actionpack 8.0.2.1 → 8.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9cb8e992334f0e3f93612b4537cc5ba4ce6bd5c3dc08e8af9d80ab52c83da4ea
-  data.tar.gz: 65cb880c5201bbd397b7da6e9c74e9979f4d96c4767d737788ed8cfb045b0592
+  metadata.gz: b131da258151267320d978699cdc9ed60f96060bbeeb5bfa85f8da0ab648497f
+  data.tar.gz: 2300ba0391c2e63f5e0ab71060bec7ef3e149d32064e5eccfd1a1f46ecad2820
 SHA512:
-  metadata.gz: 9f6fea1838782b52b118384a0a3f9f1dd7a97503b2dcfcbd629e18126b9f4bfdf5e9bc506936b345d178f29ee92714ec6e462efa49dfe5c2768c75b38e9c9e00
-  data.tar.gz: 9e707325f4080e40f36ae4815a247f6ece5ab56e392f6b9c71d1c5bed34b66e63be49f75a747904388fe6ecf47a4964447a4ac01db60fd6286a80bce773673aa
+  metadata.gz: 13ee7198d843341f8b97aa564b70385fd26ee5e3bdd2560e56cc20a16591d8502daa4befec55a81bc4783e5451648acf35dd67de6ca62cf0b41f5ae37cec9557
+  data.tar.gz: 17972b2a557984ad9a96f3947135fe29dd6aae6dfd0a019204be60e0d82056ed390333bad574ae9ec8d762b24574f4aac8103e04d647fca3a75736763ecae9f6

data/CHANGELOG.md

@@ -1,12 +1,47 @@
-## Rails 8.0.2.1 (August 13, 2025) ##
+## Rails 8.0.3 (September 22, 2025) ##
 
-*   No changes.
+*   URL helpers for engines mounted at the application root handle `SCRIPT_NAME` correctly.
 
+    Fixed an issue where `SCRIPT_NAME` is not applied to paths generated for routes in an engine
+    mounted at "/".
 
-## Rails 8.0.2 (March 12, 2025) ##
+    *Mike Dalessio*
 
-*   No changes.
+*   Fix `Rails.application.reload_routes!` from clearing almost all routes.
+
+    When calling `Rails.application.reload_routes!` inside a middleware of
+    a Rake task, it was possible under certain conditions that all routes would be cleared.
+    If ran inside a middleware, this would result in getting a 404 on most page you visit.
+    This issue was only happening in development.
+
+    *Edouard Chin*
+
+*   Address `rack 3.2` deprecations warnings.
+
+    ```
+    warning: Status code :unprocessable_entity is deprecated and will be removed in a future version of Rack.
+    Please use :unprocessable_content instead.
+    ```
+
+    Rails API will transparently convert one into the other for the foreseeable future.
 
+    *Earlopain*, *Jean Boussier*
+
+*   Support hash-source in Content Security Policy.
+
+    *madogiwa*
+
+*   Always return empty body for HEAD requests in `PublicExceptions` and
+    `DebugExceptions`.
+
+    This is required by `Rack::Lint` (per RFC9110).
+
+    *Hartley McGuire*
+
+
+## Rails 8.0.2.1 (August 13, 2025) ##
+
+*   No changes.
 
 ## Rails 8.0.2 (March 12, 2025) ##
 

data/README.rdoc

@@ -52,6 +52,6 @@ Bug reports for the Ruby on \Rails project can be filed here:
 
 * https://github.com/rails/rails/issues
 
-Feature requests should be discussed on the rails-core mailing list here:
+Feature requests should be discussed on the rubyonrails-core forum here:
 
 * https://discuss.rubyonrails.org/c/rubyonrails-core

data/lib/abstract_controller/base.rb

@@ -86,14 +86,10 @@ module AbstractController
         controller.public_instance_methods(true) - methods
       end
 
-      # A list of method names that should be considered actions. This includes all
+      # A `Set` of method names that should be considered actions. This includes all
       # public instance methods on a controller, less any internal methods (see
       # internal_methods), adding back in any methods that are internal, but still
       # exist on the class itself.
-      #
-      # #### Returns
-      # *   `Set` - A set of all methods that should be considered actions.
-      #
       def action_methods
         @action_methods ||= begin
           # All public instance methods of this class, including ancestors except for
@@ -121,9 +117,6 @@ module AbstractController
       #
       #     MyApp::MyPostsController.controller_path # => "my_app/my_posts"
       #
-      # #### Returns
-      # *   `String`
-      #
       def controller_path
         @controller_path ||= name.delete_suffix("Controller").underscore unless anonymous?
       end
@@ -147,10 +140,6 @@ module AbstractController
     # The actual method that is called is determined by calling #method_for_action.
     # If no method can handle the action, then an AbstractController::ActionNotFound
     # error is raised.
-    #
-    # #### Returns
-    # *   `self`
-    #
     def process(action, ...)
       @_action_name = action.to_s
 

data/lib/abstract_controller/collector.rb

@@ -27,7 +27,7 @@ module AbstractController
     def method_missing(symbol, ...)
       unless mime_constant = Mime[symbol]
         raise NoMethodError, "To respond to a custom format, register it as a MIME type first: " \
-          "https://guides.rubyonrails.org/action_controller_overview.html#restful-downloads. " \
+          "https://guides.rubyonrails.org/action_controller_advanced_topics.html#restful-downloads. " \
           "If you meant to respond to a variant like :tablet or :phone, not a custom format, " \
           "be sure to nest your variant response within a format response: " \
           "format.html { |html| html.tablet { ... } }"

data/lib/action_controller/metal/live.rb

@@ -171,12 +171,6 @@ module ActionController
         @ignore_disconnect = false
       end
 
-      # ActionDispatch::Response delegates #to_ary to the internal
-      # ActionDispatch::Response::Buffer, defining #to_ary is an indicator that the
-      # response body can be buffered and/or cached by Rack middlewares, this is not
-      # the case for Live responses so we undefine it for this Buffer subclass.
-      undef_method :to_ary
-
       def write(string)
         unless @response.committed?
           @response.headers["Cache-Control"] ||= "no-cache"

data/lib/action_controller/metal/redirecting.rb

@@ -212,9 +212,9 @@ module ActionController
 
       def _extract_redirect_to_status(options, response_options)
         if options.is_a?(Hash) && options.key?(:status)
-          Rack::Utils.status_code(options.delete(:status))
+          ActionDispatch::Response.rack_status_code(options.delete(:status))
         elsif response_options.key?(:status)
-          Rack::Utils.status_code(response_options[:status])
+          ActionDispatch::Response.rack_status_code(response_options[:status])
         else
           302
         end

data/lib/action_controller/metal/rendering.rb

@@ -232,7 +232,7 @@ module ActionController
         end
 
         if options[:status]
-          options[:status] = Rack::Utils.status_code(options[:status])
+          options[:status] = ActionDispatch::Response.rack_status_code(options[:status])
         end
 
         super

data/lib/action_controller/renderer.rb

@@ -96,7 +96,6 @@ module ActionController
     #     *   `:script_name` - The portion of the incoming request's URL path that
     #         corresponds to the application. Converts to Rack's `SCRIPT_NAME`.
     #     *   `:input` - The input stream. Converts to Rack's `rack.input`.
-    #
     # *   `defaults` - Default values for the Rack env. Entries are specified in the
     #     same format as `env`. `env` will be merged on top of these values.
     #     `defaults` will be retained when calling #new on a renderer instance.

data/lib/action_dispatch/constants.rb

@@ -30,5 +30,11 @@ module ActionDispatch
       SERVER_TIMING = "server-timing"
       STRICT_TRANSPORT_SECURITY = "strict-transport-security"
     end
+
+    if Gem::Version.new(Rack::RELEASE) < Gem::Version.new("3.1")
+      UNPROCESSABLE_CONTENT = :unprocessable_entity
+    else
+      UNPROCESSABLE_CONTENT = :unprocessable_content
+    end
   end
 end

data/lib/action_dispatch/http/content_security_policy.rb

@@ -171,6 +171,8 @@ module ActionDispatch # :nodoc:
       worker_src:                 "worker-src"
     }.freeze
 
+    HASH_SOURCE_ALGORITHM_PREFIXES = ["sha256-", "sha384-", "sha512-"].freeze
+
     DEFAULT_NONCE_DIRECTIVES = %w[script-src style-src].freeze
 
     private_constant :MAPPINGS, :DIRECTIVES, :DEFAULT_NONCE_DIRECTIVES
@@ -305,7 +307,13 @@ module ActionDispatch # :nodoc:
           case source
           when Symbol
             apply_mapping(source)
-          when String, Proc
+          when String
+            if hash_source?(source)
+              "'#{source}'"
+            else
+              source
+            end
+          when Proc
             source
           else
             raise ArgumentError, "Invalid content security policy source: #{source.inspect}"
@@ -374,5 +382,9 @@ module ActionDispatch # :nodoc:
       def nonce_directive?(directive, nonce_directives)
         nonce_directives.include?(directive)
       end
+
+      def hash_source?(source)
+        source.start_with?(*HASH_SOURCE_ALGORITHM_PREFIXES)
+      end
   end
 end

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -56,9 +56,14 @@ module ActionDispatch
 
       # Returns the MIME type for the format used in the request.
       #
-      #     GET /posts/5.xml   | request.format => Mime[:xml]
-      #     GET /posts/5.xhtml | request.format => Mime[:html]
-      #     GET /posts/5       | request.format => Mime[:html] or Mime[:js], or request.accepts.first
+      #     # GET /posts/5.xml
+      #     request.format # => Mime[:xml]
+      #
+      #     # GET /posts/5.xhtml
+      #     request.format # => Mime[:html]
+      #
+      #     # GET /posts/5
+      #     request.format # => Mime[:html] or Mime[:js], or request.accepts.first
       #
       def format(_view_path = nil)
         formats.first || Mime::NullType.instance

data/lib/action_dispatch/http/response.rb

@@ -46,6 +46,20 @@ module ActionDispatch # :nodoc:
       Headers = ::Rack::Utils::HeaderHash
     end
 
+    class << self
+      if ActionDispatch::Constants::UNPROCESSABLE_CONTENT == :unprocessable_content
+        def rack_status_code(status) # :nodoc:
+          status = :unprocessable_content if status == :unprocessable_entity
+          Rack::Utils.status_code(status)
+        end
+      else
+        def rack_status_code(status) # :nodoc:
+          status = :unprocessable_entity if status == :unprocessable_content
+          Rack::Utils.status_code(status)
+        end
+      end
+    end
+
     # To be deprecated:
     Header = Headers
 
@@ -105,10 +119,22 @@ module ActionDispatch # :nodoc:
         @str_body = nil
       end
 
+      BODY_METHODS = { to_ary: true }
+
+      def respond_to?(method, include_private = false)
+        if BODY_METHODS.key?(method)
+          @buf.respond_to?(method)
+        else
+          super
+        end
+      end
+
       def to_ary
-        @buf.respond_to?(:to_ary) ?
-          @buf.to_ary :
-          @buf.each
+        if @str_body
+          [body]
+        else
+          @buf = @buf.to_ary
+        end
       end
 
       def body
@@ -245,7 +271,7 @@ module ActionDispatch # :nodoc:
 
     # Sets the HTTP status code.
     def status=(status)
-      @status = Rack::Utils.status_code(status)
+      @status = Response.rack_status_code(status)
     end
 
     # Sets the HTTP response's content MIME type. For example, in the controller you
@@ -328,7 +354,13 @@ module ActionDispatch # :nodoc:
     # Returns the content of the response as a string. This contains the contents of
     # any calls to `render`.
     def body
-      @stream.body
+      if @stream.respond_to?(:to_ary)
+        @stream.to_ary.join
+      elsif @stream.respond_to?(:body)
+        @stream.body
+      else
+        @stream
+      end
     end
 
     def write(string)
@@ -337,11 +369,16 @@ module ActionDispatch # :nodoc:
 
     # Allows you to manually set or override the response body.
     def body=(body)
-      if body.respond_to?(:to_path)
-        @stream = body
-      else
-        synchronize do
-          @stream = build_buffer self, munge_body_object(body)
+      # Prevent ActionController::Metal::Live::Response from committing the response prematurely.
+      synchronize do
+        if body.respond_to?(:to_str)
+          @stream = build_buffer(self, [body])
+        elsif body.respond_to?(:to_path)
+          @stream = body
+        elsif body.respond_to?(:to_ary)
+          @stream = build_buffer(self, body)
+        else
+          @stream = body
         end
       end
     end
@@ -482,10 +519,6 @@ module ActionDispatch # :nodoc:
       Buffer.new response, body
     end
 
-    def munge_body_object(body)
-      body.respond_to?(:each) ? body : [body]
-    end
-
     def assign_default_content_type_and_charset!
       return if media_type
 
@@ -499,6 +532,8 @@ module ActionDispatch # :nodoc:
         @response = response
       end
 
+      attr :response
+
       def close
         # Rack "close" maps to Response#abort, and **not** Response#close (which is used
         # when the controller's finished writing)

data/lib/action_dispatch/http/url.rb

@@ -272,7 +272,7 @@ module ActionDispatch
         end
       end
 
-      # Returns whether this request is using the standard port
+      # Returns whether this request is using the standard port.
       #
       #     req = ActionDispatch::Request.new 'HTTP_HOST' => 'example.com:80'
       #     req.standard_port? # => true
@@ -307,7 +307,7 @@ module ActionDispatch
         standard_port? ? "" : ":#{port}"
       end
 
-      # Returns the requested port, such as 8080, based on SERVER_PORT
+      # Returns the requested port, such as 8080, based on SERVER_PORT.
       #
       #     req = ActionDispatch::Request.new 'SERVER_PORT' => '80'
       #     req.server_port # => 80

data/lib/action_dispatch/journey/gtg/transition_table.rb

@@ -107,10 +107,10 @@ module ActionDispatch
           end
 
           {
-            regexp_states:   simple_regexp,
-            string_states:   @string_states,
-            stdparam_states: @stdparam_states,
-            accepting:       @accepting
+            regexp_states:   simple_regexp.stringify_keys,
+            string_states:   @string_states.stringify_keys,
+            stdparam_states: @stdparam_states.stringify_keys,
+            accepting:       @accepting.stringify_keys
           }
         end
 

data/lib/action_dispatch/middleware/debug_exceptions.rb

@@ -65,7 +65,9 @@ module ActionDispatch
             content_type = Mime[:text]
           end
 
-          if api_request?(content_type)
+          if request.head?
+            render(wrapper.status_code, "", content_type)
+          elsif api_request?(content_type)
             render_for_api_request(content_type, wrapper)
           else
             render_for_browser_request(request, wrapper)

data/lib/action_dispatch/middleware/exception_wrapper.rb

@@ -18,8 +18,8 @@ module ActionDispatch
       "ActionController::UnknownFormat"                    => :not_acceptable,
       "ActionDispatch::Http::MimeNegotiation::InvalidType" => :not_acceptable,
       "ActionController::MissingExactTemplate"             => :not_acceptable,
-      "ActionController::InvalidAuthenticityToken"         => :unprocessable_entity,
-      "ActionController::InvalidCrossOriginRequest"        => :unprocessable_entity,
+      "ActionController::InvalidAuthenticityToken"         => ActionDispatch::Constants::UNPROCESSABLE_CONTENT,
+      "ActionController::InvalidCrossOriginRequest"        => ActionDispatch::Constants::UNPROCESSABLE_CONTENT,
       "ActionDispatch::Http::Parameters::ParseError"       => :bad_request,
       "ActionController::BadRequest"                       => :bad_request,
       "ActionController::ParameterMissing"                 => :bad_request,
@@ -173,7 +173,7 @@ module ActionDispatch
     end
 
     def self.status_code_for_exception(class_name)
-      Rack::Utils.status_code(@@rescue_responses[class_name])
+      ActionDispatch::Response.rack_status_code(@@rescue_responses[class_name])
     end
 
     def show?(request)

data/lib/action_dispatch/middleware/public_exceptions.rb

@@ -32,7 +32,11 @@ module ActionDispatch
       end
       body = { status: status, error: Rack::Utils::HTTP_STATUS_CODES.fetch(status, Rack::Utils::HTTP_STATUS_CODES[500]) }
 
-      render(status, content_type, body)
+      if env["action_dispatch.original_request_method"] == "HEAD"
+        render_format(status, content_type, "")
+      else
+        render(status, content_type, body)
+      end
     end
 
     private

data/lib/action_dispatch/routing/route_set.rb

@@ -29,7 +29,7 @@ module ActionDispatch
       def from_requirements(requirements)
         routes.find { |route| route.requirements == requirements }
       end
-      # :stopdoc:
+      # :enddoc:
 
       # Since the router holds references to many parts of the system like engines,
       # controllers and the application itself, inspecting the route set can actually
@@ -953,6 +953,5 @@ module ActionDispatch
         end
       end
     end
-    # :startdoc:
   end
 end

data/lib/action_dispatch/routing/routes_proxy.rb

@@ -54,6 +54,7 @@ module ActionDispatch
       # dependent part.
       def merge_script_names(previous_script_name, new_script_name)
         return new_script_name unless previous_script_name
+        new_script_name = new_script_name.chomp("/")
 
         resolved_parts = new_script_name.count("/")
         previous_parts = previous_script_name.count("/")

data/lib/action_dispatch/testing/assertion_response.rb

@@ -38,7 +38,7 @@ module ActionDispatch
 
     private
       def code_from_name(name)
-        GENERIC_RESPONSE_CODES[name] || Rack::Utils.status_code(name)
+        GENERIC_RESPONSE_CODES[name] || ActionDispatch::Response.rack_status_code(name)
       end
 
       def name_from_code(code)

data/lib/action_dispatch/testing/integration.rb

@@ -604,9 +604,8 @@ module ActionDispatch
   #         end
   #     end
   #
-  # See the [request helpers documentation]
-  # (rdoc-ref:ActionDispatch::Integration::RequestHelpers) for help
-  # on how to use `get`, etc.
+  # See the [request helpers documentation](rdoc-ref:ActionDispatch::Integration::RequestHelpers)
+  # for help on how to use `get`, etc.
   #
   # ### Changing the request encoding
   #

data/lib/action_pack/gem_version.rb

@@ -11,8 +11,8 @@ module ActionPack
   module VERSION
     MAJOR = 8
     MINOR = 0
-    TINY  = 2
-    PRE   = "1"
+    TINY  = 3
+    PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 8.0.2.1
+  version: 8.0.3
 platform: ruby
 authors:
 - David Heinemeier Hansson
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.2.1
+        version: 8.0.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.2.1
+        version: 8.0.3
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -127,28 +127,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.2.1
+        version: 8.0.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.2.1
+        version: 8.0.3
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.2.1
+        version: 8.0.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.2.1
+        version: 8.0.3
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -349,10 +349,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v8.0.2.1/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v8.0.2.1/
+  changelog_uri: https://github.com/rails/rails/blob/v8.0.3/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v8.0.3/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v8.0.2.1/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v8.0.3/actionpack
   rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths: