chore(deps): update all non-major bundler dependencies #1226

Open
renovate[bot] wants to merge 1 commit into staging from renovate/all-minor-patch-bundler

@renovate renovate Bot commented Feb 2, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Change |
|---|---|
| bootsnap | '~> 1.21.1' → '~> 1.23.0' |
| brakeman (source, changelog) | '~> 8.0.1' → '~> 8.0.4' |
| bullet (changelog) | '~> 8.1' → '~> 8.1', '>= 8.1.1' |
| database_consistency | '~> 2.1.1' → '~> 2.1.3' |
| devise-i18n (changelog) | '~>1.15.0' → '~>1.16.0' |
| faker (changelog) | '~> 3.6.0' → '~> 3.8.0' |
| grover | '~> 1.2.6' → '~> 1.2.10' |
| mollie-api-ruby (changelog) | '~> 4.18.0' → '~> 4.19.0' |
| net-imap (changelog) | '~> 0.6.2' → '~> 0.6.4' |
| rails (source, changelog) | '~> 7.2.3' → '~> 7.2.3', '>= 7.2.3.1' |
| rspec-rails (changelog) | '~> 8.0.2' → '~> 8.0.4' |
| rubocop (source, changelog) | '~> 1.84.0' → '~> 1.86.1' |
| sentry-rails (source, changelog) | '~> 6.3' → '~> 6.5' |
| sentry-ruby (source, changelog) | '~> 6.3' → '~> 6.5' |
| sentry-sidekiq (source, changelog) | '~> 6.3' → '~> 6.5' |
| sidekiq (source, changelog) | '~> 8.0.10' → '~> 8.1.3' |
| sidekiq-scheduler (source) | '~> 6.0.1' → '~> 6.0.2' |
| spring (changelog) | '~> 4.4.0' → '~> 4.4.2' |
| timecop | '~> 0.9.10' → '~> 0.9.11' |
| web-console | '~> 4.2.1' → '~> 4.3.0' |

Release Notes

presidentbeef/brakeman (brakeman)

v8.0.4

Compare Source

  • Load 'date' library for --ensure-latest

v8.0.3

Compare Source

  • Fix polymorphic_name SQLi false positive (Fredrico Franco)
  • Fix logger behavior when loading config files
  • Handle application names with module prefixes
  • Add release age option for --ensure-latest

v8.0.2

Compare Source

  • Reline console control should use stderr
  • Fix logger cleanup based method (Imran Iqbal)

flyerhzm/bullet (bullet)

v8.1.1

Compare Source

  • Fix ActiveRecord 8.1 patch-level method signature compatibility; test against Rails 8.1.3.
  • Handle string associations in safelist for Action Text
  • Enhance N+1 query detection by including caller stack in association calls
  • Update external links in README.md

djezzzl/database_consistency (database_consistency)

v2.1.3

Compare Source

  • Fix MissingDependentDestroyChecker to support composite keys. Thanks Andy Allan for reporting this!

v2.1.2

Compare Source

  • Fix ForeignKeyTypeChecker to support composite keys. Thanks Quentin de Metz for reporting this!
  • Fix MissingUniqueIndexChecker to support composite keys. Thanks Andy Allan for reporting this!

devise-i18n/devise-i18n (devise-i18n)

v1.16.0

Compare Source

  • Added Ruby 4.0 to test matrix.
  • Added compatibility with Devise 5.0.
  • Updated views for Devise 5.0. Any views generated into your app prior to this release of devise-i18n should continue to work. Changes from Devise are:
  • Updated one English string for Devise 5.0: heartcombo/devise@41003bf. Translations of this string are unaffected.
  • Dropped compatibility for Devise < 5.0.

faker-ruby/faker (faker)

v3.8.0

Compare Source

Enabling lazy load

This version introduces lazy loading. It means users will only pay for what they use. Faker loads 2x faster when it's enabled.

Lazy loading the generators is disabled by default. To enable it, choose one of the configuration options below:

1 - Set lazy load as a Faker Config

Faker::Config.lazy_loading = true

2 - Set lazy load as an environment variable

FAKER_LAZY_LOAD = 1

We hope you get to see the improvement by enabling it. Please file a bug report for any issues!

Thanks to @​jeremyevans for the mentoring, and to @​thdaraujo for pairing and code reviews.

Full Changelog: faker-ruby/faker@v3.7.1...v3.8.0


v3.7.1

Compare Source

Enabling lazy load

This version introduces lazy loading. It means users will only pay for what they use. Faker loads 2x faster when it's enabled.

Lazy loading the generators is disabled by default. To enable it, choose one of the configuration options below:

1 - Set lazy load as a Faker Config

Faker::Config.lazy_loading = true

2 - Set lazy load as an environment variable

FAKER_LAZY_LOAD = 1

We hope you get to see the improvement by enabling it. Please file a bug report for any issues!

Thanks to @​jeremyevans for the mentoring, and to @​thdaraujo for pairing and code reviews.

Full Changelog: faker-ruby/faker@v3.7.1...v3.8.0


v3.6.1

Compare Source

It's almost Spring time in the Northern hemisphere 🌸

Security, performance improvements and bug fixes
Update development dependencies
New Contributors

Full Changelog: faker-ruby/faker@v3.6.0...v3.6.1


Studiosity/grover (grover)

v1.2.10

Compare Source

Fixed
  • #​305 Fix session isolation for remote browser WebSocket connections ([@​wooly][])

v1.2.9

Compare Source

Added

v1.2.8

Compare Source

Added

v1.2.7

Compare Source

Added

mollie/mollie-api-ruby (mollie-api-ruby)

v4.19.0

Compare Source

ruby/net-imap (net-imap)

v0.6.4

Compare Source

What's Changed

🔒 Security

This release contains fixes for multiple vulnerabilities concerning STARTTLS stripping, argument validation, and denial of service attacks.

[!WARNING]
#​664 fixes a STARTTLS stripping vulnerability. Without this fix, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS.

[!IMPORTANT]
Argument validation is significantly improved. Several command injection vulnerabilities have been fixed:
#​657 fixes a CRLF/command/argument injection vulnerability for Symbol arguments.
#​658 fixes a CRLF/command/argument injection vulnerability for the attr argument to #store/#uid_store.
#​659 fixes a CRLF/command/argument injection vulnerability for the storage_limit argument to #setquota.
#​660 fixes a CRLF/command injection vulnerability for RawData, which is used by:

  • #search and #uid_search send criteria as raw data, when it is a String
  • #fetch and #uid_fetch send attr as raw data, when it is a String.
    When attr is an Array, its String members are sent as raw data.

[!CAUTION]
RawData does not defend against other forms of argument injection! It is an intentionally low-level API.

[!NOTE]
Two denial of service vectors have been addressed.
These are relevant when connecting to an untrusted hostile server (or without TLS).

#​642 fixes quadratic time complexity when reading large responses containing many string literals.
#​654 adds a configurable max_iterations count for SCRAM-* authentication.

The default ScramAuthenticator#max_iterations is 2**31 - 1 (max 32-bit signed int), which was already OpenSSL's maximum value. It provides no protection against hostile servers unless it is explicitly set to a lower value by the user.

Breaking Changes
  • ResponseReader memoizes Config#max_response_size in #​642.
    Changes to #max_response_size now take effect once per response, not on every IO#read.
    NOTE: It is not expected that this will affect any current usage. See the PR for details.
Added
Fixed
Documentation
Other Changes
Miscellaneous

New Contributors

Full Changelog: ruby/net-imap@v0.6.3...v0.6.4

v0.6.3

Compare Source

What's Changed

Added
  • 🥅 Add parser state and #detailed_message to ResponseParseError by @​nevans in #​599
    • 🥅💄 Support (monochrome) highlights in parse error details by @​nevans in #​603
    • 🥅💄 Auto-highlight parse error detailed_message using TERM and FORCE_COLOR by @​nevans in #​607
    • 🥅💄 Add color highlights to parse error details (default honors NO_COLOR) by @​nevans in #​609
  • 🔧 Add Config#overrides? (opposite of #inherited?) by @​nevans in #​610
  • 🔧 Add recursive Config#inherits_defaults? by @​nevans in #​611
Fixed
Other Changes

Fixes for unreleased code:

Miscellaneous

Full Changelog: ruby/net-imap@v0.6.2...v0.6.3

rails/rails (rails)

v7.2.3.1: 7.2.3.1

Compare Source

Active Support

  • Reject scientific notation in NumberConverter

    [CVE-2026-33176]

    Jean Boussier

  • Fix SafeBuffer#% to preserve unsafe status

    [CVE-2026-33170]

    Jean Boussier

  • Improve performance of NumberToDelimitedConverter

    [CVE-2026-33169]

    Jean Boussier

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • Skip blank attribute names in tag helpers to avoid generating invalid HTML.

    [CVE-2026-33168]

    Mike Dalessio

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • Filter user supplied metadata in DirectUploadController

    [CVE-2026-33173]

    Jean Boussier

  • Configurable maximum streaming chunk size

    Makes sure that byte ranges for blobs don't exceed 100mb by default.
    Content ranges that are too big can result in denial of service.

    [CVE-2026-33174]

    Gannon McGibbon

  • Limit range requests to a single range

    [CVE-2026-33658]

    Jean Boussier

  • Prevent path traversal in DiskService.

    DiskService#path_for now raises an InvalidKeyError when passed keys with dot segments (".",
    ".."), or if the resolved path is outside the storage root directory.

    #path_for also now consistently raises InvalidKeyError if the key is invalid in any way, for
    example containing null bytes or having an incompatible encoding. Previously, the exception
    raised may have been ArgumentError or Encoding::CompatibilityError.

    DiskController now explicitly rescues InvalidKeyError with appropriate HTTP status codes.

    [CVE-2026-33195]

    Mike Dalessio

  • Prevent glob injection in DiskService#delete_prefixed.

    Escape glob metacharacters in the resolved path before passing to Dir.glob.

    Note that this change breaks any existing code that is relying on delete_prefixed to expand
    glob metacharacters. This change presumes that is unintended behavior (as other storage services
    do not respect these metacharacters).

    [CVE-2026-33202]

    Mike Dalessio

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

Guides

  • No changes.

rspec/rspec-rails (rspec-rails)

v8.0.4

Compare Source

Full Changelog

Released to relax version constraint for rspec to allow 4.0.0.beta1.

v8.0.3

Compare Source

Full Changelog

Bug Fixes:

  • Fix insertion order of controller prefix in the view lookup_context. (Stephen Nelson, #​2749)
  • Ensure rails stats looks for specs using application root rather than working directory.
    (Marvin Tangpos, #​2879)

rubocop/rubocop (rubocop)

v1.86.1

Compare Source

Bug fixes
  • #​11051: Fix Style/AccessModifierDeclarations inline autocorrect dropping comments between the access modifier and the following method definition. ([@​dduugg][])
  • #​14665: Cache plugin integration in CopHelper to avoid repeated loading. ([@​55728][])
  • #​15091: Fix Lint/DuplicateMethods false positives for anonymous classes in constant assignments and method return values. ([@​eugeneius][])
  • #​15055: Fix Lint/DuplicateMethods false positives with anonymous classes inside blocks (e.g. RSpec let, describe). ([@​ShkumbinDelija][])
  • #​15035: Exclude included_modules from Style/ModuleMemberExistenceCheck. ([@​koic][])
  • #​15087: Fix false positive for Style/RedundantLineContinuation when using interpolated string literals. ([@​koic][])
  • #​14361: Fix false positive in file_to_include? when a relative Include pattern matches a parent directory name in the absolute file path. ([@​jonas054][])
  • #​15090: Fix false positives for Layout/EmptyLineAfterGuardClause when consecutive guard clauses use and return. ([@​eugeneius][])
  • #​15070: Fix false positive for Lint/RedundantSafeNavigation when chained safe navigation is used in a conditional expression with InferNonNilReceiver enabled. ([@​koic][])
  • #​15074: Fix false positives in Style/RedundantParentheses when using parentheses around an endless range in assignment. ([@​koic][])
  • #​15048: Fix issue where the url_for is missing for Cops without instance methods. ([@​Fryguy][])
  • #​15051: Fix Style/RedundantParentheses handling of beginless ranges. ([@​oggy][])
  • #​14980: Fix Lint/Syntax zero-length diagnostic range for syntax errors at EOF. ([@​55728][])
  • #​15084: Handle heredocs with methods calls correctly when fixing guard clauses. ([@​G-Rath][])
  • #​11398: Fix incorrect Include path adjustment when local config overrides an inherited Include. ([@​jonas054][])
  • #​15092: Fix Layout/EndAlignment cop error on an empty begin. ([@​viralpraxis][])
  • #​15059: Fix an error in Layout/LineLength when SplitStrings option is enabled and __FILE__ is used. ([@​jeromedalbert][])
  • #​5876: Fix Lint/UnusedMethodArgument false positive when block argument is used via yield. ([@​dduugg][])
  • #​15093: Return tool execution errors instead of protocol errors in MCP server. ([@​koic][])
Changes

v1.86.0

Compare Source

New features
Bug fixes
  • #​15015: Fix Style/ConcatArrayLiterals autocorrect deleting code for percent literals with interpolation. ([@​bbatsov][])
  • #​14897: Detect constant reassignment after class/module definition in Lint/ConstantReassignment. ([@​ydakuka][])
  • #​11829: Fix false negatives for Lint/DuplicateMethods when duplicate methods are defined in anonymous classes and modules not assigned to a constant. ([@​Darhazer][])
  • #​14988: Fix false negative in Style/RedundantParentheses when redundant parentheses around range literals in block body. ([@​koic][])
  • #​14916: Fix false positive for Layout/MultilineMethodCallIndentation when method chain is inside a hash pair value passed to a multiline chained method call. ([@​ydakuka][])
  • #​15010: Fix a false positive for Lint/DuplicateMethods when modules blocks are passed as method arguments. ([@​5hun-s][])
  • #​15028: Fix a false positive for Lint/DuplicateMethods when the same method is defined in different anonymous module blocks passed to a no-receiver call (e.g. stub_const). ([@​Darhazer][])
  • #​15021: Fix false positives in Layout/EmptyLineAfterGuardClause when using a guard clause followed by a multi-line guard clause with raise, fail, return, break, or next. ([@​koic][])
  • #​15001: Fix false positives in Layout/RedundantLineBreak when setting InspectBlocks: true and using rescue or ensure in the block. ([@​koic][])
  • #​14997: Fix false positives in Style/FileOpen when assigning File.open to an instance variable, class variable, global variable, or constant. ([@​koic][])
  • #​15019: Fix false positives in Lint/DuplicateMethods when the same method is defined in anonymous module blocks passed to different receivers. ([@​koic][])
  • #​14987: Complete ERB and Haml autocorrection in a single run. ([@​alpaca-tc][])
  • #​15039: Fix incorrect autocorrect in Style/IfWithSemicolon when return with value is in the else branch. ([@​koic][])
  • #​14930: Fix incorrect autocorrection for Style/IfUnlessModifier when multiple if/unless modifier forms are on the same line inside a collection. ([@​ydakuka][])
  • #​14985: Fix incorrect autocorrection in Lint/SafeNavigationChain when chaining a method call after safe navigation in the if branch of a ternary. ([@​koic][])
  • #​15009: Fix infinite loop in Layout/EndAlignment when end is followed by || or &&. ([@​koic][])
  • #​14981: Fix spurious warning "does not support Safe/SafeAutoCorrect parameter" when those parameters are set for cops that don't have them in their default configuration. ([@​dduugg][])
  • #​15043: Fix an error for Lint/UselessDefaultValueArgument when fetch without a receiver is inside a fetch block. ([@​koic][])
  • #​15034: Fix incorrect autocorrection in Style/IfWithSemicolon when using single-line unless / ; / end. ([@​koic][])
  • #​15015: Fix Style/NonNilCheck autocorrect for receivers containing spaces. ([@​bbatsov][])
  • #​15015: Fix Style/RaiseArgs to allow anonymous keyword forwarding (raise Ex.new(**)). ([@​bbatsov][])
  • #​14890: Fix a false positive for Lint/RedundantCopDisableDirective when a rubocop:disable comment is used to suppress Lint/EmptyWhen, Lint/EmptyConditionalBody, Lint/EmptyInPattern, or Style/SymbolProc. ([@​eugeneius][])
  • #​15015: Fix false negative in Style/RedundantPercentQ for %q strings with interpolation-like syntax. ([@​bbatsov][])
  • #​14984: Fix Style/AndOr adding unnecessary parentheses around return without arguments. ([@​eugeneius][])
  • #​14945: Support files with multiple modifiers in Lint/UselessConstantScoping. ([@​h-lame][])
  • #​15015: Fix Style/TrailingMethodEndStatement to detect singleton methods (def self.foo). ([@​bbatsov][])
  • #​10822: Don't store results in cache if there are warnings. ([@​jonas054][])
Changes
  • #​14718: Allow setting MaxFilesInCache to false to entirely disable cache pruning. ([@​byroot][])
  • #​14989: Make Lint/RedundantSafeNavigation aware of safe navigation in conditional true branch. ([@​koic][])
  • #​15041: Remove mcp gem from runtime dependencies. ([@​koic][])

v1.85.1

Compare Source

Bug fixes
  • #​14958: Fix false positives in Style/FileOpen when File.open is passed as an argument or returned from a method. ([@​sferik][])
  • #​14973: Fix Style/ReduceToHash false positive when accumulator is read in key/value. ([@​sferik][])
  • #​14964: Fix false positives in Style/RedundantParentheses when parenthesizing a range in a block body. ([@​koic][])
Changes

v1.85.0

Compare Source

New features
Bug fixes
  • #​14829: Allow classes without a superclass in Style/EmptyClassDefinition. ([@​koic][])
  • #​14873: Fix an error in Style/NegatedWhile when the last expression of an until condition is negated. ([@​koic][])
  • #​14827: Improve Style/EmptyClassDefinition message wording. ([@​bbatsov][])
  • #​14800: Fix false obsolete configuration error for extracted cops when loaded as plugins. ([@​bbatsov][])
  • #​14928: Fix a false positive for Lint/Void when nil is used in case branch. ([@​5hun-s][])
  • #​14857: Fix false positives in Style/IfUnlessModifier when modifier forms are used inside string interpolations. ([@​koic][])
  • #​8773: Fix false positives in Style/HashTransformKeys and Style/HashTransformValues. ([@​sferik][])
  • #​6963: Fix false positives in Lint/Void for each blocks where the return value may be meaningful (e.g., Enumerator#each). ([@​sferik][])
  • #​14931: Ignore directive comments inside comments. ([@​koic][])
  • #​14834: Fix Layout/IndentationWidth false positive for chained method blocks when EnforcedStyleAlignWith is start_of_line. (\

Configuration

📅 Schedule: (in timezone Europe/Amsterdam)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
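
The Active Storage entries in the Rails 7.2.3.1 notes above describe two DiskService checks: key validation in path_for (CVE-2026-33195) and glob escaping in delete_prefixed (CVE-2026-33202). The Ruby sketch below is an added illustration of both checks, not Rails' code and not part of the Renovate comment; SketchDiskStore, its methods, the local InvalidKeyError class and the sample file names are hypothetical.

```ruby
require "tmpdir"

# Hypothetical sketch of the two checks; not Active Storage's implementation.
class InvalidKeyError < StandardError; end

class SketchDiskStore
  GLOB_META = /[\\*?\[\]{}]/ # characters Dir.glob treats as pattern syntax

  def initialize(root)
    @root = File.realpath(root)
  end

  # Map a storage key to a path below @root, or raise InvalidKeyError.
  def path_for(key)
    key = key.to_s
    raise InvalidKeyError, "empty key" if key.empty?
    raise InvalidKeyError, "invalid encoding" unless key.valid_encoding?
    raise InvalidKeyError, "null byte" if key.include?("\0")
    raise InvalidKeyError, "dot segment" if key.split("/").any? { |s| s == "." || s == ".." }

    path = File.expand_path(File.join(@root, key))
    # Defence in depth: the normalised path must still sit below the root.
    raise InvalidKeyError, "outside root" unless path.start_with?(@root + File::SEPARATOR)
    path
  rescue ArgumentError, Encoding::CompatibilityError => e
    # Report every kind of bad key as one exception type, so callers rescue once.
    raise InvalidKeyError, e.message
  end

  # Files whose path starts with the prefix. With escape: false the prefix is
  # handed to Dir.glob as a pattern, which is the behaviour the fix removes.
  def matches(prefix, escape: true)
    base = path_for(prefix)
    base = base.gsub(GLOB_META) { |c| "\\#{c}" } if escape
    Dir.glob(base + "*").select { |f| File.file?(f) }.sort
  end

  def delete_prefixed(prefix)
    matches(prefix).each { |f| File.delete(f) }
  end
end

# Constructed sample data: three files in a throwaway directory.
def run_demo
  Dir.mktmpdir do |dir|
    ["user1-avatar", "user[1]-avatar", "other"].each { |n| File.write(File.join(dir, n), "x") }
    store = SketchDiskStore.new(dir)
    names = ->(paths) { paths.map { |p| File.basename(p) } }
    bad_keys = ["../etc/passwd", "a/./b", "/", "a\0b", "\xff"]
    rejected = bad_keys.map do |k|
      store.path_for(k)
      false
    rescue InvalidKeyError
      true
    end
    {
      unescaped: names.(store.matches("user[1]", escape: false)),
      escaped: names.(store.matches("user[1]")),
      star: names.(store.matches("*")),
      rejected: rejected,
      deleted: names.(store.delete_prefixed("user[1]")),
      remaining: Dir.children(dir).sort
    }
  end
end

p run_demo if __FILE__ == $PROGRAM_NAME
```

Without escaping, the prefix `user[1]` is read as a character class and selects `user1-avatar`, a file belonging to a different key; with escaping only the literal `user[1]-avatar` is selected.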

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Feb 2, 2026

coderabbitai Bot commented Feb 2, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

  • 🔍 Trigger a full review

Comment @coderabbitai help to get the list of available commands and usage tips.


codecov Bot commented Feb 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.59%. Comparing base (9e7b1d0) to head (4782a50).

Additional details and impacted files
@@           Coverage Diff            @@
##           staging    #1226   +/-   ##
========================================
  Coverage    77.59%   77.59%           
========================================
  Files           54       54           
  Lines         1406     1406           
========================================
  Hits          1091     1091           
  Misses         315      315           


@renovate renovate Bot changed the title from "chore(deps): update dependency sidekiq to '~> 8.1.0'" to "chore(deps): update all non-major bundler dependencies" Feb 2, 2026
@renovate renovate Bot force-pushed the renovate/all-minor-patch-bundler branch 6 times, most recently from 798ae9a to 87d76d0 Compare February 7, 2026 04:51
@renovate renovate Bot force-pushed the renovate/all-minor-patch-bundler branch 9 times, most recently from 354ff24 to 5635ee4 Compare February 17, 2026 23:58
@renovate renovate Bot force-pushed the renovate/all-minor-patch-bundler branch 3 times, most recently from 4782a50 to 5ce8e84 Compare February 23, 2026 21:27

renovate Bot commented Feb 23, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Gemfile.lock
Writing lockfile to /tmp/renovate/repos/github/csvalpha/sofia/Gemfile.lock
Fetching gem metadata from https://rubygems.org/........
Resolving dependencies...

Could not find compatible versions

Because web-console >= 4.3.0 depends on railties >= 8.0.0
  and rails-i18n >= 7.0.1, < 8.0.0 depends on railties >= 6.0.0, < 8,
  web-console >= 4.3.0 is incompatible with rails-i18n >= 7.0.1, < 8.0.0.
So, because Gemfile depends on rails-i18n ~> 7.0.10
  and Gemfile depends on web-console ~> 4.3.0,
  version solving has failed.

@renovate renovate Bot force-pushed the renovate/all-minor-patch-bundler branch 4 times, most recently from a2ffd1b to 17a6987 Compare March 2, 2026 14:54
@renovate renovate Bot force-pushed the renovate/all-minor-patch-bundler branch 3 times, most recently from 220dace to b2a9253 Compare March 9, 2026 09:47
@renovate renovate Bot force-pushed the renovate/all-minor-patch-bundler branch 4 times, most recently from 2c80ec3 to 6738ebb Compare March 17, 2026 21:12
@renovate renovate Bot force-pushed the renovate/all-minor-patch-bundler branch 5 times, most recently from 17a1876 to 699f3df Compare March 25, 2026 01:03
@renovate renovate Bot force-pushed the renovate/all-minor-patch-bundler branch 4 times, most recently from e039391 to b6e6914 Compare April 2, 2026 19:11
@renovate renovate Bot force-pushed the renovate/all-minor-patch-bundler branch 3 times, most recently from 001ee7b to a5ed3b2 Compare April 15, 2026 01:07
@renovate renovate Bot force-pushed the renovate/all-minor-patch-bundler branch 4 times, most recently from ca69050 to 7df3d05 Compare April 23, 2026 06:05
@renovate renovate Bot force-pushed the renovate/all-minor-patch-bundler branch from 7df3d05 to b1c27d0 Compare April 23, 2026 21:16