Update dependency rails to v8.1.3

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
rails (source, changelog)	"8.1.2" → "8.1.3"

---

Release Notes

rails/rails (rails)

v8.1.3: 8.1.3

Compare Source

Active Support

• Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

  When hash keys are custom objects whose as_json returns a Hash,
  the encoder now calls to_s on the original key object instead of
  on the as_json result.

  Before:
  hash = {CustomKey.new(123) => "value"}
  hash.to_json # => {"{:id=>123}":"value"}

  After:
  hash.to_json # => {"custom_123":"value"}

  Dan Sharp

• Fix inflections to better handle overlapping acronyms.

  ActiveSupport::Inflector.inflections(:en) do |inflect|
    inflect.acronym "USD"
    inflect.acronym "USDC"
  end
  
  "USDC".underscore # => "usdc"

  Said Kaldybaev

• Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

  zzak

Active Model

• Fix Ruby 4.0 delegator warning when calling inspect on attributes.

  Hammad Khan

• Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

  The performance optimisation that replaced @range with @max/@min
  broke Marshal compatibility. Objects serialised under 8.0 (with @range)
  and deserialised under 8.1 (expecting @max/@min) would crash with
  undefined method '<=' for nil because Marshal.load restores instance
  variables without calling initialize.

  Edward Woodcock

Active Record

• Fix insert_all and upsert_all log message when called on anonymous classes.

  Gabriel Sobrinho

• Respect ActiveRecord::SchemaDumper.ignore_tables when dumping SQLite virtual tables.

  Hans Schnedlitz

• Restore previous instrumenter after execute_or_skip

  FutureResult#execute_or_skip replaces the thread's instrumenter with an
  EventBuffer to collect events published during async query execution.
  If the global async executor is saturated and the caller_runs fallback
  executes the task on the calling thread, we need to make sure the previous
  instrumenter is restored or the stale EventBuffer would stay in place and
  permanently swallow all subsequent sql.active_record notifications on
  that thread.

  Rosa Gutierrez

• Bump the minimum PostgreSQL version to 9.5, due to usage of array_position function.

  Ivan Kuchin

• Fix Ruby 4.0 delegator warning when calling inspect on ActiveRecord::Type::Serialized.

  Hammad Khan

• Fix support for table names containing hyphens.

  Evgeniy Demin

• Fix column deduplication for SQLite3 and PostgreSQL virtual (generated) columns.

  Column#== and Column#hash now account for virtual? so that the
  Deduplicable registry does not treat a generated column and a regular
  column with the same name and type as identical. Previously, if a
  generated column was registered first, a regular column on a different
  table could be deduplicated to the generated instance, silently
  excluding it from INSERT/UPDATE statements.

  Jay Huber

• Fix PostgreSQL schema dumping to handle schema-qualified table names in foreign_key references that span different schemas.

before

    add_foreign_key "hst.event_log_attributes", "hst.event_logs" # emits correctly because they're in the same schema (hst)
    add_foreign_key "hst.event_log_attributes", "hst.usr.user_profiles", column: "created_by_id" # emits hst.user.* when user.* is expected

after

    add_foreign_key "hst.event_log_attributes", "hst.event_logs"
    add_foreign_key "hst.event_log_attributes", "usr.user_profiles", column: "created_by_id"

*Chiperific*

Action View

• Fix encoding errors for string locals containing non-ASCII characters.

  Kataoka Katsuki

• Fix collection caching to only forward expires_in argument if explicitly set.

  Pieter Visser

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• Fix ActiveStorage::Blob content type predicate methods to handle nil.

  Daichi KUDO

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• Add libvips to generated ci.yml

  Conditionally adds libvips to ci.yml.

  Steve Polito

Guides

• No changes.

v8.1.2.1: 8.1.2.1

Compare Source

Active Support

• Reject scientific notation in NumberConverter

  [CVE-2026-33176]

  Jean Boussier

• Fix SafeBuffer#% to preserve unsafe status

  [CVE-2026-33170]

  Jean Boussier

• Improve performance of NumberToDelimitedConverter

  [CVE-2026-33169]

  Jean Boussier

Active Model

• No changes.

Active Record

• No changes.

Action View

• Skip blank attribute names in tag helpers to avoid generating invalid HTML.

  [CVE-2026-33168]

  Mike Dalessio

Action Pack

• Fix possible XSS in DebugExceptions middleware

  [CVE-2026-33167]

  John Hawthorn

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• Filter user supplied metadata in DirectUploadController

  [CVE-2026-33173]

  Jean Boussier

• Configurable maxmimum streaming chunk size

  Makes sure that byte ranges for blobs don't exceed 100mb by default.
  Content ranges that are too big can result in denial of service.

  [CVE-2026-33174]

  Gannon McGibbon

• Limit range requests to a single range

  [CVE-2026-33658]

  Jean Boussier

• Prevent path traversal in DiskService.

  DiskService#path_for now raises an InvalidKeyError when passed keys with dot segments (".",
  ".."), or if the resolved path is outside the storage root directory.

  #path_for also now consistently raises InvalidKeyError if the key is invalid in any way, for
  example containing null bytes or having an incompatible encoding. Previously, the exception
  raised may have been ArgumentError or Encoding::CompatibilityError.

  DiskController now explicitly rescues InvalidKeyError with appropriate HTTP status codes.

  [CVE-2026-33195]

  Mike Dalessio

• Prevent glob injection in DiskService#delete_prefixed.

  Escape glob metacharacters in the resolved path before passing to Dir.glob.

  Note that this change breaks any existing code that is relying on delete_prefixed to expand
  glob metacharacters. This change presumes that is unintended behavior (as other storage services
  do not respect these metacharacters).

  [CVE-2026-33202]

  Mike Dalessio

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

Guides

• No changes.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Code Coverage Report: Only Changed Files listed

Package	Base Coverage	New Coverage	Difference
Overall Coverage	🟢 53.13%	🟢 53.13%	⚪ 0%

Minimum allowed coverage is 0%, this run produced 53.13%