head 1.4;
access;
symbols
    pkgsrc-2026Q2:1.4.0.2
    pkgsrc-2026Q2-base:1.4
    pkgsrc-2026Q1:1.3.0.4
    pkgsrc-2026Q1-base:1.3
    pkgsrc-2025Q4:1.3.0.2
    pkgsrc-2025Q4-base:1.3
    pkgsrc-2025Q3:1.2.0.2
    pkgsrc-2025Q3-base:1.2
    pkgsrc-2025Q2:1.1.0.6
    pkgsrc-2025Q2-base:1.1
    pkgsrc-2025Q1:1.1.0.4
    pkgsrc-2025Q1-base:1.1
    pkgsrc-2024Q4:1.1.0.2
    pkgsrc-2024Q4-base:1.1;
locks; strict;
comment @# @;

1.4
date 2026.03.29.14.07.38; author taca; state Exp;
branches;
next 1.3;
commitid 7MD3YzIuBQozqSzG;

1.3
date 2025.11.03.08.38.51; author taca; state Exp;
branches
    1.3.4.1;
next 1.2;
commitid N1TMmnpYo1eNi5hG;

1.2
date 2025.08.14.15.22.46; author taca; state Exp;
branches;
next 1.1;
commitid EsnJg8uLp28F8I6G;

1.1
date 2024.12.13.16.45.12; author taca; state Exp;
branches;
next ;
commitid UzB0GmR3H2jjrmBF;

1.3.4.1
date 2026.03.31.13.31.40; author maya; state Exp;
branches;
next ;
commitid iqK8mCnuD32ja8AG;

desc
@@

1.4
log
@www/ruby-rails72: update to 7.2.3.1

Ruby on Rails 7.2.3.1 (2026-03-23)

Active Support

* Reject scientific notation in NumberConverter
  [CVE-2026-33176]
  Jean Boussier

* Fix SafeBuffer#% to preserve unsafe status
  [CVE-2026-33170]
  Jean Boussier

* Improve performance of NumberToDelimitedConverter
  [CVE-2026-33169]
  Jean Boussier

Action View

* Skip blank attribute names in tag helpers to avoid generating invalid HTML.
  [CVE-2026-33168]
  Mike Dalessio

Active Storage

* Filter user supplied metadata in DirectUploadController
  [CVE-2026-33173]
  Jean Boussier

* Configurable maximum streaming chunk size

  Makes sure that byte ranges for blobs don't exceed 100mb by default.
  Content ranges that are too big can result in denial of service.

  [CVE-2026-33174]
  Gannon McGibbon

* Limit range requests to a single range
  [CVE-2026-33658]
  Jean Boussier

* Prevent path traversal in DiskService.

  DiskService#path_for now raises an InvalidKeyError when passed keys with
  dot segments (".", ".."), or if the resolved path is outside the storage
  root directory.
  #path_for also now consistently raises InvalidKeyError if the key is invalid
  in any way, for example containing null bytes or having an incompatible
  encoding. Previously, the exception raised may have been ArgumentError or
  Encoding::CompatibilityError.

  DiskController now explicitly rescues InvalidKeyError with appropriate HTTP
  status codes.

  [CVE-2026-33195]
  Mike Dalessio

* Prevent glob injection in DiskService#delete_prefixed.

  Escape glob metacharacters in the resolved path before passing to Dir.glob.

  Note that this change breaks any existing code that is relying on
  delete_prefixed to expand glob metacharacters. This change presumes that is
  unintended behavior (as other storage services do not respect these
  metacharacters).

  [CVE-2026-33202]
  Mike Dalessio

Active Model
Active Record
Action Pack
Active Job
Action Mailer
Action Cable
Action Mailbox
Action Text
Railties

* No change except version.
@
text
@$NetBSD: distinfo,v 1.3 2025/11/03 08:38:51 taca Exp $

BLAKE2s (activerecord-7.2.3.1.gem) = eae189b25212dd7d4a15efa5a7880d5e628c5ffb9089aad4745e4db8bb4108be
SHA512 (activerecord-7.2.3.1.gem) = c03ae09b1d3bd8aa61fb1b29499c0b0dbc8636eddd3fd7561dce91d0d44e0387c7f4565df262ed727c8b5cd9b00bded55d115233238e632bb1cda97486faf379
Size (activerecord-7.2.3.1.gem) = 549888 bytes
@

1.3
log
@databases/ruby-activerecord72

7.2.3 (2025-10-28)

Changes are too many to write here, please refer in detail.
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.2 2025/08/14 15:22:46 taca Exp $ d3 3 a5 3 BLAKE2s (activerecord-7.2.3.gem) = 5149e5d4bfdcf1d329d46672ecbe4beb638fa14e2bee10ec5a753502a706a622 SHA512 (activerecord-7.2.3.gem) = 25a47018018553a9a502e5007dfe5e7919849bf2a3a87be9efa4c50a7862a4a5398c04e36377eac8133e8f69aabc1f7c895126db13ca60625cd42806d2f3a34d Size (activerecord-7.2.3.gem) = 549888 bytes @

1.3.4.1
log
@Pullup ticket #7061 - requested by taca
databases/ruby-activerecord72: Security fix
devel/ruby-activejob72: Security fix
devel/ruby-activemodel72: Security fix
devel/ruby-activestorage72: Security fix
devel/ruby-activesupport72: Security fix
devel/ruby-activesupport72: Security fix
devel/ruby-railties72: Security fix
devel/ruby-railties72: Security fix
lang/ruby: Security fix
mail/ruby-actionmailbox72: Security fix
mail/ruby-actionmailer72: Security fix
textproc/ruby-actiontext72: Security fix
www/ruby-actioncable72: Security fix
www/ruby-actionpack72: Security fix
www/ruby-actionpack72: Security fix
www/ruby-actionview72: Security fix
www/ruby-rails72: Security fix

Revisions pulled up:
- databases/ruby-activerecord72/distinfo 1.4
- devel/ruby-activejob72/distinfo 1.4
- devel/ruby-activemodel72/distinfo 1.4
- devel/ruby-activestorage72/distinfo 1.4
- devel/ruby-activesupport72/Makefile 1.4
- devel/ruby-activesupport72/distinfo 1.4
- devel/ruby-railties72/Makefile 1.5
- devel/ruby-railties72/distinfo 1.4
- lang/ruby/rails.mk 1.188
- mail/ruby-actionmailbox72/distinfo 1.4
- mail/ruby-actionmailer72/distinfo 1.4
- textproc/ruby-actiontext72/distinfo 1.4
- www/ruby-actioncable72/distinfo 1.4
- www/ruby-actionpack72/Makefile 1.3
- www/ruby-actionpack72/distinfo 1.4
- www/ruby-actionview72/distinfo 1.4
- www/ruby-rails72/distinfo 1.4

---
Module Name: pkgsrc
Committed By: taca
Date: Sun Mar 29 14:07:39 UTC 2026

Modified Files:
    pkgsrc/databases/ruby-activerecord72: distinfo
    pkgsrc/devel/ruby-activejob72: distinfo
    pkgsrc/devel/ruby-activemodel72: distinfo
    pkgsrc/devel/ruby-activestorage72: distinfo
    pkgsrc/devel/ruby-activesupport72: Makefile distinfo
    pkgsrc/devel/ruby-railties72: Makefile distinfo
    pkgsrc/mail/ruby-actionmailbox72: distinfo
    pkgsrc/mail/ruby-actionmailer72: distinfo
    pkgsrc/textproc/ruby-actiontext72: distinfo
    pkgsrc/www/ruby-actioncable72: distinfo
    pkgsrc/www/ruby-actionpack72: Makefile distinfo
    pkgsrc/www/ruby-actionview72: distinfo
    pkgsrc/www/ruby-rails72: distinfo

Log Message:
www/ruby-rails72: update to 7.2.3.1

Ruby on Rails 7.2.3.1 (2026-03-23)

Active Support

* Reject scientific notation in NumberConverter
  [CVE-2026-33176]
  Jean Boussier

* Fix SafeBuffer#% to preserve unsafe status
  [CVE-2026-33170]
  Jean Boussier

* Improve performance of NumberToDelimitedConverter
  [CVE-2026-33169]
  Jean Boussier

Action View

* Skip blank attribute names in tag helpers to avoid generating invalid HTML.
  [CVE-2026-33168]
  Mike Dalessio

Active Storage

* Filter user supplied metadata in DirectUploadController
  [CVE-2026-33173]
  Jean Boussier

* Configurable maximum streaming chunk size

  Makes sure that byte ranges for blobs don't exceed 100mb by default.
  Content ranges that are too big can result in denial of service.

  [CVE-2026-33174]
  Gannon McGibbon

* Limit range requests to a single range
  [CVE-2026-33658]
  Jean Boussier

* Prevent path traversal in DiskService.

  DiskService#path_for now raises an InvalidKeyError when passed keys with
  dot segments (".", ".."), or if the resolved path is outside the storage
  root directory.

  #path_for also now consistently raises InvalidKeyError if the key is invalid
  in any way, for example containing null bytes or having an incompatible
  encoding. Previously, the exception raised may have been ArgumentError or
  Encoding::CompatibilityError.

  DiskController now explicitly rescues InvalidKeyError with appropriate HTTP
  status codes.

  [CVE-2026-33195]
  Mike Dalessio

* Prevent glob injection in DiskService#delete_prefixed.

  Escape glob metacharacters in the resolved path before passing to Dir.glob.
  Note that this change breaks any existing code that is relying on
  delete_prefixed to expand glob metacharacters. This change presumes that is
  unintended behavior (as other storage services do not respect these
  metacharacters).

  [CVE-2026-33202]
  Mike Dalessio

Active Model
Active Record
Action Pack
Active Job
Action Mailer
Action Cable
Action Mailbox
Action Text
Railties

* No change except version.

---
Module Name: pkgsrc
Committed By: taca
Date: Sun Mar 29 14:26:36 UTC 2026

Modified Files:
    pkgsrc/lang/ruby: rails.mk

Log Message:
lang/ruby: update rails to 7.2.3.1

Make sure to update rails72 to 7.2.3.1.
@ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 BLAKE2s (activerecord-7.2.3.1.gem) = eae189b25212dd7d4a15efa5a7880d5e628c5ffb9089aad4745e4db8bb4108be SHA512 (activerecord-7.2.3.1.gem) = c03ae09b1d3bd8aa61fb1b29499c0b0dbc8636eddd3fd7561dce91d0d44e0387c7f4565df262ed727c8b5cd9b00bded55d115233238e632bb1cda97486faf379 Size (activerecord-7.2.3.1.gem) = 549888 bytes @

1.2
log
@www/ruby-rails72: update to 7.2.2.2

Ruby on Rails 7.2.2.2 (2025-08-13)

Active Record

* Call inspect on ids in RecordNotFound error
  [CVE-2025-55193]
  Gannon McGibbon, John Hawthorn

Active Storage

* Remove dangerous transformations
  [CVE-2025-24293]
  Zack Deveau
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.1 2024/12/13 16:45:12 taca Exp $ d3 3 a5 3 BLAKE2s (activerecord-7.2.2.2.gem) = 17c5149b5f080b93b427dac2bbfd8dc27c2e6c020375eb62efee48bbfd5e8547 SHA512 (activerecord-7.2.2.2.gem) = 8e8667e225294318b64030fef9a64c99bf137849e2cdc54f15e3347f82957b7f98751b10694f7cda41ab8b416da05e574c24d26cc96469c3ae708cd13d683658 Size (activerecord-7.2.2.2.gem) = 545280 bytes @

1.1
log
@databases/ruby-activerecord72: add package version 7.2.2.1

Active Record -- Object-relational mapping in Rails

Active Record connects classes to relational database tables to establish an
almost zero-configuration persistence layer for applications.
The library provides a base class that, when subclassed, sets up a mapping
between the new class and an existing table in the database. In the context
of an application, these classes are commonly referred to as *models*. Models
can also be connected to other models; this is done by defining
*associations*.

Active Record relies heavily on naming in that it uses class and association
names to establish mappings between respective database tables and foreign key
columns. Although these mappings can be defined explicitly, it's recommended
to follow naming conventions, especially when getting started with the
library.
@ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 BLAKE2s (activerecord-7.2.2.1.gem) = 5353d381ac67b37c108f9cb0ea33951184c4c7a4961b91513c7938e90010f646 SHA512 (activerecord-7.2.2.1.gem) = f91b7a6765ce3bf7b51d6da54447fe60e12bad25739442ecd72da94b7c774ef366ceb02c6b272728509b6aedefbf79863c1db54bf4baf5e5d9baddf8e9cd34df Size (activerecord-7.2.2.1.gem) = 545792 bytes @
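
Review bot: the Size line for activerecord-7.2.3.1.gem in the 1.3.4.1 delta reads 549888 bytes, the same value the 1.3 delta records for activerecord-7.2.3.gem, although the BLAKE2s and SHA512 digests differ between the two. All four sizes in this file are multiples of 512, which fits a .gem being a block-padded tar archive, so an unchanged size across a version-only bump is plausible. It is still worth confirming that the three lines were regenerated together with make makesum against the fetched 7.2.3.1 distfile rather than the Size line being carried over.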