Bump actionpack from 6.1.4.4 to 7.0.0

Created by: dependabot[bot]

Bumps actionpack from 6.1.4.4 to 7.0.0.

Release notes

Sourced from actionpack's releases.

7.0.0

Action Cable

• The Action Cable client now ensures successful channel subscriptions:

  • The client maintains a set of pending subscriptions until either the server confirms the subscription or the channel is torn down.
  • Rectifies the race condition where an unsubscribe is rapidly followed by a subscribe (on the same channel identifier) and the requests are handled out of order by the ActionCable server, thereby ignoring the subscribe command.

  Daniel Spinosa

• Compile ESM package that can be used directly in the browser as actioncable.esm.js.

  DHH

• Move action_cable.js to actioncable.js to match naming convention used for other Rails frameworks, and use JS console to communicate the deprecation.

  DHH

• Stop transpiling the UMD package generated as actioncable.js and drop the IE11 testing that relied on that.

  DHH

• Truncate broadcast logging messages.

  J Smith

• OpenSSL constants are now used for Digest computations.

  Dirkjan Bussink

• The Action Cable client now includes safeguards to prevent a "thundering herd" of client reconnects after server connectivity loss:

  • The client will wait a random amount between 1x and 3x of the stale threshold after the server's last ping before making the first reconnection attempt.
  • Subsequent reconnection attempts now use exponential backoff instead of logarithmic backoff. To allow the delay between reconnection attempts to increase slowly at first, the default exponentiation base is < 2.
  • Random jitter is applied to each delay between reconnection attempts.

  Jonathan Hefner

Action Mailbox

• Removed deprecated environment variable MAILGUN_INGRESS_API_KEY.

... (truncated)

Changelog

Sourced from actionpack's changelog.

Rails 7.0.0 (December 15, 2021)

• Deprecate Rails.application.config.action_controller.urlsafe_csrf_tokens. This config is now always enabled.

  Étienne Barrié

• Instance variables set in requests in a ActionController::TestCase are now cleared before the next request

  This means if you make multiple requests in the same test, instance variables set in the first request will not persist into the second one. (It's not recommended to make multiple requests in the same test.)

  Alex Ghiculescu

Rails 7.0.0.rc3 (December 14, 2021)

• No changes.

Rails 7.0.0.rc2 (December 14, 2021)

• Fix X_FORWARDED_HOST protection. [CVE-2021-44528]

Rails 7.0.0.rc1 (December 06, 2021)

• Rails.application.executor hooks can now be called around every request in a ActionController::TestCase

  This helps to better simulate request or job local state being reset between requests and prevent state leaking from one request to another.

  To enable this, set config.active_support.executor_around_test_case = true (this is the default in Rails 7).

  Alex Ghiculescu

• Consider onion services secure for cookies.

  Justin Tracey

• Remove deprecated Rails.config.action_view.raise_on_missing_translations.

  Rafael Mendonça França

• Remove deprecated support to passing a path to fixture_file_upload relative to fixture_path.

  Rafael Mendonça França

• Remove deprecated ActionDispatch::SystemTestCase#host!.

  Rafael Mendonça França

• Remove deprecated Rails.config.action_dispatch.hosts_response_app.

... (truncated)

Commits

• 984c3ef Preparing for 7.0.0 release
• 8943a91 Merge pull request #43883 from rails/dup-converted-arrays
• 67a8028 Merge pull request #43882 from rails/rm-allow-ip-with-port
• 6c85f3b Merge pull request #43871 from rails/rm-fix-hosts-with-port
• aa1c8fc Fix ruby warnings
• 87cd782 Add CHANGELOG entry for #43817
• 51e6542 Merge pull request #43817 from etiennebarrie/deprecate-non-url-safe-csrf-tokens
• fa107f2 Merge pull request #43836 from donv/patch-1
• 797ac0c Merge branch '7-0-sec' into 7-0-stable
• 834cc1a Preparing for 7.0.0.rc3 release
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)