diff --git a/.yardopts b/.yardopts
new file mode 100644
index 0000000000..4419be7d6b
--- /dev/null
+++ b/.yardopts
@@ -0,0 +1,3 @@
+--markup markdown
+--hide-void-return
+--tag safety:"Cop Safety Information"
diff --git a/docs/modules/ROOT/pages/cops_rails.adoc b/docs/modules/ROOT/pages/cops_rails.adoc
index 26b0448e0a..b5d99fe9c7 100644
--- a/docs/modules/ROOT/pages/cops_rails.adoc
+++ b/docs/modules/ROOT/pages/cops_rails.adoc
@@ -78,6 +78,11 @@ skip_after_filter :do_stuff
Checks that ActiveRecord aliases are not used. The direct method names
are more clear and easier to read.
+=== Safety
+
+This cop is unsafe because custom `update_attributes` method call was changed to
+`update` but the method name remained same in the method definition.
+
=== Examples
[source,ruby]
@@ -309,7 +314,12 @@ after_update_commit :log_update_action
| 2.5
|===
-This cop checks that controllers subclass ApplicationController.
+This cop checks that controllers subclass `ApplicationController`.
+
+=== Safety
+
+This cop's autocorrection is unsafe because it may let the logic from `ApplicationController`
+sneak into a controller that is not purposed to inherit logic common among other controllers.
=== Examples
@@ -338,7 +348,12 @@ end
| 2.5
|===
-This cop checks that jobs subclass ApplicationJob with Rails 5.0.
+This cop checks that jobs subclass `ApplicationJob` with Rails 5.0.
+
+=== Safety
+
+This cop's autocorrection is unsafe because it may let the logic from `ApplicationJob`
+sneak into a job that is not purposed to inherit logic common among other jobs.
=== Examples
@@ -367,7 +382,12 @@ end
| 2.5
|===
-This cop checks that mailers subclass ApplicationMailer with Rails 5.0.
+This cop checks that mailers subclass `ApplicationMailer` with Rails 5.0.
+
+=== Safety
+
+This cop's autocorrection is unsafe because it may let the logic from `ApplicationMailer`
+sneak into a mail that is not purposed to inherit logic common among other mailers.
=== Examples
@@ -396,7 +416,13 @@ end
| 2.5
|===
-This cop checks that models subclass ApplicationRecord with Rails 5.0.
+This cop checks that models subclass `ApplicationRecord` with Rails 5.0.
+
+=== Safety
+
+This cop's autocorrection is unsafe because it may let the logic from `ApplicationRecord`
+sneak into an Active Record model that is not purposed to inherit logic common among other
+Active Record models.
=== Examples
@@ -432,6 +458,13 @@ quoted asterisk (e.g. `my_model`.`*`). This causes the
database to look for a column named `*` (or `"*"`) as opposed
to expanding the column list as one would likely expect.
+=== Safety
+
+This cop's autocorrection is unsafe because it turns a quoted `*` into
+an SQL `*`, unquoted. `*` is a valid column name in certain databases
+supported by Rails, and even though it is usually a mistake,
+it might denote legitimate access to a column named `*`.
+
=== Examples
[source,ruby]
@@ -637,15 +670,17 @@ end
This cop checks for code that can be written with simpler conditionals
using `Object#blank?` defined by Active Support.
-This cop is marked as unsafe auto-correction, because `' '.empty?` returns false,
-but `' '.blank?` returns true. Therefore, auto-correction is not compatible
-if the receiver is a non-empty blank string, tab, or newline meta characters.
-
Interaction with `Style/UnlessElse`:
The configuration of `NotPresent` will not produce an offense in the
context of `unless else` if `Style/UnlessElse` is inabled. This is
to prevent interference between the auto-correction of the two cops.
+=== Safety
+
+This cop is unsafe auto-correction, because `' '.empty?` returns false,
+but `' '.blank?` returns true. Therefore, auto-correction is not compatible
+if the receiver is a non-empty blank string, tab, or newline meta characters.
+
=== Examples
==== NilOrEmpty: true (default)
@@ -1187,6 +1222,11 @@ This cop checks dynamic `find_by_*` methods.
Use `find_by` instead of dynamic method.
See. https://rails.rubystyle.guide#find_by
+=== Safety
+
+It is certainly unsafe when not configured properly, i.e. user-defined `find_by_xxx`
+method is not added to cop's `AllowedMethods`.
+
=== Examples
[source,ruby]
@@ -2407,6 +2447,8 @@ end
This cop checks that methods specified in the filter's `only` or
`except` options are defined within the same class or module.
+=== Safety
+
You can technically specify methods of superclass or methods added by
mixins on the filter, but these can confuse developers. If you specify
methods that are defined in other classes or modules, you should
@@ -2563,6 +2605,11 @@ This cop enforces that mailer names end with `Mailer` suffix.
Without the `Mailer` suffix it isn't immediately apparent what's a mailer
and which views are related to the mailer.
+=== Safety
+
+This cop's autocorrection is unsafe because renaming a constant is
+always an unsafe operation.
+
=== Examples
[source,ruby]
@@ -2658,8 +2705,10 @@ match 'photos/:id', to: 'photos#show', via: :all
This cop enforces the use of `collection.exclude?(obj)`
over `!collection.include?(obj)`.
-It is marked as unsafe by default because false positive will occur for
-a receiver object that do not have `exclude?` method. (e.g. `IPAddr`)
+=== Safety
+
+This cop is unsafe because false positive will occur for
+receiver objects that do not have an `exclude?` method. (e.g. `IPAddr`)
=== Examples
@@ -2769,6 +2818,11 @@ scope :chronological, -> { order(created_at: :asc) }
This cop checks for the use of output calls like puts and print
+=== Safety
+
+This cop's autocorrection is unsafe because depending on the Rails log level configuration,
+changing from `puts` to `Rails.logger.debug` could result in no output being shown.
+
=== Examples
[source,ruby]
@@ -2886,6 +2940,14 @@ Using `pluck` followed by `first` creates an intermediate array, which
`pick` avoids. When called on an Active Record relation, `pick` adds a
limit to the query so that only one value is fetched from the database.
+=== Safety
+
+This cop is unsafe because `pluck` is defined on both `ActiveRecord::Relation` and `Enumerable`,
+whereas `pick` is only defined on `ActiveRecord::Relation` in Rails 6.0. This was addressed
+in Rails 6.1 via rails/rails#38760, at which point the cop is safe.
+
+See: https://github.com/rubocop/rubocop-rails/pull/249
+
=== Examples
[source,ruby]
@@ -2952,6 +3014,10 @@ Post.published.pluck(:title)
This cop enforces the use of `ids` over `pluck(:id)` and `pluck(primary_key)`.
+=== Safety
+
+This cop is unsafe if the receiver object is not an Active Record object.
+
=== Examples
[source,ruby]
@@ -2995,11 +3061,13 @@ and can be replaced with `select`.
Since `pluck` is an eager method and hits the database immediately,
using `select` helps to avoid additional database queries.
-This cop has two different enforcement modes. When the EnforcedStyle
-is conservative (the default) then only calls to `pluck` on a constant
+This cop has two different enforcement modes. When the `EnforcedStyle`
+is `conservative` (the default) then only calls to `pluck` on a constant
(i.e. a model class) in the `where` is used as offenses.
-When the EnforcedStyle is aggressive then all calls to `pluck` in the
+=== Safety
+
+When the `EnforcedStyle` is `aggressive` then all calls to `pluck` in the
`where` is used as offenses. This may lead to false positives
as the cop cannot replace to `select` between calls to `pluck` on an
`ActiveRecord::Relation` instance vs a call to `pluck` on an `Array` instance.
@@ -3231,6 +3299,12 @@ following conditions:
* The task does not need application code.
* The task invokes the `:environment` task.
+=== Safety
+
+Probably not a problem in most cases, but it is possible that calling `:environment` task
+will break a behavior. It's also slower. E.g. some task that only needs one gem to be
+loaded to run will run significantly faster without loading the whole application.
+
=== Examples
[source,ruby]
@@ -3533,7 +3607,10 @@ end
This cop checks if the value of the option `class_name`, in
the definition of a reflection is a string.
-It is marked as unsafe because it cannot be determined whether
+
+=== Safety
+
+This cop is unsafe because it cannot be determined whether
constant or method return value specified to `class_name` is a string.
=== Examples
@@ -4206,10 +4283,20 @@ foo&.bar { |e| e.baz }
This cop checks to make sure safe navigation isn't used with `blank?` in
a conditional.
+=== Safety
+
While the safe navigation operator is generally a good idea, when
checking `foo&.blank?` in a conditional, `foo` being `nil` will actually
do the opposite of what the author intends.
+For example:
+
+[source,ruby]
+----
+foo&.blank? #=> nil
+foo.blank? #=> true
+----
+
=== Examples
[source,ruby]
@@ -4257,6 +4344,26 @@ that behavior can be turned off with `AllowImplicitReturn: false`.
You can permit receivers that are giving false positives with
`AllowedReceivers: []`
+=== Safety
+
+This cop's autocorrection is unsafe because a custom `update` method call would be changed to `update!`,
+but the method name in the definition would be unchanged.
+
+[source,ruby]
+----
+# Original code
+def update_attributes
+end
+
+update_attributes
+
+# After running rubocop --safe-auto-correct
+def update_attributes
+end
+
+update
+----
+
=== Examples
[source,ruby]
@@ -4552,6 +4659,9 @@ user.touch
|===
Checks SQL heredocs to use `.squish`.
+
+=== Safety
+
Some SQL syntax (e.g. PostgreSQL comments and functions) requires newlines
to be preserved in order to work, thus auto-correction for this cop is not safe.
@@ -4617,6 +4727,10 @@ then only use of `Time.zone` is allowed.
When EnforcedStyle is 'flexible' then it's also allowed
to use `Time#in_time_zone`.
+=== Safety
+
+This cop's autocorrection is unsafe because it may change handling time.
+
=== Examples
[source,ruby]
@@ -4743,6 +4857,8 @@ as the cop cannot distinguish between calls to pluck on an
ActiveRecord::Relation vs a call to pluck on an
ActiveRecord::Associations::CollectionProxy.
+=== Safety
+
This cop is unsafe because the behavior may change depending on the
database collation.
Autocorrect is disabled by default for this cop since it may generate
@@ -4993,6 +5109,11 @@ validates :foo, uniqueness: true
This cop identifies places where manually constructed SQL
in `where` can be replaced with `where(attribute: value)`.
+=== Safety
+
+This cop's autocorrection is unsafe because is may change SQL.
+See: https://github.com/rubocop/rubocop-rails/issues/403
+
=== Examples
[source,ruby]
@@ -5036,6 +5157,8 @@ then the cop enforces `exists?(...)` over `where(...).exists?`.
When EnforcedStyle is 'where' then the cop enforces
`where(...).exists?` over `exists?(...)`.
+=== Safety
+
This cop is unsafe for auto-correction because the behavior may change on the following case:
[source,ruby]
diff --git a/lib/rubocop/cop/rails/active_record_aliases.rb b/lib/rubocop/cop/rails/active_record_aliases.rb
index 11feb6bc24..5dfcdfb4cd 100644
--- a/lib/rubocop/cop/rails/active_record_aliases.rb
+++ b/lib/rubocop/cop/rails/active_record_aliases.rb
@@ -6,6 +6,10 @@ module Rails
# Checks that ActiveRecord aliases are not used. The direct method names
# are more clear and easier to read.
#
+ # @safety
+ # This cop is unsafe because custom `update_attributes` method call was changed to
+ # `update` but the method name remained same in the method definition.
+ #
# @example
# #bad
# Book.update_attributes!(author: 'Alice')
diff --git a/lib/rubocop/cop/rails/application_controller.rb b/lib/rubocop/cop/rails/application_controller.rb
index 968536e951..9bdde9de72 100644
--- a/lib/rubocop/cop/rails/application_controller.rb
+++ b/lib/rubocop/cop/rails/application_controller.rb
@@ -3,7 +3,11 @@
module RuboCop
module Cop
module Rails
- # This cop checks that controllers subclass ApplicationController.
+ # This cop checks that controllers subclass `ApplicationController`.
+ #
+ # @safety
+ # This cop's autocorrection is unsafe because it may let the logic from `ApplicationController`
+ # sneak into a controller that is not purposed to inherit logic common among other controllers.
#
# @example
#
diff --git a/lib/rubocop/cop/rails/application_job.rb b/lib/rubocop/cop/rails/application_job.rb
index b2791a317b..48adfe0185 100644
--- a/lib/rubocop/cop/rails/application_job.rb
+++ b/lib/rubocop/cop/rails/application_job.rb
@@ -3,7 +3,11 @@
module RuboCop
module Cop
module Rails
- # This cop checks that jobs subclass ApplicationJob with Rails 5.0.
+ # This cop checks that jobs subclass `ApplicationJob` with Rails 5.0.
+ #
+ # @safety
+ # This cop's autocorrection is unsafe because it may let the logic from `ApplicationJob`
+ # sneak into a job that is not purposed to inherit logic common among other jobs.
#
# @example
#
diff --git a/lib/rubocop/cop/rails/application_mailer.rb b/lib/rubocop/cop/rails/application_mailer.rb
index 409424d761..5da982a80b 100644
--- a/lib/rubocop/cop/rails/application_mailer.rb
+++ b/lib/rubocop/cop/rails/application_mailer.rb
@@ -3,7 +3,11 @@
module RuboCop
module Cop
module Rails
- # This cop checks that mailers subclass ApplicationMailer with Rails 5.0.
+ # This cop checks that mailers subclass `ApplicationMailer` with Rails 5.0.
+ #
+ # @safety
+ # This cop's autocorrection is unsafe because it may let the logic from `ApplicationMailer`
+ # sneak into a mail that is not purposed to inherit logic common among other mailers.
#
# @example
#
diff --git a/lib/rubocop/cop/rails/application_record.rb b/lib/rubocop/cop/rails/application_record.rb
index c2fe267076..0fba2a3e7b 100644
--- a/lib/rubocop/cop/rails/application_record.rb
+++ b/lib/rubocop/cop/rails/application_record.rb
@@ -3,7 +3,12 @@
module RuboCop
module Cop
module Rails
- # This cop checks that models subclass ApplicationRecord with Rails 5.0.
+ # This cop checks that models subclass `ApplicationRecord` with Rails 5.0.
+ #
+ # @safety
+ # This cop's autocorrection is unsafe because it may let the logic from `ApplicationRecord`
+ # sneak into an Active Record model that is not purposed to inherit logic common among other
+ # Active Record models.
#
# @example
#
diff --git a/lib/rubocop/cop/rails/arel_star.rb b/lib/rubocop/cop/rails/arel_star.rb
index 5af9f33642..6135c584ca 100644
--- a/lib/rubocop/cop/rails/arel_star.rb
+++ b/lib/rubocop/cop/rails/arel_star.rb
@@ -10,6 +10,12 @@ module Rails
# database to look for a column named `*` (or `"*"`) as opposed
# to expanding the column list as one would likely expect.
#
+ # @safety
+ # This cop's autocorrection is unsafe because it turns a quoted `*` into
+ # an SQL `*`, unquoted. `*` is a valid column name in certain databases
+ # supported by Rails, and even though it is usually a mistake,
+ # it might denote legitimate access to a column named `*`.
+ #
# @example
# # bad
# MyTable.arel_table["*"]
diff --git a/lib/rubocop/cop/rails/blank.rb b/lib/rubocop/cop/rails/blank.rb
index 40ba2a615c..14c54cd257 100644
--- a/lib/rubocop/cop/rails/blank.rb
+++ b/lib/rubocop/cop/rails/blank.rb
@@ -6,15 +6,16 @@ module Rails
# This cop checks for code that can be written with simpler conditionals
# using `Object#blank?` defined by Active Support.
#
- # This cop is marked as unsafe auto-correction, because `' '.empty?` returns false,
- # but `' '.blank?` returns true. Therefore, auto-correction is not compatible
- # if the receiver is a non-empty blank string, tab, or newline meta characters.
- #
# Interaction with `Style/UnlessElse`:
# The configuration of `NotPresent` will not produce an offense in the
# context of `unless else` if `Style/UnlessElse` is inabled. This is
# to prevent interference between the auto-correction of the two cops.
#
+ # @safety
+ # This cop is unsafe auto-correction, because `' '.empty?` returns false,
+ # but `' '.blank?` returns true. Therefore, auto-correction is not compatible
+ # if the receiver is a non-empty blank string, tab, or newline meta characters.
+ #
# @example NilOrEmpty: true (default)
# # Converts usages of `nil? || empty?` to `blank?`
#
diff --git a/lib/rubocop/cop/rails/dynamic_find_by.rb b/lib/rubocop/cop/rails/dynamic_find_by.rb
index 1ef798f9cc..2999c0d649 100644
--- a/lib/rubocop/cop/rails/dynamic_find_by.rb
+++ b/lib/rubocop/cop/rails/dynamic_find_by.rb
@@ -7,6 +7,10 @@ module Rails
# Use `find_by` instead of dynamic method.
# See. https://rails.rubystyle.guide#find_by
#
+ # @safety
+ # It is certainly unsafe when not configured properly, i.e. user-defined `find_by_xxx`
+ # method is not added to cop's `AllowedMethods`.
+ #
# @example
# # bad
# User.find_by_name(name)
diff --git a/lib/rubocop/cop/rails/lexically_scoped_action_filter.rb b/lib/rubocop/cop/rails/lexically_scoped_action_filter.rb
index 851a4dab6d..266d57e0d2 100644
--- a/lib/rubocop/cop/rails/lexically_scoped_action_filter.rb
+++ b/lib/rubocop/cop/rails/lexically_scoped_action_filter.rb
@@ -6,13 +6,14 @@ module Rails
# This cop checks that methods specified in the filter's `only` or
# `except` options are defined within the same class or module.
#
- # You can technically specify methods of superclass or methods added by
- # mixins on the filter, but these can confuse developers. If you specify
- # methods that are defined in other classes or modules, you should
- # define the filter in that class or module.
- #
- # If you rely on behaviour defined in the superclass actions, you must
- # remember to invoke `super` in the subclass actions.
+ # @safety
+ # You can technically specify methods of superclass or methods added by
+ # mixins on the filter, but these can confuse developers. If you specify
+ # methods that are defined in other classes or modules, you should
+ # define the filter in that class or module.
+ #
+ # If you rely on behaviour defined in the superclass actions, you must
+ # remember to invoke `super` in the subclass actions.
#
# @example
# # bad
diff --git a/lib/rubocop/cop/rails/mailer_name.rb b/lib/rubocop/cop/rails/mailer_name.rb
index d55983d194..c5ab074ff5 100644
--- a/lib/rubocop/cop/rails/mailer_name.rb
+++ b/lib/rubocop/cop/rails/mailer_name.rb
@@ -8,6 +8,10 @@ module Rails
# Without the `Mailer` suffix it isn't immediately apparent what's a mailer
# and which views are related to the mailer.
#
+ # @safety
+ # This cop's autocorrection is unsafe because renaming a constant is
+ # always an unsafe operation.
+ #
# @example
# # bad
# class User < ActionMailer::Base
diff --git a/lib/rubocop/cop/rails/negate_include.rb b/lib/rubocop/cop/rails/negate_include.rb
index f4442e0367..34bd3f7d57 100644
--- a/lib/rubocop/cop/rails/negate_include.rb
+++ b/lib/rubocop/cop/rails/negate_include.rb
@@ -6,8 +6,9 @@ module Rails
# This cop enforces the use of `collection.exclude?(obj)`
# over `!collection.include?(obj)`.
#
- # It is marked as unsafe by default because false positive will occur for
- # a receiver object that do not have `exclude?` method. (e.g. `IPAddr`)
+ # @safety
+ # This cop is unsafe because false positive will occur for
+ # receiver objects that do not have an `exclude?` method. (e.g. `IPAddr`)
#
# @example
# # bad
diff --git a/lib/rubocop/cop/rails/output.rb b/lib/rubocop/cop/rails/output.rb
index a06b98b8e4..eff7b68c5c 100644
--- a/lib/rubocop/cop/rails/output.rb
+++ b/lib/rubocop/cop/rails/output.rb
@@ -5,6 +5,10 @@ module Cop
module Rails
# This cop checks for the use of output calls like puts and print
#
+ # @safety
+ # This cop's autocorrection is unsafe because depending on the Rails log level configuration,
+ # changing from `puts` to `Rails.logger.debug` could result in no output being shown.
+ #
# @example
# # bad
# puts 'A debug message'
diff --git a/lib/rubocop/cop/rails/pick.rb b/lib/rubocop/cop/rails/pick.rb
index 3cc8e7ddbe..f6ecd0a9e2 100644
--- a/lib/rubocop/cop/rails/pick.rb
+++ b/lib/rubocop/cop/rails/pick.rb
@@ -9,6 +9,13 @@ module Rails
# `pick` avoids. When called on an Active Record relation, `pick` adds a
# limit to the query so that only one value is fetched from the database.
#
+ # @safety
+ # This cop is unsafe because `pluck` is defined on both `ActiveRecord::Relation` and `Enumerable`,
+ # whereas `pick` is only defined on `ActiveRecord::Relation` in Rails 6.0. This was addressed
+ # in Rails 6.1 via rails/rails#38760, at which point the cop is safe.
+ #
+ # See: https://github.com/rubocop/rubocop-rails/pull/249
+ #
# @example
# # bad
# Model.pluck(:a).first
diff --git a/lib/rubocop/cop/rails/pluck_id.rb b/lib/rubocop/cop/rails/pluck_id.rb
index c1740830bb..0193d5b284 100644
--- a/lib/rubocop/cop/rails/pluck_id.rb
+++ b/lib/rubocop/cop/rails/pluck_id.rb
@@ -5,6 +5,9 @@ module Cop
module Rails
# This cop enforces the use of `ids` over `pluck(:id)` and `pluck(primary_key)`.
#
+ # @safety
+ # This cop is unsafe if the receiver object is not an Active Record object.
+ #
# @example
# # bad
# User.pluck(:id)
diff --git a/lib/rubocop/cop/rails/pluck_in_where.rb b/lib/rubocop/cop/rails/pluck_in_where.rb
index 9db913b6fd..145b0bd4bd 100644
--- a/lib/rubocop/cop/rails/pluck_in_where.rb
+++ b/lib/rubocop/cop/rails/pluck_in_where.rb
@@ -9,14 +9,15 @@ module Rails
# Since `pluck` is an eager method and hits the database immediately,
# using `select` helps to avoid additional database queries.
#
- # This cop has two different enforcement modes. When the EnforcedStyle
- # is conservative (the default) then only calls to `pluck` on a constant
+ # This cop has two different enforcement modes. When the `EnforcedStyle`
+ # is `conservative` (the default) then only calls to `pluck` on a constant
# (i.e. a model class) in the `where` is used as offenses.
#
- # When the EnforcedStyle is aggressive then all calls to `pluck` in the
- # `where` is used as offenses. This may lead to false positives
- # as the cop cannot replace to `select` between calls to `pluck` on an
- # `ActiveRecord::Relation` instance vs a call to `pluck` on an `Array` instance.
+ # @safety
+ # When the `EnforcedStyle` is `aggressive` then all calls to `pluck` in the
+ # `where` is used as offenses. This may lead to false positives
+ # as the cop cannot replace to `select` between calls to `pluck` on an
+ # `ActiveRecord::Relation` instance vs a call to `pluck` on an `Array` instance.
#
# @example
# # bad
diff --git a/lib/rubocop/cop/rails/rake_environment.rb b/lib/rubocop/cop/rails/rake_environment.rb
index 97f69830b0..f750732676 100644
--- a/lib/rubocop/cop/rails/rake_environment.rb
+++ b/lib/rubocop/cop/rails/rake_environment.rb
@@ -14,6 +14,11 @@ module Rails
# * The task does not need application code.
# * The task invokes the `:environment` task.
#
+ # @safety
+ # Probably not a problem in most cases, but it is possible that calling `:environment` task
+ # will break a behavior. It's also slower. E.g. some task that only needs one gem to be
+ # loaded to run will run significantly faster without loading the whole application.
+ #
# @example
# # bad
# task :foo do
diff --git a/lib/rubocop/cop/rails/reflection_class_name.rb b/lib/rubocop/cop/rails/reflection_class_name.rb
index c7504934da..69ffac76df 100644
--- a/lib/rubocop/cop/rails/reflection_class_name.rb
+++ b/lib/rubocop/cop/rails/reflection_class_name.rb
@@ -5,8 +5,10 @@ module Cop
module Rails
# This cop checks if the value of the option `class_name`, in
# the definition of a reflection is a string.
- # It is marked as unsafe because it cannot be determined whether
- # constant or method return value specified to `class_name` is a string.
+ #
+ # @safety
+ # This cop is unsafe because it cannot be determined whether
+ # constant or method return value specified to `class_name` is a string.
#
# @example
# # bad
diff --git a/lib/rubocop/cop/rails/safe_navigation_with_blank.rb b/lib/rubocop/cop/rails/safe_navigation_with_blank.rb
index 960ca85846..99067f4d7e 100644
--- a/lib/rubocop/cop/rails/safe_navigation_with_blank.rb
+++ b/lib/rubocop/cop/rails/safe_navigation_with_blank.rb
@@ -6,9 +6,18 @@ module Rails
# This cop checks to make sure safe navigation isn't used with `blank?` in
# a conditional.
#
- # While the safe navigation operator is generally a good idea, when
- # checking `foo&.blank?` in a conditional, `foo` being `nil` will actually
- # do the opposite of what the author intends.
+ # @safety
+ # While the safe navigation operator is generally a good idea, when
+ # checking `foo&.blank?` in a conditional, `foo` being `nil` will actually
+ # do the opposite of what the author intends.
+ #
+ # For example:
+ #
+ # [source,ruby]
+ # ----
+ # foo&.blank? #=> nil
+ # foo.blank? #=> true
+ # ----
#
# @example
# # bad
diff --git a/lib/rubocop/cop/rails/save_bang.rb b/lib/rubocop/cop/rails/save_bang.rb
index d9c7206a3a..c4d7cbc3b9 100644
--- a/lib/rubocop/cop/rails/save_bang.rb
+++ b/lib/rubocop/cop/rails/save_bang.rb
@@ -25,6 +25,25 @@ module Rails
# You can permit receivers that are giving false positives with
# `AllowedReceivers: []`
#
+ # @safety
+ # This cop's autocorrection is unsafe because a custom `update` method call would be changed to `update!`,
+ # but the method name in the definition would be unchanged.
+ #
+ # [source,ruby]
+ # ----
+ # # Original code
+ # def update_attributes
+ # end
+ #
+ # update_attributes
+ #
+ # # After running rubocop --safe-auto-correct
+ # def update_attributes
+ # end
+ #
+ # update
+ # ----
+ #
# @example
#
# # bad
diff --git a/lib/rubocop/cop/rails/squished_sql_heredocs.rb b/lib/rubocop/cop/rails/squished_sql_heredocs.rb
index 834969bc91..6a93980fbb 100644
--- a/lib/rubocop/cop/rails/squished_sql_heredocs.rb
+++ b/lib/rubocop/cop/rails/squished_sql_heredocs.rb
@@ -5,8 +5,10 @@ module Cop
module Rails
#
# Checks SQL heredocs to use `.squish`.
- # Some SQL syntax (e.g. PostgreSQL comments and functions) requires newlines
- # to be preserved in order to work, thus auto-correction for this cop is not safe.
+ #
+ # @safety
+ # Some SQL syntax (e.g. PostgreSQL comments and functions) requires newlines
+ # to be preserved in order to work, thus auto-correction for this cop is not safe.
#
# @example
# # bad
diff --git a/lib/rubocop/cop/rails/time_zone.rb b/lib/rubocop/cop/rails/time_zone.rb
index 90ef9d5ff9..4053b8a74a 100644
--- a/lib/rubocop/cop/rails/time_zone.rb
+++ b/lib/rubocop/cop/rails/time_zone.rb
@@ -14,6 +14,9 @@ module Rails
# When EnforcedStyle is 'flexible' then it's also allowed
# to use `Time#in_time_zone`.
#
+ # @safety
+ # This cop's autocorrection is unsafe because it may change handling time.
+ #
# @example
# # bad
# Time.now
diff --git a/lib/rubocop/cop/rails/uniq_before_pluck.rb b/lib/rubocop/cop/rails/uniq_before_pluck.rb
index 290c30e158..58e54df2b4 100644
--- a/lib/rubocop/cop/rails/uniq_before_pluck.rb
+++ b/lib/rubocop/cop/rails/uniq_before_pluck.rb
@@ -18,10 +18,11 @@ module Rails
# ActiveRecord::Relation vs a call to pluck on an
# ActiveRecord::Associations::CollectionProxy.
#
- # This cop is unsafe because the behavior may change depending on the
- # database collation.
- # Autocorrect is disabled by default for this cop since it may generate
- # false positives.
+ # @safety
+ # This cop is unsafe because the behavior may change depending on the
+ # database collation.
+ # Autocorrect is disabled by default for this cop since it may generate
+ # false positives.
#
# @example EnforcedStyle: conservative (default)
# # bad
diff --git a/lib/rubocop/cop/rails/where_equals.rb b/lib/rubocop/cop/rails/where_equals.rb
index 515d4db25f..8dfb79120b 100644
--- a/lib/rubocop/cop/rails/where_equals.rb
+++ b/lib/rubocop/cop/rails/where_equals.rb
@@ -6,6 +6,10 @@ module Rails
# This cop identifies places where manually constructed SQL
# in `where` can be replaced with `where(attribute: value)`.
#
+ # @safety
+ # This cop's autocorrection is unsafe because is may change SQL.
+ # See: https://github.com/rubocop/rubocop-rails/issues/403
+ #
# @example
# # bad
# User.where('name = ?', 'Gabe')
diff --git a/lib/rubocop/cop/rails/where_exists.rb b/lib/rubocop/cop/rails/where_exists.rb
index fb4146430c..71d33ff62d 100644
--- a/lib/rubocop/cop/rails/where_exists.rb
+++ b/lib/rubocop/cop/rails/where_exists.rb
@@ -11,16 +11,17 @@ module Rails
# When EnforcedStyle is 'where' then the cop enforces
# `where(...).exists?` over `exists?(...)`.
#
- # This cop is unsafe for auto-correction because the behavior may change on the following case:
+ # @safety
+ # This cop is unsafe for auto-correction because the behavior may change on the following case:
#
- # [source,ruby]
- # ----
- # Author.includes(:articles).where(articles: {id: id}).exists?
- # #=> Perform `eager_load` behavior (`LEFT JOIN` query) and get result.
+ # [source,ruby]
+ # ----
+ # Author.includes(:articles).where(articles: {id: id}).exists?
+ # #=> Perform `eager_load` behavior (`LEFT JOIN` query) and get result.
#
- # Author.includes(:articles).exists?(articles: {id: id})
- # #=> Perform `preload` behavior and `ActiveRecord::StatementInvalid` error occurs.
- # ----
+ # Author.includes(:articles).exists?(articles: {id: id})
+ # #=> Perform `preload` behavior and `ActiveRecord::StatementInvalid` error occurs.
+ # ----
#
# @example EnforcedStyle: exists (default)
# # bad