3 x security backports #2650

Merged
joelhawksley merged 13 commits into 3.x from 3-x-security
Jun 5, 2026
@joelhawksley
Member

What are you trying to accomplish?

What approach did you choose and why?

Anything you want to highlight for special attention from reviewers?

(cherry picked from commit 765d7bc)
(cherry picked from commit da99314)
@joelhawksley joelhawksley marked this pull request as ready for review June 5, 2026 17:17
- Force-load CGI in sandbox boot.rb so @@accept_charset is defined on CGI
  before globalid's Railtie calls CGI.unescape (avoids C extension crash
  on Ruby 3.5).
- Remove the ineffective cgi < 0.5 pin from Gemfile, Appraisals, and all
  generated gemfiles; the explicit require is the actual fix.
- Skip test_render_inline_allocations on prerelease Rails (main): the
  allocation count fluctuates day-to-day with upstream churn.

`appraisal generate` baked "ruby ~> 3.4" into each gemfile from the
parent Gemfile's `ruby ruby_version` declaration. This caused Bundler
to fail in CI for Ruby 3.0/3.1/3.2/3.3 jobs (the CI matrix sets Ruby
via ruby/setup-ruby@v1, not via the Gemfile).

Nokogiri 1.19.3 (current latest) ships precompiled binaries for ABIs
3.2/3.3/3.4 but not 3.5. Setting BUNDLE_FORCE_RUBY_PLATFORM=true on the
Ruby 3.5 jobs makes Bundler install the platform-agnostic gem so it
builds from source against the system libxml/libxslt.

The require "cgi" added in 938ebda (to fix the Ruby 3.5 globalid crash)
adds one extra allocation during the first render. Bump the expected
counts on Ruby 3.5: 119->120 (Rails 8.0) and 117->118 (Rails 8.1).
@joelhawksley joelhawksley merged commit c36913a into 3.x Jun 5, 2026
28 checks passed
@joelhawksley joelhawksley deleted the 3-x-security branch June 5, 2026 19:40