Rails Daily

Rails Daily: Security Fixes and Performance Improvements

Rails merged eight pull requests focused on security hardening for Action Mailbox, performance optimizations for ActiveJob testing, and bug fixes for number formatting helpers.

Duration: 1 minute 53 seconds

https://podlog.io/listen/rails-daily-a67c65cf/episode/rails-daily-security-fixes-and-performance-improvements-99869941

Transcript

Good morning. This is Rails Daily for May 28th, 2026.

The Rails team merged eight pull requests yesterday, with security and performance taking center stage.

Security improvements dominated Action Mailbox updates. afurm merged two critical fixes - one rejecting malformed original recipients from Mailgun and Postmark ingresses, and another blocking malformed Mailgun signatures that could cause authentication bypasses. Both changes return proper HTTP 422 and 401 responses instead of raising exceptions.

On the performance front, byroot refactored ActiveJob's TestHelper to eliminate expensive descendant walking during teardown. The change replaces class attributes with O(1) data structures, addressing reported performance issues in large test suites.

Matthew Draper optimized PostgreSQL timezone handling, ensuring the adapter only sets timezone parameters when actually needed. The fix includes case-insensitive parameter status checking for better compatibility.

Number formatting got attention with two bug fixes from contributor 55728. The first prevents number_to_delimited from mangling infinity values into "In,fin,ity", while the second ensures consistent formatting of non-finite numbers in significant digit mode.

Testing improvements came from Edilbek, who continued simplifying ActiveRecord tests by replacing manual notification subscriptions with NotificationAssertions helpers across asynchronous queries and connection pool tests.

Finally, bensheldon enhanced Action Mailer documentation and testing around before_action abort behavior, providing clearer guidance for callback handling.

What's next: Watch for continued Action Mailbox security hardening and potential follow-ups to the ActiveJob performance improvements.

That's your Rails update. I'm back tomorrow.