Nexmo / nexmo-oas-renderer

Render your API references, Nexmo-style!
https://developer.nexmo.com/api
MIT License

Update dependency rails to v6.1.7.7 - autoclosed #134

Closed mend-for-github-com[bot] closed 5 months ago

mend-for-github-com[bot] commented 7 months ago

This PR contains the following updates:

| Package | Update | Change |
| --- | --- | --- |
| rails (source, changelog) | patch | 6.1.3.2 -> 6.1.7.7 |

By merging this PR, the issue #124 will be automatically resolved and closed:

| Severity | CVSS Score | CVE | Reachability |
| --- | --- | --- | --- |
| Medium | 6.1 | CVE-2023-23913 | |
| Medium | 6.1 | CVE-2023-28120 | |
| Medium | 5.3 | CVE-2024-26144 | |

Release Notes

rails/rails (rails)

### [`v6.1.7.7`](https://togithub.com/rails/rails/releases/tag/v6.1.7.7): 6.1.7.7

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.7.6...v6.1.7.7)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- No changes.

#### Action Pack
- No changes.

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- Disables the session in `ActiveStorage::Blobs::ProxyController` and `ActiveStorage::Representations::ProxyController` in order to allow caching by default in some CDNs as CloudFlare

  Fixes [#44136](https://togithub.com/rails/rails/issues/44136)

  *Bruno Prieto*

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.7.6`](https://togithub.com/rails/rails/releases/tag/v6.1.7.6)

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.7.5...v6.1.7.6)

No changes between this and 6.1.7.5. This release was just to fix file permissions in the previous release.

### [`v6.1.7.5`](https://togithub.com/rails/rails/releases/tag/v6.1.7.5): 6.1.7.5 Release

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.7.4...v6.1.7.5)

#### Active Support
- Use a temporary file for storing unencrypted files while editing \[CVE-2023-38037]

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- No changes.

#### Action Pack
- No changes.

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.7.4`](https://togithub.com/rails/rails/releases/tag/v6.1.7.4)

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.7.3...v6.1.7.4)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- No changes.
#### Action Pack
- Raise an exception if illegal characters are provided to redirect_to \[CVE-2023-28362]

  *Zack Deveau*

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.7.3`](https://togithub.com/rails/rails/releases/tag/v6.1.7.3)

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.7.2...v6.1.7.3)

#### Active Support
- Implement SafeBuffer#bytesplice \[CVE-2023-28120]

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- Ignore certain data-\* attributes in rails-ujs when element is contenteditable \[CVE-2023-23913]

#### Action Pack
- No changes.

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.7.2`](https://togithub.com/rails/rails/releases/tag/v6.1.7.2)

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.7.1...v6.1.7.2)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- No changes.

#### Action Pack
- Fix `domain: :all` for two letter TLD

  This fixes a compatibility issue introduced in our previous security release when using `domain: :all` with a two letter but single level top level domain (like `.ca`, rather than `.co.uk`).

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.
### [`v6.1.7.1`](https://togithub.com/rails/rails/releases/tag/v6.1.7.1)

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.7...v6.1.7.1)

#### Active Support
- Avoid regex backtracking in Inflector.underscore \[CVE-2023-22796]

#### Active Model
- No changes.

#### Active Record
- Make sanitize_as_sql_comment more strict

  Though this method was likely never meant to take user input, it was attempting sanitization. That sanitization could be bypassed with carefully crafted input.

  This commit makes the sanitization more robust by replacing any occurrences of "/*" or "*/" with "/ *" or "* /". It also performs a first pass to remove one surrounding comment to avoid compatibility issues for users relying on the existing removal.

  This also clarifies in the documentation of annotate that it should not be provided user input.

  \[CVE-2023-22794]

- Added integer width check to PostgreSQL::Quoting

  Given a value outside the range for a 64bit signed integer type PostgreSQL will treat the column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan.

  This behavior is configurable via ActiveRecord::Base.raise_int_wider_than\_64bit which defaults to true.

  \[CVE-2022-44566]

#### Action View
- No changes.

#### Action Pack
- Avoid regex backtracking on If-None-Match header \[CVE-2023-22795]
- Use string#split instead of regex for domain parts \[CVE-2023-22792]

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.7`](https://togithub.com/rails/rails/releases/tag/v6.1.7)

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.6.1...v6.1.7)

#### Active Support
- No changes.

#### Active Model
- No changes.
#### Active Record
- Symbol is allowed by default for YAML columns

  *Étienne Barrié*

- Fix `ActiveRecord::Store` to serialize as a regular Hash

  Previously it would serialize as an `ActiveSupport::HashWithIndifferentAccess` which is wasteful and causes problems with YAML safe_load.

  *Jean Boussier*

- Fix PG.connect keyword arguments deprecation warning on ruby 2.7

  Fixes [#44307](https://togithub.com/rails/rails/issues/44307).

  *Nikita Vasilevsky*

#### Action View
- No changes.

#### Action Pack
- No changes.

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- Respect Active Record's primary_key_type in Active Storage migrations. Backported from 7.0.

  *fatkodima*

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.6.1`](https://togithub.com/rails/rails/releases/tag/v6.1.6.1): 6.1.6.1

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.6...v6.1.6.1)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- Change ActiveRecord::Coders::YAMLColumn default to safe_load

  This adds two new configuration options. The configuration options are as follows:

  - `config.active_storage.use_yaml_unsafe_load`

    When set to true, this configuration option tells Rails to use the old "unsafe" YAML loading strategy, maintaining the existing behavior but leaving the possible escalation vulnerability in place. Setting this option to true is *not* recommended, but can aid in upgrading.

  - `config.active_record.yaml_column_permitted_classes`

    The "safe YAML" loading method does not allow all classes to be deserialized by default. This option allows you to specify classes deemed "safe" in your application.
    For example, if your application uses Symbol and Time in serialized data, you can add Symbol and Time to the allowed list as follows:

    ```ruby
    config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
    ```

  \[CVE-2022-32224]

#### Action View
- No changes.

#### Action Pack
- No changes.

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.6`](https://togithub.com/rails/rails/releases/tag/v6.1.6): 6.1.6

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.5.1...v6.1.6)

#### Active Support
- Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.

  Add the method `ERB::Util.xml_name_escape` to escape dangerous characters in names of tags and names of attributes, following the specification of XML.

  *Álvaro Martín Fraguas*

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.

  Escape dangerous characters in names of tags and names of attributes in the tag helpers, following the XML specification. Rename the option `:escape_attributes` to `:escape`, to simplify by applying the option to the whole tag.

  *Álvaro Martín Fraguas*

#### Action Pack
- Allow Content Security Policy DSL to generate for API responses.

  *Tim Wade*

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.5.1`](https://togithub.com/rails/rails/releases/tag/v6.1.5.1): 6.1.5.1

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.5...v6.1.5.1)

#### Active Support
- Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
  Add the method `ERB::Util.xml_name_escape` to escape dangerous characters in names of tags and names of attributes, following the specification of XML.

  *Álvaro Martín Fraguas*

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.

  Escape dangerous characters in names of tags and names of attributes in the tag helpers, following the XML specification. Rename the option `:escape_attributes` to `:escape`, to simplify by applying the option to the whole tag.

  *Álvaro Martín Fraguas*

#### Action Pack
- Allow Content Security Policy DSL to generate for API responses.

  *Tim Wade*

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Railties
- No changes.

### [`v6.1.5`](https://togithub.com/rails/rails/releases/tag/v6.1.5): 6.1.5

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.4.7...v6.1.5)

#### Active Support
- Fix `ActiveSupport::Duration.build` to support negative values.

  The algorithm to collect the `parts` of the `ActiveSupport::Duration` ignored the sign of the `value` and accumulated incorrect part values. This impacted `ActiveSupport::Duration#sum` (which is dependent on `parts`) but not `ActiveSupport::Duration#eql?` (which is dependent on `value`).

  *Caleb Buxton*, *Braden Staudacher*

- `Time#change` and methods that call it (eg. `Time#advance`) will now return a `Time` with the timezone argument provided, if the caller was initialized with a timezone argument.

  Fixes [#42467](https://togithub.com/rails/rails/issues/42467).

  *Alex Ghiculescu*

- Clone to keep extended Logger methods for tagged logger.

  *Orhan Toy*

- `assert_changes` works on including `ActiveSupport::Assertions` module.
  *Pedro Medeiros*

#### Active Model
- Clear secure password cache if password is set to `nil`

  Before:

  ```ruby
  user.password = 'something'
  user.password = nil
  user.password # => 'something'
  ```

  Now:

  ```ruby
  user.password = 'something'
  user.password = nil
  user.password # => nil
  ```

  *Markus Doits*

- Fix delegation in `ActiveModel::Type::Registry#lookup` and `ActiveModel::Type.lookup`

  Passing a last positional argument `{}` would be incorrectly considered as keyword argument.

  *Benoit Daloze*

- Fix `to_json` after `changes_applied` for `ActiveModel::Dirty` object.

  *Ryuta Kamizono*

#### Active Record
- Fix `ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate` for Ruby 2.6.

  Ruby 2.6 and 2.7 have slightly different implementations of the `String#@-` method. In Ruby 2.6, the receiver of the `String#@-` method is modified under certain circumstances. This was later identified as a bug (https://bugs.ruby-lang.org/issues/15926) and only fixed in Ruby 2.7.

  Before the changes in this commit, the `ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate` method, which internally calls the `String#@-` method, could also modify an input string argument in Ruby 2.6 -- changing a tainted, unfrozen string into a tainted, frozen string.

  Fixes [#43056](https://togithub.com/rails/rails/issues/43056)

  *Eric O'Hanlon*

- Fix migration compatibility to create SQLite references/belongs_to column as integer when migration version is 6.0.

  `reference`/`belongs_to` in migrations with version 6.0 were creating columns as bigint instead of integer for the SQLite Adapter.

  *Marcelo Lauxen*

- Fix dbconsole for 3-tier config.

  *Eileen M. Uchitelle*

- Better handle SQL queries with invalid encoding.

  ```ruby
  Post.create(name: "broken \xC8 UTF-8")
  ```

  Would cause all adapters to fail in a non controlled way in the code responsible to detect write queries.
  The query is now properly passed to the database connection, which might or might not be able to handle it, but will either succeed or fail in a more correct way.

  *Jean Boussier*

- Ignore persisted in-memory records when merging target lists.

  *Kevin Sjöberg*

- Fix regression bug that caused ignoring additional conditions for preloading `has_many` through relations.

  Fixes [#43132](https://togithub.com/rails/rails/issues/43132)

  *Alexander Pauly*

- Fix `ActiveRecord::InternalMetadata` to not be broken by `config.active_record.record_timestamps = false`

  Since the model always creates the timestamp columns, it has to set them, otherwise it breaks various DB management tasks.

  Fixes [#42983](https://togithub.com/rails/rails/issues/42983)

  *Jean Boussier*

- Fix duplicate active record objects on `inverse_of`.

  *Justin Carvalho*

- Fix duplicate objects stored in has many association after save.

  Fixes [#42549](https://togithub.com/rails/rails/issues/42549).

  *Alex Ghiculescu*

- Fix performance regression in `CollectionAssocation#build`.

  *Alex Ghiculescu*

- Fix retrieving default value for text column for MariaDB.

  *fatkodima*

#### Action View
- `preload_link_tag` properly inserts `as` attributes for files with `image` MIME types, such as JPG or SVG.

  *Nate Berkopec*

- Add `autocomplete="off"` to all generated hidden fields.

  Fixes [#42610](https://togithub.com/rails/rails/issues/42610).

  *Ryan Baumann*

- Fix `current_page?` when URL has trailing slash.

  This fixes the `current_page?` helper when the given URL has a trailing slash, and is an absolute URL or also has query params.

  Fixes [#33956](https://togithub.com/rails/rails/issues/33956).

  *Jonathan Hefner*

#### Action Pack
- Fix `content_security_policy` returning invalid directives.

  Directives such as `self`, `unsafe-eval` and few others were not single quoted when the directive was the result of calling a lambda returning an array.
  ```ruby
  content_security_policy do |policy|
    policy.frame_ancestors lambda { [:self, "https://example.com"] }
  end
  ```

  With this fix the policy generated from above will now be valid.

  *Edouard Chin*

- Update `HostAuthorization` middleware to render debug info only when `config.consider_all_requests_local` is set to true.

  Also, blocked host info is always logged with level `error`.

  Fixes [#42813](https://togithub.com/rails/rails/issues/42813).

  *Nikita Vyrko*

- Dup arrays that get "converted".

  Fixes [#43681](https://togithub.com/rails/rails/issues/43681).

  *Aaron Patterson*

- Don't show deprecation warning for equal paths.

  *Anton Rieder*

- Fix crash in `ActionController::Instrumentation` with invalid HTTP formats.

  Fixes [#43094](https://togithub.com/rails/rails/issues/43094).

  *Alex Ghiculescu*

- Add fallback host for SystemTestCase driven by RackTest.

  Fixes [#42780](https://togithub.com/rails/rails/issues/42780).

  *Petrik de Heus*

- Add more detail about what hosts are allowed.

  *Alex Ghiculescu*

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- The Action Cable client now ensures successful channel subscriptions:

  - The client maintains a set of pending subscriptions until either the server confirms the subscription or the channel is torn down.
  - Rectifies the race condition where an unsubscribe is rapidly followed by a subscribe (on the same channel identifier) and the requests are handled out of order by the ActionCable server, thereby ignoring the subscribe command.

  *Daniel Spinosa*

- Truncate broadcast logging messages.

  *J Smith*

#### Active Storage
- Attachments can be deleted after their association is no longer defined.

  Fixes [#42514](https://togithub.com/rails/rails/issues/42514)

  *Don Sisco*

#### Action Mailbox
- Add `attachments` to the list of permitted parameters for inbound emails conductor.
  When using the conductor to test inbound emails with attachments, this prevents an unpermitted parameter warning in default configurations, and prevents errors for applications that set:

  ```ruby
  config.action_controller.action_on_unpermitted_parameters = :raise
  ```

  *David Jones*, *Dana Henke*

#### Action Text
- Fix Action Text extra trix content wrapper.

  *Alexandre Ruban*

#### Railties
- In `zeitwerk` mode, setup the `once` autoloader first, and the `main` autoloader after it. This order plays better with shared namespaces.

  *Xavier Noria*

- Handle paths with spaces when editing credentials.

  *Alex Ghiculescu*

- Support Psych 4 when loading secrets.

  *Nat Morcos*

### [`v6.1.4.7`](https://togithub.com/rails/rails/releases/tag/v6.1.4.7): 6.1.4.7

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.4.6...v6.1.4.7)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- No changes.

#### Action Pack
- No changes.

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- Added image transformation validation via configurable allow-list.

  Variant now offers a configurable allow-list for transformation methods in addition to a configurable deny-list for arguments.

  \[CVE-2022-21831]

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.4.6`](https://togithub.com/rails/rails/releases/tag/v6.1.4.6): 6.1.4.6

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.4.5...v6.1.4.6)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- No changes.

#### Action Pack
- Fix Reloader method signature to work with the new Executor signature

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.
#### Railties
- No changes.

### [`v6.1.4.5`](https://togithub.com/rails/rails/releases/tag/v6.1.4.5): 6.1.4.5

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.4.4...v6.1.4.5)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- No changes.

#### Action Pack
- Under certain circumstances, the middleware isn't informed that the response body has been fully closed which results in request state not being fully reset before the next request

  \[CVE-2022-23633]

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.4.4`](https://togithub.com/rails/rails/releases/tag/v6.1.4.4): 6.1.4.4

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.4.3...v6.1.4.4)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- No changes.

#### Action Pack
- Fix issue with host protection not allowing host with port in development.

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.4.3`](https://togithub.com/rails/rails/releases/tag/v6.1.4.3): 6.1.4.3

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.4.2...v6.1.4.3)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- No changes.

#### Action Pack
- No changes.

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.
#### Railties
- Allow localhost with a port by default in development

  \[Fixes: [#43864](https://togithub.com/rails/rails/issues/43864)]

### [`v6.1.4.2`](https://togithub.com/rails/rails/releases/tag/v6.1.4.2): 6.1.4.2

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.4.1...v6.1.4.2)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- No changes.

#### Action Pack
- Fix X_FORWARDED_HOST protection. \[CVE-2021-44528]

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.4.1`](https://togithub.com/rails/rails/compare/v6.1.4...v6.1.4.1)

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.4...v6.1.4.1)

### [`v6.1.4`](https://togithub.com/rails/rails/releases/tag/v6.1.4): 6.1.4

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.3.2...v6.1.4)

#### Active Support
- MemCacheStore: convert any underlying value (including `false`) to an `Entry`.

  See [#42559](https://togithub.com/rails/rails/pull/42559).

  *Alex Ghiculescu*

- Fix bug in `number_with_precision` when using large `BigDecimal` values.

  Fixes [#42302](https://togithub.com/rails/rails/issues/42302).

  *Federico Aldunate*, *Zachary Scott*

- Check byte size instead of length on `secure_compare`.

  *Tietew*

- Fix `Time.at` to not lose `:in` option.

  *Ryuta Kamizono*

- Require a path for `config.cache_store = :file_store`.

  *Alex Ghiculescu*

- Avoid having to store complex object in the default translation file.

  *Rafael Mendonça França*

#### Active Model
- Fix `to_json` for `ActiveModel::Dirty` object.

  Exclude +mutations_from_database+ attribute from json as it leads to recursion.

  *Anil Maurya*

#### Active Record
- Do not try to rollback transactions that failed due to a `ActiveRecord::TransactionRollbackError`.
  *Jamie McCarthy*

- Raise an error if `pool_config` is `nil` in `set_pool_config`.

  *Eileen M. Uchitelle*

- Fix compatibility with `psych >= 4`.

  Starting in Psych 4.0.0 `YAML.load` behaves like `YAML.safe_load`. To preserve compatibility Active Record's schema cache loader and `YAMLColumn` now use `YAML.unsafe_load` if available.

  *Jean Boussier*

- Support using replicas when using `rails dbconsole`.

  *Christopher Thornton*

- Restore connection pools after transactional tests.

  *Eugene Kenny*

- Change `upsert_all` to fail cleanly for MySQL when `:unique_by` is used.

  *Bastian Bartmann*

- Fix user-defined `self.default_scope` to respect table alias.

  *Ryuta Kamizono*

- Clear `@cache_keys` cache after `update_all`, `delete_all`, `destroy_all`.

  *Ryuta Kamizono*

- Changed Arel predications `contains` and `overlaps` to use `quoted_node` so that PostgreSQL arrays are quoted properly.

  *Bradley Priest*

- Fix `merge` when the `where` clauses have string contents.

  *Ryuta Kamizono*

- Fix rollback of parent destruction with nested `dependent: :destroy`.

  *Jacopo Beschi*

- Fix binds logging for `"WHERE ... IN ..."` statements.

  *Ricardo Díaz*

- Handle `false` in relation strict loading checks.

  Previously when a model had strict loading set to true and then had a relation set `strict_loading` to false the false wasn't considered when deciding whether to raise/warn about strict loading.

  ```ruby
  class Dog < ActiveRecord::Base
    self.strict_loading_by_default = true

    has_many :treats, strict_loading: false
  end
  ```

  In the example, `dog.treats` would still raise even though `strict_loading` was set to false. This is a bug affecting more than Active Storage which is why I made this PR superseding [#41461](https://togithub.com/rails/rails/issues/41461). We need to fix this for all applications since the behavior is a little surprising.
  I took the test from [#41461](https://togithub.com/rails/rails/issues/41461) and the code suggestion from [#41453](https://togithub.com/rails/rails/issues/41453) with some additions.

  *Eileen M. Uchitelle*, *Radamés Roriz*

- Fix numericality validator without precision.

  *Ryuta Kamizono*

- Fix aggregate attribute on Enum types.

  *Ryuta Kamizono*

- Fix `CREATE INDEX` statement generation for PostgreSQL.

  *eltongo*

- Fix where clause on enum attribute when providing array of strings.

  *Ryuta Kamizono*

- Fix `unprepared_statement` to work when nesting.

  *Ryuta Kamizono*

#### Action View
- The `translate` helper now passes `default` values that aren't translation keys through `I18n.translate` for interpolation.

  *Jonathan Hefner*

- Don't attach UJS form submission handlers to Turbo forms.

  *David Heinemeier Hansson*

- Allow both `current_page?(url_hash)` and `current_page?(**url_hash)` on Ruby 2.7.

  *Ryuta Kamizono*

#### Action Pack
- Ignore file fixtures on `db:fixtures:load`

  *Kevin Sjöberg*

- Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.

  *Dylan Thacker-Smith*

- Correctly place optional path parameter booleans.

  Previously, if you specify a url parameter that is part of the path as false it would include that part of the path as parameter, for example:

  ```ruby
  get "(/optional/:optional_id)/things" => "foo#foo", as: :things
  things_path(optional_id: false) # => /things?optional_id=false
  ```

  After this change, true and false will be treated the same when used as optional path parameters. Meaning now:

  ```ruby
  get '(this/:my_bool)/that', as: :that
  that_path(my_bool: true) # => `/this/true/that`
  that_path(my_bool: false) # => `/this/false/that`
  ```

  *Adam Hess*

- Add support for 'private, no-store' Cache-Control headers.

  Previously, 'no-store' was exclusive; no other directives could be specified.

  *Alex Smith*

#### Active Job
- No changes.

#### Action Mailer
- No changes.
#### Action Cable
- Fix `ArgumentError` with ruby 3.0 on `RemoteConnection#disconnect`.

  *Vladislav*

#### Active Storage
- The parameters sent to `ffmpeg` for generating a video preview image are now configurable under `config.active_storage.video_preview_arguments`.

  *Brendon Muir*

- Fix Active Storage update task when running in an engine.

  *Justin Malčić*

- Don't raise an error if the mime type is not recognized.

  Fixes [#41777](https://togithub.com/rails/rails/issues/41777).

  *Alex Ghiculescu*

- `ActiveStorage::PreviewError` is raised when a previewer is unable to generate a preview image.

  *Alex Robbin*

- respond with 404 given invalid variation key when asking for representations.

  *George Claghorn*

- `Blob` creation shouldn't crash if no service selected.

  *Alex Ghiculescu*

#### Action Mailbox
- No changes.

#### Action Text
- Always render attachment partials as HTML with `:html` format inside trix editor.

  *James Brooks*

#### Railties
- Fix compatibility with `psych >= 4`.

  Starting in Psych 4.0.0 `YAML.load` behaves like `YAML.safe_load`. To preserve compatibility `Rails.application.config_for` now uses `YAML.unsafe_load` if available.

  *Jean Boussier*

- Ensure `Rails.application.config_for` always cast hashes to `ActiveSupport::OrderedOptions`.

  *Jean Boussier*

- Fix create migration generator with `--pretend` option.

  *euxx*