Skip to content

Bump devise from 4.9.4 to 5.0.3#319

Merged
matt-bernhardt merged 1 commit intomainfrom
dependabot/bundler/devise-5.0.3
Apr 1, 2026
Merged

Bump devise from 4.9.4 to 5.0.3#319
matt-bernhardt merged 1 commit intomainfrom
dependabot/bundler/devise-5.0.3

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Mar 17, 2026
edited
Loading

Bumps devise from 4.9.4 to 5.0.3.

Release notes

Sourced from devise's releases.

v5.0.3

https://github.com/heartcombo/devise/blob/v5.0.3/CHANGELOG.md#503---2026-03-16

v5.0.2

https://github.com/heartcombo/devise/blob/v5.0.2/CHANGELOG.md#502---2026-02-18

v5.0.1

https://github.com/heartcombo/devise/blob/v5.0.1/CHANGELOG.md#501---2026-02-13

v5.0.0

https://github.com/heartcombo/devise/blob/v5.0.0/CHANGELOG.md#500---2026-01-23

v5.0.0.rc

https://github.com/heartcombo/devise/blob/v5.0.0.rc/CHANGELOG.md#500rc---2025-12-31

Changelog

Sourced from devise's changelog.

5.0.3 - 2026-03-16

  • security fixes
    • Fix race condition vulnerability on confirmable "change email" which would allow confirming an email they don't own CVE-2026-32700 #5783 #5784

5.0.2 - 2026-02-18

  • enhancements
    • Allow resource class scopes to override the global configuration for sign_in_after_change_password behaviour. #5825
      • Note: some users ran into an issue with this change because RegistrationsController now relies on a setting from the :registerable module. These users were configuring their own routes pointing to the RegistrationsController for resource edit/update actions mostly, without relying on the other registration actions (e.g. user sign up.), so they omitted :registerable from the model declaration. While using just a portion of the controller functionality is a valid use for :registerable (or any module really), the module must still be declared in the model, much like the other modules must be declared if you plan on using just a portion of their behavior. Please check this issue for more info.
    • Add sign_in_after_reset_password? check hook to passwords controller, to allow it to be customized by users. #5826

5.0.1 - 2026-02-13

  • bug fixes
    • Fix translation issue with German E-Mail on invalid authentication messages caused by previous fix for incorrect grammar #5822

5.0.0 - 2026-01-23

no changes

5.0.0.rc - 2025-12-31

  • breaking changes

    • Drop support to Ruby < 2.7

    • Drop support to Rails < 7.0

    • Remove deprecated :bypass option from sign_in helper, use bypass_sign_in instead. #5803

    • Remove deprecated devise_error_messages! helper, use render "devise/shared/error_messages", resource: resource instead. #5803

    • Remove deprecated scope second argument from sign_in(resource, :admin) controller test helper, use sign_in(resource, scope: :admin) instead. #5803

    • Remove deprecated Devise::TestHelpers, use Devise::Test::ControllerHelpers instead. #5803

    • Remove deprecated Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION #5598

    • Remove deprecated Devise.activerecord51? method.

    • Remove SecretKeyFinder and use app.secret_key_base as the default secret key for Devise.secret_key if a custom Devise.secret_key is not provided.

      This is potentially a breaking change because Devise previously used the following order to find a secret key:

      app.credentials.secret_key_base > app.secrets.secret_key_base > application.config.secret_key_base > application.secret_key_base

      Now, it always uses application.secret_key_base. Make sure you're using the same secret key after the upgrade; otherwise, previously generated tokens for recoverable, lockable, and confirmable will be invalid. #5645

    • Change password instructions button label on devise view from Send me reset password instructions to Send me password reset instructions #5515

    • Change <br> tags separating form elements to wrapping them in <p> tags #5494

    • Replace [data-turbo-cache=false] with [data-turbo-temporary] on devise/shared/error_messages partial. This has been deprecated by Turbo since v7.3.0 (released on Mar 1, 2023).

      If you are using an older version of Turbo and the default devise template, you'll need to copy it over to your app and change that back to [data-turbo-cache=false].

  • enhancements

    • Add Rails 8 support.

... (truncated)

Commits
  • 2f80920 Release v5.0.3
  • 5334707 Add CVE to changelog [ci skip]
  • 0252777 Fix race condition vulnerability, by ensuring the unconfirmed_email is alwa...
  • 879f79f Bundle update
  • 0f4493b Configure default permissions as read-only for the workflow
  • 8c78576 Ignore test/** folder for GH default code scanning
  • c9e655e Bundle update, clear dependabot security issues
  • 3fd0610 Add a note to the changelog about an edge case issue some users ran into
  • 5b008ed Release v5.0.2
  • 916f94e Add sign_in_after_reset_password? check hook to passwords controller (#5826)
  • Additional commits viewable in compare view

@dependabot dependabot bot added dependencies Pull requests that update a dependency file ruby Pull requests that update ruby code labels Mar 17, 2026
@mitlib mitlib temporarily deployed to tacos-api-pipeline-pr-319 March 17, 2026 18:07 Inactive
@dependabot dependabot bot force-pushed the dependabot/bundler/devise-5.0.3 branch from 6adcbe6 to 0568ce0 Compare April 1, 2026 17:52
@matt-bernhardt
Copy link
Copy Markdown
Member

matt-bernhardt commented Apr 1, 2026

@dependabot rebase

@dependabot
Bump devise from 4.9.4 to 5.0.3
76f4529 
Bumps [devise](https://github.com/heartcombo/devise) from 4.9.4 to 5.0.3.
- [Release notes](https://github.com/heartcombo/devise/releases)
- [Changelog](https://github.com/heartcombo/devise/blob/main/CHANGELOG.md)
- [Commits](heartcombo/devise@v4.9.4...v5.0.3)

---
updated-dependencies:
- dependency-name: devise
  dependency-version: 5.0.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/bundler/devise-5.0.3 branch from 0568ce0 to 76f4529 Compare April 1, 2026 17:55
@matt-bernhardt matt-bernhardt merged commit f647a4a into main Apr 1, 2026
3 checks passed
@dependabot dependabot bot deleted the dependabot/bundler/devise-5.0.3 branch April 1, 2026 18:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file ruby Pull requests that update ruby code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@matt-bernhardt @mitlib