[bundler] Bump actionpack from 8.0.3 to 8.1.0

[dependabot]

Bumps actionpack from 8.0.3 to 8.1.0.

Release notes

Sourced from actionpack's releases.

8.1.0

Active Support

• Remove deprecated passing a Time object to Time#since.

  Rafael Mendonça França

• Remove deprecated Benchmark.ms method. It is now defined in the benchmark gem.

  Rafael Mendonça França

• Remove deprecated addition for Time instances with ActiveSupport::TimeWithZone.

  Rafael Mendonça França

• Remove deprecated support for to_time to preserve the system local time. It will now always preserve the receiver timezone.

  Rafael Mendonça França

• Deprecate config.active_support.to_time_preserves_timezone.

  Rafael Mendonça França

• Standardize event name formatting in assert_event_reported error messages.

  The event name in failure messages now uses .inspect (e.g., name: "user.created") to match assert_events_reported and provide type clarity between strings and symbols. This only affects tests that assert on the failure message format itself.

  George Ma

• Fix Enumerable#sole to return the full tuple instead of just the first element of the tuple.

  Olivier Bellone

• Fix parallel tests hanging when worker processes die abruptly.

  Previously, if a worker process was killed (e.g., OOM killed, kill -9) during parallel test execution, the test suite would hang forever waiting for the dead worker.

  Joshua Young

• Add config.active_support.escape_js_separators_in_json.

  Introduce a new framework default to skip escaping LINE SEPARATOR (U+2028) and PARAGRAPH SEPARATOR (U+2029) in JSON.

  Historically these characters were not valid inside JavaScript literal strings but that changed in ECMAScript 2019. As such it's no longer a concern in modern browsers: https://caniuse.com/mdn-javascript_builtins_json_json_superset.

... (truncated)

Changelog

Sourced from actionpack's changelog.

Rails 8.1.0 (October 22, 2025)

• Submit test requests using as: :html with Content-Type: x-www-form-urlencoded

  Sean Doyle

• Add link-local IP ranges to ActionDispatch::RemoteIp default proxies.

  Link-local addresses (169.254.0.0/16 for IPv4 and fe80::/10 for IPv6) are now included in the default trusted proxy list, similar to private IP ranges.

  Adam Daniels

• remote_ip will no longer ignore IPs in X-Forwarded-For headers if they are accompanied by port information.

  Duncan Brown, Prevenios Marinos, Masafumi Koba, Adam Daniels

• Add action_dispatch.verbose_redirect_logs setting that logs where redirects were called from.

  Similar to active_record.verbose_query_logs and active_job.verbose_enqueue_logs, this adds a line in your logs that shows where a redirect was called from.

  Example:

  Redirected to http://localhost:3000/posts/1 ↳ app/controllers/posts_controller.rb:32:in `block (2 levels) in create' 

  Dennis Paagman

• Add engine route filtering and better formatting in bin/rails routes.

  Allow engine routes to be filterable in the routing inspector, and improve formatting of engine routing output.

  Before:

  > bin/rails routes -e engine_only No routes were found for this grep pattern. For more information about routes, see the Rails guide: https://guides.rubyonrails.org/routing.html. 

  After:

  > bin/rails routes -e engine_only Routes for application: No routes were found for this grep pattern. For more information about routes, see the Rails guide: https://guides.rubyonrails.org/routing.html. 
  

... (truncated)

Commits

• 1cdd190 Preparing for 8.1.0 release
• 62a109a Merge pull request #55947 from c0nspiracy/patch-1
• 0777f23 Merge pull request #55921 from skipkayhil/hm-ykpyzlmxovpttksv
• 4663af7 Merge pull request #55922 from Shopify/event_subscriber_additionss
• ca45ef1 Remove mention of raise_on_open_redirects from doc
• aebfa8b Merge pull request #55916 from skipkayhil/hm-notxxwqnxqlzzpku
• c44b9ed Merge pull request #50390 from seanpdoyle/issue-50345
• b4c069b Merge pull request #55906 from yahonda/ruby350-source-location-55889
• 1ace683 Preparing for 8.1.0.rc1 release
• 3001e18 Merge pull request #55904 from rails/rm-event-subscriber
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	actionpack@​8.0.3 ⏵ 8.1.0

View full report

[dependabot]

Superseded by #131.