Rails 5.2.4.4 (September 09, 2020)

• No changes.

Rails 5.2.4.3 (May 18, 2020)

• [CVE-2020-8165] Deprecate Marshal.load on raw cache read in RedisCacheStore

• [CVE-2020-8165] Avoid Marshal.load on raw cache value in MemCacheStore

Rails 5.2.4.1 (December 18, 2019)

• No changes.

Rails 5.2.4 (November 27, 2019)

• Make ActiveSupport::Logger Fiber-safe. Fixes #36752.

  Use Fiber.current.__id__ in ActiveSupport::Logger#local_level= in order to make log level local to Ruby Fibers in addition to Threads.

  Example:

  logger = ActiveSupport::Logger.new(STDOUT)
  logger.level = 1
  p "Main is debug? #{logger.debug?}"
  
  Fiber.new {
    logger.local_level = 0
    p "Thread is debug? #{logger.debug?}"
  }.resume
  
  p "Main is debug? #{logger.debug?}"
  

  Before:

  Main is debug? false
  Thread is debug? true
  Main is debug? true
  

  After:

  Main is debug? false
  Thread is debug? true
  Main is debug? false
  

  Alexander Varnin

Rails 5.2.3 (March 27, 2019)

• Add ActiveSupport::HashWithIndifferentAccess#assoc.

  assoc can now be called with either a string or a symbol.

  Stefan Schüßler

• Fix String#safe_constantize throwing a LoadError for incorrectly cased constant references.

  Keenan Brock

• Allow Range#=== and Range#cover? on Range

  Range#cover? can now accept a range argument like Range#include? and Range#===. Range#=== works correctly on Ruby 2.6. Range#include? is moved into a new file, with these two methods.

  utilum

• If the same block is included multiple times for a Concern, an exception is no longer raised.

  Mark J. Titorenko, Vlad Bokov

Rails 5.2.2.1 (March 11, 2019)

• No changes.

Rails 5.2.2 (December 04, 2018)

• Fix bug where #to_options for ActiveSupport::HashWithIndifferentAccess would not act as alias for #symbolize_keys.

  Nick Weiland

• Improve the logic that detects non-autoloaded constants.

  Jan Habermann, Xavier Noria

• Fix bug where URI.unescape would fail with mixed Unicode/escaped character input:

  URI.unescape("\xe3\x83\x90")  # => "バ"
  URI.unescape("%E3%83%90")  # => "バ"
  URI.unescape("\xe3\x83\x90%E3%83%90")  # => Encoding::CompatibilityError
  

  Ashe Connor, Aaron Patterson

Rails 5.2.1.1 (November 27, 2018)

• No changes.

Rails 5.2.1 (August 07, 2018)

• Redis cache store: delete_matched no longer blocks the Redis server. (Switches from evaled Lua to a batched SCAN + DEL loop.)

  Gleb Mazovetskiy

• Fix bug where ActiveSupport::Timezone.all would fail when tzinfo data for any timezone defined in ActiveSupport::TimeZone::MAPPING is missing.

  Dominik Sander

• Fix bug where ActiveSupport::Cache will massively inflate the storage size when compression is enabled (which is true by default). This patch does not attempt to repair existing data: please manually flush the cache to clear out the problematic entries.

  Godfrey Chan

• Fix ActiveSupport::Cache#read_multi bug with local cache enabled that was returning instances of ActiveSupport::Cache::Entry instead of the raw values.

  Jason Lee

Rails 5.2.0 (April 09, 2018)

• Caching: MemCache and Redis read_multi and fetch_multi speedup. Read from the local in-memory cache before consulting the backend.

  Gabriel Sobrinho

• Return all mappings for a timezone identifier in country_zones.

  Some timezones like Europe/London have multiple mappings in ActiveSupport::TimeZone::MAPPING so return all of them instead of the first one found by using Hash#value. e.g:

  # Before
  ActiveSupport::TimeZone.country_zones("GB") # => ["Edinburgh"]
  
  # After
  ActiveSupport::TimeZone.country_zones("GB") # => ["Edinburgh", "London"]
  

  Fixes #31668.

  Andrew White

• Add support for connection pooling on RedisCacheStore.

  fatkodima

• Support hash as first argument in assert_difference. This allows to specify multiple numeric differences in the same assertion.

  assert_difference ->{ Article.count } => 1, ->{ Post.count } => 2
  

  Julien Meichelbeck

• Add missing instrumentation for read_multi in ActiveSupport::Cache::Store.

  Ignatius Reza Lesmana

• assert_changes will always assert that the expression changes, regardless of from: and to: argument combinations.

  Daniel Ma

• Use SHA-1 to generate non-sensitive digests, such as the ETag header.

  Enabled by default for new apps; upgrading apps can opt in by setting config.active_support.use_sha1_digests = true.

  Dmitri Dolguikh, Eugene Kenny

• Changed default behaviour of ActiveSupport::SecurityUtils.secure_compare, to make it not leak length information even for variable length string.

  Renamed old ActiveSupport::SecurityUtils.secure_compare to fixed_length_secure_compare, and started raising ArgumentError in case of length mismatch of passed strings.

  Vipul A M

• Make ActiveSupport::TimeZone.all return only time zones that are in ActiveSupport::TimeZone::MAPPING.

  Fixes #7245.

  Chris LaRose

• MemCacheStore: Support expiring counters.

  Pass expires_in: [seconds] to #increment and #decrement options to set the Memcached TTL (time-to-live) if the counter doesn't exist. If the counter exists, Memcached doesn't extend its expiry when it's incremented or decremented.

  Rails.cache.increment("my_counter", 1, expires_in: 2.minutes)
  

  Takumasa Ochi

• Handle TZInfo::AmbiguousTime errors.

  Make ActiveSupport::TimeWithZone match Ruby's handling of ambiguous times by choosing the later period, e.g.

  Ruby:

  ENV["TZ"] = "Europe/Moscow"
  Time.local(2014, 10, 26, 1, 0, 0)   # => 2014-10-26 01:00:00 +0300
  

  Before:

  >> "2014-10-26 01:00:00".in_time_zone("Moscow")
  TZInfo::AmbiguousTime: 26/10/2014 01:00 is an ambiguous local time.
  

  After:

  >> "2014-10-26 01:00:00".in_time_zone("Moscow")
  => Sun, 26 Oct 2014 01:00:00 MSK +03:00
  

  Fixes #17395.

  Andrew White

• Redis cache store.

  # Defaults to `redis://localhost:6379/0`. Only use for dev/test.
  config.cache_store = :redis_cache_store
  
  # Supports all common cache store options (:namespace, :compress,
  # :compress_threshold, :expires_in, :race_condition_ttl) and all
  # Redis options.
  cache_password = Rails.application.secrets.redis_cache_password
  config.cache_store = :redis_cache_store, driver: :hiredis,
    namespace: 'myapp-cache', compress: true, timeout: 1,
    url: "redis://:#{cache_password}@myapp-cache-1:6379/0"
  
  # Supports Redis::Distributed with multiple hosts
  config.cache_store = :redis_cache_store, driver: :hiredis
    namespace: 'myapp-cache', compress: true,
    url: %w[
      redis://myapp-cache-1:6379/0
      redis://myapp-cache-1:6380/0
      redis://myapp-cache-2:6379/0
      redis://myapp-cache-2:6380/0
      redis://myapp-cache-3:6379/0
      redis://myapp-cache-3:6380/0
    ]
  
  # Or pass a builder block
  config.cache_store = :redis_cache_store,
    namespace: 'myapp-cache', compress: true,
    redis: -> { Redis.new … }
  

  Deployment note: Take care to use a dedicated Redis cache rather than pointing this at your existing Redis server. It won't cope well with mixed usage patterns and it won't expire cache entries by default.

  Redis cache server setup guide: https://redis.io/topics/lru-cache

  Jeremy Daer

• Cache: Enable compression by default for values > 1kB.

  Compression has long been available, but opt-in and at a 16kB threshold. It wasn't enabled by default due to CPU cost. Today it's cheap and typical cache data is eminently compressible, such as HTML or JSON fragments. Compression dramatically reduces Memcached/Redis mem usage, which means the same cache servers can store more data, which means higher hit rates.

  To disable compression, pass compress: false to the initializer.

  Jeremy Daer

• Allow Range#include? on TWZ ranges.

  In #11474 we prevented TWZ ranges being iterated over which matched Ruby's handling of Time ranges and as a consequence include? stopped working with both Time ranges and TWZ ranges. However in ruby/ruby@b061634 support was added for include? to use cover? for 'linear' objects. Since we have no way of making Ruby consider TWZ instances as 'linear' we have to override Range#include?.

  Fixes #30799.

  Andrew White

• Fix acronym support in humanize.

  Acronym inflections are stored with lowercase keys in the hash but the match wasn't being lowercased before being looked up in the hash. This shouldn't have any performance impact because before it would fail to find the acronym and perform the downcase operation anyway.

  Fixes #31052.

  Andrew White

• Add same method signature for Time#prev_year and Time#next_year in accordance with Date#prev_year, Date#next_year.

  Allows pass argument for Time#prev_year and Time#next_year.

  Before:

  Time.new(2017, 9, 16, 17, 0).prev_year    # => 2016-09-16 17:00:00 +0300
  Time.new(2017, 9, 16, 17, 0).prev_year(1)
  # => ArgumentError: wrong number of arguments (given 1, expected 0)
  
  Time.new(2017, 9, 16, 17, 0).next_year    # => 2018-09-16 17:00:00 +0300
  Time.new(2017, 9, 16, 17, 0).next_year(1)
  # => ArgumentError: wrong number of arguments (given 1, expected 0)
  

  After:

  Time.new(2017, 9, 16, 17, 0).prev_year    # => 2016-09-16 17:00:00 +0300
  Time.new(2017, 9, 16, 17, 0).prev_year(1) # => 2016-09-16 17:00:00 +0300
  
  Time.new(2017, 9, 16, 17, 0).next_year    # => 2018-09-16 17:00:00 +0300
  Time.new(2017, 9, 16, 17, 0).next_year(1) # => 2018-09-16 17:00:00 +0300
  

  bogdanvlviv

• Add same method signature for Time#prev_month and Time#next_month in accordance with Date#prev_month, Date#next_month.

  Allows pass argument for Time#prev_month and Time#next_month.

  Before:

  Time.new(2017, 9, 16, 17, 0).prev_month    # => 2017-08-16 17:00:00 +0300
  Time.new(2017, 9, 16, 17, 0).prev_month(1)
  # => ArgumentError: wrong number of arguments (given 1, expected 0)
  
  Time.new(2017, 9, 16, 17, 0).next_month    # => 2017-10-16 17:00:00 +0300
  Time.new(2017, 9, 16, 17, 0).next_month(1)
  # => ArgumentError: wrong number of arguments (given 1, expected 0)
  

  After:

  Time.new(2017, 9, 16, 17, 0).prev_month    # => 2017-08-16 17:00:00 +0300
  Time.new(2017, 9, 16, 17, 0).prev_month(1) # => 2017-08-16 17:00:00 +0300
  
  Time.new(2017, 9, 16, 17, 0).next_month    # => 2017-10-16 17:00:00 +0300
  Time.new(2017, 9, 16, 17, 0).next_month(1) # => 2017-10-16 17:00:00 +0300
  

  bogdanvlviv

• Add same method signature for Time#prev_day and Time#next_day in accordance with Date#prev_day, Date#next_day.

  Allows pass argument for Time#prev_day and Time#next_day.

  Before:

  Time.new(2017, 9, 16, 17, 0).prev_day    # => 2017-09-15 17:00:00 +0300
  Time.new(2017, 9, 16, 17, 0).prev_day(1)
  # => ArgumentError: wrong number of arguments (given 1, expected 0)
  
  Time.new(2017, 9, 16, 17, 0).next_day    # => 2017-09-17 17:00:00 +0300
  Time.new(2017, 9, 16, 17, 0).next_day(1)
  # => ArgumentError: wrong number of arguments (given 1, expected 0)
  

  After:

  Time.new(2017, 9, 16, 17, 0).prev_day    # => 2017-09-15 17:00:00 +0300
  Time.new(2017, 9, 16, 17, 0).prev_day(1) # => 2017-09-15 17:00:00 +0300
  
  Time.new(2017, 9, 16, 17, 0).next_day    # => 2017-09-17 17:00:00 +0300
  Time.new(2017, 9, 16, 17, 0).next_day(1) # => 2017-09-17 17:00:00 +0300
  

  bogdanvlviv

• IO#to_json now returns the to_s representation, rather than attempting to convert to an array. This fixes a bug where IO#to_json would raise an IOError when called on an unreadable object.

  Fixes #26132.

  Paul Kuruvilla

• Remove deprecated halt_callback_chains_on_return_false option.

  Rafael Mendonça França

• Remove deprecated :if and :unless string filter for callbacks.

  Rafael Mendonça França

• Hash#slice now falls back to Ruby 2.5+'s built-in definition if defined.

  Akira Matsuda

• Deprecate secrets.secret_token.

  The architecture for secrets had a big upgrade between Rails 3 and Rails 4, when the default changed from using secret_token to secret_key_base.

  secret_token has been soft deprecated in documentation for four years but is still in place to support apps created before Rails 4. Deprecation warnings have been added to help developers upgrade their applications to secret_key_base.

  claudiob, Kasper Timm Hansen

• Return an instance of HashWithIndifferentAccess from HashWithIndifferentAccess#transform_keys.

  Yuji Yaginuma

• Add key rotation support to MessageEncryptor and MessageVerifier.

  This change introduces a rotate method to both the MessageEncryptor and MessageVerifier classes. This method accepts the same arguments and options as the given classes' constructor. The encrypt_and_verify method for MessageEncryptor and the verified method for MessageVerifier also accept an optional keyword argument :on_rotation block which is called when a rotated instance is used to decrypt or verify the message.

  Michael J Coyne

• Deprecate Module#reachable? method.

  bogdanvlviv

• Add config/credentials.yml.enc to store production app secrets.

  Allows saving any authentication credentials for third party services directly in repo encrypted with config/master.key or ENV["RAILS_MASTER_KEY"].

  This will eventually replace Rails.application.secrets and the encrypted secrets introduced in Rails 5.1.

  DHH, Kasper Timm Hansen

• Add ActiveSupport::EncryptedFile and ActiveSupport::EncryptedConfiguration.

  Allows for stashing encrypted files or configuration directly in repo by encrypting it with a key.

  Backs the new credentials setup above, but can also be used independently.

  DHH, Kasper Timm Hansen

• Module#delegate_missing_to now raises DelegationError if target is nil, similar to Module#delegate.

  Anton Khamets

• Update String#camelize to provide feedback when wrong option is passed.

  String#camelize was returning nil without any feedback when an invalid option was passed as a parameter.

  Previously:

  'one_two'.camelize(true)
  # => nil
  

  Now:

  'one_two'.camelize(true)
  # => ArgumentError: Invalid option, use either :upper or :lower.
  

  Ricardo Díaz

• Fix modulo operations involving durations.

  Rails 5.1 introduced ActiveSupport::Duration::Scalar as a wrapper around numeric values as a way of ensuring a duration was the outcome of an expression. However, the implementation was missing support for modulo operations. This support has now been added and should result in a duration being returned from expressions involving modulo operations.

  Prior to Rails 5.1:

  5.minutes % 2.minutes
  # => 60
  

  Now:

  5.minutes % 2.minutes
  # => 1 minute
  

  Fixes #29603 and #29743.

  Sayan Chakraborty, Andrew White

• Fix division where a duration is the denominator.

  PR #29163 introduced a change in behavior when a duration was the denominator in a calculation - this was incorrect as dividing by a duration should always return a Numeric. The behavior of previous versions of Rails has been restored.

  Fixes #29592.

  Andrew White

• Add purpose and expiry support to ActiveSupport::MessageVerifier and ActiveSupport::MessageEncryptor.

  For instance, to ensure a message is only usable for one intended purpose:

  token = @verifier.generate("x", purpose: :shipping)
  
  @verifier.verified(token, purpose: :shipping) # => "x"
  @verifier.verified(token)                     # => nil
  

  Or make it expire after a set time:

  @verifier.generate("x", expires_in: 1.month)
  @verifier.generate("y", expires_at: Time.now.end_of_year)
  

  Showcased with ActiveSupport::MessageVerifier, but works the same for ActiveSupport::MessageEncryptor's encrypt_and_sign and decrypt_and_verify.

  Pull requests: #29599, #29854

  Assain Jaleel

• Make the order of Hash#reverse_merge! consistent with HashWithIndifferentAccess.

  Erol Fornoles

• Add freeze_time helper which freezes time to Time.now in tests.

  Prathamesh Sonpatki

• Default ActiveSupport::MessageEncryptor to use AES 256 GCM encryption.

  On for new Rails 5.2 apps. Upgrading apps can find the config as a new framework default.

  Assain Jaleel

• Cache: write_multi.

  Rails.cache.write_multi foo: 'bar', baz: 'qux'
  

  Plus faster fetch_multi with stores that implement write_multi_entries. Keys that aren't found may be written to the cache store in one shot instead of separate writes.

  The default implementation simply calls write_entry for each entry. Stores may override if they're capable of one-shot bulk writes, like Redis MSET.

  Jeremy Daer

• Add default option to module and class attribute accessors.

  mattr_accessor :settings, default: {}
  

  Works for mattr_reader, mattr_writer, cattr_accessor, cattr_reader, and cattr_writer as well.

  Genadi Samokovarov

• Add Date#prev_occurring and Date#next_occurring to return specified next/previous occurring day of week.

  Shota Iguchi

• Add default option to class_attribute.

  Before:

  class_attribute :settings
  self.settings = {}
  

  Now:

  class_attribute :settings, default: {}
  

  DHH

• #singularize and #pluralize now respect uncountables for the specified locale.

  Eilis Hamilton

• Add ActiveSupport::CurrentAttributes to provide a thread-isolated attributes singleton. Primary use case is keeping all the per-request attributes easily available to the whole system.

  DHH

• Fix implicit coercion calculations with scalars and durations.

  Previously, calculations where the scalar is first would be converted to a duration of seconds, but this causes issues with dates being converted to times, e.g:

  Time.zone = "Beijing"           # => Asia/Shanghai
  date = Date.civil(2017, 5, 20)  # => Mon, 20 May 2017
  2 * 1.day                       # => 172800 seconds
  date + 2 * 1.day                # => Mon, 22 May 2017 00:00:00 CST +08:00
  

  Now, the ActiveSupport::Duration::Scalar calculation methods will try to maintain the part structure of the duration where possible, e.g:

  Time.zone = "Beijing"           # => Asia/Shanghai
  date = Date.civil(2017, 5, 20)  # => Mon, 20 May 2017
  2 * 1.day                       # => 2 days
  date + 2 * 1.day                # => Mon, 22 May 2017
  

  Fixes #29160, #28970.

  Andrew White

• Add support for versioned cache entries. This enables the cache stores to recycle cache keys, greatly saving on storage in cases with frequent churn. Works together with the separation of #cache_key and #cache_version in Active Record and its use in Action Pack's fragment caching.

  DHH

• Pass gem name and deprecation horizon to deprecation notifications.

  Willem van Bergen

• Add support for :offset and :zone to ActiveSupport::TimeWithZone#change.

  Andrew White

• Add support for :offset to Time#change.

  Fixes #28723.

  Andrew White

• Add fetch_values for HashWithIndifferentAccess.

  The method was originally added to Hash in Ruby 2.3.0.

  Josh Pencheon

Please check 5-1-stable for previous changes.