Bump devise, rails and rubocop #247

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/bundler/multi-a9aba319e2

dependabot[bot] commented on behalf of github on Apr 29, 2026

Bumps devise, rails and rubocop. These dependencies needed to be updated together.
Updates devise from 4.9.4 to 5.0.3

Release notes

Sourced from devise's releases.

v5.0.3

https://github.com/heartcombo/devise/blob/v5.0.3/CHANGELOG.md#503---2026-03-16

v5.0.2

https://github.com/heartcombo/devise/blob/v5.0.2/CHANGELOG.md#502---2026-02-18

v5.0.1

https://github.com/heartcombo/devise/blob/v5.0.1/CHANGELOG.md#501---2026-02-13

v5.0.0

https://github.com/heartcombo/devise/blob/v5.0.0/CHANGELOG.md#500---2026-01-23

v5.0.0.rc

https://github.com/heartcombo/devise/blob/v5.0.0.rc/CHANGELOG.md#500rc---2025-12-31

Changelog

Sourced from devise's changelog.

5.0.3 - 2026-03-16

5.0.2 - 2026-02-18

  • enhancements
    • Allow resource class scopes to override the global configuration for sign_in_after_change_password behaviour. #5825
      • Note: some users ran into an issue with this change because RegistrationsController now relies on a setting from the :registerable module. These users were configuring their own routes pointing to the RegistrationsController for resource edit/update actions mostly, without relying on the other registration actions (e.g. user sign up.), so they omitted :registerable from the model declaration. While using just a portion of the controller functionality is a valid use for :registerable (or any module really), the module must still be declared in the model, much like the other modules must be declared if you plan on using just a portion of their behavior. Please check this issue for more info.
    • Add sign_in_after_reset_password? check hook to passwords controller, to allow it to be customized by users. #5826

5.0.1 - 2026-02-13

  • bug fixes
    • Fix translation issue with German E-Mail on invalid authentication messages caused by previous fix for incorrect grammar #5822

5.0.0 - 2026-01-23

no changes

5.0.0.rc - 2025-12-31

  • breaking changes

    • Drop support to Ruby < 2.7

    • Drop support to Rails < 7.0

    • Remove deprecated :bypass option from sign_in helper, use bypass_sign_in instead. #5803

    • Remove deprecated devise_error_messages! helper, use render "devise/shared/error_messages", resource: resource instead. #5803

    • Remove deprecated scope second argument from sign_in(resource, :admin) controller test helper, use sign_in(resource, scope: :admin) instead. #5803

    • Remove deprecated Devise::TestHelpers, use Devise::Test::ControllerHelpers instead. #5803

    • Remove deprecated Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION #5598

    • Remove deprecated Devise.activerecord51? method.

    • Remove SecretKeyFinder and use app.secret_key_base as the default secret key for Devise.secret_key if a custom Devise.secret_key is not provided.

      This is potentially a breaking change because Devise previously used the following order to find a secret key:

      app.credentials.secret_key_base > app.secrets.secret_key_base > application.config.secret_key_base > application.secret_key_base
      

      Now, it always uses application.secret_key_base. Make sure you're using the same secret key after the upgrade; otherwise, previously generated tokens for recoverable, lockable, and confirmable will be invalid. #5645

    • Change password instructions button label on devise view from Send me reset password instructions to Send me password reset instructions #5515

    • Change <br> tags separating form elements to wrapping them in <p> tags #5494

    • Replace [data-turbo-cache=false] with [data-turbo-temporary] on devise/shared/error_messages partial. This has been deprecated by Turbo since v7.3.0 (released on Mar 1, 2023).

      If you are using an older version of Turbo and the default devise template, you'll need to copy it over to your app and change that back to [data-turbo-cache=false].

  • enhancements

    • Add Rails 8 support.

... (truncated)

Commits
  • 2f80920 Release v5.0.3
  • 5334707 Add CVE to changelog [ci skip]
  • 0252777 Fix race condition vulnerability, by ensuring the unconfirmed_email is alwa...
  • 879f79f Bundle update
  • 0f4493b Configure default permissions as read-only for the workflow
  • 8c78576 Ignore test/** folder for GH default code scanning
  • c9e655e Bundle update, clear dependabot security issues
  • 3fd0610 Add a note to the changelog about an edge case issue some users ran into
  • 5b008ed Release v5.0.2
  • 916f94e Add sign_in_after_reset_password? check hook to passwords controller (#5826)
  • Additional commits viewable in compare view

Updates rails from 6.1.7.10 to 8.1.3

Release notes

Sourced from rails's releases.

8.1.3

Active Support

  • Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

    When hash keys are custom objects whose as_json returns a Hash, the encoder now calls to_s on the original key object instead of on the as_json result.

    Before:

    hash = {CustomKey.new(123) => "value"}
    hash.to_json # => {"{:id=>123}":"value"}

    After:

    hash.to_json # => {"custom_123":"value"}

    Dan Sharp

  • Fix inflections to better handle overlapping acronyms.

    ActiveSupport::Inflector.inflections(:en) do |inflect|
      inflect.acronym "USD"
      inflect.acronym "USDC"
    end
    "USDC".underscore # => "usdc"

    Said Kaldybaev

  • Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

    zzak

Active Model

  • Fix Ruby 4.0 delegator warning when calling inspect on attributes.

    Hammad Khan

  • Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

    The performance optimisation that replaced @range with @max/@min broke Marshal compatibility. Objects serialised under 8.0 (with @range) and deserialised under 8.1 (expecting @max/@min) would crash with undefined method '<=' for nil because Marshal.load restores instance variables without calling initialize.

... (truncated)

Commits
  • fa8f081 Preparing for 8.1.3 release
  • 63cef3d Merge branch '8-1-sec' into 8-1-stable
  • 1db4b89 Preparing for 8.1.2.1 release
  • 1c7d1cf Update changelog
  • e91694b Update CHANGELOG (8.1 only)
  • 6752711 Fix XSS in debug exceptions copy-to-clipboard
  • 63f5ad8 Skip blank attribute names in Action View tag helpers
  • 8c9676b Prevent glob injection in ActiveStorage DiskService#delete_prefixed
  • 9b06fbc Prevent path traversal in ActiveStorage DiskService
  • ec1a0e2 Improve performance of NumberToDelimitedConverter
  • Additional commits viewable in compare view

Updates rubocop from 1.86.0 to 1.86.1

Release notes

Sourced from rubocop's releases.

RuboCop v1.86.1

Bug fixes

  • #11051: Fix Style/AccessModifierDeclarations inline autocorrect dropping comments between the access modifier and the following method definition. (@​dduugg)
  • #14665: Cache plugin integration in CopHelper to avoid repeated loading. (@​55728)
  • #15091: Fix Lint/DuplicateMethods false positives for anonymous classes in constant assignments and method return values. (@​eugeneius)
  • #15055: Fix Lint/DuplicateMethods false positives with anonymous classes inside blocks (e.g. RSpec let, describe). (@​ShkumbinDelija)
  • #15035: Exclude included_modules from Style/ModuleMemberExistenceCheck. (@​koic)
  • #15087: Fix false positive for Style/RedundantLineContinuation when using interpolated string literals. (@​koic)
  • #14361: Fix false positive in file_to_include? when a relative Include pattern matches a parent directory name in the absolute file path. (@​jonas054)
  • #15090: Fix false positives for Layout/EmptyLineAfterGuardClause when consecutive guard clauses use and return. (@​eugeneius)
  • #15070: Fix false positive for Lint/RedundantSafeNavigation when chained safe navigation is used in a conditional expression with InferNonNilReceiver enabled. (@​koic)
  • #15074: Fix false positives in Style/RedundantParentheses when using parentheses around an endless range in assignment. (@​koic)
  • #15048: Fix issue where the url_for is missing for Cops without instance methods. (@​Fryguy)
  • #15051: Fix Style/RedundantParentheses handling of beginless ranges. (@​oggy)
  • #14980: Fix Lint/Syntax zero-length diagnostic range for syntax errors at EOF. (@​55728)
  • #15084: Handle heredocs with methods calls correctly when fixing guard clauses. (@​G-Rath)
  • #11398: Fix incorrect Include path adjustment when local config overrides an inherited Include. (@​jonas054)
  • #15092: Fix Layout/EndAlignment cop error on an empty begin. (@​viralpraxis)
  • #15059: Fix an error in Layout/LineLength when SplitStrings option is enabled and __FILE__ is used. (@​jeromedalbert)
  • #5876: Fix Lint/UnusedMethodArgument false positive when block argument is used via yield. (@​dduugg)
  • #15093: Return tool execution errors instead of protocol errors in MCP server. (@​koic)

Changes

  • #15005: Make Style/OneClassPerFile exclude spec/**/* and test/**/* by default. (@​koic)
  • #15081: Relax parallel dependency to >= 1.10. (@​koic)
  • #15063: Disable Style/RedundantStructKeywordInit cop by default. (@​koic)

Changelog

Sourced from rubocop's changelog.

1.86.1 (2026-04-09)

Bug fixes

  • #11051: Fix Style/AccessModifierDeclarations inline autocorrect dropping comments between the access modifier and the following method definition. (@​dduugg)
  • #14665: Cache plugin integration in CopHelper to avoid repeated loading. (@​55728)
  • #15091: Fix Lint/DuplicateMethods false positives for anonymous classes in constant assignments and method return values. (@​eugeneius)
  • #15055: Fix Lint/DuplicateMethods false positives with anonymous classes inside blocks (e.g. RSpec let, describe). (@​ShkumbinDelija)
  • #15035: Exclude included_modules from Style/ModuleMemberExistenceCheck. (@​koic)
  • #15087: Fix false positive for Style/RedundantLineContinuation when using interpolated string literals. (@​koic)
  • #14361: Fix false positive in file_to_include? when a relative Include pattern matches a parent directory name in the absolute file path. (@​jonas054)
  • #15090: Fix false positives for Layout/EmptyLineAfterGuardClause when consecutive guard clauses use and return. (@​eugeneius)
  • #15070: Fix false positive for Lint/RedundantSafeNavigation when chained safe navigation is used in a conditional expression with InferNonNilReceiver enabled. (@​koic)
  • #15074: Fix false positives in Style/RedundantParentheses when using parentheses around an endless range in assignment. (@​koic)
  • #15048: Fix issue where the url_for is missing for Cops without instance methods. (@​Fryguy)
  • #15051: Fix Style/RedundantParentheses handling of beginless ranges. (@​oggy)
  • #14980: Fix Lint/Syntax zero-length diagnostic range for syntax errors at EOF. (@​55728)
  • #15084: Handle heredocs with methods calls correctly when fixing guard clauses. (@​G-Rath)
  • #11398: Fix incorrect Include path adjustment when local config overrides an inherited Include. (@​jonas054)
  • #15092: Fix Layout/EndAlignment cop error on an empty begin. (@​viralpraxis)
  • #15059: Fix an error in Layout/LineLength when SplitStrings option is enabled and __FILE__ is used. (@​jeromedalbert)
  • #5876: Fix Lint/UnusedMethodArgument false positive when block argument is used via yield. (@​dduugg)
  • #15093: Return tool execution errors instead of protocol errors in MCP server. (@​koic)

Changes

  • #15005: Make Style/OneClassPerFile exclude spec/**/* and test/**/* by default. (@​koic)
  • #15081: Relax parallel dependency to >= 1.10. (@​koic)
  • #15063: Disable Style/RedundantStructKeywordInit cop by default. (@​koic)

Commits
  • af80266 Cut 1.86.1
  • eb504ce Update Changelog
  • 9c8fe2c Merge pull request #15085 from G-Rath/fix-style-guard
  • 11d796a Merge pull request #15093 from koic/fix_return_tool_execution_errors_instead_...
  • 4450067 Return tool execution errors instead of protocol errors in MCP server
  • ff64180 Merge pull request #15092 from viralpraxis/fix-an-error-for-layout-end-alignm...
  • 11e04c0 Merge pull request #15091 from eugeneius/duplicate_methods_anonymous_classes
  • b8deea4 Merge pull request #15090 from eugeneius/guard_clause_and_return
  • e130020 Fix Layout/EndAlignment cop error on an empty begin
  • 4808594 Fix DuplicateMethods for anonymous classes in constant assignments and methods
  • Additional commits viewable in compare view

Bumps [devise](https://github.com/heartcombo/devise), [rails](https://github.com/rails/rails) and [rubocop](https://github.com/rubocop/rubocop). These dependencies needed to be updated together.

Updates `devise` from 4.9.4 to 5.0.3
- [Release notes](https://github.com/heartcombo/devise/releases)
- [Changelog](https://github.com/heartcombo/devise/blob/main/CHANGELOG.md)
- [Commits](heartcombo/devise@v4.9.4...v5.0.3)

Updates `rails` from 6.1.7.10 to 8.1.3
- [Release notes](https://github.com/rails/rails/releases)
- [Commits](rails/rails@v6.1.7.10...v8.1.3)

Updates `rubocop` from 1.86.0 to 1.86.1
- [Release notes](https://github.com/rubocop/rubocop/releases)
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
- [Commits](rubocop/rubocop@v1.86.0...v1.86.1)

---
updated-dependencies:
- dependency-name: devise
  dependency-version: 5.0.3
  dependency-type: direct:production
- dependency-name: rails
  dependency-version: 8.1.3
  dependency-type: direct:production
- dependency-name: rubocop
  dependency-version: 1.86.1
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and ruby (Pull requests that update Ruby code) labels on Apr 29, 2026
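
The devise 5.0.0.rc changelog entry quoted above warns that recoverable, lockable and confirmable tokens become invalid if the secret key changes with the new lookup. The Ruby below is an added example, not code from Devise or from this PR, that compares the key the old lookup order would have chosen with `application.secret_key_base`. The names `legacy_devise_key`, `secret_key_audit` and `token_digest` are hypothetical, the sample values are constructed, "first non-blank value wins" is an assumption about the old finder, and `token_digest` is a simplified stand-in rather than Devise's real derivation.

```ruby
require "openssl"

# Lookup order Devise 4.x used to pick its secret key, as listed in the
# 5.0.0.rc changelog entry. Devise 5 reads only application.secret_key_base.
LEGACY_ORDER = %i[credentials secrets config application].freeze

# Returns [source_name, key] for the first non-blank candidate.
# Assumption: the old finder skipped nil/empty values and took the next one.
def legacy_devise_key(sources)
  name = LEGACY_ORDER.find { |n| !sources[n].to_s.strip.empty? }
  [name, name && sources[name]]
end

# Compares the key Devise 4.x would have used with the one Devise 5 will use.
def secret_key_audit(sources)
  legacy_source, legacy_key = legacy_devise_key(sources)
  { legacy_source: legacy_source,
    tokens_survive: !legacy_key.nil? && legacy_key == sources[:application] }
end

# Simplified stand-in for a keyed token digest (NOT Devise's real derivation):
# it only shows that a digest stored under one key fails under another.
def token_digest(key, raw_token)
  OpenSSL::HMAC.hexdigest("SHA256", key, raw_token)
end

# Constructed sample values; in a real app they would be read from
# Rails.application.credentials, .secrets, .config and .secret_key_base.
DRIFTED = { credentials: nil, secrets: "old-secret-from-secrets-yml",
            config: "value-set-in-config", application: "value-set-in-config" }.freeze
ALIGNED = { credentials: "same-key", secrets: nil,
            config: "same-key", application: "same-key" }.freeze

if __FILE__ == $PROGRAM_NAME
  [DRIFTED, ALIGNED].each { |s| p secret_key_audit(s) }
  stored = token_digest(DRIFTED[:secrets], "reset-token")
  p stored == token_digest(DRIFTED[:application], "reset-token")
end
```

Run the audit against the pre-upgrade application: a `tokens_survive: false` result means outstanding reset, unlock and confirmation links will stop working after the bump unless `Devise.secret_key` is set explicitly to the old value.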