head	1.6;
access;
symbols
	pkgsrc-2026Q1:1.5.0.2
	pkgsrc-2026Q1-base:1.5
	pkgsrc-2025Q4:1.3.0.6
	pkgsrc-2025Q4-base:1.3
	pkgsrc-2025Q3:1.3.0.4
	pkgsrc-2025Q3-base:1.3
	pkgsrc-2025Q2:1.3.0.2
	pkgsrc-2025Q2-base:1.3
	pkgsrc-2025Q1:1.2.0.2
	pkgsrc-2025Q1-base:1.2;
locks; strict;
comment	@# @;


1.6
date	2026.03.29.14.23.50;	author taca;	state Exp;
branches;
next	1.5;
commitid	GdlaYMrkDvI6wSzG;

1.5
date	2026.02.13.02.12.37;	author taca;	state Exp;
branches
	1.5.2.1;
next	1.4;
commitid	PePFcIL0j08WS9uG;

1.4
date	2026.02.11.08.50.21;	author taca;	state Exp;
branches;
next	1.3;
commitid	8WD20Aptzp7r9WtG;

1.3
date	2025.05.27.16.13.45;	author taca;	state Exp;
branches;
next	1.2;
commitid	mV2t5t7k0EjAXyWF;

1.2
date	2025.01.23.08.02.13;	author wiz;	state Exp;
branches;
next	1.1;
commitid	QrYzCdTa1vn3eAGF;

1.1
date	2025.01.02.07.10.55;	author taca;	state Exp;
branches;
next	;
commitid	yEeZZK4e5QWrCSDF;

1.5.2.1
date	2026.03.31.13.37.47;	author maya;	state Exp;
branches;
next	;
commitid	Xqfm4HcoSdOoc8AG;


desc
@@


1.6
log
@www/ruby-rails80: update to 8.0.5

Ruby on Rails 8.0.4.1 (2026-03-23)

Active Support

* Reject scientific notation in NumberConverter
  [CVE-2026-33176]
  Jean Boussier

* Fix SafeBuffer#% to preserve unsafe status
  [CVE-2026-33170]
  Jean Boussier

* Improve performance of NumberToDelimitedConverter
  [CVE-2026-33169]
  Jean Boussier

Action View

* Skip blank attribute names in tag helpers to avoid generating invalid HTML.
  [CVE-2026-33168]
  Mike Dalessio

Active Storage

* Filter user supplied metadata in DirectUploadController
  [CVE-2026-33173]
  Jean Boussier

* Configurable maximum streaming chunk size

  Makes sure that byte ranges for blobs don't exceed 100mb by default.
  Content ranges that are too big can result in denial of service.
  [CVE-2026-33174]
  Gannon McGibbon

* Limit range requests to a single range
  [CVE-2026-33658]
  Jean Boussier

* Prevent path traversal in DiskService.

  DiskService#path_for now raises an InvalidKeyError when passed keys with
  dot segments (".", ".."), or if the resolved path is outside the storage
  root directory.

  #path_for also now consistently raises InvalidKeyError if the key is
  invalid in any way, for example containing null bytes or having an
  incompatible encoding. Previously, the exception raised may have been
  ArgumentError or Encoding::CompatibilityError.

  DiskController now explicitly rescues InvalidKeyError with appropriate
  HTTP status codes.
  [CVE-2026-33195]
  Mike Dalessio

* Prevent glob injection in DiskService#delete_prefixed.

  Escape glob metacharacters in the resolved path before passing to Dir.glob.

  Note that this change breaks any existing code that is relying on
  delete_prefixed to expand glob metacharacters. This change presumes that
  is unintended behavior (as other storage services do not respect these
  metacharacters).
  [CVE-2026-33202]
  Mike Dalessio

Active Model
Active Record
Action Pack
Active Job
Action Mailer
Action Cable
Action Mailbox
Action Text
Railties

* No change except version.

8.0.5 (2026-03-24)

Changes are too many to write here, please refer: .
@
text
@# $NetBSD: Makefile,v 1.5 2026/02/13 02:12:37 taca Exp $

DISTNAME= actionpack-${RAILS_VERSION}
PKGNAME= ${RUBY_PKGPREFIX}-actionpack${RUBY_RAILS}-${RAILS_VERSION}
CATEGORIES= www

MAINTAINER= pkgsrc-users@@NetBSD.org
HOMEPAGE= http://www.rubyonrails.org/
COMMENT= Toolkit for building modeling frameworks (part of Rails 8.0)
LICENSE= mit

DEPENDS+= ${RUBY_ACTIONVIEW_DEPENDS}
DEPENDS+= ${RUBY_PKGPREFIX}-rack>=2.2.4:../../www/ruby-rack
DEPENDS+= ${RUBY_PKGPREFIX}-rack-session>=1.0.1:../../www/ruby-rack-session
DEPENDS+= ${RUBY_PKGPREFIX}-rack-test>=0.6.3:../../www/ruby-rack-test
# ruby-actionview already depends them.
#DEPENDS+= ${RUBY_PKGPREFIX}-rails-dom-testing>=2.2.0<3:../../textproc/ruby-rails-dom-testing
#DEPENDS+= ${RUBY_PKGPREFIX}-rails-html-sanitizer>=1.6<2:../../www/ruby-rails-html-sanitizer
DEPENDS+= ${RUBY_PKGPREFIX}-useragent>=0.16<1:../../www/ruby-useragent

USE_LANGUAGES= # none

RUBY_RAILS_ACCEPTED= 80
RUBY_RAILS_STRICT_DEP= yes

.include "../../lang/ruby/gem.mk"
.include "../../mk/bsd.pkg.mk"
@


1.5
log
@www/ruby-actionpack80: correct wrong DEPENDS line
@
text
@d1 1 a1 1 # $NetBSD: Makefile,v 1.4 2026/02/11 08:50:21 taca Exp $ a4 1 PKGREVISION= 1 @


1.5.2.1
log
@Pullup ticket #7062 - requested by taca
databases/ruby-activerecord80: Security fix
devel/ruby-activejob80: Security fix
devel/ruby-activemodel80: Security fix
devel/ruby-activestorage80: Security fix
devel/ruby-activesupport80: Security fix
devel/ruby-railties80: Security fix
mail/ruby-actionmailbox80: Security fix
mail/ruby-actionmailer80: Security fix
textproc/ruby-actiontext80: Security fix
www/ruby-actioncable80: Security fix
www/ruby-actionpack80: Security fix
www/ruby-actionview80: Security fix
www/ruby-rails80: Security fix

Revisions pulled up:
- databases/ruby-activerecord80/distinfo 1.6
- devel/ruby-activejob80/distinfo 1.6
- devel/ruby-activemodel80/distinfo 1.6
- devel/ruby-activestorage80/distinfo 1.6
- devel/ruby-activesupport80/distinfo 1.6
- devel/ruby-railties80/Makefile 1.5
- devel/ruby-railties80/distinfo 1.6
- lang/ruby/rails.mk 1.189
- mail/ruby-actionmailbox80/distinfo 1.6
- mail/ruby-actionmailer80/distinfo 1.6
- textproc/ruby-actiontext80/distinfo 1.6
- www/ruby-actioncable80/distinfo 1.6
- www/ruby-actionpack80/Makefile 1.6
- www/ruby-actionpack80/distinfo 1.6
- www/ruby-actionview80/distinfo 1.6
- www/ruby-rails80/distinfo 1.6

---
Module Name: pkgsrc
Committed By: taca
Date: Sun Mar 29 14:23:51 UTC 2026

Modified Files:
	pkgsrc/databases/ruby-activerecord80: distinfo
	pkgsrc/devel/ruby-activejob80: distinfo
	pkgsrc/devel/ruby-activemodel80: distinfo
	pkgsrc/devel/ruby-activestorage80: distinfo
	pkgsrc/devel/ruby-activesupport80: distinfo
	pkgsrc/devel/ruby-railties80: Makefile distinfo
	pkgsrc/mail/ruby-actionmailbox80: distinfo
	pkgsrc/mail/ruby-actionmailer80: distinfo
	pkgsrc/textproc/ruby-actiontext80: distinfo
	pkgsrc/www/ruby-actioncable80: distinfo
	pkgsrc/www/ruby-actionpack80: Makefile distinfo
	pkgsrc/www/ruby-actionview80: distinfo
	pkgsrc/www/ruby-rails80: distinfo

Log Message:
www/ruby-rails80: update to 8.0.5

Ruby on Rails 8.0.4.1 (2026-03-23)

Active Support

* Reject scientific notation in NumberConverter
  [CVE-2026-33176]
  Jean Boussier

* Fix SafeBuffer#% to preserve unsafe status
  [CVE-2026-33170]
  Jean Boussier

* Improve performance of NumberToDelimitedConverter
  [CVE-2026-33169]
  Jean Boussier

Action View

* Skip blank attribute names in tag helpers to avoid generating invalid HTML.
  [CVE-2026-33168]
  Mike Dalessio

Active Storage

* Filter user supplied metadata in DirectUploadController
  [CVE-2026-33173]
  Jean Boussier

* Configurable maximum streaming chunk size

  Makes sure that byte ranges for blobs don't exceed 100mb by default.
  Content ranges that are too big can result in denial of service.
  [CVE-2026-33174]
  Gannon McGibbon

* Limit range requests to a single range
  [CVE-2026-33658]
  Jean Boussier

* Prevent path traversal in DiskService.

  DiskService#path_for now raises an InvalidKeyError when passed keys with
  dot segments (".", ".."), or if the resolved path is outside the storage
  root directory.

  #path_for also now consistently raises InvalidKeyError if the key is
  invalid in any way, for example containing null bytes or having an
  incompatible encoding. Previously, the exception raised may have been
  ArgumentError or Encoding::CompatibilityError.

  DiskController now explicitly rescues InvalidKeyError with appropriate
  HTTP status codes.
  [CVE-2026-33195]
  Mike Dalessio

* Prevent glob injection in DiskService#delete_prefixed.

  Escape glob metacharacters in the resolved path before passing to Dir.glob.

  Note that this change breaks any existing code that is relying on
  delete_prefixed to expand glob metacharacters. This change presumes that
  is unintended behavior (as other storage services do not respect these
  metacharacters).
  [CVE-2026-33202]
  Mike Dalessio

Active Model
Active Record
Action Pack
Active Job
Action Mailer
Action Cable
Action Mailbox
Action Text
Railties

* No change except version.

8.0.5 (2026-03-24)

Changes are too many to write here, please refer: .

---
Module Name: pkgsrc
Committed By: taca
Date: Sun Mar 29 14:28:13 UTC 2026

Modified Files:
	pkgsrc/lang/ruby: rails.mk

Log Message:
lang/ruby: update rails80 to 8.0.5

Make sure to update rails80 to 8.0.5.
@
text
@d1 1 a1 1 # $NetBSD$ d5 1 @


1.4
log
@www/ruby-actionpack80: add dependency

www/ruby-actionpack80 requires ruby-useragent. Bump PKGREVISION.
@
text
@d1 1 a1 1 # $NetBSD: Makefile,v 1.3 2025/05/27 16:13:45 taca Exp $ d20 1 a20 1 DEPENDS+= ${RUBY_PKGPREFIX}-useragent>=0.16<../1:../../www/ruby-useragent @


1.3
log
@Remove RUBY_VERSIONS_INCOMPATIBLE line which contains 31 only.
@
text
@d1 1 a1 1 # $NetBSD: Makefile,v 1.2 2025/01/23 08:02:13 wiz Exp $ d5 1 d20 1 @


1.2
log
@*: Rails 8.0 is not available for Ruby 3.1
@
text
@d1 1 a1 1 # $NetBSD: Makefile,v 1.1 2025/01/02 07:10:55 taca Exp $ a24 2 RUBY_VERSIONS_INCOMPATIBLE= 31 @


1.1
log
@www/ruby-actionpack80: add package version 8.0.1

Action Pack -- From request to response

Action Pack is a framework for handling and responding to web requests. It
provides mechanisms for *routing* (mapping request URLs to actions), defining
*controllers* that implement actions, and generating responses. In short,
Action Pack provides the controller layer in the MVC paradigm.

It consists of several modules:

* Action Dispatch, which parses information about the web request, handles
  routing as defined by the user, and does advanced processing related to HTTP
  such as MIME-type negotiation, decoding parameters in POST, PATCH, or PUT
  bodies, handling HTTP caching logic, cookies and sessions.

* Action Controller, which provides a base controller class that can be
  subclassed to implement filters and actions to handle requests. The result
  of an action is typically content generated from views.

With the Ruby on Rails framework, users only directly interface with the
Action Controller module. Necessary Action Dispatch functionality is activated
by default and Action View rendering is implicitly triggered by Action
Controller. However, these modules are designed to function on their own and
can be used outside of Rails.

This is for Ruby on Rails 8.0.
@
text
@d1 1 a1 1 # $NetBSD$ d25 2 @
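
Review bot: none of the deltas for 1.1 through 1.6 touch the COMMENT line (they change only line 1, PKGREVISION, the useragent DEPENDS line and RUBY_VERSIONS_INCOMPATIBLE), so the head Makefile still carries `COMMENT= Toolkit for building modeling frameworks (part of Rails 8.0)`, which does not describe the package in the 1.1 log, where Action Pack is the controller layer that handles and responds to web requests. Suggest a follow-up revision that replaces the COMMENT text with a one-line summary of Action Pack. Separately, the `a20 1` line in the 1.4 delta shows the useragent pattern as `>=0.16<../1`, which is the malformed upper bound that the 1.5 log refers to; the head text has the corrected `>=0.16<1`, so nothing further is needed there.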