A big week for security. Rails shipped a coordinated patch across all three maintained branches fixing up to 9 CVEs, while Starlette hit its 1.0 milestone after eight years. Meanwhile, Laravel 13.1 landed PHP 8.5 fixes, and a sharp-eyed contributor found an SSE injection bug in FastAPI.
Highlights
Ruby
Rails security releases: v7.2.3.1, v8.0.4.1, v8.1.2.1. A coordinated patch across all maintained branches addressing 8-9 CVEs. The fixes span Active Support (scientific notation injection in NumberConverter, SafeBuffer XSS bypass), Action View (blank attribute names generating exploitable HTML), Active Storage (metadata injection, path traversal in DiskService, DoS via oversized byte ranges), and — on 8.1.x only — an XSS in the DebugExceptions middleware. Update immediately. This Week in Rails covered the lead-up; expect broader coverage this week.
Solid Queue v1.4.0 adds dynamic recurring tasks. Previously, recurring jobs had to be defined statically in queue.yml. Now you can schedule them at runtime via SolidQueue.schedule_recurring_task with the same options as the YAML config. The release also includes an index hint for releasing blocked executions and a fix for an unintended FOR UPDATE query.
Nokogiri v1.19.2 upgrades Saxon-HE from 9.6 to 12.7 to clear CVE scanner false positives in JRuby transitive dependencies (JDOM, dom4j). MRI users are unaffected; the maintainers explicitly note this is not a security release.
Python
Starlette 1.0.0 — the ASGI framework that underpins FastAPI reached its first stable release after nearly eight years. Maintainer Marcelo Trylesinski wrote about the milestone, and Simon Willison explored what the 0.x-to-1.0 breaking changes mean for AI coding assistants trained on older APIs. With ~325 million downloads/month, this is a watershed moment for the async Python ecosystem.
PHP
Laravel v13.1.0 follows the Laravel 13 launch at Laracon EU with a bug fix for Batch::add() wiping queue assignments, PHP 8.5 deprecation warning fixes, and a new Uri::toString() method.
Twig v3.24.0 introduces an html_attr function and html_attr_relaxed escaping strategy that preserves characters like @ and [] for front-end frameworks (Alpine.js, Vue). Also adds null-safe operator short-circuiting and variable renaming in object destructuring. Covered on the Symfony blog.
Also Noteworthy
- Ruby: Karafka v2.5.8 patch
- Python: FastAPI 0.135.2 patch
- PHP: Doctrine DBAL 4.4.3, Laravel v12.55.1, Laravel v13.1.1
Recently Merged
Ruby
Nokogiri merged XSLT security documentation, adding warnings about untrusted stylesheets to match existing docs on RelaxNG, Schema, and Document classes.
Python
redis-py merged a type hints overhaul using @overload with self-type discrimination via Protocol markers. Type checkers can now correctly infer sync (T) vs. async (Awaitable[T]) return types across all core commands and the new VectorSet module.
PHP
Laravel merged an opt-out flag for worker job exception reporting. When queue events (JobExceptionOccurred, JobFailed) are already wired to monitoring, the worker’s duplicate reports cause alert noise for transient failures that retry and succeed. This gives teams using Scout, Sentry, or Flare fine-grained control.
In Development
Ruby
A PR for Doorkeeper fixes a gap where hash_application_secrets fallback: :plain never upgraded plain-text OAuth application secrets to the hashed strategy on access — unlike tokens and grants, which already did. A separate Rails issue proposes stripping leading whitespace in redirect_to URLs to avoid false PathRelativeRedirectError exceptions.
Python
A FastAPI PR fixes an SSE protocol injection vulnerability (CWE-116) where newlines in event and id fields could inject fabricated data: payloads — particularly relevant for streaming AI/LLM UIs. Separately, psf/requests is adding inline type annotations across the entire library, with strict pyright compliance and a new _types.py module. The maintainers are actively seeking community feedback.
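To show the bug class the FastAPI PR addresses, here is an added example (not FastAPI's or the PR's code): a naive SSE encoder beside a hardened one that rejects CR/LF in the single-line event and id fields and prefixes every data line itself, plus a minimal EventSource-style parser showing how a client would read each frame. All function names and sample values are constructed for this illustration.

```python
import re
from typing import Optional

# Constructed example, not FastAPI's own encoder. SSE frames are line-oriented,
# so any CR/LF inside a field value starts a new field as far as the client is
# concerned; that is the CWE-116 issue described above.
_LINE_BREAK = re.compile(r"[\r\n]")


def naive_sse(data: str, event: Optional[str] = None, id: Optional[str] = None) -> str:
    """Interpolates values verbatim: a newline in `event` or `id` becomes a new field."""
    out = ""
    if event is not None:
        out += f"event: {event}\n"
    if id is not None:
        out += f"id: {id}\n"
    out += f"data: {data}\n"
    return out + "\n"


def safe_sse(data: str, event: Optional[str] = None, id: Optional[str] = None) -> str:
    """Rejects line breaks in single-line fields and emits one `data:` line per line of data."""
    for name, value in (("event", event), ("id", id)):
        if value is not None and _LINE_BREAK.search(value):
            raise ValueError(f"SSE field {name!r} must not contain CR or LF")
    out = ""
    if event is not None:
        out += f"event: {event}\n"
    if id is not None:
        out += f"id: {id}\n"
    # Multi-line data is legal, but each line needs its own "data:" prefix.
    for line in data.splitlines() or [""]:
        out += f"data: {line}\n"
    return out + "\n"


def parse_sse_event(raw: str) -> dict:
    """Minimal client-side parse of one frame (EventSource rules: data lines are joined with LF)."""
    fields: dict = {"data": []}
    for line in raw.split("\n"):
        if not line or line.startswith(":"):  # blank line ends the frame; ':' lines are comments
            continue
        name, _, value = line.partition(":")
        value = value[1:] if value.startswith(" ") else value
        if name == "data":
            fields["data"].append(value)
        else:
            fields[name] = value
    return {**fields, "data": "\n".join(fields["data"])}
```

Run `parse_sse_event(naive_sse("hello", event="tick\ndata: injected"))` to see the client receive a data payload the server never meant to send, while `safe_sse` raises on the same input.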
Elixir
Finch has a PR adding runtime pool resize via Finch.set_pool_count/3, replacing persistent_term metrics with ETS to eliminate global GC penalties during scaling.
PHP
A Laravel issue documents a correctness bug where latestOfMany eager load constraints aren’t propagated to the inner subquery, silently returning wrong records.
Try Scout APM
Whether you’re patching Rails CVEs, upgrading to Starlette 1.0, or scaling Laravel 13 queues, Scout APM gives you the visibility to ship with confidence. Monitor Ruby, Python, PHP, and Elixir applications with no credit card required.