
🚨 [security] Update railties 7.2.2.1 → 8.0.2 (major) #784

Open
depfu[bot] wants to merge 2 commits into develop from depfu/update/group/rails-8.0.2

Conversation


@depfu depfu Bot commented May 30, 2025

👉 This PR is queued up to get rebased by Depfu


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ railties (7.2.2.1 → 8.0.2) · Repo · Changelog

Release Notes

8.0.1 (from changelog)

  • Skip generation system tests related code for CI when --skip-system-test is given.

    fatkodima

  • Don't add bin/thrust if thruster is not in Gemfile.

    Étienne Barrié

  • Don't install a package for system test when applications don't use it.

    y-yagi

8.0.0.1 (from changelog)

  • No changes.

8.0.0 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ activemodel (7.2.2.1 → 8.0.2) · Repo · Changelog

Release Notes

8.0.1 (from changelog)

  • No changes.

8.0.0.1 (from changelog)

  • No changes.

8.0.0 (from changelog)

  • No changes.


✳️ activerecord (7.2.2.1 → 8.0.2) · Repo · Changelog

Release Notes

8.0.1 (from changelog)

  • Fix removing foreign keys with :restrict action for MySQL.

    fatkodima

  • Fix a race condition in ActiveRecord::Base#method_missing when lazily defining attributes.

    If multiple threads were concurrently triggering attribute definition on the same model, it could result in a NoMethodError being raised.

    Jean Boussier

  • Fix MySQL default functions getting dropped when changing a column's nullability.

    Bastian Bartmann

  • Fix add_unique_constraint/add_check_constraint/add_foreign_key to be revertible when given invalid options.

    fatkodima

  • Fix asynchronous destroying of polymorphic belongs_to associations.

    fatkodima

  • Fix insert_all to not update existing records.

    fatkodima

  • NOT VALID constraints should not dump in create_table.

    Ryuta Kamizono

  • Fix finding by nil composite primary key association.

    fatkodima

  • Properly reset composite primary key configuration when setting a primary key.

    fatkodima

  • Fix Mysql2Adapter support for prepared statements

    Using prepared statements with MySQL could result in a NoMethodError exception.

    Jean Boussier, Leo Arnold, zzak

  • Fix parsing of SQLite foreign key names when they contain non-ASCII characters

    Zacharias Knudsen

  • Fix parsing of MySQL 8.0.16+ CHECK constraints when they contain new lines.

    Steve Hill

  • Ensure normalized attribute queries use IS NULL consistently for nil and normalized nil values.

    Joshua Young

  • Fix sum when performing a grouped calculation.

    User.group(:friendly).sum no longer worked. This is fixed.

    Edouard Chin

  • Restore back the ability to pass only database name to DATABASE_URL.

    fatkodima

8.0.0.1 (from changelog)

  • No changes.

8.0.0 (from changelog)

  • Fix support for query_cache: false in database.yml.

    query_cache: false would no longer entirely disable the Active Record query cache.

    zzak


✳️ activesupport (7.2.2.1 → 8.0.2) · Repo · Changelog

Release Notes

8.0.1 (from changelog)

  • Fix a bug in ERB::Util.tokenize that causes incorrect tokenization when ERB tags are preceded by multibyte characters.

    Martin Emde

  • Restore the ability to decorate methods generated by class_attribute.

    It has always been complicated to use Module#prepend or an alias method chain to decorate methods defined by class_attribute, but it became even harder in 8.0.

    This capability is now supported for both reader and writer methods.

    Jean Boussier

8.0.0.1 (from changelog)

  • No changes.

8.0.0 (from changelog)

  • No changes.


↗️ actionpack (indirect, 7.2.2.1 → 8.0.2) · Repo · Changelog

Security Advisories 🚨

🚨 Possible Content Security Policy bypass in Action Dispatch

There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.

Impact

Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases

The fixed releases are available at the normal locations.

Workarounds

Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits

Thanks to ryotak for the report!

Release Notes

8.0.1 (from changelog)

  • Add ActionDispatch::Request::Session#store method to conform Rack spec.

    Yaroslav

8.0.0.1 (from changelog)

  • Add validation to content security policies to disallow spaces and semicolons. Developers should use multiple arguments, and different directive methods instead.

    [CVE-2024-54133]

    Gannon McGibbon

8.0.0 (from changelog)

  • No changes.


↗️ actionview (indirect, 7.2.2.1 → 8.0.2) · Repo · Changelog

Release Notes

8.0.1 (from changelog)

  • Fix a crash in ERB template error highlighting when the error occurs on a line in the compiled template that is past the end of the source template.

    Martin Emde

  • Improve reliability of ERB template error highlighting. Fix infinite loops and crashes in highlighting and improve tolerance for alternate ERB handlers.

    Martin Emde

8.0.0.1 (from changelog)

  • No changes.

8.0.0 (from changelog)

  • No changes.


↗️ base64 (indirect, 0.2.0 → 0.3.0) · Repo


↗️ benchmark (indirect, 0.4.0 → 0.4.1) · Repo


↗️ bigdecimal (indirect, 3.1.9 → 3.2.0) · Repo · Changelog

Release Notes

3.2.0

What's Changed

  • Fix spec NoMethodError message for .allocator on truffle Ruby by @mrzasa in #313
  • Remove outdated BigMath.atan document that refers to convergence by @tompng in #318
  • Add a precision assertion to BigMath test by @tompng in #316
  • Use Ractor#value as Ractor#take is removed by @ko1 in #327
  • Indent multiline call-seq comment by @tompng in #311
  • Integrate BigDecimal_div and BigDecimal_div2 by @tompng in #329
  • Fix division rounding by @tompng in #330

Full Changelog: v3.1.9...v3.2.0


↗️ drb (indirect, 2.2.1 → 2.2.3) · Repo · Changelog

Release Notes

2.2.3

Improvement

  • Added support for "Changelog" link in RubyGems.org page.

    • GH-30
    • Patch by Mark Young
  • Dropped ObjectSpace._id2ref dependency because ObjectSpace._id2ref is deprecated. Drb::WeakIdConv is meaningless by this. So it's deprecated. Use the default ID converter instead.

Fixes

  • SSL: Fixed wrong certificate version.

Thanks

  • Mark Young


↗️ irb (indirect, 1.15.1 → 1.15.2) · Repo

Release Notes

1.15.2

What's Changed

📚 Documentation

  • (docs) Document the keys for completion by @andyw8 in #1082

Full Changelog: v1.15.1...v1.15.2


↗️ logger (indirect, 1.6.6 → 1.7.0) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ loofah (indirect, 2.24.0 → 2.24.1) · Repo · Changelog

Release Notes

2.24.1

2.24.1 / 2025-05-12

Ruby support

  • Import only what's needed from cgi for support for Ruby 3.5 #296 @Earlopain


↗️ mini_portile2 (indirect, 2.8.8 → 2.8.9) · Repo · Changelog

Release Notes

2.8.9

2.8.9 / 2025-05-12

Ruby support

  • Import only what's needed from cgi, for supporting Ruby 3.5. #160 @Earlopain

Full Changelog: v2.8.8...v2.8.9


↗️ psych (indirect, 5.2.3 → 5.2.6) · Repo · Changelog

Release Notes

5.2.6

What's Changed

  • Fix dumping StringIO (and potentially others) on Ruby <= 2.7 by @Earlopain in #729

Full Changelog: v5.2.5...v5.2.6

5.2.5

What's Changed

  • Fix loading/parsing regular expressions with forward slashes by @mamhoff in #715
  • Data object encoding by @nevans in #692
  • Fix error in @dispatch_cache default value by @srawlins in #188
  • Ensure to remove the test constants by @nobu in #727
  • Refine Ruby 3.5 Set support. by @byroot in #728
  • Adding safe_load_stream: a ( nearly ) equivalent to load_stream, but safe by @OrenGitHub in #724

Full Changelog: v5.2.4...v5.2.5

5.2.4

Full Changelog: v5.2.3...v5.2.4


↗️ rack (indirect, 3.1.14 → 3.1.15) · Repo · Changelog

Release Notes

3.1.15 (from changelog)


↗️ rails-dom-testing (indirect, 2.2.0 → 2.3.0) · Repo · Changelog

Release Notes

2.3.0

What's Changed

  • Add assert_not_dom, refute_dom, assert_not_select, refute_select & refute_dom_equal by @joshuay03 in #113
  • Raise an error when given a block with a 0 element assertion by @joshuay03 in #116
  • Raise an error when provided an invalid Range, or invalid :minimum and :maximum by @joshuay03 in #115
  • assert_dom :text collapses whitespace by @jyeharry in #123

Full Changelog: v2.2.0...v2.3.0


↗️ rake (indirect, 13.2.1 → 13.3.0) · Repo · Changelog


↗️ rdoc (indirect, 6.13.0 → 6.14.0) · Repo · Changelog

Release Notes

6.14.0

What's Changed

✨ Enhancements

  • Add support for canonical URL link tag by @p8 in #1354
  • Set language in HTML by @p8 in #1361

Full Changelog: v6.13.1...v6.14.0

6.13.1

What's Changed

✨ Enhancements

  • Allow customizing path prefix through options by @st0012 in #1330

Full Changelog: v6.13.0...v6.13.1


↗️ reline (indirect, 0.6.0 → 0.6.1) · Repo

Release Notes

0.6.1

What's Changed

✨ Enhancements

  • Support inserting C-c C-z C-\ with quoted_insert by @tompng in #798
  • Enter newline if cursor position is middle of input by @ima1zumi in #802
  • Update to Unicode 16.0.0 by @ima1zumi in #803

πŸ› Bug Fixes

  • Fix bracketed paste and scrolling bug by @tompng in #801

🛠 Other Changes

  • Fix typos in comment by @ydah in #796
  • test_tty_ambiguous_width: Use Reline.test_rubybin by @sorah in #797
  • Refactor handling key in LineEditor by @tompng in #799
  • Refactor utf-8 strings and invalid strings in test code by @tompng in #800
  • Fix typo: marco -> macro by @kaibadash in #806
  • Fix CI for Ruby 2.7 by @ima1zumi in #807
  • Migration for bundled gems by @hsbt in #811
  • Add gem readline to Gemfile to fix failing ci jobs: readline by @tompng in #810
  • Remove ruby-core workflow by @tompng in #812
  • Remove unused constant CAPNAME_KEY_BINDINGS by @tompng in #808
  • Refactor undo redo by @tompng in #809
  • Reject directory from Gem::Specification#files by @hsbt in #813
  • Use Relin::ANSI's buffer instead of calling STDIN.ungetc by @tompng in #815
  • Fix typo by @ima1zumi in #817
  • Add gem fiddle to Gemfile (Only used in windows) by @tompng in #818
  • Basic setup for Reline's official documentation website by @st0012 in #820
  • Bump version to 0.6.1 by @tompng in #823

Full Changelog: v0.6.0...v0.6.1


↗️ stringio (indirect, 3.1.5 → 3.1.7) · Repo · Changelog

Release Notes

3.1.7

Improvements

  • CRuby: Added support for rb_io_mode_t that will be introduced in Ruby 3.5 or later.
    • GH-129
    • Patch by Samuel Williams

Thanks

  • Samuel Williams

3.1.6

Fixes

  • CRuby: Fix SEGV at unget to a null device StringIO
  • JRuby:
    • Fix NullPointerException at unget to a null device StringIO
    • Use proper checkEncoding signature
    • Update strioWrite logic to match CRuby
    • GH-124


↗️ zeitwerk (indirect, 2.6.18 → 2.7.3) · Repo · Changelog

Release Notes

2.7.3 (from changelog)

  • The helper Zeitwerk::Loader#cpath_expected_at did not work correctly if the inflector had logic that relied on the absolute path of the given file or directory. This has been fixed.

    This bug was found by Codex.

  • Perpetual internal work.

2.7.2 (from changelog)

  • Internal improvements and micro-optimizations.

  • Add stable TruffleRuby to CI.

2.7.1 (from changelog)

  • Micro-optimization in a hot path.

  • Raises Zeitwerk::Error if an autoloaded constant expected to represent a namespace does not store a class or module object.

  • Adds truffleruby-head to CI, except for autoloading thread-safety (see why in oracle/truffleruby#2431).

2.7.0 (from changelog)

  • Explicit namespaces can now also be defined using constant assignments.

    While constant assignments like

    # coordinates.rb

    Coordinates = Data.define(:x, :y)

    worked for most objects, they did not for classes and modules that were also namespaces (i.e., those defined by a file and matching subdirectories). In such cases, their child constants could not be autoloaded.

    This limitation has been removed.

  • TracePoint is no longer used.

  • Requires Ruby 3.2 or later.

    Gems that work with previous versions of Zeitwerk also work with this one. If they support Ruby versions older than 3.2 they can specify a relaxed version constraint for Zeitwerk like "~> 2.6", for example.

    In client projects, Bundler takes the Ruby requirement into account when resolving dependencies, so Gemfile.lock will get one compatible with the Ruby version being used.


🆕 erb (added, 5.0.1)

🆕 uri (added, 1.0.3)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu cancel merge: Cancels automatic merging of this PR
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)
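The Action Dispatch advisory in the Depfu report above describes untrusted source values injecting new CSP directives, and the actionpack 8.0.0.1 entry says the fix rejects spaces and semicolons. The following Ruby is an added example, not Rails' own code, showing that same guard applied before a value is concatenated into a Content-Security-Policy header; the helper names validate_csp_token and build_csp_header and the sample inputs are constructed for this illustration.

```ruby
# Added example (not part of Rails or this PR): guard CSP source values the
# way the actionpack 8.0.0.1 changelog entry describes, by rejecting any
# token that contains whitespace or ";" before it is joined into the header.
#
# Why these two characters: in a CSP header value, ";" separates directives
# and whitespace separates the sources inside one directive, so a value that
# contains either would terminate the directive it is meant to belong to.

CSP_FORBIDDEN = /[;\s]/

# Returns the token unchanged when it is safe to embed as a single CSP token,
# otherwise raises ArgumentError. Applied to directive names and sources alike.
# (Hypothetical helper name, chosen for this example.)
def validate_csp_token(value)
  value = value.to_s
  if value.empty? || value.match?(CSP_FORBIDDEN)
    raise ArgumentError, "CSP token must be non-empty and contain no ';' or whitespace: #{value.inspect}"
  end
  value
end

# Builds a Content-Security-Policy header value from a Hash of
# directive name => Array of sources, validating every token on the way.
# (Hypothetical helper name, chosen for this example.)
def build_csp_header(directives)
  directives.map do |name, sources|
    tokens = Array(sources).map { |s| validate_csp_token(s) }
    "#{validate_csp_token(name)} #{tokens.join(' ')}"
  end.join("; ")
end

# Constructed inputs: one well-formed origin, and one that carries a
# directive separator as an unvalidated request parameter might.
SAFE_ORIGIN = "https://cdn.example.test"
UNSAFE_INPUT = "https://cdn.example.test; img-src *"

# True when the value is refused rather than embedded into the header.
def rejects_unsafe_source?(value)
  validate_csp_token(value)
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts build_csp_header("default-src" => ["'self'"], "script-src" => ["'self'", SAFE_ORIGIN])
  puts "unsafe input rejected: #{rejects_unsafe_source?(UNSAFE_INPUT)}"
end
```

Rails 8.0.0.1 and later perform this validation inside the content_security_policy helper itself; the check here is the same idea applied at the point where application code would otherwise interpolate untrusted input.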

@depfu depfu Bot added dependencies Pull requests that update a dependency file Technical Debt Technical Debt labels May 30, 2025
harrietc52 commented Jul 1, 2025

@depfu rebase

@harrietc52 harrietc52 self-assigned this Jul 1, 2025
codecov Bot commented Aug 4, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.85%. Comparing base (252be3f) to head (a90423d).
⚠️ Report is 91 commits behind head on develop.

Additional details and impacted files
@@             Coverage Diff             @@
##           develop     #784      +/-   ##
===========================================
- Coverage    97.85%   97.85%   -0.01%     
===========================================
  Files           74       73       -1     
  Lines         1633     1632       -1     
===========================================
- Hits          1598     1597       -1     
  Misses          35       35              
Flag          Coverage Δ
pull_request  97.85% <ø> (?)
push          97.85% <ø> (-0.01%) ⬇️
ruby          97.85% <ø> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

