290 Ruby 2.7 support for Rails 2.3 LTS
Note
You can find the updated guide here.
Rails 2.3 LTS works with Ruby 1.8.7, Ruby 2.5, and Ruby 2.7. Typical web apps see a 2x to 4x performance boost by switching from Ruby 1.8.7 to Ruby 2.5+. "Support" means that upgrading a Rails 2.3 application to Ruby 2.5 will not require Rails-related monkey patches.
However, upgrading will still require some effort for the majority of Rails 2.3 applications, since your own code as well as some th...
291 Ruby 2.7 support for Rails 3.2 LTS
Note
You can find the updated guide here.
Rails 3.2 LTS works with Ruby 1.8.7, 1.9.3, 2.3, 2.5, and 2.7. "Support" means that upgrading a Rails 3.2 application to Ruby 2.5 will not require Rails-related monkey patches.
However, upgrading will still require some effort for the majority of Rails 3.2 applications, since your own code as well as some third-party gems might have compatibility issues. This is especially true if you upgrade from...
303 Backported patches for legacy Ruby versions
The Rails LTS service only covers security updates for the Rails framework, not for Ruby.
As a courtesy to our customers, we sometimes backport security patches to legacy Ruby versions, which you can find below. However, we cannot guarantee future patches for legacy Ruby versions.
Patches for Ruby 1.8.7
Download ruby_1_8_7-p374-fixes-2015-04-14.patch and rename it to download.patch.
This patch applies to Ruby version **...
310 rspec-rails 1.3 compatibility fork for Rails LTS 2.3
An expectation like this will fail with Rails LTS 2.3:
should render_template(:edit)
The error will look like this:
expecting <:edit> but rendering with <"">
This is an issue with rspec-rails 1.x monkey-patching into ActionController during controller specs.
Fix
To fix this, use our compatibility fork of rspec-rails 1.3.
If you are using [Rails 2.3 LT...
311 rspec-rails 2.14 compatibility fork for Rails 3.2 LTS
With Rails 3.2 LTS your RSpec 2 controller specs might fail with an error like this:
NoMethodError:
undefined method `[]' for nil:NilClass
Fix
To fix this, use our compatibility fork of rspec-rails 2.14.
You can switch to the fork by updating your Gemfile:
gem 'rspec-rails', :git => 'https://github.com/makandra/rspec-rails.git', :branch => '2-14-lts'
Now run bundle update rspec-rails.
401 [CVE-2018-15578] Denial of Service vulnerability in Rails 3.2 LTS (Active Record)
There is a possible ReDoS (regular expression denial of service) vulnerability in the activerecord gem that is part of Rails LTS. An attacker using a specially crafted request can cause an application with certain vulnerable code to consume an excessive amount of CPU time.
Affected versions: Rails 3.2.22.9 LTS and lower, Rails 3.0.20.12 LTS and lower
Unaffected versions: Rails 2.3 LTS
Note: The flaw is also present in the official non-LTS 3.x version of Active Record, which is no longer maintained. Other non-LTS Rails versions are not af...
Change to ActiveRecord deserialization (CVE-2022-32224)
Mimicking the official change in Rails 5.1.8 to protect against CVE-2022-32224, all versions of Rails LTS try to use YAML.safe_load to deserialize database columns in ActiveRecord. This is a potential breaking change.
Background
When using something like
class MyModel < ActiveRecord::Base
  serialize :address_data
  # or alternatively
  store :settings, accessor: [:color, :homepage]
end
ActiveRecord will use YAML to serialize and deserialize data. However, YAML deserialization using YAML.load (or explicitly `YAML.unsafe...
Installation instructions for rails-ujs or jquery-ujs
We maintain several forks since [CVE-2023-23913] of rails-ujs and jquery-ujs.
Since each Rails app has a different way of handling asset packages, we introduced several new forked packages with a fix.
If you want to install one of those packages, please replace your npm package or gem with one of our forked versions.
Use the NPM package @railslts/jquery-ujs to replace the jquery-ujs NPM package, e.g. with npm install @railslts/jquery-ujs.
Use the NPM package @railslts/rails-ujs to replace the rails-ujs NPM package, e.g. with `npm...
Rack has been added to Rails LTS
Historically, the "rack" gem was not part of Rails LTS, simply because it was maintained and released separately from Ruby on Rails. However, since Rails cannot work without Rack, and since Rack did have a few minor security vulnerabilities, we have been maintaining forks of Rack on GitHub for a while.
This has now changed, and Rack is now a core gem of Rails LTS. This means:
- We are committed to maintaining and patching Rack, and will make sure it works on the same Ruby versions that Rails LTS supports.
- We will serve rack over our gem server...
Ruby 3.1 support for Rails LTS
Note
You can find the updated guide here.
We are pleased to announce that all versions of Rails LTS now support Ruby 3.1, in addition to all Ruby versions we previously supported.
As always, "support" means:
- You should not run into errors that cannot be solved without changes to Rails.
- We did our best to not require you to make too many changes.
- There will most likely be issues within your own code and with third party gems.
We have successfully upgraded a...