actionpack 5.1.7 → 5.2.0.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA256:
-  metadata.gz: b74291670f1ba9c12fe411448739a7435744e7594005819f11ff447a0db28e26
-  data.tar.gz: ac53ac07f2a25fe3a212acbe4717d55e2fe361267648820ecd72ede6e0167245
+SHA1:
+  metadata.gz: 3821f4323c39965ff764dbf966834e13c75b853c
+  data.tar.gz: 2d8cc8b821ddd606cf856288b702f7605f0bdbc2
 SHA512:
-  metadata.gz: 8cd67c197cff3ae4c31e9e64c4d24a7b05dfbce7b0c289122554e7a60eb38256cf6ea85bd2d49092dfed2c6fc4aa32cd0bf93ab6fdc81388e6d40d25348fba5f
-  data.tar.gz: d005d7a4ea15138642967820d6c585d1eedf169d06012ea19f6cab2810e5ac21d62d938e633724a916570ab7804b8f7315874bdf4fa696128968240ec77917d9
+  metadata.gz: a1fcd84c325af712a75a7041f4614c1ee7e13b6f82f6f88a498f2cc085dc92b7a7af1195d73d2c0faaf46eb7500a39c8d3e206b5acce29267eec29741bf9e7dc
+  data.tar.gz: 3a90e34a9403fdaba1fb2d4b8a25f8412043f65f5015ffe30b3515a4adfc4d9aed6824eb9568f5b81b35aed016380d2b42b9ba5f070fa43e01f58bdee388af93

data/CHANGELOG.md

@@ -1,134 +1,189 @@
-## Rails 5.1.7 (March 27, 2019) ##
-
-*   No changes.
+## Rails 5.2.0.beta1 (November 27, 2017) ##
+
+*   Add DSL for configuring Content-Security-Policy header
+
+    The DSL allows you to configure a global Content-Security-Policy
+    header and then override within a controller. For more information
+    about the Content-Security-Policy header see MDN:
+
+    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+
+    Example global policy:
+
+        # config/initializers/content_security_policy.rb
+        Rails.application.config.content_security_policy do |p|
+          p.default_src :self, :https
+          p.font_src    :self, :https, :data
+          p.img_src     :self, :https, :data
+          p.object_src  :none
+          p.script_src  :self, :https
+          p.style_src   :self, :https, :unsafe_inline
+        end
+
+    Example controller overrides:
+
+        # Override policy inline
+        class PostsController < ApplicationController
+          content_security_policy do |p|
+            p.upgrade_insecure_requests true
+          end
+        end
+
+        # Using literal values
+        class PostsController < ApplicationController
+          content_security_policy do |p|
+            p.base_uri "https://www.example.com"
+          end
+        end
+
+        # Using mixed static and dynamic values
+        class PostsController < ApplicationController
+          content_security_policy do |p|
+            p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
+          end
+        end
+
+    Allows you to also only report content violations for migrating
+    legacy content using the `content_security_policy_report_only`
+    configuration attribute, e.g;
+
+        # config/initializers/content_security_policy.rb
+        Rails.application.config.content_security_policy_report_only = true
+
+        # controller override
+        class PostsController < ApplicationController
+          self.content_security_policy_report_only = true
+        end
+
+    Note that this feature does not validate the header for performance
+    reasons since the header is calculated at runtime.
 
+    *Andrew White*
 
-## Rails 5.1.6.2 (March 11, 2019) ##
+*   Make `assert_recognizes` to traverse mounted engines
 
-*   No changes.
+    *Yuichiro Kaneko*
 
+*   Remove deprecated `ActionController::ParamsParser::ParseError`.
 
-## Rails 5.1.6.1 (November 27, 2018) ##
+    *Rafael Mendonça França*
 
-*   No changes.
+*   Add `:allow_other_host` option to `redirect_back` method.
+    When `allow_other_host` is set to `false`, the `redirect_back`
+    will not allow a redirecting from a different host.
+    `allow_other_host` is `true` by default.
 
+    *Tim Masliuchenko*
 
-## Rails 5.1.6 (March 29, 2018) ##
+*   Add headless chrome support to System Tests.
 
-*   Check exclude before flagging cookies as secure.
+    *Yuji Yaginuma*
 
-    *Catherine Khuu*
+*   Add ability to enable Early Hints for HTTP/2
 
+    If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
 
-## Rails 5.1.5 (February 14, 2018) ##
+    The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
 
-*   Fix optimized url helpers when using relative url root
+    *Eileen M. Uchitelle*, *Aaron Patterson*
 
-    Fixes #31220.
+*   Simplify cookies middleware with key rotation support
 
-    *Andrew White*
+    Use the `rotate` method for both `MessageEncryptor` and
+    `MessageVerifier` to add key rotation support for encrypted and
+    signed cookies. This also helps simplify support for legacy cookie
+    security.
 
-*   Ensure dev and prod puma configs do not clobber `ActionDispatch::SystemTesting` defaults. Adds workers: 0 and daemon: false
+    *Michael J Coyne*
 
-    *Max Schwenk*
+*   Use Capybara registered `:puma` server config.
 
-## Rails 5.1.4 (September 07, 2017) ##
+    The Capybara registered `:puma` server ensures the puma server is run in process so
+    connection sharing and open request detection work correctly by default.
 
-*   Make `take_failed_screenshot` work within engine.
+    *Thomas Walpole*
 
-    Fixes #30405.
+*   Cookies `:expires` option supports `ActiveSupport::Duration` object.
 
-    *Yuji Yaginuma*
+        cookies[:user_name] = { value: "assain", expires: 1.hour }
+        cookies[:key] = { value: "a yummy cookie", expires: 6.months }
 
-## Rails 5.1.4.rc1 (August 24, 2017) ##
+    Pull Request: #30121
 
-*   No changes.
+    *Assain Jaleel*
 
+*   Enforce signed/encrypted cookie expiry server side.
 
-## Rails 5.1.3 (August 03, 2017) ##
+    Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
 
-*   No changes.
+    It does so by stashing the expiry within the written cookie and relying on the
+    signing/encrypting to vouch that it hasn't been tampered with. Then on a
+    server-side read, the expiry is verified and any expired cookie is discarded.
 
+    Pull Request: #30121
 
-## Rails 5.1.3.rc3 (July 31, 2017) ##
+    *Assain Jaleel*
 
-*   No changes.
+*   Make `take_failed_screenshot` work within engine.
 
+    Fixes #30405.
 
-## Rails 5.1.3.rc2 (July 25, 2017) ##
+    *Yuji Yaginuma*
 
-*   No changes.
+*   Deprecate `ActionDispatch::TestResponse` response aliases
 
+    `#success?`, `#missing?` & `#error?` are not supported by the actual
+    `ActionDispatch::Response` object and can produce false-positives. Instead,
+    use the response helpers provided by `Rack::Response`.
 
-## Rails 5.1.3.rc1 (July 19, 2017) ##
+    *Trevor Wistaff*
 
-*   No changes.
+*   Protect from forgery by default
 
+    Rather than protecting from forgery in the generated `ApplicationController`,
+    add it to `ActionController::Base` depending on
+    `config.action_controller.default_protect_from_forgery`. This configuration
+    defaults to false to support older versions which have removed it from their
+    `ApplicationController`, but is set to true for Rails 5.2.
 
-## Rails 5.1.2 (June 26, 2017) ##
+    *Lisa Ugray*
 
 *   Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
 
     *Kir Shatrov*
 
-*   `driven_by` now registers poltergeist and capybara-webkit
+*   `driven_by` now registers poltergeist and capybara-webkit.
 
-    If driver poltergeist or capybara-webkit is set for System Tests,
+    If poltergeist or capybara-webkit are set as drivers is set for System Tests,
     `driven_by` will register the driver and set additional options passed via
-    `:options` param.
+    the `:options` parameter.
 
-    Refer to drivers documentation to learn what options can be passed.
+    Refer to the respective driver's documentation to see what options can be passed.
 
     *Mario Chavez*
 
-## Rails 5.1.1 (May 12, 2017) ##
-
-*   No changes.
+*   AEAD encrypted cookies and sessions with GCM.
 
+    Encrypted cookies now use AES-GCM which couples authentication and
+    encryption in one faster step and produces shorter ciphertexts. Cookies
+    encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
+    this new mode is enabled via the
+    `action_dispatch.use_authenticated_cookie_encryption` configuration value.
 
-## Rails 5.1.0 (April 27, 2017) ##
+    *Michael J Coyne*
 
-*   Raise exception when calling `to_h` and `to_hash` in an unpermitted Parameters.
+*   Change the cache key format for fragments to make it easier to debug key churn. The new format is:
 
-    Before we returned either an empty hash or only the always permitted parameters
-    (`:controller` and `:action` by default).
-
-    The previous behavior was dangerous because in order to get the attributes users
-    usually fallback to use `to_unsafe_h that` could potentially introduce security issues.
-
-    *Rafael Mendonça França*
+        views/template/action.html.erb:7a1156131a6928cb0026877f8b749ac9/projects/123
+              ^template path           ^template tree digest            ^class   ^id
 
-*   Deprecate `config.action_controller.raise_on_unfiltered_parameters`.
-
-    This option has no effect in Rails 5.1.
-
-    *Rafael Mendonça França*
-
-*   Use more specific check for :format in route path
-
-    The current check for whether to add an optional format to the path is very lax
-    and will match things like `:format_id` where there are nested resources, e.g:
-
-    ``` ruby
-    resources :formats do
-      resources :items
-    end
-    ```
-
-    Fix this by using a more restrictive regex pattern that looks for the patterns
-    `(.:format)`, `.:format` or `/` at the end of the path. Note that we need to
-    allow for multiple closing parenthesis since the route may be of this form:
-
-    ``` ruby
-    get "/books(/:action(.:format))", controller: "books"
-    ```
-
-    This probably isn't what's intended since it means that the default index action
-    route doesn't support a format but we have a test for it so we need to allow it.
+    *DHH*
 
-    Fixes #28517.
+*   Add support for recyclable cache keys with fragment caching. This uses the new versioned entries in the
+    `ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
+    to support it.
 
-    *Andrew White*
+    *DHH*
 
 *   Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load`
 
@@ -142,418 +197,5 @@
 
     *Julian Nadeau*
 
-*   Don't include default headers in `ActionController::Metal` responses
-
-    The commit e16afe6 introduced an unintentional change of behavior where the default
-    headers were included in responses from `ActionController::Metal` based controllers.
-    This is now reverted to the previous behavior of having no default headers.
-
-    Fixes #25820.
-
-    *Jon Moss*
-
-*   Fix `NameError` raised in `ActionController::Renderer#with_defaults`
-
-    *Hiroyuki Ishii*
-
-*   Added `#reverse_merge` and `#reverse_merge!` methods to `ActionController::Parameters`
-
-    *Edouard Chin*, *Mitsutaka Mimura*
-
-*   Fix malformed URLS when using `ApplicationController.renderer`
-
-    The Rack environment variable `rack.url_scheme` was not being set so `scheme` was
-    returning `nil`. This caused URLs to be malformed with the default settings.
-    Fix this by setting `rack.url_scheme` when the environment is normalized.
-
-    Fixes #28151.
-
-    *George Vrettos*
-
-*   Commit flash changes when using a redirect route.
-
-    Fixes #27992.
-
-    *Andrew White*
-
-*   Prefer `remove_method` over `undef_method` when reloading routes
-
-    When `undef_method` is used it prevents access to other implementations of that
-    url helper in the ancestor chain so use `remove_method` instead to restore access.
-
-    *Andrew White*
-
-*   Add the `resolve` method to the routing DSL
-
-    This new method allows customization of the polymorphic mapping of models:
-
-    ``` ruby
-    resource :basket
-    resolve("Basket") { [:basket] }
-    ```
-
-    ``` erb
-    <%= form_for @basket do |form| %>
-    <!-- basket form -->
-    <% end %>
-    ```
-
-    This generates the correct singular URL for the form instead of the default
-    resources member url, e.g. `/basket` vs. `/basket/:id`.
-
-    Fixes #1769.
-
-    *Andrew White*
-
-*   Add the `direct` method to the routing DSL
-
-    This new method allows creation of custom url helpers, e.g:
-
-    ``` ruby
-    direct(:apple) { "http://www.apple.com" }
-
-    >> apple_url
-    => "http://www.apple.com"
-    ```
-
-    This has the advantage of being available everywhere url helpers are available
-    unlike custom url helpers defined in helper modules, etc.
-
-    *Andrew White*
-
-*   Add `ActionDispatch::SystemTestCase` to Action Pack
-
-    Adds Capybara integration directly into Rails through Action Pack!
-
-    See PR [#26703](https://github.com/rails/rails/pull/26703)
-
-    *Eileen M. Uchitelle*
-
-*   Remove deprecated `.to_prepare`, `.to_cleanup`, `.prepare!` and `.cleanup!` from `ActionDispatch::Reloader`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated `ActionDispatch::Callbacks.to_prepare` and `ActionDispatch::Callbacks.to_cleanup`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated `ActionController::Metal.call`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated `ActionController::Metal#env`.
-
-    *Rafael Mendonça França*
-
-*   Make `with_routing` test helper work when testing controllers inheriting from `ActionController::API`
-
-    *Julia López*
-
-*   Use accept header in integration tests with `as: :json`
-
-    Instead of appending the `format` to the request path, Rails will figure
-    out the format from the header instead.
-
-    This allows devs to use `:as` on routes that don't have a format.
-
-    Fixes #27144.
-
-    *Kasper Timm Hansen*
-
-*   Reset a new session directly after its creation in `ActionDispatch::IntegrationTest#open_session`.
-
-    Fixes #22742.
-
-    *Tawan Sierek*
-
-*   Fixes incorrect output from `rails routes` when using singular resources.
-
-    Fixes #26606.
-
-    *Erick Reyna*
-
-*   Fixes multiple calls to `logger.fatal` instead of a single call,
-    for every line in an exception backtrace, when printing trace
-    from `DebugExceptions` middleware.
-
-    Fixes #26134.
-
-    *Vipul A M*
-
-*   Add support for arbitrary hashes in strong parameters:
-
-    ```ruby
-    params.permit(preferences: {})
-    ```
-
-    *Xavier Noria*
-
-*   Add `ActionController::Parameters#merge!`, which behaves the same as `Hash#merge!`.
-
-    *Yuji Yaginuma*
-
-*   Allow keys not found in `RACK_KEY_TRANSLATION` for setting the environment when rendering
-    arbitrary templates.
-
-    *Sammy Larbi*
-
-*   Remove deprecated support to non-keyword arguments in `ActionDispatch::IntegrationTest#process`,
-    `#get`, `#post`, `#patch`, `#put`, `#delete`, and `#head`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated `ActionDispatch::IntegrationTest#*_via_redirect`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated `ActionDispatch::IntegrationTest#xml_http_request`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated support for passing `:path` and route path as strings in `ActionDispatch::Routing::Mapper#match`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated support for passing path as `nil` in `ActionDispatch::Routing::Mapper#match`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated `cache_control` argument from `ActionDispatch::Static#initialize`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated support to passing strings or symbols to the middleware stack.
-
-    *Rafael Mendonça França*
-
-*   Change HSTS subdomain to true.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated `host` and `port` ssl options.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated `const_error` argument in
-    `ActionDispatch::Session::SessionRestoreError#initialize`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated `#original_exception` in `ActionDispatch::Session::SessionRestoreError`.
-
-    *Rafael Mendonça França*
-
-*   Deprecate `ActionDispatch::ParamsParser::ParseError` in favor of
-    `ActionDispatch::Http::Parameters::ParseError`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated `ActionDispatch::ParamsParser`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated `original_exception` and `message` arguments in
-    `ActionDispatch::ParamsParser::ParseError#initialize`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated `#original_exception` in `ActionDispatch::ParamsParser::ParseError`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated access to mime types through constants.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated support to non-keyword arguments in `ActionController::TestCase#process`,
-    `#get`, `#post`, `#patch`, `#put`, `#delete`, and `#head`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated `xml_http_request` and `xhr` methods in `ActionController::TestCase`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated methods in `ActionController::Parameters`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated support to comparing a `ActionController::Parameters`
-    with a `Hash`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated support to `:text` in `render`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated support to `:nothing` in `render`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated support to `:back` in `redirect_to`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated support to passing status as option `head`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated support to passing original exception to `ActionController::BadRequest`
-    and the `ActionController::BadRequest#original_exception` method.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated methods `skip_action_callback`, `skip_filter`, `before_filter`,
-    `prepend_before_filter`, `skip_before_filter`, `append_before_filter`, `around_filter`
-    `prepend_around_filter`, `skip_around_filter`, `append_around_filter`, `after_filter`,
-    `prepend_after_filter`, `skip_after_filter` and `append_after_filter`.
-
-    *Rafael Mendonça França*
-
-*   Show an "unmatched constraints" error when params fail to match constraints
-    on a matched route, rather than a "missing keys" error.
-
-    Fixes #26470.
-
-    *Chris Carter*
-
-*   Fix adding implicitly rendered template digests to ETags.
-
-    Fixes a case when modifying an implicitly rendered template for a
-    controller action using `fresh_when` or `stale?` would not result in a new
-    `ETag` value.
-
-    *Javan Makhmali*
-
-*   Make `fixture_file_upload` work in integration tests.
-
-    *Yuji Yaginuma*
-
-*   Add `to_param` to `ActionController::Parameters` deprecations.
-
-    In the future `ActionController::Parameters` are discouraged from being used
-    in URLs without explicit whitelisting. Go through `to_h` to use `to_param`.
-
-    *Kir Shatrov*
-
-*   Fix nested multiple roots
-
-    The PR #20940 enabled the use of multiple roots with different constraints
-    at the top level but unfortunately didn't work when those roots were inside
-    a namespace and also broke the use of root inside a namespace after a top
-    level root was defined because the check for the existence of the named route
-    used the global :root name and not the namespaced name.
-
-    This is fixed by using the name_for_action method to expand the :root name to
-    the full namespaced name. We can pass nil for the second argument as we're not
-    dealing with resource definitions so don't need to handle the cases for edit
-    and new routes.
-
-    Fixes #26148.
-
-    *Ryo Hashimoto*, *Andrew White*
-
-*   Include the content of the flash in the auto-generated etag. This solves the following problem:
-
-      1. POST /messages
-      2. redirect_to messages_url, notice: 'Message was created'
-      3. GET /messages/1
-      4. GET /messages
-
-      Step 4 would before still include the flash message, even though it's no longer relevant,
-      because the etag cache was recorded with the flash in place and didn't change when it was gone.
-
-    *DHH*
-
-*   SSL: Changes redirect behavior for all non-GET and non-HEAD requests
-    (like POST/PUT/PATCH etc) to `http://` resources to redirect to `https://`
-    with a [307 status code](http://tools.ietf.org/html/rfc7231#section-6.4.7) instead of [301 status code](http://tools.ietf.org/html/rfc7231#section-6.4.2).
-
-    307 status code instructs the HTTP clients to preserve the original
-    request method while redirecting. It has been part of HTTP RFC since
-    1999 and is implemented/recognized by most (if not all) user agents.
-
-        # Before
-        POST http://example.com/articles (i.e. ArticlesContoller#create)
-        redirects to
-        GET https://example.com/articles (i.e. ArticlesContoller#index)
-
-        # After
-        POST http://example.com/articles (i.e. ArticlesContoller#create)
-        redirects to
-        POST https://example.com/articles (i.e. ArticlesContoller#create)
-
-    *Chirag Singhal*
-
-*   Add `:as` option to `ActionController:TestCase#process` and related methods.
-
-    Specifying `as: mime_type` allows the `CONTENT_TYPE` header to be specified
-    in controller tests without manually doing this through `@request.headers['CONTENT_TYPE']`.
-
-    *Everest Stefan Munro-Zeisberger*
-
-*   Show cache hits and misses when rendering partials.
-
-    Partials using the `cache` helper will show whether a render hit or missed
-    the cache:
-
-    ```
-    Rendered messages/_message.html.erb in 1.2 ms [cache hit]
-    Rendered recordings/threads/_thread.html.erb in 1.5 ms [cache miss]
-    ```
-
-    This removes the need for the old fragment cache logging:
-
-    ```
-    Read fragment views/v1/2914079/v1/2914079/recordings/70182313-20160225015037000000/d0bdf2974e1ef6d31685c3b392ad0b74 (0.6ms)
-    Rendered messages/_message.html.erb in 1.2 ms [cache hit]
-    Write fragment views/v1/2914079/v1/2914079/recordings/70182313-20160225015037000000/3b4e249ac9d168c617e32e84b99218b5 (1.1ms)
-    Rendered recordings/threads/_thread.html.erb in 1.5 ms [cache miss]
-    ```
-
-    Though that full output can be reenabled with
-    `config.action_controller.enable_fragment_cache_logging = true`.
-
-    *Stan Lo*
-
-*   Don't override the `Accept` header in integration tests when called with `xhr: true`.
-
-    Fixes #25859.
-
-    *David Chen*
-
-*   Fix `defaults` option for root route.
-
-    A regression from some refactoring for the 5.0 release, this change
-    fixes the use of `defaults` (default parameters) in the `root` routing method.
-
-    *Chris Arcand*
-
-*   Check `request.path_parameters` encoding at the point they're set.
-
-    Check for any non-UTF8 characters in path parameters at the point they're
-    set in `env`. Previously they were checked for when used to get a controller
-    class, but this meant routes that went directly to a Rack app, or skipped
-    controller instantiation for some other reason, had to defend against
-    non-UTF8 characters themselves.
-
-    *Grey Baker*
-
-*   Don't raise `ActionController::UnknownHttpMethod` from `ActionDispatch::Static`.
-
-    Pass `Rack::Request` objects to `ActionDispatch::FileHandler` to avoid it
-    raising `ActionController::UnknownHttpMethod`. If an unknown method is
-    passed, it should pass exception higher in the stack instead, once we've had a
-    chance to define exception handling behaviour.
-
-    *Grey Baker*
-
-*   Handle `Rack::QueryParser` errors in `ActionDispatch::ExceptionWrapper`.
-
-    Updated `ActionDispatch::ExceptionWrapper` to handle the Rack 2.0 namespace
-    for `ParameterTypeError` and `InvalidParameterError` errors.
-
-    *Grey Baker*
 
-Please check [5-0-stable](https://github.com/rails/rails/blob/5-0-stable/actionpack/CHANGELOG.md) for previous changes.
+Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionpack/CHANGELOG.md) for previous changes.