryuta Kamizono

Action Pack

• Ignore file fixtures on db:fixtures:load

  Kevin Sjöberg

• Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.

  Dylan Thacker-Smith

• Correctly place optional path parameter booleans.

  Previously, if you specify a url parameter that is part of the path as false it would include that part
  of the path as parameter for example:

  get "(/optional/:optional_id)/things" => "foo#foo", as: :things
  things_path(optional_id: false) # => /things?optional_id=false
  

  After this change, true and false will be treated the same when used as optional path parameters. Meaning now:

  get '(this/:my_bool)/that' as: :that
  
  that_path(my_bool: true) # => `/this/true/that`
  that_path(my_bool: false) # => `/this/false/that`
  

  Adam Hess

• Add support for 'private, no-store' Cache-Control headers.

  Previously, 'no-store' was exclusive; no other directives could be specified.

  Alex Smith

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• Fix ArgumentError with ruby 3.0 on RemoteConnection#disconnect.

  Vladislav

Active Storage

• The parameters sent to ffmpeg for generating a video preview image are now
  configurable under config.active_storage.video_preview_arguments.

  Brendon Muir

• Fix Active Storage update task when running in an engine.

  Justin Malčić*

• Don't raise an error if the mime type is not recognized.

  Fixes #41777.

  Alex Ghiculescu

• ActiveStorage::PreviewError is raised when a previewer is unable to generate a preview image.

  Alex Robbin

• respond with 404 given invalid variation key when asking for representations.

  George Claghorn

• Blob creation shouldn't crash if no service selected.

  Alex Ghiculescu

Action Mailbox

• No changes.

Action Text

• Always render attachment partials as HTML with :html format inside trix editor.

  James Brooks

Railties

• Fix compatibility with psych >= 4.

  Starting in Psych 4.0.0 YAML.load behaves like YAML.safe_load. To preserve compatibility
  Rails.application.config_for now uses YAML.unsafe_load if available.

  Jean Boussier

• Ensure Rails.application.config_for always cast hashes to ActiveSupport::OrderedOptions.

  Jean Boussier

• Fix create migration generator with --pretend option.

  euxx

6.0.4

Active Support

• Fixed issue in ActiveSupport::Cache::RedisCacheStore not passing options
  to read_multi causing fetch_multi to not work properly.

  Rajesh Sharma

• with_options copies its options hash again to avoid leaking mutations.

  Fixes #39343.

  Eugene Kenny

Active Model

• No changes.

Active Record

• Only warn about negative enums if a positive form that would cause conflicts exists.

  Fixes #39065.

  Alex Ghiculescu

• Allow the inverse of a has_one association that was previously autosaved to be loaded.

  Fixes #34255.

  Steven Weber

• Reset statement cache for association if table_name is changed.

  Fixes #36453.

  Ryuta Kamizono

• Type cast extra select for eager loading.

  Ryuta Kamizono

• Prevent collection associations from being autosaved multiple times.

  Fixes #39173.

  Eugene Kenny

• Resolve issue with insert_all unique_by option when used with expression index.

  When the :unique_by option of ActiveRecord::Persistence.insert_all and
  ActiveRecord::Persistence.upsert_all was used with the name of an expression index, an error
  was raised. Adding a guard around the formatting behavior for the :unique_by corrects this.

  Usage:

  create_table :books, id: :integer, force: true do |t|
    t.column :name, :string
    t.index "lower(name)", unique: true
  end
  
  Book.insert_all [{ name: "MyTest" }], unique_by: :index_books_on_lower_name

  Fixes #39516.

  Austen Madden

• Fix preloading for polymorphic association with custom scope.

  Ryuta Kamizono

• Allow relations with different SQL comments in the or method.

  Takumi Shotoku

• Resolve conflict between counter cache and optimistic locking.

  Bump an Active Record instance's lock version after updating its counter
  cache. This avoids raising an unnecessary ActiveRecord::StaleObjectError
  upon subsequent transactions by maintaining parity with the corresponding
  database record's lock_version column.

  Fixes #16449.

  Aaron Lipman

• Fix through association with source/through scope which has joins.

  Ryuta Kamizono

• Fix through association to respect source scope for includes/preload.

  Ryuta Kamizono

• Fix eager load with Arel joins to maintain the original joins order.

  Ryuta Kamizono

• Fix group by count with eager loading + order + limit/offset.

  Ryuta Kamizono

• Fix left joins order when merging multiple left joins from different associations.

  Ryuta Kamizono

• Fix index creation to preserve index comment in bulk change table on MySQL.

  Ryuta Kamizono

• Change remove_foreign_key to not check :validate option if database
  doesn't support the feature.

  Ryuta Kamizono

• Fix the result of aggregations to maintain duplicated "group by" fields.

  Ryuta Kamizono

• Do not return duplicated records when using preload.

  Bogdan Gusiev

Action View

• SanitizeHelper.sanitized_allowed_attributes and SanitizeHelper.sanitized_allowed_tags
  call safe_list_sanitizer's class method

  Fixes #39586

  Taufiq Muhammadi

Action Pack

• Accept base64_urlsafe CSRF tokens to make forward compatible.

  Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
  them difficult to deal with. For example, the common practice of sending
  the CSRF token to a browser in a client-readable cookie does not work properly
  out of the box: the value has to be url-encoded and decoded to survive transport.

  In Rails 6.1, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
  safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
  tokens for backwards compatibility.

  In Rails 5.2.5, the CSRF token format is accidentally changed to urlsafe-encoded.
  If you upgrade apps from 5.2.5, set the config urlsafe_csrf_tokens = true.

  Rails.application.config.action_controller.urlsafe_csrf_tokens = true

  Scott Blum, Étienne Barrié

• Signed and encrypted cookies can now store false as their value when
  action_dispatch.use_cookies_with_metadata is enabled.

  Rolandas Barysas

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• The Poppler PDF previewer renders a preview image using the original
  document's crop box rather than its media box, hiding print margins. This
  matches the behavior of the MuPDF previewer.

  Vincent Robert

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• Allow relative paths with trailing slashes to be passed to rails test.

  Eugene Kenny

• Return a 405 Method Not Allowed response when a request uses an unknown HTTP method.

  Fixes #38998.

  Loren Norman

6.1.3.2

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Prevent open redirects by correctly escaping the host allow list
  CVE-2021-22903

• Prevent catastrophic backtracking during mime parsing
  CVE-2021-22902

• Prevent regex DoS in HTTP token authentication
  CVE-2021-22904

• Prevent string polymorphic route arguments.

  url_for supports building polymorphic URLs via an array
  of arguments (usually symbols and records). If a developer passes a
  user input array, strings can result in unwanted route helper calls.

  CVE-2021-22885

  Gannon McGibbon

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

6.0.3.7

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Prevent catastrophic backtracking during mime parsing
  CVE-2021-22902

• Prevent regex DoS in HTTP token authentication
  CVE-2021-22904

• Prevent string polymorphic route arguments.

  url_for supports building polymorphic URLs via an array
  of arguments (usually symbols and records). If a developer passes a
  user input array, strings can result in unwanted route helper calls.

  CVE-2021-22885

  Gannon McGibbon

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

5.2.6

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Accept base64_urlsafe CSRF tokens to make forward compatible.

  Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
  them difficult to deal with. For example, the common practice of sending
  the CSRF token to a browser in a client-readable cookie does not work properly
  out of the box: the value has to be url-encoded and decoded to survive transport.

  In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
  safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
  tokens for backwards compatibility.

  How the tokes are encoded is controllr by the action_controller.urlsafe_csrf_tokens
  config.

  In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded.

  Atention: If you already upgraded your application to 5.2.5, set the config
  urlsafe_csrf_tokens to true, otherwise your form submission will start to fail
  during the deploy of this new version.

  Rails.application.config.action_controller.urlsafe_csrf_tokens = true

  If you are upgrading from 5.2.4.x, you don't need to change this configuration.

  Scott Blum, Étienne Barrié

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Railties

• No changes.

5.2.4.6

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Prevent regex DoS in HTTP token authentication
  CVE-2021-22904

• Prevent string polymorphic route arguments.

  url_for supports building polymorphic URLs via an array
  of arguments (usually symbols and records). If a developer passes a
  user input array, strings can result in unwanted route helper calls.

  CVE-2021-22885

  Gannon McGibbon

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Railties

• No changes.

6.1.3.1

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed mime types data.

  George Claghorn

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

6.0.3.6

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed mime types data.

  George Claghorn

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.