8.0.3

• Add release age option for --ensure-latest (#1989)
• Fix polymorphic_name SQLi false positive (Fredrico Franco)
• Fix logger behavior when loading config files (#2009)
• Handle application names with module prefixes (#2011)

8.0.2

• Reline console control should use stderr
• Fix logger cleanup based method (Imran Iqbal)

8.0.1

• Fix for disappearing cursor when no warnings are reported

8.0.0

• Complete revamp of scan progress output and logging
• --skip-libs removed (#1839
• --index-libs removed
• Fix qualified constant lookup to respect module/class context (Mike Dalessio)
• Fix singleton method prefixes (viralpraxis)
• Faster file globbing for templates (Mikael Henriksson)
• No longer produce weak dynamic render path warnings
• Replace Erubis with Erubi (#1970)

7.1.2

This was released on December 25, 2025

• Update ruby_parser to remove max version restriction (Chedli Bourguiba)
• Increase minimum Ruby version to 3.2.0
• Reduce SQL injection false positives from count (and other) calls (#1936)
• Remove more XSS false positives related to Haml attribute builder
• Update Minitest version to 6.0

7.1.1

• Exclude directories before searching for files (#1925)
• Check for unsafe SQL when two arguments are passed to AR methods (Patrick Brinich-Langlois)
• Fix SQL injection check for calculate method (Rohan Sharma)
• Check each side of or SQL arguments (#1935)
• Consider Tempfile.create.path as safe input (Ali Ismayilov)
• Fix false positive when calling with_content on ViewComponents (Peer Allan)
• Add FilePath#to_path for Ruby 3.5 compatibility (S.H.)
• Ignore attribute builder in Haml 6 (#1952)
• Word wrap text report output in pager

7.1.0

• Add Haml 6.x support (#1914, #1841, etc.)
• Support render model shortcut (#959, #1940, etc.)
• Add --ensure-no-obsolete-config-entries option (viralpraxis)
• Update JUnit report for CircleCI (Philippe Bernery)
• Improve ignored warnings layout in HTML report (Sebastien Savater)
• Only load escape functionality from cgi library (Earlopain)
• Add EOL dates for Rails 8.0 and Ruby 3.4
• Use lazy file lists for AppTree

7.0.2

• Fix error with empty BUNDLE_GEMFILE env variable

7.0.1

• Avoid warning on evaluation of plain strings (#1919)
• Enable use of custom/alternative Gemfiles (#1840, #1907)
• Fix error on directory with rb extension (viralpraxis)
• Support terminal-table 4.0 (Chedli Bourguiba)
• Better support Prism 1.4.0 (#1927)
• Only output timing for each file when using --debug

7.0.0

• Default to using Prism parser if available (disable with --no-prism)
• Disable following symbolic links by default (re-enable with --follow-symlinks)
• Remove updated entry in Brakeman ignore files (Toby Hsieh)
• Major changes to how rescanning works
• Fix hardcoded globally excluded paths (#1830)
• Always warn about deserializing from Marshal
• Update eval check to be a little noisier
• Output originalBaseUriIds for SARIF format report (#1889)
• Add step (and timing) for finding files
• Fix recursion when handling multiple assignment expressions (#1877)
• Fix array/hash unknown index handling
• Update terminal-table version
• Add CSV library as explicit dependency for Ruby 3.4 support
• Raise minimum Ruby version to 3.1