Skip to content

Bump devise and rails#4

Open
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/bundler/multi-62d88e3961
Open

Bump devise and rails#4
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/bundler/multi-62d88e3961

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Mar 17, 2026

Bumps devise and rails. These dependencies needed to be updated together.
Updates devise from 1.2.1 to 5.0.3

Release notes

Sourced from devise's releases.

v5.0.3

https://github.com/heartcombo/devise/blob/v5.0.3/CHANGELOG.md#503---2026-03-16

v5.0.2

https://github.com/heartcombo/devise/blob/v5.0.2/CHANGELOG.md#502---2026-02-18

v5.0.1

https://github.com/heartcombo/devise/blob/v5.0.1/CHANGELOG.md#501---2026-02-13

v5.0.0

https://github.com/heartcombo/devise/blob/v5.0.0/CHANGELOG.md#500---2026-01-23

v5.0.0.rc

https://github.com/heartcombo/devise/blob/v5.0.0.rc/CHANGELOG.md#500rc---2025-12-31

v4.9.4

https://github.com/heartcombo/devise/blob/v4.9.4/CHANGELOG.md#494---2024-04-10

v4.9.3

https://github.com/heartcombo/devise/blob/v4.9.3/CHANGELOG.md#493---2023-10-11

v4.9.2

https://github.com/heartcombo/devise/blob/v4.9.2/CHANGELOG.md#unreleased

v4.9.1

https://github.com/heartcombo/devise/blob/v4.9.1/CHANGELOG.md#491---2023-03-31

v4.9.0

https://github.com/heartcombo/devise/blob/v4.9.0/CHANGELOG.md#490---2023-02-17

v4.8.1

No release notes provided.

v4.8.0

No release notes provided.

v4.7.1

No release notes provided.

v4.7.0

No release notes provided.

v4.6.2

No release notes provided.

v4.6.1

No release notes provided.

v4.6.0

No release notes provided.

... (truncated)

Changelog

Sourced from devise's changelog.

5.0.3 - 2026-03-16

  • security fixes
    • Fix race condition vulnerability on confirmable "change email" which would allow confirming an email they don't own CVE-2026-32700 #5783 #5784

5.0.2 - 2026-02-18

  • enhancements
    • Allow resource class scopes to override the global configuration for sign_in_after_change_password behaviour. #5825
      • Note: some users ran into an issue with this change because RegistrationsController now relies on a setting from the :registerable module. These users were configuring their own routes pointing to the RegistrationsController for resource edit/update actions mostly, without relying on the other registration actions (e.g. user sign up.), so they omitted :registerable from the model declaration. While using just a portion of the controller functionality is a valid use for :registerable (or any module really), the module must still be declared in the model, much like the other modules must be declared if you plan on using just a portion of their behavior. Please check this issue for more info.
    • Add sign_in_after_reset_password? check hook to passwords controller, to allow it to be customized by users. #5826

5.0.1 - 2026-02-13

  • bug fixes
    • Fix translation issue with German E-Mail on invalid authentication messages caused by previous fix for incorrect grammar #5822

5.0.0 - 2026-01-23

no changes

5.0.0.rc - 2025-12-31

  • breaking changes

    • Drop support to Ruby < 2.7

    • Drop support to Rails < 7.0

    • Remove deprecated :bypass option from sign_in helper, use bypass_sign_in instead. #5803

    • Remove deprecated devise_error_messages! helper, use render "devise/shared/error_messages", resource: resource instead. #5803

    • Remove deprecated scope second argument from sign_in(resource, :admin) controller test helper, use sign_in(resource, scope: :admin) instead. #5803

    • Remove deprecated Devise::TestHelpers, use Devise::Test::ControllerHelpers instead. #5803

    • Remove deprecated Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION #5598

    • Remove deprecated Devise.activerecord51? method.

    • Remove SecretKeyFinder and use app.secret_key_base as the default secret key for Devise.secret_key if a custom Devise.secret_key is not provided.

      This is potentially a breaking change because Devise previously used the following order to find a secret key:

      app.credentials.secret_key_base > app.secrets.secret_key_base > application.config.secret_key_base > application.secret_key_base

      Now, it always uses application.secret_key_base. Make sure you're using the same secret key after the upgrade; otherwise, previously generated tokens for recoverable, lockable, and confirmable will be invalid. #5645

    • Change password instructions button label on devise view from Send me reset password instructions to Send me password reset instructions #5515

    • Change <br> tags separating form elements to wrapping them in <p> tags #5494

    • Replace [data-turbo-cache=false] with [data-turbo-temporary] on devise/shared/error_messages partial. This has been deprecated by Turbo since v7.3.0 (released on Mar 1, 2023).

      If you are using an older version of Turbo and the default devise template, you'll need to copy it over to your app and change that back to [data-turbo-cache=false].

  • enhancements

    • Add Rails 8 support.

... (truncated)

Commits
  • 2f80920 Release v5.0.3
  • 5334707 Add CVE to changelog [ci skip]
  • 0252777 Fix race condition vulnerability, by ensuring the unconfirmed_email is alwa...
  • 879f79f Bundle update
  • 0f4493b Configure default permissions as read-only for the workflow
  • 8c78576 Ignore test/** folder for GH default code scanning
  • c9e655e Bundle update, clear dependabot security issues
  • 3fd0610 Add a note to the changelog about an edge case issue some users ran into
  • 5b008ed Release v5.0.2
  • 916f94e Add sign_in_after_reset_password? check hook to passwords controller (#5826)
  • Additional commits viewable in compare view

Updates rails from 3.0.10 to 8.1.2

Release notes

Sourced from rails's releases.

8.1.2

Active Support

  • Make delegate and delegate_missing_to work in BasicObject subclasses.

    Rafael Mendonça França

  • Fix Inflectors when using a locale that fallbacks to :en.

    Said Kaldybaev

  • Fix ActiveSupport::TimeWithZone#as_json to consistently return UTF-8 strings.

    Previously the returned string would sometime be encoded in US-ASCII, which in some cases may be problematic.

    Now the method consistently always return UTF-8 strings.

    Jean Boussier

  • Fix TimeWithZone#xmlschema when wrapping a DateTime instance in local time.

    Previously it would return an invalid time.

    Dmytro Rymar

  • Implement LocalCache strategy on ActiveSupport::Cache::MemoryStore. The memory store needs to respond to the same interface as other cache stores (e.g. ActiveSupport::NullStore).

    Mikey Gough

  • Fix ActiveSupport::Inflector.humanize with international characters.

    ActiveSupport::Inflector.humanize("áÉÍÓÚ")  # => "Áéíóú"
ActiveSupport::Inflector.humanize("аБВГДЕ") # => "Абвгде"

    Jose Luis Duran

Active Model

  • No changes.

Active Record

  • Fix counting cached queries in ActiveRecord::RuntimeRegistry.

... (truncated)

Commits
  • d7c8ae6 Preparing for 8.1.2 release
  • 695ac6d Update Gemfile.lock
  • 01263f1 Merge pull request #56512 from byroot/remove-minitest-ci
  • 3ea2701 CHANGELOG sync
  • d3fe83f Merge pull request #56541 from rails/remove-system-test-from-default-ci-template
  • 5283514 Merge pull request #56012 from jmalcic/restore-default-adc-for-gcs-iam-client
  • 53e82ef Merge pull request #56534 from khasinski/fix-sqlite3-schema-dump-default-nil
  • d2509f8 Allow backburner warning
  • 8c48fd1 Merge pull request #56535 from eglitobias/8-1-stable
  • adcface Fix PostgreSQL schema_search_path after reconnect and reset
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump devise and rails
ad4d92a 
Bumps [devise](https://github.com/heartcombo/devise) and [rails](https://github.com/rails/rails). These dependencies needed to be updated together.

Updates `devise` from 1.2.1 to 5.0.3
- [Release notes](https://github.com/heartcombo/devise/releases)
- [Changelog](https://github.com/heartcombo/devise/blob/main/CHANGELOG.md)
- [Commits](heartcombo/devise@v1.2.1...v5.0.3)

Updates `rails` from 3.0.10 to 8.1.2
- [Release notes](https://github.com/rails/rails/releases)
- [Commits](rails/rails@v3.0.10...v8.1.2)

---
updated-dependencies:
- dependency-name: devise
  dependency-version: 5.0.3
  dependency-type: direct:production
- dependency-name: rails
  dependency-version: 8.1.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file ruby Pull requests that update ruby code labels Mar 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file ruby Pull requests that update ruby code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants