Bump devise, rails and dotenv-rails

[dependabot]

Bumps devise, rails and dotenv-rails. These dependencies needed to be updated together.
Updates devise from 4.9.4 to 5.0.3

Release notes

Sourced from devise's releases.

v5.0.3

https://github.com/heartcombo/devise/blob/v5.0.3/CHANGELOG.md#503---2026-03-16

v5.0.2

https://github.com/heartcombo/devise/blob/v5.0.2/CHANGELOG.md#502---2026-02-18

v5.0.1

https://github.com/heartcombo/devise/blob/v5.0.1/CHANGELOG.md#501---2026-02-13

v5.0.0

https://github.com/heartcombo/devise/blob/v5.0.0/CHANGELOG.md#500---2026-01-23

v5.0.0.rc

https://github.com/heartcombo/devise/blob/v5.0.0.rc/CHANGELOG.md#500rc---2025-12-31

Changelog

Sourced from devise's changelog.

5.0.3 - 2026-03-16

• security fixes
  • Fix race condition vulnerability on confirmable "change email" which would allow confirming an email they don't own CVE-2026-32700 #5783 #5784

5.0.2 - 2026-02-18

• enhancements
  • Allow resource class scopes to override the global configuration for sign_in_after_change_password behaviour. #5825
    • Note: some users ran into an issue with this change because RegistrationsController now relies on a setting from the :registerable module. These users were configuring their own routes pointing to the RegistrationsController for resource edit/update actions mostly, without relying on the other registration actions (e.g. user sign up.), so they omitted :registerable from the model declaration. While using just a portion of the controller functionality is a valid use for :registerable (or any module really), the module must still be declared in the model, much like the other modules must be declared if you plan on using just a portion of their behavior. Please check this issue for more info.
  • Add sign_in_after_reset_password? check hook to passwords controller, to allow it to be customized by users. #5826

5.0.1 - 2026-02-13

• bug fixes
  • Fix translation issue with German E-Mail on invalid authentication messages caused by previous fix for incorrect grammar #5822

5.0.0 - 2026-01-23

no changes

5.0.0.rc - 2025-12-31

• breaking changes

  • Drop support to Ruby < 2.7

  • Drop support to Rails < 7.0

  • Remove deprecated :bypass option from sign_in helper, use bypass_sign_in instead. #5803

  • Remove deprecated devise_error_messages! helper, use render "devise/shared/error_messages", resource: resource instead. #5803

  • Remove deprecated scope second argument from sign_in(resource, :admin) controller test helper, use sign_in(resource, scope: :admin) instead. #5803

  • Remove deprecated Devise::TestHelpers, use Devise::Test::ControllerHelpers instead. #5803

  • Remove deprecated Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION #5598

  • Remove deprecated Devise.activerecord51? method.

  • Remove SecretKeyFinder and use app.secret_key_base as the default secret key for Devise.secret_key if a custom Devise.secret_key is not provided.

    This is potentially a breaking change because Devise previously used the following order to find a secret key:

    app.credentials.secret_key_base > app.secrets.secret_key_base > application.config.secret_key_base > application.secret_key_base
    

    Now, it always uses application.secret_key_base. Make sure you're using the same secret key after the upgrade; otherwise, previously generated tokens for recoverable, lockable, and confirmable will be invalid. #5645

  • Change password instructions button label on devise view from Send me reset password instructions to Send me password reset instructions #5515

  • Change <br> tags separating form elements to wrapping them in <p> tags #5494

  • Replace [data-turbo-cache=false] with [data-turbo-temporary] on devise/shared/error_messages partial. This has been deprecated by Turbo since v7.3.0 (released on Mar 1, 2023).

    If you are using an older version of Turbo and the default devise template, you'll need to copy it over to your app and change that back to [data-turbo-cache=false].

• enhancements

  • Add Rails 8 support.

... (truncated)

Commits

• 2f80920 Release v5.0.3
• 5334707 Add CVE to changelog [ci skip]
• 0252777 Fix race condition vulnerability, by ensuring the unconfirmed_email is alwa...
• 879f79f Bundle update
• 0f4493b Configure default permissions as read-only for the workflow
• 8c78576 Ignore test/** folder for GH default code scanning
• c9e655e Bundle update, clear dependabot security issues
• 3fd0610 Add a note to the changelog about an edge case issue some users ran into
• 5b008ed Release v5.0.2
• 916f94e Add sign_in_after_reset_password? check hook to passwords controller (#5826)
• Additional commits viewable in compare view

Updates rails from 6.1.7.10 to 7.2.3

Release notes

Sourced from rails's releases.

7.2.3

Active Support

• Fix Enumerable#sole to return the full tuple instead of just the first element of the tuple.

  Olivier Bellone

• Fix parallel tests hanging when worker processes die abruptly.

  Previously, if a worker process was killed (e.g., OOM killed, kill -9) during parallel test execution, the test suite would hang forever waiting for the dead worker.

  Joshua Young

• ActiveSupport::FileUpdateChecker does not depend on Time.now to prevent unnecessary reloads with time travel test helpers

  Jan Grodowski

• Fix ActiveSupport::BroadcastLogger from executing a block argument for each logger (tagged, info, etc.).

  Jared Armstrong

• Fix ActiveSupport::HashWithIndifferentAccess#transform_keys! removing defaults.

  Hartley McGuire

• Fix ActiveSupport::HashWithIndifferentAccess#tranform_keys! to handle collisions.

  If the transformation would result in a key equal to another not yet transformed one, it would result in keys being lost.

  Before:

  >> {a: 1, b: 2}.with_indifferent_access.transform_keys!(&:succ)
  => {"c" => 1}

  After:

  >> {a: 1, b: 2}.with_indifferent_access.transform_keys!(&:succ)
  => {"c" => 1, "d" => 2}

  Jason T Johnson, Jean Boussier

• Fix ActiveSupport::Cache::MemCacheStore#read_multi to handle network errors.

  This method specifically wasn't handling network errors like other codepaths.

... (truncated)

Commits

• bb2bdef Preparing for 7.2.3 release
• fd7d30e Upgrade sigstore gem to 0.2.2
• 40e5415 Sync CHANGELOG
• 3245de1 Add sigstore-cli gem to the releaser toolset
• 35ad36a Merge pull request #55969 from rails/fix-explain-tests-mysql-9.5
• 3690a3a Merge pull request #55966 from alexanderadam/doc/remove_subclasses_documentat...
• 33f9043 Disable GCS tests in CI
• ebd0cfc Merge pull request #55947 from c0nspiracy/patch-1
• c4d7af0 Merge pull request #55948 from zzak/debug-rails-new-docker
• 1ed5ecc Use NPM trusted publishing for our NPM packages
• Additional commits viewable in compare view

Updates dotenv-rails from 3.1.8 to 3.2.0

Release notes

Sourced from dotenv-rails's releases.

v3.2.0

What's Changed

• Boost app startup time by removing to_sentence usage by @​ThomasCrambert in bkeepers/dotenv#534
• Handle parentheses in variables in commands by @​i7an in bkeepers/dotenv#540
• allow warning when a env var was not overwritten by @​grosser in bkeepers/dotenv#531
• fix a few small issues by @​grosser in bkeepers/dotenv#532

New Contributors

• @​ThomasCrambert made their first contribution in bkeepers/dotenv#534
• @​i7an made their first contribution in bkeepers/dotenv#540

Full Changelog: bkeepers/dotenv@v3.1.8...v3.2.0

Commits

• 34156bf Prepare for 3.2.0 release
• ab47820 Merge pull request #531 from grosser/grosser/warn
• fae6120 Merge branch 'main' into grosser/warn
• 4f510f4 Merge pull request #532 from grosser/grosser/fixes
• 959e1da Merge pull request #539 from bkeepers/dependabot/github_actions/actions/check...
• 041451e Update spec message
• b300f26 Bump actions/checkout from 4 to 6
• 5f4ca01 Merge branch 'main' into grosser/warn
• 209dca4 Merge pull request #540 from i7an/handle-parentheses
• 48c4956 Merge branch 'main' into handle-parentheses
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.