v3.5.0.rc4

Security Fix

• Only allow safe method_name calls on reflexes (resolves CVE-2024-28121, click here to learn more) by @marcoroth, thanks to @FelixMartel for reporting this!

Changed

• Don't choose first controller if no matching StimulusReflex-enabled controller was found by @marcoroth in #670
• Export StimulusReflexController constant by @marcoroth in #672

Fixed

• Fix exception in ActionCable channel due to reflexes overwriting each other's data by @alexander-makarenko in #663
• Fix reflex_data keyword argument by @brunoenten in #673
• Fix undefined package_json during Yarn install by @mattboldt in #676
• Fix ReflexData parsing by @Matt-Yorkley in #688

Docs

• Update setup docs by @julianrubisch in #645
• Update mrujs link on docs by @cpgo in #675
• Fix typo in Step 2 of Setup Docs by @ryanmansfield in #680

Dependencies

• Bump word-wrap from 1.2.3 to 1.2.4 by @dependabot in #671
• Bump vite from 4.3.9 to 4.5.2 by @dependabot in #681
• Bump rack from 2.2.7 to 2.2.8.1 by @dependabot in #690
• Bump ip from 1.1.8 to 1.1.9 by @dependabot in #685

New Contributors

• @alexander-makarenko made their first contribution in #663
• @cpgo made their first contribution in #675
• @brunoenten made their first contribution in #673
• @mattboldt made their first contribution in #676
• @ryanmansfield made their first contribution in #680
• @FelixMartel made their first contribution in GHSA-f78j-4w3g-4q65

Commits

Full Changelog: v3.5.0.rc3...v3.5.0.rc4