[bundler] Bump the monthly group with 2 updates

[dependabot]

Bumps the monthly group with 2 updates: actionpack and actionview.

Updates actionpack from 8.0.3 to 8.1.0

Release notes

Sourced from actionpack's releases.

8.1.0

Active Support

• Remove deprecated passing a Time object to Time#since.

  Rafael Mendonça França

• Remove deprecated Benchmark.ms method. It is now defined in the benchmark gem.

  Rafael Mendonça França

• Remove deprecated addition for Time instances with ActiveSupport::TimeWithZone.

  Rafael Mendonça França

• Remove deprecated support for to_time to preserve the system local time. It will now always preserve the receiver timezone.

  Rafael Mendonça França

• Deprecate config.active_support.to_time_preserves_timezone.

  Rafael Mendonça França

• Standardize event name formatting in assert_event_reported error messages.

  The event name in failure messages now uses .inspect (e.g., name: "user.created") to match assert_events_reported and provide type clarity between strings and symbols. This only affects tests that assert on the failure message format itself.

  George Ma

• Fix Enumerable#sole to return the full tuple instead of just the first element of the tuple.

  Olivier Bellone

• Fix parallel tests hanging when worker processes die abruptly.

  Previously, if a worker process was killed (e.g., OOM killed, kill -9) during parallel test execution, the test suite would hang forever waiting for the dead worker.

  Joshua Young

• Add config.active_support.escape_js_separators_in_json.

  Introduce a new framework default to skip escaping LINE SEPARATOR (U+2028) and PARAGRAPH SEPARATOR (U+2029) in JSON.

  Historically these characters were not valid inside JavaScript literal strings but that changed in ECMAScript 2019. As such it's no longer a concern in modern browsers: https://caniuse.com/mdn-javascript_builtins_json_json_superset.

... (truncated)

Changelog

Sourced from actionpack's changelog.

Rails 8.1.0 (October 22, 2025)

• Submit test requests using as: :html with Content-Type: x-www-form-urlencoded

  Sean Doyle

• Add link-local IP ranges to ActionDispatch::RemoteIp default proxies.

  Link-local addresses (169.254.0.0/16 for IPv4 and fe80::/10 for IPv6) are now included in the default trusted proxy list, similar to private IP ranges.

  Adam Daniels

• remote_ip will no longer ignore IPs in X-Forwarded-For headers if they are accompanied by port information.

  Duncan Brown, Prevenios Marinos, Masafumi Koba, Adam Daniels

• Add action_dispatch.verbose_redirect_logs setting that logs where redirects were called from.

  Similar to active_record.verbose_query_logs and active_job.verbose_enqueue_logs, this adds a line in your logs that shows where a redirect was called from.

  Example:

  Redirected to http://localhost:3000/posts/1 ↳ app/controllers/posts_controller.rb:32:in `block (2 levels) in create' 

  Dennis Paagman

• Add engine route filtering and better formatting in bin/rails routes.

  Allow engine routes to be filterable in the routing inspector, and improve formatting of engine routing output.

  Before:

  > bin/rails routes -e engine_only No routes were found for this grep pattern. For more information about routes, see the Rails guide: https://guides.rubyonrails.org/routing.html. 

  After:

  > bin/rails routes -e engine_only Routes for application: No routes were found for this grep pattern. For more information about routes, see the Rails guide: https://guides.rubyonrails.org/routing.html. 
  

... (truncated)

Commits

• 1cdd190 Preparing for 8.1.0 release
• 62a109a Merge pull request #55947 from c0nspiracy/patch-1
• 0777f23 Merge pull request #55921 from skipkayhil/hm-ykpyzlmxovpttksv
• 4663af7 Merge pull request #55922 from Shopify/event_subscriber_additionss
• ca45ef1 Remove mention of raise_on_open_redirects from doc
• aebfa8b Merge pull request #55916 from skipkayhil/hm-notxxwqnxqlzzpku
• c44b9ed Merge pull request #50390 from seanpdoyle/issue-50345
• b4c069b Merge pull request #55906 from yahonda/ruby350-source-location-55889
• 1ace683 Preparing for 8.1.0.rc1 release
• 3001e18 Merge pull request #55904 from rails/rm-event-subscriber
• Additional commits viewable in compare view

Updates actionview from 8.0.3 to 8.1.0

Release notes

Sourced from actionview's releases.

8.1.0

Active Support

• Remove deprecated passing a Time object to Time#since.

  Rafael Mendonça França

• Remove deprecated Benchmark.ms method. It is now defined in the benchmark gem.

  Rafael Mendonça França

• Remove deprecated addition for Time instances with ActiveSupport::TimeWithZone.

  Rafael Mendonça França

• Remove deprecated support for to_time to preserve the system local time. It will now always preserve the receiver timezone.

  Rafael Mendonça França

• Deprecate config.active_support.to_time_preserves_timezone.

  Rafael Mendonça França

• Standardize event name formatting in assert_event_reported error messages.

  The event name in failure messages now uses .inspect (e.g., name: "user.created") to match assert_events_reported and provide type clarity between strings and symbols. This only affects tests that assert on the failure message format itself.

  George Ma

• Fix Enumerable#sole to return the full tuple instead of just the first element of the tuple.

  Olivier Bellone

• Fix parallel tests hanging when worker processes die abruptly.

  Previously, if a worker process was killed (e.g., OOM killed, kill -9) during parallel test execution, the test suite would hang forever waiting for the dead worker.

  Joshua Young

• Add config.active_support.escape_js_separators_in_json.

  Introduce a new framework default to skip escaping LINE SEPARATOR (U+2028) and PARAGRAPH SEPARATOR (U+2029) in JSON.

  Historically these characters were not valid inside JavaScript literal strings but that changed in ECMAScript 2019. As such it's no longer a concern in modern browsers: https://caniuse.com/mdn-javascript_builtins_json_json_superset.

... (truncated)

Changelog

Sourced from actionview's changelog.

Rails 8.1.0 (October 22, 2025)

• The BEGIN template annotation/comment was previously printed on the same line as the following element. We now insert a newline inside the comment so it spans two lines without adding visible whitespace to the HTML output to enhance readability.

  Before:

  <!-- BEGIN /Users/siaw23/Desktop/rails/actionview/test/fixtures/actionpack/test/greeting.html.erb --><p>This is grand!</p> 

  After:

  <!-- BEGIN /Users/siaw23/Desktop/rails/actionview/test/fixtures/actionpack/test/greeting.html.erb --><p>This is grand!</p> 

  Emmanuel Hayford

• Add structured events for Action View:

  • action_view.render_template
  • action_view.render_partial
  • action_view.render_layout
  • action_view.render_collection
  • action_view.render_start

  Gannon McGibbon

• Fix label with for option not getting prefixed by form namespace value

  Abeid Ahmed, Hartley McGuire

• Add fetchpriority to Link headers to match HTML generated by preload_link_tag.

  Guillermo Iguaran

• Add CSP nonce to Link headers generated by preload_link_tag.

  Alexander Gitter

• Allow current_page? to match against specific HTTP method(s) with a method: option.

  Ben Sheldon

• Remove autocomplete="off" on hidden inputs generated by the following tags:

  • form_tag, token_tag, method_tag

  As well as the hidden parameter fields included in button_to, check_box, select (with multiple) and file_field forms.

  nkulway

... (truncated)

Commits

• 1cdd190 Preparing for 8.1.0 release
• 1ace683 Preparing for 8.1.0.rc1 release
• d6f9f62 Make the Structured Event Subscriber emit events in format that are useful fo...
• 4ae5bfc Place template annotation on a separate line
• 7d12071 Micro optimize ActiveRecord::RuntimeRegistry
• d2518fa Merge pull request #55748 from Shopify/event_with_debug_helper
• 1e77699 Make all framework log subscribers API private
• 78857a3 Introduce with_debug_event_reporting to enable event reporter debug mode
• ebb01c5 Emit only one structured event per notification event
• b8d8b55 Merge pull request #55738 from skipkayhil/hm-nkxzsnnrqqlyrotw
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	actionpack@​8.0.3 ⏵ 8.1.0

View full report

[dependabot]

Superseded by #134.