Rails 5.0.0.beta2: Slashed Action Cable dependencies, fixes galore

Progress waits for nobody: The second beta release of Rails 5 is out, and it's packed with a six weeks worth of fixes and upgrades.

The big news is that Action Cable no longer depends on Celluloid, Redis, or even EventMachine! We've doubled down on concurrent-ruby, added a PostgreSQL alternative adapter to Redis for pubsub, and added a non-EventMachine Redis adapter too. So if you were freaking out over the new dependencies in beta1, you can breathe easy again. The Rails community has, as per-usual, stepped up and Made It Better. Special thanks to Mike Perham, Jon Moss, and Matthew Draper for their work on this!

Beyond that, there's literally 25 pages of commits on GitHub detailing the work done since the beta1 release on December 18. It's a good stroll through the work it takes to go from beta to beta.

The release targets from here are RC1 on February 16 and then final on February 23. All depends on how much stuff pops up from beta2 and RC1, though. So don't order cake or champagne for delivery on those dates just yet!

If you missed the announcement on what's new in Rails 5, checkout the beta1 story. Oh, and thanks to Sean Griffin for coordinating this release.

This week in Rails: Security releases and getting closer to Rails 5 RC

This is Prathamesh bringing the latest news from this eventful week of security releases and getting closer to Rails 5 RC.


Security releases!

New Rails versions are released with many important security fixes. If you have not done already, upgrade as soon as possible.

This weeks contributors

This week 44 people contributed to Rails. We also got 11 first time contributors. Welcome aboard folks and keep it going!

New Stuff

Drop Action Cable dependency on EventMachine

Action Cable no longer depends on EventMachine. A lot of work is done to make sure that this change works properly. Hat tip to Matthew Draper for all the great work!

New welcome page for Rails 5

Do you remember the old Welcome aboard page? It's now replaced by Yay! You are on Rails! The welcome page got a big facelift in Rails 5, gone are the needless links and extra data. It's compact and mentions only relevant things.

Generate index for referenced columns by default

Rails will now generate indexes for referenced columns by default without mentioning it in migrations. That's what we want in 90% of the cases anyways!


Issues with ActiveRecord::Relation#cache_key fixed

Lots of corner cases with using cache_key with loaded and unloaded collections and with selecting specific columns are fixed.

Fix issue with has_many: through STI association

An issue with incorrect source_type getting used in case of has_many: through associations with STI models is fixed.

Wrapping Up

That's all for This week in Rails. As always, there are plenty of things we're not able to cover here, so take a peek at the changes yourself.

Until next time!

Rails 5.0.0.beta1.1,,,, and rails-html-sanitizer 1.0.3 have been released!

Hello everyone and happy Monday!

Rails 5.0.0.beta1.1,,, and have been released! These contain the following important security fixes, and it is recommended that users upgrade as soon as possible:

For ease of upgrading, these Rails releases only contain patches pertaining to the security fixes. The released versions can be found in the usual locations, and you can find a list of changes on GitHub:

rails-html-sanitizer version 1.0.3 has been released, and it contains the following important security fixes:

In Rails 4.2, the HTML sanitizer was inadvertently made much more permissive than in 4.1.

In order to maintain our "secure by default" policy, rectifying this has forced us to make a backwards-incompatible change to the sanitizer.

If you use the sanitizer in 4.2, you will need to verify that the more restrictive filter still permits all the tags you need to allow. If it doesn't, you can add additional tags to the whitelist.

We've done our best to minimize any impact to your applications, but if you run in to any issues, please file a ticket and we'll do our best to help!

Again, as always, if you run in to any bugs, please file them on the Rails issue tracker which is located here. If you run in to security issues, please follow the reporting process which can be found here.

Please have a happy Monday! <3<3<3


Here are checksums for the released gems:

[aaron@TC release]$ shasum *-5.0*
ab66244a0982e78502f6a80763509ac2d44b6cbd  actioncable-5.0.0.beta1.1.gem
47d8065ff0d6cfda2a5ccd85cffcd20144ea3555  actionmailer-5.0.0.beta1.1.gem
b358da8e683c6f15c03623f79abae8a6e0af2519  actionpack-5.0.0.beta1.1.gem
cc2e392c216c19736b9bbdd38066fc93384d7b4b  actionview-5.0.0.beta1.1.gem
fdbb7d5c251bde51dd669b4003096cc68a1cae1b  activejob-5.0.0.beta1.1.gem
b15cd7b0d9b434b140674ff52e0cbdeb9e71b887  activemodel-5.0.0.beta1.1.gem
414e46249b1cb8076b50b6515a8d61ef7e1a6cb7  activerecord-5.0.0.beta1.1.gem
e02309dd676f9959b6065ee04662430042b6ebc6  activesupport-5.0.0.beta1.1.gem
5f4b04e885781c639ff98857f4c85ffaeba934ef  rails-5.0.0.beta1.1.gem
dc72e0c60c86800612048f093543e183afb85ecc  railties-5.0.0.beta1.1.gem
[aaron@TC release]$ shasum *-4.2*
1d811a70a882be3f2e41932e5f90997d6dc63bf0  actionmailer-
800fec0a382e3642d500c5dd42e6b8b4c9ebe75e  actionpack-
201df102af6af1ac0efbe1a6c3c0f5c11fca58f9  actionview-
543413c4066e20db128888ba21c253b7b33d4e87  activejob-
1a845d38be3add3d52006d0b81a7e5ef28160c30  activemodel-
9ceffa7cf0d0f83d75768d5387fcba5c0b35102e  activerecord-
9cdf9da5f93f2ab83e4bbbf569e1f48bd6b8d713  activesupport-
e53fbe562bea0fd5ccd2a46730d4d2f802e79ee7  rails-
e9b8efe89c901b5f590c1560d82dac2b41d409f4  railties-
[aaron@TC release]$ shasum *-4.1*
f7df30256e1f3fa13659ec1f310200ad9fcfdead  actionmailer-
9333184fffbfbefe6cedfb2cf13d9a6e546f0d86  actionpack-
d4aa63a687959aaa2c33bed6985b4817b2f104d0  actionview-
f70164d1240eed8eab9a2f1e559aae336a0b228a  activemodel-
94c1475aa3350db98440c5332b699bec366bc22e  activerecord-
08b6adf299220cf404974d2bd5fcf5f72993c0c8  activesupport-
0f7995d9aded79e1e1e9269fecd8981c83dfded3  rails-
91a956ef86cc297ebee65e862ee6f9b840bbaf91  railties-
[aaron@TC release]$ shasum *-3.2*
f8a07a9ac582ef33b0112e79d606ef04aefbd2d3  actionmailer-
a26eb1752f625997fc87ab861312a056937c0276  actionpack-
6d4a6d976a3a07651dae211eefe447edea4d3263  activemodel-
9669c73665acd7cb0b67eaa84d4784252478e7f8  activerecord-
e1267d756271ef66022a83725b26762e758071f9  activeresource-
5a1daf97cf4dd4333a61c4a1209b97a8f22f083d  activesupport-
b5b624c8365b7061274642a2038935d06191ca8b  rails-
af2827bff9a94f733c98b2f88b3efe00cb22af79  railties-
[aaron@TC release]$ shasum *-1.0*
9c84dca57b521ff92fbdceba1de959db539e4c19  rails-html-sanitizer-1.0.3.gem

This Week In Rails: Doctrine, Weak ETags, Cabled Postgres and more!

Hey passengers!

Have your luggage ready and get those ticket stubs out, a new issue is just about to roll in to the station. Godfrey and Kasper are co-conducting this beast of steel — eh, newsletter with Rails news, we mean.

Hop aboard before we roll off, and start choo-chooing toward...

Hey, does that sign say "Tracks End Here"?


Fresh off the tracks, a new Rails site!

Ahead of the coming major release of Rails, we got a new website and logo and... doctrine?

Yes! See, Rails has been going strong for over 10 years, the Rails Doctrine just captures that magic and spells it out. Thus Rails is ready to roll on for the next decade. The blog post dishes on the new design's backstory.

P.S. The Rails core team got some awesome new pictures too!

This weeks Rails Contributors

This week 41 people contributed managed to rivet themselves away from the shiny new pixels above and buckle down some contributions. Kudos to you folks 😁

New Stuff

Action Cable: Postgres pubsub can sub for Redis

Action Cable uses Redis to handle publishing and subscribing, but this week Postgres became a proper pubsub'er and is swappable with Redis.

SQL expressions as a column's default value

With this pull request, you will be able to use a SQL expression (such as a SQL function) as the default value for any column type!


Weaker ETags makes HTTP caches stronger

HTTP ETags help cut bandwidth by sending along a tag that the server could use to validate the cached content.

Rails supports it out-of-the-box but issues "strong" ETags, which has stronger cachability implications than Rails can guarantee.

Not anymore! In Rails 5, Rails now correctly issue "weak" ETags — matching Rack::ETag's behavior.


Removed Action Cable's celluloid dependency

Action Cable's dependency on the celluloid gem has been removed by using the thread pool from concurrent-ruby (which Rails already uses). While temporarily reverted it was reintroduced this week.

Better configuration documentation for Action Cable

Now rejiggered: the Action Cable documentation on how to configure the library has been clarified and better highlights how useful some methods are.

Wrapping Up

That's all for This week in Rails. As always, there are plenty of things we're not able to cover here, so take a peek at the changes yourself.

Until next time!

New Rails identity

It's been 10 years since we last updated the Rails identity, so with Rails 5 just around the corner, we thought it was finally time for a fresh look for a new day. This is it! We have a brand new logo, a brand new site design, and lots of lovely new illustrations.

We can thank Basecamp designer Jamie Dihiansan for the awesome new look. The brief was that Rails shouldn't feel slick. It should be warm, approachable, and welcoming. Rails is in a different place from where it was in 2004. We aren't courting cutting-edge early adopters, so we can lay off the gradients. Rails is now for everyone and our site should reflect that.

The Rails Doctrine

In concert with the new look, I wrote the eight major tenets of The Rails Doctrine. It's still a bit of a work in progress, but please do give it a read if you want to understand deeper the values and practices that underpin us as a framework and a community.

A new video is coming

I was going to record a new video for the homepage, but since we're just on the cusp on some changes to Rails 5 that'll change things a bit, I'm holding off until beta2 (which should be out shortly). In the mean time, you can enjoy the introduction to Action Cable. But rest assured that it'll soon be replaced by a new, proper introduction.

Hope you all enjoy the new look. Now let's ship Rails 5!

This week in Rails: Happy New Year!

Happy New Year! Welcome to the first 2016 issue of This week in Rails.

I'm Andy, and before diving in to contributions from this week, let's briefly recap some stats from 2015. Our 12 editors released 50 issues summarizing over 6500 commits to Rails! Each issue is now being sent to over 4300 subscribers.

What a great year! To celebrate, sweep up some confetti laying around from last weekend, toss it in the air, and sing some bars of Auld Lang Syne.


This Week's Rails Contributors

79 people contributed to Rails since the last issue on December 18, 2015! Check out the list of issues if you'd like to help out as well.

RailsConf 2016 CFP deadline

Interested in speaking at RailsConf 2016 in Kansas City? Call for proposals closes January 15th, 2016, 11:59pm CST! You've got 1 week!

New Stuff

Security: Per-form CSRF tokens

Changes brought upstream from GitHub, related to Content Security Policy (CSP) and securing forms. Check out the links in the PR to learn more.

Default new apps to tag logs with request_id

The :request_id log tag ensures that each request is tagged with a unique identifier.

Short-hand methods for types in MySQL

This change adds short-hand methods like tinyblob and mediumblob for text and blob types when using MySQL.


Don't output to STDOUT twice

Stops printing messages twice with rails console or rails server and a logger set to output to STDOUT.


Replace x.times.map{} with Array.new(x){}

Small performance improvement supported with a benchmark. Check out the results.

Wrapping Up

That's all for This week in Rails. As always, there are many more changes than we have room to cover here, but feel free to check them out yourself.

Until next time!

This week in Rails: Rails 5 - The Beta Awakens

I hear you're looking for a pilot. Name's Todd Solo, captain of This Week in Rails. She may not look like much, but this bucket of bolts did the Kessel Run in less than twelve parsecs. She's more than capable of smuggling all of the latest Rails intelligence to you.

I've got a very Special Edition™ for you this week - we're celebrating the release of the very first beta of Rails 5! We're going to be covering all of the big additions made since the release of Rails 4.2 in this issue. Don't worry - no Bothans died to bring you this information.


This Release's Contributors

We had 790 scruffy-looking nerf herders contribute to this release. That's over 7000 commits in a little over a year! Give all of these folks a big round of applause!

Rails 5 Only Supports Ruby 2.2.2+

This is important - Rails 5 will only support versions of Ruby greater than 2.2.2. Ruby 2.2 introduces a number of new features and performance enhancements that the Rails team wants to capitalize on. You can read more about Ruby 2.2 in the release announcement.

New Stuff

Action Cable

In case you haven't heard, Rails 5 is bringing WebSocket support along with it! Action Cable is a completely integrated solution for building WebSocket apps in Rails. Give it a spin!

Rails API

Rails 5 introduces support for API-only apps. Based on the wonderful work done by the Rails API project, you can now generate apps that strip out parts of Rails not needed for pure backends.

New Command Router

Why do you start a console with rails console, but run migrations with rake db:migrate? That doesn't make any sense. Starting in Rails 5, many of these old rake commands can be run with rails instead.

Attributes API

Your models are getting a new attribute class method in Rails 5, allowing you to easily define a relationship between the model and a non-Active Record type. No more misusing serialize!


Just like ApplicationController, we're getting an ApplicationRecord model superclass in Rails 5. Now you don't have to monkeypatch ActiveRecord::Base to add functionality!


A long requested feature, ActiveRecord::Relation is finally getting the #or method we've all wanted.

Wrapping Up

That's all for This week in Rails. As always, there are plenty of things we're not able to cover here, so I highly recommend you take a peek at the release announcement and CHANGELOGs.

We'll be back to our regularly scheduled program next week.

Until next time - may the Force be with you!

Rails 5.0.0.beta1: Action Cable, API mode, Rails command

Rails 5.0! Can you believe it? We only just celebrated the tenth anniversary of Rails 1.0 a few days ago. Time flies when you're having fun with good friends, and we've never had more fun or better friends in the Rails community, so no wonder it's going swoosh! Now this is just the first beta release, but Rails 5.0.0.beta1 is already running Basecamp 3 in production.

Action Cable

The big new thing in Rails 5.0 is a brand-new framework for handling WebSockets called Action Cable. It's a completely integrated solution that includes an EventMachine-powered connection loop, a thread-backed channels layer for server-side processing, and a JavaScript layer for client-side interaction. It's incredibly easy to use, and makes designing live features like chat, notifications, and presence so much easier. It's what's powering all those features of Basecamp 3, if you want to see it in action.

What's really lovely about Action Cable is that you get access to your entire Active Record and PORO domain model in your WebSockets work. We even added a brand-new ActionController::Renderer system that makes it trivial to render your templates outside of controllers, when you want to reuse server-side templates for WebSocket responses.

In development, Action Cable runs in-process with the rest of your app. To do this, we've switched the default development server from Webrick to Puma. In production, you may well want to run Action Cable servers in their own processes. That's how we run it at Basecamp at scale.

Special thanks to Pratik Naik and Javan Makhmali for their formative work.

API mode

Rails is not only a great choice when you want to build a full-stack application that uses server-side rendering of HTML templates, but also a great companion for the new crop of client-side JavaScript or native applications that just needs the backend to speak JSON. We've made this even clearer now with the new --api mode. If you create a new Rails application using rails new backend --api, you'll get a slimmed down skeleton and configuration that assumes you'll be working with JSON, not HTML.

There's still more work to be done on this feature, but we're off to a great start. By default, API mode just relies on #to_json calls on model classes. But you can either use Jbuilder, Active Model Serializers, or look at the new JSONAPI::Resources project for a more advanced solution.

Thanks in particular to Santiago Pastorino and Jorge Bejar for making this happen.

One Rails command to rule them all

Why are some commands living in bin/rails and some commands living in bin/rake? That's a common question, especially for beginners, and we never had a good answer (just lots of technical excuses). So now we've committed to making bin/rails the one master command to rule them all. All your rake commands are available through here as a gateway, but we'll eventually port many of them over. So your fingers will now have to get used to bin/rails db:migrate instead of bin/rake db:migrate. That should only take a few months!

Kasper Timm Hansen has been herding this project.

A few other highlights

  • New Attributes API by Sean Griffin.
  • The test runner now reports failures inline, so you don't have to complete the suite to see what went wrong.
  • ApplicationRecord has been born as a default parent class of all models created by the generators.
  • ActiveRecord::Relation#in_batches makes it much easier to deal with record work in batches at a time to lessen memory overloads.
  • Post.where('id = 1').or(Post.where('id = 2')) gives you exactly what you'd think!
  • No more accidentally halting Active Record callbacks because the last statement is false. Now you throw(:abort) explicitly!

You should really checkout the CHANGELOGs, though. There's just so much new and good stuff available in all the frameworks:

Claudio did a nice little slide deck walking through some of his favorite improvements (and removals!).

Note too that we're cooking Turbolinks 5 – the one with native iOS and Android wrapper implementations! – for concurrent release with Rails 5. You can follow along on basecamp/turbolinks/v5.

Maintenance consequences

As per our maintenance policy, the release of Rails 5.0 will mean that bug fixes will only apply to 5.0.x, regular security issues to 5.0.x and 4.2.x, and severe security issues also to 5.0.x and 4.2.x (but when 5.1 drops, to 5.1.x, 5.0.x, and 4.2.x). This means 4.1.x and below will essentially be unsupported! Ruby 2.2.2+ is now also the only supported version of Ruby for Rails.

Please help us make Rails 5.0 solid!

We rely on the feedback from everyone in the community to flush out bugs and upgrade issues ahead of a big release like this. So please give Rails 5.0 a try on your app, and if you're starting a new app today, you should probably use the beta1 for that, if you're just the least bit savvy with Rails.

Issues can be recorded on the Github issues tracker.

Already, 789 people have contributed to this new release of Rails. Please do become one of them!

Your dynamic release manager duo for Rails 5.0 is Eileen M. Uchitelle and Sean Griffin. And the undisputed PR merge champ is Rafael França!

This week in Rails: GZipped Asset, API error responses and more!

Hello everyone! 🌨

This is Vipul, bringing you the latest from Rails.

P.S: Here's something for all those at RubyKaigi 🍣. Enjoy!


This Week's Rails Contributors

This week 26 fabulous people contributed to Rails, including 6 first-time contributors! Check out the list of issues if you'd like to help out as well.

Sprockets: Reintroduce gzip file generation

GZip file generation was taken out last year from sprockets. This change re-introduces compressed file generation and parallel file writing, which is useful for web servers that don't support gzipping static assets. This is pretty useful if you are on a service like Heroku.

New Stuff

Introduce after_{create,update,delete}_commit callbacks

New shortcuts were added to after_commit .. on: :action.

For example, after_commit :add_to_index_later, on: :create can now be written as after_create_commit :add_to_index_later.


Rails API: Ability to return error responses in json format in development

Previously error pages are always being delivered in html pages in development mode, which is not handy when you would like to view json responses. This change adds support for viewing errors in json format. It also makes sure that when requesting resources like post/1.json, when error occurs, it returns json response based on json format in url, unlike previously used html format.

Changed the protect_from_forgery prepend default to false

protect_from_forgery will now be inserted into the callback chain at the point it is called in the application. This is useful for cases where you want to protect_from_forgery after you perform required authentication callbacks or other callbacks that are required to run after forgery protection.

If needed, you can use protect_from_forgery prepend: true to always run protect_from_forgery before others.

request_forgery_protection initializer is removed from Rails API

Usually in Rails API, you would not use protect_from_forgery, by default. The initializer to add this option- request_forgery_protection is now removed if you are creating an API.


Subscribing to notifications while inside the instrumented section.

Previously if we tried to do

ActiveSupport::Notifications.instrument('foo') do
  ActiveSupport::Notifications.subscribe('foo') {}

it would create an error, because for the subscribe inside block, the dynamic subscription does not yet exist. This change make sure that subscriptions inside instrumentation get notified as well.

Add redirection path in the error message of assert_response if response is :redirect

Previously, if assert_response was checking for any non-redirect response like :success and actual response was a :redirect then, the error message displayed was like - Expected response to be a <success>. This change, now shows the redirected path in error response as - Expected response to be a <success>, but was a redirect to <http://test.host/posts/lol>

Wrapping Up

That's all for This week in Rails. As always, there are many more changes than we have room to cover here, but feel free to check them out yourself.

Until next time!

This week in Rails: Rails command infrastructure and more!

Hello everyone!

This is Marcel, bringing you the latest news in Rails.


This Week's Rails Contributors

This week 28 fabulous people contributed to Rails. Check out the list of issues if you'd like to see your name up there.

New Stuff

Rails Command Infrastructure

The infrastructure needed to support the movement of rake tasks to the rails command is now in place. This paves the way to make it easier to learn commands for persons new to Rails.


Allow use of minitest-rails gem with test runner

An explicit global namespace to Rails::TestUnitReporter has been added to resolve a namespace conflict between minitest-rails and Rails test runner.


Initialized STI models are now casted to the default type

If a database default was specified for the type column used in Single Table Inheritance (STI), it did not cast new instances to default type on initialize. This is now fixed.

Replace ActionMailer::Base.respond_to? with respond_to_missing?

This simple refactor utilizes the respond_to_missing? hook introduced in Ruby 1.9. This prevents the usage of the method method from raising a NameError.

Clarify connection pool error message

The previously error message whenever all connections in the pool were used up, did not mention that.

Wrapping Up

That's all for This week in Rails. As always, there are many more changes than we have room to cover here, but feel free to check them out yourself.

Until next time!