railties 8.0.5 → 8.1.0.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 664663d9e6513cdea42ce00026cfd1a3248e696a9410064f13e9e1de36e6b438
-  data.tar.gz: a81210cc416f95b59cce06656ecd36303e5c0be6c96e1430506d26b51c4e5f7c
+  metadata.gz: f96d0bd7304aebd3f5b4067354bd24c00ad034b34b03454275124bda2ef80371
+  data.tar.gz: 2d8e046700f53160f821f70ceb11f6cf8799fc9654ba8f4b73d283240d8f7259
 SHA512:
-  metadata.gz: 8d292ad13dee2d276f86fd1d96acc74a382b1c05c1063898895cfeda2a41fc7b3390901fbd89219c4f4036e84f2a2a0dc22efb5d302e766db602d88cb46e6dfd
-  data.tar.gz: 5298c4febcca27bc252e640f212d20e1d91f8715bbc993dac23777abff52687a03deba0789e5db1d850aba50ee0c22c35e073ffc0672fc0f7c649bc571327c75
+  metadata.gz: 031c43f3c487649f1d6a83622afd3d438aa437e259864372c685b5e720b8b636cecbf7bf083afb58219b20120059c85ebf9bdfdb756afdbd59e713d7443a6f98
+  data.tar.gz: 0d2eb2b9519a859362aa6eda717ba8b0a9ef54fa975824f76c295f84e1750d2c30a3d5b9b0983e075c8bf1b89a2d80c6c3b469952920bd5537ed728d4b140e62

data/CHANGELOG.md

@@ -1,310 +1,129 @@
-## Rails 8.0.5 (March 24, 2026) ##
+## Rails 8.1.0.beta1 (September 04, 2025) ##
 
-*   Fixed the `rails notes` command to properly extract notes in CSS files.
+*   Add command `rails credentials:fetch PATH` to get the value of a credential from the credentials file.
 
-    *David White*
-
-*   Fixed the default Dockerfile to properly include the `vendor/` directory during `bundle install`.
-
-    *Zhong Sheng*
-
-
-## Rails 8.0.4.1 (March 23, 2026) ##
-
-*   No changes.
-
-
-## Rails 8.0.4 (October 28, 2025) ##
-
-*   No changes.
-
-
-## Rails 8.0.3 (September 22, 2025) ##
-
-*   Fix `polymorphic_url` and `polymorphic_path` not working when routes are not loaded.
-
-    *Édouard Chin*
-
-*   Fix Rails console to not override user defined IRB_NAME.
-
-    Only change the prompt name if it hasn't been customized in `.irbrc`.
-
-    *Jarrett Lusso*
-
-
-## Rails 8.0.2.1 (August 13, 2025) ##
-
-*   No changes.
-
-
-## Rails 8.0.2 (March 12, 2025) ##
-
-*   Fix Rails console to load routes.
-
-    Otherwise `*_path` and `*url` methods are missing on the `app` object.
-
-    *Édouard Chin*
-
-*   Update `rails new --minimal` option
-
-    Extend the `--minimal` flag to exclude recently added features:
-    `skip_brakeman`, `skip_ci`, `skip_docker`, `skip_kamal`, `skip_rubocop`, `skip_solid` and `skip_thruster`.
-
-    *eelcoj*
-
-*   Use `secret_key_base` from ENV or credentials when present locally.
-
-    When ENV["SECRET_KEY_BASE"] or
-    `Rails.application.credentials.secret_key_base` is set for test or
-    development, it is used for the `Rails.config.secret_key_base`,
-    instead of generating a `tmp/local_secret.txt` file.
-
-    *Petrik de Heus*
-
-
-## Rails 8.0.1 (December 13, 2024) ##
-
-*   Skip generation system tests related code for CI when `--skip-system-test` is given.
-
-    *fatkodima*
-
-*   Don't add bin/thrust if thruster is not in Gemfile.
-
-    *Étienne Barrié*
-
-*   Don't install a package for system test when applications don't use it.
-
-    *y-yagi*
-
-
-## Rails 8.0.0.1 (December 10, 2024) ##
-
-*   No changes.
-
-
-## Rails 8.0.0 (November 07, 2024) ##
-
-*   No changes.
-
-
-## Rails 8.0.0.rc2 (October 30, 2024) ##
-
-*   Fix incorrect database.yml with `skip_solid`.
-
-    *Joé Dupuis*
-
-*   Set `Regexp.timeout` to `1`s by default to improve security over Regexp Denial-of-Service attacks.
-
-    *Rafael Mendonça França*
-
-
-## Rails 8.0.0.rc1 (October 19, 2024) ##
-
-*   Remove deprecated support to extend Rails console through `Rails::ConsoleMethods`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated file `rails/console/helpers`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated file `rails/console/app`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated `config.read_encrypted_secrets`.
-
-    *Rafael Mendonça França*
-
-*   Add Kamal support for devcontainers
-
-    Previously generated devcontainer could not use docker and therefore Kamal.
-
-    *Joé Dupuis*
-
-
-## Rails 8.0.0.beta1 (September 26, 2024) ##
-
-*   Exit `rails g` with code 1 if generator could not be found.
-
-    Previously `rails g` returned 0, which would make it harder to catch typos in scripts calling `rails g`.
-
-    *Christopher Özbek*
-
-*   Remove `require_*` statements from application.css to align with the transition from Sprockets to Propshaft.
-
-    With Propshaft as the default asset pipeline in Rails 8, the require_tree and require_self clauses in application.css are no longer necessary, as they were specific to Sprockets. Additionally, the comment has been updated to clarify that CSS precedence now follows standard cascading order without automatic prioritization by the asset pipeline.
-
-    *Eduardo Alencar*
+    ```bash
+    $ bin/rails credentials:fetch kamal_registry.password
+    ```
 
-*   Do not include redis by default in generated Dev Containers.
+    *Matthew Nguyen*, *Jean Boussier*
 
-    Now that applications use the Solid Queue and Solid Cache gems by default, we do not need to include redis
-    in the Dev Container. We will only include redis if `--skip-solid` is used when generating an app that uses
-    Active Job or Action Cable.
+*   Generate static BCrypt password digests in fixtures instead of dynamic ERB expressions.
 
-    When generating a Dev Container for an existing app, we will not include redis if either of the solid gems
-    are in use.
+    Previously, fixtures with password digest attributes used `<%= BCrypt::Password.create("secret") %>`,
+    which regenerated the hash on each test run. Now generates a static hash with a comment
+    showing how to recreate it.
 
-    *Andrew Novoselac*
+    *Nate Smith*, *Cassia Scheffer*
 
-*   Use [Solid Cable](https://github.com/rails/solid_cable) as the default Action Cable adapter in production, configured as a separate queue database in config/database.yml. It keeps messages in a table and continuously polls for updates. This makes it possible to drop the common dependency on Redis, if it isn't needed for any other purpose. Despite polling, the performance of Solid Cable is comparable to Redis in most situations. And in all circumstances, it makes it easier to deploy Rails when Redis is no longer a required dependency for Action Cable functionality.
+*   Broaden the `.gitignore` entry when adding a credentials key to ignore all key files.
 
-    *DHH*
+    *Greg Molnar*
 
-*   Use [Solid Queue](https://github.com/rails/solid_queue) as the default Active Job backend in production, configured as a separate queue database in config/database.yml. In a single-server deployment, it'll run as a Puma plugin. This is configured in `config/deploy.yml` and can easily be changed to use a dedicated jobs machine.
+*   Remove unnecessary `ruby-version` input from `ruby/setup-ruby`
 
-    *DHH*
+    *TangRufus*
 
-*   Use [Solid Cache](https://github.com/rails/solid_cache) as the default Rails.cache backend in production, configured as a separate cache database in config/database.yml.
+*   Add --reset option to bin/setup which will call db:reset as part of the setup.
 
     *DHH*
 
-*   Add Rails::Rack::SilenceRequest middleware and use it via `config.silence_healthcheck_path = path`
-    to silence requests to "/up". This prevents the Kamal-required health checks from clogging up
-    the production logs.
-
-    *DHH*
+*   Add RuboCop cache restoration to RuboCop job in GitHub Actions workflow templates.
 
-*   Introduce `mariadb-mysql` and `mariadb-trilogy` database options for `rails new`
+    *Lovro Bikić*
 
-    When used with the `--devcontainer` flag, these options will use `mariadb` as the database for the
-    Dev Container. The original `mysql` and `trilogy` options will use `mysql`. Users who are not
-    generating a Dev Container do not need to use the new options.
+*   Skip generating mailer-related files in authentication generator if the application does
+    not use ActionMailer
 
-    *Andrew Novoselac*
+    *Rami Massoud*
 
-*   Deprecate `::STATS_DIRECTORIES`.
+*   Introduce `bin/ci` for running your tests, style checks, and security audits locally or in the cloud.
 
-    The global constant `STATS_DIRECTORIES` has been deprecated in favor of
-    `Rails::CodeStatistics.register_directory`.
-
-    Add extra directories with `Rails::CodeStatistics.register_directory(label, path)`:
+    The specific steps are defined by a new DSL in `config/ci.rb`.
 
     ```ruby
-    require "rails/code_statistics"
-    Rails::CodeStatistics.register_directory('My Directory', 'path/to/dir')
+    ActiveSupport::ContinuousIntegration.run do
+      step "Setup", "bin/setup --skip-server"
+      step "Style: Ruby", "bin/rubocop"
+      step "Security: Gem audit", "bin/bundler-audit"
+      step "Tests: Rails", "bin/rails test test:system"
+    end
     ```
 
-    *Petrik de Heus*
-
-*   Enable query log tags by default on development env
+    Optionally use [gh-signoff](https://github.com/basecamp/gh-signoff) to
+    set a green PR status - ready for merge.
 
-    This can be used to trace troublesome SQL statements back to the application
-    code that generated these statements. It is also useful when using multiple
-    databases because the query logs can identify which database is being used.
+    *Jeremy Daer*, *DHH*
 
-    *Matheus Richard*
+*   Generate session controller tests when running the authentication generator.
 
-*   Defer route drawing to the first request, or when url_helpers are called
+    *Jerome Dalbert*
 
-    Executes the first routes reload in middleware, or when a route set's
-    url_helpers receives a route call / asked if it responds to a route.
-    Previously, this was executed unconditionally on boot, which can
-    slow down boot time unnecessarily for larger apps with lots of routes.
+*   Add bin/bundler-audit and config/bundler-audit.yml for discovering and managing known security problems with app gems.
 
-    Environments like production that have `config.eager_load = true` will
-    continue to eagerly load routes on boot.
+    *DHH*
 
-    *Gannon McGibbon*
+*   Rails no longer generates a `bin/bundle` binstub when creating new applications.
 
-*   Generate form helpers to use `textarea*` methods instead of `text_area*` methods
+    The `bin/bundle` binstub used to help activate the right version of bundler.
+    This is no longer necessary as this mechanism is now part of Rubygem itself.
 
-    *Sean Doyle*
+    *Edouard Chin*
 
-*   Add authentication generator to give a basic start to an authentication system using database-tracked sessions and password reset.
+*   Add a `SessionTestHelper` module with `sign_in_as(user)` and `sign_out` test helpers when
+    running `rails g authentication`. Simplifies authentication in integration tests.
 
-    Generate with...
+    *Bijan Rahnema*
 
-    ```
-    bin/rails generate authentication
-    ```
+*   Rate limit password resets in authentication generator
 
-    Generated files:
+    This helps mitigate abuse from attackers spamming the password reset form.
 
-    ```
-    app/models/current.rb
-    app/models/user.rb
-    app/models/session.rb
-    app/controllers/sessions_controller.rb
-    app/controllers/passwords_controller.rb
-    app/mailers/passwords_mailer.rb
-    app/views/sessions/new.html.erb
-    app/views/passwords/new.html.erb
-    app/views/passwords/edit.html.erb
-    app/views/passwords_mailer/reset.html.erb
-    app/views/passwords_mailer/reset.text.erb
-    db/migrate/xxxxxxx_create_users.rb
-    db/migrate/xxxxxxx_create_sessions.rb
-    test/mailers/previews/passwords_mailer_preview.rb
-    ```
-
-    *DHH*
+    *Chris Oliver*
 
+*   Update `rails new --minimal` option
 
-*   Add not-null type modifier to migration attributes.
+    Extend the `--minimal` flag to exclude recently added features:
+    `skip_brakeman`, `skip_ci`, `skip_docker`, `skip_kamal`, `skip_rubocop`, `skip_solid` and `skip_thruster`.
 
-    Generating with...
+    *eelcoj*
 
-    ```
-    bin/rails generate migration CreateUsers email_address:string!:uniq password_digest:string!
-    ```
+*   Add `application-name` metadata to application layout
 
-    Produces:
+    The following metatag will be added to `app/views/layouts/application.html.erb`
 
-    ```ruby
-    class CreateUsers < ActiveRecord::Migration[8.0]
-      def change
-        create_table :users do |t|
-          t.string :email_address, null: false
-          t.string :password_digest, null: false
-
-          t.timestamps
-        end
-        add_index :users, :email_address, unique: true
-      end
-    end
+    ```html
+    <meta name="application-name" content="Name of Rails Application">
     ```
 
-    *DHH*
-
-*   Add a `script` folder to applications, and a scripts generator.
+    *Steve Polito*
 
-    The new `script` folder is meant to hold one-off or general purpose scripts,
-    such as data migration scripts, cleanup scripts, etc.
-
-    A new script generator allows you to create such scripts:
-
-    ```
-    bin/rails generate script my_script
-    bin/rails generate script data/backfill
-    ```
+*   Use `secret_key_base` from ENV or credentials when present locally.
 
-    You can run the generated script using:
+    When ENV["SECRET_KEY_BASE"] or
+    `Rails.application.credentials.secret_key_base` is set for test or
+    development, it is used for the `Rails.config.secret_key_base`,
+    instead of generating a `tmp/local_secret.txt` file.
 
-    ```
-    bundle exec ruby script/my_script.rb
-    bundle exec ruby script/data/backfill.rb
-    ```
+    *Petrik de Heus*
 
-    *Jerome Dalbert*, *Haroon Ahmed*
+*   Introduce `RAILS_MASTER_KEY` placeholder in generated ci.yml files
 
-*   Deprecate `bin/rake stats` in favor of `bin/rails stats`.
+    *Steve Polito*
 
-    *Juan Vásquez*
+*   Colorize the Rails console prompt even on non standard environments.
 
-*   Add internal page `/rails/info/notes`, that displays the same information as `bin/rails notes`.
+    *Lorenzo Zabot*
 
-    *Deepak Mahakale*
+*   Don't enable YJIT in development and test environments
 
-*   Add Rubocop and GitHub Actions to plugin generator.
-    This can be skipped using --skip-rubocop and --skip-ci.
+    Development and test environments tend to reload code and redefine methods (e.g. mocking),
+    hence YJIT isn't generally faster in these environments.
 
-    *Chris Oliver*
+    *Ali Ismayilov*, *Jean Boussier*
 
-*   Use Kamal for deployment by default, which includes generating a Rails-specific config/deploy.yml.
-    This can be skipped using --skip-kamal. See more: https://kamal-deploy.org/
+*   Only include PermissionsPolicy::Middleware if policy is configured.
 
-    *DHH*
+    *Petrik de Heus*
 
-Please check [7-2-stable](https://github.com/rails/rails/blob/7-2-stable/railties/CHANGELOG.md) for previous changes.
+Please check [8-0-stable](https://github.com/rails/rails/blob/8-0-stable/railties/CHANGELOG.md) for previous changes.

data/lib/minitest/rails_plugin.rb

@@ -26,6 +26,8 @@ module Minitest
   end
 
   class ProfileReporter < Reporter
+    attr_accessor :results
+
     def initialize(io = $stdout, options = {})
       super
       @results = []
@@ -33,26 +35,49 @@ module Minitest
     end
 
     def record(result)
-      @results << result
+      if output_file = ENV["RAILTIES_OUTPUT_FILE"]
+        File.open(output_file, "a") do |f|
+          # Round-trip for re-serialization
+          data = JSON.parse(result.to_json)
+          data[:location] = result.location
+          f.puts(data.to_json)
+        end
+      else
+        @results << result
+      end
+    end
+
+    def passed?
+      true
     end
 
     def report
-      total_time = @results.sum(&:time)
+      # Skip if we're outputting to a file
+      return if ENV["RAILTIES_OUTPUT_FILE"]
+      print_summary
+    end
+
+    def summary
+      print_summary
+    end
+
+    private
+      def print_summary
+        total_time = @results.sum(&:time)
 
-      @results.sort! { |a, b| b.time <=> a.time }
-      slow_results = @results.take(@count)
-      slow_tests_total_time = slow_results.sum(&:time)
+        @results.sort! { |a, b| b.time <=> a.time }
+        slow_results = @results.take(@count)
+        slow_tests_total_time = slow_results.sum(&:time)
 
-      ratio = (total_time == 0) ? 0.0 : (slow_tests_total_time / total_time) * 100
+        ratio = (total_time == 0) ? 0.0 : (slow_tests_total_time / total_time) * 100
 
-      io.puts("\nTop %d slowest tests (%.2f seconds, %.1f%% of total time):\n" % [slow_results.size, slow_tests_total_time, ratio])
-      slow_results.each do |result|
-        io.puts("  %s\n    %.4f seconds %s\n" % [result.location, result.time, source_location(result)])
+        io.puts("\nTop %d slowest tests (%.2f seconds, %.1f%% of total time):\n" % [slow_results.size, slow_tests_total_time, ratio])
+        slow_results.each do |result|
+          io.puts("  %s\n    %.4f seconds %s\n" % [result.location, result.time, source_location(result)])
+        end
+        io.puts("\n")
       end
-      io.puts("\n")
-    end
 
-    private
       def source_location(result)
         filename, line = result.source_location
         return "" unless filename
@@ -80,13 +105,6 @@ module Minitest
       options[:fail_fast] = true
     end
 
-    if Minitest::VERSION > "6" then
-      opts.on "-n", "--name PATTERN", "Include /regexp/ or string for run." do |a|
-        warn "Please switch from -n/--name to -i/--include"
-        options[:include] = a
-      end
-    end
-
     opts.on("-c", "--[no-]color", "Enable color in the output") do |value|
       options[:color] = value
     end
@@ -109,8 +127,19 @@ module Minitest
       options[:profile] = count
     end
 
+    opts.on(/^[^-]/) do |test_file|
+      options[:test_files] ||= []
+      options[:test_files] << test_file
+    end
+
     options[:color] = true
     options[:output_inline] = true
+
+    opts.on do
+      if ::Rails::TestUnit::Runner.load_test_files
+        ::Rails::TestUnit::Runner.load_tests(options.fetch(:test_files, []))
+      end
+    end
   end
 
   # Owes great inspiration to test runner trailblazers like RSpec,

data/lib/rails/application/bootstrap.rb

@@ -71,6 +71,11 @@ module Rails
         end
       end
 
+      initializer :initialize_event_reporter, group: :all do
+        Rails.event.raise_on_error = config.consider_all_requests_local
+        Rails.event.debug_mode = config.consider_all_requests_local
+      end
+
       # Initialize cache early in the stack so railties can make use of it.
       initializer :initialize_cache, group: :all do
         cache_format_version = config.active_support.delete(:cache_format_version)

data/lib/rails/application/configuration.rb

@@ -21,6 +21,7 @@ module Rails
                     :beginning_of_week, :filter_redirect, :x,
                     :content_security_policy_report_only,
                     :content_security_policy_nonce_generator, :content_security_policy_nonce_directives,
+                    :content_security_policy_nonce_auto,
                     :require_master_key, :credentials, :disable_sandbox, :sandbox_by_default,
                     :add_autoload_paths_to_load_path, :rake_eager_load, :server_timing, :log_file_size,
                     :dom_testing_default_html_version, :yjit
@@ -72,6 +73,7 @@ module Rails
         @content_security_policy_report_only     = false
         @content_security_policy_nonce_generator = nil
         @content_security_policy_nonce_directives = nil
+        @content_security_policy_nonce_auto      = false
         @require_master_key                      = false
         @loaded_config_version                   = nil
         @credentials                             = ActiveSupport::InheritableOptions.new(credentials_defaults)
@@ -346,6 +348,30 @@ module Rails
           end
 
           Regexp.timeout ||= 1 if Regexp.respond_to?(:timeout=)
+        when "8.1"
+          load_defaults "8.0"
+
+          # Development and test environments tend to reload code and
+          # redefine methods (e.g. mocking), hence YJIT isn't generally
+          # faster in these environments.
+          self.yjit = !Rails.env.local?
+
+          if respond_to?(:action_controller)
+            action_controller.escape_json_responses = false
+            action_controller.action_on_path_relative_redirect = :raise
+          end
+
+          if respond_to?(:active_record)
+            active_record.raise_on_missing_required_finder_order_columns = true
+          end
+
+          if respond_to?(:action_view)
+            action_view.render_tracker = :ruby
+          end
+
+          if respond_to?(:action_view)
+            action_view.remove_hidden_field_autocomplete = true
+          end
         else
           raise "Unknown version #{target_version.to_s.inspect}"
         end

data/lib/rails/application/default_middleware_stack.rb

@@ -83,7 +83,7 @@ module Rails
           unless config.api_only
             middleware.use ::ActionDispatch::Flash
             middleware.use ::ActionDispatch::ContentSecurityPolicy::Middleware
-            middleware.use ::ActionDispatch::PermissionsPolicy::Middleware
+            middleware.use ::ActionDispatch::PermissionsPolicy::Middleware if config.permissions_policy
           end
 
           middleware.use ::Rack::Head

data/lib/rails/application/finisher.rb

@@ -229,7 +229,8 @@ module Rails
 
       initializer :enable_yjit do
         if config.yjit && defined?(RubyVM::YJIT.enable)
-          RubyVM::YJIT.enable
+          options = config.yjit.is_a?(Hash) ? config.yjit : {}
+          RubyVM::YJIT.enable(**options)
         end
       end
     end

data/lib/rails/application/routes_reloader.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "active_support/core_ext/module/delegation"
 
 module Rails
   class Application

data/lib/rails/application.rb

@@ -2,10 +2,8 @@
 
 require "yaml"
 require "active_support/core_ext/hash/keys"
-require "active_support/core_ext/object/blank"
 require "active_support/key_generator"
 require "active_support/message_verifiers"
-require "active_support/deprecation"
 require "active_support/encrypted_configuration"
 require "active_support/hash_with_indifferent_access"
 require "active_support/configuration_file"
@@ -616,7 +614,7 @@ module Rails
     end
 
     def railties_initializers(current) # :nodoc:
-      initializers = []
+      initializers = Initializable::Collection.new
       ordered_railties.reverse.flatten.each do |r|
         if r == self
           initializers += current

data/lib/rails/command/base.rb

@@ -3,8 +3,6 @@
 require "thor"
 require "erb"
 
-require "active_support/core_ext/class/attribute"
-require "active_support/core_ext/module/delegation"
 require "active_support/core_ext/string/inflections"
 
 require "rails/command/actions"

data/lib/rails/command/environment_argument.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require "active_support"
-require "active_support/core_ext/class/attribute"
 
 module Rails
   module Command

data/lib/rails/command.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 require "active_support"
+require "active_support/rails"
 require "active_support/core_ext/enumerable"
-require "active_support/core_ext/object/blank"
 require "rails/deprecator"
 
 require "thor"

data/lib/rails/commands/console/irb_console.rb

@@ -91,9 +91,9 @@ module Rails
         IRB.conf[:IRB_NAME] = @app.name if IRB.conf[:IRB_NAME] == "irb"
 
         IRB.conf[:PROMPT][:RAILS_PROMPT] = {
-          PROMPT_I: "#{prompt_prefix}> ",
-          PROMPT_S: "#{prompt_prefix}%l ",
-          PROMPT_C: "#{prompt_prefix}* ",
+          PROMPT_I: "#{prompt_prefix}:%03n> ",
+          PROMPT_S: "#{prompt_prefix}:%03n%l ",
+          PROMPT_C: "#{prompt_prefix}:%03n* ",
           RETURN: "=> %s\n"
         }
 
@@ -122,7 +122,7 @@ module Rails
         when "production"
           IRB::Color.colorize("prod", [:RED])
         else
-          Rails.env
+          IRB::Color.colorize(Rails.env, [:MAGENTA])
         end
       end
     end