
chore(deps): update dependency activesupport to v8.1.2.1 [security]#4464

Open
renovate[bot] wants to merge 1 commit into main from renovate/rubygems-activesupport-vulnerability

Conversation


@renovate renovate bot commented Mar 24, 2026

This PR contains the following updates:

Package: activesupport (source, changelog)
Change: 8.1.1 -> 8.1.2.1

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-33169

Impact

NumberToDelimitedConverter used a regular expression with gsub! to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.

Releases

The fixed releases are available at the normal locations.

CVE-2026-33170

Impact

SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place (e.g. via gsub!) and then formatted with % using untrusted arguments, the result incorrectly reports html_safe? == true, bypassing ERB auto-escaping and possibly leading to XSS.

Releases

The fixed releases are available at the normal locations.

CVE-2026-33176

Impact

Active Support number helpers accept strings containing scientific notation (e.g. 1e10000), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.

Releases

The fixed releases are available at the normal locations.

Credit

https://hackerone.com/manun


Release Notes

rails/rails (activesupport)

v8.1.2.1: 8.1.2.1

Compare Source

Active Support

  • Reject scientific notation in NumberConverter

    [CVE-2026-33176]

    Jean Boussier

  • Fix SafeBuffer#% to preserve unsafe status

    [CVE-2026-33170]

    Jean Boussier

  • Improve performance of NumberToDelimitedConverter

    [CVE-2026-33169]

    Jean Boussier

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • Skip blank attribute names in tag helpers to avoid generating invalid HTML.

    [CVE-2026-33168]

    Mike Dalessio

Action Pack

  • Fix possible XSS in DebugExceptions middleware

    [CVE-2026-33167]

    John Hawthorn

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • Filter user supplied metadata in DirectUploadController

    [CVE-2026-33173]

    Jean Boussier

  • Configurable maximum streaming chunk size

    Makes sure that byte ranges for blobs don't exceed 100mb by default.
    Content ranges that are too big can result in denial of service.

    [CVE-2026-33174]

    Gannon McGibbon

  • Limit range requests to a single range

    [CVE-2026-33658]

    Jean Boussier

  • Prevent path traversal in DiskService.

    DiskService#path_for now raises an InvalidKeyError when passed keys with dot segments (".",
    ".."), or if the resolved path is outside the storage root directory.

    #path_for also now consistently raises InvalidKeyError if the key is invalid in any way, for
    example containing null bytes or having an incompatible encoding. Previously, the exception
    raised may have been ArgumentError or Encoding::CompatibilityError.

    DiskController now explicitly rescues InvalidKeyError with appropriate HTTP status codes.

    [CVE-2026-33195]

    Mike Dalessio

  • Prevent glob injection in DiskService#delete_prefixed.

    Escape glob metacharacters in the resolved path before passing to Dir.glob.

    Note that this change breaks any existing code that is relying on delete_prefixed to expand
    glob metacharacters. This change presumes that is unintended behavior (as other storage services
    do not respect these metacharacters).

    [CVE-2026-33202]

    Mike Dalessio

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

Guides

  • No changes.

v8.1.2: 8.1.2

Compare Source

Active Support
  • Make delegate and delegate_missing_to work in BasicObject subclasses.

    Rafael Mendonça França

  • Fix Inflectors when using a locale that fallbacks to :en.

    Said Kaldybaev

  • Fix ActiveSupport::TimeWithZone#as_json to consistently return UTF-8 strings.

    Previously the returned string would sometimes be encoded in US-ASCII, which in
    some cases may be problematic.

    Now the method consistently returns UTF-8 strings.

    Jean Boussier

  • Fix TimeWithZone#xmlschema when wrapping a DateTime instance in local time.

    Previously it would return an invalid time.

    Dmytro Rymar

  • Implement LocalCache strategy on ActiveSupport::Cache::MemoryStore. The memory store
    needs to respond to the same interface as other cache stores (e.g. ActiveSupport::NullStore).

    Mikey Gough

  • Fix ActiveSupport::Inflector.humanize with international characters.

    ActiveSupport::Inflector.humanize("áÉÍÓÚ")  # => "Áéíóú"
    ActiveSupport::Inflector.humanize("аБВГДЕ") # => "Абвгде"

    Jose Luis Duran

Active Model
  • No changes.
Active Record
  • Fix counting cached queries in ActiveRecord::RuntimeRegistry.

    fatkodima

  • Fix merging relations with arel equality predicates with null relations.

    fatkodima

  • Fix SQLite3 schema dump for non-autoincrement integer primary keys.

    Previously, schema.rb would incorrectly restore that table with an auto incrementing
    primary key.

    Chris Hasiński

  • Fix PostgreSQL schema_search_path not being reapplied after reset! or reconnect!.

    The schema_search_path configured in database.yml is now correctly
    reapplied instead of falling back to PostgreSQL defaults.

    Tobias Egli

  • Restore the ability of enum to be floats.

    enum :rating, { low: 0.0, medium: 0.5, high: 1.0 }

    In Rails 8.1.0, enum values are eagerly validated, and floats weren't expected.

    Said Kaldybaev

  • Ensure batched preloaded associations account for klass when grouping to avoid issues with STI.

    zzak, Stjepan Hadjic

  • Fix ActiveRecord::SoleRecordExceeded#record to return the relation.

    This was the case until Rails 7.2, but starting from 8.0 it
    started mistakenly returning the model class.

    Jean Boussier

  • Improve PostgreSQLAdapter resilience to Timeout.timeout.

    Better handle asynchronous exceptions being thrown inside
    the reconnect! method.

    This may fix some deep errors such as:

    undefined method `key?' for nil:NilClass (NoMethodError)
      if !type_map.key?(oid)

    Jean Boussier

  • Fix structured events for Active Record not being emitted.

    Yuji Yaginuma

  • Fix eager_load when loading has_many associations with composite primary keys.

    This would result in some records being loaded multiple times.

    Martin-Alexander

Action View
  • Fix file_field to join mime types with a comma when provided as Array

    file_field(:article, :image, accept: ['image/png', 'image/gif', 'image/jpeg'])

    Now behaves like:

    file_field(:article, :image, accept: 'image/png,image/gif,image/jpeg')
    

    Bogdan Gusiev

  • Fix strict locals parsing to handle multiline definitions.

    Said Kaldybaev

  • Fix content_security_policy_nonce error in mailers when using content_security_policy_nonce_auto setting.

    The content_security_policy_nonce helper is provided by ActionController::ContentSecurityPolicy, and it relies on request.content_security_policy_nonce. Mailers lack both the module and the request object.

    Jarrett Lusso

Action Pack
  • Add config.action_controller.live_streaming_excluded_keys to control execution state sharing in ActionController::Live.

    When using ActionController::Live, actions are executed in a separate thread that shares
    state from the parent thread. This new configuration allows applications to opt-out specific
    state keys that should not be shared.

    This is useful when streaming inside a connected_to block, where you may want
    the streaming thread to use its own database connection context.

    # config/application.rb
    config.action_controller.live_streaming_excluded_keys = [:active_record_connected_to_stack]

    By default, all keys are shared.

    Eileen M. Uchitelle

  • Fix IpSpoofAttackError message to include Forwarded header content.

    Without it, the error message may be misleading.

    zzak

Active Job
  • Fix ActiveJob.perform_all_later to respect job_class.enqueue_after_transaction_commit.

    Previously, perform_all_later would enqueue all jobs immediately, even if
    they had enqueue_after_transaction_commit = true. Now it correctly defers
    jobs with this setting until after transaction commits, matching the behavior
    of perform_later.

    OuYangJinTing

  • Fix using custom serializers with ActiveJob::Arguments.serialize when
    ActiveJob::Base hasn't been loaded.

    Hartley McGuire

Action Mailer
  • No changes.
Action Cable
  • No changes.
Active Storage
  • Restore ADC when signing URLs with IAM for GCS

    ADC was previously used for automatic authorization when signing URLs with IAM.
    Now it is again, but the auth client is memoized so that new credentials are only
    requested when the current ones expire. Other auth methods can now be used
    instead by setting the authorization on ActiveStorage::Service::GCSService#iam_client.

    ActiveStorage::Blob.service.iam_client.authorization = Google::Auth::ImpersonatedServiceAccountCredentials.new(options)

    This is safer than setting Google::Apis::RequestOptions.default.authorization
    because it only applies to Active Storage and does not affect other Google API
    clients.

    Justin Malčić

Action Mailbox
  • No changes.
Action Text
  • No changes.
Railties
  • Skip all system test files on app generation.

    Eileen M. Uchitelle

  • Fix db:system:change to correctly update Dockerfile base packages.

    Josiah Smith

  • Fix devcontainer volume mount when app name differs from folder name.

    Rafael Mendonça França

  • Fixed the rails notes command to properly extract notes in CSS files.

    David White

  • Fixed the default Dockerfile to properly include the vendor/ directory during bundle install.

    Zhong Sheng

Guides
  • No changes.

Configuration

📅 Schedule: (in timezone Europe/Berlin)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
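The DiskService key validation and glob escaping described in the Active Storage 8.1.2.1 notes above, modelled as an added Ruby example that is not Rails' own code: the module name SafeDiskPaths, this InvalidKeyError class, path_for, escape_glob and glob_pattern_for are names chosen here, and the storage root is a constructed path.

```ruby
# Added example, not Active Storage's implementation. Models the checks the
# 8.1.2.1 changelog describes: reject dot segments, null bytes and bad
# encodings uniformly with InvalidKeyError, keep the resolved path under the
# storage root, and escape glob metacharacters before a Dir.glob prefix match.
require "pathname"

class InvalidKeyError < ArgumentError; end

module SafeDiskPaths
  module_function

  # Resolve a blob key below +root+, refusing anything that could escape it.
  def path_for(root, key)
    # Invalid or incompatible encodings and embedded NULs are rejected here,
    # instead of surfacing later as ArgumentError / Encoding errors.
    raise InvalidKeyError, "invalid encoding" unless key.is_a?(String) && key.valid_encoding?
    raise InvalidKeyError, "null byte in key" if key.include?("\0")
    raise InvalidKeyError, "empty key" if key.empty?
    # Dot segments are rejected outright rather than trusting path normalisation.
    if key.split("/").any? { |seg| seg == "." || seg == ".." }
      raise InvalidKeyError, "dot segment in key"
    end

    root_path = Pathname.new(root).expand_path
    resolved = (root_path + key).expand_path # an absolute key would replace root
    # Final check: the resolved path must still sit strictly under the root.
    unless resolved.to_s.start_with?(root_path.to_s + File::SEPARATOR)
      raise InvalidKeyError, "resolved path escapes storage root"
    end
    resolved.to_s
  end

  # Escape glob metacharacters so Dir.glob matches the prefix literally.
  def escape_glob(path)
    path.gsub(/[*?\[\]{}\\]/) { |c| "\\#{c}" }
  end

  # Pattern for deleting everything under a key prefix (the delete_prefixed case).
  def glob_pattern_for(root, prefix)
    escape_glob(path_for(root, prefix)) + "*"
  end
end
```

A key such as a/../secret or an absolute path raises InvalidKeyError before any filesystem access, and a prefix like ab* becomes the literal pattern ab\** rather than a wildcard.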

@renovate renovate bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Mar 24, 2026
@renovate renovate bot enabled auto-merge (squash) March 24, 2026 01:30
@renovate renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from 6da9263 to 2c86a0e March 24, 2026 08:23
@renovate renovate bot changed the title chore(deps): update dependency activesupport to v8.1.2.1 [security] chore(deps): update dependency activesupport to v8.1.2.1 [security] - autoclosed Mar 27, 2026
@renovate renovate bot closed this Mar 27, 2026
auto-merge was automatically disabled March 27, 2026 01:03

Pull request was closed

@renovate renovate bot deleted the renovate/rubygems-activesupport-vulnerability branch March 27, 2026 01:03
@renovate renovate bot changed the title chore(deps): update dependency activesupport to v8.1.2.1 [security] - autoclosed chore(deps): update dependency activesupport to v8.1.2.1 [security] Mar 30, 2026
@renovate renovate bot reopened this Mar 30, 2026
@renovate renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from 2c86a0e to c77fde5 March 30, 2026 17:42