rails-rfc6570 3.3.0 → 3.5.0

data/vendor/bundle/ruby/3.4.0/gems/actionpack-8.0.3/CHANGELOG.md

@@ -0,0 +1,285 @@
+## Rails 8.0.3 (September 22, 2025) ##
+
+*   URL helpers for engines mounted at the application root handle `SCRIPT_NAME` correctly.
+
+    Fixed an issue where `SCRIPT_NAME` is not applied to paths generated for routes in an engine
+    mounted at "/".
+
+    *Mike Dalessio*
+
+*   Fix `Rails.application.reload_routes!` from clearing almost all routes.
+
+    When calling `Rails.application.reload_routes!` inside a middleware of
+    a Rake task, it was possible under certain conditions that all routes would be cleared.
+    If ran inside a middleware, this would result in getting a 404 on most page you visit.
+    This issue was only happening in development.
+
+    *Edouard Chin*
+
+*   Address `rack 3.2` deprecations warnings.
+
+    ```
+    warning: Status code :unprocessable_entity is deprecated and will be removed in a future version of Rack.
+    Please use :unprocessable_content instead.
+    ```
+
+    Rails API will transparently convert one into the other for the foreseeable future.
+
+    *Earlopain*, *Jean Boussier*
+
+*   Support hash-source in Content Security Policy.
+
+    *madogiwa*
+
+*   Always return empty body for HEAD requests in `PublicExceptions` and
+    `DebugExceptions`.
+
+    This is required by `Rack::Lint` (per RFC9110).
+
+    *Hartley McGuire*
+
+
+## Rails 8.0.2.1 (August 13, 2025) ##
+
+*   No changes.
+
+## Rails 8.0.2 (March 12, 2025) ##
+
+*   Improve `with_routing` test helper to not rebuild the middleware stack.
+
+    Otherwise some middleware configuration could be lost.
+
+    *Édouard Chin*
+
+*   Add resource name to the `ArgumentError` that's raised when invalid `:only` or `:except` options are given to `#resource` or `#resources`
+
+    This makes it easier to locate the source of the problem, especially for routes drawn by gems.
+
+    Before:
+    ```
+    :only and :except must include only [:index, :create, :new, :show, :update, :destroy, :edit], but also included [:foo, :bar]
+    ```
+
+    After:
+    ```
+    Route `resources :products` - :only and :except must include only [:index, :create, :new, :show, :update, :destroy, :edit], but also included [:foo, :bar]
+    ```
+
+    *Jeremy Green*
+
+*   Fix `url_for` to handle `:path_params` gracefully when it's not a `Hash`.
+
+    Prevents various security scanners from causing exceptions.
+
+    *Martin Emde*
+
+*   Fix `ActionDispatch::Executor` to unwrap exceptions like other error reporting middlewares.
+
+    *Jean Boussier*
+
+
+## Rails 8.0.1 (December 13, 2024) ##
+
+*   Add `ActionDispatch::Request::Session#store` method to conform Rack spec.
+
+    *Yaroslav*
+
+
+## Rails 8.0.0.1 (December 10, 2024) ##
+
+*   Add validation to content security policies to disallow spaces and semicolons.
+    Developers should use multiple arguments, and different directive methods instead.
+
+    [CVE-2024-54133]
+
+    *Gannon McGibbon*
+
+
+## Rails 8.0.0 (November 07, 2024) ##
+
+*   No changes.
+
+
+## Rails 8.0.0.rc2 (October 30, 2024) ##
+
+*   Fix routes with `::` in the path.
+
+    *Rafael Mendonça França*
+
+*   Maintain Rack 2 parameter parsing behaviour.
+
+    *Matthew Draper*
+
+
+## Rails 8.0.0.rc1 (October 19, 2024) ##
+
+*   Remove `Rails.application.config.action_controller.allow_deprecated_parameters_hash_equality`.
+
+    *Rafael Mendonça França*
+
+*   Improve `ActionController::TestCase` to expose a binary encoded `request.body`.
+
+    The rack spec clearly states:
+
+    > The input stream is an IO-like object which contains the raw HTTP POST data.
+    > When applicable, its external encoding must be “ASCII-8BIT” and it must be opened in binary mode.
+
+    Until now its encoding was generally UTF-8, which doesn't accurately reflect production
+    behavior.
+
+    *Jean Boussier*
+
+*   Update `ActionController::AllowBrowser` to support passing method names to `:block`
+
+    ```ruby
+    class ApplicationController < ActionController::Base
+      allow_browser versions: :modern, block: :handle_outdated_browser
+
+      private
+        def handle_outdated_browser
+          render file: Rails.root.join("public/custom-error.html"), status: :not_acceptable
+        end
+    end
+    ```
+
+    *Sean Doyle*
+
+*   Raise an `ArgumentError` when invalid `:only` or `:except` options are passed into `#resource` and `#resources`.
+
+    *Joshua Young*
+
+## Rails 8.0.0.beta1 (September 26, 2024) ##
+
+*   Fix non-GET requests not updating cookies in `ActionController::TestCase`.
+
+    *Jon Moss*, *Hartley McGuire*
+
+*   Update `ActionController::Live` to use a thread-pool to reuse threads across requests.
+
+    *Adam Renberg Tamm*
+
+*   Introduce safer, more explicit params handling method with `params#expect` such that
+    `params.expect(table: [ :attr ])` replaces `params.require(:table).permit(:attr)`
+
+    Ensures params are filtered with consideration for the expected
+    types of values, improving handling of params and avoiding ignorable
+    errors caused by params tampering.
+
+    ```ruby
+    # If the url is altered to ?person=hacked
+    # Before
+    params.require(:person).permit(:name, :age, pets: [:name])
+    # raises NoMethodError, causing a 500 and potential error reporting
+
+    # After
+    params.expect(person: [ :name, :age, pets: [[:name]] ])
+    # raises ActionController::ParameterMissing, correctly returning a 400 error
+    ```
+
+    You may also notice the new double array `[[:name]]`. In order to
+    declare when a param is expected to be an array of parameter hashes,
+    this new double array syntax is used to explicitly declare an array.
+    `expect` requires you to declare expected arrays in this way, and will
+    ignore arrays that are passed when, for example, `pet: [:name]` is used.
+
+    In order to preserve compatibility, `permit` does not adopt the new
+    double array syntax and is therefore more permissive about unexpected
+    types. Using `expect` everywhere is recommended.
+
+    We suggest replacing `params.require(:person).permit(:name, :age)`
+    with the direct replacement `params.expect(person: [:name, :age])`
+    to prevent external users from manipulating params to trigger 500
+    errors. A 400 error will be returned instead, using public/400.html
+
+    Usage of `params.require(:id)` should likewise be replaced with
+    `params.expect(:id)` which is designed to ensure that `params[:id]`
+    is a scalar and not an array or hash, also requiring the param.
+
+    ```ruby
+    # Before
+    User.find(params.require(:id)) # allows an array, altering behavior
+
+    # After
+    User.find(params.expect(:id)) # expect only returns non-blank permitted scalars (excludes Hash, Array, nil, "", etc)
+    ```
+
+    *Martin Emde*
+
+*   System Testing: Disable Chrome's search engine choice by default in system tests.
+
+    *glaszig*
+
+*   Fix `Request#raw_post` raising `NoMethodError` when `rack.input` is `nil`.
+
+    *Hartley McGuire*
+
+*   Remove `racc` dependency by manually writing `ActionDispatch::Journey::Scanner`.
+
+    *Gannon McGibbon*
+
+*   Speed up `ActionDispatch::Routing::Mapper::Scope#[]` by merging frame hashes.
+
+    *Gannon McGibbon*
+
+*   Allow bots to ignore `allow_browser`.
+
+    *Matthew Nguyen*
+
+*   Deprecate drawing routes with multiple paths to make routing faster.
+    You may use `with_options` or a loop to make drawing multiple paths easier.
+
+    ```ruby
+    # Before
+    get "/users", "/other_path", to: "users#index"
+
+    # After
+    get "/users", to: "users#index"
+    get "/other_path", to: "users#index"
+    ```
+
+    *Gannon McGibbon*
+
+*   Make `http_cache_forever` use `immutable: true`
+
+    *Nate Matykiewicz*
+
+*   Add `config.action_dispatch.strict_freshness`.
+
+    When set to `true`, the `ETag` header takes precedence over the `Last-Modified` header when both are present,
+    as specified by RFC 7232, Section 6.
+
+    Defaults to `false` to maintain compatibility with previous versions of Rails, but is enabled as part of
+    Rails 8.0 defaults.
+
+    *heka1024*
+
+*   Support `immutable` directive in Cache-Control
+
+    ```ruby
+    expires_in 1.minute, public: true, immutable: true
+    # Cache-Control: public, max-age=60, immutable
+    ```
+
+    *heka1024*
+
+*   Add `:wasm_unsafe_eval` mapping for `content_security_policy`
+
+    ```ruby
+    # Before
+    policy.script_src "'wasm-unsafe-eval'"
+
+    # After
+    policy.script_src :wasm_unsafe_eval
+    ```
+
+    *Joe Haig*
+
+*   Add `display_capture` and `keyboard_map` in `permissions_policy`
+
+    *Cyril Blaecke*
+
+*   Add `connect` route helper.
+
+    *Samuel Williams*
+
+Please check [7-2-stable](https://github.com/rails/rails/blob/7-2-stable/actionpack/CHANGELOG.md) for previous changes.

data/vendor/bundle/ruby/3.4.0/gems/actionpack-8.0.3/MIT-LICENSE

@@ -0,0 +1,21 @@
+Copyright (c) David Heinemeier Hansson
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

data/vendor/bundle/ruby/3.4.0/gems/actionpack-8.0.3/README.rdoc

@@ -0,0 +1,57 @@
+= Action Pack -- From request to response
+
+Action Pack is a framework for handling and responding to web requests. It
+provides mechanisms for *routing* (mapping request URLs to actions), defining
+*controllers* that implement actions, and generating responses. In short, Action Pack
+provides the controller layer in the MVC paradigm.
+
+It consists of several modules:
+
+* Action Dispatch, which parses information about the web request, handles
+  routing as defined by the user, and does advanced processing related to HTTP
+  such as MIME-type negotiation, decoding parameters in POST, PATCH, or PUT bodies,
+  handling HTTP caching logic, cookies and sessions.
+
+* Action Controller, which provides a base controller class that can be
+  subclassed to implement filters and actions to handle requests. The result
+  of an action is typically content generated from views.
+
+With the Ruby on \Rails framework, users only directly interface with the
+Action Controller module. Necessary Action Dispatch functionality is activated
+by default and Action View rendering is implicitly triggered by Action
+Controller. However, these modules are designed to function on their own and
+can be used outside of \Rails.
+
+You can read more about Action Pack in the {Action Controller Overview}[https://guides.rubyonrails.org/action_controller_overview.html] guide.
+
+== Download and installation
+
+The latest version of Action Pack can be installed with RubyGems:
+
+  $ gem install actionpack
+
+Source code can be downloaded as part of the \Rails project on GitHub:
+
+* https://github.com/rails/rails/tree/main/actionpack
+
+
+== License
+
+Action Pack is released under the MIT license:
+
+* https://opensource.org/licenses/MIT
+
+
+== Support
+
+API documentation is at:
+
+* https://api.rubyonrails.org
+
+Bug reports for the Ruby on \Rails project can be filed here:
+
+* https://github.com/rails/rails/issues
+
+Feature requests should be discussed on the rubyonrails-core forum here:
+
+* https://discuss.rubyonrails.org/c/rubyonrails-core

data/vendor/bundle/ruby/3.4.0/gems/actionview-8.0.3/CHANGELOG.md

@@ -0,0 +1,129 @@
+## Rails 8.0.3 (September 22, 2025) ##
+
+*   Fix label with `for` option not getting prefixed by form `namespace` value
+
+    *Abeid Ahmed*, *Hartley McGuire*
+
+*   Fix `javascript_include_tag` `type` option to accept either strings and symbols.
+
+    ```ruby
+    javascript_include_tag "application", type: :module
+    javascript_include_tag "application", type: "module"
+    ```
+
+    Previously, only the string value was recognized.
+
+    *Jean Boussier*
+
+*   Fix `excerpt` helper with non-whitespace separator.
+
+    *Jonathan Hefner*
+
+
+## Rails 8.0.2.1 (August 13, 2025) ##
+
+*   No changes.
+
+
+## Rails 8.0.2 (March 12, 2025) ##
+
+*   Respect `html_options[:form]` when `collection_checkboxes` generates the
+    hidden `<input>`.
+
+    *Riccardo Odone*
+
+*   Layouts have access to local variables passed to `render`.
+
+    This fixes #31680 which was a regression in Rails 5.1.
+
+    *Mike Dalessio*
+
+*   Argument errors related to strict locals in templates now raise an
+    `ActionView::StrictLocalsError`, and all other argument errors are reraised as-is.
+
+    Previously, any `ArgumentError` raised during template rendering was swallowed during strict
+    local error handling, so that an `ArgumentError` unrelated to strict locals (e.g., a helper
+    method invoked with incorrect arguments) would be replaced by a similar `ArgumentError` with an
+    unrelated backtrace, making it difficult to debug templates.
+
+    Now, any `ArgumentError` unrelated to strict locals is reraised, preserving the original
+    backtrace for developers.
+
+    Also note that `ActionView::StrictLocalsError` is a subclass of `ArgumentError`, so any existing
+    code that rescues `ArgumentError` will continue to work.
+
+    Fixes #52227.
+
+    *Mike Dalessio*
+
+*   Fix stack overflow error in dependency tracker when dealing with circular dependencies
+
+    *Jean Boussier*
+
+## Rails 8.0.1 (December 13, 2024) ##
+
+*   Fix a crash in ERB template error highlighting when the error occurs on a
+    line in the compiled template that is past the end of the source template.
+
+    *Martin Emde*
+
+*   Improve reliability of ERB template error highlighting.
+    Fix infinite loops and crashes in highlighting and
+    improve tolerance for alternate ERB handlers.
+
+    *Martin Emde*
+
+
+## Rails 8.0.0.1 (December 10, 2024) ##
+
+*   No changes.
+
+
+## Rails 8.0.0 (November 07, 2024) ##
+
+*   No changes.
+
+
+## Rails 8.0.0.rc2 (October 30, 2024) ##
+
+*   No changes.
+
+
+## Rails 8.0.0.rc1 (October 19, 2024) ##
+
+*   Remove deprecated support to passing a content to void tag elements on the `tag` builder.
+
+    *Rafael Mendonça França*
+
+*   Remove deprecated support to passing `nil` to the `model:` argument of `form_with`.
+
+    *Rafael Mendonça França*
+
+
+## Rails 8.0.0.beta1 (September 26, 2024) ##
+
+*   Enable DependencyTracker to evaluate renders with trailing interpolation.
+
+    ```erb
+    <%= render "maintenance_tasks/runs/info/#{run.status}" %>
+    ```
+
+    Previously, the DependencyTracker would ignore this render, but now it will
+    mark all partials in the "maintenance_tasks/runs/info" folder as
+    dependencies.
+
+    *Hartley McGuire*
+
+*   Rename `text_area` methods into `textarea`
+
+    Old names are still available as aliases.
+
+    *Sean Doyle*
+
+*   Rename `check_box*` methods into `checkbox*`.
+
+    Old names are still available as aliases.
+
+    *Jean Boussier*
+
+Please check [7-2-stable](https://github.com/rails/rails/blob/7-2-stable/actionview/CHANGELOG.md) for previous changes.

data/vendor/bundle/ruby/3.4.0/gems/actionview-8.0.3/MIT-LICENSE

@@ -0,0 +1,21 @@
+Copyright (c) David Heinemeier Hansson
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

data/vendor/bundle/ruby/3.4.0/gems/actionview-8.0.3/README.rdoc

@@ -0,0 +1,40 @@
+= Action View
+
+Action View is a framework for handling view template lookup and rendering, and provides
+view helpers that assist when building HTML forms, Atom feeds and more.
+Template formats that Action View handles are ERB (embedded Ruby, typically
+used to inline short Ruby snippets inside HTML), and XML Builder.
+
+You can read more about Action View in the {Action View Overview}[https://guides.rubyonrails.org/action_view_overview.html] guide.
+
+== Download and installation
+
+The latest version of Action View can be installed with RubyGems:
+
+  $ gem install actionview
+
+Source code can be downloaded as part of the \Rails project on GitHub:
+
+* https://github.com/rails/rails/tree/main/actionview
+
+
+== License
+
+Action View is released under the MIT license:
+
+* https://opensource.org/licenses/MIT
+
+
+== Support
+
+API documentation is at
+
+* https://api.rubyonrails.org
+
+Bug reports for the Ruby on \Rails project can be filed here:
+
+* https://github.com/rails/rails/issues
+
+Feature requests should be discussed on the rubyonrails-core forum here:
+
+* https://discuss.rubyonrails.org/c/rubyonrails-core