Week of January 06 - January 13, 2026

Transcript

Good morning. This is your Rails Daily weekly recap for January 6th through 13th, 2026.

33 pull requests merged with 35 additional commits this week.

**Ruby Compatibility and Infrastructure**

Rails continues modernizing its codebase. PR 56527 removed Ruby compatibility code for versions below 3.3, eliminating outdated checks for SecureRandom parameters, Range overlap methods, and Fiber kill functionality. The Gemfile also dropped explicit Rake version constraints since Ruby 3.3 bundles Rake 13.1.0.

System tests were removed from the default CI template, moving them to a commented section since new Rails applications no longer generate system tests by default.

**Security Updates**

Two significant CSRF protection changes landed. Rails now deprecates calling `protect_from_forgery` without an explicit strategy parameter. The header-only CSRF protection received compatibility improvements for local HTTP installations, allowing requests with missing Sec-Fetch-Site headers when SSL isn't forced.

The X-XSS-Protection header was removed from Rails' default security headers, reflecting current web security best practices.

**Database Improvements**

PostgreSQL received several enhancements. A new `register_type_mapping` method provides a cleaner interface for gems to add custom types, replacing monkey-patching approaches. Schema search path handling was fixed after reconnects and resets. The schema dumper now correctly handles relation names and non-autoincrement integer primary keys.

SQLite3 schema dumping was corrected for non-autoincrement integer primary keys, ensuring `default: nil` options are preserved during schema restoration.

**Active Record and Arel**

Arel TreeManagers can now use their table's engine automatically, eliminating the need to explicitly pass engines to `to_sql` calls. Case-sensitive operators were added to improve uniqueness validation query building.

Migration improvements include fixes for reverting `change_table bulk: true` operations with table prefixes, suffixes, and indexes.

**Active Storage and Testing**

Google Cloud Storage service received IAM client memoization and Application Default Credentials authorization. The bug report template for Action View was enhanced with better template rendering examples.

Testing infrastructure saw ENV leak cleanup and improved version manager tests for rbenv and rvm environments.

**Documentation**

Multiple documentation fixes addressed API examples in humanize methods, Active Record finder methods, and migration guides. The authentication generator test template received minor improvements.

Next week expect continued refinements to the new CSRF protection defaults and potential PostgreSQL adapter enhancements.

That's your Rails Daily weekly recap. Stay updated at railsdaily.com.