2021-09-14 09:14:21 -04:00
|
|
|
* Change default `X-XSS-Protection` header to disable XSS auditor
|
|
|
|
|
|
|
|
|
|
This header has been deprecated and the XSS auditor it triggered
|
|
|
|
|
has been removed from all major modern browsers (in favour of
|
|
|
|
|
Content Security Policy) that implemented this header to begin with
|
|
|
|
|
(Firefox never did).
|
|
|
|
|
|
|
|
|
|
[OWASP](https://owasp.org/www-project-secure-headers/#x-xss-protection)
|
|
|
|
|
suggests setting this header to '0' to disable the default behaviour
|
|
|
|
|
on old browsers as it can introduce additional security issues.
|
|
|
|
|
|
|
|
|
|
Added the new behaviour as a framework default from Rails 7.0.
|
|
|
|
|
|
|
|
|
|
*Christian Sutter*
|
|
|
|
|
|
2021-10-07 08:32:35 -04:00
|
|
|
* Scaffolds now use date_field, time_field and datetime_field instead of
|
|
|
|
|
date_select, time_select and datetime_select; thus providing native date/time pickers.
|
|
|
|
|
|
|
|
|
|
*Martijn Lafeber*
|
|
|
|
|
|
2021-10-04 15:46:07 -04:00
|
|
|
* Fix a regression in which autoload paths were initialized too late.
|
|
|
|
|
|
|
|
|
|
*Xavier Noria*
|
|
|
|
|
|
2021-09-15 18:22:51 -04:00
|
|
|
## Rails 7.0.0.alpha2 (September 15, 2021) ##
|
|
|
|
|
|
|
|
|
|
* Fix activestorage dependency in the npm package.
|
|
|
|
|
|
|
|
|
|
*Rafael Mendonça França*
|
|
|
|
|
|
2021-09-15 17:55:08 -04:00
|
|
|
## Rails 7.0.0.alpha1 (September 15, 2021) ##
|
|
|
|
|
|
Generate less initializers in new/upgraded Rails apps
Currently when you make a new Rails app, we generate a lot of initializers. For new users, I think we should try and include as few as possible - the less files, the less daunting a new app is. And for upgrades I'd like to [continue to simplify the update process](https://github.com/rails/rails/pull/41083), in this case by not bringing back initializers you have probably already dismissed or modified.
In this PR I'm proposing we remove two initializers: `application_controller_renderer.rb` and `cookies_serializer.rb`:
**`application_controller_renderer.rb`**. This configures [`ActionController::Renderer`](https://api.rubyonrails.org/classes/ActionController/Renderer.html), for rendering views outside of controller actions. I don't think this is something most Rails apps will need (certainly not on day 1); users can configure this feature when they need it.
**`cookies_serializer.rb`**. This was added for [Rails 4.1](https://guides.rubyonrails.org/upgrading_ruby_on_rails.html#cookies-serializer). The behaviour is:
- For new apps, the initializer says `:json`.
- For upgraded apps that don't have the initializer, it is added with value `:marshal`.
- If there's no initializer, the [default value](https://github.com/rails/rails/blob/c9a89a4067834a095a41084030b8c9ccdbce77d5/actionpack/lib/action_dispatch/middleware/cookies.rb#L589) is `:marshal`.
Since nobody should be upgrading direct from Rails 4.0 to Rails 7.0, we can simplify this by using new framework defaults. So the behavior will now be:
- For new apps, `config.load_defaults("7.0")` sets the value to `:json`.
- The `new_framework_defaults_7_0.rb` file explains this, and suggests using `:hybrid` to be upgrade to JSON cookies.
- No changes to [the code](https://github.com/rails/rails/blob/c9a89a4067834a095a41084030b8c9ccdbce77d5/actionpack/lib/action_dispatch/middleware/cookies.rb#L589); the default value is `:marshal` if you don't set one.
So if you were not setting a `cookies_serializer` previously and you want to keep using `:marshal`, you'll need to explicitly set this before using `config.load_defaults("7.0")`, otherwise it will switch to `:json`. The upside of this is you won't get the `cookies_serializer.rb` file created for you every time you upgrade.
2021-06-18 16:46:23 -04:00
|
|
|
* New and upgraded Rails apps no longer generate `config/initializers/application_controller_renderer.rb`
|
|
|
|
|
or `config/initializers/cookies_serializer.rb`
|
|
|
|
|
|
|
|
|
|
The default value for `cookies_serializer` (`:json`) has been moved to `config.load_defaults("7.0")`.
|
2021-09-16 03:48:06 -04:00
|
|
|
The new framework defaults file can be used to upgrade the serializer.
|
Generate less initializers in new/upgraded Rails apps
Currently when you make a new Rails app, we generate a lot of initializers. For new users, I think we should try and include as few as possible - the less files, the less daunting a new app is. And for upgrades I'd like to [continue to simplify the update process](https://github.com/rails/rails/pull/41083), in this case by not bringing back initializers you have probably already dismissed or modified.
In this PR I'm proposing we remove two initializers: `application_controller_renderer.rb` and `cookies_serializer.rb`:
**`application_controller_renderer.rb`**. This configures [`ActionController::Renderer`](https://api.rubyonrails.org/classes/ActionController/Renderer.html), for rendering views outside of controller actions. I don't think this is something most Rails apps will need (certainly not on day 1); users can configure this feature when they need it.
**`cookies_serializer.rb`**. This was added for [Rails 4.1](https://guides.rubyonrails.org/upgrading_ruby_on_rails.html#cookies-serializer). The behaviour is:
- For new apps, the initializer says `:json`.
- For upgraded apps that don't have the initializer, it is added with value `:marshal`.
- If there's no initializer, the [default value](https://github.com/rails/rails/blob/c9a89a4067834a095a41084030b8c9ccdbce77d5/actionpack/lib/action_dispatch/middleware/cookies.rb#L589) is `:marshal`.
Since nobody should be upgrading direct from Rails 4.0 to Rails 7.0, we can simplify this by using new framework defaults. So the behavior will now be:
- For new apps, `config.load_defaults("7.0")` sets the value to `:json`.
- The `new_framework_defaults_7_0.rb` file explains this, and suggests using `:hybrid` to be upgrade to JSON cookies.
- No changes to [the code](https://github.com/rails/rails/blob/c9a89a4067834a095a41084030b8c9ccdbce77d5/actionpack/lib/action_dispatch/middleware/cookies.rb#L589); the default value is `:marshal` if you don't set one.
So if you were not setting a `cookies_serializer` previously and you want to keep using `:marshal`, you'll need to explicitly set this before using `config.load_defaults("7.0")`, otherwise it will switch to `:json`. The upside of this is you won't get the `cookies_serializer.rb` file created for you every time you upgrade.
2021-06-18 16:46:23 -04:00
|
|
|
|
|
|
|
|
*Alex Ghiculescu*
|
|
|
|
|
|
2021-09-08 11:35:41 -04:00
|
|
|
* New applications get a dependency on the new `debug` gem, replacing `byebug`.
|
|
|
|
|
|
|
|
|
|
*Xavier Noria*
|
|
|
|
|
|
2021-08-27 10:22:28 -04:00
|
|
|
* Add SSL support for postgresql in `bin/rails dbconsole`.
|
|
|
|
|
|
|
|
|
|
Fixes #43114.
|
|
|
|
|
|
|
|
|
|
*Michael Bayucot*
|
|
|
|
|
|
2021-08-29 12:59:37 -04:00
|
|
|
* Add support for comments above gem declaration in Rails application templates, e.g. `gem("nokogiri", comment: "For XML")`.
|
|
|
|
|
|
|
|
|
|
*Linas Juškevičius*
|
|
|
|
|
|
2021-08-27 03:50:06 -04:00
|
|
|
* The setter `config.autoloader=` has been deleted. `zeitwerk` is the only
|
|
|
|
|
available autoloading mode.
|
|
|
|
|
|
|
|
|
|
*Xavier Noria*
|
|
|
|
|
|
|
|
|
|
* `config.autoload_once_paths` can be configured in the body of the
|
|
|
|
|
application class defined in `config/application.rb` or in the configuration
|
|
|
|
|
for environments in `config/environments/*`.
|
|
|
|
|
|
|
|
|
|
Similarly, engines can configure that collection in the class body of the
|
|
|
|
|
engine class or in the configuration for environments.
|
|
|
|
|
|
|
|
|
|
After that, the collection is frozen, and you can autoload from those paths.
|
|
|
|
|
They are managed by the `Rails.autoloaders.once` autoloader, which does not
|
|
|
|
|
reload, only autoloads/eager loads.
|
|
|
|
|
|
|
|
|
|
*Xavier Noria*
|
|
|
|
|
|
|
|
|
|
* During initialization, you cannot autoload reloadable classes or modules
|
|
|
|
|
like application models, unless they are wrapped in a `to_prepare` block.
|
|
|
|
|
For example, from `config/initializers/*`, or in application, engines, or
|
|
|
|
|
railties initializers.
|
|
|
|
|
|
|
|
|
|
Please check the [autoloading
|
2021-08-29 11:17:20 -04:00
|
|
|
guide](https://guides.rubyonrails.org/v7.0/autoloading_and_reloading_constants.html#autoloading-when-the-application-boots)
|
2021-08-27 03:50:06 -04:00
|
|
|
for details.
|
|
|
|
|
|
|
|
|
|
*Xavier Noria*
|
|
|
|
|
|
|
|
|
|
* While they are allowed to have elements in common, it is no longer required
|
|
|
|
|
that `config.autoload_once_paths` is a subset of `config.autoload_paths`.
|
|
|
|
|
The former are managed by the `once` autoloader. The `main` autoloader
|
|
|
|
|
manages the latter minus the former.
|
2021-08-27 03:21:11 -04:00
|
|
|
|
|
|
|
|
*Xavier Noria*
|
|
|
|
|
|
2021-08-29 11:44:25 -04:00
|
|
|
* Show Rake task description if command is run with `-h`.
|
2021-02-14 13:30:05 -05:00
|
|
|
|
2021-08-29 11:44:25 -04:00
|
|
|
Adding `-h` (or `--help`) to a Rails command that's a Rake task now outputs
|
2021-02-14 13:30:05 -05:00
|
|
|
the task description instead of the general Rake help.
|
|
|
|
|
|
|
|
|
|
*Petrik de Heus*
|
2021-08-27 03:21:11 -04:00
|
|
|
|
2021-07-28 17:59:22 -04:00
|
|
|
* Add missing `plugin new` command to help.
|
|
|
|
|
|
|
|
|
|
*Petrik de Heus
|
2021-02-14 13:30:05 -05:00
|
|
|
|
2021-07-06 19:20:18 -04:00
|
|
|
* Fix `config_for` error when there's only a shared root array.
|
2021-07-06 05:35:04 -04:00
|
|
|
|
|
|
|
|
*Loïc Delmaire*
|
|
|
|
|
|
2021-07-04 11:17:49 -04:00
|
|
|
* Raise an error in generators if an index type is invalid.
|
|
|
|
|
|
|
|
|
|
*Petrik de Heus*
|
|
|
|
|
|
2021-05-20 20:12:36 -04:00
|
|
|
* `package.json` now uses a strict version constraint for Rails JavaScript packages on new Rails apps.
|
|
|
|
|
|
|
|
|
|
*Zachary Scott*, *Alex Ghiculescu*
|
|
|
|
|
|
2020-12-09 19:37:45 -05:00
|
|
|
* Modified scaffold generator template so that running
|
|
|
|
|
`rails g scaffold Author` no longer generates tests called "creating
|
2021-07-20 21:08:08 -04:00
|
|
|
a Author", "updating a Author", and "destroying a Author".
|
2020-12-09 19:37:45 -05:00
|
|
|
|
|
|
|
|
Fixes #40744.
|
|
|
|
|
|
|
|
|
|
*Michael Duchemin*
|
|
|
|
|
|
Generators should raise an error if a field has an invalid type
Generators can create invalid migrations when passing an invalid
field type. For example, when mixing up the name and type:
bin/rails g model post string:title
This will generate a field for post with a column named `string`
of the type `title`, instead of a column named `title` of the type
`string`. Running the migration will result in an error as the type
`title` is not known to the database.
Instead of generating invalid files, the generator should raise an error
if the type is invalid. We validate the type by checking if it's a
default migration types like: string, integer, datetime, but also
references, and rich_text.
If the type isn't a default type, we can ask the
database connection if the type is valid. This uses the `valid_type?`
method defined on each database adapter, which returns true if the
adapter supports the column type. This method is also used by the
SchemaDumper.
Some gems like 'postgis' add custom types. The 'postgis' gem adds these
types by overriding the `native_database_types` method.
That method is used by `valid_type?` method on the database adapter,
making this change compatible with 'postgis'.
2020-06-04 14:57:25 -04:00
|
|
|
* Raise an error in generators if a field type is invalid.
|
|
|
|
|
|
|
|
|
|
*Petrik de Heus*
|
|
|
|
|
|
2021-05-29 05:57:54 -04:00
|
|
|
* `bin/rails tmp:clear` deletes also files and directories in `tmp/storage`.
|
2021-05-28 22:33:16 -04:00
|
|
|
|
|
|
|
|
*George Claghorn*
|
|
|
|
|
|
2021-05-19 05:22:13 -04:00
|
|
|
* Fix compatibility with `psych >= 4`.
|
|
|
|
|
|
|
|
|
|
Starting in Psych 4.0.0 `YAML.load` behaves like `YAML.safe_load`. To preserve compatibility
|
|
|
|
|
`Rails.application.config_for` now uses `YAML.unsafe_load` if available.
|
|
|
|
|
|
|
|
|
|
*Jean Boussier*
|
|
|
|
|
|
2021-04-07 16:39:20 -04:00
|
|
|
* Allow loading nested locales in engines.
|
|
|
|
|
|
|
|
|
|
*Gannon McGibbon*
|
|
|
|
|
|
2021-04-21 11:16:38 -04:00
|
|
|
* Ensure `Rails.application.config_for` always cast hashes to `ActiveSupport::OrderedOptions`.
|
|
|
|
|
|
|
|
|
|
*Jean Boussier*
|
|
|
|
|
|
2021-08-29 11:44:25 -04:00
|
|
|
* Remove `Rack::Runtime` from the default middleware stack and deprecate
|
2021-07-20 21:08:08 -04:00
|
|
|
referencing it in middleware operations without adding it back.
|
2021-04-12 14:31:12 -04:00
|
|
|
|
|
|
|
|
*Hartley McGuire*
|
|
|
|
|
|
2021-07-20 21:08:08 -04:00
|
|
|
* Allow adding additional authorized hosts in development via `ENV['RAILS_DEVELOPMENT_HOSTS']`.
|
2021-02-26 14:13:16 -05:00
|
|
|
|
|
|
|
|
*Josh Abernathy*, *Debbie Milburn*
|
|
|
|
|
|
2021-02-26 19:55:38 -05:00
|
|
|
* Add app concern and test keepfiles to generated engine plugins.
|
|
|
|
|
|
|
|
|
|
*Gannon McGibbon*
|
|
|
|
|
|
2021-02-26 18:13:10 -05:00
|
|
|
* Stop generating a license for in-app plugins.
|
|
|
|
|
|
|
|
|
|
*Gannon McGibbon*
|
|
|
|
|
|
Avoid footguns in `rails app:update`
While upgrading a Rails 6 app to Rails 6.1, I noticed that `rails app:update` asks you to review some file changes that you'd basically never want to accept. In this PR, I propose we make the update task do a bit less, by not offering to overwrite files where the developer has almost certainly changed them from the default. Specific changes:
Don't replace the following files, as they change very rarely at the framework level, so if the user has changes they almost certainly intend to keep them:
- [config/boot.rb](https://github.com/rails/rails/commits/master/railties/lib/rails/generators/rails/app/templates/config/boot.rb.tt)
- [config/environment.rb](https://github.com/rails/rails/commits/master/railties/lib/rails/generators/rails/app/templates/config/environment.rb.tt)
- [config/storage.yml](https://github.com/rails/rails/commits/master/railties/lib/rails/generators/rails/app/templates/config/storage.yml.tt)
- [config/spring.rb](https://github.com/rails/rails/commits/master/railties/lib/rails/generators/rails/app/templates/config/spring.rb.tt)
- [config/cable.yml](https://github.com/rails/rails/commits/master/railties/lib/rails/generators/rails/app/templates/config/cable.yml.tt)
- [config/puma.rb](https://github.com/rails/rails/commits/master/railties/lib/rails/generators/rails/app/templates/config/puma.rb.tt)
- [config.ru](https://github.com/rails/rails/commits/master/railties/lib/rails/generators/rails/app/templates/config.ru.tt)
Don't overwrite the config/locales directory. There's basically no chance you'll want to replace your current `config/locales/en.yml` with a [hello world](https://github.com/rails/rails/blob/master/railties/lib/rails/generators/rails/app/templates/config/locales/en.yml).
Don't replace config/routes.rb. It's so unlikely that the user will want to replace their routes file with [an empty file](https://github.com/rails/rails/blob/master/railties/lib/rails/generators/rails/app/templates/config/routes.rb.tt).
With these changes, you will still be prompted to accept/decline changes to these files when doing an update:
- config/application.rb
- config/environments/{development|test|production}.rb
- All the default [initializers](https://github.com/rails/rails/tree/master/railties/lib/rails/generators/rails/app/templates/config/initializers) that you already have a copy of. I go back and forth on also opting some of these out, specifically `assets.rb`, `filter_parameter_logging.rb`, and `inflections.rb` which seem pretty likely to have been changed.
- All the default [binstubs](https://github.com/rails/rails/tree/master/railties/lib/rails/generators/rails/app/templates/bin) that you already have a copy of. I decided to still make the user review these, as bugs here are going to be annoying to debug, but it is good to use the latest versions if possible.
2021-02-09 13:10:19 -05:00
|
|
|
* `rails app:update` no longer prompts you to overwrite files that are generally modified in the
|
|
|
|
|
course of developing a Rails app. See [#41083](https://github.com/rails/rails/pull/41083) for
|
|
|
|
|
the full list of changes.
|
|
|
|
|
|
|
|
|
|
*Alex Ghiculescu*
|
|
|
|
|
|
2021-02-06 15:45:53 -05:00
|
|
|
* Change default branch for new Rails projects and plugins to `main`.
|
2020-09-19 05:10:41 -04:00
|
|
|
|
|
|
|
|
*Prateek Choudhary*
|
2021-02-06 15:45:53 -05:00
|
|
|
|
2021-08-29 11:44:25 -04:00
|
|
|
* The new method `Rails.benchmark` gives you a quick way to measure and log the execution time taken by a block:
|
2020-12-04 07:52:10 -05:00
|
|
|
|
2021-08-29 11:44:25 -04:00
|
|
|
def test_expensive_stuff
|
|
|
|
|
Rails.benchmark("test_expensive_stuff") { ... }
|
2020-12-04 07:52:10 -05:00
|
|
|
end
|
|
|
|
|
|
2021-08-29 11:44:25 -04:00
|
|
|
This functionality was available in some contexts only before.
|
|
|
|
|
|
2020-12-04 07:52:10 -05:00
|
|
|
*Simon Perepelitsa*
|
|
|
|
|
|
2021-08-29 11:44:25 -04:00
|
|
|
* Applications generated with `--skip-sprockets` no longer get `app/assets/config/manifest.js` and `app/assets/stylesheets/application.css`.
|
2020-11-30 19:28:15 -05:00
|
|
|
|
|
|
|
|
*Cindy Gao*
|
|
|
|
|
|
2020-11-10 11:02:48 -05:00
|
|
|
* Add support for stylesheets and ERB views to `rails stats`.
|
|
|
|
|
|
|
|
|
|
*Joel Hawksley*
|
|
|
|
|
|
2020-08-04 12:32:37 -04:00
|
|
|
* Allow appended root routes to take precedence over internal welcome controller.
|
|
|
|
|
|
|
|
|
|
*Gannon McGibbon*
|
|
|
|
|
|
|
|
|
|
|
2020-12-02 18:37:26 -05:00
|
|
|
Please check [6-1-stable](https://github.com/rails/rails/blob/6-1-stable/railties/CHANGELOG.md) for previous changes.
|