Update dependency @rails/activestorage to v6.1.7

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@rails/activestorage (source)	6.1.4 -> 6.1.7

---

Release Notes

rails/rails

v6.1.7

Compare Source

Active Support

• No changes.

Active Model

• No changes.

Active Record

• Symbol is allowed by default for YAML columns

  Étienne Barrié

• Fix ActiveRecord::Store to serialize as a regular Hash

  Previously it would serialize as an ActiveSupport::HashWithIndifferentAccess
  which is wasteful and cause problem with YAML safe_load.

  Jean Boussier

• Fix PG.connect keyword arguments deprecation warning on ruby 2.7

  Fixes #​44307.

  Nikita Vasilevsky

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• Respect Active Record's primary_key_type in Active Storage migrations. Backported from 7.0.

  fatkodima

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.6: 6.1.6

Compare Source

Active Support

• Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

  Add the method ERB::Util.xml_name_escape to escape dangerous characters
  in names of tags and names of attributes, following the specification of XML.

  Álvaro Martín Fraguas

Active Model

• No changes.

Active Record

• No changes.

Action View

• Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

  Escape dangerous characters in names of tags and names of attributes in the
  tag helpers, following the XML specification. Rename the option
  :escape_attributes to :escape, to simplify by applying the option to the
  whole tag.

  Álvaro Martín Fraguas

Action Pack

• Allow Content Security Policy DSL to generate for API responses.

  Tim Wade

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.5: 6.1.5

Compare Source

Active Support

• Fix ActiveSupport::Duration.build to support negative values.

  The algorithm to collect the parts of the ActiveSupport::Duration
  ignored the sign of the value and accumulated incorrect part values. This
  impacted ActiveSupport::Duration#sum (which is dependent on parts) but
  not ActiveSupport::Duration#eql? (which is dependent on value).

  Caleb Buxton, Braden Staudacher

• Time#change and methods that call it (eg. Time#advance) will now
  return a Time with the timezone argument provided, if the caller was
  initialized with a timezone argument.

  Fixes #​42467.

  Alex Ghiculescu

• Clone to keep extended Logger methods for tagged logger.

  Orhan Toy

• assert_changes works on including ActiveSupport::Assertions module.

  Pedro Medeiros

Active Model

• Clear secure password cache if password is set to nil

  Before:

  user.password = 'something'
  user.password = nil

  user.password # => 'something'

  Now:

  user.password = 'something'
  user.password = nil

  user.password # => nil

  Markus Doits

• Fix delegation in ActiveModel::Type::Registry#lookup and ActiveModel::Type.lookup

  Passing a last positional argument {} would be incorrectly considered as keyword argument.

  Benoit Daloze

• Fix to_json after changes_applied for ActiveModel::Dirty object.

  Ryuta Kamizono

Active Record

• Fix ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate for Ruby 2.6.

  Ruby 2.6 and 2.7 have slightly different implementations of the String#@​- method.
  In Ruby 2.6, the receiver of the String#@​- method is modified under certain circumstances.
  This was later identified as a bug (https://bugs.ruby-lang.org/issues/15926) and only
  fixed in Ruby 2.7.

  Before the changes in this commit, the
  ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate method, which internally
  calls the String#@​- method, could also modify an input string argument in Ruby 2.6 --
  changing a tainted, unfrozen string into a tainted, frozen string.

  Fixes #​43056

  Eric O'Hanlon

• Fix migration compatibility to create SQLite references/belongs_to column as integer when
  migration version is 6.0.

  reference/belongs_to in migrations with version 6.0 were creating columns as
  bigint instead of integer for the SQLite Adapter.

  Marcelo Lauxen

• Fix dbconsole for 3-tier config.

  Eileen M. Uchitelle

• Better handle SQL queries with invalid encoding.

  Post.create(name: "broken \xC8 UTF-8")

  Would cause all adapters to fail in a non controlled way in the code
  responsible to detect write queries.

  The query is now properly passed to the database connection, which might or might
  not be able to handle it, but will either succeed or failed in a more correct way.

  Jean Boussier

• Ignore persisted in-memory records when merging target lists.

  Kevin Sjöberg

• Fix regression bug that caused ignoring additional conditions for preloading
  has_many through relations.

  Fixes #​43132

  Alexander Pauly

• Fix ActiveRecord::InternalMetadata to not be broken by
  config.active_record.record_timestamps = false

  Since the model always create the timestamp columns, it has to set them, otherwise it breaks
  various DB management tasks.

  Fixes #​42983

  Jean Boussier

• Fix duplicate active record objects on inverse_of.

  Justin Carvalho

• Fix duplicate objects stored in has many association after save.

  Fixes #​42549.

  Alex Ghiculescu

• Fix performance regression in CollectionAssocation#build.

  Alex Ghiculescu

• Fix retrieving default value for text column for MariaDB.

  fatkodima

Action View

• preload_link_tag properly inserts as attributes for files with image MIME
  types, such as JPG or SVG.

  Nate Berkopec

• Add autocomplete="off" to all generated hidden fields.

  Fixes #​42610.

  Ryan Baumann

• Fix current_page? when URL has trailing slash.

  This fixes the current_page? helper when the given URL has a trailing slash,
  and is an absolute URL or also has query params.

  Fixes #​33956.

  Jonathan Hefner

Action Pack

• Fix content_security_policy returning invalid directives.

  Directives such as self, unsafe-eval and few others were not
  single quoted when the directive was the result of calling a lambda
  returning an array.

  content_security_policy do |policy|
    policy.frame_ancestors lambda { [:self, "https://example.com"] }
  end

  With this fix the policy generated from above will now be valid.

  Edouard Chin

• Update HostAuthorization middleware to render debug info only
  when config.consider_all_requests_local is set to true.

  Also, blocked host info is always logged with level error.

  Fixes #​42813.

  Nikita Vyrko

• Dup arrays that get "converted".

  Fixes #​43681.

  Aaron Patterson

• Don't show deprecation warning for equal paths.

  Anton Rieder

• Fix crash in ActionController::Instrumentation with invalid HTTP formats.

  Fixes #​43094.

  Alex Ghiculescu

• Add fallback host for SystemTestCase driven by RackTest.

  Fixes #​42780.

  Petrik de Heus

• Add more detail about what hosts are allowed.

  Alex Ghiculescu

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• The Action Cable client now ensures successful channel subscriptions:

  • The client maintains a set of pending subscriptions until either
    the server confirms the subscription or the channel is torn down.
  • Rectifies the race condition where an unsubscribe is rapidly followed
    by a subscribe (on the same channel identifier) and the requests are
    handled out of order by the ActionCable server, thereby ignoring the
    subscribe command.

  Daniel Spinosa

• Truncate broadcast logging messages.

  J Smith

Active Storage

• Attachments can be deleted after their association is no longer defined.

  Fixes #​42514

  Don Sisco

Action Mailbox

• Add attachments to the list of permitted parameters for inbound emails conductor.

  When using the conductor to test inbound emails with attachments, this prevents an
  unpermitted parameter warning in default configurations, and prevents errors for
  applications that set:

  config.action_controller.action_on_unpermitted_parameters = :raise

  David Jones, Dana Henke

Action Text

• Fix Action Text extra trix content wrapper.

  Alexandre Ruban

Railties

• In zeitwerk mode, setup the once autoloader first, and the main autoloader after it.
  This order plays better with shared namespaces.

  Xavier Noria

• Handle paths with spaces when editing credentials.

  Alex Ghiculescu

• Support Psych 4 when loading secrets.

  Nat Morcos

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (6.1.7). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.