When a PDF is used for both printing and displaying. It will most likely
contain a crop box in order to hide print margins when displaying the PDF.

Use Poppler's parameter to automatically use the crop box (visible box)
rather than the media box (printable box) in order to remove those margins
when drawing the PDF.

See https://manpages.debian.org/testing/poppler-utils/pdftoppm.1.en.html

* Public services don’t respect `:disposition`, `:filename`, or `:content_type`.
* `:expires_in` is optional.

Guard against the case where ActiveStorage.verifier isn't yet initialized at load time.

Yes, you're not supposed to load AR models in initializers, but it's easy to do accidentally as long as we don't prevent it. We should be resilient against it wherever practical.

Prevent XSS where unsafe content is served inline on the application origin.

Follows up on #34477. References 06ab7b27 and d40284b1.

Some video formats, such as WebM, do not store duration information at
the level of the video stream.  Instead, the duration is stored as part
of the container format information.

This commit modifies `VideoAnalyzer` to use the duration from the video
container when the duration from the video stream is not available.

Fixes #40130.

Follow-up to #40013.

Newly created `Blob`s may not be uploaded yet, so do not try to update
their service metadata.

An Active Storage `Blob` must be identified before it can be reliably
validated.  For direct uploads, a `Blob` is identified when it is
attached, rather than when it is created.

Before this commit, the sequence of events when attaching a `Blob` was:

1. Find the `Blob`.
2. Assign the `Blob` to an `Attachment`.
3. Save the owner record.
4. Save the `Attachment`.
5. Identify the `Blob`'s true `content_type` from its file.
6. Save the `Blob`.

This meant that the owner record's validations might not see the
`Blob`'s true `content_type`.

After this commit, the sequence of events will be:

1. Find the `Blob`.
2. Identify the `Blob`'s true `content_type` from its file.
3. Assign the `Blob` to an `Attachment`.
4. Save the owner record.
5. Save the `Attachment`.
6. Save the `Blob`.

Thus the `Blob`'s true `content_type` will be available when running the
owner record's validations.

Closes #37411.

This commit fixes the "resized variation of BMP blob" test.

By default `create_file_blob` use "image/jpeg" as content type,
since this test does not specify the correct `content_type` for
a `*.bmp` image ("image/bmp") the `ActiveStorage::Variant#specification`
consider the blob as a web image which causes the variant to return a
`*.bmp` URL and a "BMP" type, this is an incorrect behavior since if you
upload a `*.bmp` image the variant will have a PNG format with "image/png"
as content type.

After this change the test will cover the current activestorage behavior.

Changes:

* Specify correct `content_type` on "resized variation of BMP blob" test.
* Change asserts to cover the current activestorage behavior.

Currently `delete` is used on the `purge` and `purge_later` methods,
that prevent any callbacks to be triggered which causes the parent
model to not be updated when an attachment is purged. This behaviour
cause issues on some caching strategies as reported here: https://github.com/rails/rails/issues/39858

Changes:

* Add `record&.touch` on `attachment#purge`
* Add `record&.touch` on `attachment#purge_later`
* Remove extra blank line on attachment.rb
* Add tests which are failing before this change and pass after the change

Error entries appear in the log when we request ActiveStorage
controllers (`ActiveStorage::Representations::ProxyController#show`,
`ActiveStorage::Blobs::ProxyController#show`).

These entries look like: "Couldn't find template for digesting:
active_storage/representations/proxy/show".

These controllers use the method
`ActionController::ConditionalGet#http_cache_forever`,
and therefore `ActionController::ConditionalGet#combine_etags` method,
and therefore `ActionController::EtagWithTemplateDigest` module via
`etaggers` array.

`ActionController::EtagWithTemplateDigest` module requires a template
(view).

We have no views in ActiveStorage, so `EtagWithTemplateDigest` is
now turned off in ActiveStorage controllers by
`etag_with_template_digest` class attribute.

This change swaps the CommonJS require() syntax in the Webpacker
application.js pack template file and in documentation examples with ES
module import syntax.

Benefits of this change include:

Provides continuity with the larger frontend community: Arguably, one of
the main draws in adopting Webpacker is its integration with Babel to
support ES module syntax. For a fresh Rails install with Webpacker, the
application.js file will be the first impression most Rails developers
have with webpack and Webpacker.  Most of the recent documentation and
examples they will find online for using other libraries will be based
on ES module syntax.

Reduces confusion: Developers commonly add ES imports to their
application.js pack, typically by following online examples, which means
mixing require() and import statements in a single file. This leads to
confusion and unnecessary friction about differences between require()
and import.

Embraces browser-friendliness: The ES module syntax forward-looking and
is meant to be supported in browsers. On the other hand, require()
syntax is synchronous by design and not browser-supported as CommonJS
originally was adopted in Node.js for server-side JavaScript. That
webpack supports require() syntax is merely a convenience.

Encourages best practices regarding optimization: webpack can statically
analyze ES modules and "tree-shake", i.e., strip out unused exports from
the final build (given certain conditions are met, including
`sideEffects: false` designation in package.json).

Fixes that calling e.g. `url_for @user.avatar` would return an incorrect URL resulting in a 404. The Active Storage URL helper ends up calling ActiveStorage::Attachment#signed_id, which previously delegated to ActiveStorage::Blob#signed_id but changed to return a signed *attachment* ID in 1a3dc42c.

The Active Storage controllers pass signed IDs to ActiveStorage::Blob.find_signed, so we need signed blob IDs.

Prior to this commit, a `dup`ed record and its originating record would
share the same `Attached` proxy objects.  Those proxy objects, in turn,
would point to the same `Attachment` associations, causing changes made
through the proxy interface to affect both records.

This exact test exists in `one_test.rb`.  It was probably overlooked
after being copied and pasted.

They may be cached for existing apps upgrading to 6.1. Follows up on #34477.

whitelist_headers support added in 1.48.0:
https://github.com/aws/aws-sdk-ruby/blob/master/gems/aws-sdk-s3/CHANGELOG.md#1480-2019-08-30

- Add the configuration option for annotating templates with file names to the generated app.
- Add `annotate_rendered_view_with_filenames` option to configuring guide.

[CVE-2020-8162]

References dfb5a82b.

In the past, we sometimes hit missing `Symbol#start_with?` and
`Symbol#end_with?`.

https://github.com/rails/rails/commit/63256bc5d7dd77b2cce82df46c53249dab2dc2a8
https://github.com/rails/rails/commit/a8e812964d711fa03843e76ae50f5ff81cdc9e00

So I proposed `Symbol#start_with?` and `Symbol#end_with?` to allow duck
typing that methods for String and Symbol, then now it is available in
Ruby 2.7.

https://bugs.ruby-lang.org/issues/16348

Using `String#starts_with?` and `String#ends_with?` could not be gained
that conveniency, so it is preferable to not use these in the future.

The less we depend on require_dependency, the better.

This reverts commit 43503bdf.

Closes #37701.

I wrote this shell script to find words from the Rails repo,
so I can paste them into https://www.horsepaste.com/ for
the [codenames game](https://en.m.wikipedia.org/wiki/Codenames_(board_game)).

```bash
git grep -Il '' | \
  grep -v -E "CHANGELOG|Gemfile|gemspec|package\.json|yarn\.lock" | \
  xargs cat | \
  sed '/[^ ]\{10,\}/d' | \
  sed 's/\([A-Z]\)/ \1/g' | \
  tr 'A-Z' 'a-z' | \
  tr -c -s 'a-z' '\n' | \
  sed '/^.\{0,3\}$/d' | \
  sort | \
  uniq | \
  tr '\n' ',' | \
  pbcopy
```

You can see the result in https://www.horsepaste.com/rails-fixed.
Click "Next game" to cycle the words.

Found some typos in the codebase from this 😂

This is how I generated the list of possible typos:

```bash
git grep -Il '' | \
  grep -v -E "CHANGELOG|Gemfile|gemspec|package\.json|yarn\.lock" | \
  xargs cat | \
  sed '/[^ ]\{10,\}/d' | \
  sed 's/\([A-Z]\)/ \1/g' | \
  tr 'A-Z' 'a-z' | \
  tr -c -s 'a-z' '\n' | \
  sed '/^.\{0,3\}$/d' | \
  sort | \
  uniq | \
  aspell --ignore-case list
```

I manually reviewed the list and made the corrections
in this commit. The rest on the list are either:

* Bugs in my script: it split things like "doesn't" into
  "doesn" and "t", if find things like `#ffffff` and
  extracts "ffffff" as a word, etc
* British spelling: honour, optimised
* Foreign words: bonjour, espanol
* Names: nginx, hanekawa
* Technical words: mutex, xhtml
* Portmanteau words: autosave, nodelist
* Invented words: camelize, coachee
* Shortened words: attrs, repo
* Deliberate typos: hllo, hillo (used in code examples, etc)
* Lorem ipsum words: arcu, euismod

This is the [output](https://gist.github.com/chancancode/eb0b573d667dc31906f33f1fb0b22313)
of the script *after* fixing the typos included in this
commit. In theory, someone can run that command again in
the future and compare the output to catch new typos (i.e.
using my list to filter out known typos).

Limitations: the aspell dictionary could be wrong, I
could have miss things, and my script ignores words that
are less than 3 characters or longer than 10 characters.

Add `config.active_storage.web_image_content_types` to allow applications
to add content types (like `image/webp`) in which variants can be processed,
instead of letting those images be converted to the fallback PNG format.

As a developer, when looking at a page in my web browser, it's sometimes
difficult to figure out which template(s) are being used to render the page.

config.action_view.annotate_template_file_names adds HTML comments to the
rendered output indicating where each template begins and ends.
Co-authored-by: NAaron Patterson <tenderlove@github.com>

* require, require_relative, load by double quotes

We're getting rid of all single quote usage, unless it serves a specific purpose, as per the general style guide.