####

Hello, this is Greg bringing you the latest news about the Rails framework!

Featured

This week’s Rails contributors

This week 51 great developer helped to move Rails forward! Want to be one of them? Look at the issues list and make a contribution!

Rails 5.0.0.beta3 has been released

Rails 5 is getting closer to the release candidate. The new beta brings many improvements and fixes.

New Stuff

Turbolinks 5 compatibility changes

This commit made Rails compatible with Turbolinks 5 and master uses the beta release of Turbolinks 5 now.

rake test now respects TESTOPTS

With this change, we can now pass options to minitest via the TESTOPTS environment variable.

Fixed

Fixed primary key uniqueness issue

This commit reverted some earlier changes which caused an issue with the uniqueness validation of a primary key field, when the primary key field is called something other than id.

Fixed CSRF issue with button_to tag

There was an issue with the CSRF token generated when button_to was called with the delete method, but it is all fixed now!

Improved

Improved Action Cable reconnection reliability

This pull request improved the Action Cable reconnections by treating closing state as closed and by calling ActionCable.ConnectionMonitor#connected() on the client side upon successful connection. It also introduced client side logging to make debugging easier.

Wrapping Up

That’s all for This week in Rails. As always, there are plenty of things we’re not able to cover here, so take a look at the changes yourself.

Until next time!

Hello, this is Godfrey and Prathamesh bringing you the latest developments from Rails!

Featured

RailsConf 2016 program announced

The conference is looking pretty awesome, with a good mix of talks on various topics. I hope you are as excited as I am!

This week’s Rails contributors

This week, we have recorded 136 commits from 37 contributors (including 8 first-time contributors)! Thank you for making Rails better for everyone!

New Stuff

#on_weekday? method to Date, Time, and DateTime

Along with #on_weekend?, you can now easily find out if a certain day falls on a weekday (M-F). The question is, do you really want to know?

Fixed

Fix incorrect behavior with unsubscribing to channels

Saying goodbye is certainly hard, but having to listen for one might just be worse. Luckily for us, all of these are abstracted deep inside Action Cable, so we will never have to go through that ourselves.

Improved

Inject Rails configurations through Railtie

Dependency injection might not be a virtue, but in this case, it certainly helps keeping things neatly isolated from each other.

Tagged errors in logs

A while ago, tagged logging became the default on production on Rails 5. Now the tags are included in the logs for errors too!

Automatically reset ActionMailer::Base.deliveries in integration tests

With this patch, Rails 5 will automatically clear the ActionMailer::Base.deliveries array in between your integration tests.

Support nested params in button_to helper

We can now pass nested hashes or arrays to button_to helpers’s params option.

Wrapping Up

That’s all for This week in Rails. As always, there are plenty of things we’re not able to cover here, so take a look at the changes yourself.

Until next time!

####

Happy Valentine’s Day weekend!

What better way to show your love for Rails than to help close the last few issues pending for the release candidate of Rails 5? ☺️

– Claudio

Featured

This week’s contributors

Thanks to the 41 people who loved Rails this week by contributing to its source code. A special kiss to the 14 of you who contributed for the first time!

Guides: Using Rails for API-only Applications

You heard that Rails 5 will be able to generate API-only applications. Now you can learn all the details by reading this new chapter added to the Rails Guides.

A new organization for Turbolinks

The source code of turbolinks has been moved to a new GitHub organization, with plans to release more turbolinks-related libraries in the future.

New Stuff

Added numeric helper into SchemaStatements

Need to add a numeric column to a database table? You can now use t.numeric :foo which is a lovely alias of t.decimal :foo.

Add as to encode a request as a specific mime type

You can now test a JSON POST request with post articles_path, as: :json rather than adding helpers like post_json. And you can also test the response as parsed JSON with parsed_body.

Fixed

Fix performance regression in Active Record

RubyBench analyzes every commit made to rails/rails so performance regressions can be rapidly discovered… and fixed!

Improved

Speed up string xor operation and reduce object allocations

We love commits like this one which improve the performance of Rails and use benchmark/ips to measure their impact.

Set database poolsize via RAILS_MAX_THREADS

The environment variable introduced in config/puma.rb is now reused in the database configuration to avoid connection timeout errors.

Wrapping Up

That’s all for This week in Rails. As always, there are plenty of things we’re not able to cover here, so take a peek at the changes yourself.

Until next time!

####

Hello everyone! This is Roque bringing the latest from the Rails world. Stay tuned!

Featured

Rails 5.0.0.beta2 has been released!

Please give Rails 5.0 a try on your app. Spotting bugs and upgrade issues ahead helps big releases like this.

This week’s contributors

This week 54 people contributed to Rails. We also got 10 first time contributors. Welcome aboard folks and keep it going!

RailsConf 2016 registration is open

All aboard! The next train is leaving to Kansas City. Don’t miss it! Tickets sales ends April 3rd.

Rails 5 only supports PostgreSQL 9.1+

Rails 5 will only support versions of PostgreSQL greater than or equal to 9.1. Older versions are no longer supported by the PostgreSQL team. You can read more on their official page.

New Stuff

Add default Puma config and option to skip it

A default config has been added for Puma. It sets the default Puma thread count to 5 to mach Active Record’s default, and prevent connection timeout errors.
Puma can now be skipped when generating new apps with the --skip-puma option.

Rails command now runs Rake tasks in Engines

Just like in Rails apps, it is now possible to use the rails command to execute rake tasks in Engines.

Fixed

Fix corrupt transaction state caused by before_commit exceptions

This makes Active Record aware that a database was rolled back when a before_commit callback raises an exception.
Before, Active Record would think the connection was active, and fail.

Wrapping Up

That’s all for This week in Rails. As always, there are plenty of things we’re not able to cover here, so take a peek at the changes yourself.

Until next time!

Progress waits for nobody: The second beta release of Rails 5 is out, and it’s packed with a six weeks worth of fixes and upgrades.

The big news is that Action Cable no longer depends on Celluloid, Redis, or even EventMachine! We’ve doubled down on concurrent-ruby, added a PostgreSQL alternative adapter to Redis for pubsub, and added a non-EventMachine Redis adapter too. So if you were freaking out over the new dependencies in beta1, you can breathe easy again. The Rails community has, as per-usual, stepped up and Made It Better. Special thanks to Mike Perham, Jon Moss, and Matthew Draper for their work on this!

Beyond that, there’s literally 25 pages of commits on GitHub detailing the work done since the beta1 release on December 18. It’s a good stroll through the work it takes to go from beta to beta.

The release targets from here are RC1 on February 16 and then final on February 23. All depends on how much stuff pops up from beta2 and RC1, though. So don’t order cake or champagne for delivery on those dates just yet!

If you missed the announcement on what’s new in Rails 5, checkout the beta1 story. Oh, and thanks to Sean Griffin for coordinating this release.

This is Prathamesh bringing the latest news from this eventful week of security releases and getting closer to Rails 5 RC.

Featured

Security releases!

New Rails versions are released with many important security fixes. If you have not done already, upgrade as soon as possible.

This weeks contributors

This week 44 people contributed to Rails. We also got 11 first time contributors. Welcome aboard folks and keep it going!

New Stuff

Drop Action Cable dependency on EventMachine

Action Cable no longer depends on EventMachine. A lot of work is done to make sure that this change works properly. Hat tip to Matthew Draper for all the great work!

New welcome page for Rails 5

Do you remember the old Welcome aboard page? It’s now replaced by Yay! You are on Rails! The welcome page got a big facelift in Rails 5, gone are the needless links and extra data. It’s compact and mentions only relevant things.

Generate index for referenced columns by default

Rails will now generate indexes for referenced columns by default without mentioning it in migrations. That’s what we want in 90% of the cases anyways!

Fixed

Issues with ActiveRecord::Relation#cache_key fixed

Lots of corner cases with using cache_key with loaded and unloaded collections and with selecting specific columns are fixed.

Fix issue with has_many: through STI association

An issue with incorrect source_type getting used in case of has_many: through associations with STI models is fixed.

Wrapping Up

That’s all for This week in Rails. As always, there are plenty of things we’re not able to cover here, so take a peek at the changes yourself.

Until next time!

Hello everyone and happy Monday!

Rails 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, and 3.2.22.1 have been released! These contain the following important security fixes, and it is recommended that users upgrade as soon as possible:

• CVE-2015-7576 Timing attack vulnerability in basic authentication in Action Controller.
• CVE-2016-0751 Possible Object Leak and Denial of Service attack in Action Pack
• CVE-2015-7577 Nested attributes rejection proc bypass in Active Record.
• CVE-2016-0752 Possible Information Leak Vulnerability in Action View
• CVE-2016-0753 Possible Input Validation Circumvention in Active Model
• CVE-2015-7581 Object leak vulnerability for wildcard controller routes in Action Pack

For ease of upgrading, these Rails releases only contain patches pertaining to the security fixes. The released versions can be found in the usual locations, and you can find a list of changes on GitHub:

• Changes in 5.0.0.beta1.1
• Changes in 4.2.5.1
• Changes in 4.1.14.1
• Changes in 3.2.22.1

rails-html-sanitizer version 1.0.3 has been released, and it contains the following important security fixes:

• CVE-2015-7578 Possible XSS vulnerability in rails-html-sanitizer
• CVE-2015-7579 XSS vulnerability in rails-html-sanitizer
• CVE-2015-7580 Possible XSS vulnerability in rails-html-sanitizer

In Rails 4.2, the HTML sanitizer was inadvertently made much more permissive than in 4.1.

In order to maintain our “secure by default” policy, rectifying this has forced us to make a backwards-incompatible change to the sanitizer.

If you use the sanitizer in 4.2, you will need to verify that the more restrictive filter still permits all the tags you need to allow. If it doesn’t, you can add additional tags to the whitelist.

We’ve done our best to minimize any impact to your applications, but if you run in to any issues, please file a ticket and we’ll do our best to help!

Again, as always, if you run in to any bugs, please file them on the Rails issue tracker which is located here. If you run in to security issues, please follow the reporting process which can be found here.

Please have a happy Monday! <3<3<3

P.S.

Here are checksums for the released gems:

[aaron@TC release]$ shasum *-5.0*
ab66244a0982e78502f6a80763509ac2d44b6cbd  actioncable-5.0.0.beta1.1.gem
47d8065ff0d6cfda2a5ccd85cffcd20144ea3555  actionmailer-5.0.0.beta1.1.gem
b358da8e683c6f15c03623f79abae8a6e0af2519  actionpack-5.0.0.beta1.1.gem
cc2e392c216c19736b9bbdd38066fc93384d7b4b  actionview-5.0.0.beta1.1.gem
fdbb7d5c251bde51dd669b4003096cc68a1cae1b  activejob-5.0.0.beta1.1.gem
b15cd7b0d9b434b140674ff52e0cbdeb9e71b887  activemodel-5.0.0.beta1.1.gem
414e46249b1cb8076b50b6515a8d61ef7e1a6cb7  activerecord-5.0.0.beta1.1.gem
e02309dd676f9959b6065ee04662430042b6ebc6  activesupport-5.0.0.beta1.1.gem
5f4b04e885781c639ff98857f4c85ffaeba934ef  rails-5.0.0.beta1.1.gem
dc72e0c60c86800612048f093543e183afb85ecc  railties-5.0.0.beta1.1.gem
[aaron@TC release]$ shasum *-4.2*
1d811a70a882be3f2e41932e5f90997d6dc63bf0  actionmailer-4.2.5.1.gem
800fec0a382e3642d500c5dd42e6b8b4c9ebe75e  actionpack-4.2.5.1.gem
201df102af6af1ac0efbe1a6c3c0f5c11fca58f9  actionview-4.2.5.1.gem
543413c4066e20db128888ba21c253b7b33d4e87  activejob-4.2.5.1.gem
1a845d38be3add3d52006d0b81a7e5ef28160c30  activemodel-4.2.5.1.gem
9ceffa7cf0d0f83d75768d5387fcba5c0b35102e  activerecord-4.2.5.1.gem
9cdf9da5f93f2ab83e4bbbf569e1f48bd6b8d713  activesupport-4.2.5.1.gem
e53fbe562bea0fd5ccd2a46730d4d2f802e79ee7  rails-4.2.5.1.gem
e9b8efe89c901b5f590c1560d82dac2b41d409f4  railties-4.2.5.1.gem
[aaron@TC release]$ shasum *-4.1*
f7df30256e1f3fa13659ec1f310200ad9fcfdead  actionmailer-4.1.14.1.gem
9333184fffbfbefe6cedfb2cf13d9a6e546f0d86  actionpack-4.1.14.1.gem
d4aa63a687959aaa2c33bed6985b4817b2f104d0  actionview-4.1.14.1.gem
f70164d1240eed8eab9a2f1e559aae336a0b228a  activemodel-4.1.14.1.gem
94c1475aa3350db98440c5332b699bec366bc22e  activerecord-4.1.14.1.gem
08b6adf299220cf404974d2bd5fcf5f72993c0c8  activesupport-4.1.14.1.gem
0f7995d9aded79e1e1e9269fecd8981c83dfded3  rails-4.1.14.1.gem
91a956ef86cc297ebee65e862ee6f9b840bbaf91  railties-4.1.14.1.gem
[aaron@TC release]$ shasum *-3.2*
f8a07a9ac582ef33b0112e79d606ef04aefbd2d3  actionmailer-3.2.22.1.gem
a26eb1752f625997fc87ab861312a056937c0276  actionpack-3.2.22.1.gem
6d4a6d976a3a07651dae211eefe447edea4d3263  activemodel-3.2.22.1.gem
9669c73665acd7cb0b67eaa84d4784252478e7f8  activerecord-3.2.22.1.gem
e1267d756271ef66022a83725b26762e758071f9  activeresource-3.2.22.1.gem
5a1daf97cf4dd4333a61c4a1209b97a8f22f083d  activesupport-3.2.22.1.gem
b5b624c8365b7061274642a2038935d06191ca8b  rails-3.2.22.1.gem
af2827bff9a94f733c98b2f88b3efe00cb22af79  railties-3.2.22.1.gem
[aaron@TC release]$ shasum *-1.0*
9c84dca57b521ff92fbdceba1de959db539e4c19  rails-html-sanitizer-1.0.3.gem

Hey passengers!

Have your luggage ready and get those ticket stubs out, a new issue is just about to roll in to the station. Godfrey and Kasper are co-conducting this beast of steel — eh, newsletter with Rails news, we mean.

Hop aboard before we roll off, and start choo-chooing toward…

Hey, does that sign say “Tracks End Here”?

Featured

Fresh off the tracks, a new Rails site!

Ahead of the coming major release of Rails, we got a new website and logo and… doctrine?

Yes! See, Rails has been going strong for over 10 years, the Rails Doctrine just captures that magic and spells it out. Thus Rails is ready to roll on for the next decade. The blog post dishes on the new design’s backstory.

P.S. The Rails core team got some awesome new pictures too!

This weeks Rails Contributors

This week 41 people contributed managed to rivet themselves away from the shiny new pixels above and buckle down some contributions. Kudos to you folks 😁

New Stuff

Action Cable: Postgres pubsub can sub for Redis

Action Cable uses Redis to handle publishing and subscribing, but this week Postgres became a proper pubsub’er and is swappable with Redis.

SQL expressions as a column’s default value

With this pull request, you will be able to use a SQL expression (such as a SQL function) as the default value for any column type!

Fixed

Weaker ETags makes HTTP caches stronger

HTTP ETags help cut bandwidth by sending along a tag that the server could use to validate the cached content.

Rails supports it out-of-the-box but issues “strong” ETags, which has stronger cachability implications than Rails can guarantee.

Not anymore! In Rails 5, Rails now correctly issue “weak” ETags — matching Rack::ETag’s behavior.

Improved

Removed Action Cable’s celluloid dependency

Action Cable’s dependency on the celluloid gem has been removed by using the thread pool from concurrent-ruby (which Rails already uses). While temporarily reverted it was reintroduced this week.

Better configuration documentation for Action Cable

Now rejiggered: the Action Cable documentation on how to configure the library has been clarified and better highlights how useful some methods are.

Wrapping Up

That’s all for This week in Rails. As always, there are plenty of things we’re not able to cover here, so take a peek at the changes yourself.

Until next time!

It’s been 10 years since we last updated the Rails identity, so with Rails 5 just around the corner, we thought it was finally time for a fresh look for a new day. This is it! We have a brand new logo, a brand new site design, and lots of lovely new illustrations.

We can thank Basecamp designer Jamie Dihiansan for the awesome new look. The brief was that Rails shouldn’t feel slick. It should be warm, approachable, and welcoming. Rails is in a different place from where it was in 2004. We aren’t courting cutting-edge early adopters, so we can lay off the gradients. Rails is now for everyone and our site should reflect that.

The Rails Doctrine

In concert with the new look, I wrote the eight major tenets of The Rails Doctrine. It’s still a bit of a work in progress, but please do give it a read if you want to understand deeper the values and practices that underpin us as a framework and a community.

A new video is coming

I was going to record a new video for the homepage, but since we’re just on the cusp on some changes to Rails 5 that’ll change things a bit, I’m holding off until beta2 (which should be out shortly). In the mean time, you can enjoy the introduction to Action Cable. But rest assured that it’ll soon be replaced by a new, proper introduction.

Hope you all enjoy the new look. Now let’s ship Rails 5!

Happy New Year! Welcome to the first 2016 issue of This week in Rails.

I’m Andy, and before diving in to contributions from this week, let’s briefly recap some stats from 2015. Our 12 editors released 50 issues summarizing over 6500 commits to Rails! Each issue is now being sent to over 4300 subscribers.

What a great year! To celebrate, sweep up some confetti laying around from last weekend, toss it in the air, and sing some bars of Auld Lang Syne.

Featured

This Week’s Rails Contributors

79 people contributed to Rails since the last issue on December 18, 2015! Check out the list of issues if you’d like to help out as well.

RailsConf 2016 CFP deadline

Interested in speaking at RailsConf 2016 in Kansas City? Call for proposals closes January 15th, 2016, 11:59pm CST! You’ve got 1 week!

New Stuff

Security: Per-form CSRF tokens

Changes brought upstream from GitHub, related to Content Security Policy (CSP) and securing forms. Check out the links in the PR to learn more.

Default new apps to tag logs with request_id

The :request_id log tag ensures that each request is tagged with a unique identifier.

Short-hand methods for types in MySQL

This change adds short-hand methods like tinyblob and mediumblob for text and blob types when using MySQL.

Fixed

Don’t output to STDOUT twice

Stops printing messages twice with rails console or rails server and a logger set to output to STDOUT.

Faster

Replace x.times.map{} with Array.new(x){}

Small performance improvement supported with a benchmark. Check out the results.

Wrapping Up

That’s all for This week in Rails. As always, there are many more changes than we have room to cover here, but feel free to check them out yourself.

Until next time!