
chore(action-scripts): update dependency activesupport to '~> 8.1', '>= 8.1.3' #157

Merged
renovate[bot] merged 1 commit into main from renovate/action-scriptsactivesupport
Mar 26, 2026
@renovate renovate bot commented Mar 25, 2026

This PR contains the following updates:

Package | Change | Age | Confidence
activesupport (source, changelog) | '~> 8.1', '>= 8.1.2' → '~> 8.1', '>= 8.1.3' | age | confidence

Release Notes

rails/rails (activesupport)

v8.1.3: 8.1.3


Active Support

  • Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

    When hash keys are custom objects whose as_json returns a Hash,
    the encoder now calls to_s on the original key object instead of
    on the as_json result.

    Before:
    hash = {CustomKey.new(123) => "value"}
    hash.to_json # => {"{:id=>123}":"value"}

    After:
    hash.to_json # => {"custom_123":"value"}

    Dan Sharp

  • Fix inflections to better handle overlapping acronyms.

    ActiveSupport::Inflector.inflections(:en) do |inflect|
      inflect.acronym "USD"
      inflect.acronym "USDC"
    end
    
    "USDC".underscore # => "usdc"

    Said Kaldybaev

  • Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

    zzak

Active Model

  • Fix Ruby 4.0 delegator warning when calling inspect on attributes.

    Hammad Khan

  • Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

    The performance optimisation that replaced @range with @max/@min
    broke Marshal compatibility. Objects serialised under 8.0 (with @range)
    and deserialised under 8.1 (expecting @max/@min) would crash with
    undefined method '<=' for nil because Marshal.load restores instance
    variables without calling initialize.

    Edward Woodcock

Active Record

  • Fix insert_all and upsert_all log message when called on anonymous classes.

    Gabriel Sobrinho

  • Respect ActiveRecord::SchemaDumper.ignore_tables when dumping SQLite virtual tables.

    Hans Schnedlitz

  • Restore previous instrumenter after execute_or_skip

    FutureResult#execute_or_skip replaces the thread's instrumenter with an
    EventBuffer to collect events published during async query execution.
    If the global async executor is saturated and the caller_runs fallback
    executes the task on the calling thread, we need to make sure the previous
    instrumenter is restored or the stale EventBuffer would stay in place and
    permanently swallow all subsequent sql.active_record notifications on
    that thread.

    Rosa Gutierrez

  • Bump the minimum PostgreSQL version to 9.5, due to usage of array_position function.

    Ivan Kuchin

  • Fix Ruby 4.0 delegator warning when calling inspect on ActiveRecord::Type::Serialized.

    Hammad Khan

  • Fix support for table names containing hyphens.

    Evgeniy Demin

  • Fix column deduplication for SQLite3 and PostgreSQL virtual (generated) columns.

    Column#== and Column#hash now account for virtual? so that the
    Deduplicable registry does not treat a generated column and a regular
    column with the same name and type as identical. Previously, if a
    generated column was registered first, a regular column on a different
    table could be deduplicated to the generated instance, silently
    excluding it from INSERT/UPDATE statements.

    Jay Huber

  • Fix PostgreSQL schema dumping to handle schema-qualified table names in foreign_key references that span different schemas.

    Before:
    add_foreign_key "hst.event_log_attributes", "hst.event_logs" # emits correctly because they're in the same schema (hst)
    add_foreign_key "hst.event_log_attributes", "hst.usr.user_profiles", column: "created_by_id" # emits hst.user.* when user.* is expected

    After:
    add_foreign_key "hst.event_log_attributes", "hst.event_logs"
    add_foreign_key "hst.event_log_attributes", "usr.user_profiles", column: "created_by_id"

    Chiperific

Action View

  • Fix encoding errors for string locals containing non-ASCII characters.

    Kataoka Katsuki

  • Fix collection caching to only forward expires_in argument if explicitly set.

    Pieter Visser

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • Fix ActiveStorage::Blob content type predicate methods to handle nil.

    Daichi KUDO

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • Add libvips to generated ci.yml

    Conditionally adds libvips to ci.yml.

    Steve Polito

Guides

  • No changes.

v8.1.2.1: 8.1.2.1


Active Support

  • Reject scientific notation in NumberConverter

    [CVE-2026-33176]

    Jean Boussier

  • Fix SafeBuffer#% to preserve unsafe status

    [CVE-2026-33170]

    Jean Boussier

  • Improve performance of NumberToDelimitedConverter

    [CVE-2026-33169]

    Jean Boussier

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • Skip blank attribute names in tag helpers to avoid generating invalid HTML.

    [CVE-2026-33168]

    Mike Dalessio

Action Pack

  • Fix possible XSS in DebugExceptions middleware

    [CVE-2026-33167]

    John Hawthorn

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • Filter user supplied metadata in DirectUploadController

    [CVE-2026-33173]

    Jean Boussier

  • Configurable maximum streaming chunk size

    Makes sure that byte ranges for blobs don't exceed 100mb by default.
    Content ranges that are too big can result in denial of service.

    [CVE-2026-33174]

    Gannon McGibbon

  • Limit range requests to a single range

    [CVE-2026-33658]

    Jean Boussier

  • Prevent path traversal in DiskService.

    DiskService#path_for now raises an InvalidKeyError when passed keys with dot segments (".",
    ".."), or if the resolved path is outside the storage root directory.

    #path_for also now consistently raises InvalidKeyError if the key is invalid in any way, for
    example containing null bytes or having an incompatible encoding. Previously, the exception
    raised may have been ArgumentError or Encoding::CompatibilityError.

    DiskController now explicitly rescues InvalidKeyError with appropriate HTTP status codes.

    [CVE-2026-33195]

    Mike Dalessio

  • Prevent glob injection in DiskService#delete_prefixed.

    Escape glob metacharacters in the resolved path before passing to Dir.glob.

    Note that this change breaks any existing code that is relying on delete_prefixed to expand
    glob metacharacters. This change presumes that is unintended behavior (as other storage services
    do not respect these metacharacters).

    [CVE-2026-33202]

    Mike Dalessio

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

Guides

  • No changes.

Configuration

📅 Schedule: Branch creation - "before 4am every weekday" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
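
The two DiskService entries in the 8.1.2.1 notes above (CVE-2026-33195 and CVE-2026-33202) describe a key-containment check and literal handling of glob metacharacters. The sketch below shows both checks as an added example; it is not Rails code or part of this PR, and `SketchDiskStore`, `GLOB_META` and `demo` are hypothetical names (POSIX path separators assumed).

```ruby
require "tmpdir"

class InvalidKeyError < StandardError; end # name taken from the notes; class is a stand-in

# Hypothetical disk store for illustration; not Active Storage's DiskService.
class SketchDiskStore
  GLOB_META = /[\\*?\[\]{}]/ # characters Dir.glob treats specially

  def initialize(root)
    @root = File.realpath(root)
  end

  # Resolve key under the root; every invalid key raises the same error class.
  def path_for(key)
    key = String(key)
    raise InvalidKeyError, "empty key" if key.empty?
    raise InvalidKeyError, "invalid encoding" unless key.valid_encoding?
    raise InvalidKeyError, "null byte" if key.include?("\0")
    raise InvalidKeyError, "dot segment" if key.split("/").any? { |s| s == "." || s == ".." }
    path = File.expand_path(File.join(@root, key))
    raise InvalidKeyError, "outside root" unless path.start_with?(@root + File::SEPARATOR)
    path
  rescue ArgumentError, EncodingError => e
    raise InvalidKeyError, e.message
  end

  # Treat the prefix literally: escape glob metacharacters in the resolved path.
  def delete_prefixed(prefix)
    pattern = path_for(prefix).gsub(GLOB_META) { |m| "\\#{m}" } + "*"
    Dir.glob(pattern).each { |f| File.delete(f) if File.file?(f) }
  end
end

# Constructed demo data: returns [rejected keys, files left in logs/].
def demo
  Dir.mktmpdir do |dir|
    store = SketchDiskStore.new(dir)
    Dir.mkdir(File.join(dir, "logs"))
    ["a1", "ab", "[ab]x"].each { |n| File.write(store.path_for("logs/#{n}"), "") }
    store.delete_prefixed("logs/[ab]") # literal prefix, not a character class
    rejected = ["../x", "a/./b", "a\0b", ""].select do |k|
      store.path_for(k) && false
    rescue InvalidKeyError
      true
    end
    [rejected, Dir.children(File.join(dir, "logs")).sort]
  end
end
```

Without the escaping step, the prefix `logs/[ab]` would expand as a character class and delete `a1` and `ab` instead of the file literally named `[ab]x`.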

@renovate renovate bot requested a review from panicboat as a code owner March 25, 2026 18:28
@renovate renovate bot force-pushed the renovate/action-scriptsactivesupport branch from dac4219 to eeb4841 Compare March 25, 2026 21:53
@renovate renovate bot changed the title chore(action-scripts): update dependency activesupport to '~> 8.1', '>= 8.1.2.1' chore(action-scripts): update dependency activesupport to '~> 8.1', '>= 8.1.3' Mar 25, 2026
@renovate renovate bot merged commit fa7ce3d into main Mar 26, 2026
3 checks passed
@renovate renovate bot deleted the renovate/action-scriptsactivesupport branch March 26, 2026 00:51