Nexmo / ruby-2fa

Two Factor Authentication with Nexmo Verify
https://developer.nexmo.com/tutorials/two-factor-authentication
MIT License

Update dependency rails to v6 (main) #20

Open mend-for-github-com[bot] opened 6 months ago

mend-for-github-com[bot] commented 6 months ago

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| rails (source, changelog) | major | '~> 5.0.0' -> '~> 6.1.0' |

By merging this PR, the issue #13 will be automatically resolved and closed:

| Severity | CVSS Score | CVE | Reachability |
|---|---|---|---|
| High | 7.5 | CVE-2021-22880 | |
| Medium | 6.5 | CVE-2010-3299 | |
| Medium | 6.5 | CVE-2020-8167 | |
| Medium | 6.1 | CVE-2023-28120 | |

Release Notes

rails/rails (rails)

### [`v6.1.7.3`](https://redirect.github.com/rails/rails/releases/tag/v6.1.7.3)

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.1.7.2...v6.1.7.3)

#### Active Support
- Implement SafeBuffer#bytesplice \[CVE-2023-28120]

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- Ignore certain data-\* attributes in rails-ujs when element is contenteditable \[CVE-2023-23913]

#### Action Pack
- No changes.

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.7.2`](https://redirect.github.com/rails/rails/releases/tag/v6.1.7.2)

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.1.7.1...v6.1.7.2)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- No changes.

#### Action Pack
- Fix `domain: :all` for two letter TLD

    This fixes a compatibility issue introduced in our previous security release when using `domain: :all` with a two letter but single level top level domain (like `.ca`, rather than `.co.uk`).

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.7.1`](https://redirect.github.com/rails/rails/releases/tag/v6.1.7.1)

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.1.7...v6.1.7.1)

#### Active Support
- Avoid regex backtracking in Inflector.underscore \[CVE-2023-22796]

#### Active Model
- No changes.

#### Active Record
- Make sanitize_as_sql_comment more strict

    Though this method was likely never meant to take user input, it was attempting sanitization. That sanitization could be bypassed with carefully crafted input.

    This commit makes the sanitization more robust by replacing any occurrences of "/*" or "*/" with "/ *" or "* /". It also performs a first pass to remove one surrounding comment to avoid compatibility issues for users relying on the existing removal.

    This also clarifies in the documentation of annotate that it should not be provided user input.

    \[CVE-2023-22794]

- Added integer width check to PostgreSQL::Quoting

    Given a value outside the range for a 64bit signed integer type PostgreSQL will treat the column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan.

    This behavior is configurable via ActiveRecord::Base.raise_int_wider_than\_64bit which defaults to true.

    \[CVE-2022-44566]

#### Action View
- No changes.

#### Action Pack
- Avoid regex backtracking on If-None-Match header \[CVE-2023-22795]
- Use string#split instead of regex for domain parts \[CVE-2023-22792]

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.7`](https://redirect.github.com/rails/rails/releases/tag/v6.1.7)

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.1.6.1...v6.1.7)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- Symbol is allowed by default for YAML columns

    *Étienne Barrié*

- Fix `ActiveRecord::Store` to serialize as a regular Hash

    Previously it would serialize as an `ActiveSupport::HashWithIndifferentAccess` which is wasteful and cause problem with YAML safe_load.

    *Jean Boussier*

- Fix PG.connect keyword arguments deprecation warning on ruby 2.7

    Fixes [#44307](https://redirect.github.com/rails/rails/issues/44307).

    *Nikita Vasilevsky*

#### Action View
- No changes.

#### Action Pack
- No changes.

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.
#### Active Storage
- Respect Active Record's primary_key_type in Active Storage migrations. Backported from 7.0.

    *fatkodima*

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.6.1`](https://redirect.github.com/rails/rails/releases/tag/v6.1.6.1): 6.1.6.1

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.1.6...v6.1.6.1)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- Change ActiveRecord::Coders::YAMLColumn default to safe_load

    This adds two new configuration options. The configuration options are as follows:

    - `config.active_storage.use_yaml_unsafe_load`

        When set to true, this configuration option tells Rails to use the old "unsafe" YAML loading strategy, maintaining the existing behavior but leaving the possible escalation vulnerability in place. Setting this option to true is *not* recommended, but can aid in upgrading.

    - `config.active_record.yaml_column_permitted_classes`

        The "safe YAML" loading method does not allow all classes to be deserialized by default. This option allows you to specify classes deemed "safe" in your application. For example, if your application uses Symbol and Time in serialized data, you can add Symbol and Time to the allowed list as follows:

        ```ruby
        config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
        ```

    \[CVE-2022-32224]

#### Action View
- No changes.

#### Action Pack
- No changes.

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.6`](https://redirect.github.com/rails/rails/releases/tag/v6.1.6): 6.1.6

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.1.5.1...v6.1.6)

#### Active Support
- Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.

    Add the method `ERB::Util.xml_name_escape` to escape dangerous characters in names of tags and names of attributes, following the specification of XML.

    *Álvaro Martín Fraguas*

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.

    Escape dangerous characters in names of tags and names of attributes in the tag helpers, following the XML specification. Rename the option `:escape_attributes` to `:escape`, to simplify by applying the option to the whole tag.

    *Álvaro Martín Fraguas*

#### Action Pack
- Allow Content Security Policy DSL to generate for API responses.

    *Tim Wade*

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.5.1`](https://redirect.github.com/rails/rails/releases/tag/v6.1.5.1): 6.1.5.1

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.1.5...v6.1.5.1)

#### Active Support
- Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.

    Add the method `ERB::Util.xml_name_escape` to escape dangerous characters in names of tags and names of attributes, following the specification of XML.

    *Álvaro Martín Fraguas*

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.

    Escape dangerous characters in names of tags and names of attributes in the tag helpers, following the XML specification. Rename the option `:escape_attributes` to `:escape`, to simplify by applying the option to the whole tag.

    *Álvaro Martín Fraguas*

#### Action Pack
- Allow Content Security Policy DSL to generate for API responses.

    *Tim Wade*

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.
#### Railties
- No changes.

### [`v6.1.5`](https://redirect.github.com/rails/rails/releases/tag/v6.1.5): 6.1.5

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.1.4.7...v6.1.5)

#### Active Support
- Fix `ActiveSupport::Duration.build` to support negative values.

    The algorithm to collect the `parts` of the `ActiveSupport::Duration` ignored the sign of the `value` and accumulated incorrect part values. This impacted `ActiveSupport::Duration#sum` (which is dependent on `parts`) but not `ActiveSupport::Duration#eql?` (which is dependent on `value`).

    *Caleb Buxton*, *Braden Staudacher*

- `Time#change` and methods that call it (eg. `Time#advance`) will now return a `Time` with the timezone argument provided, if the caller was initialized with a timezone argument.

    Fixes [#42467](https://redirect.github.com/rails/rails/issues/42467).

    *Alex Ghiculescu*

- Clone to keep extended Logger methods for tagged logger.

    *Orhan Toy*

- `assert_changes` works on including `ActiveSupport::Assertions` module.

    *Pedro Medeiros*

#### Active Model
- Clear secure password cache if password is set to `nil`

    Before:

    ```ruby
    user.password = 'something'
    user.password = nil
    user.password # => 'something'
    ```

    Now:

    ```ruby
    user.password = 'something'
    user.password = nil
    user.password # => nil
    ```

    *Markus Doits*

- Fix delegation in `ActiveModel::Type::Registry#lookup` and `ActiveModel::Type.lookup`

    Passing a last positional argument `{}` would be incorrectly considered as keyword argument.

    *Benoit Daloze*

- Fix `to_json` after `changes_applied` for `ActiveModel::Dirty` object.

    *Ryuta Kamizono*

#### Active Record
- Fix `ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate` for Ruby 2.6.

    Ruby 2.6 and 2.7 have slightly different implementations of the `String#@-` method. In Ruby 2.6, the receiver of the `String#@-` method is modified under certain circumstances. This was later identified as a bug (https://bugs.ruby-lang.org/issues/15926) and only fixed in Ruby 2.7.

    Before the changes in this commit, the `ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate` method, which internally calls the `String#@-` method, could also modify an input string argument in Ruby 2.6 -- changing a tainted, unfrozen string into a tainted, frozen string.

    Fixes [#43056](https://redirect.github.com/rails/rails/issues/43056)

    *Eric O'Hanlon*

- Fix migration compatibility to create SQLite references/belongs_to column as integer when migration version is 6.0.

    `reference`/`belongs_to` in migrations with version 6.0 were creating columns as bigint instead of integer for the SQLite Adapter.

    *Marcelo Lauxen*

- Fix dbconsole for 3-tier config.

    *Eileen M. Uchitelle*

- Better handle SQL queries with invalid encoding.

    ```ruby
    Post.create(name: "broken \xC8 UTF-8")
    ```

    Would cause all adapters to fail in a non controlled way in the code responsible to detect write queries.

    The query is now properly passed to the database connection, which might or might not be able to handle it, but will either succeed or fail in a more correct way.

    *Jean Boussier*

- Ignore persisted in-memory records when merging target lists.

    *Kevin Sjöberg*

- Fix regression bug that caused ignoring additional conditions for preloading `has_many` through relations.

    Fixes [#43132](https://redirect.github.com/rails/rails/issues/43132)

    *Alexander Pauly*

- Fix `ActiveRecord::InternalMetadata` to not be broken by `config.active_record.record_timestamps = false`

    Since the model always creates the timestamp columns, it has to set them, otherwise it breaks various DB management tasks.

    Fixes [#42983](https://redirect.github.com/rails/rails/issues/42983)

    *Jean Boussier*

- Fix duplicate active record objects on `inverse_of`.

    *Justin Carvalho*

- Fix duplicate objects stored in has many association after save.

    Fixes [#42549](https://redirect.github.com/rails/rails/issues/42549).

    *Alex Ghiculescu*

- Fix performance regression in `CollectionAssocation#build`.

    *Alex Ghiculescu*

- Fix retrieving default value for text column for MariaDB.

    *fatkodima*

#### Action View
- `preload_link_tag` properly inserts `as` attributes for files with `image` MIME types, such as JPG or SVG.

    *Nate Berkopec*

- Add `autocomplete="off"` to all generated hidden fields.

    Fixes [#42610](https://redirect.github.com/rails/rails/issues/42610).

    *Ryan Baumann*

- Fix `current_page?` when URL has trailing slash.

    This fixes the `current_page?` helper when the given URL has a trailing slash, and is an absolute URL or also has query params.

    Fixes [#33956](https://redirect.github.com/rails/rails/issues/33956).

    *Jonathan Hefner*

#### Action Pack
- Fix `content_security_policy` returning invalid directives.

    Directives such as `self`, `unsafe-eval` and few others were not single quoted when the directive was the result of calling a lambda returning an array.

    ```ruby
    content_security_policy do |policy|
      policy.frame_ancestors lambda { [:self, "https://example.com"] }
    end
    ```

    With this fix the policy generated from above will now be valid.

    *Edouard Chin*

- Update `HostAuthorization` middleware to render debug info only when `config.consider_all_requests_local` is set to true.

    Also, blocked host info is always logged with level `error`.

    Fixes [#42813](https://redirect.github.com/rails/rails/issues/42813).

    *Nikita Vyrko*

- Dup arrays that get "converted".

    Fixes [#43681](https://redirect.github.com/rails/rails/issues/43681).

    *Aaron Patterson*

- Don't show deprecation warning for equal paths.

    *Anton Rieder*

- Fix crash in `ActionController::Instrumentation` with invalid HTTP formats.

    Fixes [#43094](https://redirect.github.com/rails/rails/issues/43094).

    *Alex Ghiculescu*

- Add fallback host for SystemTestCase driven by RackTest.

    Fixes [#42780](https://redirect.github.com/rails/rails/issues/42780).

    *Petrik de Heus*

- Add more detail about what hosts are allowed.

    *Alex Ghiculescu*

#### Active Job
- No changes.

#### Action Mailer
- No changes.
#### Action Cable
- The Action Cable client now ensures successful channel subscriptions:

    - The client maintains a set of pending subscriptions until either the server confirms the subscription or the channel is torn down.
    - Rectifies the race condition where an unsubscribe is rapidly followed by a subscribe (on the same channel identifier) and the requests are handled out of order by the ActionCable server, thereby ignoring the subscribe command.

    *Daniel Spinosa*

- Truncate broadcast logging messages.

    *J Smith*

#### Active Storage
- Attachments can be deleted after their association is no longer defined.

    Fixes [#42514](https://redirect.github.com/rails/rails/issues/42514)

    *Don Sisco*

#### Action Mailbox
- Add `attachments` to the list of permitted parameters for inbound emails conductor.

    When using the conductor to test inbound emails with attachments, this prevents an unpermitted parameter warning in default configurations, and prevents errors for applications that set:

    ```ruby
    config.action_controller.action_on_unpermitted_parameters = :raise
    ```

    *David Jones*, *Dana Henke*

#### Action Text
- Fix Action Text extra trix content wrapper.

    *Alexandre Ruban*

#### Railties
- In `zeitwerk` mode, setup the `once` autoloader first, and the `main` autoloader after it. This order plays better with shared namespaces.

    *Xavier Noria*

- Handle paths with spaces when editing credentials.

    *Alex Ghiculescu*

- Support Psych 4 when loading secrets.

    *Nat Morcos*

### [`v6.1.4.7`](https://redirect.github.com/rails/rails/releases/tag/v6.1.4.7): 6.1.4.7

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.1.4.6...v6.1.4.7)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- No changes.

#### Action Pack
- No changes.

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- Added image transformation validation via configurable allow-list.

    Variant now offers a configurable allow-list for transformation methods in addition to a configurable deny-list for arguments.

    \[CVE-2022-21831]

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.4.6`](https://redirect.github.com/rails/rails/releases/tag/v6.1.4.6): 6.1.4.6

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.1.4.5...v6.1.4.6)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- No changes.

#### Action Pack
- Fix Reloader method signature to work with the new Executor signature

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.4.5`](https://redirect.github.com/rails/rails/releases/tag/v6.1.4.5): 6.1.4.5

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.1.4.4...v6.1.4.5)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- No changes.

#### Action Pack
- Under certain circumstances, the middleware isn't informed that the response body has been fully closed which results in request state not being fully reset before the next request

    \[CVE-2022-23633]

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.4.4`](https://redirect.github.com/rails/rails/releases/tag/v6.1.4.4): 6.1.4.4

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.1.4.3...v6.1.4.4)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- No changes.

#### Action Pack
- Fix issue with host protection not allowing host with port in development.
#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.4.3`](https://redirect.github.com/rails/rails/releases/tag/v6.1.4.3): 6.1.4.3

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.1.4.2...v6.1.4.3)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- No changes.

#### Action Pack
- No changes.

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- Allow localhost with a port by default in development

    \[Fixes: [#43864](https://redirect.github.com/rails/rails/issues/43864)]

### [`v6.1.4.2`](https://redirect.github.com/rails/rails/releases/tag/v6.1.4.2): 6.1.4.2

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.1.4.1...v6.1.4.2)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- No changes.

#### Action Pack
- Fix X_FORWARDED_HOST protection. \[CVE-2021-44528]

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.4.1`](https://redirect.github.com/rails/rails/compare/v6.1.4...v6.1.4.1)

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.1.4...v6.1.4.1)

### [`v6.1.4`](https://redirect.github.com/rails/rails/releases/tag/v6.1.4): 6.1.4

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.1.3.2...v6.1.4)

#### Active Support
- MemCacheStore: convert any underlying value (including `false`) to an `Entry`.

    See [#42559](https://redirect.github.com/rails/rails/pull/42559).

    *Alex Ghiculescu*

- Fix bug in `number_with_precision` when using large `BigDecimal` values.

    Fixes [#42302](https://redirect.github.com/rails/rails/issues/42302).

    *Federico Aldunate*, *Zachary Scott*

- Check byte size instead of length on `secure_compare`.

    *Tietew*

- Fix `Time.at` to not lose `:in` option.

    *Ryuta Kamizono*

- Require a path for `config.cache_store = :file_store`.

    *Alex Ghiculescu*

- Avoid having to store complex object in the default translation file.

    *Rafael Mendonça França*

#### Active Model
- Fix `to_json` for `ActiveModel::Dirty` object.

    Exclude +mutations_from_database+ attribute from json as it leads to recursion.

    *Anil Maurya*

#### Active Record
- Do not try to rollback transactions that failed due to a `ActiveRecord::TransactionRollbackError`.

    *Jamie McCarthy*

- Raise an error if `pool_config` is `nil` in `set_pool_config`.

    *Eileen M. Uchitelle*

- Fix compatibility with `psych >= 4`.

    Starting in Psych 4.0.0 `YAML.load` behaves like `YAML.safe_load`. To preserve compatibility Active Record's schema cache loader and `YAMLColumn` now uses `YAML.unsafe_load` if available.

    *Jean Boussier*

- Support using replicas when using `rails dbconsole`.

    *Christopher Thornton*

- Restore connection pools after transactional tests.

    *Eugene Kenny*

- Change `upsert_all` to fail cleanly for MySQL when `:unique_by` is used.

    *Bastian Bartmann*

- Fix user-defined `self.default_scope` to respect table alias.

    *Ryuta Kamizono*

- Clear `@cache_keys` cache after `update_all`, `delete_all`, `destroy_all`.

    *Ryuta Kamizono*

- Changed Arel predications `contains` and `overlaps` to use `quoted_node` so that PostgreSQL arrays are quoted properly.

    *Bradley Priest*

- Fix `merge` when the `where` clauses have string contents.

    *Ryuta Kamizono*

- Fix rollback of parent destruction with nested `dependent: :destroy`.

    *Jacopo Beschi*

- Fix binds logging for `"WHERE ... IN ..."` statements.

    *Ricardo Díaz*

- Handle `false` in relation strict loading checks.

    Previously when a model had strict loading set to true and then had a relation set `strict_loading` to false the false wasn't considered when deciding whether to raise/warn about strict loading.

    ```ruby
    class Dog < ActiveRecord::Base
      self.strict_loading_by_default = true

      has_many :treats, strict_loading: false
    end
    ```

    In the example, `dog.treats` would still raise even though `strict_loading` was set to false. This is a bug affecting more than Active Storage which is why I made this PR superseding [#41461](https://redirect.github.com/rails/rails/issues/41461). We need to fix this for all applications since the behavior is a little surprising. I took the test from [#41461](https://redirect.github.com/rails/rails/issues/41461) and the code suggestion from [#41453](https://redirect.github.com/rails/rails/issues/41453) with some additions.

    *Eileen M. Uchitelle*, *Radamés Roriz*

- Fix numericality validator without precision.

    *Ryuta Kamizono*

- Fix aggregate attribute on Enum types.

    *Ryuta Kamizono*

- Fix `CREATE INDEX` statement generation for PostgreSQL.

    *eltongo*

- Fix where clause on enum attribute when providing array of strings.

    *Ryuta Kamizono*

- Fix `unprepared_statement` to work it when nesting.

    *Ryuta Kamizono*

#### Action View
- The `translate` helper now passes `default` values that aren't translation keys through `I18n.translate` for interpolation.

    *Jonathan Hefner*

- Don't attach UJS form submission handlers to Turbo forms.

    *David Heinemeier Hansson*

- Allow both `current_page?(url_hash)` and `current_page?(**url_hash)` on Ruby 2.7.

    *Ryuta Kamizono*

#### Action Pack
- Ignore file fixtures on `db:fixtures:load`

    *Kevin Sjöberg*

- Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.

    *Dylan Thacker-Smith*

- Correctly place optional path parameter booleans.

    Previously, if you specify a url parameter that is part of the path as false it would include that part of the path as parameter for example:

    ```ruby
    get "(/optional/:optional_id)/things" => "foo#foo", as: :things
    things_path(optional_id: false) # => /things?optional_id=false
    ```

    After this change, true and false will be treated the same when used as optional path parameters. Meaning now:

    ```ruby
    get '(this/:my_bool)/that', as: :that

    that_path(my_bool: true) # => `/this/true/that`
    that_path(my_bool: false) # => `/this/false/that`
    ```

    *Adam Hess*

- Add support for 'private, no-store' Cache-Control headers.

    Previously, 'no-store' was exclusive; no other directives could be specified.

    *Alex Smith*

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- Fix `ArgumentError` with ruby 3.0 on `RemoteConnection#disconnect`.

    *Vladislav*

#### Active Storage
- The parameters sent to `ffmpeg` for generating a video preview image are now configurable under `config.active_storage.video_preview_arguments`.

    *Brendon Muir*

- Fix Active Storage update task when running in an engine.

    *Justin Malčić*

- Don't raise an error if the mime type is not recognized.

    Fixes [#41777](https://redirect.github.com/rails/rails/issues/41777).

    *Alex Ghiculescu*

- `ActiveStorage::PreviewError` is raised when a previewer is unable to generate a preview image.

    *Alex Robbin*

- respond with 404 given invalid variation key when asking for representations.

    *George Claghorn*

- `Blob` creation shouldn't crash if no service selected.

    *Alex Ghiculescu*

#### Action Mailbox
- No changes.

#### Action Text
- Always render attachment partials as HTML with `:html` format inside trix editor.

    *James Brooks*

#### Railties
- Fix compatibility with `psych >= 4`.

    Starting in Psych 4.0.0 `YAML.load` behaves like `YAML.safe_load`. To preserve compatibility `Rails.application.config_for` now uses `YAML.unsafe_load` if available.

    *Jean Boussier*

- Ensure `Rails.application.config_for` always cast hashes to `ActiveSupport::OrderedOptions`.

    *Jean Boussier*

- Fix create migration generator with `--pretend` option.

    *euxx*

### [`v6.1.3.2`](https://redirect.github.com/rails/rails/releases/tag/v6.1.3.2): 6.1.3.2

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.1.3.1...v6.1.3.2)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- No changes.

#### Action Pack
- Prevent open redirects by correctly escaping the host allow list CVE-2021-22903
- Prevent catastrophic backtracking during mime parsing CVE-2021-22902
- Prevent regex DoS in HTTP token authentication CVE-2021-22904
- Prevent string polymorphic route arguments.

    `url_for` supports building polymorphic URLs via an array of arguments (usually symbols and records). If a developer passes a user input array, strings can result in unwanted route helper calls.

    CVE-2021-22885

    *Gannon McGibbon*

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.3.1`](https://redirect.github.com/rails/rails/releases/tag/v6.1.3.1): 6.1.3.1

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.1.3...v6.1.3.1)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- No changes.

#### Action View
- No changes.

#### Action Pack
- No changes.

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed mime types data.

    *George Claghorn*

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.
### [`v6.1.3`](https://redirect.github.com/rails/rails/releases/tag/v6.1.3): 6.1.3

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.1.2.1...v6.1.3)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- Fix the MySQL adapter to always set the right collation and charset to the connection session.

    *Rafael Mendonça França*

- Fix MySQL adapter handling of time objects when prepared statements are enabled.

    *Rafael Mendonça França*

- Fix scoping in enum fields using conditions that would generate an `IN` clause.

    *Ryuta Kamizono*

- Skip optimised #exist? query when #include? is called on a relation with a having clause

    Relations that have aliased select values AND a having clause that references an aliased select value would generate an error when \#include? was called, due to an optimisation that would generate call #exists? on the relation instead, which effectively alters the select values of the query (and thus removes the aliased select values), but leaves the having clause intact. Because the having clause is then referencing an aliased column that is no longer present in the simplified query, an ActiveRecord::InvalidStatement error was raised.

    A sample query affected by this problem:

    ```ruby
    Author.select('COUNT(*) as total_posts', 'authors.*')
          .joins(:posts)
          .group(:id)
          .having('total_posts > 2')
          .include?(Author.first)
    ```

    This change adds an additional check to the condition that skips the simplified #exists? query, which simply checks for the presence of a having clause.

    Fixes [#41417](https://redirect.github.com/rails/rails/issues/41417)

    *Michael Smart*

- Increment postgres prepared statement counter before making a prepared statement, so if the statement is aborted without Rails knowledge (e.g., if app gets kill -9d during long-running query or due to Rack::Timeout), app won't end up in perpetual crash state for being inconsistent with Postgres.

    *wbharding*, *Martin Tepper*

#### Action View
- No changes.
#### Action Pack
- Re-define routes when not set correctly via inheritance.

    *John Hawthorn*

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.2.1`](https://redirect.github.com/rails/rails/releases/tag/v6.1.2.1): 6.1.2.1

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.1.2...v6.1.2.1)

#### Active Support
- No changes.

#### Active Model
- No changes.

#### Active Record
- Fix possible DoS vector in PostgreSQL money type

    Carefully crafted input can cause a DoS via the regular expressions used for validating the money format in the PostgreSQL adapter. This patch fixes the regexp.

    Thanks to [@dee-see](https://redirect.github.com/dee-see) from Hackerone for this patch!

    \[CVE-2021-22880]

    *Aaron Patterson*

#### Action View
- No changes.

#### Action Pack
- Prevent open redirect when allowed host starts with a dot

    \[CVE-2021-22881]

    Thanks to [@tktech](https://redirect.github.com/tktech) (https://hackerone.com/tktech) for reporting this issue and the patch!

    *Aaron Patterson*

#### Active Job
- No changes.

#### Action Mailer
- No changes.

#### Action Cable
- No changes.

#### Active Storage
- No changes.

#### Action Mailbox
- No changes.

#### Action Text
- No changes.

#### Railties
- No changes.

### [`v6.1.2`](https://redirect.github.com/rails/rails/releases/tag/v6.1.2): 6.1.2

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.1.1...v6.1.2)

#### Active Support
- `ActiveSupport::Cache::MemCacheStore` now accepts an explicit `nil` for its `addresses` argument.

    ```ruby
    config.cache_store = :mem_cache_store, nil

    # is now equivalent to

    config.cache_store = :mem_cache_store

    # and is also equivalent to

    config.cache_store = :mem_cache_store, ENV["MEMCACHE_SERVERS"] || "localhost:11211"

    # which is the fallback behavior of Dalli
    ```

    This helps those migrating from `:dalli_store`, where an explicit `nil` was permitted.

    *Michael Overmeyer*

#### Active Model
- No changes.

#### Active Record
- Fix timestamp type for sqlite3.

    *Eileen M. Uchitelle*

- Make destroy async transactional.

    An active record rollback could occur while enqueuing a job. In this case the job would enqueue even though the database deletion rolled back putting things in a funky state.

    Now the jobs are only enqueued until after the db transaction has been committed.

    *Cory Gwin*

- Fix malformed packet error in MySQL statement for connection configuration.

    *robinroestenburg*

- Connection specification now passes the "url" key as a configuration for the adapter if the "url" protocol is "jdbc", "http", or "https". Previously only urls with the "jdbc" prefix were passed to the Active Record Adapter, others are assumed to be adapter specification urls.

    Fixes [#41137](https://redirect.github.com/rails/rails/issues/41137).

    *Jonathan Bracy*

- Fix granular connection swapping when there are multiple abstract classes.

    *Eileen M. Uchitelle*

- Fix `find_by` with custom primary key for belongs_to association.

    *Ryuta Kamizono*

- Add support for `rails console --sandbox` for multiple database applications.

    *alpaca-tc*

- Fix `where` on polymorphic association with empty array.

    *Ryuta Kamizono*

- Fix preventing writes for `ApplicationRecord`.

    *Eileen M. Uchitelle*

#### Action View
- No changes.

#### Action Pack
- Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.

    *Janko Marohnić*

- Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.

    *Eugene Kenny*

#### Active Job
- No changes.

#### Action Mailer

- No changes.

#### Action Cable

- No changes.

#### Active Storage

- No changes.

#### Action Mailbox

- No changes.

#### Action Text

- No changes.

#### Railties

- No changes.

### [`v6.1.1`](https://redirect.github.com/rails/rails/releases/tag/v6.1.1): 6.1.1

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.1.0...v6.1.1)

#### Active Support

- Change `IPAddr#to_json` to match the behavior of the json gem returning the string representation instead of the instance variables of the object.

  Before:

  ```ruby
  IPAddr.new("127.0.0.1").to_json
  # => "{\"addr\":2130706433,\"family\":2,\"mask_addr\":4294967295}"
  ```

  After:

  ```ruby
  IPAddr.new("127.0.0.1").to_json
  # => "\"127.0.0.1\""
  ```

#### Active Model

- No changes.

#### Active Record

- Fix fixtures loading when strict loading is enabled for the association. *Alex Ghiculescu*

- Fix `where` with custom primary key for belongs_to association. *Ryuta Kamizono*

- Fix `where` with aliased associations. *Ryuta Kamizono*

- Fix `composed_of` with symbol mapping. *Ryuta Kamizono*

- Don't skip money's type cast for pluck and calculations. *Ryuta Kamizono*

- Fix `where` on polymorphic association with non Active Record object. *Ryuta Kamizono*

- Make sure `db:prepare` works even if the schema file doesn't exist. *Rafael Mendonça França*

- Fix complicated `has_many :through` with nested where condition. *Ryuta Kamizono*

- Handle STI models for `has_many dependent: :destroy_async`. *Muhammad Usman*

- Restore possibility of passing `false` to :polymorphic option of `belongs_to`.

  Previously, passing `false` would trigger the option validation logic to throw an error saying :polymorphic would not be a valid option.

  *glaszig*

- Allow adding nonnamed expression indexes to be revertible.

  Fixes [#40732](https://redirect.github.com/rails/rails/issues/40732).

  Previously, the following code would raise an error, when executed while rolling back, and the index name should be specified explicitly. Now, the index name is inferred automatically.

  ```ruby
  add_index(:items, "to_tsvector('english', description)")
  ```

  *fatkodima*

#### Action View

- Fix lazy translation in partial with block. *Marek Kasztelnik*

- Avoid extra `SELECT COUNT` queries when rendering Active Record collections. *aar0nr*

- Link preloading keep integrity hashes in the header. *Étienne Barrié*

- Add `config.action_view.preload_links_header` to allow disabling of the `Link` header being added by default when using `stylesheet_link_tag` and `javascript_include_tag`. *Andrew White*

- The `translate` helper now resolves `default` values when a `nil` key is specified, instead of always returning `nil`. *Jonathan Hefner*

#### Action Pack

- Fix nil translation key lookup in controllers/ *Jan Klimo*

- Quietly handle unknown HTTP methods in Action Dispatch SSL middleware. *Alex Robbin*

- Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`. *Alex Robbin*

#### Active Job

- Make `retry_job` return the job that was created. *Rafael Mendonça França*

- Include `ActiveSupport::Testing::Assertions` in `ActiveJob::TestHelpers`. *Mikkel Malmberg*

#### Action Mailer

- Sets default mailer queue to `"default"` in the mail assertions. *Paul Keen*

#### Action Cable

- No changes.

#### Active Storage

- Fix S3 multipart uploads when threshold is larger than file. *Matt Muller*

#### Action Mailbox

- No changes.

#### Action Text

- No changes.

#### Railties

- Allow spaces in path to Yarn binstub and only run on precompile if needed. *Markus Doits*

- Populate ARGV for app template.

  Fixes [#40945](https://redirect.github.com/rails/rails/issues/40945).

  *Jonathan Hefner*

### [`v6.1.0`](https://redirect.github.com/rails/rails/releases/tag/v6.1.0): 6.1.0

[Compare Source](https://redirect.github.com/rails/rails/compare/v6.0.6.1...v6.1.0)

#### Active Support

- Ensure `MemoryStore` disables compression by default. Reverts behavior of `MemoryStore` to its prior rails `5.1` behavior.

  *Max Gurewitz*

- Calling `iso8601` on negative durations retains the negative sign on individual digits instead of prepending it.

  This change is required so we can interoperate with PostgreSQL, which prefers negative signs for each component.

  Compatibility with other iso8601 parsers which support leading negatives as well as negatives per component is still retained.

  Before:

  ```ruby
  (-1.year - 1.day).iso8601
  # => "-P1Y1D"
  ```

  After:

  ```ruby
  (-1.year - 1.day).iso8601
  # => "P-1Y-1D"
  ```

  *Vipul A M*

- Remove deprecated `ActiveSupport::Notifications::Instrumenter#end=`. *Rafael Mendonça França*

- Deprecate `ActiveSupport::Multibyte::Unicode.default_normalization_form`. *Rafael Mendonça França*

- Remove deprecated `ActiveSupport::Multibyte::Unicode.pack_graphemes`, `ActiveSupport::Multibyte::Unicode.unpack_graphemes`, `ActiveSupport::Multibyte::Unicode.normalize`, `ActiveSupport::Multibyte::Unicode.downcase`, `ActiveSupport::Multibyte::Unicode.upcase` and `ActiveSupport::Multibyte::Unicode.swapcase`. *Rafael Mendonça França*

- Remove deprecated `ActiveSupport::Multibyte::Chars#consumes?` and `ActiveSupport::Multibyte::Chars#normalize`. *Rafael Mendonça França*

- Remove deprecated file `active_support/core_ext/range/include_range`. *Rafael Mendonça França*

- Remove deprecated file `active_support/core_ext/hash/transform_values`. *Rafael Mendonça França*

- Remove deprecated file `active_support/core_ext/hash/compact`. *Rafael Mendonça França*

- Remove deprecated file `active_support/core_ext/array/prepend_and_append`. *Rafael Mendonça França*

- Remove deprecated file `active_support/core_ext/numeric/inquiry`. *Rafael Mendonça França*

- Remove deprecated file `active_support/core_ext/module/reachable`. *Rafael Mendonça França*

- Remove deprecated `Module#parent_name`, `Module#parent` and `Module#parents`. *Rafael Mendonça França*

- Remove deprecated `ActiveSupport::LoggerThreadSafeLevel#after_initialize`. *Rafael Mendonça França*

- Remove deprecated `LoggerSilence` constant.

  *Rafael Mendonça França*

- Remove deprecated fallback to `I18n.default_local` when `config.i18n.fallbacks` is empty. *Rafael Mendonça França*

- Remove entries from local cache on `RedisCacheStore#delete_matched`

  Fixes [#38627](https://redirect.github.com/rails/rails/issues/38627)

  *ojab*

- Speed up `ActiveSupport::SecurityUtils.fixed_length_secure_compare` by using `OpenSSL.fixed_length_secure_compare`, if available. *Nate Matykiewicz*

- `ActiveSupport::Cache::MemCacheStore` now checks `ENV["MEMCACHE_SERVERS"]` before falling back to `"localhost:11211"` if configured without any addresses.

  ```ruby
  config.cache_store = :mem_cache_store

  # is now equivalent to

  config.cache_store = :mem_cache_store, ENV["MEMCACHE_SERVERS"] || "localhost:11211"

  # instead of

  config.cache_store = :mem_cache_store, "localhost:11211" # ignores ENV["MEMCACHE_SERVERS"]
  ```

  *Sam Bostock*

- `ActiveSupport::Subscriber#attach_to` now accepts an `inherit_all:` argument. When set to true, it allows a subscriber to receive events for methods defined in the subscriber's ancestor class(es).

  ```ruby
  class ActionControllerSubscriber < ActiveSupport::Subscriber
    attach_to :action_controller

    def start_processing(event)
      info "Processing by #{event.payload[:controller]}##{event.payload[:action]} as #{format}"
    end

    def redirect_to(event)
      info { "Redirected to #{event.payload[:location]}" }
    end
  end

  # We detach ActionControllerSubscriber from the :action_controller namespace so that our CustomActionControllerSubscriber
  # can provide its own instrumentation for certain events in the namespace
  ActionControllerSubscriber.detach_from(:action_controller)

  class CustomActionControllerSubscriber < ActionControllerSubscriber
    attach_to :action_controller, inherit_all: true

    def start_processing(event)
      info "A custom response to start_processing events"
    end

    # => CustomActionControllerSubscriber will process events for "start_processing.action_controller" notifications
    # using its own #start_processing implementation, while retaining ActionControllerSubscriber's instrumentation
    # for "redirect_to.action_controller" notifications
  end
  ```

  *Adrianna Chang*

- Allow the digest class used to generate non-sensitive digests to be configured with `config.active_support.hash_digest_class`.

  `config.active_support.use_sha1_digests` is deprecated in favour of `config.active_support.hash_digest_class = ::Digest::SHA1`.

  *Dirkjan Bussink*

- Fix bug to make memcached write_entry expire correctly with unless_exist *Jye Lee*

- Add `ActiveSupport::Duration` conversion methods `in_seconds`, `in_minutes`, `in_hours`, `in_days`, `in_weeks`, `in_months`, and `in_years` return the respective duration covered. *Jason York*

- Fixed issue in `ActiveSupport::Cache::RedisCacheStore` not passing options to `read_multi` causing `fetch_multi` to not work properly *Rajesh Sharma*

- Fixed issue in `ActiveSupport::Cache::MemCacheStore` which caused duplicate compression, and caused the provided `compression_threshold` to not be respected.

  *Max Gurewitz*

- Prevent `RedisCacheStore` and `MemCacheStore` from performing compression when reading entries written with `raw: true`. *Max Gurewitz*

- `URI.parser` is deprecated and will be removed in Rails 6.2. Use `URI::DEFAULT_PARSER` instead. *Jean Boussier*

- `require_dependency` has been documented to be *obsolete* in `:zeitwerk` mode. The method is not deprecated as such (yet), but applications are encouraged to not use it.

  In `:zeitwerk` mode, semantics match Ruby's and you do not need to be defensive with load order. Just refer to classes and modules normally. If the constant name is dynamic, camelize if needed, and constantize.

  *Xavier Noria*

- Add 3rd person aliases of `Symbol#start_with?` and `Symbol#end_with?`.

  ```ruby
  :foo.starts_with?("f") # => true
  :foo.ends_with?("o") # => true
  ```

  *Ryuta Kamizono*

- Add override of unary plus for `ActiveSupport::Duration`.

  `+ 1.second` is now identical to `+1.second` to prevent errors where a seemingly innocent change of formatting leads to a change in the code behavior.

  Before:

  ```ruby
  +1.second.class
  # => ActiveSupport::Duration
  (+ 1.second).class
  # => Integer
  ```

  After:

  ```ruby
  +1.second.class
  # => ActiveSupport::Duration
  (+ 1.second).class
  # => ActiveSupport::Duration
  ```

  Fixes #39079.

  *Roman Kushnir*

- Add subsec to `ActiveSupport::TimeWithZone#inspect`.

  Before:

  ```ruby
  Time.at(1498099140).in_time_zone.inspect
  # => "Thu, 22 Jun 2017 02:39:00 UTC +00:00"
  Time.at(1498099140, 123456780, :nsec).in_time_zone.inspect
  # => "Thu, 22 Jun 2017 02:39:00 UTC +00:00"
  Time.at(1498099140 + Rational("1/3")).in_time_zone.inspect
  # => "Thu, 22 Jun 2017 02:39:00 UTC +00:00"
  ```

  After:

  ```ruby
  Time.at(1498099140).in_time_zone.inspect
  # => "Thu, 22 Jun 2017 02:39:00.000000000 UTC +00:00"
  Time.at(1498099140, 123456780, :nsec).in_time_zone.inspect
  # => "Thu, 22 Jun 2017 02:39:00.123456780 UTC +00:00"
  Time.at(1498099140 + Rational("1/3")).in_time_zone.inspect
  # => "Thu, 22 Jun 2017 02:39:00.333333333 UTC +00:00"
  ```

  *akinomaeni*

- Calling `ActiveSupport::TaggedLogging#tagged` without a block now returns a tagged logger.

  ```ruby
  logger.tagged("BCX").info("Funky time!") # => [BCX] Funky time!
  ```

  *Eugene Kenny*

- Align `Range#cover?` extension behavior with Ruby behavior for backwards ranges.

  `(1..10).cover?(5..3)` now returns `false`, as it does in plain Ruby.

  Also update `#include?` and `#===` behavior to match.

  *Michael Groeneman*

- Update to TZInfo v2.0.0.

  This changes the output of `ActiveSupport::TimeZone.utc_to_local`, but can be controlled with the `ActiveSupport.utc_to_local_returns_utc_offset_times` config.

  New Rails 6.1 apps have it enabled by default, existing apps can upgrade via the config in `config/initializers/new_framework_defaults_6_1.rb`

  See the `utc_to_local_returns_utc_offset_times` documentation for details.

  *Phil Ross*, *Jared Beck*

- Add Date and Time `#yesterday?` and `#tomorrow?` alongside `#today?`.

  Aliased to `#prev_day?` and `#next_day?` to match the existing `#prev/next_day` methods.

  *Jatin Dhankhar*

- Add `Enumerable#pick` to complement `ActiveRecord::Relation#pick`. *Eugene Kenny*

- \[Breaking change] `ActiveSupport::Callbacks#halted_callback_hook` now receives a 2nd argument:

  `ActiveSupport::Callbacks#halted_callback_hook` now receives the name of the callback being halted as second argument.
  This change will allow you to differentiate which callbacks halted the chain and act accordingly.

  ```ruby
  class Book < ApplicationRecord
    before_save { throw(:abort) }
    before_create { throw(:abort) }

    def halted_callback_hook(filter, callback_name)
      Rails.logger.info("Book couldn't be #{callback_name}d")
    end

    Book.create # => "Book couldn't be created"
    book.save # => "Book couldn't be saved"
  end
  ```

  *Edouard Chin*

- Support `prepend` with `ActiveSupport::Concern`.

  Allows a module with `extend ActiveSupport::Concern` to be prepended.

  ```ruby
  module Imposter
    extend ActiveSupport::Concern

    # Same as `included`, except only run when prepended.
    prepended do
    end
  end

  class Person
    prepend Imposter
  end
  ```

  Class methods are prepended to the base class, concerning is also updated: `concerning :Imposter, prepend: true do`.

  *Jason Karns*, *Elia Schito*

- Deprecate using `Range#include?` method to check the inclusion of a value in a date time range. It is recommended to use `Range#cover?` method instead of `Range#include?` to check the inclusion of a value in a date time range. *Vishal Telangre*

- Support added for a `round_mode` parameter, in all number helpers. (See: `BigDecimal::mode`.)

  ```ruby
  number_to_currency(1234567890.50, precision: 0, round_mode: :half_down) # => "$1,234,567,890"
  number_to_percentage(302.24398923423, precision: 5, round_mode: :down) # => "302.24398%"
  number_to_rounded(389.32314, precision: 0, round_mode: :ceil) # => "390"
  number_to_human_size(483989, precision: 2, round_mode: :up) # => "480 KB"
  number_to_human(489939, precision: 2, round_mode: :floor) # => "480 Thousand"

  485000.to_s(:human, precision: 2, round_mode: :half_even) # => "480 Thousand"
  ```

  *Tom Lord*

- `Array#to_sentence` no longer returns a frozen string.

  Before:

  ```ruby
  ['one', 'two'].to_sentence.frozen?
  # => true
  ```

  After:

  ```ruby
  ['one', 'two'].to_sentence.frozen?
  # => false
  ```

  *Nicolas Dular*

- When an instance of `ActiveSupport::Duration` is converted to an `iso8601` duration string, if `weeks` are mixed with `date` parts, the `week` part will be converted to days. This keeps the parser and serializer on the same page.

  ```ruby
  duration = ActiveSupport::Duration.build(1000000)
  # 1 week, 4 days, 13 hours, 46 minutes, and 40.0 seconds

  duration_iso = duration.iso8601
  # P11DT13H46M40S

  ActiveSupport::Duration.parse(duration_iso)
  # 11 days, 13 hours, 46 minutes, and 40 seconds

  duration = ActiveSupport::Duration.build(604800)
  # 1 week

  duration_iso = duration.iso8601
  # P1W

  ActiveSupport::Duration.parse(duration_iso)
  # 1 week
  ```

  *Abhishek Sarkar*

- Add block support to `ActiveSupport::Testing::TimeHelpers#travel_back`. *Tim Masliuchenko*

- Update `ActiveSupport::Messages::Metadata#fresh?` to work for cookies with expiry set when `ActiveSupport.parse_json_times = true`. *Christian Gregg*

- Support symbolic links for `content_path` in `ActiveSupport::EncryptedFile`. *Takumi Shotoku*

- Improve `Range#===`, `Range#include?`, and `Range#cover?` to work with beginless (startless) and endless range targets. *Allen Hsu*, *Andrew Hodgkinson*

- Don't use `Process#clock_gettime(CLOCK_THREAD_CPUTIME_ID)` on Solaris. *Iain Beeston*

- Prevent `ActiveSupport::Duration.build(value)` from creating instances of `ActiveSupport::Duration` unless `value` is of type `Numeric`.

  Addresses the errant set of behaviours described in [#37012](https://redirect.github.com/rails/rails/issues/37012) where `ActiveSupport::Duration` comparisons would fail confusingly or return unexpected results when comparing durations built from instances of `String`.

  Before:

  ```ruby
  small_duration_from_string = ActiveSupport::Duration.build('9')
  large_duration_from_string = ActiveSupport::Duration.build('100000000000000')
  small_duration_from_int = ActiveSupport::Duration.build(9)

  large_duration_from_string > small_duration_from_string
  # => false

  small_duration_from_string == small_duration_from_int
  # => false

  small_duration_from_int < large_duration_from_string
  # => ArgumentError (comparison of ActiveSupport::Duration::Scalar with ActiveSupport::Duration failed)

  large_duration_from_string > small_duration_from_int
  # => ArgumentError (comparison of String with ActiveSupport::Duration failed)
  ```

  After:

  ```ruby
  small_duration_from_string = ActiveSupport::Duration.build('9')
  # => TypeError (can't build an ActiveSupport::Duration from a String)
  ```

  *Alexei Emam*

- Add `ActiveSupport::Cache::Store#delete_multi` method to delete multiple keys from the cache store. *Peter Zhu*

- Support multiple arguments in `HashWithIndifferentAccess` for `merge` and `update` methods, to follow Ruby 2.6 addition. *Wojciech Wnętrzak*

- Allow initializing `thread_mattr_*` attributes via `:default` option.

  ```ruby
  class Scraper
    thread_mattr_reader :client, default: Api::Client.new
  end
  ```

  *Guilherme Mansur*

- Add `compact_blank` for those times when you want to remove #blank? values from an Enumerable (also `compact_blank!` on Hash, Array, ActionController::Parameters). *Dana Sherson*

- Make ActiveSupport::Logger Fiber-safe.

  Use `Fiber.current.__id__` in `ActiveSupport::Logger#local_level=` in order to make log level local to Ruby Fibers in addition to Threads.

  Example:

  ```ruby
  logger = ActiveSupport::Logger.new(STDOUT)
  logger.level = 1
  puts "Main is debug? #{logger.debug?}"

  Fiber.new {
    logger.local_level = 0
    puts "Thread is debug? #{logger.debug?}"
  }.resume

  puts "Main is debug? #{logger.debug?}"
  ```

  Before:

  ```
  Main is debug? false
  Thread is debug? true
  Main is debug? true
  ```

  After:

  ```
  Main is debug? false
  Thread is debug? true
  Main is debug? false
  ```

  Fixes [#36752](https://redirect.github.com/rails/rails/issues/36752).

  *Alexander Varnin*

- Allow the `on_rotation` proc used when decrypting/verifying a message to be passed at the constructor level.

  Before:

  ```ruby
  crypt = ActiveSupport::MessageEncryptor.new('long_secret')
  crypt.decrypt_and_verify(encrypted_message, on_rotation: proc { ... })
  crypt.decrypt_and_verify(another_encrypted_message, on_rotation: proc { ... })
  ```

  After:

  ```ruby
  crypt = ActiveSupport::MessageEncryptor.new('long_secret', on_rotation: proc { ... })
  crypt.decrypt_and_verify(encrypted_message)
  crypt.decrypt_and_verify(another_encrypted_message)
  ```

  *Edouard Chin*

- `delegate_missing_to` would raise a `DelegationError` if the object delegated to was `nil`. Now the `allow_nil` option has been added to enable the user to specify they want `nil` returned in this case. *Matthew Tanous*

- `truncate` would return the original string if it was too short to be truncated and a frozen string if it were long enough to be truncated. Now truncate will consistently return an unfrozen string regardless. This behavior is consistent with `gsub` and `strip`.

  Before:

  ```ruby
  'foobar'.truncate(5).frozen?
  # => true
  'foobar'.truncate(6).frozen?
  # => false
  ```

  After:

  ```ruby
  'foobar'.truncate(5).frozen?
  # => false
  'foobar'.truncate(6).frozen?
  # => false
  ```

  *Jordan Thomas*

#### Active Model

- Pass in `base` instead of `base_class` to Error.human_attribute_name

  This is useful in cases where the `human_attribute_name` method depends on other attributes' values of the class under validation to derive what the attribute name should be.

  *Filipe Sabella*

- Deprecate marshalling load from legacy attributes format. *Ryuta Kamizono*

- `*_previously_changed?` accepts `:from` and `:to` keyword arguments like `*_changed?`.

  ```ruby
  topic.update!(status: :archived)
  topic.status_previously_changed?(from: "active", to: "archived")
  # => true
  ```

  *George Claghorn*

- Raise FrozenError when trying to write attributes that aren't backed by the database on an object that is frozen:

  ```ruby
  class Animal
    include ActiveModel::Attributes
    attribute :age
  end

  animal = Animal.new
  animal.freeze
  animal.age = 25 #
  ```

mend-for-github-com[bot] commented 6 months ago

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

The artifact failure details are included below:

File name: Gemfile.lock
[03:58:33.591] INFO (75719): Installing tool bundler v1.16.1...
[03:58:33.602] INFO (75719): tool already installed
    tool: "bundler"
[03:58:33.965] FATAL (75719): Command failed with exit code 1: bundler --version
    err: {
      "type": "Error",
      "message": "Command failed with exit code 1: bundler --version",
      "stack":
          Error: Command failed with exit code 1: bundler --version
              at makeError (/snapshot/dist/containerbase-cli.js:43710:13)
              at handlePromise (/snapshot/dist/containerbase-cli.js:44609:29)
              at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
              at async InstallBundlerService.test (/snapshot/dist/containerbase-cli.js:51111:5)
              at async InstallToolService.linkAndTest (/snapshot/dist/containerbase-cli.js:51422:7)
              at async InstallToolService.execute (/snapshot/dist/containerbase-cli.js:51369:11)
              at async InstallToolShortCommand.execute (/snapshot/dist/containerbase-cli.js:51715:14)
              at async InstallToolShortCommand.validateAndExecute (/snapshot/dist/containerbase-cli.js:1344:26)
              at async _Cli.run (/snapshot/dist/containerbase-cli.js:2457:22)
              at async _Cli.runExit (/snapshot/dist/containerbase-cli.js:2465:28)
      "shortMessage": "Command failed with exit code 1: bundler --version",
      "command": "bundler --version",
      "escapedCommand": "bundler --version",
      "exitCode": 1,
      "cwd": "/tmp/renovate/github/Nexmo/ruby-2fa",
      "failed": true,
      "timedOut": false,
      "isCanceled": false,
      "killed": false
    }
[03:58:34.214] INFO (75719): Installed tool bundler with errors in 623ms.

/opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler/shared_helpers.rb:266:in `search_up': undefined method `untaint' for an instance of String (NoMethodError)

      current  = File.expand_path(SharedHelpers.pwd).untaint
                                                    ^^^^^^^^
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler/shared_helpers.rb:253:in `find_file'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler/shared_helpers.rb:245:in `find_gemfile'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler/shared_helpers.rb:27:in `root'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler.rb:218:in `root'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler.rb:230:in `app_config_path'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler.rb:257:in `settings'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler/env.rb:20:in `report'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler/friendly_errors.rb:96:in `request_issue_report_for'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler/friendly_errors.rb:46:in `log_error'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler/friendly_errors.rb:126:in `rescue in with_friendly_errors'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler/friendly_errors.rb:121:in `with_friendly_errors'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/exe/bundle:22:in `<top (required)>'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/exe/bundler:4:in `load'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/exe/bundler:4:in `<top (required)>'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/bin/bundler:25:in `load'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/bin/bundler:25:in `<main>'
/opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler/shared_helpers.rb:266:in `search_up': undefined method `untaint' for an instance of String (NoMethodError)

      current  = File.expand_path(SharedHelpers.pwd).untaint
                                                    ^^^^^^^^
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler/shared_helpers.rb:253:in `find_file'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler/shared_helpers.rb:245:in `find_gemfile'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler/shared_helpers.rb:27:in `root'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler.rb:218:in `root'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler.rb:230:in `app_config_path'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler.rb:257:in `settings'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler/feature_flag.rb:21:in `block in settings_method'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler/cli.rb:97:in `<class:CLI>'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler/cli.rb:7:in `<module:Bundler>'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler/cli.rb:6:in `<top (required)>'
    from <internal:/opt/containerbase/tools/ruby/3.3.1/lib/ruby/3.3.0/rubygems/core_ext/kernel_require.rb>:136:in `require'
    from <internal:/opt/containerbase/tools/ruby/3.3.1/lib/ruby/3.3.0/rubygems/core_ext/kernel_require.rb>:136:in `require'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/exe/bundle:23:in `block in <top (required)>'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/lib/bundler/friendly_errors.rb:122:in `with_friendly_errors'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/exe/bundle:22:in `<top (required)>'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/exe/bundler:4:in `load'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/gems/bundler-1.16.1/exe/bundler:4:in `<top (required)>'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/bin/bundler:25:in `load'
    from /opt/containerbase/tools/bundler/1.16.1/3.3/bin/bundler:25:in `<main>'