🚨 [security] [ruby] Update rails 8.1.0 → 8.1.2.1 (minor) by depfu[bot] · Pull Request #43 · renuo/onlylogs

depfu · 2026-03-23T22:30:22Z

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rails (8.1.0 → 8.1.2.1) · Repo · Changelog

Release Notes

8.1.2.1

8.1.2

8.1.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ action_text-trix (indirect, 2.1.15 → 2.1.18) · Repo · Changelog

Security Advisories 🚨

🚨 Trix is vulnerable to XSS through JSON deserialization bypass in drag-and-drop (Level0InputController)

🚨 Trix has a Stored XSS vulnerability through serialized attributes

🚨 Trix has a stored XSS vulnerability through its attachment attribute

Release Notes

2.1.18

2.1.17

2.1.16

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actioncable (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionmailbox (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionmailer (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

↗️ actionpack (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

Security Advisories 🚨

🚨 Rails has a possible XSS vulnerability in its Action Pack debug exceptions

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actiontext (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionview (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

Security Advisories 🚨

🚨 Rails has a possible XSS vulnerability in its Action View tag helpers

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activejob (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activemodel (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

↗️ activerecord (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

↗️ activestorage (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

↗️ activesupport (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

Security Advisories 🚨

🚨 Rails Active Support has a possible ReDoS vulnerability in number_to_delimited

🚨 Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

🚨 Rails Active Support has a possible DoS vulnerability in its number helpers

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ bigdecimal (indirect, 3.3.1 → 4.1.1) · Repo · Changelog

Release Notes

4.1.1

4.1.0

4.0.1

4.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ concurrent-ruby (indirect, 1.3.5 → 1.3.6) · Repo · Changelog

Release Notes

1.3.6

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ connection_pool (indirect, 2.5.4 → 3.0.2) · Repo · Changelog

Release Notes

3.0.2 (from changelog)

3.0.1 (from changelog)

3.0.0 (from changelog)

2.5.5 (from changelog)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ date (indirect, 3.4.1 → 3.5.1) · Repo · Changelog

Release Notes

3.5.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ erb (indirect, 5.1.1 → 6.0.2) · Repo · Changelog

Release Notes

6.0.2

6.0.1

6.0.0

5.1.3

5.1.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ i18n (indirect, 1.14.7 → 1.14.8) · Repo · Changelog

Release Notes

1.14.8

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ io-console (indirect, 0.8.1 → 0.8.2) · Repo · Changelog

Release Notes

0.8.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ irb (indirect, 1.15.2 → 1.17.0) · Repo · Changelog

Release Notes

1.17.0

1.16.0

1.15.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ json (indirect, 2.15.2 → 2.19.3) · Repo · Changelog

Security Advisories 🚨

🚨 Ruby JSON has a format string injection vulnerability

🚨 Ruby JSON has a format string injection vulnerability

🚨 Ruby JSON has a format string injection vulnerability

Release Notes

2.19.3

2.19.2

2.19.1

2.19.0

2.18.1

2.18.0

2.17.1.2

2.17.1 (from changelog)

2.17.0

2.16.0

2.15.2.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ loofah (indirect, 2.24.1 → 2.25.1) · Repo · Changelog

Security Advisories 🚨

🚨 Loofah has improper detection of disallowed URIs via `allowed_uri?`

🚨 Improper detection of disallowed URIs by Loofah `allowed_uri?`

Release Notes

2.25.1

2.25.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.26.0 → 6.0.3) · Repo · Changelog

Release Notes

6.0.3 (from changelog)

6.0.2 (from changelog)

6.0.1 (from changelog)

6.0.0 (from changelog)

5.27.0 (from changelog)

5.26.2 (from changelog)

5.26.1 (from changelog)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ net-imap (indirect, 0.5.12 → 0.6.3) · Repo · Changelog

Release Notes

0.6.3

0.6.2

0.6.1

0.6.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nio4r (indirect, 2.7.4 → 2.7.5) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nokogiri (indirect, 1.18.10 → 1.19.2) · Repo · Changelog

Security Advisories 🚨

🚨 Nokogiri does not check the return value from xmlC14NExecute

Release Notes

1.19.2

1.19.1

1.19.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ psych (indirect, 5.2.6 → 5.3.1) · Repo · Changelog

Release Notes

5.3.1

5.3.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rack (indirect, 3.2.3 → 3.2.6) · Repo · Changelog

Security Advisories 🚨

🚨 Rack::Request accepts invalid Host characters, enabling host allowlist bypass

🚨 Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect

🚨 Rack has Content-Length mismatch in Rack::Files error responses

🚨 Rack::Static prefix matching can expose unintended files under the static root

🚨 Rack:: Static header_rules bypass via URL-encoded paths

🚨 Rack's multipart byte range processing allows denial of service via excessive overlapping ranges

🚨 Rack's multipart header parsing allows Denial of Service via escape-heavy quoted parameters

🚨 Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass.

🚨 Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values

🚨 Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing

🚨 Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header

🚨 Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory

🚨 Rack's multipart parsing without Content-Length header allows unbounded chunked file uploads

🚨 Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href

🚨 Rack has a Directory Traversal via Rack:Directory

Release Notes

3.2.6

3.2.4 (from changelog)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rack-session (indirect, 2.1.1 → 2.1.2) · Repo · Changelog

Security Advisories 🚨

🚨 Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization

Release Notes

2.1.2 (from changelog)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rackup (indirect, 2.2.1 → 2.3.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rails-html-sanitizer (indirect, 1.6.2 → 1.7.0) · Repo · Changelog

Release Notes

1.7.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ railties (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rake (indirect, 13.3.0 → 13.3.1) · Repo · Changelog

Release Notes

13.3.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rdoc (indirect, 6.15.0 → 7.2.0) · Repo · Changelog

Release Notes

7.2.0

7.1.0

7.0.3

7.0.2

7.0.1

7.0.0

6.17.0

6.16.1

6.16.0

6.15.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ reline (indirect, 0.6.2 → 0.6.3) · Repo · Changelog

Release Notes

0.6.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ stringio (indirect, 3.1.7 → 3.2.0) · Repo · Changelog

Release Notes

3.2.0

3.1.9

3.1.8

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ thor (indirect, 1.4.0 → 1.5.0) · Repo · Changelog

Release Notes

1.5.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ timeout (indirect, 0.4.3 → 0.6.1) · Repo · Changelog

Release Notes

0.6.1

0.6.0

0.5.0

0.4.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ uri (indirect, 1.0.4 → 1.1.1) · Repo · Changelog

Release Notes

1.1.1

1.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ zeitwerk (indirect, 2.7.3 → 2.7.5) · Repo · Changelog

Release Notes

2.7.5 (from changelog)

2.7.4 (from changelog)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

Go to the Depfu Dashboard to see the state of your dependencies and to customize how Depfu works.

depfu bot added the depfu label Mar 23, 2026

depfu bot force-pushed the depfu/update/group/rails-8.1.2.1 branch from b5dd814 to 021e979 Compare April 7, 2026 08:40

Update rails to version 8.1.2.1

a8bd1a8

depfu bot force-pushed the depfu/update/group/rails-8.1.2.1 branch from 021e979 to a8bd1a8 Compare April 10, 2026 07:35

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

🚨 [security] [ruby] Update rails 8.1.0 → 8.1.2.1 (minor)#43

🚨 [security] [ruby] Update rails 8.1.0 → 8.1.2.1 (minor)#43
depfu[bot] wants to merge 1 commit intomainfrom
depfu/update/group/rails-8.1.2.1

depfu bot commented Mar 23, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

depfu bot commented Mar 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What changed?

✳️ rails (8.1.0 → 8.1.2.1) · Repo · Changelog

↗️ action_text-trix (indirect, 2.1.15 → 2.1.18) · Repo · Changelog

↗️ actioncable (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

↗️ actionmailbox (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

↗️ actionmailer (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

↗️ actionpack (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

↗️ actiontext (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

↗️ actionview (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

↗️ activejob (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

↗️ activemodel (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

↗️ activerecord (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

↗️ activestorage (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

↗️ activesupport (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

↗️ bigdecimal (indirect, 3.3.1 → 4.1.1) · Repo · Changelog

↗️ concurrent-ruby (indirect, 1.3.5 → 1.3.6) · Repo · Changelog

↗️ connection_pool (indirect, 2.5.4 → 3.0.2) · Repo · Changelog

3.0.2 (from changelog)

3.0.1 (from changelog)

3.0.0 (from changelog)

2.5.5 (from changelog)

↗️ date (indirect, 3.4.1 → 3.5.1) · Repo · Changelog

↗️ erb (indirect, 5.1.1 → 6.0.2) · Repo · Changelog

↗️ i18n (indirect, 1.14.7 → 1.14.8) · Repo · Changelog

↗️ io-console (indirect, 0.8.1 → 0.8.2) · Repo · Changelog

↗️ irb (indirect, 1.15.2 → 1.17.0) · Repo · Changelog

↗️ json (indirect, 2.15.2 → 2.19.3) · Repo · Changelog

2.17.1 (from changelog)

↗️ loofah (indirect, 2.24.1 → 2.25.1) · Repo · Changelog

↗️ minitest (indirect, 5.26.0 → 6.0.3) · Repo · Changelog

6.0.3 (from changelog)

6.0.2 (from changelog)

6.0.1 (from changelog)

6.0.0 (from changelog)

5.27.0 (from changelog)

5.26.2 (from changelog)

5.26.1 (from changelog)

↗️ net-imap (indirect, 0.5.12 → 0.6.3) · Repo · Changelog

↗️ nio4r (indirect, 2.7.4 → 2.7.5) · Repo · Changelog

↗️ nokogiri (indirect, 1.18.10 → 1.19.2) · Repo · Changelog

↗️ psych (indirect, 5.2.6 → 5.3.1) · Repo · Changelog

↗️ rack (indirect, 3.2.3 → 3.2.6) · Repo · Changelog

3.2.4 (from changelog)

↗️ rack-session (indirect, 2.1.1 → 2.1.2) · Repo · Changelog

2.1.2 (from changelog)

↗️ rackup (indirect, 2.2.1 → 2.3.1) · Repo · Changelog

↗️ rails-html-sanitizer (indirect, 1.6.2 → 1.7.0) · Repo · Changelog

↗️ railties (indirect, 8.1.0 → 8.1.2.1) · Repo · Changelog

↗️ rake (indirect, 13.3.0 → 13.3.1) · Repo · Changelog

↗️ rdoc (indirect, 6.15.0 → 7.2.0) · Repo · Changelog

↗️ reline (indirect, 0.6.2 → 0.6.3) · Repo · Changelog

↗️ stringio (indirect, 3.1.7 → 3.2.0) · Repo · Changelog

depfu bot commented Mar 23, 2026 •

edited

Loading