Will It Vibe logoWill It Vibe?
RAILS-024Low severity-4 points

update_all/delete_all bypasses callbacks and validations

Part of Code Quality & Syntax, which counts for 20% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

update_all and delete_all issue a single SQL statement directly and skip ActiveRecord callbacks and validations entirely, so before_save hooks, uniqueness checks, and updated_at all silently do not run. This is often intentional for bulk operations, so treat a finding here as a prompt to confirm rather than as a bug.

Why it matters

update_all and delete_all issue a single UPDATE or DELETE statement straight to the database and skip every ActiveRecord callback and validation: before_save hooks do not run, uniqueness and presence validations are not checked, updated_at is not touched unless the call sets it explicitly. This is often exactly what is wanted for a bulk operation, but when it is used out of habit instead of intentionally, it quietly breaks whatever invariants those callbacks were enforcing.

How to fix it

Confirm this bulk update is intentional and that skipping callbacks and validations is acceptable for this specific case; if so, no change is needed beyond a comment noting why. If the callbacks matter (an audit log, a cache invalidation, a dependent recalculation), replace update_all/delete_all with find_each combined with individual update!/destroy calls, accepting the performance cost in exchange for correctness.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Code Quality & Syntax checks