rails_admin_next targets a single supported runtime: Ruby >= 4.0.5, Rails ~> 8.1,
ActiveRecord, and the importmap + Propshaft asset pipeline. Security fixes land on the
latest 1.x release.
| Version | Supported |
|---|---|
| 1.x | yes |
| < 1.0 | no (the pre-fork rails_admin gem; unrelated release line) |
Please report security issues privately via GitHub's "Report a vulnerability" button on the repository's Security tab (private security advisories), not through a public issue or pull request. Include a description, affected versions, and a reproduction if possible. You will get an acknowledgement and a remediation timeline.
For the admin's request-forgery, clickjacking, export, destructive-action, mass-assignment, and
Content-Security-Policy posture (and the one host opt-in), see docs/security.md.
CI gates every push and pull request on:
- bundler-audit — Ruby gem advisories (
bundle exec bundler-audit check --update). Reviewed, justified ignores live in.bundler-audit.yml(currently a few test/development-only advisories that are not in the gem's runtime dependency closure). - brakeman — static analysis (
bundle exec brakeman -A). Reviewed false positives live inconfig/brakeman.ignore, each with a written justification. - Dependabot — weekly
bundlerandgithub-actionsupdate PRs (.github/dependabot.yml). - Standard and Prettier — Ruby and JS/CSS style gates.
The engine's importmap (config/importmap.rails_admin.rb) pins
only self-hosted assets — there are no external CDN URLs (grep jspm.io returns nothing). Every
third-party module resolves from a file on the Propshaft load path, served and fingerprinted
same-origin:
@hotwired/stimulus,@hotwired/turbo-rails→ thestimulus-rails/turbo-railsgems.@rails/actioncable,@rails/activestorage,@rails/actiontext→ theactioncable/activestorage/actiontextgems (all pulled in by therailsdependency;action_cable/engineisrequired inlib/rails_admin_next/engine.rbso its asset path registers).trix→ theaction_text-trixgem (loaded with ActionText).rails_admin_next/*→ the engine's own source undersrc/, versioned with the gem.
Because every pinned module ships inside a gem, Dependabot's bundler updates move all of them —
the front-end JS is now versioned in lockstep with the gems. The previous jspm.io blind spot (pins
that no manifest declared and Dependabot could not see) is closed; there is nothing left to
hand-audit in the importmap.
There is no remaining external CDN or third-party network dependency in the engine's front-end — default or opt-in. The previously cdnjs-backed rich-text/code editors (CKEditor, CodeMirror, SimpleMDE) have been removed; rich text is now served exclusively by the self-hosted ActionText/Trix pin, and any other text field renders a plain textarea. Every asset the engine serves resolves same-origin off a gem on the Propshaft load path.
- Tooling: the repository's
update-importmapworkflow automates the detect → audit → re-vendor/re-pin loop for the self-hosted front-end dependencies.