[Snyk] Upgrade @rails/activestorage from 6.1.7 to 7.0.4 #80
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to upgrade @rails/activestorage from 6.1.7 to 7.0.4.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
Warning: This is a major version upgrade, and may be a breaking change.
Release notes
Package name: @rails/activestorage
Active Support

* Redis cache store is now compatible with redis-rb 5.0.

  *Jean Boussier*

* Fix `NoMethodError` on custom `ActiveSupport::Deprecation` behavior.

  `ActiveSupport::Deprecation.behavior=` was supposed to accept any object that responds to `call`, but in fact its internal implementation assumed that this object could respond to `arity`, so it was restricted to only `Proc` objects.

  This change removes this `arity` restriction of custom behaviors.

  *Ryo Nakamura*
Active Model

* Handle name clashes in attribute methods code generation cache.

  When two distinct attribute methods would generate similar names,
  the first implementation would be incorrectly re-used.

  ```ruby
  class A
    attribute_method_suffix "_changed?"
    define_attribute_methods :x
  end

  class B
    attribute_method_suffix "?"
    define_attribute_methods :x_changed
  end
  ```

  *Jean Boussier*
Active Record

* Symbol is allowed by default for YAML columns

  *Étienne Barrié*

* Fix `ActiveRecord::Store` to serialize as a regular Hash

  Previously it would serialize as an `ActiveSupport::HashWithIndifferentAccess`, which is wasteful and causes problems with YAML `safe_load`.

  *Jean Boussier*

* Add `timestamptz` as a time zone aware type for PostgreSQL

  This is required for correctly parsing `timestamp with time zone` values in your database.

  If you don't want this, you can opt out by adding this initializer:

  *Alex Ghiculescu*

* Fix supporting timezone awareness for `tsrange` and `tstzrange` array columns.

  *Wojciech Wnętrzak*

* Resolve issue where a relation cache_version could be left stale.

  Previously, when `reset` was called on a relation object it did not reset the cache_versions ivar. This led to a confusing situation where, despite having the correct data, the relation still reported a stale cache_version.

  Usage:

  ```ruby
  developers = Developer.all
  developers.cache_version

  Developer.update_all(updated_at: Time.now.utc + 1.second)

  developers.cache_version # Stale cache_version

  developers.reset
  developers.cache_version # Returns the current correct cache_version
  ```

  Fixes #45341.

  *Austen Madden*

* Fix `load_async` when called on an association proxy.

  Calling `load_async` directly on an association would schedule a query but never use it.

  Now it does use the async query, however note that it doesn't cause the association to be loaded.

  *Jean Boussier*

* Fix eager loading for models without primary keys.

  *Anmol Chopra, Matt Lawrence, and Jonathan Hefner*

* `rails db:schema:{dump,load}` now checks `ENV["SCHEMA_FORMAT"]` before config

  Since `rails db:structure:{dump,load}` was deprecated there wasn't a simple way to dump a schema to both SQL and Ruby formats. You can now do this with an environment variable. For example:

  *Alex Ghiculescu*

* Fix Hstore deserialize regression.

  *edsharp*
Action View

* Guard against `ActionView::Helpers::FormTagHelper#field_name` calls with nil `object_name` arguments. For example:

  *Sean Doyle*

* Strings returned from `strip_tags` are correctly tagged `html_safe?`

  Because these strings contain no HTML elements and the basic entities are escaped, they are safe to be included as-is as PCDATA in HTML content. Tagging them as html-safe avoids double-escaping entities when being concatenated to a SafeBuffer during rendering.

  Fixes rails/rails-html-sanitizer#124

  *Mike Dalessio*
Action Pack

* Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.

  Previously, if another middleware down the chain set the `Server-Timing` header, it would be overwritten by `ActionDispatch::ServerTiming`.

  *Jakub Malinowski*
Active Job

* Update `ActiveJob::QueueAdapters::QueAdapter` to remove deprecation warning.

  Remove a deprecation warning introduced in que 1.2 to prepare for changes in que 2.0 necessary for Ruby 3 compatibility.

  *Damir Zekic and Adis Hasovic*

Action Mailer

Action Cable

* The Redis adapter is now compatible with redis-rb 5.0

  Compatibility with redis-rb 3.x was dropped.

  *Jean Boussier*

* The Action Cable server is now mounted with `anchor: true`.

  This means that routes that also start with `/cable` will no longer clash with Action Cable.

  *Alex Ghiculescu*
Active Storage

* Fixes proxy downloads of files over 5MiB

  Previously, trying to view and/or download files larger than 5mb stored in services like S3 via proxy mode could return corrupted files at around 5.2mb or cause random halts in the download. Now, `ActiveStorage::Blobs::ProxyController` correctly handles streaming these larger files from the service to the client without any issues.

  Fixes #44679

  *Felipe Raul*
Action Mailbox
Action Text
Railties
* `config.allow_concurrency = false` now uses a `Monitor` instead of a `Mutex`

  This allows enabling `config.active_support.executor_around_test_case` even when `config.allow_concurrency` is disabled.

  *Jean Boussier*

* Skip Active Storage and Action Mailer if Active Job is skipped.

  *Étienne Barrié*

* Correctly check if frameworks are disabled when running app:update.

  *Étienne Barrié and Paulo Barros*

* Fixed `config.active_support.cache_format_version` never being applied.

  Rails 7.0 shipped with a new serializer for Rails.cache, but the associated config wasn't working properly. Note that even after this fix, it can only be applied from the `application.rb` file.

  *Alex Ghiculescu*
Active Support
Active Model
Active Record
* Some internal housekeeping on reloads could break custom `respond_to?` methods in class objects that referenced reloadable constants. See #44125 for details.

  *Xavier Noria*

* Fixed MariaDB default function support.

  Defaults would be written wrong in "db/schema.rb" and not work correctly if using `db:schema:load`. Furthermore, the function name would be added as string content when saving new records.

  *kaspernj*

* Fix `remove_foreign_key` with `:if_exists` option when foreign key actually exists.

  *fatkodima*

* Remove `--no-comments` flag in structure dumps for PostgreSQL

  This broke some apps that used custom schema comments. If you don't want comments in your structure dump, you can use:

  *Alex Ghiculescu*

* Use the model name as a prefix when filtering encrypted attributes from logs.

  For example, when encrypting `Person#name` it will add `person.name` as a filter parameter, instead of just `name`. This prevents unintended filtering of parameters with a matching name in other models.

  *Jorge Manrubia*
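The over-filtering this entry avoids, shown with a small stand-alone Ruby model of a log parameter filter. This is an added example and not Rails' `ActiveSupport::ParameterFilter`: the `filter_params` helper, its substring matching rule and the `SAMPLE` params are constructed here for illustration only.

```ruby
# Added example, not Rails code: a minimal parameter filter that shows why a
# model-prefixed filter key ("person.name") is safer than a bare attribute name ("name").
# The helper, the matching rule and the sample params are all constructed for this example.

FILTERED = "[FILTERED]".freeze

# Recursively walks a nested params hash. Each key is joined into a dotted path such as
# "person.name"; a filter applies when it occurs anywhere in that path, so the bare
# filter "name" also hits "company.name" (and would hit "username" or "hostname").
def filter_params(params, filters, prefix = nil)
  params.each_with_object({}) do |(key, value), out|
    path = [prefix, key.to_s].compact.join(".")
    out[key] =
      if value.is_a?(Hash)
        filter_params(value, filters, path)
      elsif filters.any? { |filter| path.include?(filter) }
        FILTERED
      else
        value
      end
  end
end

# Constructed request params: two models that both happen to have a "name" field.
SAMPLE = {
  person:  { name: "Ada", email: "ada@example.test" },
  company: { name: "ACME" }
}.freeze

# Bare key: every "name" anywhere in the request disappears from the log.
def filtered_with_bare_key
  filter_params(SAMPLE, ["name"])
end

# Model-prefixed key: only the encrypted attribute is redacted; company.name stays readable.
def filtered_with_model_prefix
  filter_params(SAMPLE, ["person.name"])
end

if __FILE__ == $PROGRAM_NAME
  p filtered_with_bare_key
  p filtered_with_model_prefix
end
```

Run it directly to see both filtered hashes; the first redacts `company.name` along with `person.name`, the second touches only the encrypted attribute, which is the difference the changelog entry describes.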
* Fix quoting of `ActiveSupport::Duration` and `Rational` numbers in the MySQL adapter.

  *Kevin McPhillips*

* Fix `change_column_comment` to preserve column's AUTO_INCREMENT in the MySQL adapter

  *fatkodima*
Action View

* Ensure models passed to `form_for` attempt to call `to_model`.

  *Sean Doyle*
Action Pack

* Allow relative redirects when `raise_on_open_redirects` is enabled.

  *Tom Hughes*
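What "relative redirect" means for an open-redirect check, as an added stand-alone Ruby example. This is not Rails' own `raise_on_open_redirects` implementation; the `safe_redirect_target?` helper and its rules are constructed here to show which targets stay on the current host and which edge cases (protocol-relative URLs, backslashes, userinfo, non-web schemes) must still be rejected.

```ruby
# Added example, not Rails' own raise_on_open_redirects check: a stand-alone
# classifier that accepts relative redirect targets and same-host absolute URLs
# while rejecting anything that would send the browser to another host.
require "uri"

def safe_redirect_target?(location, request_host)
  return false if location.nil? || location.strip.empty?
  # Browsers treat "\" like "/", so "/\evil.example" becomes "//evil.example"; refuse it.
  return false if location.include?("\\")
  # Protocol-relative URLs always name a host, so they are never "relative" redirects.
  return false if location.start_with?("//")

  uri = URI.parse(location)
  # No scheme and no host: "/account", "settings?tab=1", "#top" stay on the current host.
  return true if uri.scheme.nil? && uri.host.nil?
  # Only web schemes are acceptable redirect targets (rules out javascript:, data:, ...).
  return false unless %w[http https].include?(uri.scheme.to_s.downcase)
  # Absolute URL: compare the parsed host, which also defeats "https://host@evil.example".
  uri.host.to_s.downcase == request_host.downcase
rescue URI::InvalidURIError
  false
end
```

Pass the application's configured host rather than the raw `Host` header as `request_host`; otherwise a client that controls the header also controls which redirects count as "local".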
* Fix `authenticate_with_http_basic` to allow for missing password.

  Before Rails 7.0 it was possible to handle basic authentication with only a username. This ability is restored.

  *Jean Boussier*

* Fix `content_security_policy` returning invalid directives.

  Directives such as `self`, `unsafe-eval` and a few others were not single quoted when the directive was the result of calling a lambda returning an array.

  With this fix the policy generated from above will now be valid.

  *Edouard Chin*
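Why the missing quotes matter, as an added Ruby example that is not Rails' `content_security_policy` code: a minimal CSP serializer with the defect modelled (`build_csp_unquoted`), the corrected form (`build_csp`) and a `valid_csp?` check. `CSP_KEYWORDS`, the helpers and the `POLICY` sample are all constructed for this example.

```ruby
# Added example, not Rails code: a minimal Content-Security-Policy serializer that
# shows the defect this entry fixes. Keyword sources must be single-quoted; emitted
# bare, a browser parses them as host names and the directive no longer means what
# the author intended. The helpers and POLICY below are constructed for this example.

CSP_KEYWORDS = %w[self none unsafe-inline unsafe-eval strict-dynamic unsafe-hashes report-sample].freeze

# Keyword sources get their quotes; hosts, schemes, nonces and hashes pass through.
def quote_source(source)
  source = source.to_s
  CSP_KEYWORDS.include?(source) ? "'#{source}'" : source
end

# Correct serializer: sources may be an Array or a lambda returning an Array
# (evaluated per request), and every element goes through quote_source.
def build_csp(directives, request = nil)
  directives.map do |name, sources|
    sources = sources.call(request) if sources.respond_to?(:call)
    "#{name} #{Array(sources).map { |s| quote_source(s) }.join(' ')}"
  end.join("; ")
end

# The defect modelled: literal arrays are quoted, but what a lambda returns is joined verbatim.
def build_csp_unquoted(directives, request = nil)
  directives.map do |name, sources|
    rendered =
      if sources.respond_to?(:call)
        Array(sources.call(request)).map(&:to_s)          # bug: keywords lose their quotes
      else
        Array(sources).map { |s| quote_source(s) }
      end
    "#{name} #{rendered.join(' ')}"
  end.join("; ")
end

# Check a serialized header: no directive may carry a bare (unquoted) keyword source.
def valid_csp?(header)
  header.split(";").none? do |directive|
    directive.split.drop(1).any? { |source| CSP_KEYWORDS.include?(source) }
  end
end

# Constructed sample policy; the lambda stands in for a per-request source list.
POLICY = {
  "default-src" => [:self],
  "script-src"  => ->(_request) { [:self, "unsafe-eval", "https://cdn.example.com"] }
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts build_csp(POLICY)
  puts build_csp_unquoted(POLICY)
end
```

A check like `valid_csp?` belongs in a request spec: it catches a header that is syntactically a CSP but silently allows less than intended, which browser consoles report only as a warning.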
* Fix `skip_forgery_protection` to run without raising an error if forgery protection has not been enabled / `verify_authenticity_token` is not a defined callback.

  This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an `ArgumentError` if `default_protect_from_forgery` is false.

  *Brad Trick*

* Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.

  Since its inception `ActionController::Live` has been copying thread local variables to keep things such as `CurrentAttributes` set from middlewares working in the controller action.

  With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in `ActionController::Live` controllers.

  *Jean Boussier*

* Fix setting `trailing_slash: true` in route definition.

  ```ruby
  test_path() # => "/test/"
  ```

  *Jean Boussier*
Active Job

* Add missing `bigdecimal` require in `ActiveJob::Arguments`

  Could cause `uninitialized constant ActiveJob::Arguments::BigDecimal (NameError)` when loading Active Job in isolation.

  *Jean Boussier*
Action Mailer

Action Cable

Active Storage

* Don't stream responses in redirect mode

  Previously, both redirect mode and proxy mode streamed their responses which caused a new thread to be created, and could end up leaking connections in the connection pool. But since redirect mode doesn't actually send any data, it doesn't need to be streamed.

  *Luke Lau*
Action Mailbox
Action Text
Railties
* If reloading and eager loading are both enabled, after a reload Rails eager loads again the application code.

  *Xavier Noria*

* Use `controller_class_path` in `Rails::Generators::NamedBase#route_url`

  The `route_url` method now returns the correct path when generating a namespaced controller with a top-level model using `--model-name`.

  Previously, when running this command:

  the comments above the controller action would look like:

  afterwards, they now look like this:

  Fixes #44662.

  *Andrew White*
Active Support
Active Model
Active Record
* Symbol is allowed by default for YAML columns

  *Étienne Barrié*

* Fix `ActiveRecord::Store` to serialize as a regular Hash

  Previously it would serialize as an `ActiveSupport::HashWithIndifferentAccess`, which is wasteful and causes problems with YAML `safe_load`.

  *Jean Boussier*

* Fix PG.connect keyword arguments deprecation warning on ruby 2.7

  Fixes #44307.

  *Nikita Vasilevsky*
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
* Respect Active Record's primary_key_type in Active Storage migrations. Backported from 7.0.

  *fatkodima*
Action Mailbox
Action Text
Railties
Commit messages
Package name: @rails/activestorage
* `errors` in the Active Record Validations guide (rails/rails#45891 from Cofense/active-record-validations-guide-internal-link-errors)
* `AS::HWIA` for stored attributes (rails/rails#45872 from the-spectator/correct_hwia_encoding)
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.