The Wire · Showcase
Rails hardens CurrentAttributes isolation, ships composite key value object
By RepoJournal · Filed · About Rails
A critical fix prevents request state leakage in CurrentAttributes, while new composite key infrastructure consolidates scattered logic across the ORM.
Rails plugged a dangerous isolation hole in CurrentAttributes by rejecting :attributes as a declared attribute name [1]. Declaring an attribute with that name shadowed the internal reader/writer that reset() relies on, causing per-request state to leak across requests. The INVALID_ATTRIBUTE_NAMES denylist had caught most problematic names, but :attributes slipped through. This ships as a safeguard against subtle, production-grade state corruption bugs.
On the composite key front, Rails introduced ActiveRecord::PrimaryKey, a value object that ends the scattered `is_a?(Array)` checks littering finders, relations, associations, and counter cache logic [2]. Each site was rebuilding where hashes, type casts, and primary key inference independently. The value object encapsulates the single-column vs. composite distinction behind a clean interface (`composite?`, `col`), with follow-up commits applying it across remaining branches [4] [5].
Rails is also laying groundwork for Ractor safety by introducing a preparation mechanism for applications to make their procs shareable [3]. This addresses edge cases where application code prevents Rails from automatically making procs Ractor-safe, which will matter as concurrency tooling matures.
Action items
- → Review CurrentAttributes usage if you declare custom attributes; reject :attributes as a name rails/rails [plan]
- → Track composite key value object refactor if you maintain composite key code; the interface is now stable rails/rails [monitor]
- → Audit route resolution procs for Ractor isolation if you target concurrent Ruby releases rails/rails [monitor]
References
- [1] Reject attribute names that shadow CurrentAttributes methods rails/rails
- [2] Introduce ActiveRecord::PrimaryKey value object for composite keys rails/rails
- [3] Introduce a new mechanism for applications to prepare for ractor safety ↗ rails/rails
- [4] Refactor Composite Primary Key implementation by using polymorphism ↗ rails/rails
- [5] Apply PrimaryKey value object to remaining composite-key branches rails/rails
FAQ
- What changed in Rails on June 12, 2026?
- A critical fix prevents request state leakage in CurrentAttributes, while new composite key infrastructure consolidates scattered logic across the ORM.
- What should Rails teams do about it?
- Review CurrentAttributes usage if you declare custom attributes; reject :attributes as a name • Track composite key value object refactor if you maintain composite key code; the interface is now stable • Audit route resolution procs for Ractor isolation if you target concurrent Ruby releases
- Which Rails repositories shipped on June 12, 2026?
- rails/rails