🚨 [security] Update activestorage 8.0.2 → 8.0.2.1 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ activestorage (indirect, 8.0.2 → 8.0.2.1) · Repo · Changelog

Security Advisories 🚨

🚨 Active Storage allowed transformation methods that were potentially unsafe

Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default.

The default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters.

This has been assigned the CVE identifier CVE-2025-24293.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.1.5.2, 7.2.2.2, 8.0.2.1

Impact

This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor.

Vulnerable code will look something similar to this:

<%= image_tag blob.variant(params[:t] => params[:v]) %>

Where the transformation method or its arguments are untrusted arbitrary input.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.

Strict validation of user supplied methods and parameters should be performed as well as having a strong ImageMagick security policy deployed.

Credits

Thank you lio346 for reporting this!

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 8.0.2.1 release
• Update CHANGELOGs
• Call inspect on ids in RecordNotFound error
• Active Storage: Remove dangerous transformations

✳️ base64 (0.2.0 → 0.3.0) · Repo

Release Notes

0.3.0

What's Changed

• Provide a 'Changelog' link on rubygems.org/gems/base64 by @mark-young-atg in #18
• Exclude older than 2.6 on macos-14 by @nobu in #21
• Add RBS signature and testing by @ksss in #25
• Enabled trusted publisher for rubygems.org by @hsbt in #29
• [DOC] Tweaks for module Base64 by @BurdetteLamar in #23

New Contributors

• @mark-young-atg made their first contribution in #18
• @nobu made their first contribution in #21
• @ksss made their first contribution in #25

Full Changelog: v0.2.0...v0.3.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

• v0.3.0
• [DOC] Tweaks for module Base64
• Enabled trusted publisher for rubygems.org
• Add RBS signature and testing (#25)
• Update file list on gemspec
• Update license files same as ruby/ruby
• Merge pull request #21 from ruby/old-version-on-macos
• Exclude older than 2.6 on macos-14
• Merge pull request #18 from mark-young-atg/provide_changelog_link_on_rubygems
• Provide a 'Changelog' link on rubygems.org/gems/base64

✳️ benchmark (0.4.0 → 0.4.1) · Repo

Release Notes

0.4.1

What's Changed

• Document that default FORMAT includes total time by @paarthmadan in #12

New Contributors

• @paarthmadan made their first contribution in #12

Full Changelog: v0.4.0...v0.4.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 19 commits:

• v0.4.1
• Merge pull request #12 from paarthmadan/correct-format-documentation
• Merge pull request #33 from ruby/dependabot/github_actions/step-security/harden-runner-2.12.0
• Bump step-security/harden-runner from 2.11.1 to 2.12.0
• Merge pull request #32 from ruby/dependabot/github_actions/step-security/harden-runner-2.11.1
• Bump step-security/harden-runner from 2.11.0 to 2.11.1
• Merge pull request #31 from ruby/dependabot/github_actions/step-security/harden-runner-2.11.0
• Bump step-security/harden-runner from 2.10.4 to 2.11.0
• Merge pull request #30 from ruby/dependabot/github_actions/step-security/harden-runner-2.10.4
• Bump step-security/harden-runner from 2.10.3 to 2.10.4
• Merge pull request #29 from ruby/dependabot/github_actions/step-security/harden-runner-2.10.3
• Bump step-security/harden-runner from 2.10.2 to 2.10.3
• Merge pull request #28 from ruby/dependabot/github_actions/rubygems/release-gem-1.1.1
• Bump rubygems/release-gem from 1.1.0 to 1.1.1
• Fixed version number of rubygems/release-gem
• Merge pull request #26 from ruby/dependabot/github_actions/rubygems/release-gem-9e85cb11501bebc2ae661c1500176316d3987059
• Merge pull request #27 from ruby/dependabot/github_actions/step-security/harden-runner-2.10.2
• Bump step-security/harden-runner from 2.10.1 to 2.10.2
• Bump rubygems/release-gem

✳️ bigdecimal (3.1.9 → 3.2.2) · Repo · Changelog

Release Notes

3.2.2

What's Changed

• Make precision calculation in bigdecimal.div(value, 0) gc-compaction safe by @tompng in #339

Full Changelog: v3.2.1...v3.2.2

3.2.1

What's Changed

• Enabled trusted publisher for rubygems.org by @hsbt in #333
• Fix division precision limit by @tompng in #335

Full Changelog: v3.2.0...v3.2.1

3.2.0

What's Changed

• Fix spec NoMethodError message for .allocator on truffle Ruby by @mrzasa in #313
• Remove outdated BigMath.atan document that refers to convergence by @tompng in #318
• Add a precision assertion to BigMath test by @tompng in #316
• Use Ractor#value as Ractor#take is removed by @ko1 in #327
• Indent multiline call-seq comment by @tompng in #311
• Integrate BigDecimal_div and BigDecimal_div2 by @tompng in #329
• Fix division rounding by @tompng in #330

New Contributors

• @tompng made their first contribution in #318
• @ko1 made their first contribution in #327

Full Changelog: v3.1.9...v3.2.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 21 commits:

• Bump version to 3.2.2
• Update CHANGES for 3.2.2
• Make precision calculation in bigdecimal.div(value, 0) gc-compaction safe (#339)
• Bump version to 3.2.1
• CHANGES: Add v3.2.1 entries
• Merge pull request #335 from tompng/div_with_preclimit_fix
• Apply preclimit in BigDecimal_div2 when specified prec is 0
• Enabled trusted publisher for rubygems.org (#333)
• Bump version to 3.2.0
• Add dev:version:bump rake task
• CHANGES: Add v3.2.0 entries
• Fix division rounding (#330)
• Integrate BigDecimal_div and BigDecimal_div2 (#329)
• [DOC] Indent multiline call-seq comment (#311)
• Merge pull request #327 from ko1/ractor_value
• Use `Ractor#value` as `Ractor#take` is removed
• Add a precision assertion to BigMath test (#316)
• Merge pull request #318 from tompng/rm_atan_convergence_comment
• Merge pull request #313 from mrzasa/fix-no-allocator-on-truffle
• Remove outdated BigMath.atan document that referrs to convergence
• Fix spec NoMethodError message for .allocator on truffle Ruby

✳️ rails (8.0.2 → 8.0.2.1) · Repo

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 8.0.2.1 release
• Update CHANGELOGs
• Call inspect on ids in RecordNotFound error
• Active Storage: Remove dangerous transformations

↗️ actioncable (indirect, 8.0.2 → 8.0.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 8.0.2.1 release
• Update CHANGELOGs
• Call inspect on ids in RecordNotFound error
• Active Storage: Remove dangerous transformations

↗️ actionmailbox (indirect, 8.0.2 → 8.0.2.1) · Repo · Changelog

↗️ actionmailer (indirect, 8.0.2 → 8.0.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 8.0.2.1 release
• Update CHANGELOGs
• Call inspect on ids in RecordNotFound error
• Active Storage: Remove dangerous transformations

↗️ actionpack (indirect, 8.0.2 → 8.0.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 8.0.2.1 release
• Update CHANGELOGs
• Call inspect on ids in RecordNotFound error
• Active Storage: Remove dangerous transformations

↗️ actiontext (indirect, 8.0.2 → 8.0.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 8.0.2.1 release
• Update CHANGELOGs
• Call inspect on ids in RecordNotFound error
• Active Storage: Remove dangerous transformations

↗️ actionview (indirect, 8.0.2 → 8.0.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 8.0.2.1 release
• Update CHANGELOGs
• Call inspect on ids in RecordNotFound error
• Active Storage: Remove dangerous transformations

↗️ activejob (indirect, 8.0.2 → 8.0.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 8.0.2.1 release
• Update CHANGELOGs
• Call inspect on ids in RecordNotFound error
• Active Storage: Remove dangerous transformations

↗️ activemodel (indirect, 8.0.2 → 8.0.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 8.0.2.1 release
• Update CHANGELOGs
• Call inspect on ids in RecordNotFound error
• Active Storage: Remove dangerous transformations

↗️ activerecord (indirect, 8.0.2 → 8.0.2.1) · Repo · Changelog

Security Advisories 🚨

🚨 Active Record logging vulnerable to ANSI escape injection

This vulnerability has been assigned the CVE identifier CVE-2025-55193

Impact

The ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences.

Releases

The fixed releases are available at the normal locations.

Credits

Thanks to lio346 for reporting this vulnerability

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 8.0.2.1 release
• Update CHANGELOGs
• Call inspect on ids in RecordNotFound error
• Active Storage: Remove dangerous transformations

↗️ activesupport (indirect, 8.0.2 → 8.0.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 8.0.2.1 release
• Update CHANGELOGs
• Call inspect on ids in RecordNotFound error
• Active Storage: Remove dangerous transformations

↗️ drb (indirect, 2.2.1 → 2.2.3) · Repo · Changelog

Release Notes

2.2.3

Improvement

• Added support for "Changelog" link in RubyGems.org page.

  • GH-30
  • Patch by Mark Young

• Dropped ObjectSpace._id2ref dependency because
  ObjectSpace._id2ref is deprecated. Drb::WeakIdConv is
  meaningless by this. So it's deprecated. Use the default ID
  converter instead.

  • GH-35
  • https://bugs.ruby-lang.org/issues/15711

Fixes

• SSL: Fixed wrong certificate version.
  • GH-29

Thanks

• Mark Young

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 15 commits:

• Bump version
• Fix building and publishing package
• Bump version
• Add 2.2.2 entry
• Use more specific changelog page
• Add support for Trusted Publishing
• Merge InvokeMethod18Mixin into InvokeMethod (#37)
• Add safety comment about x509 cert versioning rule (#34)
• Avoid use of id2ref for weak mapping (#35)
• Merge pull request #29 from jeremyevans/fix-openssl-cert-version
• Merge pull request #33 from ruby/docs-fix-links
• [doc] Update links
• Merge pull request #30 from mark-young-atg/provide_changelog_link_on_rubygems
• Provide a 'Changelog' link on rubygems.org/gems/drb
• Fix wrong certificate version

↗️ nokogiri (indirect, 1.18.8 → 1.18.9) · Repo · Changelog

Security Advisories 🚨

🚨 Nokogiri patches vendored libxml2 to resolve multiple CVEs

Summary

Nokogiri v1.18.9 patches the vendored libxml2 to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796.

Impact and severity

CVE-2025-6021

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.

NVD claims a severity of 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae

CVE-2025-6170

A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections.

NVD claims a severity of 2.5 Low (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c1

CVE-2025-49794

A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.

NVD claims a severity of 9.1 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5

CVE-2025-49795

A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service.

NVD claims a severity of 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/62048278

CVE-2025-49796

A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.

NVD claims a severity of 9.1 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5

Affected Versions

• Nokogiri < 1.18.9 when using CRuby (MRI) with vendored libxml2

Patched Versions

• Nokogiri >= 1.18.9

Mitigation

Upgrade to Nokogiri v1.18.9 or later.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues.

References

• #3526
• https://nvd.nist.gov/vuln/detail/CVE-2025-6021
• https://nvd.nist.gov/vuln/detail/CVE-2025-6170
• https://nvd.nist.gov/vuln/detail/CVE-2025-49794
• https://nvd.nist.gov/vuln/detail/CVE-2025-49795
• https://nvd.nist.gov/vuln/detail/CVE-2025-49796

Release Notes

1.18.9

v1.18.9 / 2025-07-20

Security

• [CRuby] Applied upstream libxml2 patches to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796. See GHSA-353f-x4gh-cqq8 for more information.

sha256 checksums

5bcfdf7aa8d1056a7ad5e52e1adffc64ef53d12d0724fbc6f458a3af1a4b9e32  nokogiri-1.18.9-aarch64-linux-gnu.gem
55e9e6ca46c4ad1715e313f407d8481d15be1e3b65d9f8e52ba1c124d01676a7  nokogiri-1.18.9-aarch64-linux-musl.gem
eea3f1f06463ff6309d3ff5b88033c4948d0da1ab3cc0a3a24f63c4d4a763979  nokogiri-1.18.9-arm64-darwin.gem
fe611ae65880e445a9c0f650d52327db239f3488626df4173c05beafd161d46e  nokogiri-1.18.9-arm-linux-gnu.gem
935605e14c0ba17da18d203922440bf6c0676c602659278d855d4622d756a324  nokogiri-1.18.9-arm-linux-musl.gem
ac5a7d93fd0e3cef388800b037407890882413feccca79eb0272a2715a82fa33  nokogiri-1.18.9.gem
1fe5b7aa4a054eda689a969bb4e03999960a6ea806582d327207d687168bceb5  nokogiri-1.18.9-java.gem
6b4fc1523aa0370c78653e38c94cb50e7f3ab786425de66ba7ad24222c1164a3  nokogiri-1.18.9-x64-mingw-ucrt.gem
e0d2deb03d3d7af8016e8c9df5ff4a7d692159cefb135cbb6a4109f265652348  nokogiri-1.18.9-x86_64-darwin.gem
b52f5defedc53d14f71eeaaf990da66b077e1918a2e13088b6a96d0230f44360  nokogiri-1.18.9-x86_64-linux-gnu.gem
e69359d6240c17e64cc9f43970d54f13bfc7b8cc516b819228f687e953425e69  nokogiri-1.18.9-x86_64-linux-musl.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

• version bump to v1.18.9
• Apply upstream patches to address multiple vulnerabilities (#3526)
• Apply upstream patches to address multiple vulnerabilities

↗️ rack (indirect, 3.1.15 → 3.2.0) · Repo · Changelog

Security Advisories 🚨

🚨 ReDoS Vulnerability in Rack::Multipart handle_mime_head

Summary

There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571.

Details

Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

Credits

Thanks to scyoon for reporting this to the Rails security team

Release Notes

3.2.0 (from changelog)

This release continues Rack's evolution toward a cleaner, more efficient foundation while maintaining backward compatibility for most applications. The breaking changes primarily affect deprecated functionality, so most users should experience a smooth upgrade with improved performance and standards compliance.

SPEC Changes

• Request environment keys must now be strings. (#2310, @jeremyevans)
• Add nil as a valid return from a Response body.to_path (#2318, [@MSP-Greg])
• Rack::Lint#check_header_value is relaxed, only disallowing CR/LF/NUL characters. (#2354, @ioquatix)

Added

• Introduce Rack::VERSION constant. (#2199, @ioquatix)
• ISO-2022-JP encoded parts within MIME Multipart sections of an HTTP request body will now be converted to UTF-8. (#2245, @nappa)
• Add Rack::Request#query_parser= to allow setting the query parser to use. (#2349, @jeremyevans)
• Add Rack::Request#form_pairs to access form data as raw key-value pairs, preserving duplicate keys. (#2351, @matthewd)

Changed

• Invalid cookie keys will now raise an error. (#2193, @ioquatix)
• Rack::MediaType#params now handles empty strings. (#2229, @jeremyevans)
• Avoid unnecessary calls to the ip_filter lambda to evaluate Request#ip (#2287, [@willbryant])
• Only calculate Request#ip once per request (#2292, [@willbryant])
• Rack::Builder #use, #map, and #run methods now return nil. (#2355, @ioquatix)
• Directly close the body in Rack::ConditionalGet when the response is 304 Not Modified. (#2353, @ioquatix)
• Directly close the body in Rack::Head when the request method is HEAD(#2360, @skipkayhil)

Deprecated

• Rack::Auth::AbstractRequest#request is deprecated without replacement. (#2229, @jeremyevans)
• Rack::Request#parse_multipart (private method designed to be overridden in subclasses) is deprecated without replacement. (#2229, @jeremyevans)

Removed

• Rack::Request#values_at is removed. (#2200, @ioquatix)
• Rack::Logger is removed with no replacement. (#2196, @ioquatix)
• Automatic cache invalidation in Rack::Request#{GET,POST} has been removed. (#2230, @jeremyevans)
• Support for CGI::Cookie has been removed. (#2332, @ioquatix)

Fixed

• Rack::RewindableInput::Middleware no longer wraps a nil input. (#2259, @tt)
• Fix NoMethodError in Rack::Request#wrap_ipv6 when x-forwarded-host is empty. (#2270, @oieioi)
• Fix the specification for SERVER_PORT which was incorrectly documented as required to be an Integer if present - it must be a String containing digits only. (#2296, @ioquatix)
• SERVER_NAME and HTTP_HOST are now more strictly validated according to the relevant specifications. (#2298, @ioquatix)
• Rack::Lint now disallows PATH_INFO="" SCRIPT_NAME="". (#2298, @jeremyevans)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rails-dom-testing (indirect, 2.2.0 → 2.3.0) · Repo · Changelog

Release Notes

2.3.0

What's Changed

• Add assert_not_dom, refute_dom, assert_not_select, refute_select & refute_dom_equal by @joshuay03 in #113
• Raise an error when given a block with a 0 element assertion by @joshuay03 in #116
• Raise an error when provided an invalid Range, or invalid :minimum and :maximum by @joshuay03 in #115
• assert_dom :text collapses whitespace by @jyeharry in #123

New Contributors

• @joshuay03 made their first contribution in #113
• @m-nakamura145 made their first contribution in #118
• @jyeharry made their first contribution in #122

Full Changelog: v2.2.0...v2.3.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 29 commits:

• Prepare for 2.3.0
• No need for CHANGELOG file. Use GitHub Releases instead
• Add release workflow
• Merge pull request #123 from jyeharry/feature/assert_dom-ignore-whitespace-v2
• Collapse whitespace from :text but not :html
• Add failing test for assert_dom collapsing whitespace
• Merge pull request #122 from jyeharry/feature/assert_dom-ignore-whitespace
• Add strict parameter to assert_dom
• Add failing test for assert_dom collapsing whitespace
• Add macos to supported platforms in Gemfile.lock
• ci: run tests once a week on a timer
• Merge pull request #124 from rails/flavorjones-dep-logger-fix
• ci: drop jruby where unsupported, pin concurrent-ruby where needed
• ci: insert Rails 7.2 and 8.0 into the testing matrix
• dep: bundle update
• Merge pull request #118 from m-nakamura145/update-checkout-action
• Update checkout action version
• doc: introduce a CHANGELOG.md file
• Merge pull request #117 from rails/flavorjones-ci-20240113
• ci: add mutex_m to the rails 7.0 gemfile
• dep: bundle update
• Merge pull request #115 from joshuay03/raise-an-error-for-invalid-ranges
• Merge pull request #116 from joshuay03/raise-an-error-for-no-elements-with-block
• Raise an error when given a block with a 0 element assertion
• Raise an error when provided an invalid Range, or invalid :minimum and :maximum
• Merge pull request #113 from joshuay03/feature/refute-and-assert-not-for-dom-and-dom-equal
• Merge pull request #114 from flavorjones/flavorjones-update-ci-matrix-2024-01
• Add `assert_not_dom`, `refute_dom`, `assert_not_select`, `refute_select` & `refute_dom_equal`
• ci: update ci matrix with rails 7.1 and ruby 3.3

↗️ railties (indirect, 8.0.2 → 8.0.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 8.0.2.1 release
• Update CHANGELOGs
• Call inspect on ids in RecordNotFound error
• Active Storage: Remove dangerous transformations

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)