Bump the bundler group across 1 directory with 13 updates

[dependabot]

Bumps the bundler group with 4 updates in the / directory: devise, jquery-rails, bootstrap-sass and carrierwave.

Updates devise from 3.2.4 to 5.0.3

Release notes

Sourced from devise's releases.

v5.0.3

https://github.com/heartcombo/devise/blob/v5.0.3/CHANGELOG.md#503---2026-03-16

v5.0.2

https://github.com/heartcombo/devise/blob/v5.0.2/CHANGELOG.md#502---2026-02-18

v5.0.1

https://github.com/heartcombo/devise/blob/v5.0.1/CHANGELOG.md#501---2026-02-13

v5.0.0

https://github.com/heartcombo/devise/blob/v5.0.0/CHANGELOG.md#500---2026-01-23

v5.0.0.rc

https://github.com/heartcombo/devise/blob/v5.0.0.rc/CHANGELOG.md#500rc---2025-12-31

v4.9.4

https://github.com/heartcombo/devise/blob/v4.9.4/CHANGELOG.md#494---2024-04-10

v4.9.3

https://github.com/heartcombo/devise/blob/v4.9.3/CHANGELOG.md#493---2023-10-11

v4.9.2

https://github.com/heartcombo/devise/blob/v4.9.2/CHANGELOG.md#unreleased

v4.9.1

https://github.com/heartcombo/devise/blob/v4.9.1/CHANGELOG.md#491---2023-03-31

v4.9.0

https://github.com/heartcombo/devise/blob/v4.9.0/CHANGELOG.md#490---2023-02-17

v4.8.1

No release notes provided.

v4.8.0

No release notes provided.

v4.7.1

No release notes provided.

v4.7.0

No release notes provided.

v4.6.2

No release notes provided.

v4.6.1

No release notes provided.

v4.6.0

No release notes provided.

... (truncated)

Changelog

Sourced from devise's changelog.

5.0.3 - 2026-03-16

• security fixes
  • Fix race condition vulnerability on confirmable "change email" which would allow confirming an email they don't own CVE-2026-32700 #5783 #5784

5.0.2 - 2026-02-18

• enhancements
  • Allow resource class scopes to override the global configuration for sign_in_after_change_password behaviour. #5825
    • Note: some users ran into an issue with this change because RegistrationsController now relies on a setting from the :registerable module. These users were configuring their own routes pointing to the RegistrationsController for resource edit/update actions mostly, without relying on the other registration actions (e.g. user sign up.), so they omitted :registerable from the model declaration. While using just a portion of the controller functionality is a valid use for :registerable (or any module really), the module must still be declared in the model, much like the other modules must be declared if you plan on using just a portion of their behavior. Please check this issue for more info.
  • Add sign_in_after_reset_password? check hook to passwords controller, to allow it to be customized by users. #5826

5.0.1 - 2026-02-13

• bug fixes
  • Fix translation issue with German E-Mail on invalid authentication messages caused by previous fix for incorrect grammar #5822

5.0.0 - 2026-01-23

no changes

5.0.0.rc - 2025-12-31

• breaking changes

  • Drop support to Ruby < 2.7

  • Drop support to Rails < 7.0

  • Remove deprecated :bypass option from sign_in helper, use bypass_sign_in instead. #5803

  • Remove deprecated devise_error_messages! helper, use render "devise/shared/error_messages", resource: resource instead. #5803

  • Remove deprecated scope second argument from sign_in(resource, :admin) controller test helper, use sign_in(resource, scope: :admin) instead. #5803

  • Remove deprecated Devise::TestHelpers, use Devise::Test::ControllerHelpers instead. #5803

  • Remove deprecated Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION #5598

  • Remove deprecated Devise.activerecord51? method.

  • Remove SecretKeyFinder and use app.secret_key_base as the default secret key for Devise.secret_key if a custom Devise.secret_key is not provided.

    This is potentially a breaking change because Devise previously used the following order to find a secret key:

    app.credentials.secret_key_base > app.secrets.secret_key_base > application.config.secret_key_base > application.secret_key_base
    

    Now, it always uses application.secret_key_base. Make sure you're using the same secret key after the upgrade; otherwise, previously generated tokens for recoverable, lockable, and confirmable will be invalid. #5645

  • Change password instructions button label on devise view from Send me reset password instructions to Send me password reset instructions #5515

  • Change <br> tags separating form elements to wrapping them in <p> tags #5494

  • Replace [data-turbo-cache=false] with [data-turbo-temporary] on devise/shared/error_messages partial. This has been deprecated by Turbo since v7.3.0 (released on Mar 1, 2023).

    If you are using an older version of Turbo and the default devise template, you'll need to copy it over to your app and change that back to [data-turbo-cache=false].

• enhancements

  • Add Rails 8 support.

... (truncated)

Commits

• 2f80920 Release v5.0.3
• 5334707 Add CVE to changelog [ci skip]
• 0252777 Fix race condition vulnerability, by ensuring the unconfirmed_email is alwa...
• 879f79f Bundle update
• 0f4493b Configure default permissions as read-only for the workflow
• 8c78576 Ignore test/** folder for GH default code scanning
• c9e655e Bundle update, clear dependabot security issues
• 3fd0610 Add a note to the changelog about an edge case issue some users ran into
• 5b008ed Release v5.0.2
• 916f94e Add sign_in_after_reset_password? check hook to passwords controller (#5826)
• Additional commits viewable in compare view

Updates jquery-rails from 3.1.0 to 4.6.1

Changelog

Sourced from jquery-rails's changelog.

4.6.1

• update jquery to 3.7.1

4.6.0

• update jquery to 3.7.0

4.5.1

• update jquery to 3.6.1
• update jquery-ujs to 1.2.3

4.5.0

• update jquery to 3.6.0

4.4.0

• update jquery to 3.5.1 (note: 3.5.0 contains important security updates)
• unescape dollar signs and backticks in assert_select_jquery to match Rails updated behavior.

4.3.5

• update jquery to 3.4.1

4.3.4

• update jquery to 3.4.0

4.3.3

• update jquery to 3.3.1

4.3.2

• update jquery to 3.3.0
• Add possibility to test HTML: all, attribute prefix, attribute contains, attribute ends with, child, and class selectors
• Fix matching multiple calls for the same selector/function exception

4.3.1

• update jquery to 3.2.1

4.3.0

• update jquery to 3.2.0
• Add possibility to test HTML attribute selectors

... (truncated)

Commits

• 0342960 Release v4.6.1 with jQuery v3.7.1
• 039b12e Update jquery to v3.7.1 (#305)
• 12869da Release v4.6.0 with jQuery v3.7.0
• 65a9c73 Update jquery to 3.7.0
• fb5a7a8 Merge pull request #293 from MichaelHoste/patch-1
• d9dfbe1 Merge pull request #296 from okuramasafumi/patch-1
• f34a439 Update CHANGELOG.md
• b9e5aa7 Fix typo in CHANGELOG.md (usj => ujs)
• de8792d Release v4.5.1 with jquery 3.6.1 and jquery-ujs 1.2.3
• 7e6f508 Update jquery-ujs to latest v1.2.3
• Additional commits viewable in compare view

Updates bootstrap-sass from 3.1.1.1 to 3.4.1

Release notes

Sourced from bootstrap-sass's releases.

v3.4.1

• Security: Fixed an XSS vulnerability (CVE-2019-8331) in our tooltip and popover plugins by implementing a new HTML sanitizer
• Handle bad selectors (#) in data-target for Dropdowns
• Clarified tooltip selector documentation
• Added support for NuGet contentFiles

v3.4.0

• New: Added a .row-no-gutters class.
• New: Added docs searching via Algolia.
• Fixed: Resolved an XSS issue in Alert, Carousel, Collapse, Dropdown, Modal, and Tab components. See https://snyk.io/vuln/npm:bootstrap:20160627 for details.
• Fixed: Added padding to .navbar-fixed-* on modal open
• Fixed: Removed the double border on elements.
• Removed Gist creation in web-based Customizer since anonymous gists were disabled long ago by GitHub.
• Removed drag and drop support from Customizer since it didn’t work anymore.

Framework version: Bootstrap v3.4.0 See the upstream blog post for a detailed overview.

v3.3.6

• Bumps Sass dependency to 3.3.4+ to avoid compatibility issues with @​at-root.
• Bumps node-sass dependency to ~3.4.2 for Node.js v5 compatibility. #986
• Fixes breadcrumb content issues on libsass. #919
• Fixes a Rails 5 compatibility issue. #965

Framework version: Bootstrap v3.3.6 See the upstream blog post for style and JavaScript changes.

v3.3.5

Fix for standalone Compass extension compatibility. #914

Framework version: Bootstrap v3.3.5

• Blog post.
• Upstream release notes.

v3.3.4

No Sass-specific changes.

Framework version: Bootstrap v3.3.4.

The Ruby gem was originally released as v3.3.4, but has been re-released as v3.3.4.1 due to a file permissions issue. Non-rubygem releases are not affected.

• Blog post.
• Upstream release notes.

v3.3.3

Released on 2015-01-19. This is a re-packaged release of v3.3.2.1 (v3.3.2+1). It includes the Sass-specific Glyphicons regression fix (daeb43dcc7b0ab06328acaca0549ee68c039aaa6) from v3.3.2.1.

bootstrap-sass versions will be strictly SemVer from now on. The PATCH version may be ahead of the upstream twbs/bootstrap version due to Sass-specific fixes. To avoid confusion, there is not, and will never be, an upstream Bootstrap v3.3.3.

... (truncated)

Changelog

Sourced from bootstrap-sass's changelog.

Changelog

3.4.3 (non-ruby only)

• Fix malformed math.div expressions. #1225

3.4.2 (non-ruby only)

• Compatibility with Sass 1.33. #1221

3.4.0

• Bootstrap rubygem now depends on SassC instead of Sass.
• Compass no longer supported.

3.3.7

• Allows jQuery 3.x in bower.json. #1048
• Adds the style and sass fields to package.json. #1045
• Adds Eyeglass support. #1007

3.3.6

• Bumps Sass dependency to 3.3.4+ to avoid compatibility issues with @​at-root.
• Bumps node-sass dependency to ~3.4.2 for Node.js v5 compatibility. #986
• Fixes breadcrumb content issues on libsass. #919
• Fixes a Rails 5 compatibility issue. #965

Framework version: Bootstrap v3.3.6

3.3.5

Fix for standalone Compass extension compatibility. #914

Framework version: Bootstrap v3.3.5

3.3.4

No Sass-specific changes.

Framework version: Bootstrap v3.3.4

3.3.3

This is a re-packaged release of 3.3.2.1 (v3.3.2+1).

Versions are now strictly semver. The PATCH version may be ahead of the upstream.

Framework version: Bootstrap v3.3.2.

... (truncated)

Commits

• See full diff in compare view

Updates carrierwave from 0.10.0 to 2.2.6

Release notes

Sourced from carrierwave's releases.

2.2.6

Security

• Fix Content-Type allowlist bypass vulnerability remained (@​mshibuya 4317871, GHSA-vfmv-jfc5-pjjw)

2.2.5

Security

• Fix Content-Type allowlist bypass vulnerability, possibly leading to XSS (@​mshibuya 39b282d, GHSA-gxhx-g4fq-49hj)

2.2.4

Fixed

• Fix Ruby 2.7 keyword argument warning in uploader process (@​SuperTux88 #2665, #2636, #2635)

2.2.3

Fixed

• Add workaround for 'undefined method closed?' error caused by ssrf_filter 1.1 (@​mshibuya c74579d, #2628)
• Add workaround for the API change in ssrf_filter 1.1 (@​BrianHawley #2629, #2625)

2.2.2

Fixed

• Fix no implicit conversion of CSV into String error when parsing a CSV object (@​pjmartorell #2562, #2559)

2.2.1

Changed

• Replace mimemagic with marcel due to licensing concern (@​pjmartorell #2551, #2548)

Fixed

• Fog storage's #clean_cache! breaks when non-cache objects exist in cache_dir (@​mshibuya 42c620a1, #2532)

2.2.0

Added

• libvips support through ImageProcessing::Vips and ruby-vips (@​rhymes #2500, e8421978, 4ae8dc64)
• Provide alternatives to whitelist/blacklist terminology as allowlist/denylist, while old ones are still available but deprecated (@​grantbdev #2442, 4c3cac75, #2491)
• Support for the latest version of RMagick (@​mshibuya 88f24451)

Deprecated

• #(content_type|extension)_whitelist, #(content_type|extension)_blacklist are deprecated. Use #(content_type|extension)_allowlist and #(content_type|extension)_denylist instead (@​grantbdev #2442, 4c3cac75)

Fixed

• Calculate Fog expiration taking DST into account (@​mshibuya, f90e14ca, #2059)
• Set correct content type on copy of fog files (@​ZuevEvgenii #2503, 6682f7ac, #2487)
• Fix fog-google support to pass acl_header for public read if fog is public (@​yosiat #2525, #2426)
• Fix various URL escape issues by escaping on URI parse error only (@​mshibuya 3faf7491, #2457, #2473)
• Fix instance variables @versions_to_* not initialized warning (@​mshibuya c10b82ed, #2493)
• Fix SanitizedFile#move_to wrongly detects content_type based on the path before move (@​mshibuya a42e1b4c, #2495)
• Fix returning invalid content type on text files (@​inkstak #2474, #2424)
• Skip content type and extension filters where possible (@​alexpooley #2464)
• Fix file's #url being called twice, which might be costly for non-local files (@​skyeagle #2519)
• Fix mime type detection failing with types which contain + symbol, such as image/svg+xml (@​sylvainbx #2489)
• Fix #cached? to return boolean instead of @cache_id value (@​kmiyake #2510)
• Fix mime type detection for MS Office files (@​anthonypenner #2447)

... (truncated)

Changelog

Sourced from carrierwave's changelog.

2.2.6 - 2024-03-23

Security

• Fix Content-Type allowlist bypass vulnerability remained (@​mshibuya 4317871, GHSA-vfmv-jfc5-pjjw)

2.2.5 - 2023-11-29

Security

• Fix Content-Type allowlist bypass vulnerability, possibly leading to XSS (@​mshibuya 39b282d, GHSA-gxhx-g4fq-49hj)

2.2.4 - 2023-06-10

Fixed

• Fix Ruby 2.7 keyword argument warning in uploader process (@​SuperTux88 #2665, #2636, #2635)

2.2.3 - 2022-11-21

Fixed

• Add workaround for 'undefined method closed?' error caused by ssrf_filter 1.1 (@​mshibuya c74579d, #2628)
• Add workaround for the API change in ssrf_filter 1.1 (@​BrianHawley #2629, #2625)

2.2.2 - 2021-05-28

Fixed

• Fix no implicit conversion of CSV into String error when parsing a CSV object (@​pjmartorell #2562, #2559)

2.2.1 - 2021-03-30

Changed

• Replace mimemagic with marcel due to licensing concern (@​pjmartorell #2551, #2548)

Fixed

• Fog storage's #clean_cache! breaks when non-cache objects exist in cache_dir (@​mshibuya 42c620a1, #2532)

2.2.0 - 2021-02-23

Added

• libvips support through ImageProcessing::Vips and ruby-vips (@​rhymes #2500, e8421978, 4ae8dc64)
• Provide alternatives to whitelist/blacklist terminology as allowlist/denylist, while old ones are still available but deprecated (@​grantbdev #2442, 4c3cac75, #2491)
• Support for the latest version of RMagick (@​mshibuya 88f24451)

Deprecated

• #(content_type|extension)_whitelist, #(content_type|extension)_blacklist are deprecated. Use #(content_type|extension)_allowlist and #(content_type|extension)_denylist instead (@​grantbdev #2442, 4c3cac75)

Fixed

• Calculate Fog expiration taking DST into account (@​mshibuya, f90e14ca, #2059)
• Set correct content type on copy of fog files (@​ZuevEvgenii #2503, 6682f7ac, #2487)
• Fix fog-google support to pass acl_header for public read if fog is public (@​yosiat #2525, #2426)
• Fix various URL escape issues by escaping on URI parse error only (@​mshibuya 3faf7491, #2457, #2473)
• Fix instance variables @versions_to_* not initialized warning (@​mshibuya c10b82ed, #2493)
• Fix SanitizedFile#move_to wrongly detects content_type based on the path before move (@​mshibuya a42e1b4c, #2495)
• Fix returning invalid content type on text files (@​inkstak #2474, #2424)
• Skip content type and extension filters where possible (@​alexpooley #2464)
• Fix file's #url being called twice, which might be costly for non-local files (@​skyeagle #2519)
• Fix mime type detection failing with types which contain + symbol, such as image/svg+xml (@​sylvainbx #2489)
• Fix #cached? to return boolean instead of @cache_id value (@​kmiyake #2510)
• Fix mime type detection for MS Office files (@​anthonypenner #2447)

... (truncated)

Commits

• eb6359e Version 2.2.6
• 4317871 Fix Content-Type allowlist bypass vulnerability remained
• 0fcff94 Version 2.2.5
• 39b282d Fix Content-Type allowlist bypass vulnerability
• 2f91bee Version 2.2.4
• 2f2d77a Merge pull request #2665 from SuperTux88/backport-kwargs-fix
• 52237f4 fix: ruby 2.7 kwarg warning in uploader process
• bdb0be0 File.exists? had been deprecated since Ruby 2.1 and has been deleted in Ruby 3.2
• ed8c518 Forward to 1.x changelog for older changes
• baf5df7 Version 2.2.3
• Additional commits viewable in compare view

Updates actionmailer from 4.1.1 to 8.1.2

Release notes

Sourced from actionmailer's releases.

8.1.2

Active Support

• Make delegate and delegate_missing_to work in BasicObject subclasses.

  Rafael Mendonça França

• Fix Inflectors when using a locale that fallbacks to :en.

  Said Kaldybaev

• Fix ActiveSupport::TimeWithZone#as_json to consistently return UTF-8 strings.

  Previously the returned string would sometime be encoded in US-ASCII, which in some cases may be problematic.

  Now the method consistently always return UTF-8 strings.

  Jean Boussier

• Fix TimeWithZone#xmlschema when wrapping a DateTime instance in local time.

  Previously it would return an invalid time.

  Dmytro Rymar

• Implement LocalCache strategy on ActiveSupport::Cache::MemoryStore. The memory store needs to respond to the same interface as other cache stores (e.g. ActiveSupport::NullStore).

  Mikey Gough

• Fix ActiveSupport::Inflector.humanize with international characters.

  ActiveSupport::Inflector.humanize("áÉÍÓÚ")  # => "Áéíóú"
  ActiveSupport::Inflector.humanize("аБВГДЕ") # => "Абвгде"

  Jose Luis Duran

Active Model

• No changes.

Active Record

• Fix counting cached queries in ActiveRecord::RuntimeRegistry.

... (truncated)

Changelog

Sourced from actionmailer's changelog.

Rails 8.1.2 (January 08, 2026)

• No changes.

Rails 8.1.1 (October 28, 2025)

• No changes.

Rails 8.1.0 (October 22, 2025)

• Add structured events for Action Mailer:

  • action_mailer.delivered
  • action_mailer.processed

  Gannon McGibbon

• Add deliver_all_later to enqueue multiple emails at once.

  user_emails = User.all.map { |user| Notifier.welcome(user) }
  ActionMailer.deliver_all_later(user_emails)
  use a custom queue
  ActionMailer.deliver_all_later(user_emails, queue: :my_queue)

  This can greatly reduce the number of round-trips to the queue datastore. For queue adapters that do not implement the enqueue_all method, we fall back to enqueuing email jobs indvidually.

  fatkodima

Please check 8-0-stable for previous changes.

Commits

• d7c8ae6 Preparing for 8.1.2 release
• dc94813 Merge pull request #56050 from jclusso/fix-stylesheet-tag-nonce-mailer
• 90a1eaa Preparing for 8.1.1 release
• df9f432 Allow methods starting with underscore to be action methods.
• 53c4ed8 Merge pull request #55973 from rails/fix-ci
• f77a1c3 Require 'rails' at the top of railltie files to ensure Rails is loaded first
• 1cdd190 Preparing for 8.1.0 release
• 1ace683 Preparing for 8.1.0.rc1 release
• d6f9f62 Make the Structured Event Subscriber emit events in format that are useful fo...
• d2518fa Merge pull request #55748 from Shopify/event_with_debug_helper
• Additional commits viewable in compare view

Updates actionpack from 4.1.1 to 8.1.2

Release notes

Sourced from actionpack's releases.

8.1.2

Active Support

• Make delegate and delegate_missing_to work in BasicObject subclasses.

  Rafael Mendonça França

• Fix Inflectors when using a locale that fallbacks to :en.

  Said Kaldybaev

• Fix ActiveSupport::TimeWithZone#as_json to consistently return UTF-8 strings.

  Previously the returned string would sometime be encoded in US-ASCII, which in some cases may be problematic.

  Now the method consistently always return UTF-8 strings.

  Jean Boussier

• Fix TimeWithZone#xmlschema when wrapping a DateTime instance in local time.

  Previously it would return an invalid time.

  Dmytro Rymar

• Implement LocalCache strategy on ActiveSupport::Cache::MemoryStore. The memory store needs to respond to the same interface as other cache stores (e.g. ActiveSupport::NullStore).

  Mikey Gough

• Fix ActiveSupport::Inflector.humanize with international characters.

  ActiveSupport::Inflector.humanize("áÉÍÓÚ")  # => "Áéíóú"
  ActiveSupport::Inflector.humanize("аБВГДЕ") # => "Абвгде"

  Jose Luis Duran

Active Model

• No changes.

Active Record

• Fix counting cached queries in ActiveRecord::RuntimeRegistry.

... (truncated)

Changelog

Sourced from actionpack's changelog.

Rails 8.1.2 (January 08, 2026)

• Add config.action_controller.live_streaming_excluded_keys to control execution state sharing in ActionController::Live.

  When using ActionController::Live, actions are executed in a separate thread that shares state from the parent thread. This new configuration allows applications to opt-out specific state keys that should not be shared.

  This is useful when streaming inside a connected_to block, where you may want the streaming thread to use its own database connection context.

  # config/application.rb
  config.action_controller.live_streaming_excluded_keys = [:active_record_connected_to_stack]

  By default, all keys are shared.

  Eileen M. Uchitelle

• Fix IpSpoofAttackError message to include Forwarded header content.

  Without it, the error message may be misleading.

  zzak

Rails 8.1.1 (October 28, 2025)

• Allow methods starting with underscore to be action methods.

  Disallowing methods starting with an underscore from being action methods was an unintended side effect of the performance optimization in 207a254.

  Fixes #55985.

  Rafael Mendonça França

Rails 8.1.0 (October 22, 2025)

• Submit test requests using as: :html with Content-Type: x-www-form-urlencoded

  Sean Doyle

• Add link-local IP ranges to ActionDispatch::RemoteIp default proxies.

  Link-local addresses (169.254.0.0/16 for IPv4 and fe80::/10 for IPv6) are now included in the default trusted proxy list, similar to private IP ranges.

... (truncated)

Commits

• d7c8ae6 Preparing for 8.1.2 release
• df98a0d Merge pull request #56440 from zzak/ac-live-streaming-keys-typo
• 0f8014a [8-1-stable] Minitest 6 support
• 991ccf3 Merge pull request #56393 from rails/add-exclude-keys-to-live-controller
• 662609d Merge pull request #56252 from callmesangio/fix-testing-docs
• 81dca9c Merge pull request #56285 from markokajzer/main
• c98c994 Merge pull request #56256 from zzak/re-56186
• 4388688 Fix redirect_test leaking subscription state
• 13589db Fix dependency on Rails constant
• 27e709a Merge pull request #56059 from Shopify/hm-zpvonttrlztqnryl
• Additional commits viewable in compare view

Updates actionview from 4.1.1 to 8.1.2

Release notes

Sourced from actionview's releases.

8.1.2

Active Support

• Make delegate and delegate_missing_to work in BasicObject subclasses.

  Rafael Mendonça França

• Fix Inflectors when using a locale that fallbacks to :en.

  Said Kaldybaev

• Fix ActiveSupport::TimeWithZone#as_json to consistently return UTF-8 strings.

  Previously the returned string would sometime be encoded in US-ASCII, which in some cases may be problematic.

  Now the method consistently always return UTF-8 strings.

  Jean Boussier

• Fix TimeWithZone#xmlschema when wrapping a DateTime instance in local time.

  Previously it would return an invalid time.

  Dmytro Rymar

• Implement LocalCache strategy on ActiveSupport::Cache::MemoryStore. The memory store needs to respond to the same interface as other cache stores (e.g. ActiveSupport::NullStore).

  Mikey Gough

• Fix ActiveSupport::Inflector.humanize with international characters.

  ActiveSupport::Inflector.humanize("áÉÍÓÚ")  # => "Áéíóú"
  ActiveSupport::Inflector.humanize("аБВГДЕ") # => "Абвгде"

  Jose Luis Duran

Active Model

• No changes.

Active Record

• Fix counting cached queries in ActiveRecord::RuntimeRegistry.

... (truncated)

Changelog

Sourced from actionview's changelog.

Rails 8.1.2 (January 08, 2026)

• Fix file_field to join mime types with a comma when provided as Array

  file_field(:article, :image, accept: ['image/png', 'image/gif', 'image/jpeg'])

  Now behaves likes:

  file_field(:article, :image, accept: 'image/png,image/gif,image/jpeg')
  

  Bogdan Gusiev

• Fix strict locals parsing to handle multiline definitions.

  Said Kaldybaev

• Fix content_security_policy_nonce error in mailers when using content_security_policy_nonce_auto setting.

  The content_security_policy_nonce helper is provided by ActionController::ContentSecurityPolicy, and it relies on request.content_security_policy_nonce. Mailers lack both the module and the request object.

  Jarrett Lusso

Rails 8.1.1 (October 28, 2025)

• Respect remove_hidden_field_autocomplete config in form builder hidden_field.

  Rafael Mendonça França

Rails 8.1.0 (October 22, 2025)

• The BEGIN template annotation/comment was previously printed on the same line as the following element. We now insert a newline inside the comment so it spans two lines without adding visible whitespace to the HTML output to enhance readability.

  Before:

  <!-- BEGIN /Users/siaw23/Desktop/rails/actionview/test/fixtures/actionpack/test/greeting.html.erb --><p>This is grand!</p>
  

  After:

  <!-- BEGIN /Users/siaw23/Desktop/rails/actionview/test/fixtures/actionpack/test/greeting.html.erb
  --><p>This is grand!</p>
  

  Emmanuel Hayford

... (truncated)

Commits

• d7c8ae6 Preparing for 8.1.2 release
• 27aa94f Merge pull request #56389 from bogdan/semantic-file-input-accept
• 7cf18e0 Merge pull request #56316 from shivabhusal/support-closing_parenthesis-in-nex...
• 160db66 Merge pull request #56270 from Saidbek/fix-multiline-strict-locals-parsing
• 386004e Add CHANGELOG entry for #56050
• dc94813 Merge pull request #56050 from jclusso/fix-stylesheet-tag-nonce-mailer
• 90a1eaa Preparing for 8.1.1 release
• 271acd5 Sync CHANGELOG
• ae6c5a2 Merge pull request #55989 from rails/rm-fix-remove_hidden_field_autocomplete
• 53c4ed8 Merge pull request #55973 from rails/fix-ci
• Additional commits viewable in compare view

Updates activerecord from 4.1.1 to 8.1.2

Release notes

Sourced from activerecord's releases.

8.1.2

Active Support

• Make delegate and delegate_missing_to work in BasicObject subclasses.

  Rafael Mendonça França

• Fix Inflectors when using a locale that fallbacks to :en.

  Said Kaldybaev

• Fix ActiveSupport::TimeWithZone#as_json to consistently return UTF-8 strings.

  Previously the returned string would sometime be encoded in US-ASCII, which in some cases may be problematic.

  Now the method consistently always return UTF-8 strings.

  Jean Boussier

• Fix TimeWithZone#xmlschema when wrapping a DateTime instance in local time.

  Previously it would return an invalid time.

  Dmytro Rymar

• Implement LocalCache strategy on ActiveSupport::Cache::MemoryStore. The memory store needs to respond to the same interface as other cache stores (e.g. ActiveSupport::NullStore).

  Mikey Gough

• Fix ActiveSupport::Inflector.humanize with international characters.

  ActiveSupport::Inflector.humanize("áÉÍÓÚ")  # => "Áéíóú"
  ActiveSupport::Inflector.humanize("аБВГДЕ") # => "Абвгде"

  Jose Luis Duran

Active Model

• No changes.

Active Record

• Fix counting cached queries in ActiveRecord::RuntimeRegistry.

... (truncated)

Changelog

Sourced from activerecord's changelog.

Rails 8.1.2 (January 08, 2026)

• Fix counting cached queries in ActiveRecord::RuntimeRegistry.

  fatkodima

• Fix merging relations with arel equality predicates with null relations.

  fatkodima

• Fix SQLite3 schema dump for non-autoincrement integer primary keys.

  Previously, schema.rb should incorrectly restore that table with an auto incrementing primary key.

  Chris Hasiński

• Fix PostgreSQL schema_search_path not being reapplied after reset! or reconnect!.

  The schema_search_path configured in database.yml is now correctly reapplied instead of falling back to PostgreSQL defaults.

  Tobias Egli

• Restore the ability of enum to be foats.

  enum :rating, { low: 0.0, medium: 0.5, high: 1.0 },

  In Rails 8.1.0, enum values are eagerly validated, and floats weren't expected.

  Said Kaldybaev

• Ensure batched preloaded associations accounts for klass when grouping to avoid issues with STI.

  zzak, Stjepan Hadjic

• Fix ActiveRecord::SoleRecordExceeded#record to return the relation.

  This was the case until Rails 7.2, but starting from 8.0 it started mistakenly returning the model class.

  Jean Boussier

• Improve PostgreSQLAdapter resilience to Timeout.timeout.

  Better handle asynchronous exceptions being thrown inside the reconnect! method.

... (truncated)

Commits

• d7c8ae6 Preparing for 8.1.2 release
• 3ea2701 CHANGELOG sync
• 53e82ef Merge pull request #56534 from khasinski/fix-sqlite3-schema-dump-default-nil
• adcface Fix PostgreSQL schema_search_path after reconnect and reset
• 13952d5 Merge pull request #56447 from Saidbek/fix-enum-float-values-support
• 642baed Merge pull request #56482 from fatkodima/fix-merge-arel-equality-and-null
• 49a1f72 Merge pull request #56415 from zzak/re-56047
• 1b2a755 Fix CI rerun command for active record tests
• 186d51e Merge pull request #56304 from fatkodima/fix-dumping-views-indexes
• 7acf8b3 Merge pull request #56287 from byroot/fix-sole-error-record
• Additional commits viewab...

  Description has been truncated