chore(deps): update all non-major bundler dependencies #474

Open
wants to merge 8 commits into
base: staging

renovate[bot]
Contributor

@renovate renovate bot commented Nov 25, 2024

This PR contains the following updates:

| Package | Change |
|---|---|
| carrierwave | '~> 2.1' -> '~> 2.2', '>= 2.2.6' |
| doorkeeper (changelog) | '~> 5.2' -> '~> 5.8', '>= 5.8.1' |
| jsonapi-resources | '~> 0.9.1' -> '~> 0.10.7' |
| puma | '~> 6.0' -> '~> 6.5' |
| rails (source, changelog) | '~> 7.0', '>= 7.0.4.3' -> '~> 7.2', '>= 7.2.2.1' |
| validates_timeliness (changelog) | '~> 7.0.0.beta2' -> '~> 7.0.0' |

Release Notes

doorkeeper-gem/doorkeeper (doorkeeper)

v5.8.1

Compare Source

  • [#1752] Bump the range of supported Ruby and Rails versions
  • [#1747] Fix unknown pkce method error when configured
  • [#1744] Allow for expired refresh tokens to be revoked
  • [#1754] Fix refresh tokens with dynamic scopes

cerebris/jsonapi-resources (jsonapi-resources)

v0.10.7

Compare Source

v0.10.6: Use related records for joined resources

Compare Source

Features:

Adds an option to merge in the related resource's records when joining. This allows permission checks from the related resource to be applied for includes.

Bug fixes

Fixes issue where a relationship's data is cached, resulting in the presence of the data in a response where it's not expected.

v0.10.5: - Fix polymorphic support for multiword resources

Compare Source

Fix polymorphic support for multiword resources
Also fixes some testing issues resulting in flappy tests

v0.10.4: - Rails 6.1 and Ruby 3.0 support

Compare Source

Brings in support for Rails 6.1 and Ruby 3.0

v0.10.3: - Fixes Included resources being limited with pagination

Compare Source

This is primarily a bug fix release. Fixes:

  • issue with included resources being limited when pagination is enabled
  • default_processor_klass deprecated. Use default_processor_klass_name to avoid warnings

v0.10.2: - Return 404 for show request when resource is not found

Compare Source

A 404 is now returned for a show request for a record that can not be found.

v0.10.1: - Fix for PostgreSQL SQL generation error

Compare Source

This is a bug fix for this error in PostgreSQL: ERROR: for SELECT DISTINCT, ORDER BY expressions must appear in select list

This is accomplished by ensuring fields used in sorting are also selected. This should be a transparent change.

v0.10.0: - Rework of internals

Compare Source

This large release contains a substantial re-architecture of the internals, especially the process of finding resources and their included resources, and caching.

Please see https://jsonapi-resources.com/v0.10/guide/whats_new.html for more details.

An upgrade guide has been added at https://jsonapi-resources.com/v0.10/guide/upgrade_guide.html

rails/rails (rails)

v7.2.2.1: 7.2.2.1

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Add validation to content security policies to disallow spaces and semicolons.
    Developers should use multiple arguments, and different directive methods instead.

    [CVE-2024-54133]

    Gannon McGibbon

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • Update vendored trix version to 2.1.10

    John Hawthorn

Railties

  • No changes.

Guides

  • No changes.

v7.2.2: 7.2.2

Compare Source

Active Support

  • Include options when instrumenting ActiveSupport::Cache::Store#delete and ActiveSupport::Cache::Store#delete_multi.

    Adam Renberg Tamm

  • Print test names when running rails test -v for parallel tests.

    John Hawthorn, Abeid Ahmed

Active Model

  • Fix regression in alias_attribute to work with user defined methods.

    alias_attribute would wrongly assume the attribute accessor was generated by Active Model.

    class Person
      include ActiveModel::AttributeMethods
    
      define_attribute_methods :name
      attr_accessor :name
    
      alias_attribute :full_name, :name
    end
    
    person.full_name # => NoMethodError: undefined method `attribute' for an instance of Person

    Jean Boussier

Active Record

  • Fix support for query_cache: false in database.yml.

    query_cache: false would no longer entirely disable the Active Record query cache.

    zzak

  • Set .attributes_for_inspect to :all by default.

    For new applications it is set to [:id] in config/environment/production.rb.

    In the console all the attributes are always shown.

    Andrew Novoselac

  • PG::UnableToSend: no connection to the server is now retryable as a connection-related exception

    Kazuma Watanabe

  • Fix marshalling of unsaved associated records in 7.1 format.

    The 7.1 format would only marshal associated records if the association was loaded.
    But associations that would only contain unsaved records would be skipped.

    Jean Boussier

  • Fix incorrect SQL query when passing an empty hash to ActiveRecord::Base.insert.

    David Stosik

  • Allow to save records with polymorphic join tables that have inverse_of
    specified.

    Markus Doits

  • Fix association scopes applying on the incorrect join when using a polymorphic has_many through:.

    Joshua Young

  • Fix dependent: :destroy for bi-directional has one through association.

    Fixes #50948.

    class Left < ActiveRecord::Base
      has_one :middle, dependent: :destroy
      has_one :right, through: :middle
    end
    
    class Middle < ActiveRecord::Base
      belongs_to :left, dependent: :destroy
      belongs_to :right, dependent: :destroy
    end
    
    class Right < ActiveRecord::Base
      has_one :middle, dependent: :destroy
      has_one :left, through: :middle
    end

    In the above example left.destroy wouldn't destroy its associated Right
    record.

    Andy Stewart

  • Properly handle lazily pinned connection pools.

    Fixes #53147.

    When using transactional fixtures with system tests or similar tools
    such as capybara, it could happen that a connection ends up pinned by the
    server thread rather than the test thread, causing
    "Cannot expire connection, it is owned by a different thread" errors.

    Jean Boussier

  • Fix ActiveRecord::Base.with to accept more than two sub queries.

    Fixes #53110.

    User.with(foo: [User.select(:id), User.select(:id), User.select(:id)]).to_sql
    undefined method `union' for an instance of Arel::Nodes::UnionAll (NoMethodError)

    The above now works as expected.

    fatkodima

  • Properly release pinned connections with non joinable connections.

    Fixes #52973

    When running system tests with transactional fixtures on, it could happen that
    the connection leased by the Puma thread wouldn't be properly released back to the pool,
    causing "Cannot expire connection, it is owned by a different thread" errors in later tests.

    Jean Boussier

  • Make Float distinguish between float4 and float8 in PostgreSQL.

    Fixes #52742

    Ryota Kitazawa, Takayuki Nagatomi

  • Fix an issue where .left_outer_joins used with multiple associations that have
    the same child association but different parents does not join all parents.

    Previously, using .left_outer_joins with the same child association would only join one of the parents.

    Now it will correctly join both parents.

    Fixes #41498.

    Garrett Blehm

  • Ensure ActiveRecord::Encryption.config is always ready before access.

    Previously, ActiveRecord::Encryption configuration was deferred until ActiveRecord::Base
    was loaded. Therefore, accessing ActiveRecord::Encryption.config properties before
    ActiveRecord::Base was loaded would give incorrect results.

    ActiveRecord::Encryption now has its own loading hook so that its configuration is set as
    soon as needed.

    When ActiveRecord::Base is loaded, even lazily, it in turn triggers the loading of
    ActiveRecord::Encryption, thus preserving the original behavior of having its config ready
    before any use of ActiveRecord::Base.

    Maxime Réty

  • Add TimeZoneConverter#== method, so objects will be properly compared by
    their type, scale, limit & precision.

    Address #52699.

    Ruy Rocha

Action View

  • No changes.

Action Pack

  • Fix non-GET requests not updating cookies in ActionController::TestCase.

    Jon Moss, Hartley McGuire

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

Guides

  • No changes.

v7.2.1.2: 7.2.1.2

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • Fix NoMethodError in block_format helper

    Michael Leimstaedtner

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

Guides

  • No changes.

v7.2.1.1: 7.2.1.1

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Avoid regex backtracking in HTTP Token authentication

    [CVE-2024-47887]

  • Avoid regex backtracking in query parameter filtering

    [CVE-2024-41128]

Active Job

  • No changes.

Action Mailer

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • Avoid backtracking in plain_text_for_blockquote_node

    [CVE-2024-47888]

Railties

  • No changes.

Guides

  • No changes.

v7.2.1: 7.2.1

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Fix detection for enum columns with parallelized tests and PostgreSQL.

    Rafael Mendonça França

  • Allow to eager load nested nil associations.

    fatkodima

  • Fix swallowing ignore order warning when batching using BatchEnumerator.

    fatkodima

  • Fix memory bloat on the connection pool when using the Fiber IsolatedExecutionState.

    Jean Boussier

  • Restore inferred association class with the same modularized name.

    Justin Ko

  • Fix ActiveRecord::Base.inspect to properly explain how to load schema information.

    Jean Boussier

  • Check invalid enum options for the new syntax.

    The options using _ prefix in the old syntax are invalid in the new syntax.

    Rafael Mendonça França

  • Fix ActiveRecord::Encryption::EncryptedAttributeType#type to return
    actual cast type.

    Vasiliy Ermolovich

  • Fix create_table with :auto_increment option for MySQL adapter.

    fatkodima

Action View

  • No changes.

Action Pack

  • Fix Request#raw_post raising NoMethodError when rack.input is nil.

    Hartley McGuire

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • Strip content attribute if the key is present but the value is empty

    Jeremy Green

Railties

  • Fix rails console for application with non default application constant.

    It wrongly assumed the Rails application would be named AppNamespace::Application,
    which is the default but not an obligation.

    Jean Boussier

  • Fix the default Dockerfile to include the full sqlite3 package.

    Prior to this it only included libsqlite3, so it wasn't enough to
    run rails dbconsole.

    Jerome Dalbert

  • Don't update public directory during app:update command for API-only Applications.

    y-yagi

  • Don't add bin/brakeman if brakeman is not in bundle when upgrading an application.

    Etienne Barrié

  • Remove PWA views and routes if it's an API only project.

    Jean Boussier

  • Simplify generated Puma configuration

    DHH, Rafael Mendonça França

v7.2.0

Compare Source

v7.1.5.1: 7.1.5.1

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Add validation to content security policies to disallow spaces and semicolons.
    Developers should use multiple arguments, and different directive methods instead.

    [CVE-2024-54133]

    Gannon McGibbon

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • Update vendored trix version to 2.1.10

    John Hawthorn

Railties

  • No changes.

Guides

  • No changes.

v7.1.5: 7.1.5

Compare Source

Active Support

  • No changes.

Active Model

  • Fix regression in alias_attribute to work with user defined methods.

    alias_attribute would wrongly assume the attribute accessor was generated by Active Model.

    class Person
      include ActiveModel::AttributeMethods
    
      define_attribute_methods :name
      attr_accessor :name
    
      alias_attribute :full_name, :name
    end
    
    person.full_name # => NoMethodError: undefined method `attribute' for an instance of Person

    Jean Boussier

Active Record

  • Fix marshalling of unsaved associated records in 7.1 format.

    The 7.1 format would only marshal associated records if the association was loaded.
    But associations that would only contain unsaved records would be skipped.

    Jean Boussier

  • Fix an issue where .left_outer_joins used with multiple associations that have
    the same child association but different parents does not join all parents.

    Previously, using .left_outer_joins with the same child association would only join one of the parents.

    Now it will correctly join both parents.

    Fixes #41498.

    Garrett Blehm

  • Ensure ActiveRecord::Encryption.config is always ready before access.

    Previously, ActiveRecord::Encryption configuration was deferred until ActiveRecord::Base
    was loaded. Therefore, accessing ActiveRecord::Encryption.config properties before
    ActiveRecord::Base was loaded would give incorrect results.

    ActiveRecord::Encryption now has its own loading hook so that its configuration is set as
    soon as needed.

    When ActiveRecord::Base is loaded, even lazily, it in turn triggers the loading of
    ActiveRecord::Encryption, thus preserving the original behavior of having its config ready
    before any use of ActiveRecord::Base.

    Maxime Réty

  • Add TimeZoneConverter#== method, so objects will be properly compared by
    their type, scale, limit & precision.

    Address #52699.

    Ruy Rocha

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

Guides

  • No changes.

v7.1.4.2: 7.1.4.2

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • Fix NoMethodError in block_format helper

    Michael Leimstaedtner

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

Guides

  • No changes.

v7.1.4.1: 7.1.4.1

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Avoid regex backtracking in HTTP Token authentication

    [CVE-2024-47887]

  • Avoid regex backtracking in query parameter filtering

    [CVE-2024-41128]

Active Job

  • No changes.

Action Mailer

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • Avoid backtracking in plain_text_for_blockquote_node

    [CVE-2024-47888]

Railties

  • No changes.

Guides

  • No changes.

v7.1.4: 7.1.4

Compare Source

Active Support

  • Improve compatibility for ActiveSupport::BroadcastLogger.

    Máximo Mussini

  • Pass options along to write_entry in handle_expired_entry method.

    Graham Cooper

  • Fix Active Support configurations deprecations.

    fatkodima

  • Fix teardown callbacks.

    Tristan Starck

  • BacktraceCleaner silence core internal methods by default.

    Jean Boussier

  • Fix delegate_missing_to allow_nil: true when called with implicit self

    class Person
      delegate_missing_to :address, allow_nil: true
    
      def address
        nil
      end
    
      def berliner?
        city == "Berlin"
      end
    end
    
    Person.new.city # => nil
    Person.new.berliner? # undefined local variable or method `city' for an instance of Person (NameError)

    Jean Boussier

  • Work around a Ruby bug that can cause a VM crash.

    This would happen if using TaggerLogger with a Proc
    formatter on which you called object_id.

    [BUG] Object ID seen, but not in mapping table: proc
    

    Jean Boussier

  • Fix ActiveSupport::Notifications.publish_event to preserve units.

    This solves the incorrect reporting of time spent running Active Record
    asynchronous queries (by a factor 1000).

    Jean Boussier

Active Model

  • No changes.

Active Record

  • Allow to eager load nested nil associations.

    fatkodima

  • Fix create_table with :auto_increment option for MySQL adapter.

    fatkodima

  • Don't load has_one associations during autosave.

    Eugene Kenny

  • Fix migration ordering for bin/rails db:prepare across databases.

    fatkodima

  • Fix alias_attribute to ignore methods defined in parent classes.

    Jean Boussier

  • Fix a performance regression in attribute methods.

    Jean Boussier

  • Fix Active Record configs variable shadowing.

    Joel Lubrano

  • Fix running migrations on other databases when database_tasks: false on primary.

    fatkodima

  • Fix non-partial inserts for models with composite identity primary keys.

    fatkodima

  • Fix ActiveRecord::Relation#touch_all with custom attribute aliased as attribute for update.

    fatkodima

  • Fix a crash when an Executor wrapped fork exit.

    Joé Dupuis

  • Fix destroy_async job for owners with composite primary keys.

    fatkodima

  • Ensure pre-7.1 migrations use legacy index names when using rename_table.

    fatkodima

  • Allow primary_key: association option to be composite.

    Nikita Vasilevsky

  • Do not try to alias on key update when raw SQL is supplied.

    Gabriel Amaral

  • Memoize key_provider from key or deterministic key_provider if any.

    Rosa Gutierrez

  • Fix upsert warning for MySQL.

    fatkodima

  • Fix predicate builder for polymorphic models referencing models with composite primary keys.

    fatkodima

  • Fix update_all/delete_all on CPK model relation with join subquery.

    Nikita Vasilevsky

  • Remove memoization to accept key_provider overridden by with_encryption_context.

    John Hawthorn

  • Raise error for Trilogy when prepared_statements is true.

    Trilogy doesn't currently support prepared statements. The error that
    applications would see is a StatementInvalid error. This doesn't quite point
    you to the fact this isn't supported. So raise a more appropriate error
    pointing to what to change.

    Eileen M. Uchitelle

  • Fix loading schema cache when all databases have disabled database tasks.

    fatkodima

  • Always request primary_key in RETURNING if no other columns requested.

    Nikita Vasilevsky

  • Handle records being loaded with Marshal without triggering schema load

    When using the old marshalling format for Active Record and loading
    a serialized instance, it didn't trigger loading the schema and defining
    attribute methods.

    Jean Boussier

  • Prevent some constant redefinition warnings when defining inherited on models.

    Adrian Hirt

  • Fix a memory performance regression in attribute methods.

    Attribute methods used much more memory and were slower to define than
    they should have been.

    Jean Boussier

  • Fix an issue that could cause database connection leaks.

    If Active Record successfully connected to the database, but then failed
    to read the server information, the connection would be leaked until the
    Ruby garbage collector triggers.

    Jean Boussier

  • Fix an issue where the IDs reader method did not return expected results
    for preloaded associations in models using composite primary keys.

    Jay Ang

  • PostgreSQL Cidr#change? detects the address prefix change.

    Taketo Takashima

  • Fix Active Record serialization to not include instantiated but not loaded associations

    Jean Boussier, Ben Kyriakou

  • Allow Sqlite3Adapter to use sqlite3 gem version 2.x

    Mike Dalessio

  • Strict loading using :n_plus_one_only does not eagerly load child associations.

    With this change, child associations are no longer eagerly loaded, to
    match intended behavior and to prevent non-deterministic order issues caused
    by calling methods like first or last. As first and last don't cause
    an N+1 by themselves, calling child associations will no longer raise.
    Fixes #49473.

    Before:

    person = Person.find(1)
    person.strict_loading!(mode: :n_plus_one_only)
    person.posts.first
    # SELECT * FROM posts WHERE person_id = 1; -- non-deterministic order
    person.posts.first.firm # raises ActiveRecord::StrictLoadingViolationError

    After:

    person = Person.find(1)
    person.strict_loading!(mode: :n_plus_one_only)
    person.posts.first # this is 1+1, not N+1
    # SELECT * FROM posts WHERE person_id = 1 ORDER BY id LIMIT 1;
    person.posts.first.firm # no longer raises

    Reid Lynch

  • Using Model.query_constraints with a single non-primary-key column used to raise as expected, but with an
    incorrect error message. This has been fixed to raise with a more appropriate error message.

    Joshua Young

  • Fix has_one association autosave setting the foreign key attribute when it is unchanged.

    This behaviour is also inconsistent with autosaving belongs_to and can have unintended side effects like raising
    an ActiveRecord::ReadonlyAttributeError when the foreign key attribute is marked as read-only.

    Joshua Young

  • Fix an issue where ActiveRecord::Encryption configurations are not ready before the loading
    of Active Record models, when an application is eager loaded. As a result, encrypted attributes
    could be misconfigured in some cases.

    Maxime Réty

  • Properly synchronize Mysql2Adapter#active? and TrilogyAdapter#active?

    As well as disconnect! and verify!.

    This generally isn't a big problem as connections must not be shared between
    threads, but is required when running transactional tests or system tests
    and could lead to a SEGV.

    Jean Boussier

  • Fix counter caches when the foreign key is composite.

    If the model holding the counter cache had a composite primary key,
    inserting a dependent record would fail with an ArgumentError
    Expected corresponding value for...

    fatkodima

  • Fix loading of schema cache for multiple databases.

    Before this change, if you have multiple databases configured in your
    application, and had schema cache present, Rails would load the same
    cache to all databases.

    Rafael Mendonça França

  • Fix eager loading of composite primary key associations.

    relation.eager_load(:other_model) could load the wrong records if other_model
    had a composite primary key.

    Nikita Vasilevsky

  • Fix async queries returning a doubly wrapped result when hitting the query cache.

    fatkodima

  • Fix single quote escapes on default generated MySQL columns

    MySQL 5.7.5+ supports generated columns, which can be used to create a column that is computed from an expression.

    Previously, the schema dump would output a string with double escapes for generated columns with single quotes in the default expression.

    This would result in issues when importing the schema on a fresh instance of a MySQL database.

    Now, the string will not be escaped and will be valid Ruby upon importing of the schema.

    Yash Kapadia

  • Fix Migrations with versions older than 7.1 validating options given to
    t.references.

    Hartley McGuire

Action View

  • Action View Test Case rendered memoization.

    Sean Doyle

  • Restore the ability for templates to return any kind of object and not just strings

    Jean Boussier

  • Fix threading issue with strict locals.

    Robert Fletcher

Action Pack

  • Resolve deprecation warning in latest selenium-webdriver.

    Earlopain

  • Don't preload Selenium browser when remote.

    Noah Horton

  • Fix crash for invalid Content-Type in ShowExceptions middleware.

    Earlopain

  • Fix inconsistent results of params.deep_transform_keys.

    Iago Pimenta

  • Do not report rendered errors except 500.

    Nikita Vasilevsky

  • Improve routes source location detection.

    Jean Boussier

  • Fix Request#raw_post raising NoMethodError when rack.input is nil.

    Hartley McGuire

  • Fix url generation in nested engine when script name is empty.

    zzak

  • Fix Mime::Type.parse handling type parameters for HTTP Accept headers.

    Taylor Chaparro

  • Fix the error page that is displayed when a view template is missing to account for nested controller paths in the
    suggested correct location for the missing template.

    Joshua Young

  • Fix a regression in 7.1.3 passing a to: option without a controller when the controller is already defined by a scope.

    Rails.application.routes.draw do
      controller :home do
        get "recent", to: "recent_posts"
      end
    end

    Étienne Barrié

  • Fix ActionDispatch::Executor middleware to report errors handled by ActionDispatch::ShowExceptions

    In the default production environment, ShowExceptions rescues uncaught errors
    and returns a response. Because of this the executor wouldn't report production
    errors with the default Rails configuration.

    Jean Boussier

Active Job

  • Register autoload for ActiveJob::Arguments.

    Rafael Mendonça França

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • Fixes race condition for multiple preprocessed video variants.

    Justin Searls

Action Mailbox

  • No changes.

Action Text

  • Strip content attribute if the key is present but the value is empty

    Jeremy Green

  • Only sanitize content attribute when present in attachments.

    Petrik de Heus

Railties

  • Preserve --asset-pipeline propshaft when running app:update.

    Zacharias Knudsen

  • Allow string keys for SQLCommenter.

    Ngan Pham

  • Fix derived foreign key to return correctly when association id is part of query constraints.

    Varun Sharma

  • Show warning for secret_key_base in development too.

    fatkodima

  • Fix sanitizer vendor configuration in 7.1 defaults.

    In apps where rails-html-sanitizer was not eagerly loaded, the sanitizer default could end up
    being Rails::HTML4::Sanitizer when it should be set to Rails::HTML5::Sanitizer.

    Mike Dalessio, Rafael Mendonça França

  • Revert the use of Concurrent.physical_processor_count in default Puma config

    While for many people this saves one config to set, for many others using
    a shared hosting solution, this causes the default configuration to spawn
    way more workers than reasonable.

    There is unfortunately no reliable way to detect how many cores an application
    can realistically use, and even then, assuming the application should use
    all the machine resources is often wrong.

    Jean Boussier

v7.1.3.4: 7.1.3.4

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Include the HTTP Permissions-Policy on non-HTML Content-Types
    [CVE-2024-28103]

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • Sanitize ActionText HTML ContentAttachment in Trix edit view
    [CVE-2024-32464]

Railties

  • No changes.

v7.1.3.3: 7.1.3.3

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • Upgrade Trix to 2.1.1 to fix CVE-2024-34341.

    Rafael Mendonça França

Railties

  • No changes.

v7.1.3.2

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Fix raise_on_missing_translations not working correctly with the
    translate method in controllers after the patch for CVE-2024-26143.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v7.1.3.1: 7.1.3.1

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v7.1.3: 7.1.3

Compare Source

Active Support

  • Handle nil backtrace_locations in ActiveSupport::SyntaxErrorProxy.

    Eugene Kenny

  • Fix ActiveSupport::JSON.encode to prevent duplicate keys.

    If the same key exists in both String and Symbol form it could
    lead to the same key being emitted twice.

    Manish Sharma

  • Fix ActiveSupport::Cache::Store#read_multi when using a cache namespace
    and local cache strategy.

    Mark Oleson

  • Fix Time.now/DateTime.now/Date.today to return results in a system timezone after #travel_to.

    There is a bug in the current implementation of #travel_to:
    it remembers a timezone of its argument, and all stubbed methods start
    returning results in that remembered timezone. However, the expected
    behaviour is to return results in a system timezone.

    Aleksei Chernenkov

  • Fix :unless_exist option for MemoryStore#write (et al) when using a
    cache namespace.

    S. Brent Faulkner

  • Fix ActiveSupport::Deprecation to handle blaming generated code.

    Jean Boussier, fatkodima

Active Model

  • No changes.

Active Record

  • Fix Migrations with versions older than 7.1 validating options given to
    add_reference.

    Hartley McGuire

  • Ensure reload sets correct owner for each association.

    Dmytro Savochkin

  • Fix view runtime for controllers with async queries.

    fatkodima

  • Fix load_async to work with query cache.

    fatkodima

  • Fix polymorphic belongs_to to correctly use parent's query_constraints.

    fatkodima

  • Fix Preloader to not generate a query for already loaded association with query_constraints.

    fatkodima

  • Fix multi-database polymorphic preloading with equivalent table names.

    When preloading polymorphic associations, if two models pointed to two
    tables with the same name but located in different databases, the
    preloader would only load one.

    Ari Summer

  • Fix encrypted_attribute? to take into account context properties passed to encrypts.

    Maxime Réty

  • Fix find_by to work correctly in presence of composite primary keys.

    fatkodima

  • Fix async queries sometimes returning a raw result if they hit the query cache.

    ShipPart.async_count could return a raw integer rather than a Promise
    if it found the result in the query cache.

    fatkodima

  • Fix Relation#transaction to not apply a default scope.

    The method was incorrectly setting a default scope around its block:

    Post.where(published: true).transaction do
      Post.count # SELECT COUNT(*) FROM posts WHERE published = FALSE;
    end

    Jean Boussier

  • Fix calling async_pluck on a none relation.

    Model.none.async_pluck(:id) was returning a naked value
    instead of a promise.

    Jean Boussier

  • Fix calling load_async on a none relation.

    Model.none.load_async was returning a broken result.

    Lucas Mazza

  • TrilogyAdapter: ignore host if socket parameter is set.

    This allows configuring a connection on a UNIX socket via DATABASE_URL:

    DATABASE_URL=trilogy://does-not-matter/my_db_production?socket=/var/run/mysql.sock
    

    Jean Boussier

  • Fix has_secure_token calls the setter method on initialize.

    Abeid Ahmed

  • Allow using object_id as a database column name.
    It was available before rails 7.1 and may be used as a part of polymorphic relationship to object where object can be any other database record.

    Mikhail Doronin

  • Fix rails db:create:all to not touch databases before they are created.

    fatkodima

Action View

  • Better handle SyntaxError in Action View.

    Mario Caropreso

  • Fix word_wrap with empty string.

    Jonathan Hefner

  • Rename ActionView::TestCase::Behavior::Content to ActionView::TestCase::Behavior::RenderedViewContent.

    Make RenderedViewContent inherit from String. Make private API with :nodoc:.

    Sean Doyle

  • Fix detection of required strict locals.

    Further fix render @collection compatibility with strict locals

    Jean Boussier

Action Pack

  • Fix including Rails.application.routes.url_helpers directly in an
    ActiveSupport::Concern.

    Jonathan Hefner

  • Fix system tests when using a Chrome binary that has been downloaded by
    Selenium.

    Jonathan Hefner

Active Job

  • Do not trigger immediate loading of ActiveJob::Base when loading ActiveJob::TestHelper.

    Maxime Réty

  • Preserve the serialized timezone when deserializing ActiveSupport::TimeWithZone arguments.

    Joshua Young

  • Fix ActiveJob arguments serialization to correctly serialize String subclasses having custom serializers.

    fatkodima

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • Fix N+1 query when fetching preview images for non-image assets.

    Aaron Patterson & Justin Searls

  • Fix all Active Storage database related models to respect
    ActiveRecord::Base.table_name_prefix configuration.

    Chedli Bourguiba

  • Fix ActiveStorage::Representations::ProxyController not returning the proper
    preview image variant for previewable files.

    Chedli Bourguiba

  • Fix ActiveStorage::Representations::ProxyController to proxy untracked
    variants.

    Chedli Bourguiba

  • Fix direct upload forms when submit button contains nested elements.

    Marc Köhlbrugge

  • When using the preprocessed: true option, avoid enqueuing transform jobs
    for blobs that are not representable.

    Chedli Bourguiba

  • Process preview image variant when calling ActiveStorage::Preview#processed.
    For example, attached_pdf.preview(:thumb).processed will now immediately
    generate the full-sized preview image and the :thumb variant of it.
    Previously, the :thumb variant would not be generated until a further call
    to e.g. processed.url.

    Chedli Bourguiba and Jonathan Hefner

  • Prevent ActiveRecord::StrictLoadingViolationError when strict loading is
    enabled and the variant of an Active Storage preview has already been
    processed (for example, by calling ActiveStorage::Preview#url).

    Jonathan Hefner

  • Fix preprocessed: true option for named variants of previewable files.

    Nico Wenterodt

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • Make sure config.after_routes_loaded hook runs on boot.

    Rafael Mendonça França

  • Fix config.log_level not being respected when using a BroadcastLogger

    Édouard Chin

  • Fix isolated engines to take ActiveRecord::Base.table_name_prefix into consideration.
    This will allow for engine defined models, such as inside Active Storage, to respect
    Active Record table name prefix configuration.

    Chedli Bourguiba

  • The bin/rails app:template command will no longer add potentially unwanted
    gem platforms via bundle lock --add-platform=... commands.

    Jonathan Hefner

v7.1.2: 7.1.2

Compare Source

Active Support
  • Fix :expires_in option for RedisCacheStore#write_multi.

    fatkodima

  • Fix deserialization of non-string "purpose" field in Message serializer

    Jacopo Beschi

  • Prevent global cache options being overwritten when setting dynamic options
    inside a ActiveSupport::Cache::Store#fetch block.

    Yasha Krasnou

  • Fix missing require resulting in NoMethodError when running
    bin/rails secrets:show or bin/rails secrets:edit.

    Stephen Ierodiaconou

  • Ensure {down,up}case_first returns non-frozen string.

    Jonathan Hefner

  • Fix #to_fs(:human_size) to correctly work with negative numbers.

    Earlopain

  • Fix BroadcastLogger#dup so that it duplicates the logger's broadcasts.

    Andrew Novoselac

  • Fix issue where bootstrap.rb overwrites the level of a BroadcastLogger's broadcasts.

    Andrew Novoselac

  • Fix ActiveSupport::Cache to handle outdated Marshal payload from Rails 6.1 format.

    Active Support's Cache is supposed to treat a Marshal payload that can no longer be
    deserialized as a cache miss. It failed to do so for compressed payload in the Rails 6.1
    legacy format.

    Jean Boussier

  • Fix OrderedOptions#dig for array indexes.

    fatkodima

  • Fix time travel helpers to work when nested using with separate classes.

    fatkodima

  • Fix delete_matched for file cache store to work with keys longer than the
    max filename size.

    fatkodima and Jonathan Hefner

  • Fix compatibility with the semantic_logger gem.

    The semantic_logger gem doesn't behave exactly like stdlib logger in that
    SemanticLogger#level returns a Symbol while stdlib Logger#level returns an Integer.

    This caused the various LogSubscriber classes in Rails to break when assigned a
    SemanticLogger instance.

    Jean Boussier, ojab

Active Model
  • Make ==(other) method of AttributeSet safe.

    Dmitry Pogrebnoy

Active Record
  • Fix renaming primary key index when renaming a table with a UUID primary key
    in PostgreSQL.

    fatkodima

  • Fix where(field: values) queries when field is a serialized attribute
    (for example, when field uses ActiveRecord::Base.serialize or is a JSON
    column).

    João Alves

  • Prevent marking broken connections as verified.

    Daniel Colson

  • Don't mark Float::INFINITY as changed when reassigning it

    When saving a record with a float infinite value, it shouldn't mark as changed

    Maicol Bentancor

  • ActiveRecord::Base.table_name now returns nil instead of raising
    "undefined method abstract_class? for Object:Class".

    a5-stable

  • Fix upserting for custom :on_duplicate and :unique_by consisting of all
    inserts keys.

    fatkodima

  • Fixed an issue where saving a record could inappropriately dup its attributes.

    Jonathan Hefner

  • Dump schema only for a specific db for rollback/up/down tasks for multiple dbs.

    fatkodima

  • Fix NoMethodError when casting a PostgreSQL money value that uses a
    comma as its radix point and has no leading currency symbol. For example,
    when casting "3,50".

    Andreas Reischuck and Jonathan Hefner

  • Re-enable support for using enum with non-column-backed attributes.
    Non-column-backed attributes must be previously declared with an explicit
    type. For example:

    class Post < ActiveRecord::Base
      attribute :topic, :string
      enum topic: %i[science tech engineering math]
    end

    Jonathan Hefner

  • Raise on foreign_key: being passed as an array in associations

    Nikita Vasilevsky

  • Return back maximum allowed PostgreSQL table name to 63 characters.

    fatkodima

  • Fix detecting IDENTITY columns for PostgreSQL < 10.

    fatkodima

Action View
  • Fix the number_to_human_size view helper to correctly work with negative numbers.

    Earlopain

  • Automatically discard the implicit locals injected by collection rendering for templates that can't accept them

    When rendering a collection, two implicit variables are injected, which breaks templates with strict locals.

    Now they are only passed if the template will actually accept them.

    Yasha Krasnou, Jean Boussier

  • Fix @rails/ujs calling start() an extra time when using bundlers

    Hartley McGuire, Ryunosuke Sato

  • Fix the capture view helper compatibility with HAML and Slim

    When a blank string was captured in HAML or Slim (and possibly other template engines)
    it would instead return the entire buffer.

    Jean Boussier

Action Pack
  • Fix a race condition that could cause a Text file busy - chromedriver
    error with parallel system tests

    Matt Brictson

  • Fix StrongParameters#extract_value to include blank values

    Otherwise composite parameters may not be parsed correctly when one of the
    components is blank.

    fatkodima, Yasha Krasnou, Matthias Eiglsperger

  • Add racc as a dependency since it will become a bundled gem in Ruby 3.4.0

    Hartley McGuire

  • Support handling Enumerator for non-buffered responses.

    Zachary Scott

Active Job
  • No changes.
Action Mailer
  • No changes.
Action Cable
  • No changes.
Active Storage
  • No changes.
Action Mailbox
  • No changes.
Action Text
  • Compile ESM package that can be used directly in the browser as actiontext.esm.js

    Matias Grunberg

  • Fix using actiontext.js with Sprockets

    Matias Grunberg

  • Upgrade Trix to 2.0.7

    Hartley McGuire

  • Fix using Trix with Sprockets

    Hartley McGuire

Railties
  • Fix running db:system:change when app has no Dockerfile.

    Hartley McGuire

  • If you accessed config.eager_load_paths and friends, later changes to
    config.paths were not reflected in the expected auto/eager load paths.
    Now, they are.

    This bug has been latent since Rails 3.

    Fixes #49629.

    Xavier Noria

v7.1.1: 7.1.1

Compare Source

Active Support

  • Add support for keyword arguments when delegating calls to custom loggers from ActiveSupport::BroadcastLogger.

    Jenny Shen

  • NumberHelper: handle objects responding to_d.

    fatkodima

  • Fix RedisCacheStore to properly set the TTL when incrementing or decrementing.

    This bug was only impacting Redis server older than 7.0.

    Thomas Countz

  • Fix MemoryStore to prevent race conditions when incrementing or decrementing.

    Pierre Jambet

Active Model

  • No changes.

Active Record

  • Fix auto populating IDENTITY columns for PostgreSQL.

    fatkodima

  • Fix "ArgumentError: wrong number of arguments (given 3, expected 2)" when
    down migrating rename_table in older migrations.

    fatkodima

  • Do not require the Action Text, Active Storage and Action Mailbox tables
    to be present when running tests on CI.

    Rafael Mendonça França

Action View

  • Updated @rails/ujs files to ignore certain data-* attributes when element is contenteditable.

    This fix was already landed in >= 7.0.4.3, < 7.1.0.
    [CVE-2023-23913]

    Ryunosuke Sato

Action Pack

  • No changes.

Active Job

  • Don't log enqueuing details when the job wasn't enqueued.

    Dustin Brown

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • Ensures the Rails generated Dockerfile uses correct ruby version and matches Gemfile.

    Abhay Nikam

v7.1.0: 7.1.0

Compare Source

Active Support

  • Fix AS::MessagePack with ENV["RAILS_MAX_THREADS"].

    Jonathan Hefner

  • Add a new public API for broadcasting logs

    This feature existed for a while but was until now a private API.
    Broadcasting logs allows sending log messages to different sinks (STDOUT, a file ...) and
    is used by default in the development environment to write logs both on STDOUT and in the
    "development.log" file.

    Basic usage:

    stdout_logger = Logger.new(STDOUT)
    file_logger = Logger.new("development.log")
    broadcast = ActiveSupport::BroadcastLogger.new(stdout_logger, file_logger)
    
    broadcast.info("Hello!") # The "Hello!" message is written on STDOUT and in the log file.

    Adding other sink(s) to the broadcast:

    broadcast = ActiveSupport::BroadcastLogger.new
    broadcast.broadcast_to(Logger.new(STDERR))

    Remove a sink from the broadcast:

    stdout_logger = Logger.new(STDOUT)
    broadcast = ActiveSupport::BroadcastLogger.new(stdout_logger)
    
    broadcast.stop_broadcasting_to(stdout_logger)

    Edouard Chin

  • Fix Range#overlap? not taking empty ranges into account on Ruby < 3.3

    Nobuyoshi Nakada, Shouichi Kamiya, Hartley McGuire

  • Use Ruby 3.3 Range#overlap? if available

    Yasuo Honda

  • Add bigdecimal as Active Support dependency that is a bundled gem candidate for Ruby 3.4.

    bigdecimal 3.1.4 or higher version will be installed.
    Ruby 2.7 and 3.0 users who want bigdecimal version 2.0.0 or 3.0.0 behavior as a default gem,
    pin the bigdecimal version in your application Gemfile.

    Koichi ITO

  • Add drb, mutex_m and base64 that are bundled gem candidates for Ruby 3.4

    Yasuo Honda

  • When using cache format version >= 7.1 or a custom serializer, expired and
    version-mismatched cache entries can now be detected without deserializing
    their values.

    Jonathan Hefner

  • Make all cache stores return a boolean for #delete

    Previously the RedisCacheStore#delete would return 1 if the entry
    exists and 0 otherwise. Now it returns true if the entry


Configuration

📅 Schedule: Branch creation - "* 0-3 * * 1" in timezone Europe/Amsterdam, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Nov 25, 2024

renovate bot commented Nov 25, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Gemfile.lock
Fetching gem metadata from https://rubygems.org/........
Resolving dependencies...

Could not find compatible versions

Because jsonapi-authorization >= 3.0.2 depends on jsonapi-resources ~> 0.9.0
  and Gemfile depends on jsonapi-authorization >= 3.0.2, < 4.A,
  jsonapi-resources ~> 0.9.0 is required.
So, because Gemfile depends on jsonapi-resources ~> 0.10.7,
  version solving has failed.
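
The version-solving failure above, reproduced as an added example (not part of the Renovate output or this project's code). The two requirement strings are copied from the Bundler message; the candidate version list is constructed for illustration and is not a rubygems.org listing.

```ruby
require "rubygems"

# Constraints copied from the Bundler output above.
GEMFILE_REQ    = Gem::Requirement.new("~> 0.10.7") # jsonapi-resources, as set by this PR
TRANSITIVE_REQ = Gem::Requirement.new("~> 0.9.0")  # imposed by jsonapi-authorization >= 3.0.2

# Constructed sample versions (assumption, for illustration only).
CANDIDATES = %w[0.9.0 0.9.5 0.9.12 0.10.0 0.10.7 0.10.11 0.11.0]
             .map { |v| Gem::Version.new(v) }

# Versions from `candidates` accepted by every requirement given.
def satisfying(candidates, *requirements)
  candidates.select { |v| requirements.all? { |r| r.satisfied_by?(v) } }
end

# Half-open interval [lower, upper) described by a single "~>" requirement.
# "~> 0.9.0" means >= 0.9.0 and < 0.10; "~> 0.10.7" means >= 0.10.7 and < 0.11.
def pessimistic_range(requirement)
  pairs = requirement.requirements
  op, version = pairs.first
  unless pairs.size == 1 && op == "~>"
    raise ArgumentError, "expected exactly one ~> constraint"
  end
  [version, version.bump]
end

# True when two "~>" requirements admit at least one common version.
def ranges_overlap?(req_a, req_b)
  a_low, a_high = pessimistic_range(req_a)
  b_low, b_high = pessimistic_range(req_b)
  a_low < b_high && b_low < a_high
end

# One-line diagnosis in the spirit of the resolver's message.
def diagnose(req_a, req_b)
  a_low, a_high = pessimistic_range(req_a)
  b_low, b_high = pessimistic_range(req_b)
  verdict = ranges_overlap?(req_a, req_b) ? "compatible" : "disjoint"
  "[#{a_low}, #{a_high}) vs [#{b_low}, #{b_high}): #{verdict}"
end

if $PROGRAM_NAME == __FILE__
  puts diagnose(GEMFILE_REQ, TRANSITIVE_REQ)
  puts "Gemfile only:    #{satisfying(CANDIDATES, GEMFILE_REQ).join(', ')}"
  puts "transitive only: #{satisfying(CANDIDATES, TRANSITIVE_REQ).join(', ')}"
  puts "both:            #{satisfying(CANDIDATES, GEMFILE_REQ, TRANSITIVE_REQ).inspect}"
end
```

Because the two ranges are disjoint, no release of jsonapi-resources can satisfy both, so Gemfile.lock cannot be regenerated until one of the two constraints changes.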

@renovate renovate bot force-pushed the renovate/all-minor-patch-bundler branch 2 times, most recently from 8222db0 to a1d0cf2 Compare December 3, 2024 09:16
@renovate renovate bot force-pushed the renovate/all-minor-patch-bundler branch from a1d0cf2 to f695806 Compare December 9, 2024 10:15
@renovate renovate bot force-pushed the renovate/all-minor-patch-bundler branch from f695806 to b856523 Compare December 10, 2024 22:36

renovate bot commented Dec 13, 2024

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.


codecov bot commented Jan 14, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 99.92%. Comparing base (1bfe253) to head (b2489b2).
Report is 4 commits behind head on staging.

Additional details and impacted files
@@           Coverage Diff            @@
##           staging     #474   +/-   ##
========================================
  Coverage    99.92%   99.92%           
========================================
  Files          203      203           
  Lines         2714     2726   +12     
========================================
+ Hits          2712     2724   +12     
  Misses           2        2           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@lodewiges

still need to look into doorkeeper and carrierwave changelog
