This week in Rails - security releases, new mailing list, new features, and refactoring

Daniel here, holed up in my apartment in New York City trying to stay healthy. Overwhelmed by all the latest pandemic news? Why not take a break with some exciting Rails news?

Security Fixes

Rails and were recently released to fix an XSS vulnerability in Action View. If you are not running one of these versions, it is time to upgrade. While you are at it, it is also time to upgrade to Ruby 2.5.8, 2.6.6, or 2.7.1.

Ruby on Rails on Discourse

The Ruby on Rails mailing list has migrated to If you would like to suggest changes or new features, discuss documentation, or ask questions about Rails, this is the place to be.

Annotate HTML output with template names

If you have ever opened your HTML source in the browser and wondered which templates were rendering which part of the page, this feature is for you. config.action_view.annotate_template_file_names adds HTML comments to the rendered output indicating where each template begins and ends. I am a fan of this feature, and I also like the clear problem statement in the commit message and PR description.

Quickly generate a Rails app pointing to master

If you are anything like me, you want to try out new Rails features the moment they are merged. Why wait? Now generating a new Rails app pointing to master is as simple as rails new <app_name> --master.

Just simply improve the documentation

Removing words like “just” and “simple” from the documentation might seem like a small change, but removing these superfluous words can make for a significantly more welcoming experience to folks who are struggling. 😍

Use index_by and index_with wherever possible

I haven’t used index_by and index_with before, but seeing this PR makes me want to try them out. It certainly looks nicer than map { ... }.to_h. And if you really like these methods you can enforce that with a new rubocop-rails cop.

And plenty of refactoring

Eileen refactored invert_predicate and fetch_attribute to get rid of some case statements in favor of a more object-oriented approach. Aaron refactored the PartialRenderer, splitting out classes for rendering single objects and collections. John improved some things by making ActionView rendering instrumentation less DRY (sometimes WET code is better!).

106 people contributed since our last issue. Check out the full list of changes and Stay healthy out there!

Rails and have been released!


I accidentally posted the wrong shas for the release in the original version of this post. I’ve updated the post to reflect the correct information.

Hi everyone,


I am pleased to announce that Rails and have been released. This release contains a security fix for CVE-2020-5267. You can find out more about the issue here.

For ease of upgrade, these releases only contain one patch which addresses the security issue.

If you would like to see the full list of changes, you can check out all of the commits on GitHub.


If you’d like to verify that your gem is the same as the one I’ve uploaded, please use these SHA-256 hashes.

Here are the checksums for

Here are the checksums for

$ shasum -a 256 *-

Thanks to Jesse Campos for reporting this issue!

Have a good day!

This week in Rails - horizontal sharding, gzip schema cache, database rake tasks

Greetings, all! Daniel here, together with my pup (🐶 woof!) bringing you the latest news in Rails.

Add support for horizontal sharding

The good folks at GitHub have done an incredible amount of work to support multiple databases in Rails. This week brings horizontal sharding. Rails applications can now connect to and (manually) switch between multiple shards.

Support gzip for the schema cache

Katrina continues to work on the schema cache, this time by adding gzip support for both the YAML and the Marshal serialization strategies. This can come in handy when trying to deploy particularly large schemas in constrained environments.

Add additional multi-database rake tasks

It is now possible to run rails db:schema:dump, rails db:schema:load, rails db:structure:dump, rails db:structure:load and rails db:test:prepare on a specific database. This was previously only possible for rails db:create, rails db:drop, and rails db:migrate. Excellent work on your first few commits to Rails, Kyle!

Eliminate a hash allocation when rendering templates

I included this one for the commit message more than for the code change itself. The benchmark taught me a bit about Action Controller, Action View, and how to write a good benchmark.

That’s all for now. 18 people contributed since last time, including some first-time contributors. Check out the full list of changes.

Strict loading in Active Record and more

Hi, Wojtek from this side with the latest changes in the Ruby on Rails codebase.

Add strict_loading mode to Active Record

To prevent lazy loading of associations, strict_loading will cascade down from the parent record to all the associations to help you catch any places where you may want to preload instead of lazy loading.

Serialize schema cache dump with Marshal

In addition to YAML, it is now possible to use Marshal as the schema cache dump serializer.

Improve assert_changes output

Provides more specific diffs when comparing complex objects. Co-authored by a few contributors.

36 people contributed to Rails since last time. Check out the detailed list of all changes. Until next time!

This week in Rails - PostgreSQL 11 partitioned indexes support and more!

Hello, this is Greg, bringing you the latest news about Ruby on Rails!

20 contributors to Rails in the past week

There have been 20 contributors to Rails in the past week!

Default HSTS max-age directive to 2 years

The new recommendation for the HSTS max-age directive is 2 years, and that’s what Rails defaults to from now on.

Add support for partitioned indexes in PostgreSQL 11+

This pull request adds support for retrieving partitioned indexes when asking for the indexes in a table.

Add a fallback database config when loading schema cache

The schema cache defaults to loading the ‘primary’ database config; however, if an app doesn’t have a db config with a spec name of ‘primary’, the filename lookup will blow up. This pull request adds a fallback for this case.

That’s it for this week, till next time! 

This week in Rails - Rack 2.1 released, disallowed deprecations, and more!

Hello, this is Andrew, bringing you the latest news from the Ruby on Rails world!

18 contributors to Rails in the past week

There have been 18 contributors to Rails in the second full week of 2020! 

Rack 2.1.0 and 2.1.1 released

These releases add support for the SameSite=None cookie value, new HTTP status codes, bug fixes, and several other exciting changes and additions. Updates to Rails following the release have also begun.

Check out the Rack changelog to learn more.

Introduce Active Support Disallowed Deprecations

This addition allows configuring rules that match deprecation warnings which should not be allowed, and adds ActiveSupport::Deprecation#disallowed_behavior, which specifies the behavior to be used when a disallowed deprecation warning is matched.

Stop individual Action Cable streams

Channels with multiple subscriptions can now stop following individual streams. Before this change, the only option was to stop all streams.

Remove an empty line from generated migration

This fix prevents an extra newline from getting added in generated migrations.

That’s it for this week, till next time! 

This week in Rails - Deprecations, bugfixes and improvements!

Hello, this is Greg, bringing you the latest news from the Ruby on Rails world!

38 contributors to Rails in the past week

There have been 38 contributors to Rails in the first week of the year! 

Deprecate “primary” as a connection_specification_name for ActiveRecord::Base

This PR deprecates the use of the name “primary” as the connection_specification_name for ActiveRecord::Base in favor of using “ActiveRecord::Base”. This avoids confusion, since the class name was already used in every other case.

Deprecate using Range#include? to check the inclusion of a value in a date time range

Using the Range#include? method to check whether an argument falls within a range of date-times with zone is deprecated in Ruby, and since Rails extends it, the deprecation needs to be carried forward. As a replacement, it is recommended to use Range#cover?.

Restore previous behavior of parallel test databases

Before this bugfix, if an app called establish_connection with no arguments or didn’t call connects_to in ApplicationRecord and used parallel testing databases, the application could have picked up the wrong configuration.

Reduce number of created objects in Hash#as_json

The improvement is highly coupled to the size of the hash but can be quite a bit for medium-sized nested hashes.

That’s it for this week, till next time! 

This week in Rails - The 2019 edition

Hello, this is Prathamesh bringing you the first issue of This week in Rails of the new year and the new decade.
In this issue, we will go over the major changes that happened last year to the Rails codebase.

Happy new year!

494 contributors to Rails in 2019

There have been 494 contributors to Rails in 2019. Wow, that’s a staggering number! Thank you all for making Rails better.

Rails 6.0 released

Rails 6 includes headline features such as parallel testing, multiple database support, and the new Zeitwerk autoloader, along with new frameworks added to the Rails family.

Two new frameworks added to Rails

Action Mailbox and Action Text made their way to the Rails codebase during the Rails 6 release. Action Mailbox will help you accept incoming emails and Action Text brings rich text content and editing to Rails.

Other releases

Apart from Rails 6, 2019 also saw the release of the Rails 5.2.4 series and 5.1.7.

The party is still rocking in 2020. 18 people contributed to Rails in the new year so far! Check out the detailed list of all changes.

Happy new year again!

Ruby 2.7.0, Rails and more

Hello, this is Wojtek reporting on last month’s additions to the Rails codebase.

Ruby 2.7.0 released

The last minor version of Ruby, 2.7, before the 3.0 release next year. The Rails codebase is constantly updated to support Ruby 2.7 without any warnings.

Rails 6.0.2 released

Followed by security fix releases and

Track Active Storage variants in the database

Optimization and bug fix by avoiding existence checks in the storage service.

Conditional values in Tag Builder

A handy addition to clean up the common use case of constructing class names when creating content tags.

Add class_names view helper

A follow-up to conditional values in Tag Builder that makes constructing class names in views even easier.

Deep merge of shared configuration in config_for method

From now on, config_for will deeply merge the shared configuration section with the environment-specific one.

76 people contributed to Rails since last time. Check out the detailed list of all changes.
Happy new year!

Rails has been released!

Hi everyone,

I am happy to announce that Rails has been released. This is a complementary release to rack in order to address CVE-2019-16782.

CHANGES since 5.2.4

To view the changes for each gem, please read the changelogs on GitHub:

To see a summary of changes, please read the release on GitHub: CHANGELOG

Full listing

To see the full list of changes, check out all the commits on GitHub.


If you’d like to verify that your gem is the same as the one I’ve uploaded, please use these SHA-256 hashes.

Here are the checksums for

$ shasum -a 256 *-

As always, huge thanks to the many contributors who helped with this release.
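
Both release announcements above ask readers to compare their downloaded gems against published SHA-256 hashes. The Ruby below is an added example, not code from the Rails project or the release posts: it parses a listing in shasum -a 256 format and checks local files against it. The file names, contents and digests in the demo are constructed stand-ins.

```ruby
require "digest"
require "tmpdir"

# One line of shasum output: 64 hex chars, a space, a mode flag (' ' or '*'), file name.
CHECKSUM_LINE = /\A(\h{64}) [ *](.+)\z/

# Parse a published listing into { file_name => lowercase_hex_digest }.
# Prompt lines ("$ shasum ...") and anything else that is not a checksum line are
# skipped; a file listed twice with different digests is rejected outright.
def parse_checksums(text)
  text.each_line.with_object({}) do |line, expected|
    m = CHECKSUM_LINE.match(line.chomp) or next
    digest, name = m[1].downcase, m[2]
    if expected.key?(name) && expected[name] != digest
      raise ArgumentError, "conflicting digests for #{name}"
    end
    expected[name] = digest
  end
end

# Hash each listed file found in dir and compare it with the published digest.
# Returns { file_name => :ok | :mismatch | :missing }.
def verify_gems(dir, expected)
  expected.to_h do |name, digest|
    path = File.join(dir, File.basename(name)) # base name only: stay inside dir
    status =
      if !File.file?(path) then :missing
      elsif Digest::SHA256.file(path).hexdigest == digest then :ok
      else :mismatch
      end
    [name, status]
  end
end

# Constructed demo: stand-in .gem files, one of which differs from the listing.
def demo
  Dir.mktmpdir do |dir|
    File.binwrite(File.join(dir, "alpha-0.0.0.gem"), "constructed gem A")
    File.binwrite(File.join(dir, "beta-0.0.0.gem"), "tampered gem B")
    listing = <<~LIST
      $ shasum -a 256 *-0.0.0.gem
      #{Digest::SHA256.hexdigest("constructed gem A")}  alpha-0.0.0.gem
      #{Digest::SHA256.hexdigest("constructed gem B")}  beta-0.0.0.gem
      #{"0" * 64}  gamma-0.0.0.gem
    LIST
    verify_gems(dir, parse_checksums(listing))
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

A :mismatch or :missing result means the local file does not correspond to what the announcement published and should not be installed until the difference is explained.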