Hi, Wojtek here. Let’s see what’s new in the Rails on this finally sunny day (at least in my corner of the world ;-)
Query command for read-only database queries
Adds rails query — a read-only database query command with structured JSON output.
rails query "Account.where(plan: 'premium').limit(2)"
{
"columns": ["id", "name", "plan", "created_at"],
"rows": [
[1, "Acme", "premium", "2025-01-15T10:30:00Z"],
[2, "Widgets Co", "premium", "2025-03-22T14:00:00Z"]
],
"meta": {
"row_count": 2,
"query_time_ms": 4.2,
"page": 1,
"per_page": 100,
"has_more": false,
"sql": "SELECT \"accounts\".* FROM \"accounts\" WHERE \"accounts\".\"plan\" = 'premium' LIMIT 2"
}
}
There are many more possibilities and additional subcommands available, such as query schema, query models, and query explain.
Add charset=utf-8 to Content-Type for static CSS and HTML files
ActionDispatch::FileHandler#try_files now appends ; charset=utf-8 to the Content-Type header for CSS and HTML static files.
This is consistent with the rest of the Rails stack, which already assumes UTF-8 in all possible places.
Add offline fallback page to the PWA scaffold
New Rails apps now include an app/views/pwa/offline.html.erb template and a commented get “offline” route, alongside the existing manifest and service worker. The service worker template also includes a commented example for caching and serving the offline page.
Rewrite the Layouts and Rendering guide
New documentation pull request awaiting community review.
Fix IO copy stream writing to Action Controller Live Buffer
In addition to the fix, return the number of bytes written from write method.
Fix reset_counters when using string IDs
The fix brings consistency with other Active Record methods that already accepted string IDs.
Use hash lookup for exact-match regexp filters in ParameterFilter
When ParameterFilter is initialized with anchored regexp filters like /^code$/ or /\Atoken\z/, extract the literal string and store it in a Hash for O(1) lookup instead of iterating all regexps with .any?.
Make the warning about Active Storage redirect and proxy mode stronger
The existing documentation implied that the “hard to guess” URLs Active Storage generates provides some sort of access control. This is not the case. Rather, as they rely on ActiveRecord::SignedId, they’re tamper proof and don’t expose the underlying id.
The security risk of using these URLs isn’t that someone will guess them. Rather, it is if the URLs are ever leaked, the files will be exposed.
You can view the whole list of changes here.
We had 12 contributors to the Rails codebase this past week!
Until next time!
Subscribe to get these updates mailed to you.