Update dependency activerecord to v6 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
activerecord (source, changelog)	"~>5.2.6" -> "~>6.1.7", ">= 6.1.7.1"

GitHub Vulnerability Alerts

CVE-2022-44566

There is a potential denial of service vulnerability present in ActiveRecord’s PostgreSQL adapter.

This has been assigned the CVE identifier CVE-2022-44566.

Versions Affected: All. Not affected: None. Fixed Versions: 5.2.8.15 (Rails LTS, which is a paid service and not part of the rubygem), 6.1.7.1, 7.0.4.1

Impact:
In ActiveRecord <7.0.4.1 and <6.1.7.1, when a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service.
Releases

The fixed releases are available at the normal locations.
Workarounds

Ensure that user supplied input which is provided to ActiveRecord clauses do not contain integers wider than a signed 64bit representation or floats.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the supported release series in accordance with our maintenance policy 1 regarding security issues. They are in git-am format and consist of a single changeset.

6-1-Added-integer-width-check-to-PostgreSQL-Quoting.patch - Patch for 6.1 series
7-0-Added-integer-width-check-to-PostgreSQL-Quoting.patch - Patch for 7.0 series

---

Release Notes

rails/rails (activerecord)

v6.1.7.1

Compare Source

Active Support

• Avoid regex backtracking in Inflector.underscore

  [CVE-2023-22796]

Active Model

• No changes.

Active Record

• Make sanitize_as_sql_comment more strict

  Though this method was likely never meant to take user input, it was
  attempting sanitization. That sanitization could be bypassed with
  carefully crafted input.

  This commit makes the sanitization more robust by replacing any
  occurrances of "/" or "/" with "/ " or " /". It also performs a
  first pass to remove one surrounding comment to avoid compatibility
  issues for users relying on the existing removal.

  This also clarifies in the documentation of annotate that it should not
  be provided user input.

  [CVE-2023-22794]

• Added integer width check to PostgreSQL::Quoting

  Given a value outside the range for a 64bit signed integer type
  PostgreSQL will treat the column type as numeric. Comparing
  integer values against numeric values can result in a slow
  sequential scan.

  This behavior is configurable via
  ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.

  [CVE-2022-44566]

Action View

• No changes.

Action Pack

• Avoid regex backtracking on If-None-Match header

  [CVE-2023-22795]

• Use string#split instead of regex for domain parts

  [CVE-2023-22792]

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.7

Compare Source

Active Support

• No changes.

Active Model

• No changes.

Active Record

• Symbol is allowed by default for YAML columns

  Étienne Barrié

• Fix ActiveRecord::Store to serialize as a regular Hash

  Previously it would serialize as an ActiveSupport::HashWithIndifferentAccess
  which is wasteful and cause problem with YAML safe_load.

  Jean Boussier

• Fix PG.connect keyword arguments deprecation warning on ruby 2.7

  Fixes #​44307.

  Nikita Vasilevsky

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• Respect Active Record's primary_key_type in Active Storage migrations. Backported from 7.0.

  fatkodima

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.6.1: 6.1.6.1

Compare Source

Active Support

• No changes.

Active Model

• No changes.

Active Record

• Change ActiveRecord::Coders::YAMLColumn default to safe_load

  This adds two new configuration options The configuration options are as
  follows:

  • config.active_storage.use_yaml_unsafe_load

  When set to true, this configuration option tells Rails to use the old
  "unsafe" YAML loading strategy, maintaining the existing behavior but leaving
  the possible escalation vulnerability in place. Setting this option to true
  is not recommended, but can aid in upgrading.

  • config.active_record.yaml_column_permitted_classes

  The "safe YAML" loading method does not allow all classes to be deserialized
  by default. This option allows you to specify classes deemed "safe" in your
  application. For example, if your application uses Symbol and Time in
  serialized data, you can add Symbol and Time to the allowed list as follows:

  config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
  

  [CVE-2022-32224]

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.6: 6.1.6

Compare Source

Active Support

• Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

  Add the method ERB::Util.xml_name_escape to escape dangerous characters
  in names of tags and names of attributes, following the specification of XML.

  Álvaro Martín Fraguas

Active Model

• No changes.

Active Record

• No changes.

Action View

• Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

  Escape dangerous characters in names of tags and names of attributes in the
  tag helpers, following the XML specification. Rename the option
  :escape_attributes to :escape, to simplify by applying the option to the
  whole tag.

  Álvaro Martín Fraguas

Action Pack

• Allow Content Security Policy DSL to generate for API responses.

  Tim Wade

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.5.1: 6.1.5.1

Compare Source

Active Support

• Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

  Add the method ERB::Util.xml_name_escape to escape dangerous characters
  in names of tags and names of attributes, following the specification of XML.

  Álvaro Martín Fraguas

Active Model

• No changes.

Active Record

• No changes.

Action View

• Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

  Escape dangerous characters in names of tags and names of attributes in the
  tag helpers, following the XML specification. Rename the option
  :escape_attributes to :escape, to simplify by applying the option to the
  whole tag.

  Álvaro Martín Fraguas

Action Pack

• Allow Content Security Policy DSL to generate for API responses.

  Tim Wade

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Railties

• No changes.

v6.1.5: 6.1.5

Compare Source

Active Support

• Fix ActiveSupport::Duration.build to support negative values.

  The algorithm to collect the parts of the ActiveSupport::Duration
  ignored the sign of the value and accumulated incorrect part values. This
  impacted ActiveSupport::Duration#sum (which is dependent on parts) but
  not ActiveSupport::Duration#eql? (which is dependent on value).

  Caleb Buxton, Braden Staudacher

• Time#change and methods that call it (eg. Time#advance) will now
  return a Time with the timezone argument provided, if the caller was
  initialized with a timezone argument.

  Fixes #​42467.

  Alex Ghiculescu

• Clone to keep extended Logger methods for tagged logger.

  Orhan Toy

• assert_changes works on including ActiveSupport::Assertions module.

  Pedro Medeiros

Active Model

• Clear secure password cache if password is set to nil

  Before:

  user.password = 'something'
  user.password = nil

  user.password # => 'something'

  Now:

  user.password = 'something'
  user.password = nil

  user.password # => nil

  Markus Doits

• Fix delegation in ActiveModel::Type::Registry#lookup and ActiveModel::Type.lookup

  Passing a last positional argument {} would be incorrectly considered as keyword argument.

  Benoit Daloze

• Fix to_json after changes_applied for ActiveModel::Dirty object.

  Ryuta Kamizono

Active Record

• Fix ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate for Ruby 2.6.

  Ruby 2.6 and 2.7 have slightly different implementations of the String#@​- method.
  In Ruby 2.6, the receiver of the String#@​- method is modified under certain circumstances.
  This was later identified as a bug (https://bugs.ruby-lang.org/issues/15926) and only
  fixed in Ruby 2.7.

  Before the changes in this commit, the
  ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate method, which internally
  calls the String#@​- method, could also modify an input string argument in Ruby 2.6 --
  changing a tainted, unfrozen string into a tainted, frozen string.

  Fixes #​43056

  Eric O'Hanlon

• Fix migration compatibility to create SQLite references/belongs_to column as integer when
  migration version is 6.0.

  reference/belongs_to in migrations with version 6.0 were creating columns as
  bigint instead of integer for the SQLite Adapter.

  Marcelo Lauxen

• Fix dbconsole for 3-tier config.

  Eileen M. Uchitelle

• Better handle SQL queries with invalid encoding.

  Post.create(name: "broken \xC8 UTF-8")

  Would cause all adapters to fail in a non controlled way in the code
  responsible to detect write queries.

  The query is now properly passed to the database connection, which might or might
  not be able to handle it, but will either succeed or failed in a more correct way.

  Jean Boussier

• Ignore persisted in-memory records when merging target lists.

  Kevin Sjöberg

• Fix regression bug that caused ignoring additional conditions for preloading
  has_many through relations.

  Fixes #​43132

  Alexander Pauly

• Fix ActiveRecord::InternalMetadata to not be broken by
  config.active_record.record_timestamps = false

  Since the model always create the timestamp columns, it has to set them, otherwise it breaks
  various DB management tasks.

  Fixes #​42983

  Jean Boussier

• Fix duplicate active record objects on inverse_of.

  Justin Carvalho

• Fix duplicate objects stored in has many association after save.

  Fixes #​42549.

  Alex Ghiculescu

• Fix performance regression in CollectionAssocation#build.

  Alex Ghiculescu

• Fix retrieving default value for text column for MariaDB.

  fatkodima

Action View

• preload_link_tag properly inserts as attributes for files with image MIME
  types, such as JPG or SVG.

  Nate Berkopec

• Add autocomplete="off" to all generated hidden fields.

  Fixes #​42610.

  Ryan Baumann

• Fix current_page? when URL has trailing slash.

  This fixes the current_page? helper when the given URL has a trailing slash,
  and is an absolute URL or also has query params.

  Fixes #​33956.

  Jonathan Hefner

Action Pack

• Fix content_security_policy returning invalid directives.

  Directives such as self, unsafe-eval and few others were not
  single quoted when the directive was the result of calling a lambda
  returning an array.

  content_security_policy do |policy|
    policy.frame_ancestors lambda { [:self, "https://example.com"] }
  end

  With this fix the policy generated from above will now be valid.

  Edouard Chin

• Update HostAuthorization middleware to render debug info only
  when config.consider_all_requests_local is set to true.

  Also, blocked host info is always logged with level error.

  Fixes #​42813.

  Nikita Vyrko

• Dup arrays that get "converted".

  Fixes #​43681.

  Aaron Patterson

• Don't show deprecation warning for equal paths.

  Anton Rieder

• Fix crash in ActionController::Instrumentation with invalid HTTP formats.

  Fixes #​43094.

  Alex Ghiculescu

• Add fallback host for SystemTestCase driven by RackTest.

  Fixes #​42780.

  Petrik de Heus

• Add more detail about what hosts are allowed.

  Alex Ghiculescu

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• The Action Cable client now ensures successful channel subscriptions:

  • The client maintains a set of pending subscriptions until either
    the server confirms the subscription or the channel is torn down.
  • Rectifies the race condition where an unsubscribe is rapidly followed
    by a subscribe (on the same channel identifier) and the requests are
    handled out of order by the ActionCable server, thereby ignoring the
    subscribe command.

  Daniel Spinosa

• Truncate broadcast logging messages.

  J Smith

Active Storage

• Attachments can be deleted after their association is no longer defined.

  Fixes #​42514

  Don Sisco

Action Mailbox

• Add attachments to the list of permitted parameters for inbound emails conductor.

  When using the conductor to test inbound emails with attachments, this prevents an
  unpermitted parameter warning in default configurations, and prevents errors for
  applications that set:

  config.action_controller.action_on_unpermitted_parameters = :raise

  David Jones, Dana Henke

Action Text

• Fix Action Text extra trix content wrapper.

  Alexandre Ruban

Railties

• In zeitwerk mode, setup the once autoloader first, and the main autoloader after it.
  This order plays better with shared namespaces.

  Xavier Noria

• Handle paths with spaces when editing credentials.

  Alex Ghiculescu

• Support Psych 4 when loading secrets.

  Nat Morcos

v6.1.4.7: 6.1.4.7

Compare Source

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• Added image transformation validation via configurable allow-list.

  Variant now offers a configurable allow-list for
  transformation methods in addition to a configurable deny-list for arguments.

  [CVE-2022-21831]

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.4.6: 6.1.4.6

Compare Source

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Fix Reloader method signature to work with the new Executor signature

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.4.5: 6.1.4.5

Compare Source

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Under certain circumstances, the middleware isn't informed that the
  response body has been fully closed which result in request state not
  being fully reset before the next request

  [CVE-2022-23633]

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.4.4: 6.1.4.4

Compare Source

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Fix issue with host protection not allowing host with port in development.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.4.3: 6.1.4.3

Compare Source

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• Allow localhost with a port by default in development

  [Fixes: #​43864]

v6.1.4.2: 6.1.4.2

Compare Source

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Fix X_FORWARDED_HOST protection. [CVE-2021-44528]

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.4.1

Compare Source

v6.1.4: 6.1.4

Compare Source

Active Support

• MemCacheStore: convert any underlying value (including false) to an Entry.

  See #​42559.

  Alex Ghiculescu

• Fix bug in number_with_precision when using large BigDecimal values.

  Fixes #​42302.

  Federico Aldunate, Zachary Scott

• Check byte size instead of length on secure_compare.

  Tietew

• Fix Time.at to not lose :in option.

  Ryuta Kamizono

• Require a path for config.cache_store = :file_store.

  Alex Ghiculescu

• Avoid having to store complex object in the default translation file.

  Rafael Mendonça França

Active Model

• Fix to_json for ActiveModel::Dirty object.

  Exclude +mutations_from_database+ attribute from json as it lead to recursion.

  Anil Maurya

Active Record

• Do not try to rollback transactions that failed due to a ActiveRecord::TransactionRollbackError.

  Jamie McCarthy

• Raise an error if pool_config is nil in set_pool_config.

  Eileen M. Uchitelle

• Fix compatibility with psych >= 4.

  Starting in Psych 4.0.0 YAML.load behaves like YAML.safe_load. To preserve compatibility
  Active Record's schema cache loader and YAMLColumn now uses YAML.unsafe_load if available.

  Jean Boussier

• Support using replicas when using rails dbconsole.

  Christopher Thornton

• Restore connection pools after transactional tests.

  Eugene Kenny

• Change upsert_all to fails cleanly for MySQL when :unique_by is used.

  Bastian Bartmann

• Fix user-defined self.default_scope to respect table alias.

  Ryuta Kamizono

• Clear @cache_keys cache after update_all, delete_all, destroy_all.

  Ryuta Kamizono

• Changed Arel predications contains and overlaps to use
  quoted_node so that PostgreSQL arrays are quoted properly.

  Bradley Priest

• Fix merge when the where clauses have string contents.

  Ryuta Kamizono

• Fix rollback of parent destruction with nested dependent: :destroy.

  Jacopo Beschi

• Fix binds logging for "WHERE ... IN ..." statements.

  Ricardo Díaz

• Handle false in relation strict loading checks.

  Previously when a model had strict loading set to true and then had a
  relation set strict_loading to false the false wasn't considered when
  deciding whether to raise/warn about strict loading.

  class Dog < ActiveRecord::Base
    self.strict_loading_by_default = true
  
    has_many :treats, strict_loading: false
  end
  

  In the example, dog.treats would still raise even though
  strict_loading was set to false. This is a bug effecting more than
  Active Storage which is why I made this PR superceeding #​41461. We need
  to fix this for all applications since the behavior is a little
  surprising. I took the test from ##​41461 and the code suggestion from #​41453
  with some additions.

  Eileen M. Uchitelle, Radamés Roriz

• Fix numericality validator without precision.

  Ryuta Kamizono

• Fix aggregate attribute on Enum types.

  Ryuta Kamizono

• Fix CREATE INDEX statement generation for PostgreSQL.

  eltongo

• Fix where clause on enum attribute when providing array of strings.

  Ryuta Kamizono

• Fix unprepared_statement to work it when nesting.

  Ryuta Kamizono

Action View

• The translate helper now passes default values that aren't
  translation keys through I18n.translate for interpolation.

  Jonathan Hefner

• Don't attach UJS form submission handlers to Turbo forms.

  David Heinemeier Hansson

• Allow both current_page?(url_hash) and current_page?(**url_hash) on Ruby 2.7.

  Ryuta Kamizono

Action Pack

• Ignore file fixtures on db:fixtures:load

  Kevin Sjöberg

• Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.

  Dylan Thacker-Smith

• Correctly place optional path parameter booleans.

  Previously, if you specify a url parameter that is part of the path as false it would include that part
  of the path as parameter for example:

  get "(/optional/:optional_id)/things" => "foo#foo", as: :things
  things_path(optional_id: false) # => /things?optional_id=false
  

  After this change, true and false will be treated the same when used as optional path parameters. Meaning now:

  get '(this/:my_bool)/that' as: :that
  
  that_path(my_bool: true) # => `/this/true/that`
  that_path(my_bool: false) # => `/this/false/that`
  

  Adam Hess

• Add support for 'private, no-store' Cache-Control headers.

  Previously, 'no-store' was exclusive; no other directives could be specified.

  Alex Smith

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• Fix ArgumentError with ruby 3.0 on RemoteConnection#disconnect.

  Vladislav

Active Storage

• The parameters sent to ffmpeg for generating a video preview image are now
  configurable under config.active_storage.video_preview_arguments.

  Brendon Muir

• Fix Active Storage update task when running in an engine.

  Justin Malčić*

• Don't raise an error if the mime type is not recognized.

  Fixes #​41777.

  Alex Ghiculescu

• ActiveStorage::PreviewError is raised when a previewer is unable to generate a preview image.

  Alex Robbin

• respond with 404 given invalid variation key when asking for representations.

  George Claghorn

• Blob creation shouldn't crash if no service selected.

  Alex Ghiculescu

Action Mailbox

• No changes.

Action Text

• Always render attachment partials as HTML with :html format inside trix editor.

  James Brooks

Railties

• Fix compatibility with psych >= 4.

  Starting in Psych 4.0.0 YAML.load behaves like YAML.safe_load. To preserve compatibility
  Rails.application.config_for now uses YAML.unsafe_load if available.

  Jean Boussier

• Ensure Rails.application.config_for always cast hashes to ActiveSupport::OrderedOptions.

  Jean Boussier

• Fix create migration generator with --pretend option.

  euxx

v6.1.3.2: 6.1.3.2

Compare Source

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Prevent open redirects by correctly escaping the host allow list
  CVE-2021-22903

• Prevent catastrophic backtracking during mime parsing
  CVE-2021-22902

• Prevent regex DoS in HTTP token authentication
  CVE-2021-22904

• Prevent string polymorphic route arguments.

  url_for supports building polymorphic URLs via an array
  of arguments (usually symbols and records). If a developer passes a
  user input array, strings can result in unwanted route helper calls.

  CVE-2021-22885

  Gannon McGibbon

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.3.1: 6.1.3.1

Compare Source

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed mime types data.

  George Claghorn

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.3: 6.1.3

Compare Source

Active Support

• No changes.

Active Model

• No changes.

Active Record

• Fix the MySQL adapter to always set the right collation and charset
  to the connection session.

  Rafael Mendonça França

• Fix MySQL adapter handling of time objects when prepared statements
  are enabled.

  Rafael Mendonça França

• Fix scoping in enum fields using conditions that would generate
  an IN clause.

  Ryuta Kamizono

• Skip optimised #exist? query when #include? is called on a relation
  with a having clause

  Relations that have aliased select values AND a having clause that
  references an aliased select value would generate an error when
  #include? was called, due to an optimisation that would generate
  call #exists? on the relation instead, which effectively alters
  the select values of the query (and thus removes the aliased select
  values), but leaves the having clause intact. Because the having
  clause is then referencing an aliased column that is no longer
  present in the simplified query, an ActiveRecord::InvalidStatement
  error was raised.

  An sample query affected by this problem:

  Author.select('COUNT(*) as total_posts', 'authors.*')
        .joins(:posts)
        .group(:id)
        .having('total_posts > 2')
        .include?(Author.first)

  This change adds an addition check to the condition that skips the
  simplified #exists? query, which simply checks for the presence of
  a having clause.

  Fixes #​41417

  Michael Smart

• Increment postgres prepared statement counter before making a prepared statement, so if the statement is aborted
  without Rails knowledge (e.g., if app gets kill -9d during long-running query or due to Rack::Timeout), app won't end
  up in perpetual crash state for being inconsistent with Postgres.

  wbharding, Martin Tepper

Action View

• No changes.

Action Pack

• Re-define routes when not set correctly via inheritance.

  John Hawthorn

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.2.1: 6.1.2.1

Compare Source

Active Support

• No changes.

Active Model

• No changes.

Active Record

• Fix possible DoS vector in PostgreSQL money type

  Carefully crafted input can cause a DoS via the regular expressions used
  for validating the money format in the PostgreSQL adapter. This patch
  fixes the regexp.

  Thanks to @​dee-see from Hackerone for this patch!

  [CVE-2021-22880]

  Aaron Patterson

Action View

• No changes.

Action Pack

• Prevent open redirect when allowed host starts with a dot

  [CVE-2021-22881]

  Thanks to @​tktech (https://hackerone.com/tktech) for reporting this
  issue and the patch!

  Aaron Patterson

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.2: 6.1.2

Compare Source

Active Support

• ActiveSupport::Cache::MemCacheStore now accepts an explicit nil for its addresses argument.

  config.cache_store = :mem_cache_store, nil

is now equivalent to

config.cache_store = :mem_cache_store

and is also equivalent to

config.cache_store = :mem_cache_store, ENV["MEMCACHE_SERVERS"] || "localhost:11211"

which is the fallback behavior of Dalli

```

This helps those migrating from `:dalli_store`, where an explicit `nil` was permitted.

*Michael Overmeyer*

Active Model

• No changes.

Active Record

• Fix timestamp type for sqlite3.

  Eileen M. Uchitelle

• Make destroy async transactional.

  An active record rollback could occur while enqueuing a job. In this
  case the job would enqueue even though the database deletion
  rolledback putting things in a funky state.

  Now the jobs are only enqueued until after the db transaction has been committed.

  Cory Gwin

• Fix malformed packet error in MySQL statement for connection configuration.

  robinroestenburg

• Connection specification now passes the "url" key as a configuration for the
  adapter if the "url" protocol is "jdbc", "http", or "https". Previously only
  urls with the "jdbc" prefix were passed to the Active Record Adapter, others
  are assumed to be adapter specification urls.

  Fixes #​41137.

  Jonathan Bracy

• Fix granular connection swapping when there are multiple abstract classes.

  Eileen M. Uchitelle

• Fix find_by with custom primary key for belongs_to association.

  Ryuta Kamizono

• Add support for rails console --sandbox for multiple database applications.

  alpaca-tc

• Fix where on polymorphic association with empty array.

  Ryuta Kamizono

• Fix preventing writes for ApplicationRecord.

  Eileen M. Uchitelle

Action View

• No changes.

Action Pack

• Fix error in ActionController::LogSubscriber that would happen when throwing inside a controller action.

  Janko Marohnić

• Fix fixture_file_upload deprecation when file_fixture_path is a relative path.

  Eugene Kenny

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.1: 6.1.1

Compare Source

Active Support

• Change IPAddr#to_json to match the behavior of the json gem returning the string representation
  instead of the instance variables of the object.

  Before:

  IPAddr.new("127.0.0.1").to_json

=> "{"addr":2130706433,"family":2,"mask_addr":4294967295}"

```

After:

```ruby
IPAddr.new("127.0.0.1").to_json

=> ""127.0.0.1""

```

Active Model

• No changes.

Active Record

• Fix fixtures loading when strict loading is enabled for the association.

  Alex Ghiculescu

• Fix where with custom primary key for belongs_to association.

  Ryuta Kamizono

• Fix where with aliased associations.

  Ryuta Kamizono

• Fix composed_of with symbol mapping.

  Ryuta Kamizono

• Don't skip money's type cast for pluck and calculations.

  Ryuta Kamizono

• Fix where on polymorphic association with non Active Record object.

  Ryuta Kamizono

• Make sure db:prepare works even the schema file doesn't exist.

  Rafael Mendonça França

• Fix complicated has_many :through with nested where condition.

  Ryuta Kamizono

• Handle STI models for has_many dependent: :destroy_async.

  Muhammad Usman

• Restore possibility of passing false to :polymorphic option of belongs_to.

  Previously, passing false would trigger the option validation logic
  to throw an error saying :polymorphic would not be a valid option.

  glaszig

• Allow adding nonnamed expression indexes to be revertible.

  Fixes #​40732.

  Previously, the following code would raise an error, when executed while rolling back,
  and the index name should be specified explicitly. Now, the index name is inferred
  automatically.

  add_index(:items, "to_tsvector('english', description)")

  fatkodima

Action View

• Fix lazy translation in partial with block.

  Marek Kasztelnik

• Avoid extra SELECT COUNT queries when rendering Active Record collections.

  aar0nr

• Link preloading keep integrity hashes in the header.

  Étienne Barrié

• Add config.action_view.preload_links_header to allow disabling of
  the Link header being added by default when using stylesheet_link_tag
  and javascript_include_tag.

  Andrew White

• The translate helper now resolves default values when a nil key is
  specified, instead of always returning nil.

  Jonathan Hefner

Action Pack

• Fix nil translation key lookup in controllers/

  Jan Klimo

• Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.

  Alex Robbin

• Change the request method to a GET when passing failed requests down to config.exceptions_app.

  Alex Robbin

Active Job

• Make retry_job return the job that was created.

  Rafael Mendonça França

• Include ActiveSupport::Testing::Assertions in ActiveJob::TestHelpers.

  Mikkel Malmberg

Action Mailer

• Sets default mailer queue to "default" in the mail assertions.

  Paul Keen

Action Cable

• No changes.

Active Storage

• Fix S3 multipart uploads when threshold is larger than file.

  Matt Muller

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• Allow spaces in path to Yarn binstub and only run on precompile if needed.

  Markus Doits

• Populate ARGV for app template.

  Fixes #​40945.

  Jonathan Hefner

v6.1.0: 6.1.0

Compare Source

Active Support

• Ensure MemoryStore disables compression by default. Reverts behavior of
  MemoryStore to its prior rails 5.1 behavior.

  Max Gurewitz

• Calling iso8601 on negative durations retains the negative sign on individual
  digits instead of prepending it.

  This change is required so we can interoperate with PostgreSQL, which prefers
  negative signs for each component.

  Compatibility with other iso8601 parsers which support leading negatives as well
  as negatives per component is still retained.

  Before:

  (-1.year - 1.day).iso8601
  

=> "-P1Y1D"

After:

    (-1.year - 1.day).iso8601

=> "P-1Y-1D"

*Vipul A M*

• Remove deprecated ActiveSupport::Notifications::Instrumenter#end=.

  Rafael Mendonça França

• Deprecate ActiveSupport::Multibyte::Unicode.default_normalization_form.

  Rafael Mendonça França

• Remove deprecated ActiveSupport::Multibyte::Unicode.pack_graphemes,
  ActiveSupport::Multibyte::Unicode.unpack_graphemes,
  ActiveSupport::Multibyte::Unicode.normalize,
  ActiveSupport::Multibyte::Unicode.downcase,
  ActiveSupport::Multibyte::Unicode.upcase and ActiveSupport::Multibyte::Unicode.swapcase.

  Rafael Mendonça França

• Remove deprecated ActiveSupport::Multibyte::Chars#consumes? and ActiveSupport::Multibyte::Chars#normalize.

  Rafael Mendonça França

• Remove deprecated file active_support/core_ext/range/include_range.

  Rafael Mendonça França

• Remove deprecated file active_support/core_ext/hash/transform_values.

  Rafael Mendonça França

• Remove deprecated file active_support/core_ext/hash/compact.

  Rafael Mendonça França

• Remove deprecated file active_support/core_ext/array/prepend_and_append.

  Rafael Mendonça França

• Remove deprecated file active_support/core_ext/numeric/inquiry.

  Rafael Mendonça França

• Remove deprecated file active_support/core_ext/module/reachable.

  Rafael Mendonça França

• Remove deprecated Module#parent_name, Module#parent and Module#parents.

  Rafael Mendonça França

• Remove deprecated ActiveSupport::LoggerThreadSafeLevel#after_initialize.

  Rafael Mendonça França

• Remove deprecated LoggerSilence constant.

  Rafael Mendonça França

• Remove deprecated fallback to I18n.default_local when config.i18n.fallbacks is empty.

  Rafael Mendonça França

• Remove entries from local cache on RedisCacheStore#delete_matched

  Fixes #​38627

  ojab

• Speed up ActiveSupport::SecurityUtils.fixed_length_secure_compare by using
  OpenSSL.fixed_length_secure_compare, if available.

  Nate Matykiewicz

• ActiveSupport::Cache::MemCacheStore now checks ENV["MEMCACHE_SERVERS"] before falling back to "localhost:11211" if configured without any addresses.

  config.cache_store = :mem_cache_store

is now equivalent to

config.cache_store = :mem_cache_store, ENV["MEMCACHE_SERVERS"] || "localhost:11211"

instead of

config.cache_store = :mem_cache_store, "localhost:11211" # ignores ENV["MEMCACHE_SERVERS"]
```

*Sam Bostock*

• ActiveSupport::Subscriber#attach_to now accepts an inherit_all: argument. When set to true,
  it allows a subscriber to receive events for methods defined in the subscriber's ancestor class(es).

  class ActionControllerSubscriber < ActiveSupport::Subscriber
    attach_to :action_controller
  
    def start_processing(event)
      info "Processing by #{event.payload[:controller]}##{event.payload[:action]} as #{format}"
    end
  
    def redirect_to(event)
      info { "Redirected to #{event.payload[:location]}" }
    end
  end

We detach ActionControllerSubscriber from the :action_controller namespace so that our CustomActionControllerSubscriber

can provide its own instrumentation for certain events in the namespace

ActionControllerSubscriber.detach_from(:action_controller)

class CustomActionControllerSubscriber < ActionControllerSubscriber
  attach_to :action_controller, inherit_all: true

  def start_processing(event)
    info "A custom response to start_processing events"
  end

=> CustomActionControllerSubscriber will process events for "start_processing.action_controller" notifications

using its own #start_processing implementation, while retaining ActionControllerSubscriber's instrumentation

for "redirect_to.action_controller" notifications

end
```

*Adrianna Chang*

• Allow the digest class used to generate non-sensitive digests to be configured with config.active_support.hash_digest_class.

  config.active_support.use_sha1_digests is deprecated in favour of config.active_support.hash_digest_class = ::Digest::SHA1.

  Dirkjan Bussink

• Fix bug to make memcached write_entry expire correctly with unless_exist

  Jye Lee

• Add ActiveSupport::Duration conversion methods

  in_seconds, in_minutes, in_hours, in_days, in_weeks, in_months, and in_years return the respective duration covered.

  Jason York

• Fixed issue in ActiveSupport::Cache::RedisCacheStore not passing options
  to read_multi causing fetch_multi to not work properly

  Rajesh Sharma

• Fixed issue in ActiveSupport::Cache::MemCacheStore which caused duplicate compression,
  and caused the provided compression_threshold to not be respected.

  Max Gurewitz

• Prevent RedisCacheStore and MemCacheStore from performing compression
  when reading entries written with raw: true.

  Max Gurewitz

• URI.parser is deprecated and will be removed in Rails 6.2. Use
  URI::DEFAULT_PARSER instead.

  Jean Boussier

• require_dependency has been documented to be obsolete in :zeitwerk
  mode. The method is not deprecated as such (yet), but applications are
  encouraged to not use it.

  In :zeitwerk mode, semantics match Ruby's and you do not need to be
  defensive with load order. Just refer to classes and modules normally. If
  the constant name is dynamic, camelize if needed, and constantize.

  Xavier Noria

• Add 3rd person aliases of Symbol#start_with? and Symbol#end_with?.

  :foo.starts_with?("f") # => true
  :foo.ends_with?("o")   # => true

  Ryuta Kamizono

• Add override of unary plus for ActiveSupport::Duration.

  + 1.second is now identical to +1.second to prevent errors
  where a seemingly innocent change of formatting leads to a change in the code behavior.

  Before:

  +1.second.class

=> ActiveSupport::Duration

(+ 1.second).class

=> Integer

```

After:
```ruby
+1.second.class

=> ActiveSupport::Duration

(+ 1.second).class

=> ActiveSupport::Duration

```

Fixes #​39079.

*Roman Kushnir*

• Add subsec to ActiveSupport::TimeWithZone#inspect.

  Before:

  Time.at(1498099140).in_time_zone.inspect
  

=> "Thu, 22 Jun 2017 02:39:00 UTC +00:00"

    Time.at(1498099140, 123456780, :nsec).in_time_zone.inspect

=> "Thu, 22 Jun 2017 02:39:00 UTC +00:00"

    Time.at(1498099140 + Rational("1/3")).in_time_zone.inspect

=> "Thu, 22 Jun 2017 02:39:00 UTC +00:00"

After:

    Time.at(1498099140).in_time_zone.inspect

=> "Thu, 22 Jun 2017 02:39:00.000000000 UTC +00:00"

    Time.at(1498099140, 123456780, :nsec).in_time_zone.inspect

=> "Thu, 22 Jun 2017 02:39:00.123456780 UTC +00:00"

    Time.at(1498099140 + Rational("1/3")).in_time_zone.inspect

=> "Thu, 22 Jun 2017 02:39:00.333333333 UTC +00:00"

*akinomaeni*

• Calling ActiveSupport::TaggedLogging#tagged without a block now returns a tagged logger.

  logger.tagged("BCX").info("Funky time!") # => [BCX] Funky time!

  Eugene Kenny

• Align Range#cover? extension behavior with Ruby behavior for backwards ranges.

  (1..10).cover?(5..3) now returns false, as it does in plain Ruby.

  Also update #include? and #=== behavior to match.

  Michael Groeneman

• Update to TZInfo v2.0.0.

  This changes the output of ActiveSupport::TimeZone.utc_to_local, but
  can be controlled with the
  ActiveSupport.utc_to_local_returns_utc_offset_times config.

  New Rails 6.1 apps have it enabled by default, existing apps can upgrade
  via the config in config/initializers/new_framework_defaults_6_1.rb

  See the utc_to_local_returns_utc_offset_times documentation for details.

  Phil Ross, Jared Beck

• Add Date and Time #yesterday? and #tomorrow? alongside #today?.

  Aliased to #prev_day? and #next_day? to match the existing #prev/next_day methods.

  Jatin Dhankhar

• Add Enumerable#pick to complement ActiveRecord::Relation#pick.

  Eugene Kenny

• [Breaking change] ActiveSupport::Callbacks#halted_callback_hook now receive a 2nd argument:

  ActiveSupport::Callbacks#halted_callback_hook now receive the name of the callback
  being halted as second argument.
  This change will allow you to differentiate which callbacks halted the chain
  and act accordingly.

    class Book < ApplicationRecord
      before_save { throw(:abort) }
      before_create { throw(:abort) }
  
      def halted_callback_hook(filter, callback_name)
        Rails.logger.info("Book couldn't be #{callback_name}d")
      end
  
      Book.create # => "Book couldn't be created"
      book.save # => "Book couldn't be saved"
    end

  Edouard Chin

• Support prepend with ActiveSupport::Concern.

  Allows a module with extend ActiveSupport::Concern to be prepended.

  module Imposter
    extend ActiveSupport::Concern
  

Same as included, except only run when prepended.

      prepended do
      end
    end

    class Person
      prepend Imposter
    end

Class methods are prepended to the base class, concerning is also
updated: `concerning :Imposter, prepend: true do`.

*Jason Karns*, *Elia Schito*

• Deprecate using Range#include? method to check the inclusion of a value
  in a date time range. It is recommended to use Range#cover? method
  instead of Range#include? to check the inclusion of a value
  in a date time range.

  Vishal Telangre

• Support added for a round_mode parameter, in all number helpers. (See: BigDecimal::mode.)

  number_to_currency(1234567890.50, precision: 0, round_mode: :half_down) # => "$1,234,567,890"
  number_to_percentage(302.24398923423, precision: 5, round_mode: :down) # => "302.24398%"
  number_to_rounded(389.32314, precision: 0, round_mode: :ceil) # => "390"
  number_to_human_size(483989, precision: 2, round_mode: :up) # => "480 KB"
  number_to_human(489939, precision: 2, round_mode: :floor) # => "480 Thousand"
  
  485000.to_s(:human, precision: 2, round_mode: :half_even) # => "480 Thousand"

  Tom Lord

• Array#to_sentence no longer returns a frozen string.

  Before:

  ['one', 'two'].to_sentence.frozen?
  

=> true

After:

    ['one', 'two'].to_sentence.frozen?

=> false

*Nicolas Dular*

• When an instance of ActiveSupport::Duration is converted to an iso8601 duration string, if weeks are mixed with date parts, the week part will be converted to days.
  This keeps the parser and serializer on the same page.

  duration = ActiveSupport::Duration.build(1000000)

1 week, 4 days, 13 hours, 46 minutes, and 40.0 seconds

duration_iso = duration.iso8601

P11DT13H46M40S

ActiveSupport::Duration.parse(duration_iso)

11 days, 13 hours, 46 minutes, and 40 seconds

duration = ActiveSupport::Duration.build(604800)

1 week

duration_iso = duration.iso8601

P1W

ActiveSupport::Duration.parse(duration_iso)

1 week

```

*Abhishek Sarkar*

• Add block support to ActiveSupport::Testing::TimeHelpers#travel_back.

  Tim Masliuchenko

• Update ActiveSupport::Messages::Metadata#fresh? to work for cookies with expiry set when
  ActiveSupport.parse_json_times = true.

  Christian Gregg

• Support symbolic links for content_path in ActiveSupport::EncryptedFile.

  Takumi Shotoku

• Improve Range#===, Range#include?, and Range#cover? to work with beginless (startless)
  and endless range targets.

  Allen Hsu, Andrew Hodgkinson

• Don't use Process#clock_gettime(CLOCK_THREAD_CPUTIME_ID) on Solaris.

  Iain Beeston

• Prevent ActiveSupport::Duration.build(value) from creating instances of
  ActiveSupport::Duration unless value is of type Numeric.

  Addresses the errant set of behaviours described in #​37012 where
  ActiveSupport::Duration comparisons would fail confusingly
  or return unexpected results when comparing durations built from instances of String.

  Before:

  small_duration_from_string = ActiveSupport::Duration.build('9')
  large_duration_from_string = ActiveSupport::Duration.build('100000000000000')
  small_duration_from_int = ActiveSupport::Duration.build(9)
  
  large_duration_from_string > small_duration_from_string
  

=> false

    small_duration_from_string == small_duration_from_int

=> false

    small_duration_from_int < large_duration_from_string

=> ArgumentError (comparison of ActiveSupport::Duration::Scalar with ActiveSupport::Duration failed)

    large_duration_from_string > small_duration_from_int

=> ArgumentError (comparison of String with ActiveSupport::Duration failed)

After:

    small_duration_from_string = ActiveSupport::Duration.build('9')

=> TypeError (can't build an ActiveSupport::Duration from a String)

*Alexei Emam*

• Add ActiveSupport::Cache::Store#delete_multi method to delete multiple keys from the cache store.

  Peter Zhu

• Support multiple arguments in HashWithIndifferentAccess for merge and update methods, to
  follow Ruby 2.6 addition.

  Wojciech Wnętrzak

• Allow initializing thread_mattr_* attributes via :default option.

  class Scraper
    thread_mattr_reader :client, default: Api::Client.new
  end
  

  Guilherme Mansur

• Add compact_blank for those times when you want to remove #blank? values from
  an Enumerable (also compact_blank! on Hash, Array, ActionController::Parameters).

  Dana Sherson

• Make ActiveSupport::Logger Fiber-safe.

  Use Fiber.current.__id__ in ActiveSupport::Logger#local_level= in order
  to make log level local to Ruby Fibers in addition to Threads.

  Example:

  logger = ActiveSupport::Logger.new(STDOUT)
  logger.level = 1
  puts "Main is debug? #{logger.debug?}"
  
  Fiber.new {
    logger.local_level = 0
    puts "Thread is debug? #{logger.debug?}"
  }.resume
  
  puts "Main is debug? #{logger.debug?}"
  

  Before:

  Main is debug? false
  Thread is debug? true
  Main is debug? true
  

  After:

  Main is debug? false
  Thread is debug? true
  Main is debug? false
  

  Fixes #​36752.

  Alexander Varnin

• Allow the on_rotation proc used when decrypting/verifying a message to be
  passed at the constructor level.

  Before:

  crypt = ActiveSupport::MessageEncryptor.new('long_secret')
  crypt.decrypt_and_verify(encrypted_message, on_rotation: proc { ... })
  crypt.decrypt_and_verify(another_encrypted_message, on_rotation: proc { ... })
  

  After:

  crypt = ActiveSupport::MessageEncryptor.new('long_secret', on_rotation: proc { ... })
  crypt.decrypt_and_verify(encrypted_message)
  crypt.decrypt_and_verify(another_encrypted_message)
  

  Edouard Chin

• delegate_missing_to would raise a DelegationError if the object
  delegated to was nil. Now the allow_nil option has been added to enable
  the user to specify they want nil returned in this case.

  Matthew Tanous

• truncate would return the original string if it was too short to be truncated
  and a frozen string if it were long enough to be truncated. Now truncate will
  consistently return an unfrozen string regardless. This behavior is consistent
  with gsub and strip.

  Before:

  'foobar'.truncate(5).frozen?
  

=> true

    'foobar'.truncate(6).frozen?

=> false

After:

    'foobar'.truncate(5).frozen?

=> false

    'foobar'.truncate(6).frozen?

=> false

*Jordan Thomas*

Active Model

• Pass in base instead of base_class to Error.human_attribute_name

  This is useful in cases where the human_attribute_name method depends
  on other attributes' values of the class under validation to derive what the
  attribute name should be.

  Filipe Sabella

• Deprecate marshalling load from legacy attributes format.

  Ryuta Kamizono

• *_previously_changed? accepts :from and :to keyword arguments like *_changed?.

  topic.update!(status: :archived)
  topic.status_previously_changed?(from: "active", to: "archived")
  

=> true

*George Claghorn*

• Raise FrozenError when trying to write attributes that aren't backed by the database on an object that is frozen:

  class Animal
    include ActiveModel::Attributes
    attribute :age
  end
  
  animal = Animal.new
  animal.freeze
  animal.age = 25 # => FrozenError, "can't modify a frozen Animal"
  

  Josh Brody

• Add *_previously_was attribute methods when dirty tracking. Example:

  pirate.update(catchphrase: "Ahoy!")
  pirate.previous_changes["catchphrase"] # => ["Thar She Blows!", "Ahoy!"]
  pirate.catchphrase_previously_was # => "Thar She Blows!"
  

  DHH

• Encapsulate each validation error as an Error object.

  The ActiveModel’s errors collection is now an array of these Error
  objects, instead of messages/details h

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[miq-bot]

Checked commit fa8d9f6 with ruby 2.7.8, rubocop 1.56.3, haml-lint 0.51.0, and yamllint
1 file checked, 0 offenses detected
Everything looks fine. 🍰

[agrare]

This is here to specifically test various versions of activerecord/rails

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 6.x releases. But if you manually upgrade to 6.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.