fizzy
Update Rails
Changelog changes
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index a0c184e..74ccf51 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,105 @@
+* Add `ActionDispatch::Request#bearer_token` to extract the bearer token from the Authorization header.
+ Bearer tokens are commonly used for API and MCP requests.
+
+ *DHH*
+
+* Add block support to `ActionController::Parameters#merge`
+
+ `ActionController::Parameters#merge` now accepts a block to resolve conflicts,
+ consistent with `Hash#merge` and `Parameters#merge!`.
+
+ ```ruby
+ params1 = ActionController::Parameters.new(a: 1, b: 2)
+ params2 = ActionController::Parameters.new(b: 3, c: 4)
+ params1.merge(params2) { |key, old_val, new_val| old_val + new_val }
+ # => #<ActionController::Parameters {"a"=>1, "b"=>5, "c"=>4} permitted: false>
+ ```
+
+ *Said Kaldybaev*
+
+* Yield key to `ActionController::Parameters#fetch` block
+
+ ```ruby
+ key = params.fetch(:missing) { |missing_key| missing_key }
+ key # => :missing
+
+ key = params.fetch("missing") { |missing_key| missing_key }
+ key # => "missing"
+ ```
+
+ *Sean Doyle*
+
+* Add `config.action_controller.live_streaming_excluded_keys` to control execution state sharing in ActionController::Live.
+
+ When using ActionController::Live, actions are executed in a separate thread that shares
+ state from the parent thread. This new configuration allows applications to opt-out specific
+ state keys that should not be shared.
+
+ This is useful when streaming inside a `connected_to` block, where you may want
+ the streaming thread to use its own database connection context.
+
+ ```ruby
+ # config/application.rb
+ config.action_controller.live_streaming_excluded_keys = [:active_record_connected_to_stack]
+ ```
+
+ By default, all keys are shared.
+
+ *Eileen M. Uchitelle*
+
+* Add controller action source location to routes inspector.
+
+ The routes inspector now shows where controller actions are defined.
+ In `rails routes --expanded`, a new "Action Location" field displays
+ the file and line number of each action method.
+
+ On the routing error page, when `RAILS_EDITOR` or `EDITOR` is set,
+ a clickable ✏️ icon appears next to each Controller#Action that opens
+ the action directly in the editor.
+
+ *Guillermo Iguaran*
+
+* Active Support notifications for CSRF warnings.
+
+ Switches from direct logging to event-driven logging, allowing others to
+ subscribe to and act on CSRF events:
+
+ - `csrf_token_fallback.action_controller`
+ - `csrf_request_blocked.action_controller`
+ - `csrf_javascript_blocked.action_controller`
+
+ *Jeremy Daer*
+
+* Modern header-based CSRF protection.
+
+ Modern browsers send the `Sec-Fetch-Site` header to indicate the relationship
+ between request initiator and target origins. Rails now uses this header to
+ verify same-origin requests without requiring authenticity tokens.
+
+ Two verification strategies are available via `protect_from_forgery using:`:
+
+ * `:header_only` - Uses `Sec-Fetch-Site` header only. Rejects requests
+ without a valid header. Default for new Rails 8.2 applications.
+
+ * `:header_or_legacy_token` - Uses `Sec-Fetch-Site` header when present,
+ falls back to authenticity token verification for older browsers.
+
+ Configure trusted origins for legitimate cross-site requests (OAuth callbacks,
+ third-party embeds) with `trusted_origins:`:
+
+ ```ruby
+ protect_from_forgery trusted_origins: %w[ https://accounts.google.com ]
+ ```
+
+ `InvalidAuthenticityToken` is deprecated in favor of `InvalidCrossOriginRequest`.
+
+ *Rosa Gutierrez*
+
+* Fix `action_dispatch_request` early load hook call when building
+ Rails app middleware.
+
+ *Gannon McGibbon*
+
* Emit a structured event when `action_on_open_redirect` is set to `:notify`
in addition to the existing Active Support Notification.
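Review bot: In the "Modern header-based CSRF protection" entry, `:header_only` is given as the default for new Rails 8.2 applications, but nothing says which strategy an existing application gets after upgrading, or which `Sec-Fetch-Site` values count as a valid header. Suggest one sentence for each, since `:header_only` "Rejects requests without a valid header" and that affects every client that does not send it. The `trusted_origins:` example would be clearer with the `using:` option shown next to it, and the line deprecating `InvalidAuthenticityToken` should say whether code that rescues the old class keeps working during the deprecation period.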
diff --git a/activejob/CHANGELOG.md b/activejob/CHANGELOG.md
index 28a9017..431e566 100644
--- a/activejob/CHANGELOG.md
+++ b/activejob/CHANGELOG.md
@@ -1,3 +1,26 @@
+* Jobs are now enqueued after transaction commit.
+
+ This fixes that jobs would surprisingly run against uncommitted and
+ rolled-back records.
+
+ New Rails 8.2 apps (and apps upgrading to `config.load_defaults "8.2"`)
+ have `config.active_job.enqueue_after_transaction_commit = true` by default.
+ Uncomment the setting in `config/initializers/new_framework_defaults_8_2.rb`
+ to opt in.
+
+ *mugitti9*
+
+* Un-deprecate the global `config.active_job.enqueue_after_transaction_commit`
+ toggle for app-wide overrides. It was deprecated in Rails 8.0 (when the
+ symbol values were removed) and made non-functional in 8.1. It now works
+ as a boolean config again.
+
+ *Jeremy Daer*
+
+* Deprecate built-in `sneakers` adapter.
+
+ *Dino Maric*
+
* Fix using custom serializers with `ActiveJob::Arguments.serialize` when
`ActiveJob::Base` hasn't been loaded.
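Review bot: The closing instruction of the first entry is ambiguous about who it addresses: the entry says new 8.2 apps and apps on `config.load_defaults "8.2"` already have `config.active_job.enqueue_after_transaction_commit = true`, then tells the reader to uncomment the setting "to opt in". Suggest stating that the uncomment step is for upgraded apps that have not yet switched to the 8.2 defaults. The un-deprecation entry should also note that an assignment left in an app's config, which was non-functional in 8.1, takes effect again after this upgrade. Minor wording: "This fixes that jobs would surprisingly run against" reads better as "Previously, jobs could run against".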
diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md
index b6b10de..970eeb3 100644
--- a/activesupport/CHANGELOG.md
+++ b/activesupport/CHANGELOG.md
@@ -1,3 +1,25 @@
+* Add `ActiveSupport::CombinedConfiguration` to offer interchangeable access to configuration provided by
+ either ENV or encrypted credentials. Used by Rails to first look at ENV, then look in encrypted credentials,
+ but can be configured separately with any number of API-compatible backends in a first-look order.
+
+ *DHH*
+
+* Add `ActiveSupport::EnvConfiguration` to provide access to ENV variables in a way that's compatible with
+ `ActiveSupport::EncryptedConfiguration` and therefore can be used by `ActiveSupport::CombinedConfiguration`.
+
+ Examples:
+
+ ```ruby
+ conf = ActiveSupport::EnvConfiguration.new
+ conf.require(:db_host) # ENV.fetch("DB_HOST")
+ conf.require(:aws, :access_key_id) # ENV.fetch("AWS__ACCESS_KEY_ID")
+ conf.option(:cache_host) # ENV["CACHE_HOST"]
+ conf.option(:cache_host, default: "cache-host-1") # ENV["CACHE_HOST"] || "cache-host-1"
+ conf.option(:cache_host, default: -> { "cache-host-1" }) # ENV["CACHE_HOST"] || "cache-host-1"
+ ```
+
+ *DHH*
+
* Make flaky parallel tests easier to diagnose by deterministically assigning
tests to workers.
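Review bot: The `ActiveSupport::EnvConfiguration` examples map `conf.require(:aws, :access_key_id)` to `AWS__ACCESS_KEY_ID`, but the double-underscore rule for nested keys appears only in a code comment; state it in the prose. The `ActiveSupport::CombinedConfiguration` entry should also say outright that, with ENV looked at first, a variable set in the environment shadows the value in encrypted credentials, and whether an empty ENV value counts as set, because that decides which secret the application ends up using.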
diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md
index 3ba581c..bbf746d 100644
--- a/railties/CHANGELOG.md
+++ b/railties/CHANGELOG.md
@@ -1,3 +1,79 @@
+* Add `Rails.app.revision` to provide a version identifier for error reporting, monitoring, cache keys, etc.
+
+ ```ruby
+ Rails.app.revision # => "3d31d593e6cf0f82fa9bd0338b635af2f30d627b"
+ ```
+
+ By defaults it looks for a `REVISION` file at the root of the application, if absent it tries to extract
+ the revision from the local git repository.
+
+ If none of that is adequate, it can be set in the application config:
+
+ ```ruby
+ # config/application.rb
+ module MyApp
+ class Application < Rails::Application
+ config.revision = ENV["GIT_SHA"]
+ end
+ end
+ ```
+
+ *Abdelkader Boudih*, *Jean Boussier*
+
+* Add `Rails.app.creds` to provide combined access to credentials stored in either ENV or the encrypted credentials file,
+ and in development also .env credentials. Provides a new require/option API for accessing these values. Examples:
+
+ ```ruby
+ Rails.app.creds.require(:db_host) # ENV.fetch("DB_HOST") || Rails.app.credentials.require(:db_host)
+ Rails.app.creds.require(:aws, :access_key_id) # ENV.fetch("AWS__ACCESS_KEY_ID") || Rails.app.credentials.require(:aws, :access_key_id)
+ Rails.app.creds.option(:cache_host) # ENV["CACHE_HOST"] || Rails.app.credentials.option(:cache_host)
+ Rails.app.creds.option(:cache_host, default: "cache-host-1") # ENV["CACHE_HOST"] || Rails.app.credentials.option(:cache_host) || "cache-host-1"
+ Rails.app.creds.option(:cache_host, default: -> { "cache-host-1" }) # ENV["CACHE_HOST"] || Rails.app.credentials.option(:cache_host) || "cache-host-1"
+ ```
+
+ It's also possible to assign your own combined configuration, if you need to use a different backend than just ENVs + encrypted files:
+
+ ```ruby
+ Rails.app.creds = ActiveSupport::CombinedConfiguration.new(Rails.app.envs, OnePasswordConfiguration.new)
+ ```
+
+ *DHH*
+
+* Add `Rails.app.dotenvs` to provide access to .env variables through symbol-based lookup with explicit methods
+ for required and optional values. This is the same interface offered by #credentials and can be accessed in a combined manner via #creds.
+
+ It supports both variable interpolation with ${VAR} and command interpolation with $(echo "hello"). Otherwise the same as `Rails.app.envs`.
+
+ *DHH*
+
+* Add `Rails.app.envs` to provide access to ENV variables through symbol-based lookup with explicit methods
+ for required and optional values. This is the same interface offered by #credentials and can be accessed in a combined manner via #creds.
+
+ ```ruby
+ Rails.app.envs.require(:db_password) # ENV,fetch("DB_PASSWORD")
+ Rails.app.envs.require(:aws, :access_key_id) # ENV.fetch("AWS__ACCESS_KEY_ID")
+ Rails.app.envs.option(:cache_host) # ENV["CACHE_HOST"]
+ Rails.app.envs.option(:cache_host, default: "cache-host-1") # ENV.fetch("CACHE_HOST", "cache-host-1")
+ Rails.app.envs.option(:cache_host, default: -> { HostProvider.cache }) # ENV.fetch("CACHE_HOST") { HostProvider.cache }
+ ```
+
+ *DHH*
+
+* Add `Rails.app` as alias for `Rails.application`. Particularly helpful when accessing nested accessors inside application code,
+ like when using `Rails.app.credentials`.
+
+ *DHH*
+
+* Remove duplicate unique index for token migrations
+
+ *zzak*, *Dan Bota*
+
+* Do not clean directories directly under the application root with `Rails::BacktraceCleaner`
+
+ Improved `Rails.backtrace_cleaner` so that most paths located directly under the application's root directory are no longer silenced.
+
+ *alpaca-tc*
+
* Add `Rails::CodeStatistics#register_extension` to register file extensions for `rails stats`
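Review bot: The `Rails.app.dotenvs` entry documents command interpolation with `$(echo "hello")` without saying that a .env file is therefore executed as well as read; add a sentence stating that, and repeat here the "in development" scope that the `Rails.app.creds` entry gives for .env credentials. In the `Rails.app.creds` examples, comments such as `ENV.fetch("DB_HOST") || Rails.app.credentials.require(:db_host)` misdescribe the fallback, because `ENV.fetch` raises on a missing key and the right-hand side would never run; describe the lookup order in words instead. Typos: `ENV,fetch("DB_PASSWORD")` in the `Rails.app.envs` example should be `ENV.fetch`, and "By defaults it looks for" should be "By default it looks for".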