Composable blobs, improved upsert and much more!

Hey, Wojtek here with recent additions to Rails. All of them today for FREE, for you.
Thank you all the contributors for making Rails. Those from one-time to day by day committers.

Add compose method to Active Storage Blob
Concatenating multiple blobs is now possible.

Support custom metadata on Active Storage
Setting custom metadata on blobs are now persisted to remote storage.

Allow to configure the list of columns to update in upsert_all
Before, you could only customize the update SQL sentence via :on_duplicate. There is now a new option :update_only that lets you provide a list of columns to update in case of conflict.

Expose role/shard on pool/connection
It can be useful to know what the role and shard of the connection or pool is. Previously there was no way to find the role or shard other than asking connected_to?.

Allow a fallback value to be returned from Rails.error.handle
The passed fallback will be returned in case the code inside the handle block raises an error.
Improved later to make a fallback option to be a callable.

Add existence method to Pathname
Shorthand for code like:

Rails.root.join('file').exist? && Rails.root.join('file').read



Change default X-XSS-Protection header to ‘0’

This header has been deprecated and the XSS auditor it triggered has been removed from all major modern browsers (in favour of Content Security Policy) that implemented this header to begin with.

Deprecate PerThreadRegistry
This module has been soft deprecated for a long time, but since it was used internally it wasn’t throwing deprecation warnings. Now it is. Apps should use Module#thread_mattr_accessor instead.

26 people contributed to Rails since the last time. All the changes can be checked here. Until next week!

Automated shard swapping middleware, standardised error reporting interface and more!

Hey, this is Greg, bringing you the latest news about Ruby on Rails.

Support <form> elements without [action] By default, when a form is declared without an action attribute, browsers will encode the form’s fields into the current URL. Prior to this commit, none of the form construction variations supported declaring a form without an action attribute, form_with, form_for, and form_tag all default to url_for({}) when a url or action option is omitted, but with this change, when they are set to false, the form will be rendered without an action attribute.

Support authenticity_token option in button_to helper This PR adds support for passing authenticity_token option to button_to, the same way as in form_with and form_for calls.

Introduce field_name view helper The field_name helper and corresponding FormBuilder#field_name method provides an Action View compliant way of overriding an element’s name attribute. For instance you can do the following:

text\_field\_tag :post, :tag, name: field\_name(:post, :tag, multiple: true) # =\> \<input type="text" name="post[tag][]"\>

Automatic shard swapping middleware This PR adds a middleware that can be used for automatic shard swapping. The design is similar to the database selector middleware in that the resolver is provided by the application to determine which shard to switch to. The selector also takes options (the only supported one is lock yet) to change the default behavior of the middleware.

Standardised error reporting interface Rails.error is a new error reporting interface, with two block based methods. handle, which swallows errors and forwards them to the subscribers:

Rails.error.handle do 1 + '1' # raises TypeError end 1 + 1 # This will be executed

and record, which forwards the errors to the subscribes but lets it continue rewinding the call stack:

Rails.error.record do 1 + '1' # raises TypeError end 1 + 1 # This won't be executed.

For cases where the blocked based API isn’t suitable, the lower level report method can be used:, handled: true / false)

Filter attributes in SQL logs with debug SQL queries are logged when the Rails log level is set to :debug and previously, filter attributes were not masked in the logs in this case. With this change, filter attributes will be masked as [FILTERED] in the logs, but he filtration is applied only when prepared_statement is enabled.

Speed up collection rendering and add support for multifetch collection handling in jbuilder This PR speeds up collection rendering by taking advantage of the existing collection renderer in Action View, and it adds support for multifetch collection handling to make it more efficient.

33 people contributed to Rails since last time. We couldn’t cover all the changes, but you can see all of them here. Until next time!

Nested attributes for delegated types, improved performances and more!

Hey! Robin here with the latest news from the Ruby on Rails world.

Support accepts_nested_attributes_for for delegated types
Rails 6.1 introduced delegated types to ease handling some polymorphic relationships. This pull request makes using accepts_nested_attributes_for on such types a piece of cake.

Use nested queries doing UPDATE with GROUP BY and HAVING on MySQL
Since MySQL doesn’t support UPDATE with GROUP BY and HAVING clauses, this patch fixes such scenario to rely on a sub-query. A similar patch has been merged to deal with DELETE queries.

Raise a specific error on unsafe redirects
Rails 7.0 prevents redirects to other hosts than the current one unless you explicitly ask it to. In case of unsafe redirects, an ArgumentError was raised. Now, the error is more specific, allowing you to rely on a rescue_from block to deal with such cases.

Add url_from to check if an URL is internal
In line with the previous patch, a new url_from method is available in controllers to check whether an URL is internal or not, simplifying the way to provide an alternative in case it is not.

Improved Active Job test helpers error messages
This is the kind of little changes that make life easier. The error messages of assert_enqueued_with and assert_performed_with have been improved to ease debugging when the assertion failed. Happy testing!

Optimize ActiveSupport::CurrentAttributes method generation
It’s always lovely to see performance optimizations. This patch is about method generation of classes inheriting from ActiveSupport::CurrentAttributes. The trick here is to generate the code as a string rather than relying on a closure.

13 people contributed to Rails since last time. All the changes can be checked here. Until next week!

🎃 Halloween Edition: Zeitwerk migration guide, selenium-webdriver, and some Ruby 3.1 snacks

🍭 Trick or treat, zzak here after a week off with lots of goodies! 🍬

Rails Autoloader Migration Guide: From Classic to Zeitwerk

This new guide has all you need to know to switch the autoloader for Rails 6.x and 7.0 applications!

Add ActiveRecord::Base.prohibit_shard_swapping

This new method prohibits swapping shards within the given block. This can be useful if you’re using sharding to provide database isolation on a per-request basis.

Add support for setting the schema/structure dump filepath in the config

This PR adds the ability to specify the path used for schema dump files. For those using horizontal sharding, previously a schema file would be created for every shard which makes sharing the same migrations across shards more difficult.

Rails 7.0 requires selenium-webdriver >= 4.0.0

Previously, Rails generated a Gemfile with an alpha release for selenium-webdriver due to an incompatibility with Ruby 3.0

Replace Concurrent.monotonic_time with Process.clock_gettime

Since all modern Rubies support this interface a small optimization can be made to reduce method calls in Active Record connection adapters.

Enable eager loading by default on CI systems

When running your Rails app test suite inside of a CI environment that sets ENV[“CI”] it’s recommended to turn on eager loading to help identify errors that may only occur in production. This will be the default for newly generated apps.

Support RFC 4122 strings for namespace UUIDs

You can now effectively use an RFC 4122 compliant string by default in newly generated apps, or by enabling the new config.active_support.use_rfc4122_namespaced_uuids setting.

Use the native Class#descendants if available

With the addition of Class#decendents in Ruby 3.1, we can avoid iterating over every object in ObjectSpace to achieve the same feature. Also, check out #43548 for some additional refactoring of DescendantsTracker.

Call Executor#wrap around each test

Rails.application.executor hooks are now called around every tests which helps prevent state to leak from one test to another.

Add :day_format option to date_select

Similar to :year_format, this new option for date_select allows you to pass a lambda for setting the format to display days select options.

38 people contributed to Rails since the last time. All the changes can be checked here. Until next week!

Auto timestamps on bulk inserts, HTML safe translations in controllers and more

Hey, Wojtek here with last week updates from the Ruby on Rails world.

Set timestamps on insert_all/upsert_all record creation

The timestamps will be automatically set when using bulk insert/upsert. This behaviour can be disabled by the record_timestamps config on the model class.

Treat html suffix in controller translation

When translation key ending with _html is used it will be marked as HTML safe in the same way as in the views.

Add support for FILTER clause to Arel

Can be used with PostgreSQL and SQlite databases to use FILTER clause.

Better Action Text plain text output for nested lists

Fixed an issue with how nested lists were displayed when converting to plain text.

Add support for custom CSRF strategies.

Can be used via protect_from_forgery with: CustomStrategy among built in options: exception, reset_session, null_session.

Clear secure password cache if password is set to nil

user.password = 'something'
user.password = nil
# before:
user.password # => 'something'    
# now:
user.password # => nil  

29 people contributed to Rails since the last time. All the changes can be checked here. Until next week!

Automatic inverse_of, performance improvements and more!

Hi, this is Greg, bringing you the latest news about Ruby on Rails!

This week we switched our newsletter delivery platform to HEY, if you are reading this email, you already confirmed your subscription and there is no other action needed on your end.

Avoid instance_exec for controller callbacks

This change brings some performance improvements, by avoiding to create the extra controller singleton classes, created by instance_exec, when :only or :except are passed to a callback.

Automatically infer inverse_of with scopes

This PR changes can_find_inverse_of_automatically to allow us to automatically detect inverse_of when there is a scope on the association, but not when there is a scope on the potential inverse association. Since this is a breaking change, it is placed behind the automatic_scope_inversing configuration flag, which is set to true for new applications via framework defaults.

Add ability to lazily load the schema cache on connection

A new a configuration option enables lazy loading of the schema cache on the connection. If config.active_record.lazily_load_schema_cache is set to true then the schema cache will be loaded when the connection is established rather than on boot.

31 people contributed to Rails since last time. All the changes can be checked here. Until next week!

Autumn is here, and so is Rails 7 Alpha 2! 🍂

Hey! Zzak here with a JAM-PACKED edition of This Week In Rails. 🍇

Server Timing Middleware for Development

This PR started nearly 2 and a half years ago, finally made its way into Rails!

A really neat feature, uses the Server-Timing header to emit durations for all ActiveSupport::Notifications. You can then view these metrics in your browser’s Network Inspector. 

If your model defines #to_s, you can now take advantage of this feature without having to supply a second argument to link_to.

Adds support for deferrable foreign key constraints in PostgreSQL

By default, foreign key constraints in PostgreSQL are checked after each statement. This works for most use cases, but becomes a major limitation when creating related records before the parent record is inserted into the database. Check out the PR for some examples and more detail.

GitHub Codespaces configuration

This PR adds support for GitHub Codespaces, which allows contributors to easily boot a fully functional environment to create patches and test changes to Rails.

Close Rails Guides menu dropdown by pressing Escape

A welcome UX patch that lets you close the menu dropdown by pressing the Escape key.

Improve margin styles for Rails Guides

We always appreciate when folks help improve our documentation, especially the visual aspect to make reading on multiple devices a pleasure.

Fix the diff highlight background for Rails Guides dark mode

Another great UX patch for Rails Guides that is always appreciated.

Suggest a CSP that’s compatible with Turbo + import map

In order for CSP to work with Turbo and an import map, we need nonces to be generated. This PR changes the generated CSP initializer to use per-session nonces instead of per-request nonces which would have negative impact on caching.

Add Bootstrap and Bulma to the CSS processors’ list

As support for more CSS processors are added to cssbundling-rails, we’ve updated the rails new --help text to include currently available options.

Don’t overwrite default opts in rich_text_area_tag

This PR enables passing in a custom direct_upload_url or blob_url_template to rich_text_area_tag. In the case you want to use your own controller to authenticate requests or perform server-side validations.

Avoid comment statements in pg:dump

This PR adds the –no-comment flag to pg_dump to ensure COMMENT statements are omitted from the output when using PostgreSQL >= 11.

Require latest release candidate for selenium-webdriver in Rails new

Since the “rexml” gem was removed from Ruby version >= 3 the selenium-webdriver gem has been waiting for a release that includes their updated dependency on the standard library gem.

Support clearing acronyms from inflector

Previously attempting to clear acronyms in the Inflector breaks would result in a TypeError.

Allow permitting numeric params

ActionController::Parameters now lets you specify multiple parameters index by a number. This may be necessary if the parameters belong to a numeric key.

Check basic auth credentials before authenticate

This PR fixes a bug when sending invalid basic authorization header data when using http_basic_authentication_with.

Render host_authorization debug view only for local requests

This PR fixes a bug where debugging information was visible in production by restricting access to local requests only.

Add missing migrate command to Getting Started Rails Guide

This might seem like a minor patch, but contributions from folks learning Ruby on Rails for the first time is a healthy sign. Changes like these help ease the difficulty of learning and welcomes new contributors to the community.

Active Storage: deprecate invalid default content types

Blobs created with content_type image/jpg, image/pjpeg, image/bmp, text/javascript will now produce a deprecation warning, since these are not valid content types.

Allow configuring PostgreSQL connection password through socket URL

This PR allows you to specify your password using a socket URL, such as “postgres:///?user=user&password=secret&dbname=app”.

Add autocomplete=”off” to all generated hidden fields

Due to a longstanding Firefox bug, this PR ensures hidden fields such as CSRF token and HTTP method fields are not modified without the user’s knowledge.

Add beginning_of_week option to weekday_options_for_select

Now you can specify the beginning of the week to this select field without depending on Date.beginning_of_week.

Action Mailer email_address_with_name now returns the email if name is blank

When sending an email using Action Mailer the object referencing the person you want to send it to may not have a name associated with it. For example, in the case this field is optional for your User record. In this case Action Mailer will now use the target email address.

Add missing DOM ids to rails/mailers/email.html template

This PR will help folks testing their Mailer Preview actions by using unique identifiers to select the mail data from the DOM instantly.

35 people contributed (over 120 commits!) to Rails since last time. All the changes can be checked here. Until next week!

Rails 7 alpha released

Hi, Wojtek here with more new Rails 7 changes.

Rails 7.0 alpha released

The new Rails frontend approach and all the other new goodies can already be checked in this release.

Introduce ActiveModel::API

Make ActiveModel::API the minimum API to talk with Action Pack and Action View. This will allow adding more functionality to ActiveModel::Model.

Add support for generated columns in PostgreSQL

Generated columns are supported since version 12.0 of PostgreSQL. This adds
 support of those to the Active Record PostgreSQL adapter.

Generate less initializers in new/upgraded Rails apps

Removed configurations are set by the default Rails configuration and can be still changed when needed.

Use correct precision when touching updated_at column in upsert

CURRENT_TIMESTAMP provides differing precision depending on the database,
and not all databases support explicitly specifying additional precision. Instead, delegate to the new connection.high_precision_current_timestamp
for the SQL to produce a high precision timestamp on the current database.

13 people contributed to Rails since last time. All the changes can be checked here. Until next week!

Rails 7.0 Alpha 1: New JavaScript Answers, At-Work Encryption, Query Origin Logging, Zeitwerk Exclusively

Welcome to the first alpha release of Rails 7. It brings some very exciting new answers to how we do JavaScript, an awesome approach to at-work encryption with Active Record, SQL query origin logging, asynchronous query loading, exclusive autoloading through Zeitwerk, and much more.

We usually don’t do alpha releases for Rails, but given the fact that the new front-end approach is such a substantial change, we thought it best to validate that a little further before jumping straight on the beta -> release candidate -> final train.

Please help us test all this new stuff so we can ensure a solid final release of Rails 7 this year!

All New Answers On The Front-End

After almost five years with Webpacker as our default answer to writing modern JavaScript in Rails, it’s time to move on. Advancements in browser support for ES6/ESM, widespread adoption of HTTP/2, and the exciting new standard for import maps has paved the way for a no-Node approach to JavaScript in Rails 7without giving up on npm packages.

Together with the replacement of Turbolinks and Rails UJS by the Hotwire combination of Stimulus and Turbo, we now have the most complete in-the-box front-end setup for writing great Rails applications ever. Without needing thousands of node dependencies in node_modules, fighting with bundler configurations, or any of the other challenges common with JavaScript development.

At the same time, we’ve also dramatically improved the integration between Rails and JavaScript + CSS bundlers for those who need that. Through two new companion gems that can be triggered via rails new –javascript [bundler] and –css [bundler], you get easy access to starting a new application or changing one that starts with import maps to use esbuild, rollup.js, Webpack, Tailwind CSS, PostCSS, Dart Sass, and Bootstrap.

At-Work Encryption With Active Record

Extracted from HEY, we’ve added encrypted attributes to Active Record, so your application can offer at-work encryption in addition to the traditional at-rest and in-transit coverage.

As an immediate practical benefit, encrypting sensitive attributes adds an additional security layer. For example, if an attacker gained access to your database, a snapshot of it, or your application logs, they wouldn’t be able to make sense of the encrypted information. And even without thinking about malicious actors, checking application logs for legit reasons shouldn’t expose personal information from customers either.

But more importantly, by using Active Record Encryption, you define what constitutes sensitive information in your application at the code level. This enables controlling how this information is accessed and building services around it. As examples, think about auditable Rails consoles that protect encrypted data or check the built-in system to filter controller params automatically.

Checkout the full guide on how to use encrypted attributes.

Trace Query Origins With Marginalia-Style Tagging

Almost a decade ago, Marginalia was extracted from Basecamp to trace query origins with SQL comment tagging. Now this external gem has been upstreamed into Active Record as QueryLogs.

Asynchronous Query Loading

When you have a controller action that needs to load two unrelated queries, you can now do it concurrently through Relation#load_async. If you have three complex queries that each take 100ms, you’d have to spend 300ms executing them one by one before. Now you can run them in parallel, spending only a total of 100ms on the set.

Zeitwerk Exclusively

Autoloading in Rails is one of those magical quality of life realities that it’s easy to just take for granted. The trusty old const_missing approach which came with a range of quirks and missing features has finally been replaced exclusively with the Zeitwerk code loader. There are a few upgrade gotchas to be aware of, especially for older applications, but with this upgrade guide you should be on your way in no time

A Few Other Highlights

From All Of Us To All Of You

There are over three thousand commits that have gone into Rails 7 since we released version 6.1 last year. This is the work of hundreds of contributors. Including over 200 first-time contributors this year alone. They join the nearly six thousand contributors that have made changes to the Rails code base over the years!

Bye-bye Byebug, Hello jsbundling and cssbundling!

Hi! zzak here! We’re back after a 2 week break with some of the latest changes that will land in Rails 7.

DHH previews JavaScript options in Rails 7 [YouTube]

If you haven’t been following along, Rails 7 will get a major facelift on the front-end. We recommend reading this blog post to learn more.

Replace Byebug with ruby/debug

Ruby 3.1 will launch with a new first-class debugger that works great with Rails.

Let’s all appreciate the many years Byebug has helped us ship software.

Add SSL support for postgresql in “bin/rails dbconsole”

This PR fixes the dbconsole command when used with PostgreSQL to support encrypted connections.

Instrument ActiveStorage analyzers

Help identify bottle necks when using ActiveStorage analyzers by emitting ActiveSupport instrumentation metrics.

Add –css app generator option

The rails new command just got a brand new --css flag that let’s you specify which CSS processor to use in your app. You can choose from tailwind, postcss, or sass.

21 people contributed to Rails since last time. All the changes can be checked here. Until next week!