[Snyk] Upgrade @rails/activestorage from 6.1.7 to 7.0.4 #80

Open

wants to merge 1 commit into base: master from

Conversation

rubarb666
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to upgrade @rails/activestorage from 6.1.7 to 7.0.4.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


Warning: This is a major version upgrade, and may be a breaking change.

  • The recommended version is 15 versions ahead of your current version.
  • The recommended version was released a month ago, on 2022-09-09.
Release notes
Package name: @rails/activestorage
  • 7.0.4 - 2022-09-09

    Active Support

    • Redis cache store is now compatible with redis-rb 5.0.

      Jean Boussier

    • Fix NoMethodError on custom ActiveSupport::Deprecation behavior.

      ActiveSupport::Deprecation.behavior= was supposed to accept any object
      that responds to call, but in fact its internal implementation assumed that
      this object could respond to arity, so it was restricted to only Proc objects.

      This change removes this arity restriction of custom behaviors.

      Ryo Nakamura

    Active Model

    • Handle name clashes in attribute methods code generation cache.

      When two distinct attribute methods would generate similar names,
      the first implementation would be incorrectly re-used.

      class A
        attribute_method_suffix "_changed?"
        define_attribute_methods :x
      end

      class B
        attribute_method_suffix "?"
        define_attribute_methods :x_changed
      end

      Jean Boussier

    Active Record

    • Symbol is allowed by default for YAML columns

      Étienne Barrié

    • Fix ActiveRecord::Store to serialize as a regular Hash

      Previously it would serialize as an ActiveSupport::HashWithIndifferentAccess
      which is wasteful and causes problems with YAML safe_load.

      Jean Boussier

    • Add timestamptz as a time zone aware type for PostgreSQL

      This is required for correctly parsing timestamp with time zone values in your database.

      If you don't want this, you can opt out by adding this initializer:

      ActiveRecord::Base.time_zone_aware_types -= [:timestamptz]

      Alex Ghiculescu

    • Fix supporting timezone awareness for tsrange and tstzrange array columns.

      # In database migrations
      add_column :shops, :open_hours, :tsrange, array: true
      # In app config
      ActiveRecord::Base.time_zone_aware_types += [:tsrange]
      # In the code times are properly converted to app time zone
      Shop.create!(open_hours: [Time.current..8.hour.from_now])

      Wojciech Wnętrzak

    • Resolve issue where a relation cache_version could be left stale.

      Previously, when reset was called on a relation object it did not reset the cache_versions
      ivar. This led to a confusing situation where despite having the correct data the relation
      still reported a stale cache_version.

      Usage:

      developers = Developer.all
      developers.cache_version

      Developer.update_all(updated_at: Time.now.utc + 1.second)

      developers.cache_version # Stale cache_version
      developers.reset
      developers.cache_version # Returns the current correct cache_version

      Fixes #45341.

      Austen Madden

    • Fix load_async when called on an association proxy.

      Calling load_async directly on an association would schedule
      a query but never use it.

      comments = post.comments.load_async # schedule a query
      comments.to_a # perform an entirely new sync query

      Now it does use the async query, however note that it doesn't
      cause the association to be loaded.

      Jean Boussier

    • Fix eager loading for models without primary keys.

      Anmol Chopra, Matt Lawrence, and Jonathan Hefner

    • rails db:schema:{dump,load} now checks ENV["SCHEMA_FORMAT"] before config

      Since rails db:structure:{dump,load} was deprecated there wasn't a simple
      way to dump a schema to both SQL and Ruby formats. You can now do this with
      an environment variable. For example:

      SCHEMA_FORMAT=sql rake db:schema:dump

      Alex Ghiculescu

    • Fix Hstore deserialize regression.

      edsharp

    Action View

    • Guard against ActionView::Helpers::FormTagHelper#field_name calls with nil
      object_name arguments. For example:

      <%= fields do |f| %>
        <%= f.field_name :body %>
      <% end %>

      Sean Doyle

    • Strings returned from strip_tags are correctly tagged html_safe?

      Because these strings contain no HTML elements and the basic entities are escaped, they are safe
      to be included as-is as PCDATA in HTML content. Tagging them as html-safe avoids double-escaping
      entities when being concatenated to a SafeBuffer during rendering.

      Fixes rails/rails-html-sanitizer#124

      Mike Dalessio

    Action Pack

    • Prevent ActionDispatch::ServerTiming from overwriting existing values in Server-Timing.

      Previously, if another middleware down the chain set the Server-Timing header,
      it would be overwritten by ActionDispatch::ServerTiming.

      Jakub Malinowski

    Active Job

    • Update ActiveJob::QueueAdapters::QueAdapter to remove deprecation warning.

      Remove a deprecation warning introduced in que 1.2 to prepare for changes in
      que 2.0 necessary for Ruby 3 compatibility.

      Damir Zekic and Adis Hasovic

    Action Mailer

    • No changes.

    Action Cable

    • The Redis adapter is now compatible with redis-rb 5.0

      Compatibility with redis-rb 3.x was dropped.

      Jean Boussier

    • The Action Cable server is now mounted with anchor: true.

      This means that routes that also start with /cable will no longer clash with Action Cable.

      Alex Ghiculescu

    Active Storage

    • Fixes proxy downloads of files over 5MiB

      Previously, trying to view and/or download files larger than 5mb stored in
      services like S3 via proxy mode could return corrupted files at around
      5.2mb or cause random halts in the download. Now,
      ActiveStorage::Blobs::ProxyController correctly handles streaming these
      larger files from the service to the client without any issues.

      Fixes #44679

      Felipe Raul

    Action Mailbox

    • No changes.

    Action Text

    • No changes.

    Railties

    • config.allow_concurrency = false now uses a Monitor instead of a Mutex

      This allows enabling config.active_support.executor_around_test_case even
      when config.allow_concurrency is disabled.

      Jean Boussier

    • Skip Active Storage and Action Mailer if Active Job is skipped.

      Étienne Barrié

    • Correctly check if frameworks are disabled when running app:update.

      Étienne Barrié and Paulo Barros

    • Fixed config.active_support.cache_format_version never being applied.

      Rails 7.0 shipped with a new serializer for Rails.cache, but the associated config
      wasn't working properly. Note that even after this fix, it can only be applied from
      the application.rb file.

      Alex Ghiculescu

  • 7.0.3 - 2022-05-09

    Active Support

    • No changes.

    Active Model

    • No changes.

    Active Record

    • Some internal housekeeping on reloads could break custom respond_to?
      methods in class objects that referenced reloadable constants. See
      #44125 for details.

      Xavier Noria

    • Fixed MariaDB default function support.

      Defaults would be written wrong in "db/schema.rb" and not work correctly
      if using db:schema:load. Furthermore, the function name would be
      added as string content when saving new records.

      kaspernj

    • Fix remove_foreign_key with :if_exists option when foreign key actually exists.

      fatkodima

    • Remove --no-comments flag in structure dumps for PostgreSQL

      This broke some apps that used custom schema comments. If you don't want
      comments in your structure dump, you can use:

      ActiveRecord::Tasks::DatabaseTasks.structure_dump_flags = ['--no-comments']

      Alex Ghiculescu

    • Use the model name as a prefix when filtering encrypted attributes from logs.

      For example, when encrypting Person#name it will add person.name as a filter
      parameter, instead of just name. This prevents unintended filtering of parameters
      with a matching name in other models.

      Jorge Manrubia

    • Fix quoting of ActiveSupport::Duration and Rational numbers in the MySQL adapter.

      Kevin McPhillips

    • Fix change_column_comment to preserve column's AUTO_INCREMENT in the MySQL adapter

      fatkodima

    Action View

    • Ensure models passed to form_for attempt to call to_model.

      Sean Doyle

    Action Pack

    • Allow relative redirects when raise_on_open_redirects is enabled.

      Tom Hughes

    • Fix authenticate_with_http_basic to allow for missing password.

      Before Rails 7.0 it was possible to handle basic authentication with only a username.

      authenticate_with_http_basic do |token, _|
        ApiClient.authenticate(token)
      end

      This ability is restored.

      Jean Boussier

    • Fix content_security_policy returning invalid directives.

      Directives such as self, unsafe-eval and few others were not
      single quoted when the directive was the result of calling a lambda
      returning an array.

      content_security_policy do |policy|
        policy.frame_ancestors lambda { [:self, "https://example.com"] }
      end

      With this fix the policy generated from above will now be valid.

      Edouard Chin

    • Fix skip_forgery_protection to run without raising an error if forgery
      protection has not been enabled / verify_authenticity_token is not a
      defined callback.

      This fix prevents the Rails 7.0 Welcome Page (/) from raising an
      ArgumentError if default_protect_from_forgery is false.

      Brad Trick

    • Fix ActionController::Live to copy the IsolatedExecutionState in the ephemeral thread.

      Since its inception ActionController::Live has been copying thread local variables
      to keep things such as CurrentAttributes set from middlewares working in the controller action.

      With the introduction of IsolatedExecutionState in 7.0, some of that global state was lost in
      ActionController::Live controllers.

      Jean Boussier

    • Fix setting trailing_slash: true in route definition.

      get '/test' => "test#index", as: :test, trailing_slash: true

      test_path() # => "/test/"

      Jean Boussier

    Active Job

    • Add missing bigdecimal require in ActiveJob::Arguments

      Could cause uninitialized constant ActiveJob::Arguments::BigDecimal (NameError)
      when loading Active Job in isolation.

      Jean Boussier

    Action Mailer

    • No changes.

    Action Cable

    • No changes.

    Active Storage

    • Don't stream responses in redirect mode

      Previously, both redirect mode and proxy mode streamed their
      responses which caused a new thread to be created, and could end
      up leaking connections in the connection pool. But since redirect
      mode doesn't actually send any data, it doesn't need to be
      streamed.

      Luke Lau

    Action Mailbox

    • No changes.

    Action Text

    • No changes.

    Railties

    • If reloading and eager loading are both enabled, after a reload Rails eager loads again the application code.

      Xavier Noria

    • Use controller_class_path in Rails::Generators::NamedBase#route_url

      The route_url method now returns the correct path when generating
      a namespaced controller with a top-level model using --model-name.

      Previously, when running this command:

      bin/rails generate scaffold_controller Admin/Post --model-name Post

      the comments above the controller action would look like:

      # GET /posts
      def index
        @posts = Post.all
      end

      afterwards, they now look like this:

      # GET /admin/posts
      def index
        @posts = Post.all
      end

      Fixes #44662.

      Andrew White

  • 7.0.3-1 - 2022-07-12
  • 7.0.2 - 2022-02-08
  • 7.0.2-4 - 2022-04-26
  • 7.0.2-3 - 2022-03-08
  • 7.0.2-2 - 2022-02-11
  • 7.0.2-1 - 2022-02-11
  • 7.0.1 - 2022-01-06
  • 7.0.0 - 2021-12-15
  • 7.0.0-rc3 - 2021-12-14
  • 7.0.0-rc2 - 2021-12-14
  • 7.0.0-rc1 - 2021-12-06
  • 7.0.0-alpha2 - 2021-09-15
  • 7.0.0-alpha1 - 2021-09-15
  • 6.1.7 - 2022-09-09

    Active Support

    • No changes.

    Active Model

    • No changes.

    Active Record

    • Symbol is allowed by default for YAML columns

      Étienne Barrié

    • Fix ActiveRecord::Store to serialize as a regular Hash

      Previously it would serialize as an ActiveSupport::HashWithIndifferentAccess
      which is wasteful and causes problems with YAML safe_load.

      Jean Boussier

    • Fix PG.connect keyword arguments deprecation warning on ruby 2.7

      Fixes #44307.

      Nikita Vasilevsky

    Action View

    • No changes.

    Action Pack

    • No changes.

    Active Job

    • No changes.

    Action Mailer

    • No changes.

    Action Cable

    • No changes.

    Active Storage

    • Respect Active Record's primary_key_type in Active Storage migrations. Backported from 7.0.

      fatkodima

    Action Mailbox

    • No changes.

    Action Text

    • No changes.

    Railties

    • No changes.
from @rails/activestorage GitHub release notes
Commit messages
Package name: @rails/activestorage

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs
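Review note on the upgrade itself, with an added example that is neither Snyk's nor Rails' code. Rails publishes the @rails/activestorage npm package in lockstep with the activestorage gem (the 7.0.4 entry above is the Rails 7.0.4 changelog), so a JS-only bump like this PR leaves the direct-upload client one major version ahead of the Ruby server unless the Gemfile moves too. The script below checks the two lockfiles for that, and also that the new npm entry is pinned with an integrity hash from the public registry. The lockfile contents, the `LOCKSTEP` mapping and the `check_upgrade` helper are constructed for this example; the assumption is that the app keeps gem and npm versions aligned, which is the Rails default layout.

```ruby
# Added example for this upgrade PR; not Snyk's or Rails' code.
# Checks that an npm-only bump of @rails/activestorage is matched on the gem
# side and that package-lock.json pins the new tarball with an integrity hash.
# Assumption: the app keeps gem and npm in lockstep (the Rails default).
require "json"

# Constructed stand-ins for the repository's lockfiles after the PR is applied.
PACKAGE_LOCK = <<~JSON
  {
    "lockfileVersion": 2,
    "packages": {
      "node_modules/@rails/activestorage": {
        "version": "7.0.4",
        "resolved": "https://registry.npmjs.org/@rails/activestorage/-/activestorage-7.0.4.tgz",
        "integrity": "sha512-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-HASH"
      },
      "node_modules/@rails/ujs": {
        "version": "6.1.7",
        "resolved": "https://registry.npmjs.org/@rails/ujs/-/ujs-6.1.7.tgz"
      }
    }
  }
JSON

GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionview (6.1.7)
      activestorage (6.1.7)
        actionpack (= 6.1.7)
      rails (6.1.7)
LOCK

# npm package => the gem it is published from and must match (constructed map).
LOCKSTEP = {
  "@rails/activestorage" => "activestorage",
  "@rails/ujs"           => "actionview",
}.freeze

# Gemfile.lock spec lines sit six spaces deep under "specs:"; dependency
# lines are deeper and carry an operator, so the pattern skips them.
def gem_versions(lock_text)
  lock_text.scan(/^ {6}(\S+) \((\d[^)]*)\)$/).to_h
end

def npm_packages(lock_json)
  JSON.parse(lock_json).fetch("packages").each_with_object({}) do |(path, meta), acc|
    acc[path.delete_prefix("node_modules/")] = meta if path.start_with?("node_modules/")
  end
end

# Returns a list of findings; an empty list means the upgrade is consistent.
def check_upgrade(package_lock:, gemfile_lock:)
  gems = gem_versions(gemfile_lock)
  pkgs = npm_packages(package_lock)
  LOCKSTEP.each_with_object([]) do |(npm_name, gem_name), findings|
    next unless (pkg = pkgs[npm_name])
    version = pkg["version"]
    findings << "#{npm_name} #{version}: no integrity hash in package-lock.json" unless pkg["integrity"]
    unless pkg["resolved"].to_s.start_with?("https://registry.npmjs.org/")
      findings << "#{npm_name} #{version}: resolved from #{pkg["resolved"].inspect}, not the public registry"
    end
    gem_version = gems[gem_name]
    if gem_version && gem_version != version
      findings << "#{npm_name} #{version} vs #{gem_name} gem #{gem_version}: JS client and Ruby server out of lockstep"
    end
  end
end

puts check_upgrade(package_lock: PACKAGE_LOCK, gemfile_lock: GEMFILE_LOCK) if $PROGRAM_NAME == __FILE__
```

Run against the constructed lockfiles it reports two findings: the activestorage gem is still at 6.1.7 while the npm package moved to 7.0.4, and the untouched @rails/ujs entry has no integrity hash. Point it at the real package-lock.json and Gemfile.lock of the branch before merging.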
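Background for the two Active Record items that appear in both the 7.0.4 and 6.1.7 notes above ("Symbol is allowed by default for YAML columns" and "Fix ActiveRecord::Store to serialize as a regular Hash"), as an added example rather than Rails code. Active Record deserialises YAML columns with `YAML.safe_load` and an allow-list (`ActiveRecord.yaml_column_permitted_classes`), so a tagged class that the stored document names and the list omits raises `Psych::DisallowedClass`; that is why a store written as a tagged `HashWithIndifferentAccess` broke, and why `Symbol` now needs to be on the list by default. The `AuditHook` class and the YAML documents are constructed; Psych ships with Ruby, so this runs without Rails.

```ruby
# Added example, not Rails code: what YAML.safe_load with an allow-list accepts
# and rejects, next to the permissive loader Rails' YAML coder used before it
# switched to safe_load. Psych is stdlib, so no Rails is needed to run this.
require "yaml"

# Constructed stand-in for a class that untrusted column data must never
# be able to instantiate.
class AuditHook
  attr_accessor :command
end

# Constructed column contents: what the old Store wrote (a tagged
# HashWithIndifferentAccess), what the fixed Store writes, a document with a
# Symbol key, and a hostile document that tags an arbitrary class.
TAGGED_STORE = "--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ncolor: red\n"
PLAIN_STORE  = "---\ncolor: red\nsize: 10\n"
SYMBOL_KEYS  = "---\n:color: red\nsize: 10\n"
HOSTILE      = "--- !ruby/object:AuditHook\ncommand: rm -rf /\n"

# Safe deserialisation: only the listed classes may be materialised. Rails keeps
# this list in ActiveRecord.yaml_column_permitted_classes; here it is a parameter.
def load_column(yaml, permitted: [])
  YAML.safe_load(yaml, permitted_classes: permitted, aliases: false)
rescue Psych::DisallowedClass => e
  { error: e.message }
end

# The permissive loader. Psych renamed it unsafe_load; before that, plain load
# already instantiated any class a document tagged.
def legacy_load(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

if $PROGRAM_NAME == __FILE__
  p load_column(PLAIN_STORE)
  p load_column(SYMBOL_KEYS)                       # rejected: Symbol not permitted
  p load_column(SYMBOL_KEYS, permitted: [Symbol])  # accepted
  p load_column(TAGGED_STORE)                      # rejected: HashWithIndifferentAccess not permitted
  p load_column(HOSTILE)                           # rejected: AuditHook not permitted
  p legacy_load(HOSTILE).command                   # the permissive loader builds the object
end
```

The contrast is the point: the same hostile document that `safe_load` refuses becomes a live `AuditHook` under the legacy loader. When a column starts raising `Psych::DisallowedClass` after this upgrade, the fix is to add the specific class to the permitted list or, as the Store change does, stop writing tagged objects into the column, not to fall back to the permissive loader.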
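The 7.0.3 Action Pack note "Fix content_security_policy returning invalid directives" describes keyword sources such as `:self` and `:unsafe_eval` losing their single quotes when a directive's value came from a lambda returning an array. The added example below is not the Rails implementation: it shows the quoting rule a serialiser has to apply, a reconstruction of the broken path for contrast, and a small linter that flags bare keywords in a finished header, since a browser reads an unquoted `self` as a host named "self". The `KEYWORD_SOURCES` table, the `POLICY` hash and the helper names are assumptions made for the example.

```ruby
# Added example, not Rails' ContentSecurityPolicy class. Keyword sources must be
# single-quoted in the serialised header; host and scheme sources must not be.
KEYWORD_SOURCES = {
  self:           "'self'",
  none:           "'none'",
  unsafe_inline:  "'unsafe-inline'",
  unsafe_eval:    "'unsafe-eval'",
  strict_dynamic: "'strict-dynamic'",
  report_sample:  "'report-sample'",
}.freeze

# Serialises one directive's sources. A callable is evaluated with the
# request-like context first, then every element goes through the keyword
# mapping: symbols become quoted keywords, strings are host/scheme sources.
def serialize_sources(sources, context = nil)
  sources = sources.call(context) if sources.respond_to?(:call)
  Array(sources).map do |source|
    case source
    when Symbol then KEYWORD_SOURCES.fetch(source) { raise ArgumentError, "unknown CSP keyword #{source.inspect}" }
    when String then source
    else raise ArgumentError, "unsupported CSP source #{source.inspect}"
    end
  end.join(" ")
end

# Reconstruction of the pre-fix behaviour the note describes, not the actual
# Rails code: the array a lambda returned skipped the keyword mapping, so :self
# surfaced as the bare host name "self".
def serialize_sources_buggy(sources, context = nil)
  sources = sources.call(context) if sources.respond_to?(:call)
  Array(sources).map { |source| source.to_s.tr("_", "-") }.join(" ")
end

def build_policy(directives, context = nil, serializer: method(:serialize_sources))
  directives.map { |name, sources| "#{name.to_s.tr('_', '-')} #{serializer.call(sources, context)}" }.join("; ")
end

# Linter for a serialised header: an unquoted keyword is parsed by browsers as a
# host source, so "frame-ancestors self" matches nothing and
# "script-src unsafe-eval" silently fails to grant what the author meant.
BARE_KEYWORDS = KEYWORD_SOURCES.values.map { |quoted| quoted.delete("'") }.freeze

def bare_keywords(header)
  header.split(/[;\s]+/).select { |token| BARE_KEYWORDS.include?(token) }
end

# Constructed policy in the shape the note shows: a per-request lambda for
# frame-ancestors plus a static script-src list.
POLICY = {
  frame_ancestors: ->(_request) { [:self, "https://example.com"] },
  script_src:      [:self, :unsafe_eval],
}.freeze

if $PROGRAM_NAME == __FILE__
  puts build_policy(POLICY)
  puts build_policy(POLICY, serializer: method(:serialize_sources_buggy))
  p bare_keywords(build_policy(POLICY, serializer: method(:serialize_sources_buggy)))
end
```

`bare_keywords` is cheap to run against whatever your app actually emits: fetch a page, take the `Content-Security-Policy` header, and assert the list is empty in a request spec, which catches this class of regression regardless of which framework version built the header.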
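The 7.0.3 Action Pack note "Allow relative redirects when raise_on_open_redirects is enabled" concerns the decision a redirect guard makes: a relative target stays on the current host, so rejecting it is a false positive. The added example below is not Rails' own `redirect_to` or host check; it shows that decision along with the inputs a naive "starts with /" test gets wrong, namely protocol-relative, backslash, userinfo and non-HTTP scheme targets. The `safe_redirect_target?`, `redirect_to` and `rejected?` helpers, the `UnsafeRedirectError` class and the hostnames are assumptions made for the example.

```ruby
# Added example, not Rails' redirect code: a guard that accepts path-relative
# and same-host targets and rejects everything else unless the caller opts in.
require "uri"

class UnsafeRedirectError < StandardError; end

# True when `location` is path-relative or stays on `request_host`.
def safe_redirect_target?(location, request_host)
  return false if location.nil? || location.strip.empty?
  # Browsers read "//evil.example" and "/\evil.example" as scheme-relative
  # absolute URLs, and trim leading whitespace or backslashes before parsing.
  return false if location.match?(%r{\A[\s\\]|\A//|\A/\\})
  uri = URI.parse(location)
  return true if uri.scheme.nil? && uri.host.nil?           # "/account", "account?page=2"
  return false unless %w[http https].include?(uri.scheme.to_s.downcase)
  # userinfo ("http://app.example@evil.example/") never counts as the host
  uri.host.to_s.downcase == request_host.downcase
rescue URI::InvalidURIError
  false
end

def redirect_to(location, request_host:, allow_other_host: false)
  unless allow_other_host || safe_redirect_target?(location, request_host)
    raise UnsafeRedirectError,
          "Unsafe redirect to #{location.inspect}, pass allow_other_host: true to redirect anyway."
  end
  [302, { "Location" => location }, []]
end

# Small helper so a caller (or a test) can ask whether the guard fires.
def rejected?(location, request_host)
  redirect_to(location, request_host: request_host)
  false
rescue UnsafeRedirectError
  true
end

if $PROGRAM_NAME == __FILE__
  ["/account", "https://app.example/account", "//evil.example/", "/\\evil.example",
   "http://app.example@evil.example/", "javascript:alert(1)"].each do |target|
    puts "#{target.ljust(36)} #{rejected?(target, 'app.example') ? 'rejected' : 'allowed'}"
  end
end
```

Keep the opt-in explicit: every call site that passes `allow_other_host: true` is a place where the target should come from configuration, not from a request parameter.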
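The 7.0.3 Action Pack note "Fix authenticate_with_http_basic to allow for missing password" restores the token-only pattern shown there, where the block receives the token as the name and ignores the password. The added example below is not Rails' `authenticate_with_http_basic`; it shows where the empty password comes from when the header is decoded, and compares the presented token in constant time so the check does not leak how many leading bytes matched. The `parse_basic_credentials`, `secure_compare` and `authenticate_with_http_basic` helpers, the `API_TOKENS` table and the token values are constructed for the example.

```ruby
# Added example, not Rails code: decoding HTTP Basic credentials that carry a
# token and no password, then checking the token in constant time.
require "base64"

# Decodes an Authorization header into [name, password]. The password is ""
# when the client sent "token:" or just "token" without a colon.
def parse_basic_credentials(authorization)
  return nil if authorization.nil?
  scheme, encoded = authorization.split(" ", 2)
  return nil unless scheme&.casecmp?("Basic") && encoded
  decoded = begin
    Base64.strict_decode64(encoded.strip)
  rescue ArgumentError
    return nil
  end
  name, password = decoded.split(":", 2)
  [name.to_s, password.to_s]
end

# Classic constant-time comparison: xor every byte pair and OR the results, so
# the loop runs to the end whether the first byte or the last one differs.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed API clients keyed by their token.
API_TOKENS = { "tok_live_a1b2c3" => "billing-worker" }.freeze

# Mirrors the note's usage: the name is the token and the password is ignored.
# Returns the client name on success, nil otherwise.
def authenticate_with_http_basic(authorization)
  token, _password = parse_basic_credentials(authorization)
  return nil if token.nil?
  API_TOKENS.find { |known, _client| secure_compare(known, token) }&.last
end

if $PROGRAM_NAME == __FILE__
  header = "Basic " + Base64.strict_encode64("tok_live_a1b2c3:")
  p parse_basic_credentials(header)
  p authenticate_with_http_basic(header)
  p authenticate_with_http_basic("Basic " + Base64.strict_encode64("wrong:"))
end
```

Because the token sits in the user-name position, it lands wherever user names are logged; make sure request logs and exception trackers filter the Authorization header before adopting this pattern.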
