Hi, it’s Emmanuel Hayford. Here’s a look at the highlights from this week’s updates to the Rails codebase.

Allow retry_on wait procs to accept error as a second argument
This PR adds support for retry_on wait procs to optionally receive the error as a second argument, enabling dynamic retry strategies based on error properties.

class RemoteServiceJob < ActiveJob::Base
  retry_on CustomError, wait: ->(executions, error) { error.retry_after || executions * 2 }

  def perform
    # ...
  end
end

Procs with arity 0 or 1 continue to receive only the execution count, maintaining backwards compatibility.

Make CSRF header-only protection compatible with local installs using HTTP
This change allows requests with missing Sec-Fetch-Site headers if they happen over HTTP and the app is not configured to force SSL. The Origin check always happens in any case.

Remove X-XSS-Protection from default headers
The X-XSS-Protection header has been removed from the default headers as modern browsers no longer support it.

Deprecate protect_from_forgery without explicit strategy
When protect_from_forgery is called without arguments, it defaults to :null_session. However, when config.action_controller.default_protect_from_forgery is enabled, it uses :exception. This inconsistency is now deprecated to encourage explicit strategy declaration.

Wrap setting ActionController::Live config in load hook
This change wraps the ActionController::Live configuration setting in a load hook, ensuring proper initialization timing.

Add PostgreSQLAdapter.register_type_mapping
Gems adding types to PostgreSQL (like PostGIS or pgvector) previously had to monkey-patch the adapter. This PR adds a cleaner public interface for registering custom type mappings.

Override inspect in Combined, Env & Encrypted Configurations
Previously, inspecting configuration objects would expose all sensitive data including ENV variables and credentials. Now only key names are shown:

# Before
Rails.app.creds
#<ActiveSupport::CombinedConfiguration:0x... @configurations=[... "SOME_SECRET" => "secret_value" ...]>

# After
Rails.app.creds
#<ActiveSupport::CombinedConfiguration:0x... keys=[:rails_env, :some_secret, :secret_key_base]>

Memoize IAM client and set authorization to ADC for GCS Active Storage service
This PR restores the previous behaviour where Application Default Credentials (ADC) is used when iam: true is set, while avoiding excessive ADC calls by memoizing the client. Calls are only made at instantiation time and when credentials expire.

Make ActiveStorage::Service responsible for checksums
S3, GCS, and Azure all support file integrity checksums beyond MD5, which cannot be used in FIPS-compliant environments. This PR moves checksum calculation to the storage service class, enabling support for additional algorithms like SHA256 for the S3 service, including direct uploads.

Deprecate built-in ActiveJob backburner adapter
As part of the ongoing cleanup of legacy adapters from Active Job, the built-in Backburner adapter has been deprecated.

You can view the whole list of changes here. We had 36 contributors to the Rails codebase this past week!

Until next time!

Subscribe to get these updates mailed to you.