head 1.6;
access;
symbols
    pkgsrc-2026Q2:1.6.0.2
    pkgsrc-2026Q2-base:1.6
    pkgsrc-2026Q1:1.5.0.4
    pkgsrc-2026Q1-base:1.5
    pkgsrc-2025Q4:1.5.0.2
    pkgsrc-2025Q4-base:1.5
    pkgsrc-2025Q3:1.3.0.2
    pkgsrc-2025Q3-base:1.3
    pkgsrc-2025Q2:1.2.0.4
    pkgsrc-2025Q2-base:1.2
    pkgsrc-2025Q1:1.2.0.2
    pkgsrc-2025Q1-base:1.2;
locks; strict;
comment @# @;

1.6
date 2026.03.29.14.23.50; author taca; state Exp;
branches;
next 1.5;
commitid GdlaYMrkDvI6wSzG;

1.5
date 2025.11.03.08.51.48; author taca; state Exp;
branches
    1.5.4.1;
next 1.4;
commitid 4EV3oTYJkYSan5hG;

1.4
date 2025.09.23.04.18.47; author taca; state Exp;
branches;
next 1.3;
commitid 9AP2d6aNkpghbNbG;

1.3
date 2025.08.14.15.25.07; author taca; state Exp;
branches;
next 1.2;
commitid E4UQOMSWVtxz9I6G;

1.2
date 2025.03.16.15.29.52; author taca; state Exp;
branches;
next 1.1;
commitid BEvHyz9EPgN82jNF;

1.1
date 2025.01.02.07.10.55; author taca; state Exp;
branches;
next ;
commitid yEeZZK4e5QWrCSDF;

1.5.4.1
date 2026.03.31.13.37.47; author maya; state Exp;
branches;
next ;
commitid Xqfm4HcoSdOoc8AG;

desc
@@

1.6
log
@www/ruby-rails80: update to 8.0.5

Ruby on Rails 8.0.4.1 (2026-03-23)

Active Support

* Reject scientific notation in NumberConverter
  [CVE-2026-33176]
  Jean Boussier

* Fix SafeBuffer#% to preserve unsafe status
  [CVE-2026-33170]
  Jean Boussier

* Improve performance of NumberToDelimitedConverter
  [CVE-2026-33169]
  Jean Boussier

Action View

* Skip blank attribute names in tag helpers to avoid generating invalid HTML.
  [CVE-2026-33168]
  Mike Dalessio

Active Storage

* Filter user supplied metadata in DirectUploadController
  [CVE-2026-33173]
  Jean Boussier

* Configurable maximum streaming chunk size
  Makes sure that byte ranges for blobs don't exceed 100mb by default. Content ranges that are too big can result in denial of service.
  [CVE-2026-33174]
  Gannon McGibbon

* Limit range requests to a single range
  [CVE-2026-33658]
  Jean Boussier

* Prevent path traversal in DiskService.
  DiskService#path_for now raises an InvalidKeyError when passed keys with dot segments (".", ".."), or if the resolved path is outside the storage root directory.
  #path_for also now consistently raises InvalidKeyError if the key is invalid in any way, for example containing null bytes or having an incompatible encoding. Previously, the exception raised may have been ArgumentError or Encoding::CompatibilityError.
  DiskController now explicitly rescues InvalidKeyError with appropriate HTTP status codes.
  [CVE-2026-33195]
  Mike Dalessio

* Prevent glob injection in DiskService#delete_prefixed.
  Escape glob metacharacters in the resolved path before passing to Dir.glob.
  Note that this change breaks any existing code that is relying on delete_prefixed to expand glob metacharacters. This change presumes that is unintended behavior (as other storage services do not respect these metacharacters).
  [CVE-2026-33202]
  Mike Dalessio

Active Model
Active Record
Action Pack
Active Job
Action Mailer
Action Cable
Action Mailbox
Action Text
Railties

* No change except version.

8.0.5 (2026-03-24)

Changes are too many to write here, please refer: .
@
text
@$NetBSD: distinfo,v 1.5 2025/11/03 08:51:48 taca Exp $ BLAKE2s (actionpack-8.0.5.gem) = d5f15946b968d2c0e6266f46caa154e7de8217f47df5ac41107ae7b89197286c SHA512 (actionpack-8.0.5.gem) = ec9bddd9fb69e4fddaba24e5a33cb1a94fe78cd6308a5c89429971845ac1c53a69836cb9aec3486540018a6f517b032a909444300fa0d5f8e05383b6b07c6013 Size (actionpack-8.0.5.gem) = 250368 bytes @

1.5
log
@www/ruby-rails80: update to 8.0.4

8.0.4 (2025-10-28)

Active Support

* Fix Enumerable#sole to return the full tuple instead of just the first element of the tuple.
  [Olivier Bellone]

* Fix parallel tests hanging when worker processes die abruptly.
  Previously, if a worker process was killed (e.g., OOM killed, kill -9) during parallel test execution, the test suite would hang forever waiting for the dead worker.
  [Joshua Young]

* Fix NameError when class_attribute is defined on instance singleton classes.
  Previously, calling class_attribute on an instance's singleton class would raise a NameError when accessing the attribute through the instance.

      object = MyClass.new
      object.singleton_class.class_attribute :foo, default: "bar"
      object.foo # previously raised NameError, now returns "bar"

  [Joshua Young]

Active Record

* Fix SQLite3 data loss during table alterations with CASCADE foreign keys.
  When altering a table in SQLite3 that is referenced by child tables with ON DELETE CASCADE foreign keys, ActiveRecord would silently delete all data from the child tables. This occurred because SQLite requires table recreation for schema changes, and during this process the original table is temporarily dropped, triggering CASCADE deletes on child tables.
  The root cause was incorrect ordering of operations. The original code wrapped disable_referential_integrity inside a transaction, but PRAGMA foreign_keys cannot be modified inside a transaction in SQLite - attempting to do so simply has no effect. This meant foreign keys remained enabled during table recreation, causing CASCADE deletes to fire.
  The fix reverses the order to follow the official SQLite 12-step ALTER TABLE procedure: disable_referential_integrity now wraps the transaction instead of being wrapped by it. This ensures foreign keys are properly disabled before the transaction starts and re-enabled after it commits, preventing CASCADE deletes while maintaining data integrity through atomic transactions.
  [Ruy Rocha]

* Add support for bound SQL literals in CTEs.
  [Nicolas Bachschmidt]

* Fix belongs_to associations not to clear the entire composite primary key.
  When clearing a belongs_to association that references a model with composite primary key, only the optional part of the key should be cleared.
  [zzak]

* Fix invalid records being autosaved when distantly associated records are marked for deletion.
  [Ian Terrell, axlekb AB]

Action View

* Restore add_default_name_and_id method.
  [Hartley McGuire]

Action Pack

* Submit test requests using as: :html with Content-Type: x-www-form-urlencoded
  [Sean Doyle]

Active Model
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties

* No changes.
@
text
@d1 1 a1 1 $NetBSD: distinfo,v 1.4 2025/09/23 04:18:47 taca Exp $ d3 3 a5 3 BLAKE2s (actionpack-8.0.4.gem) = 39d40a5da845654ee7edd5e2cd5f7ab1182466d46f9433302b5cbf908e2ebddd SHA512 (actionpack-8.0.4.gem) = 8753e1399b0d000a36945da26756639e503f91b9fbcdd788fad776322802008f8aef8c5f2700c49dc1ac70c38f926c1477676bff5f6129e665e0dd5c0305f5e2 Size (actionpack-8.0.4.gem) = 249856 bytes @

1.5.4.1
log
@Pullup ticket #7062 - requested by taca

databases/ruby-activerecord80: Security fix
devel/ruby-activejob80: Security fix
devel/ruby-activemodel80: Security fix
devel/ruby-activestorage80: Security fix
devel/ruby-activesupport80: Security fix
devel/ruby-railties80: Security fix
mail/ruby-actionmailbox80: Security fix
mail/ruby-actionmailer80: Security fix
textproc/ruby-actiontext80: Security fix
www/ruby-actioncable80: Security fix
www/ruby-actionpack80: Security fix
www/ruby-actionview80: Security fix
www/ruby-rails80: Security fix

Revisions pulled up:
- databases/ruby-activerecord80/distinfo 1.6
- devel/ruby-activejob80/distinfo 1.6
- devel/ruby-activemodel80/distinfo 1.6
- devel/ruby-activestorage80/distinfo 1.6
- devel/ruby-activesupport80/distinfo 1.6
- devel/ruby-railties80/Makefile 1.5
- devel/ruby-railties80/distinfo 1.6
- lang/ruby/rails.mk 1.189
- mail/ruby-actionmailbox80/distinfo 1.6
- mail/ruby-actionmailer80/distinfo 1.6
- textproc/ruby-actiontext80/distinfo 1.6
- www/ruby-actioncable80/distinfo 1.6
- www/ruby-actionpack80/Makefile 1.6
- www/ruby-actionpack80/distinfo 1.6
- www/ruby-actionview80/distinfo 1.6
- www/ruby-rails80/distinfo 1.6

---
Module Name: pkgsrc
Committed By: taca
Date: Sun Mar 29 14:23:51 UTC 2026

Modified Files:
    pkgsrc/databases/ruby-activerecord80: distinfo
    pkgsrc/devel/ruby-activejob80: distinfo
    pkgsrc/devel/ruby-activemodel80: distinfo
    pkgsrc/devel/ruby-activestorage80: distinfo
    pkgsrc/devel/ruby-activesupport80: distinfo
    pkgsrc/devel/ruby-railties80: Makefile distinfo
    pkgsrc/mail/ruby-actionmailbox80: distinfo
    pkgsrc/mail/ruby-actionmailer80: distinfo
    pkgsrc/textproc/ruby-actiontext80: distinfo
    pkgsrc/www/ruby-actioncable80: distinfo
    pkgsrc/www/ruby-actionpack80: Makefile distinfo
    pkgsrc/www/ruby-actionview80: distinfo
    pkgsrc/www/ruby-rails80: distinfo

Log Message:
www/ruby-rails80: update to 8.0.5

Ruby on Rails 8.0.4.1 (2026-03-23)

Active Support

* Reject scientific notation in NumberConverter
  [CVE-2026-33176]
  Jean Boussier

* Fix SafeBuffer#% to preserve unsafe status
  [CVE-2026-33170]
  Jean Boussier

* Improve performance of NumberToDelimitedConverter
  [CVE-2026-33169]
  Jean Boussier

Action View

* Skip blank attribute names in tag helpers to avoid generating invalid HTML.
  [CVE-2026-33168]
  Mike Dalessio

Active Storage

* Filter user supplied metadata in DirectUploadController
  [CVE-2026-33173]
  Jean Boussier

* Configurable maximum streaming chunk size
  Makes sure that byte ranges for blobs don't exceed 100mb by default. Content ranges that are too big can result in denial of service.
  [CVE-2026-33174]
  Gannon McGibbon

* Limit range requests to a single range
  [CVE-2026-33658]
  Jean Boussier

* Prevent path traversal in DiskService.
  DiskService#path_for now raises an InvalidKeyError when passed keys with dot segments (".", ".."), or if the resolved path is outside the storage root directory.
  #path_for also now consistently raises InvalidKeyError if the key is invalid in any way, for example containing null bytes or having an incompatible encoding. Previously, the exception raised may have been ArgumentError or Encoding::CompatibilityError.
  DiskController now explicitly rescues InvalidKeyError with appropriate HTTP status codes.
  [CVE-2026-33195]
  Mike Dalessio

* Prevent glob injection in DiskService#delete_prefixed.
  Escape glob metacharacters in the resolved path before passing to Dir.glob.
  Note that this change breaks any existing code that is relying on delete_prefixed to expand glob metacharacters. This change presumes that is unintended behavior (as other storage services do not respect these metacharacters).
  [CVE-2026-33202]
  Mike Dalessio

Active Model
Active Record
Action Pack
Active Job
Action Mailer
Action Cable
Action Mailbox
Action Text
Railties

* No change except version.

8.0.5 (2026-03-24)

Changes are too many to write here, please refer: .

---
Module Name: pkgsrc
Committed By: taca
Date: Sun Mar 29 14:28:13 UTC 2026

Modified Files:
    pkgsrc/lang/ruby: rails.mk

Log Message:
lang/ruby: update rails80 to 8.0.5

Make sure to update rails80 to 8.0.5.
@
text
@d1 1 a1 1 $NetBSD$ d3 3 a5 3 BLAKE2s (actionpack-8.0.5.gem) = d5f15946b968d2c0e6266f46caa154e7de8217f47df5ac41107ae7b89197286c SHA512 (actionpack-8.0.5.gem) = ec9bddd9fb69e4fddaba24e5a33cb1a94fe78cd6308a5c89429971845ac1c53a69836cb9aec3486540018a6f517b032a909444300fa0d5f8e05383b6b07c6013 Size (actionpack-8.0.5.gem) = 250368 bytes @

1.4
log
@www/ruby-actionpack80: update to 8.0.3

8.0.3 (2025-09-22)

Action Pack

* URL helpers for engines mounted at the application root handle SCRIPT_NAME correctly.
  Fixed an issue where SCRIPT_NAME is not applied to paths generated for routes in an engine mounted at "/".
  Mike Dalessio

* Fix Rails.application.reload_routes! from clearing almost all routes.
  When calling Rails.application.reload_routes! inside a middleware of a Rake task, it was possible under certain conditions that all routes would be cleared. If run inside a middleware, this would result in getting a 404 on most pages you visit. This issue was only happening in development.
  Edouard Chin

* Address rack 3.2 deprecation warnings.

      warning: Status code :unprocessable_entity is deprecated and will be removed in a future version of Rack.
      Please use :unprocessable_content instead.

  Rails API will transparently convert one into the other for the foreseeable future.
  Earlopain, Jean Boussier

* Support hash-source in Content Security Policy.
  madogiwa

* Always return empty body for HEAD requests in PublicExceptions and DebugExceptions.
  This is required by Rack::Lint (per RFC9110).
  Hartley McGuire
@
text
@d1 1 a1 1 $NetBSD: distinfo,v 1.3 2025/08/14 15:25:07 taca Exp $ d3 3 a5 3 BLAKE2s (actionpack-8.0.3.gem) = e9e068786c06ac6f814ec29d76f9919cdff506e4575b48a86c4a93d52e008dff SHA512 (actionpack-8.0.3.gem) = e7635c40c3e239f1d7ac52f4b1d7c10042b9a1ef724cd8b702b60e11363105fde4ad9a72eeedfa1271311e011776f76c43d0bca5b3beb3c1a16afb5800a5fb5d Size (actionpack-8.0.3.gem) = 249856 bytes @

1.3
log
@www/ruby-rails80: update to 8.0.2.1

Ruby on Rails 8.0.2.1 (2025-08-13)

Active Record

* Call inspect on ids in RecordNotFound error
  [CVE-2025-55193]
  Gannon McGibbon, John Hawthorn

Active Storage

* Remove dangerous transformations
  [CVE-2025-24293]
  Zack Deveau
@
text
@d1 1 a1 1 $NetBSD: distinfo,v 1.2 2025/03/16 15:29:52 taca Exp $ d3 3 a5 3 BLAKE2s (actionpack-8.0.2.1.gem) = 8d8064721b3f8af3b402e20d190a56f73191bcee5e8fd96305ca852971f57a60 SHA512 (actionpack-8.0.2.1.gem) = 940984cffc237b25f325e32654ff8256550bcd6259a9fd4d929861ffa10f87907d5ac5b4e1f0c815b42beb802553c188d0cfa6f03d266d9c6b5f07ea62b1ac80 Size (actionpack-8.0.2.1.gem) = 248832 bytes @

1.2
log
@www/ruby-actionpack80: update to 8.0.2

8.0.2 (2025/03/12)

* Improve with_routing test helper to not rebuild the middleware stack.
  Otherwise some middleware configuration could be lost.
  Édouard Chin

* Add resource name to the ArgumentError that's raised when invalid :only or :except options are given to #resource or #resources
  This makes it easier to locate the source of the problem, especially for routes drawn by gems.
  Before:

      :only and :except must include only [:index, :create, :new, :show, :update, :destroy, :edit], but also included [:foo, :bar]

  After:

      Route `resources :products` - :only and :except must include only [:index, :create, :new, :show, :update, :destroy, :edit], but also included [:foo, :bar]

  Jeremy Green

* Fix url_for to handle :path_params gracefully when it's not a Hash.
  Prevents various security scanners from causing exceptions.
  Martin Emde

* Fix ActionDispatch::Executor to unwrap exceptions like other error reporting middlewares.
  Jean Boussier
@
text
@d1 1 a1 1 $NetBSD: distinfo,v 1.1 2025/01/02 07:10:55 taca Exp $ d3 3 a5 3 BLAKE2s (actionpack-8.0.2.gem) = 2a7d5734ae712a7fba2256a228a3a989eb605072a7746858e985f7eaab123716 SHA512 (actionpack-8.0.2.gem) = fa3a7c86dcbf3b5fe5048730bb89c5469b006413e4493865c69c0ee759792370f5691f2fa06b3c9f31ca3f9264da0854bcc0941052e5795e9fff338f246a0cbe Size (actionpack-8.0.2.gem) = 248832 bytes @

1.1
log
@www/ruby-actionpack80: add package version 8.0.1

Action Pack -- From request to response

Action Pack is a framework for handling and responding to web requests. It provides mechanisms for *routing* (mapping request URLs to actions), defining *controllers* that implement actions, and generating responses. In short, Action Pack provides the controller layer in the MVC paradigm.

It consists of several modules:

* Action Dispatch, which parses information about the web request, handles routing as defined by the user, and does advanced processing related to HTTP such as MIME-type negotiation, decoding parameters in POST, PATCH, or PUT bodies, handling HTTP caching logic, cookies and sessions.

* Action Controller, which provides a base controller class that can be subclassed to implement filters and actions to handle requests. The result of an action is typically content generated from views.

With the Ruby on Rails framework, users only directly interface with the Action Controller module.
Necessary Action Dispatch functionality is activated by default and Action View rendering is implicitly triggered by Action Controller. However, these modules are designed to function on their own and can be used outside of Rails.

This is for Ruby on Rails 8.0.
@
text
@d1 1 a1 1 $NetBSD$ d3 3 a5 3 BLAKE2s (actionpack-8.0.1.gem) = 3119bb22dbf2d7be1b414082bf26d2b6a1e276f90ff818017f5323def7f0cfd4 SHA512 (actionpack-8.0.1.gem) = 97d4e3a16c63ea8624f02ff2466936542194e3edeceed124020b08e113968e631bcfb9e15f59326642cbff2f11efba34362a58a24bc354ec45f4214450b95a65 Size (actionpack-8.0.1.gem) = 248320 bytes @