January 12, 2026

Transcript

Good morning, this is Rails Daily for January 13th, 2026.

Six pull requests were merged yesterday with several important fixes and improvements.

Rosa merged CSRF header-only protection compatibility for local HTTP installations. This addresses a problem where non-HTTPS local network requests were failing CSRF protection because browsers don't send the Sec-Fetch-Site header from insecure contexts. The fix allows these requests when running over HTTP without forced SSL.

Adrianna Chang from Shopify merged a change wrapping ActionController::Live config in a load hook. This prevents ActionController::Live from loading unnecessarily when ActionController is loaded, improving performance for applications that don't use Live features.

Fatkodima merged a fix for reverting change_table bulk operations with indexes. This resolves migration reversal issues when using the bulk option with index changes.

Yujiteshima merged a fix for the "invalid option: --trace" error when running railties tests. The issue occurred because Minitest was trying to parse ARGV containing trace options at exit.

Zzak merged continued cleanup of ENV leaks across multiple test files, addressing issue 56563 to prevent test environment pollution.

Tahsin merged a documentation update removing outdated Proc support references from Rails application comments.

Jean Boussier also committed additional cleanup to ActionController RequestForgeryProtection, refactoring the code structure.

What's next: The focus remains on test stability improvements and performance optimizations. CSRF protection enhancements are being refined for edge cases.

That's your Rails update for today.