Bump devise, rails, byebug and pry-byebug#120

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/bundler/multi-775d4156ec

@dependabot dependabot bot commented on behalf of github Mar 17, 2026

Bumps devise, rails, byebug and pry-byebug. These dependencies needed to be updated together.
Updates devise from 4.9.4 to 5.0.3

Release notes

Sourced from devise's releases.

v5.0.3

https://github.com/heartcombo/devise/blob/v5.0.3/CHANGELOG.md#503---2026-03-16

v5.0.2

https://github.com/heartcombo/devise/blob/v5.0.2/CHANGELOG.md#502---2026-02-18

v5.0.1

https://github.com/heartcombo/devise/blob/v5.0.1/CHANGELOG.md#501---2026-02-13

v5.0.0

https://github.com/heartcombo/devise/blob/v5.0.0/CHANGELOG.md#500---2026-01-23

v5.0.0.rc

https://github.com/heartcombo/devise/blob/v5.0.0.rc/CHANGELOG.md#500rc---2025-12-31

Changelog

Sourced from devise's changelog.

5.0.3 - 2026-03-16

  • security fixes
    • Fix race condition vulnerability on confirmable "change email" which would allow confirming an email they don't own CVE-2026-32700 #5783 #5784

5.0.2 - 2026-02-18

  • enhancements
    • Allow resource class scopes to override the global configuration for sign_in_after_change_password behaviour. #5825
      • Note: some users ran into an issue with this change because RegistrationsController now relies on a setting from the :registerable module. These users were configuring their own routes pointing to the RegistrationsController for resource edit/update actions mostly, without relying on the other registration actions (e.g. user sign up.), so they omitted :registerable from the model declaration. While using just a portion of the controller functionality is a valid use for :registerable (or any module really), the module must still be declared in the model, much like the other modules must be declared if you plan on using just a portion of their behavior. Please check this issue for more info.
    • Add sign_in_after_reset_password? check hook to passwords controller, to allow it to be customized by users. #5826

5.0.1 - 2026-02-13

  • bug fixes
    • Fix translation issue with German E-Mail on invalid authentication messages caused by previous fix for incorrect grammar #5822

5.0.0 - 2026-01-23

no changes

5.0.0.rc - 2025-12-31

  • breaking changes

    • Drop support to Ruby < 2.7

    • Drop support to Rails < 7.0

    • Remove deprecated :bypass option from sign_in helper, use bypass_sign_in instead. #5803

    • Remove deprecated devise_error_messages! helper, use render "devise/shared/error_messages", resource: resource instead. #5803

    • Remove deprecated scope second argument from sign_in(resource, :admin) controller test helper, use sign_in(resource, scope: :admin) instead. #5803

    • Remove deprecated Devise::TestHelpers, use Devise::Test::ControllerHelpers instead. #5803

    • Remove deprecated Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION #5598

    • Remove deprecated Devise.activerecord51? method.

    • Remove SecretKeyFinder and use app.secret_key_base as the default secret key for Devise.secret_key if a custom Devise.secret_key is not provided.

      This is potentially a breaking change because Devise previously used the following order to find a secret key:

      app.credentials.secret_key_base > app.secrets.secret_key_base > application.config.secret_key_base > application.secret_key_base
      

      Now, it always uses application.secret_key_base. Make sure you're using the same secret key after the upgrade; otherwise, previously generated tokens for recoverable, lockable, and confirmable will be invalid. #5645

    • Change password instructions button label on devise view from Send me reset password instructions to Send me password reset instructions #5515

    • Change <br> tags separating form elements to wrapping them in <p> tags #5494

    • Replace [data-turbo-cache=false] with [data-turbo-temporary] on devise/shared/error_messages partial. This has been deprecated by Turbo since v7.3.0 (released on Mar 1, 2023).

      If you are using an older version of Turbo and the default devise template, you'll need to copy it over to your app and change that back to [data-turbo-cache=false].

  • enhancements

    • Add Rails 8 support.

... (truncated)

Commits
  • 2f80920 Release v5.0.3
  • 5334707 Add CVE to changelog [ci skip]
  • 0252777 Fix race condition vulnerability, by ensuring the unconfirmed_email is alwa...
  • 879f79f Bundle update
  • 0f4493b Configure default permissions as read-only for the workflow
  • 8c78576 Ignore test/** folder for GH default code scanning
  • c9e655e Bundle update, clear dependabot security issues
  • 3fd0610 Add a note to the changelog about an edge case issue some users ran into
  • 5b008ed Release v5.0.2
  • 916f94e Add sign_in_after_reset_password? check hook to passwords controller (#5826)
  • Additional commits viewable in compare view

Updates rails from 6.1.7.8 to 7.0.10

Release notes

Sourced from rails's releases.

7.0.10

See https://github.com/rails/rails/releases/tag/v7.0.9 for information about this release.

7.0.9

Active Support

  • Fix ActiveSupport::Notifications.publish_event to preserve units.

    This solves the incorrect reporting of time spent running Active Record asynchronous queries (by a factor 1000).

    Jean Boussier

  • Fix ActiveSupport::Deprecation to handle blaming generated code

    Jean Boussier, fatkodima

  • Fix #to_fs(:human_size) to correctly work with negative numbers.

    Earlopain

  • Add bigdecimal as Active Support dependency that is a bundled gem candidate for Ruby 3.4.

    bigdecimal 3.1.4 or higher version will be installed. Ruby 2.7 and 3.0 users who want bigdecimal version 2.0.0 or 3.0.0 behavior as a default gem, pin the bigdecimal version in your application Gemfile.

    Koichi ITO

  • Ensure {down,up}case_first returns non-frozen string.

    Jonathan Hefner

  • Add drb, mutex_m and base64 that are bundled gem candidates for Ruby 3.4

    Yasuo Honda

  • Fix delete_matched for file cache store to work with keys longer than the max filename size.

    fatkodima and Jonathan Hefner

  • Fix MemoryStore to prevent race conditions when incrementing or decrementing.

    Pierre Jambet

  • Fix MemoryStore to preserve entries TTL when incrementing or decrementing

    This is to be more consistent with how MemCachedStore and RedisCacheStore behaves.

... (truncated)

Commits
  • f4321f7 Preparing for 7.0.10 release
  • 4c6876c Use NPM trusted publishing for our NPM packages
  • 1a5613e Preparing for 7.0.9 release
  • 78f8e91 Fix test for Ruby 3.0 and Firefox options
  • 0a8898b Upgrade sigstore gem to 0.2.2
  • 727ba59 Sync changelog
  • cee4950 Merge pull request #55747 from skipkayhil/hm-kwzpqqkssmwtsunu
  • 245dd03 Merge pull request #50724 from aeroastro/feature/fix-minitest-dependency
  • 6c51e4c Merge pull request #54164 from zzak/asto-test-mini_magick-deprecation-warning
  • 3e8c6da Merge pull request #55812 from yahonda/bump-microsoftedge-version-to-latest
  • Additional commits viewable in compare view

Updates byebug from 11.1.3 to 13.0.0

Changelog

Sourced from byebug's changelog.

[13.0.0] - 2026-01-15

Fixed

  • #924: Use typed data APIs to fix Ruby 4.0 deprecation (@nobu).
  • #876: Add explicit require of stringio (@pabloh).
  • #909: Avoid loading readline at all to play nice with Ruby 4.0.
  • #905: Make reline an explicit dependency to fix Ruby 3.4 warnings.
  • #824: Improve startup by loading IRB lazily (@pocke).
  • #848: Grammar fixes in GUIDE.md (@alexymik).
  • #804: Fix typo in context.rb documentation (@ono-max).

Removed

  • Support for MRI 3.1. Byebug no longer installs on this platform.

[12.0.0] - 2025-03-25

Changed

  • #690: break without any arguments now sets a breakpoint on the current line, just like gdb (@sergioro9).

Fixed

  • #741: Small consistency issues in help messages.
  • #743: untracevar command crashing when giving a non existent global variable.
  • #744: Another punctuation tweak in enable breakpoints help message.
  • #736: Skip warning about $SAFE global variable on ruby 2.7 when listing global variables.

Added

Removed

  • Support for MRI 2.4, 2.5, 2.6, 2.7, and 3.0. Byebug no longer installs on this platform.

Updates pry-byebug from 3.10.1 to 3.12.0

Changelog

Sourced from pry-byebug's changelog.

3.12.0 (2026-01-16)

Added

  • Allow usage with Byebug 13 (#466).
  • Allow pry 0.16 (#462).

Removed

  • Support for Ruby 3.1. Pry-byebug no longer installs on these platforms (#467).

3.11.0 (2025-03-28)

Added

  • Byebug 12 compatibility, with Ruby 3.1, 3.2, and 3.3 support (#434).
  • Support for pry 0.15 (#428).

Removed

  • Support for Ruby 2.7, and 3.0. Pry-byebug no longer installs on these platforms (#433).

Bumps [devise](https://github.com/heartcombo/devise), [rails](https://github.com/rails/rails), [byebug](https://github.com/deivid-rodriguez/byebug) and [pry-byebug](https://github.com/deivid-rodriguez/pry-byebug). These dependencies needed to be updated together.

Updates `devise` from 4.9.4 to 5.0.3
- [Release notes](https://github.com/heartcombo/devise/releases)
- [Changelog](https://github.com/heartcombo/devise/blob/main/CHANGELOG.md)
- [Commits](heartcombo/devise@v4.9.4...v5.0.3)

Updates `rails` from 6.1.7.8 to 7.0.10
- [Release notes](https://github.com/rails/rails/releases)
- [Commits](rails/rails@v6.1.7.8...v7.0.10)

Updates `byebug` from 11.1.3 to 13.0.0
- [Release notes](https://github.com/deivid-rodriguez/byebug/releases)
- [Changelog](https://github.com/deivid-rodriguez/byebug/blob/main/CHANGELOG.md)
- [Commits](deivid-rodriguez/byebug@v11.1.3...v13.0.0)

Updates `pry-byebug` from 3.10.1 to 3.12.0
- [Release notes](https://github.com/deivid-rodriguez/pry-byebug/releases)
- [Changelog](https://github.com/deivid-rodriguez/pry-byebug/blob/master/CHANGELOG.md)
- [Commits](deivid-rodriguez/pry-byebug@v3.10.1...v3.12.0)

---
updated-dependencies:
- dependency-name: devise
  dependency-version: 5.0.3
  dependency-type: direct:production
- dependency-name: rails
  dependency-version: 7.0.10
  dependency-type: direct:production
- dependency-name: byebug
  dependency-version: 13.0.0
  dependency-type: direct:development
- dependency-name: pry-byebug
  dependency-version: 3.12.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies and ruby labels Mar 17, 2026
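
An added example (not Devise's or this repository's code) for the `SecretKeyFinder` removal in the 5.0.0.rc changelog quoted above: it models the old lookup order and the new single source, and reports whether the effective key changes across the upgrade. `KeySources`, the function names and the plain HMAC-SHA256 digest are assumptions for illustration; Devise's real token derivation is not reproduced here.

```ruby
require "openssl"

# Hypothetical stand-in for the four lookup locations named in the changelog.
# Fill it from your own app's values; it is not a Rails or Devise object.
KeySources = Struct.new(:credentials, :secrets, :config, :application, keyword_init: true)

def present_key?(key)
  key.is_a?(String) && !key.empty?
end

# Devise 4.x order as quoted in the changelog: first non-empty source wins.
def legacy_devise_key(src)
  [src.credentials, src.secrets, src.config, src.application].find { |k| present_key?(k) }
end

# Devise 5 per the changelog: always application.secret_key_base.
def devise5_key(src)
  src.application
end

# Simplified digest (plain HMAC-SHA256), an assumption used only to show that
# a stored digest depends on the key; not Devise's actual derivation.
def token_digest(key, raw_token)
  OpenSSL::HMAC.hexdigest("SHA256", key, raw_token)
end

# Returns whether the key changes and whether a digest stored before the
# upgrade would still match afterwards.
def upgrade_report(src, raw_token: "constructed-sample-token")
  old_key = legacy_devise_key(src)
  new_key = devise5_key(src)
  raise ArgumentError, "application.secret_key_base is empty" unless present_key?(new_key)

  stored = token_digest(old_key, raw_token)
  { key_changes: old_key != new_key,
    outstanding_tokens_valid: stored == token_digest(new_key, raw_token) }
end

# Constructed sample: a legacy secrets value shadows the application-level key.
SAMPLE = KeySources.new(credentials: nil, secrets: "constructed-old-key",
                        config: "", application: "constructed-new-key")
puts upgrade_report(SAMPLE).inspect if $PROGRAM_NAME == __FILE__
```

If `key_changes` is true for your values, set `Devise.secret_key` explicitly to the old key before merging, or plan for outstanding recoverable, lockable and confirmable tokens to be rejected.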