Skip to content

Bump the rails-gems group across 1 directory with 12 updates#6248

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/bundler/rails-gems-f84e2dbc3e
Open

Bump the rails-gems group across 1 directory with 12 updates#6248
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/bundler/rails-gems-f84e2dbc3e

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 9, 2026

Copy link
Copy Markdown
Contributor

Bumps the rails-gems group with 1 update in the / directory: rails.

Updates rails from 8.0.5 to 8.1.3

Release notes

Sourced from rails's releases.

8.1.3

Active Support

  • Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

    When hash keys are custom objects whose as_json returns a Hash, the encoder now calls to_s on the original key object instead of on the as_json result.

    Before: hash = {CustomKey.new(123) => "value"} hash.to_json # => {"{:id=>123}":"value"}

    After: hash.to_json # => {"custom_123":"value"}

    Dan Sharp

  • Fix inflections to better handle overlapping acronyms.

    ActiveSupport::Inflector.inflections(:en) do |inflect|
      inflect.acronym "USD"
      inflect.acronym "USDC"
    end
    "USDC".underscore # => "usdc"

    Said Kaldybaev

  • Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

    zzak

Active Model

  • Fix Ruby 4.0 delegator warning when calling inspect on attributes.

    Hammad Khan

  • Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

    The performance optimisation that replaced @range with @max/@min broke Marshal compatibility. Objects serialised under 8.0 (with @range) and deserialised under 8.1 (expecting @max/@min) would crash with undefined method '<=' for nil because Marshal.load restores instance variables without calling initialize.

... (truncated)

Commits
  • fa8f081 Preparing for 8.1.3 release
  • 63cef3d Merge branch '8-1-sec' into 8-1-stable
  • 1db4b89 Preparing for 8.1.2.1 release
  • 1c7d1cf Update changelog
  • e91694b Update CHANGELOG (8.1 only)
  • 6752711 Fix XSS in debug exceptions copy-to-clipboard
  • 63f5ad8 Skip blank attribute names in Action View tag helpers
  • 8c9676b Prevent glob injection in ActiveStorage DiskService#delete_prefixed
  • 9b06fbc Prevent path traversal in ActiveStorage DiskService
  • ec1a0e2 Improve performance of NumberToDelimitedConverter
  • Additional commits viewable in compare view

Updates actioncable from 8.0.5 to 8.1.3

Release notes

Sourced from actioncable's releases.

8.1.3

Active Support

  • Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

    When hash keys are custom objects whose as_json returns a Hash, the encoder now calls to_s on the original key object instead of on the as_json result.

    Before: hash = {CustomKey.new(123) => "value"} hash.to_json # => {"{:id=>123}":"value"}

    After: hash.to_json # => {"custom_123":"value"}

    Dan Sharp

  • Fix inflections to better handle overlapping acronyms.

    ActiveSupport::Inflector.inflections(:en) do |inflect|
      inflect.acronym "USD"
      inflect.acronym "USDC"
    end
    "USDC".underscore # => "usdc"

    Said Kaldybaev

  • Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

    zzak

Active Model

  • Fix Ruby 4.0 delegator warning when calling inspect on attributes.

    Hammad Khan

  • Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

    The performance optimisation that replaced @range with @max/@min broke Marshal compatibility. Objects serialised under 8.0 (with @range) and deserialised under 8.1 (expecting @max/@min) would crash with undefined method '<=' for nil because Marshal.load restores instance variables without calling initialize.

... (truncated)

Changelog

Sourced from actioncable's changelog.

Rails 8.1.3 (March 24, 2026)

  • No changes.

Rails 8.1.2.1 (March 23, 2026)

  • No changes.

Rails 8.1.2 (January 08, 2026)

  • No changes.

Rails 8.1.1 (October 28, 2025)

  • No changes.

Rails 8.1.0 (October 22, 2025)

  • Allow passing composite channels to ActionCable::Channel#stream_for – e.g. stream_for [ group, group.owner ]

    hey-leon

  • Allow setting nil as subscription connection identifier for Redis.

    Nguyen Nguyen

Please check 8-0-stable for previous changes.

Commits
  • fa8f081 Preparing for 8.1.3 release
  • 1db4b89 Preparing for 8.1.2.1 release
  • d7c8ae6 Preparing for 8.1.2 release
  • 90a1eaa Preparing for 8.1.1 release
  • df9f432 Allow methods starting with underscore to be action methods.
  • 53c4ed8 Merge pull request #55973 from rails/fix-ci
  • 1cdd190 Preparing for 8.1.0 release
  • 1ace683 Preparing for 8.1.0.rc1 release
  • b92d302 Address Can not start microsoftedge 17.17134 (Windows 10) error
  • 207a254 ActiveSupport::Callbacks add a fast path when there is no callbacks
  • Additional commits viewable in compare view

Updates actionmailbox from 8.0.5 to 8.1.3

Release notes

Sourced from actionmailbox's releases.

8.1.3

Active Support

  • Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

    When hash keys are custom objects whose as_json returns a Hash, the encoder now calls to_s on the original key object instead of on the as_json result.

    Before: hash = {CustomKey.new(123) => "value"} hash.to_json # => {"{:id=>123}":"value"}

    After: hash.to_json # => {"custom_123":"value"}

    Dan Sharp

  • Fix inflections to better handle overlapping acronyms.

    ActiveSupport::Inflector.inflections(:en) do |inflect|
      inflect.acronym "USD"
      inflect.acronym "USDC"
    end
    "USDC".underscore # => "usdc"

    Said Kaldybaev

  • Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

    zzak

Active Model

  • Fix Ruby 4.0 delegator warning when calling inspect on attributes.

    Hammad Khan

  • Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

    The performance optimisation that replaced @range with @max/@min broke Marshal compatibility. Objects serialised under 8.0 (with @range) and deserialised under 8.1 (expecting @max/@min) would crash with undefined method '<=' for nil because Marshal.load restores instance variables without calling initialize.

... (truncated)

Changelog

Sourced from actionmailbox's changelog.

Rails 8.1.3 (March 24, 2026)

  • No changes.

Rails 8.1.2.1 (March 23, 2026)

  • No changes.

Rails 8.1.2 (January 08, 2026)

  • No changes.

Rails 8.1.1 (October 28, 2025)

  • No changes.

Rails 8.1.0 (October 22, 2025)

  • Add reply_to_address extension method on Mail::Message.

    Mr0grog

Please check 8-0-stable for previous changes.

Commits
  • fa8f081 Preparing for 8.1.3 release
  • 1db4b89 Preparing for 8.1.2.1 release
  • d7c8ae6 Preparing for 8.1.2 release
  • 90a1eaa Preparing for 8.1.1 release
  • 53c4ed8 Merge pull request #55973 from rails/fix-ci
  • 1cdd190 Preparing for 8.1.0 release
  • 1ace683 Preparing for 8.1.0.rc1 release
  • 80827ca Preparing for 8.1.0.beta1 release
  • f3e0670 Remove deprecated :azure storage service
  • a99903d Bump RuboCop to fix some transient failures
  • Additional commits viewable in compare view

Updates actionmailer from 8.0.5 to 8.1.3

Release notes

Sourced from actionmailer's releases.

8.1.3

Active Support

  • Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

    When hash keys are custom objects whose as_json returns a Hash, the encoder now calls to_s on the original key object instead of on the as_json result.

    Before: hash = {CustomKey.new(123) => "value"} hash.to_json # => {"{:id=>123}":"value"}

    After: hash.to_json # => {"custom_123":"value"}

    Dan Sharp

  • Fix inflections to better handle overlapping acronyms.

    ActiveSupport::Inflector.inflections(:en) do |inflect|
      inflect.acronym "USD"
      inflect.acronym "USDC"
    end
    "USDC".underscore # => "usdc"

    Said Kaldybaev

  • Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

    zzak

Active Model

  • Fix Ruby 4.0 delegator warning when calling inspect on attributes.

    Hammad Khan

  • Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

    The performance optimisation that replaced @range with @max/@min broke Marshal compatibility. Objects serialised under 8.0 (with @range) and deserialised under 8.1 (expecting @max/@min) would crash with undefined method '<=' for nil because Marshal.load restores instance variables without calling initialize.

... (truncated)

Changelog

Sourced from actionmailer's changelog.

Rails 8.1.3 (March 24, 2026)

  • No changes.

Rails 8.1.2.1 (March 23, 2026)

  • No changes.

Rails 8.1.2 (January 08, 2026)

  • No changes.

Rails 8.1.1 (October 28, 2025)

  • No changes.

Rails 8.1.0 (October 22, 2025)

  • Add structured events for Action Mailer:

    • action_mailer.delivered
    • action_mailer.processed

    Gannon McGibbon

  • Add deliver_all_later to enqueue multiple emails at once.

    user_emails = User.all.map { |user| Notifier.welcome(user) }
    ActionMailer.deliver_all_later(user_emails)
    use a custom queue
    ActionMailer.deliver_all_later(user_emails, queue: :my_queue)

    This can greatly reduce the number of round-trips to the queue datastore. For queue adapters that do not implement the enqueue_all method, we fall back to enqueuing email jobs indvidually.

    fatkodima

Please check 8-0-stable for previous changes.

Commits
  • fa8f081 Preparing for 8.1.3 release
  • 1db4b89 Preparing for 8.1.2.1 release
  • d7c8ae6 Preparing for 8.1.2 release
  • dc94813 Merge pull request #56050 from jclusso/fix-stylesheet-tag-nonce-mailer
  • 90a1eaa Preparing for 8.1.1 release
  • df9f432 Allow methods starting with underscore to be action methods.
  • 53c4ed8 Merge pull request #55973 from rails/fix-ci
  • f77a1c3 Require 'rails' at the top of railltie files to ensure Rails is loaded first
  • 1cdd190 Preparing for 8.1.0 release
  • 1ace683 Preparing for 8.1.0.rc1 release
  • Additional commits viewable in compare view

Updates actionpack from 8.0.5 to 8.1.3

Release notes

Sourced from actionpack's releases.

8.1.3

Active Support

  • Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

    When hash keys are custom objects whose as_json returns a Hash, the encoder now calls to_s on the original key object instead of on the as_json result.

    Before: hash = {CustomKey.new(123) => "value"} hash.to_json # => {"{:id=>123}":"value"}

    After: hash.to_json # => {"custom_123":"value"}

    Dan Sharp

  • Fix inflections to better handle overlapping acronyms.

    ActiveSupport::Inflector.inflections(:en) do |inflect|
      inflect.acronym "USD"
      inflect.acronym "USDC"
    end
    "USDC".underscore # => "usdc"

    Said Kaldybaev

  • Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

    zzak

Active Model

  • Fix Ruby 4.0 delegator warning when calling inspect on attributes.

    Hammad Khan

  • Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

    The performance optimisation that replaced @range with @max/@min broke Marshal compatibility. Objects serialised under 8.0 (with @range) and deserialised under 8.1 (expecting @max/@min) would crash with undefined method '<=' for nil because Marshal.load restores instance variables without calling initialize.

... (truncated)

Changelog

Sourced from actionpack's changelog.

Rails 8.1.3 (March 24, 2026)

  • No changes.

Rails 8.1.2.1 (March 23, 2026)

  • No changes.

Rails 8.1.2 (January 08, 2026)

  • Add config.action_controller.live_streaming_excluded_keys to control execution state sharing in ActionController::Live.

    When using ActionController::Live, actions are executed in a separate thread that shares state from the parent thread. This new configuration allows applications to opt-out specific state keys that should not be shared.

    This is useful when streaming inside a connected_to block, where you may want the streaming thread to use its own database connection context.

    # config/application.rb
    config.action_controller.live_streaming_excluded_keys = [:active_record_connected_to_stack]

    By default, all keys are shared.

    Eileen M. Uchitelle

  • Fix IpSpoofAttackError message to include Forwarded header content.

    Without it, the error message may be misleading.

    zzak

Rails 8.1.1 (October 28, 2025)

  • Allow methods starting with underscore to be action methods.

    Disallowing methods starting with an underscore from being action methods was an unintended side effect of the performance optimization in 207a254.

    Fixes #55985.

    Rafael Mendonça França

... (truncated)

Commits
  • fa8f081 Preparing for 8.1.3 release
  • 63cef3d Merge branch '8-1-sec' into 8-1-stable
  • 1db4b89 Preparing for 8.1.2.1 release
  • 6752711 Fix XSS in debug exceptions copy-to-clipboard
  • 10c6e0e Merge pull request #56750 from nicolasva/fix/UnknownHttpMethod
  • cce61db Merge pull request #56820 from ybiquitous/improve-apidoc-for-ActionDispatch_I...
  • d7c8ae6 Preparing for 8.1.2 release
  • df98a0d Merge pull request #56440 from zzak/ac-live-streaming-keys-typo
  • 0f8014a [8-1-stable] Minitest 6 support
  • 991ccf3 Merge pull request #56393 from rails/add-exclude-keys-to-live-controller
  • Additional commits viewable in compare view

Updates actiontext from 8.0.5 to 8.1.3

Release notes

Sourced from actiontext's releases.

8.1.3

Active Support

  • Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

    When hash keys are custom objects whose as_json returns a Hash, the encoder now calls to_s on the original key object instead of on the as_json result.

    Before: hash = {CustomKey.new(123) => "value"} hash.to_json # => {"{:id=>123}":"value"}

    After: hash.to_json # => {"custom_123":"value"}

    Dan Sharp

  • Fix inflections to better handle overlapping acronyms.

    ActiveSupport::Inflector.inflections(:en) do |inflect|
      inflect.acronym "USD"
      inflect.acronym "USDC"
    end
    "USDC".underscore # => "usdc"

    Said Kaldybaev

  • Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

    zzak

Active Model

  • Fix Ruby 4.0 delegator warning when calling inspect on attributes.

    Hammad Khan

  • Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

    The performance optimisation that replaced @range with @max/@min broke Marshal compatibility. Objects serialised under 8.0 (with @range) and deserialised under 8.1 (expecting @max/@min) would crash with undefined method '<=' for nil because Marshal.load restores instance variables without calling initialize.

... (truncated)

Changelog

Sourced from actiontext's changelog.

Rails 8.1.3 (March 24, 2026)

  • No changes.

Rails 8.1.2.1 (March 23, 2026)

  • No changes.

Rails 8.1.2 (January 08, 2026)

  • No changes.

Rails 8.1.1 (October 28, 2025)

  • No changes.

Rails 8.1.0 (October 22, 2025)

  • De-couple @rails/actiontext/attachment_upload.js from Trix.Attachment

    Implement @rails/actiontext/index.js with a direct-upload:progress event listeners and Promise resolution.

    Sean Doyle

  • Capture block content for form helper methods

    <%= rich_textarea_tag :content, nil do %>
      <h1>hello world</h1>
    <% end %>
    <!-- <input type="hidden" name="content" id="trix_input_1" value="&lt;h1&gt;hello world&lt;/h1&gt;"/><trix-editor … -->
    <%= rich_textarea :message, :content, input: "trix_input_1" do %>
    <h1>hello world</h1>
    <% end %>
    <!-- <input type="hidden" name="message[content]" id="trix_input_1" value="&lt;h1&gt;hello world&lt;/h1&gt;"/><trix-editor … -->
    <%= form_with model: Message.new do |form| %>
    <%= form.rich_textarea :content do %>
    <h1>hello world</h1>
    <% end %>
    <% end %>
    <!-- <form action="/messages" accept-charset="UTF-8" method="post"><input type="hidden" name="message[content]" id="message_content_trix_input_message" value="&lt;h1&gt;hello world&lt;/h1&gt;"/><trix-editor … -->

... (truncated)

Commits
  • fa8f081 Preparing for 8.1.3 release
  • 1db4b89 Preparing for 8.1.2.1 release
  • d7c8ae6 Preparing for 8.1.2 release
  • 90a1eaa Preparing for 8.1.1 release
  • 53c4ed8 Merge pull request #55973 from rails/fix-ci
  • 1cdd190 Preparing for 8.1.0 release
  • 5e231ae Merge pull request #54914 from chaadow/fix_autoloaded_content_helper
  • 1ace683 Preparing for 8.1.0.rc1 release
  • 8c624be De-couple @rails/actiontext/attachment_upload.js from Trix.Attachment
  • 9825b1b Action Text: change tag helpers to accept optional blocks
  • Additional commits viewable in compare view

Updates actionview from 8.0.5 to 8.1.3

Release notes

Sourced from actionview's releases.

8.1.3

Active Support

  • Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

    When hash keys are custom objects whose as_json returns a Hash, the encoder now calls to_s on the original key object instead of on the as_json result.

    Before: hash = {CustomKey.new(123) => "value"} hash.to_json # => {"{:id=>123}":"value"}

    After: hash.to_json # => {"custom_123":"value"}

    Dan Sharp

  • Fix inflections to better handle overlapping acronyms.

    ActiveSupport::Inflector.inflections(:en) do |inflect|
      inflect.acronym "USD"
      inflect.acronym "USDC"
    end
    "USDC".underscore # => "usdc"

    Said Kaldybaev

  • Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

    zzak

Active Model

  • Fix Ruby 4.0 delegator warning when calling inspect on attributes.

    Hammad Khan

  • Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

    The performance optimisation that replaced @range with @max/@min broke Marshal compatibility. Objects serialised under 8.0 (with @range) and deserialised under 8.1 (expecting @max/@min) would crash with undefined method '<=' for nil because Marshal.load restores instance variables without calling initialize.

... (truncated)

Changelog

Sourced from actionview's changelog.

Rails 8.1.3 (March 24, 2026)

  • Fix encoding errors for string locals containing non-ASCII characters.

    Kataoka Katsuki

  • Fix collection caching to only forward expires_in argument if explicitly set.

    Pieter Visser

Rails 8.1.2.1 (March 23, 2026)

  • Fix possible XSS in DebugExceptions middleware

    [CVE-2026-33167]

    John Hawthorn

  • Skip blank attribute names in tag helpers to avoid generating invalid HTML.

    [CVE-2026-33168]

    Mike Dalessio

Rails 8.1.2 (January 08, 2026)

  • Fix file_field to join mime types with a comma when provided as Array

    file_field(:article, :image, accept: ['image/png', 'image/gif', 'image/jpeg'])

    Now behaves likes:

    file_field(:article, :image, accept: 'image/png,image/gif,image/jpeg')
    

    Bogdan Gusiev

  • Fix strict locals parsing to handle multiline definitions.

    Said Kaldybaev

  • Fix content_security_policy_nonce error in mailers when using content_security_policy_nonce_auto setting.

    The content_security_policy_nonce helper is provided by ActionController::ContentSecurityPolicy, and it relies on request.content_security_policy_nonce. Mailers lack both the module and the request object.

    Jarrett Lusso

... (truncated)

Commits
  • fa8f081 Preparing for 8.1.3 release
  • 63cef3d Merge branch '8-1-sec' into 8-1-stable
  • 1db4b89 Preparing for 8.1.2.1 release
  • 1c7d1cf Update changelog
  • e91694b Update CHANGELOG (8.1 only)
  • 63f5ad8 Skip blank attribute names in Action View tag helpers
  • e598b94 Merge pull request #56906 from kataokatsuki/fix-strict-locals-non-ascii-encoding
  • c2ea79c Merge pull request #56891 from pietervisser/fix-collection-caching-to-preserv...
  • d7c8ae6 Preparing for 8.1.2 release
  • 27aa94f Merge pull request #56389 from bogdan/semantic-file-input-accept
  • Additional commits viewable in compare view

Updates activejob from 8.0.5 to 8.1.3

Release notes

Sourced from activejob's releases.

8.1.3

Active Support

  • Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

    When hash keys are custom objects whose as_json returns a Hash, the encoder now calls to_s on the original key object instead of on the as_json result.

    Before: hash = {CustomKey.new(123) => "value"} hash.to_json # => {"{:id=>123}":"value"}

    After: hash.to_json # => {"custom_123":"value"}

    Dan Sharp

  • Fix inflections to better handle overlapping acronyms.

    ActiveSupport::Inflector.inflections(:en) do |inflect|
      inflect.acronym "USD"
      inflect.acronym "USDC"
    end
    "USDC".underscore # => "usdc"

    Said Kaldybaev

  • Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

    zzak

Active Model

  • Fix Ruby 4.0 delegator warning when calling inspect on attributes.

    Hammad Khan

  • Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

    The performance optimisation that replaced @range with @max/@min broke Marshal compatibility. Objects serialised under 8.0 (with @range) and deserialised under 8.1 (expecting @max/@min) would crash with undefined method '<=' for nil because Marshal.load restores instance variables without calling initialize.

... (truncated)

Changelog

Sourced from activejob's changelog.

Rails 8.1.3 (March 24, 2026)

  • No changes.

Rails 8.1.2.1 (March 23, 2026)

  • No changes.

Rails 8.1.2 (January 08, 2026)

  • Fix ActiveJob.perform_all_later to respect job_class.enqueue_after_transaction_commit.

    Previously, perform_all_later would enqueue all jobs immediately, even if they had enqueue_after_transaction_commit = true. Now it correctly defers jobs with this setting until after transaction commits, matching the behavior of perform_later.

    OuYangJinTing

  • Fix using custom serializers with ActiveJob::Arguments.serialize when ActiveJob::Base hasn't been loaded.

    Hartley McGuire

Rails 8.1.1 (October 28, 2025)

  • Only index new serializers.

    Jesse Sharps

Rails 8.1.0 (October 22, 2025)

  • Add structured events for Active Job:

    • active_job.enqueued
    • active_job.bulk_enqueued
    • active_job.started
    • active_job.completed
    • active_job.retry_scheduled
    • active_job.retry_stopped
    • active_job.discarded
    • active_job.interrupt
    • active_job.resume
    • active_job.step_skipped
    • active_job.step_started
    • active_job.step

    Adrianna Chang

... (truncated)

Commits
  • fa8f081 Preparing for 8.1.3 release
  • 63cef3d Merge branch '8-1-sec' into 8-1-stable
  • 1db4b89 Preparing for 8.1.2.1 release
  • 0924172 Fix deprecation of sidekiq/testing in integration test adapter
  • 3277c4e Fix deprecation of sidekiq/testing/inline
  • d7c8ae6 Preparing for 8.1.2 release
  • f33ca37 Merge pull request #56507 from tiramizoo/rm-sucker_punch
  • 63a0e6c Merge pull request #56264 from byroot/fix/activejob/perform_all_later-2
  • c8155a6 Merge pull request #56093 from skipkayhil/hm-rynrvruzqlkttuqt
  • 90a1eaa Preparing for 8.1.1 release
  • Additional commits viewable in compare view

Updates activemodel from 8.0.5 to 8.1.3

Release notes

Sourced from activemodel's releases.

8.1.3

Active Support

  • Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

    When hash keys are custom objects whose as_json returns a Hash, the encoder now calls to_s on the original key object instead of on the as_json result.

    Before: hash = {CustomKey.new(123) => "value"} hash.to_json # => {"{:id=>123}":"value"}

    After: hash.to_json # => {"custom_123":"value"}

    Dan Sharp

  • Fix inflections to better handle overlapping acronyms.

    ActiveSupport::Inflector.inflections(:en) do |inflect|
      inflect.acronym "USD"
      inflect.acronym "USDC"
    end
    "USDC".underscore # => "usdc"

    Said Kaldybaev

  • Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

    zzak

Active Model

  • Fix Ruby 4.0 delegator warning when calling inspect on attributes.

    Hammad Khan

  • Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

    The performance optimisation that replaced @range with @max/@min broke Marshal compatibility. Objects serialised under 8.0 (with @range) and deserialised under 8.1 (expecting @max/@min) would crash with undefined method '<=' for nil because Marshal.load restores instance variables without calling initialize.

... (truncated)

Changelog

Sourced from activemodel's changelog.

Rails 8.1.3 (March 24, 2026)

  • Fix Ruby 4.0 delegator warning when calling inspect on attributes.

    Hammad Khan

  • Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

    The performance optimisation that replaced @range with @max/@min broke Marshal compatibility. Objects serialised under 8.0 (with @range) and deserialised under 8.1 (expecting @max/@min) would crash with undefined method '<=' for nil because Marshal.load restores instance variables without calling initialize.

    Edward Woodcock

Rails 8.1.2.1 (March 23, 2026)

  • No changes.

Rails 8.1.2 (January 08, 2026)

  • No changes.

Rails 8.1.1 (October 28, 2025)

  • No changes.

Rails 8.1.0 (October 22, 2025)

  • Add reset_token: { expires_in: ... } option to has_secure_password.

    Allows configuring the expiry duration of password reset tokens (default remains 15 minutes for backwards compatibility).

    has_secure_password reset_token: { expires_in: 1.hour }

    Jevin Sew, Abeid Ahmed

  • Add except_on: option for validation callbacks.

    Ben Sheldon

  • Backport ActiveRecord::Normalization to ActiveModel::Attributes::Normalization

... (truncated)

Commits
  • fa8f081 Preparing for 8.1.3 release
  • 63cef3d Merge branch '8-1-sec' into 8-1-stable
  • 1db4b89 Preparing for 8.1.2.1 release
  • 5a3d7d9 Merge pull request #56943 from yahonda/ruby-16321
  • 034ca73 Merge pull request #56867 from hammadxcm/fix-ruby4-delegator-inspect-warning
  • 6c23f3b Merge pull request #56768 from RemoteCTO/fix/integer-type-marshal-compat
  • d7c8ae6 Preparing for 8.1.2 release
  • 1723cc5 Address Layout/EmptyLineAfterMagicComment offense at 8-1-stable
  • 3c3c20b Merge pull request #56058 from Shopify/uk-am-secure-password-require-fix
  • 90a1eaa Preparing for 8.1.1 release
  • Additional commits viewable in compare view

Updates activerecord from 8.0.5 to 8.1.3

Release notes

Sourced from activerecord's releases.

8.1.3

Active Support

  • Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

    When hash keys are custom objects whose as_json returns a Hash, the encoder now calls to_s on the original key object instead of on the as_json result.

    Before: hash = {CustomKey.new(123) => "value"} hash.to_json # => {"{:id=>123}":"value"}

    After: hash.to_json # => {"custom_123":"value"}

    Dan Sharp

  • Fix inflections to better handle overlapping acronyms.

    ActiveSupport::Inflector.inflections(:en) do |inflect|
      inflect.acronym "USD"
      inflect.acronym "USDC"
    end
    "USDC".underscore # => "usdc"

    Said Kaldybaev

  • Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

    zzak

Active Model

  • Fix Ruby 4.0 delegator warning when calling inspect on attributes.

    Hammad Khan

  • Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

    The performance optimisation that replaced @range with @max/@min broke Marshal compatibility. Objects serialised under 8.0 (with @range) and deserialised under 8.1 (expecting @max/@min) would crash with undefined method '<=' for nil because Marshal.load restores instance variables without calling initialize.

... (truncated)

Changelog

Sourced from activerecord's changelog.

Rails 8.1.3 (March 24, 2026)

  • Fix insert_all and upsert_all log message when called on anonymous classes.

    Gabriel Sobrinho

  • Respect ActiveRecord::SchemaDumper.ignore_tables when dumping SQLite virtual tables.

    Hans Schnedlitz

  • Restore previous instrumenter after execute_or_skip

    FutureResult#execute_or_skip replaces the thread's instrumenter with an EventBuffer to collect events published during async query execution. If the global async executor is saturated and the caller_runs fallback executes the task on the calling thread, we need to make sure the previous instrumenter is restored or the stale EventBuffer would stay in place and permanently swallow all subsequent sql.active_record notifications on that thread.

    Rosa Gutierrez

  • Bump the minimum PostgreSQL version to 9.5, due to usage of array_position function.

    Ivan Kuchin

  • Fix Ruby 4.0 delegator warning when calling inspect on ActiveRecord::Type::Serialized.

    Hammad Khan

  • Fix support for table names containing hyphens.

    Evgeniy Demin

  • Fix column deduplication for SQLite3 and PostgreSQL virtual (generated) columns.

    Column#== and Column#hash now account for virtual? so that the Deduplicable registry does not treat a generated column and a regular column with the same name and type as identical. Previously, if a generated column was registered first, a regular column on a different table could be deduplicated to the generated instance, silently excluding it from INSERT/UPDATE statements.

    Jay Huber

  • Fix PostgreSQL schema dumping to handle schema-qualified table names in foreign_key references that span different schemas.

    # before
    add_foreign_key "hst.event_log_attributes", "hst.event_logs" # emits correctly because they're in the same schema (hst)
    add_foreign_key "hst.event_log_attributes", "hst.usr.user_profiles", column: "created_by_id" # emits hst.user.* when user.* is expected
    

... (truncated)

Commits
  • fa8f081 Preparing for 8.1.3 release
  • 63cef3d Merge branch '8-1-sec' into 8-1-stable
  • 1db4b89 Preparing for 8.1.2.1 release
  • e449905 Merge pull request #57022 from byroot/sobrinho-main
  • 7d8eeea Merge pull request #56977 from hschne/26-03-fix-ignore-virtual-tables
  • 148e4d8 Merge pull request #56970 from nicolasva/fix_spatia_lite
  • 004eb65 Restore previous instrumenter after execute_or_skip
  • b8b23c0 Merge pull request #56932 from eglitobias/fix-dbconsole-notimplemented-message
  • 2250b16 Merge pull request #56951 from r-plus/patch-1
  • 635841a Merge pull request #56911 from toy/postgresql-9.5-required
  • Additional commits viewable in compare view

Updates activestorage from 8.0.5 to 8.1.3

Release notes

Sourced from activestorage's releases.

8.1.3

Active Support

  • Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

    When hash keys are custom objects whose as_json returns a Hash, the encoder now calls to_s on the original key object instead of on the as_json result.

    Before: hash = {CustomKey.new(123) => "value"} hash.to_json # => {"{:id=>123}":"value"}

    After: hash.to_json # => {"custom_123":"value"}

    Dan Sharp

  • Fix inflections to better handle overlapping acronyms.

    ActiveSupport::Inflector.inflections(:en) do |inflect|
      inflect.acronym "USD"
      inflect.acronym "USDC"
    end
    "USDC".underscore # => "usdc"

    Said Kaldybaev

  • Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

    zzak

Active Model

  • Fix Ruby 4.0 delegator warning when calling inspect on attributes.

    Hammad Khan

  • Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

    The performance optimisation that replaced @range with @max/@min broke Marshal compatibility. Objects serialised under 8.0 (with @range) and deserialised under 8.1 (expecting @max/@min) would crash with undefined method '<=' for nil because Marshal.load restores instance variables without calling initialize.

... (truncated)

Changelog

Sourced from activestorage's changelog.

Rails 8.1.3 (March 24, 2026)

  • Fix ActiveStorage::Blob content type predicate methods to handle nil.

    Daichi KUDO

Rails 8.1.2.1 (March 23, 2026)

  • Filter user supplied metadata in DirectUploadController

    [CVE-2026-33173]

    Jean Boussier

  • Configurable maxmimum streaming chunk size

    Makes sure that byte ranges for blobs don't exceed 100mb by default. Content ranges that are too big can result in denial of service.

    [CVE-2026-33174]

    Gannon McGibbon

  • Limit range requests to a single range

    [CVE-2026-33658]

    Jean Boussier

  • Prevent path traversal in DiskService.

    DiskService#path_for now raises an InvalidKeyError when passed keys with dot segments (".", ".."), or if the resolved path is outside the storage root directory.

    #path_for also now consistently raises InvalidKeyError if the key is invalid in any way, for example containing null bytes or having an incompatible encoding. Previously, the exception raised may have been ArgumentError or Encoding::CompatibilityError.

    DiskController now explicitly rescues InvalidKeyError with appropriate HTTP status codes.

    [CVE-2026-33195]

    Mike Dalessio

  • Prevent glob injection in DiskService#delete_prefixed.

    Escape glob metacharacters in the resolved path before passing to Dir.glob.

... (truncated)

Commits
  • fa8f081 Preparing for 8.1.3 release
  • 63cef3d Merge branch '8-1-sec' into 8-1-stable
  • 1db4b89 Preparing for 8.1.2.1 release
  • 1c7d1cf Update changelog
  • 8c9676b Prevent glob injection in ActiveStorage DiskService#delete_prefixed
  • 9b06fbc Prevent path traversal in ActiveStorage DiskService
  • d9502f5 Active Storage: Filter user supplied metadata in DirectUploadController
  • 85ec5b1 ActiveStorage::Streaming limit range requests to a single range
  • 42012ea Configurable maxmimum streaming chunk size
  • 064cea7 Merge pull request #56783 from kudoas/fix-activestorage-blob-content-type-nil
  • Additional commits viewable in compare view

Updates railties from 8.0.5 to 8.1.3

Release notes

Sourced from railties's releases.

8.1.3

Active Support

  • Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

    When hash keys are custom objects whose as_json returns a Hash, the encoder now calls to_s on the original key object instead of on the as_json result.

    Before: hash = {CustomKey.new(123) => "value"} hash.to_json # => {"{:id=>123}":"value"}

    After: hash.to_json # => {"custom_123":"value"}

    Dan Sharp

  • Fix inflections to better handle overlapping acronyms.

    ActiveSupport::Inflector.inflections(:en) do |inflect|
      inflect.acronym "USD"
      inflect.acronym "USDC"
    end
    "USDC".underscore # => "usdc"

    Said Kaldybaev

  • Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

    zzak

Active Model

  • Fix Ruby 4.0 delegator warning when calling inspect on attributes.

    Hammad Khan

  • Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

    The performance optimisation that replaced @range with @max/@min broke Marshal compatibility. Objects serialised under 8.0 (with @range) and deserialised under 8.1 (expecting @max/@min) would crash with undefined method '<=' for nil because Marshal.load restores instance variables without calling initialize.

... (truncated)

Changelog

Sourced from railties's changelog.

Rails 8.1.3 (March 24, 2026)

  • Add libvips to generated ci.yml

    Conditionally adds libvips to ci.yml.

    Steve Polito

Rails 8.1.2.1 (March 23, 2026)

  • No changes.

Rails 8.1.2 (January 08, 2026)

  • Skip all system test files on app generation.

    Eileen M. Uchitelle

  • Fix db:system:change to correctly update Dockerfile base packages.

    Josiah Smith

  • Fix devcontainer volume mount when app name differs from folder name.

    Rafael Mendonça França

  • Fixed the rails notes command to properly extract notes in CSS files.

    David White

  • Fixed the default Doc...

    Description has been truncated

@dependabot dependabot Bot added dependencies ruby Pull requests that update Ruby code labels Jun 9, 2026
@dependabot dependabot Bot changed the title Bump the rails-gems group with 12 updates Bump the rails-gems group across 1 directory with 12 updates Jun 10, 2026
@dependabot dependabot Bot force-pushed the dependabot/bundler/rails-gems-f84e2dbc3e branch 9 times, most recently from e942c0a to fb030fb Compare June 17, 2026 04:03
@dependabot dependabot Bot force-pushed the dependabot/bundler/rails-gems-f84e2dbc3e branch 15 times, most recently from d0bd43c to 9c10e86 Compare June 24, 2026 13:50
@dependabot dependabot Bot force-pushed the dependabot/bundler/rails-gems-f84e2dbc3e branch from 9c10e86 to 78a2ff0 Compare June 25, 2026 04:03
@dependabot dependabot Bot force-pushed the dependabot/bundler/rails-gems-f84e2dbc3e branch 2 times, most recently from c4a2267 to a66d551 Compare June 27, 2026 04:03
@dependabot dependabot Bot force-pushed the dependabot/bundler/rails-gems-f84e2dbc3e branch 4 times, most recently from e55c43d to aafc405 Compare July 3, 2026 18:54
Bumps the rails-gems group with 1 update in the / directory: [rails](https://github.com/rails/rails).


Updates `rails` from 8.0.5 to 8.1.3
- [Release notes](https://github.com/rails/rails/releases)
- [Commits](rails/rails@v8.0.5...v8.1.3)

Updates `actioncable` from 8.0.5 to 8.1.3
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/actioncable/CHANGELOG.md)
- [Commits](rails/rails@v8.0.5...v8.1.3)

Updates `actionmailbox` from 8.0.5 to 8.1.3
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/actionmailbox/CHANGELOG.md)
- [Commits](rails/rails@v8.0.5...v8.1.3)

Updates `actionmailer` from 8.0.5 to 8.1.3
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/actionmailer/CHANGELOG.md)
- [Commits](rails/rails@v8.0.5...v8.1.3)

Updates `actionpack` from 8.0.5 to 8.1.3
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/actionpack/CHANGELOG.md)
- [Commits](rails/rails@v8.0.5...v8.1.3)

Updates `actiontext` from 8.0.5 to 8.1.3
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/actiontext/CHANGELOG.md)
- [Commits](rails/rails@v8.0.5...v8.1.3)

Updates `actionview` from 8.0.5 to 8.1.3
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/actionview/CHANGELOG.md)
- [Commits](rails/rails@v8.0.5...v8.1.3)

Updates `activejob` from 8.0.5 to 8.1.3
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activejob/CHANGELOG.md)
- [Commits](rails/rails@v8.0.5...v8.1.3)

Updates `activemodel` from 8.0.5 to 8.1.3
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activemodel/CHANGELOG.md)
- [Commits](rails/rails@v8.0.5...v8.1.3)

Updates `activerecord` from 8.0.5 to 8.1.3
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activerecord/CHANGELOG.md)
- [Commits](rails/rails@v8.0.5...v8.1.3)

Updates `activestorage` from 8.0.5 to 8.1.3
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activestorage/CHANGELOG.md)
- [Commits](rails/rails@v8.0.5...v8.1.3)

Updates `railties` from 8.0.5 to 8.1.3
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/railties/CHANGELOG.md)
- [Commits](rails/rails@v8.0.5...v8.1.3)

---
updated-dependencies:
- dependency-name: actioncable
  dependency-version: 8.1.3
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: rails-gems
- dependency-name: actionmailbox
  dependency-version: 8.1.3
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: rails-gems
- dependency-name: actionmailer
  dependency-version: 8.1.3
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: rails-gems
- dependency-name: actionpack
  dependency-version: 8.1.3
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: rails-gems
- dependency-name: actiontext
  dependency-version: 8.1.3
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: rails-gems
- dependency-name: actionview
  dependency-version: 8.1.3
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: rails-gems
- dependency-name: activejob
  dependency-version: 8.1.3
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: rails-gems
- dependency-name: activemodel
  dependency-version: 8.1.3
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: rails-gems
- dependency-name: activerecord
  dependency-version: 8.1.3
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: rails-gems
- dependency-name: activestorage
  dependency-version: 8.1.3
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: rails-gems
- dependency-name: rails
  dependency-version: 8.1.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rails-gems
- dependency-name: railties
  dependency-version: 8.1.3
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: rails-gems
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/bundler/rails-gems-f84e2dbc3e branch from aafc405 to 10198ef Compare July 3, 2026 19:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies ruby Pull requests that update Ruby code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants