Ruby on Rails

Ruby on Rails: Security Hardening and Performance Fixes

Eight pull requests merged focusing on Action Mailbox security improvements, number formatting bug fixes, and PostgreSQL performance optimizations. Key changes include malformed signature rejection and non-finite float handling corrections.

Duration: 2:03

https://podlog.io/listen/ruby-on-rails-87e2c2b6/episode/ruby-on-rails-security-hardening-and-performance-fixes-17bf21c9

Transcript

Good morning. This is your Ruby on Rails development briefing for May 28th, 2026.

The Rails team merged eight pull requests yesterday addressing security vulnerabilities and performance issues across multiple components.

Two critical security fixes landed in Action Mailbox. afurm merged improvements to reject malformed original recipients from Mailgun and Postmark ingresses, preventing TypeError exceptions when optional parameters are present but malformed. The same contributor also fixed malformed Mailgun signature handling, ensuring array-shaped signature parameters trigger proper authentication failures rather than raising exceptions.

Active Support received two number formatting bug fixes from contributor 55728. The first resolves a regression where `number_to_delimited` was incorrectly formatting infinity values as "In,fin,ity" instead of "Infinity". The second ensures consistent formatting of non-finite numbers in NumberHelper's significant mode.

matthewd optimized PostgreSQL timezone handling, implementing a smarter approach that only sets timezone parameters when needed and treats variable keys case-insensitively. This follows up on previous PostgreSQL adapter improvements.

byroot refactored ActiveJob's TestHelper to eliminate performance bottlenecks by removing the need to walk through all ActiveJob descendants during teardown, storing overrides in efficient data structures instead.

Edilbek continued test simplification work, converting more ActiveRecord tests to use NotificationAssertions helpers instead of manual ActiveSupport::Notifications patterns. bensheldon improved Action Mailer documentation and testing around abort behavior in before_action callbacks.

What's next: These changes strengthen Rails' security posture and resolve performance regressions. The PostgreSQL optimizations should improve database connection efficiency for applications using timezone-aware queries.

That's your Rails briefing. More updates tomorrow.
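The Mailgun signature fix described in the briefing comes down to one defensive rule: a webhook parameter that arrives in the wrong shape (an Array instead of a String, for instance) must produce a normal authentication failure, not an unhandled TypeError. The following is an added illustration of that rule, written for this page; it is not Action Mailbox's own ingress code. It assumes the Mailgun scheme of an HMAC-SHA256 over the concatenated timestamp and token, checked with a constant-time comparison; the signing key and the parameter hashes are constructed for the example.

```ruby
require "openssl"

# Constructed signing key for the example (a real deployment reads its own secret).
EXAMPLE_SIGNING_KEY = "example-signing-key".freeze

# Compute a Mailgun-style signature: hex HMAC-SHA256 of "#{timestamp}#{token}".
# Used here only to build test inputs; the webhook sender normally does this.
def mailgun_sign(timestamp, token, key: EXAMPLE_SIGNING_KEY)
  OpenSSL::HMAC.hexdigest("SHA256", key, timestamp + token)
end

# Constant-time comparison of two strings of equal byte length.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Return true only for a well-formed, correctly signed parameter set.
# Any parameter that is missing, empty or not a plain String (an Array-shaped
# "signature" is the case the briefing describes) yields false rather than
# raising, so the caller can answer with a normal 401.
def mailgun_signature_valid?(params, key: EXAMPLE_SIGNING_KEY)
  timestamp = params["timestamp"]
  token     = params["token"]
  signature = params["signature"]

  # Shape check first: String#+ and OpenSSL::HMAC would raise TypeError on an Array.
  return false unless [timestamp, token, signature].all? { |v| v.is_a?(String) && !v.empty? }

  expected = mailgun_sign(timestamp, token, key: key)
  secure_compare(expected, signature)
end

if __FILE__ == $PROGRAM_NAME
  ts, tok = "1700000000", "abc123"
  good = { "timestamp" => ts, "token" => tok, "signature" => mailgun_sign(ts, tok) }
  bad  = good.merge("signature" => [good["signature"]]) # Array-shaped parameter
  puts "well-formed: #{mailgun_signature_valid?(good)}"  # true
  puts "array-shaped: #{mailgun_signature_valid?(bad)}"  # false, no exception
end
```

The shape check runs before any cryptographic call so that malformed input and a wrong signature are indistinguishable to the sender: both end in the same failed-authentication path.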
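The `number_to_delimited` regression mentioned for Active Support is a good example of why formatting code has to check for non-finite floats before touching digits. The block below is an added illustration written for this page, not Rails' NumberHelper: a naive delimiter that chunks the string form of any value reproduces the "In,fin,ity" output, and a corrected version returns Infinity, -Infinity and NaN unchanged while still delimiting the integer part of finite numbers. The function names are the example's own.

```ruby
# Naive delimiter: reverse the string, chunk into threes, join, reverse back.
# Applied to Float::INFINITY this yields "In,fin,ity" because it never asks
# whether the value is a finite number at all.
def naive_delimited(number, delimiter: ",")
  number.to_s.reverse.scan(/.{1,3}/).join(delimiter).reverse
end

# Corrected delimiter: non-finite floats pass through as their plain string
# form; finite values get a thousands delimiter in the integer part only and
# keep any fractional part after the separator.
def number_to_delimited(number, delimiter: ",", separator: ".")
  return number.to_s if number.is_a?(Float) && !number.finite?

  int_part, frac_part = number.to_s.split(".", 2)
  int_part = int_part.gsub(/(\d)(?=(\d{3})+(?!\d))/) { "#{$1}#{delimiter}" }
  frac_part ? "#{int_part}#{separator}#{frac_part}" : int_part
end

if __FILE__ == $PROGRAM_NAME
  puts naive_delimited(Float::INFINITY)      # "In,fin,ity"
  puts number_to_delimited(Float::INFINITY)  # "Infinity"
  puts number_to_delimited(1234567)          # "1,234,567"
  puts number_to_delimited(-1234.5)          # "-1,234.5"
end
```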