Skip to content

Update dependency rails to '~> 5.2.0' (main) - autoclosed #26

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
mend-for-github-com wants to merge 1 commit into from
Closed

Update dependency rails to '~> 5.2.0' (main) - autoclosed #26

mend-for-github-com wants to merge 1 commit into from

Conversation

@mend-for-github-com
Copy link

@mend-for-github-com mend-for-github-com bot commented Aug 4, 2025
edited
Loading

This PR contains the following updates:

Package Update Change
rails (source, changelog) minor '~> 5.0.1' -> '~> 5.2.0'

By merging this PR, the issue #5 will be automatically resolved and closed:

Severity CVSS Score Vulnerability Reachability
High High 7.5 CVE-2021-22880

Release Notes

rails/rails (rails)

v5.2.4.5: 5.2.4.5

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Fix possible DoS vector in PostgreSQL money type

    Carefully crafted input can cause a DoS via the regular expressions used
    for validating the money format in the PostgreSQL adapter. This patch
    fixes the regexp.

    Thanks to @​dee-see from Hackerone for this patch!

    [CVE-2021-22880]

    Aaron Patterson

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Railties

  • No changes.

v5.2.4.4: 5.2.4.4

Compare Source

Active Support
  • No changes.
Active Model
  • No changes.
Active Record
  • No changes.
Action View
  • [CVE-2020-15169] Fix potential XSS vulnerability in the translate/t helper
Action Pack
  • No changes.
Active Job
  • No changes.
Action Mailer
  • No changes.
Action Cable
  • No changes.
Active Storage
  • No changes.
Railties
  • No changes.

v5.2.4.3: 5.2.4.3

Compare Source

Active Support

  • [CVE-2020-8165] Deprecate Marshal.load on raw cache read in RedisCacheStore

  • [CVE-2020-8165] Avoid Marshal.load on raw cache value in MemCacheStore

Active Model
  • No changes.
Active Record
  • No changes.
Action View
  • [CVE-2020-8167] Check that request is same-origin prior to including CSRF token in XHRs
Action Pack

  • [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token

  • [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @​parameters hash

Active Job
  • No changes.
Action Mailer
  • No changes.
Action Cable
  • No changes.
Active Storage
  • [CVE-2020-8162] Include Content-Length in signature for ActiveStorage direct upload
Railties
  • No changes.

v5.2.4.2: 5.2.4.2

Compare Source

Active Support
  • No changes.
Active Model
  • No changes.
Active Record
  • No changes.
Action View

  • Fix possible XSS vector in escape_javascript helper

    CVE-2020-5267

    Aaron Patterson

Action Pack
  • No changes.
Active Job
  • No changes.
Action Mailer
  • No changes.
Action Cable
  • No changes.
Active Storage
  • No changes.
Railties
  • No changes.

v5.2.4.1: 5.2.4.1

Compare Source

Active Support
  • No changes.
Active Model
  • No changes.
Active Record
  • No changes.
Action View
  • No changes.
Action Pack

  • Fix possible information leak / session hijacking vulnerability.

    The ActionDispatch::Session::MemcacheStore is still vulnerable given it requires the
    gem dalli to be updated as well.

    CVE-2019-16782.

Active Job
  • No changes.
Action Mailer
  • No changes.
Action Cable
  • No changes.
Active Storage
  • No changes.
Railties
  • No changes.

v5.2.4: 5.2.4

Compare Source

Active Support

  • Make ActiveSupport::Logger Fiber-safe. Fixes #​36752.

    Use Fiber.current.__id__ in ActiveSupport::Logger#local_level= in order
    to make log level local to Ruby Fibers in addition to Threads.

    Example:

    logger = ActiveSupport::Logger.new(STDOUT)
logger.level = 1
p "Main is debug? #{logger.debug?}"

Fiber.new {
  logger.local_level = 0
  p "Thread is debug? #{logger.debug?}"
}.resume

p "Main is debug? #{logger.debug?}"

    Before:

    Main is debug? false
Thread is debug? true
Main is debug? true

    After:

    Main is debug? false
Thread is debug? true
Main is debug? false

    Alexander Varnin

Active Model

  • Type cast falsy boolean symbols on boolean attribute as false.

    Fixes #​35676.

    Ryuta Kamizono

Active Record

  • Fix circular autosave: true causes invalid records to be saved.

    Prior to the fix, when there was a circular series of autosave: true
    associations, the callback for a has_many association was run while
    another instance of the same callback on the same association hadn't
    finished running. When control returned to the first instance of the
    callback, the instance variable had changed, and subsequent associated
    records weren't saved correctly. Specifically, the ID field for the
    belongs_to corresponding to the has_many was nil.

    Fixes #​28080.

    Larry Reid

  • PostgreSQL: Fix GROUP BY with ORDER BY virtual count attribute.

    Fixes #​36022.

    Ryuta Kamizono

  • Fix sqlite3 collation parsing when using decimal columns.

    Martin R. Schuster

  • Make ActiveRecord ConnectionPool.connections method thread-safe.

    Fixes #​36465.

    Jeff Doering

  • Assign all attributes before calling build to ensure the child record is visible in
    before_add and after_add callbacks for has_many :through associations.

    Fixes #​33249.

    Ryan H. Kerr

Action View

  • Allow programmatic click events to trigger Rails UJS click handlers.
    Programmatic click events (eg. ones generated by Rails.fire(link, "click")) don't specify a button. These events were being incorrectly stopped by code meant to ignore scroll wheel and right clicks introduced in #​34573.

    Sudara Williams

Action Pack
  • No changes.
Active Job
  • No changes.
Action Mailer
  • No changes.
Action Cable
  • No changes.
Active Storage
  • No changes.
Railties

  • Use original bundler environment variables during the process of generating a new rails project.

    Marco Costa

  • Allow loading seeds without ActiveJob.

    Fixes #​35782

    Jeremy Weathers

  • Only force :async ActiveJob adapter to :inline during seeding.

    BatedUrGonnaDie

v5.2.3: 5.2.3

Compare Source

Active Support

  • Add ActiveSupport::HashWithIndifferentAccess#assoc.

    assoc can now be called with either a string or a symbol.

    Stefan Schüßler

  • Fix String#safe_constantize throwing a LoadError for incorrectly cased constant references.

    Keenan Brock

  • Allow Range#=== and Range#cover? on Range

    Range#cover? can now accept a range argument like Range#include? and
    Range#===. Range#=== works correctly on Ruby 2.6. Range#include? is moved
    into a new file, with these two methods.

    utilum

  • If the same block is included multiple times for a Concern, an exception is no longer raised.

    Mark J. Titorenko, Vlad Bokov

Active Model

  • Fix date value when casting a multiparameter date hash to not convert
    from Gregorian date to Julian date.

    Before:

    Day.new({"day(1i)"=>"1", "day(2i)"=>"1", "day(3i)"=>"1"})
=> #<Day id: nil, day: "0001-01-03", created_at: nil, updated_at: nil>

    After:

    Day.new({"day(1i)"=>"1", "day(2i)"=>"1", "day(3i)"=>"1"})
=> #<Day id: nil, day: "0001-01-01", created_at: nil, updated_at: nil>

    Fixes #​28521.

    Sayan Chakraborty

  • Fix numericality equality validation of BigDecimal and Float
    by casting to BigDecimal on both ends of the validation.

    Gannon McGibbon

Active Record

  • Fix different count calculation when using size with manual select with DISTINCT.

    Fixes #​35214.

    Juani Villarejo

  • Fix prepared statements caching to be enabled even when query caching is enabled.

    Ryuta Kamizono

  • Don't allow where with invalid value matches to nil values.

    Fixes #​33624.

    Ryuta Kamizono

  • Restore an ability that class level update without giving ids.

    Fixes #​34743.

    Ryuta Kamizono

  • Fix join table column quoting with SQLite.

    Gannon McGibbon

  • Ensure that delete_all on collection proxy returns affected count.

    Ryuta Kamizono

  • Reset scope after delete on collection association to clear stale offsets of removed records.

    Gannon McGibbon

Action View

  • Prevent non-primary mouse keys from triggering Rails UJS click handlers.
    Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks.
    For example, right-clicking a link such as the one described below (with an underlying ajax request registered on click) should not cause that request to occur.

    <%= link_to 'Remote', remote_path, class: 'remote', remote: true, data: { type: :json } %>

    Fixes #​34541

    Wolfgang Hobmaier

Action Pack

  • Allow using combine the Cache Control public and no-cache headers.

    Before this change, even if public was specified for Cache Control header,
    it was excluded when no-cache was included. This fixed to keep public
    header as is.

    Fixes #​34780.

    Yuji Yaginuma

  • Allow nil params for ActionController::TestCase.

    Ryo Nakamura

Active Job
  • No changes.
Action Mailer
  • No changes.
Action Cable
  • No changes.
Active Storage
  • No changes.
Railties

  • Seed database with inline ActiveJob job adapter.

    Gannon McGibbon

  • Fix boolean interaction in scaffold system tests.

    Gannon McGibbon

v5.2.2.1

Compare Source

v5.2.2: 5.2.2

Compare Source

Active Support

  • Fix bug where #to_options for ActiveSupport::HashWithIndifferentAccess
    would not act as alias for #symbolize_keys.

    Nick Weiland

  • Improve the logic that detects non-autoloaded constants.

    Jan Habermann, Xavier Noria

  • Fix bug where URI.unescape would fail with mixed Unicode/escaped character input:

    URI.unescape("\xe3\x83\x90")  # => "バ"
URI.unescape("%E3%83%90")  # => "バ"
URI.unescape("\xe3\x83\x90%E3%83%90")  # => Encoding::CompatibilityError

    Ashe Connor, Aaron Patterson

Active Model

  • Fix numericality validator to still use value before type cast except Active Record.

    Fixes #​33651, #​33686.

    Ryuta Kamizono

Active Record

  • Do not ignore the scoping with query methods in the scope block.

    Ryuta Kamizono

  • Allow aliased attributes to be used in #update_columns and #update.

    Gannon McGibbon

  • Allow spaces in postgres table names.

    Fixes issue where "user post" is misinterpreted as ""user"."post"" when quoting table names with the postgres
    adapter.

    Gannon McGibbon

  • Cached columns_hash fields should be excluded from ResultSet#column_types

    PR #​34528 addresses the inconsistent behaviour when attribute is defined for an ignored column. The following test
    was passing for SQLite and MySQL, but failed for PostgreSQL:

    class DeveloperName < ActiveRecord::Type::String
  def deserialize(value)
    "Developer: #{value}"
  end
end

class AttributedDeveloper < ActiveRecord::Base
  self.table_name = "developers"

  attribute :name, DeveloperName.new

  self.ignored_columns += ["name"]
end

developer = AttributedDeveloper.create
developer.update_column :name, "name"

loaded_developer = AttributedDeveloper.where(id: developer.id).select("*").first
puts loaded_developer.name # should be "Developer: name" but it's just "name"

    Dmitry Tsepelev

  • Values of enum are frozen, raising an error when attempting to modify them.

    Emmanuel Byrd

  • update_columns now correctly raises ActiveModel::MissingAttributeError
    if the attribute does not exist.

    Sean Griffin

  • Do not use prepared statement in queries that have a large number of binds.

    Ryuta Kamizono

  • Fix query cache to load before first request.

    Eileen M. Uchitelle

  • Fix collection cache key with limit and custom select to avoid ambiguous timestamp column error.

    Fixes #​33056.

    Federico Martinez

  • Fix duplicated record creation when using nested attributes with create_with.

    Darwin Wu

  • Fix regression setting children record in parent before_save callback.

    Guo Xiang Tan

  • Prevent leaking of user's DB credentials on rails db:create failure.

    bogdanvlviv

  • Clear mutation tracker before continuing the around callbacks.

    Yuya Tanaka

  • Prevent deadlocks when waiting for connection from pool.

    Brent Wheeldon

  • Avoid extra scoping when using Relation#update that was causing this method to change the current scope.

    Ryuta Kamizono

  • Fix numericality validator not to be affected by custom getter.

    Ryuta Kamizono

  • Fix bulk change table ignores comment option on PostgreSQL.

    Yoshiyuki Kinjo

Action View
  • No changes.
Action Pack

  • Reset Capybara sessions if failed system test screenshot raising an exception.

    Reset Capybara sessions if take_failed_screenshot raise exception
    in system test after_teardown.

    Maxim Perepelitsa

  • Use request object for context if there's no controller

    There is no controller instance when using a redirect route or a
    mounted rack application so pass the request object as the context
    when resolving dynamic CSP sources in this scenario.

    Fixes #​34200.

    Andrew White

  • Apply mapping to symbols returned from dynamic CSP sources

    Previously if a dynamic source returned a symbol such as :self it
    would be converted to a string implicity, e.g:

    policy.default_src -> { :self }

    would generate the header:

    Content-Security-Policy: default-src self

    and now it generates:

    Content-Security-Policy: default-src 'self'

    Andrew White

  • Fix rails routes -c for controller name consists of multiple word.

    Yoshiyuki Kinjo

  • Call the #redirect_to block in controller context.

    Steven Peckins

Active Job

  • Make sure assert_enqueued_with() & assert_performed_with() work reliably with hash arguments.

    Sharang Dashputre

  • Restore ActionController::Parameters support to ActiveJob::Arguments.serialize.

    Bernie Chiu

  • Restore HashWithIndifferentAccess support to ActiveJob::Arguments.deserialize.

    Gannon McGibbon

  • Include deserialized arguments in job instances returned from
    assert_enqueued_with and assert_performed_with

    Alan Wu

  • Increment execution count before deserialize arguments.

    Currently, the execution count increments after deserializes arguments.
    Therefore, if an error occurs with deserialize, it retries indefinitely.

    Yuji Yaginuma

Action Mailer
  • No changes.
Action Cable
  • No changes.
Active Storage

  • Support multiple submit buttons in Active Storage forms.

    Chrıs Seelus

  • Fix ArgumentError when uploading to amazon s3

    Hiroki Sanpei

  • Add a foreign-key constraint to the active_storage_attachments table for blobs.

    George Claghorn

  • Discard ActiveStorage::PurgeJobs for missing blobs.

    George Claghorn

  • Fix uploading Tempfiles to Azure Storage.

    George Claghorn

Railties

  • Disable content security policy for mailer previews.

    Dylan Reile

  • Log the remote IP address of clients behind a proxy.

    Atul Bhosale

v5.2.1.1

Compare Source

v5.2.1

Compare Source

v5.2.0

Compare Source

v5.1.7: 5.1.7

Compare Source

Active Support
  • No changes.
Active Model
  • No changes.
Active Record

  • Fix touch option to behave consistently with Persistence#touch method.

    Ryuta Kamizono

  • Back port Rails 5.2 reverse_order Arel SQL literal fix.

    Matt Jones, Brooke Kuhlmann

  • becomes should clear the mutation tracker which is created in after_initialize.

    Fixes #​32867.

    Ryuta Kamizono

Action View

  • Fix issue with button_to's to_form_params

    button_to was throwing exception when invoked with params hash that
    contains symbol and string keys. The reason for the exception was that
    to_form_params was comparing the given symbol and string keys.

    The issue is fixed by turning all keys to strings inside
    to_form_params before comparing them.

    Georgi Georgiev

Action Pack
  • No changes.
Active Job
  • No changes.
Action Mailer
  • No changes.
Action Cable
  • No changes.
Railties
  • No changes.

v5.1.6.2

Compare Source

v5.1.6.1

Compare Source

v5.1.6

Compare Source

v5.1.5

Compare Source

v5.1.4

Compare Source

v5.1.3

Compare Source

v5.1.2

Compare Source

v5.1.1

Compare Source

v5.1.0

Compare Source

v5.0.7.2

Compare Source

v5.0.7.1

Compare Source

v5.0.7

Compare Source

v5.0.6

Compare Source

v5.0.5

Compare Source

v5.0.4

Compare Source

v5.0.3

Compare Source

v5.0.2

Compare Source

  • If you want to rebase/retry this PR, check this box

@mend-for-github-com
Copy link
Author

mend-for-github-com bot commented Aug 4, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Gemfile.lock

/opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler/shared_helpers.rb:161:in 'Bundler::SharedHelpers#search_up': undefined method 'untaint' for an instance of String (NoMethodError)

      current  = File.expand_path(SharedHelpers.pwd).untaint
                                                    ^^^^^^^^
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler/shared_helpers.rb:148:in 'Bundler::SharedHelpers#find_file'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler/shared_helpers.rb:144:in 'Bundler::SharedHelpers#find_gemfile'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler/shared_helpers.rb:24:in 'Bundler::SharedHelpers#default_gemfile'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler.rb:261:in 'Bundler.default_gemfile'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler.rb:171:in 'Bundler.root'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler.rb:183:in 'Bundler.app_config_path'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler.rb:209:in 'Bundler.settings'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler/env.rb:28:in 'Bundler::Env#report'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler/friendly_errors.rb:74:in 'Bundler::FriendlyErrors.request_issue_report_for'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler/friendly_errors.rb:40:in 'Bundler::FriendlyErrors.log_error'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler/friendly_errors.rb:102:in 'Bundler.with_friendly_errors'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/exe/bundle:26:in '<top (required)>'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/exe/bundler:4:in 'Kernel#load'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/exe/bundler:4:in '<top (required)>'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/bin/bundler:25:in 'Kernel#load'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/bin/bundler:25:in '<main>'
/opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler/shared_helpers.rb:161:in 'Bundler::SharedHelpers#search_up': undefined method 'untaint' for an instance of String (NoMethodError)

      current  = File.expand_path(SharedHelpers.pwd).untaint
                                                    ^^^^^^^^
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler/shared_helpers.rb:148:in 'Bundler::SharedHelpers#find_file'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler/shared_helpers.rb:144:in 'Bundler::SharedHelpers#find_gemfile'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler/shared_helpers.rb:24:in 'Bundler::SharedHelpers#default_gemfile'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler.rb:261:in 'Bundler.default_gemfile'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler.rb:171:in 'Bundler.root'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler.rb:183:in 'Bundler.app_config_path'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler.rb:209:in 'Bundler.settings'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler/cli.rb:485:in '<class:CLI>'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler/cli.rb:6:in '<module:Bundler>'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler/cli.rb:5:in '<top (required)>'
	from <internal:/opt/containerbase/tools/ruby/3.4.5/lib/ruby/3.4.0/rubygems/core_ext/kernel_require.rb>:136:in 'Kernel#require'
	from <internal:/opt/containerbase/tools/ruby/3.4.5/lib/ruby/3.4.0/rubygems/core_ext/kernel_require.rb>:136:in 'Kernel#require'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/exe/bundle:27:in 'block in <top (required)>'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/lib/bundler/friendly_errors.rb:100:in 'Bundler.with_friendly_errors'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/exe/bundle:26:in '<top (required)>'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/exe/bundler:4:in 'Kernel#load'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/gems/bundler-1.13.6/exe/bundler:4:in '<top (required)>'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/bin/bundler:25:in 'Kernel#load'
	from /opt/containerbase/tools/bundler/1.13.6/3.4.5/bin/bundler:25:in '<main>'

@mend-for-github-com mend-for-github-com bot added the security fix Security fix generated by Mend label Aug 4, 2025
@mend-for-github-com mend-for-github-com bot changed the title Update dependency rails to '~> 5.2.0' (main) Update dependency rails to '~> 5.2.0' (main) - autoclosed Nov 29, 2025
@mend-for-github-com mend-for-github-com bot deleted the whitesource-remediate/main-rails-5.x branch November 29, 2025 00:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

security fix Security fix generated by Mend

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant