head 1.6; access; symbols pkgsrc-2026Q1:1.5.0.4 pkgsrc-2026Q1-base:1.5 pkgsrc-2025Q4:1.5.0.2 pkgsrc-2025Q4-base:1.5 pkgsrc-2025Q3:1.3.0.2 pkgsrc-2025Q3-base:1.3 pkgsrc-2025Q2:1.2.0.4 pkgsrc-2025Q2-base:1.2 pkgsrc-2025Q1:1.2.0.2 pkgsrc-2025Q1-base:1.2; locks; strict; comment @# @; 1.6 date 2026.03.29.14.23.50; author taca; state Exp; branches; next 1.5; commitid GdlaYMrkDvI6wSzG; 1.5 date 2025.11.03.08.51.47; author taca; state Exp; branches 1.5.4.1; next 1.4; commitid 4EV3oTYJkYSan5hG; 1.4 date 2025.09.23.04.16.06; author taca; state Exp; branches; next 1.3; commitid 9PgxkDfwac5maNbG; 1.3 date 2025.08.14.15.25.06; author taca; state Exp; branches; next 1.2; commitid E4UQOMSWVtxz9I6G; 1.2 date 2025.03.16.15.19.52; author taca; state Exp; branches; next 1.1; commitid Z91jEezOMpnIYiNF; 1.1 date 2025.01.02.07.06.21; author taca; state Exp; branches; next ; commitid wddE8ckegfBSASDF; 1.5.4.1 date 2026.03.31.13.37.46; author maya; state Exp; branches; next ; commitid Xqfm4HcoSdOoc8AG; desc @@ 1.6 log @www/ruby-rails80: update to 8.0.5 Ruby on Rails 8.0.4.1 (2026-03-23) Active Support * Reject scientific notation in NumberConverter [CVE-2026-33176] Jean Boussier * Fix SafeBuffer#% to preserve unsafe status [CVE-2026-33170] Jean Boussier * Improve performance of NumberToDelimitedConverter [CVE-2026-33169] Jean Boussier Action View * Skip blank attribute names in tag helpers to avoid generating invalid HTML. [CVE-2026-33168] Mike Dalessio Active Storage * Filter user supplied metadata in DirectUploadController [CVE-2026-33173] Jean Boussier * Configurable maximum streaming chunk size Makes sure that byte ranges for blobs don't exceed 100mb by default. Content ranges that are too big can result in denial of service. [CVE-2026-33174] Gannon McGibbon * Limit range requests to a single range [CVE-2026-33658] Jean Boussier * Prevent path traversal in DiskService.
DiskService#path_for now raises an InvalidKeyError when passed keys with dot segments (".", ".."), or if the resolved path is outside the storage root directory. #path_for also now consistently raises InvalidKeyError if the key is invalid in any way, for example containing null bytes or having an incompatible encoding. Previously, the exception raised may have been ArgumentError or Encoding::CompatibilityError. DiskController now explicitly rescues InvalidKeyError with appropriate HTTP status codes. [CVE-2026-33195] Mike Dalessio * Prevent glob injection in DiskService#delete_prefixed. Escape glob metacharacters in the resolved path before passing to Dir.glob. Note that this change breaks any existing code that is relying on delete_prefixed to expand glob metacharacters. This change presumes that is unintended behavior (as other storage services do not respect these metacharacters). [CVE-2026-33202] Mike Dalessio Active Model Active Record Action Pack Active Job Action Mailer Action Cable Action Mailbox Action Text Railties * No change except version. 8.0.5 (2026-03-24) Changes are too many to write here, please refer: . @ text @$NetBSD: distinfo,v 1.5 2025/11/03 08:51:47 taca Exp $ BLAKE2s (activejob-8.0.5.gem) = 8338176c743c540ee9df048378f3bc1523a88afa2f0b2b8eb51889d75db383d9 SHA512 (activejob-8.0.5.gem) = 5b53e0a2fdde0d6cacbbfca828b0b36842f0f0fa334ad7a632549f3becdc358b2ca21110f16b349d62d6423f2173b70e123caa08bf8d6e01968c9540a0d12907 Size (activejob-8.0.5.gem) = 35840 bytes @ 1.5 log @www/ruby-rails80: update to 8.0.4 8.0.4 (2025-10-28) Active Support * Fix Enumerable#sole to return the full tuple instead of just the first element of the tuple. [Olivier Bellone] * Fix parallel tests hanging when worker processes die abruptly. Previously, if a worker process was killed (e.g., OOM killed, kill -9) during parallel test execution, the test suite would hang forever waiting for the dead worker. 
[Joshua Young] * Fix NameError when class_attribute is defined on instance singleton classes. Previously, calling class_attribute on an instance's singleton class would raise a NameError when accessing the attribute through the instance. object = MyClass.new object.singleton_class.class_attribute :foo, default: "bar" object.foo # previously raised NameError, now returns "bar" [Joshua Young] Active Record * Fix SQLite3 data loss during table alterations with CASCADE foreign keys. When altering a table in SQLite3 that is referenced by child tables with ON DELETE CASCADE foreign keys, ActiveRecord would silently delete all data from the child tables. This occurred because SQLite requires table recreation for schema changes, and during this process the original table is temporarily dropped, triggering CASCADE deletes on child tables. The root cause was incorrect ordering of operations. The original code wrapped disable_referential_integrity inside a transaction, but PRAGMA foreign_keys cannot be modified inside a transaction in SQLite - attempting to do so simply has no effect. This meant foreign keys remained enabled during table recreation, causing CASCADE deletes to fire. The fix reverses the order to follow the official SQLite 12-step ALTER TABLE procedure: disable_referential_integrity now wraps the transaction instead of being wrapped by it. This ensures foreign keys are properly disabled before the transaction starts and re-enabled after it commits, preventing CASCADE deletes while maintaining data integrity through atomic transactions. [Ruy Rocha] * Add support for bound SQL literals in CTEs. [Nicolas Bachschmidt] * Fix belongs_to associations not to clear the entire composite primary key. When clearing a belongs_to association that references a model with composite primary key, only the optional part of the key should be cleared. [zzak] * Fix invalid records being autosaved when distantly associated records are marked for deletion. 
[Ian Terrell, axlekb AB] Action View * Restore add_default_name_and_id method. [Hartley McGuire] Action Pack * Submit test requests using as: :html with Content-Type: x-www-form-urlencoded [Sean Doyle] Active Model Active Job Action Mailer Action Cable Active Storage Action Mailbox Action Text Railties * No changes. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.4 2025/09/23 04:16:06 taca Exp $ d3 3 a5 3 BLAKE2s (activejob-8.0.4.gem) = fb00267ede5ddea94e56fe6b6912a835c44ab791b65cc4a94c09b2be82aa381d SHA512 (activejob-8.0.4.gem) = 81de93c8d748971c55ce46c7c60af4b6fb634d0d67dde5478c4ae1d2daa307a9f7f71417bbd2936d7fafa2ddd99ee600c2570b32ee8d9b7ab2d4791321fa95ea Size (activejob-8.0.4.gem) = 35840 bytes @ 1.5.4.1 log @Pullup ticket #7062 - requested by taca databases/ruby-activerecord80: Security fix devel/ruby-activejob80: Security fix devel/ruby-activemodel80: Security fix devel/ruby-activestorage80: Security fix devel/ruby-activesupport80: Security fix devel/ruby-railties80: Security fix mail/ruby-actionmailbox80: Security fix mail/ruby-actionmailer80: Security fix textproc/ruby-actiontext80: Security fix www/ruby-actioncable80: Security fix www/ruby-actionpack80: Security fix www/ruby-actionview80: Security fix www/ruby-rails80: Security fix Revisions pulled up: - databases/ruby-activerecord80/distinfo 1.6 - devel/ruby-activejob80/distinfo 1.6 - devel/ruby-activemodel80/distinfo 1.6 - devel/ruby-activestorage80/distinfo 1.6 - devel/ruby-activesupport80/distinfo 1.6 - devel/ruby-railties80/Makefile 1.5 - devel/ruby-railties80/distinfo 1.6 - lang/ruby/rails.mk 1.189 - mail/ruby-actionmailbox80/distinfo 1.6 - mail/ruby-actionmailer80/distinfo 1.6 - textproc/ruby-actiontext80/distinfo 1.6 - www/ruby-actioncable80/distinfo 1.6 - www/ruby-actionpack80/Makefile 1.6 - www/ruby-actionpack80/distinfo 1.6 - www/ruby-actionview80/distinfo 1.6 - www/ruby-rails80/distinfo 1.6 --- Module Name: pkgsrc Committed By: taca Date: Sun Mar 29 14:23:51 UTC 2026 Modified Files: 
pkgsrc/databases/ruby-activerecord80: distinfo pkgsrc/devel/ruby-activejob80: distinfo pkgsrc/devel/ruby-activemodel80: distinfo pkgsrc/devel/ruby-activestorage80: distinfo pkgsrc/devel/ruby-activesupport80: distinfo pkgsrc/devel/ruby-railties80: Makefile distinfo pkgsrc/mail/ruby-actionmailbox80: distinfo pkgsrc/mail/ruby-actionmailer80: distinfo pkgsrc/textproc/ruby-actiontext80: distinfo pkgsrc/www/ruby-actioncable80: distinfo pkgsrc/www/ruby-actionpack80: Makefile distinfo pkgsrc/www/ruby-actionview80: distinfo pkgsrc/www/ruby-rails80: distinfo Log Message: www/ruby-rails80: update to 8.0.5 Ruby on Rails 8.0.4.1 (2026-03-23) Active Support * Reject scientific notation in NumberConverter [CVE-2026-33176] Jean Boussier * Fix SafeBuffer#% to preserve unsafe status [CVE-2026-33170] Jean Boussier * Improve performance of NumberToDelimitedConverter [CVE-2026-33169] Jean Boussier Action View * Skip blank attribute names in tag helpers to avoid generating invalid HTML. [CVE-2026-33168] Mike Dalessio Active Storage * Filter user supplied metadata in DirectUploadController [CVE-2026-33173] Jean Boussier * Configurable maximum streaming chunk size Makes sure that byte ranges for blobs don't exceed 100mb by default. Content ranges that are too big can result in denial of service. [CVE-2026-33174] Gannon McGibbon * Limit range requests to a single range [CVE-2026-33658] Jean Boussier * Prevent path traversal in DiskService. DiskService#path_for now raises an InvalidKeyError when passed keys with dot segments (".", ".."), or if the resolved path is outside the storage root directory. #path_for also now consistently raises InvalidKeyError if the key is invalid in any way, for example containing null bytes or having an incompatible encoding. Previously, the exception raised may have been ArgumentError or Encoding::CompatibilityError. DiskController now explicitly rescues InvalidKeyError with appropriate HTTP status codes.
[CVE-2026-33195] Mike Dalessio * Prevent glob injection in DiskService#delete_prefixed. Escape glob metacharacters in the resolved path before passing to Dir.glob. Note that this change breaks any existing code that is relying on delete_prefixed to expand glob metacharacters. This change presumes that is unintended behavior (as other storage services do not respect these metacharacters). [CVE-2026-33202] Mike Dalessio Active Model Active Record Action Pack Active Job Action Mailer Action Cable Action Mailbox Action Text Railties * No change except version. 8.0.5 (2026-03-24) Changes are too many to write here, please refer: . --- Module Name: pkgsrc Committed By: taca Date: Sun Mar 29 14:28:13 UTC 2026 Modified Files: pkgsrc/lang/ruby: rails.mk Log Message: lang/ruby: update rails80 to 8.0.5 Make sure to update rails80 to 8.0.5. @ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 BLAKE2s (activejob-8.0.5.gem) = 8338176c743c540ee9df048378f3bc1523a88afa2f0b2b8eb51889d75db383d9 SHA512 (activejob-8.0.5.gem) = 5b53e0a2fdde0d6cacbbfca828b0b36842f0f0fa334ad7a632549f3becdc358b2ca21110f16b349d62d6423f2173b70e123caa08bf8d6e01968c9540a0d12907 Size (activejob-8.0.5.gem) = 35840 bytes @ 1.4 log @devel/ruby-activejob80: update to 8.0.3 8.0.3 (2025-09-22) Active Job * Include the actual Active Job locale when serializing rather than I18n locale. Adrien S * Fix retry_job instrumentation when using :test adapter for Active Job. 
fatkodima @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.3 2025/08/14 15:25:06 taca Exp $ d3 3 a5 3 BLAKE2s (activejob-8.0.3.gem) = 9a1ef40d2cb68919992c0eda30115ede6247ded6f451cea8263181bea6ad454b SHA512 (activejob-8.0.3.gem) = f631db506f0fe3705ed7a84ac81934d16eed3aa4ce502b0e91c697d146321d87a3741a05456c8f31a9581ec8b56cdf12092a9b6106397307552a9d2ce416e44f Size (activejob-8.0.3.gem) = 35840 bytes @ 1.3 log @www/ruby-rails80: update to 8.0.2.1 Ruby on Rails 8.0.2.1 (2025-08-13) Active Record * Call inspect on ids in RecordNotFound error [CVE-2025-55193] Gannon McGibbon, John Hawthorn Active Storage * Remove dangerous transformations [CVE-2025-24293] Zack Deveau @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.2 2025/03/16 15:19:52 taca Exp $ d3 3 a5 3 BLAKE2s (activejob-8.0.2.1.gem) = 7a5f0d1841a1e09c1a320a8dd470a069dcd6394194cf1b558d9a04c3f2673f71 SHA512 (activejob-8.0.2.1.gem) = ac5fa404facccf679ca15e85b2e109518c2ad8fd6933bcdb719056a9005df54fe0146147666173a70b733ae17c4e328724b41482d7ed4a323dea7a0dece8da01 Size (activejob-8.0.2.1.gem) = 35840 bytes @ 1.2 log @devel/ruby-activejob80: update to 8.0.2 8.0.2 (2025/03/12) No change except version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.1 2025/01/02 07:06:21 taca Exp $ d3 3 a5 3 BLAKE2s (activejob-8.0.2.gem) = 26cae9e90852b2bf18d5c1418ab9dc0358916140d0128ca9f6d312a676cea99a SHA512 (activejob-8.0.2.gem) = 9f56f9ad6e34dc1a0bdac4a45b01d8a242bd51a70d3b5ff5b872f952526d2545f5a9dec55f34037ab531567b4677bfdbdffb7204ccb67af1854e1ba9219ba106 Size (activejob-8.0.2.gem) = 35840 bytes @ 1.1 log @devel/ruby-activejob80: add package version 8.0.1 Active Job - Make work happen later Active Job is a framework for declaring jobs and making them run on a variety of queuing backends. These jobs can be everything from regularly scheduled clean-ups, to billing charges, to mailings -- anything that can be chopped up into small units of work and run in parallel. 
It also serves as the backend for Action Mailer's #deliver_later functionality that makes it easy to turn any mailing into a job for running later. That's one of the most common jobs in a modern web application: sending emails outside the request-response cycle, so the user doesn't have to wait on it. The main point is to ensure that all Rails apps will have a job infrastructure in place, even if it's in the form of an "immediate runner". We can then have framework features and other gems build on top of that, without having to worry about API differences between Delayed Job and Resque. Picking your queuing backend becomes more of an operational concern, then. And you'll be able to switch between them without having to rewrite your jobs. This is for Ruby on Rails 8.0. @ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 BLAKE2s (activejob-8.0.1.gem) = 21c07e710bee789ed82171c4e06d85bd5d9cb067d36622e8c9278646692fe65d SHA512 (activejob-8.0.1.gem) = 82bd2fab2c5e40c2039de3bcc5a0bf4c4dae73c393dd0f159c754841dd4248ef4150665eea7e637e1798174bd44a8f56316e64c9e41d7d0b7d375214a54d8e89 Size (activejob-8.0.1.gem) = 35840 bytes @
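Review bot: the deltas for 1.6, 1.5 and 1.3 are logged under a www/ruby-rails80 subject, although the lines they replace are the activejob-*.gem BLAKE2s, SHA512 and Size entries and the 1.6 and 1.5 messages themselves list Active Job under "No change except version" and "No changes". A subject in the devel/ruby-activejob80 form already used for 1.4, 1.2 and 1.1, plus one line stating that this package only moves its checksums, would let someone triaging the CVEs named in the 1.6 and 1.5.4.1 logs see at a glance that the listed fixes sit in Active Support, Action View and Active Storage rather than in this gem.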