
Bump devise, rails, coffee-rails, sass-rails, mini_racer, paranoia, sidekiq and sinatra in /web #29

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/bundler/web/multi-5db591435c


dependabot[bot] commented on behalf of github on May 8, 2026

Bumps devise, rails, coffee-rails, sass-rails, mini_racer, paranoia, sidekiq and sinatra. These dependencies needed to be updated together.
Updates devise from 4.7.3 to 5.0.4

Release notes

Sourced from devise's releases.

v5.0.4

https://github.com/heartcombo/devise/blob/v5.0.4/CHANGELOG.md#504---2026-05-08

v5.0.3

https://github.com/heartcombo/devise/blob/v5.0.3/CHANGELOG.md#503---2026-03-16

v5.0.2

https://github.com/heartcombo/devise/blob/v5.0.2/CHANGELOG.md#502---2026-02-18

v5.0.1

https://github.com/heartcombo/devise/blob/v5.0.1/CHANGELOG.md#501---2026-02-13

v5.0.0

https://github.com/heartcombo/devise/blob/v5.0.0/CHANGELOG.md#500---2026-01-23

v5.0.0.rc

https://github.com/heartcombo/devise/blob/v5.0.0.rc/CHANGELOG.md#500rc---2025-12-31

v4.9.4

https://github.com/heartcombo/devise/blob/v4.9.4/CHANGELOG.md#494---2024-04-10

v4.9.3

https://github.com/heartcombo/devise/blob/v4.9.3/CHANGELOG.md#493---2023-10-11

v4.9.2

https://github.com/heartcombo/devise/blob/v4.9.2/CHANGELOG.md#unreleased

v4.9.1

https://github.com/heartcombo/devise/blob/v4.9.1/CHANGELOG.md#491---2023-03-31

v4.9.0

https://github.com/heartcombo/devise/blob/v4.9.0/CHANGELOG.md#490---2023-02-17

v4.8.1

No release notes provided.

v4.8.0

No release notes provided.

Changelog

Sourced from devise's changelog.

5.0.4 - 2026-05-08

5.0.3 - 2026-03-16

5.0.2 - 2026-02-18

  • enhancements
    • Allow resource class scopes to override the global configuration for sign_in_after_change_password behaviour. #5825
      • Note: some users ran into an issue with this change because RegistrationsController now relies on a setting from the :registerable module. These users were configuring their own routes pointing to the RegistrationsController for resource edit/update actions mostly, without relying on the other registration actions (e.g. user sign up.), so they omitted :registerable from the model declaration. While using just a portion of the controller functionality is a valid use for :registerable (or any module really), the module must still be declared in the model, much like the other modules must be declared if you plan on using just a portion of their behavior. Please check this issue for more info.
    • Add sign_in_after_reset_password? check hook to passwords controller, to allow it to be customized by users. #5826

5.0.1 - 2026-02-13

  • bug fixes
    • Fix translation issue with German E-Mail on invalid authentication messages caused by previous fix for incorrect grammar #5822

5.0.0 - 2026-01-23

no changes

5.0.0.rc - 2025-12-31

  • breaking changes
    • Drop support to Ruby < 2.7

    • Drop support to Rails < 7.0

    • Remove deprecated :bypass option from sign_in helper, use bypass_sign_in instead. #5803

    • Remove deprecated devise_error_messages! helper, use render "devise/shared/error_messages", resource: resource instead. #5803

    • Remove deprecated scope second argument from sign_in(resource, :admin) controller test helper, use sign_in(resource, scope: :admin) instead. #5803

    • Remove deprecated Devise::TestHelpers, use Devise::Test::ControllerHelpers instead. #5803

    • Remove deprecated Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION #5598

    • Remove deprecated Devise.activerecord51? method.

    • Remove SecretKeyFinder and use app.secret_key_base as the default secret key for Devise.secret_key if a custom Devise.secret_key is not provided.

      This is potentially a breaking change because Devise previously used the following order to find a secret key:

      app.credentials.secret_key_base > app.secrets.secret_key_base > application.config.secret_key_base > application.secret_key_base
      

      Now, it always uses application.secret_key_base. Make sure you're using the same secret key after the upgrade; otherwise, previously generated tokens for recoverable, lockable, and confirmable will be invalid. #5645

    • Change password instructions button label on devise view from Send me reset password instructions to Send me password reset instructions #5515

    • Change <br> tags separating form elements to wrapping them in <p> tags #5494

    • Replace [data-turbo-cache=false] with [data-turbo-temporary] on devise/shared/error_messages partial. This has been deprecated by Turbo since v7.3.0 (released on Mar 1, 2023).

... (truncated)

Commits
  • 9ea459d Release v5.0.4 with sec fix for timeoutable
  • 025fe21 Merge commit from fork
  • 7ca7ed9 Add GHSA link to the v5.0.3 sec fix changelog entry [ci skip]
  • 605de86 Update links to https [ci skip]
  • 5e3a8bf Bundle update
  • 5d20277 Cleanup old Rails.version check for db migration path
  • 4ffb0b7 Fix Gemfile for Rails 7.2, incorrectly testing against 7.1
  • 2f80920 Release v5.0.3
  • 5334707 Add CVE to changelog [ci skip]
  • 0252777 Fix race condition vulnerability, by ensuring the unconfirmed_email is alwa...
  • Additional commits viewable in compare view

Updates rails from 4.2.11.3 to 7.1.6

Release notes

Sourced from rails's releases.

7.1.6

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Gracefully handle Timeout.timeout firing during connection configuration.

    Use of Timeout.timeout could result in improperly initialized database connection.

    This could lead to a partially configured connection being used, resulting in various exceptions, the most common being with the PostgreSQLAdapter raising "undefined method `key?' for nil" or "TypeError: wrong argument type nil (expected PG::TypeMap)".

    Jean Boussier

  • Fix error handling during connection configuration.

    Active Record wasn't properly handling errors during the connection configuration phase. This could lead to a partially configured connection being used, resulting in various exceptions, the most common being with the PostgreSQLAdapter raising "undefined method `key?' for nil" or "TypeError: wrong argument type nil (expected PG::TypeMap)".

    Jean Boussier

  • Fix prepared statements on mysql2 adapter.

    Jean Boussier

  • Fix a race condition in ActiveRecord::Base#method_missing when lazily defining attributes.

    If multiple threads were concurrently triggering attribute definition on the same model, it could result in a NoMethodError being raised.

    Jean Boussier

Action View

  • No changes.

Action Pack

... (truncated)

Commits
  • ffcbf6f Preparing for 7.1.6 release
  • 10a0f90 Upgrade sigstore gem to 0.2.2
  • 4df996b Sync changelog
  • 310c904 Merge pull request #55570 from zzak/8-0-sidekiq-issues
  • c274de0 Merge pull request #55747 from skipkayhil/hm-kwzpqqkssmwtsunu
  • 1d82970 Add the Action Cable configuration
  • 8323dd6 Merge pull request #54164 from zzak/asto-test-mini_magick-deprecation-warning
  • 4eb8085 Merge pull request #55812 from yahonda/bump-microsoftedge-version-to-latest
  • d100e46 Don't load action cable in the activestorage dummy app
  • 91fc9b2 Don't load sprockets-rails and propshaft in the same application
  • Additional commits viewable in compare view

Updates coffee-rails from 4.1.1 to 5.0.0

Changelog

Sourced from coffee-rails's changelog.

5.0.0 (Apr 23, 2019)

  • Remove support to Rails < 5.2.
  • Support Rails 6.

4.2.2 (May 24, 2017)

  • Support digest resolution for coffee templates.

4.2.1 (June 30, 2016)

  • Fix error in the gem package.

4.2.0 (June 30, 2016)

  • Override js_template hook in the Rails generator to allow Rails to be CoffeeScript agnostic.
Commits
  • 32a2939 Prepare to 5.0.0
  • 6507f0a Set the javascripts generator option as true in the railtie
  • 5f0e005 Point to rails repository
  • 74214e8 Merge pull request #114 from larouxn/rails_6_support
  • eff9c00 Revert folder structure changes, remove --javascripts flag
  • e7ce694 Fix for exclusively Rails 6
  • 69e6782 TESTING, use my fork of Rails
  • fc8c48c Conditionally use Rails 6 folder stucture
  • 5df5816 Merge pull request #111 from larouxn/stop_testing_below_ruby_2.2
  • 9bead93 Merge pull request #112 from larouxn/update_travis_jruby_version
  • Additional commits viewable in compare view

Updates sass-rails from 5.0.7 to 5.1.0

Commits
  • 9c98c84 Prepare to 5.1.0
  • bcc0725 Merge branch 'rm-test-with-rails-6' into 5-0-stable
  • 72e9e21 Make the tests pass with all supported versions of rails
  • 1860306 Update the example applications
  • 9dfddee Remove support to old Rails versions
  • d2bfbe6 Remove support to old rubies
  • 4fd9731 Allow Rails 6 and test with all versions
  • See full diff in compare view

Updates mini_racer from 0.6.4 to 0.21.0

Changelog

Sourced from mini_racer's changelog.

  • 0.21.0 - 16-04-2026

    • Add MiniRacer::Binary for returning Uint8Array to JavaScript from attached Ruby callbacks
  • 0.20.0 - 24-02-2026

    • Add Snapshot.load to restore snapshots from binary data, enabling disk persistence
  • 0.19.2 - 24-12-2025

    • upgrade to node 24.12.0
  • 0.19.1 - 20-10-2025

    • JS code can now catch ruby exceptions - Ben Noordhuis
    • Retain string encoding when raising exceptions - Ben Noordhuis
    • Fix object identity bug with Ruby to JS conversion - Benjamin Wood
  • 0.19.0 - 24-06-2025

    • upgrade to node 24.1.0
  • 0.18.1 - 03-04-2025

    • Convert round doubles to fixnum for very big floats - this has better parity with JavaScript - Ben Noordhuis
  • 0.18.0 - 05-03-2025

    • Time for a major release
    • Handle ActiveSupport TimeWithZone objects during serialization - Sam Saffron
  • 0.18.0.pre1 - 06-02-2025

    • Updated to node 23.6.1.0
  • 0.17.0.pre13 - 04-02-2025

    • Only issue idle GC once post dispatch - reduces CPU usage for auto cleanup - Sam Saffron
  • 0.17.0.pre12 - 23-01-2025

    • Corrected off-by-one error with object serialization - Ben Noordhuis
  • 0.17.0.pre11 - 21-01-2025

    • Corrected encoding bug with deserialization of strings - Ben Noordhuis
  • 0.17.0.pre10 - 20-01-2025

    • Added back support for partially deserialized objects (objects that do not translate across boundaries are returned as Error properties) - Ben Noordhuis
  • 0.17.0.pre9 - 13-01-2025

    • For backwards compatibility convert v8 return values to UTF-8 (invalidly encoded string still get returned using V8 encoding)
  • 0.17.0.pre8 - 11-01-2025

    • Fix handling of UTF 32 LE and Ascii encoding strings - Ben Noordhuis
    • Handle rare edge case in V8 serialization - Ben Noordhuis
  • 0.17.0.pre7 - 10-01-2025

    • Objects containing non serializable properties will return an Error object vs raising an exception. Ben Noordhuis
    • Truffle support was added back Eregon

... (truncated)

Commits
  • 40d83a3 FEATURE: add Ruby-to-JS Uint8Array support (#406)
  • 89e6eec Test on the latest TruffleRuby release and simplify CI (#405)
  • afe08c2 Bump ruby/setup-ruby from 1.299.0 to 1.301.0 (#403)
  • b0217fb Bump ruby/setup-ruby from 1.295.0 to 1.299.0 (#402)
  • 9f5d0b2 Bump ruby/setup-ruby from 1.293.0 to 1.295.0 (#401)
  • ac22e90 Bump ruby/setup-ruby from 1.286.0 to 1.293.0 (#400)
  • 9df36f1 CI: adds macOS 26 to build matrix (#398)
  • 7cfa8fd Introduce Snapshot.load (#395)
  • 84d86bc Bump ruby/setup-ruby from 1.281.0 to 1.286.0 (#393)
  • c740aa7 Bump ruby/setup-ruby from 1.276.0 to 1.281.0 (#390)
  • Additional commits viewable in compare view

Updates paranoia from 2.4.3 to 2.6.4

Release notes

Sourced from paranoia's releases.

v2.6.4

What's Changed

New Contributors

Full Changelog: rubysherpas/paranoia@v2.6.3...v2.6.4

v2.6.3

v2.6.2 - Recursive restore with has_many/one through assocs (#441)

.

v2.6.1

No release notes provided.

v2.6.0

2.6.0

  • #512 Quote table names; Mysql 8 has keywords that might match table names which cause an exception.
  • #476 Fix syntax error in documentation.
  • #485 Rollback transaction if destroy aborted.
  • #522 Add failing tests for association with abort on destroy.
  • #513 Fix create callback called on destroy.

v2.5.3

2.5.3

v2.5.2

2.5.2

... (truncated)

Changelog

Sourced from paranoia's changelog.

2.6.4 - July 20, 2024

2.6.3 - Oct 12, 2023

2.6.2 - Jun 6, 2023

2.6.1 - Nov 16, 2022

  • #535 Allow to skip updating paranoia_destroy_attributes for records while really_destroy! Anton Bogdanov

2.6.0 - Mar 23, 2022

  • #512 Quote table names; Mysql 8 has keywords that might match table names which cause an exception.
  • #476 Fix syntax error in documentation.
  • #485 Rollback transaction if destroy aborted.
  • #522 Add failing tests for association with abort on destroy.
  • #513 Fix create callback called on destroy.

2.5.3

2.5.2

... (truncated)

Commits
  • c3b432e Release v2.6.4: bump version and update Changelog
  • 0f8a3bd 📝 Add Yard documentation for Paranoia::Query (#555)
  • f68cb23 fix: restore has_one with scope (#551)
  • de74493 Support prebuilt counter cache association list (#554)
  • a0b7632 Bump actions/checkout from v2 to v4 (#550)
  • 72a03f1 Rails 7.1 Release 🚀 (#548)
  • 1db8402 Minor optimization, removing unneeded variables (#546)
  • 4db17c2 Use paranoia_destroyed? instead of deleted? (#545)
  • 3bdb553 Update supported Rails version in paranoia.gemspec (#547)
  • c038be3 fix Minitest case
  • Additional commits viewable in compare view

Updates sidekiq from 5.2.8 to 7.3.9

Changelog

Sourced from sidekiq's changelog.

7.3.9

  • Only require activejob if necessary #6584 You might get uninitialized constant Sidekiq::ActiveJob if you require 'sidekiq' before require 'rails'.
  • Fix iterable job cancellation #6589
  • Web UI accessibility improvements #6604

7.3.8

  • Fix dead tag links #6554
  • Massive Web UI performance improvement, some pages up to 15x faster #6555

7.3.7

  • Backport Sidekiq::Web.configure for compatibility with 8.0 #6532
  • Backport url_params(key) and route_params(key) for compatibility with 8.0 #6532
  • Various fixes for UI filtering #6508
  • Tune inspect for internal S::Components to keep size manageable #6553

7.3.6

  • Forward compatibility fixes for Ruby 3.4
  • Filtering in the Web UI now works via GET so you can bookmark a filtered view. #6497

7.3.5

  • Reimplement retry_all and kill_all API methods to use ZPOPMIN, approximately 30-60% faster. #6481
  • Add preload testing binary at examples/testing/sidekiq_boot to verify your Rails app boots correctly with Sidekiq Enterprise's app preloading.
  • Fix circular require with ActiveJob adapter #6477
  • Fix potential race condition leading to incorrect serialized values for CurrentAttributes #6475
  • Restore missing elapsed time when default job logging is disabled

7.3.4

  • Fix FrozenError when starting Sidekiq #6470

7.3.3

  • Freeze global configuration once boot is complete, to avoid configuration race conditions [#6466, #6465]
  • Sidekiq now warns if a job iteration takes longer than the -t timeout setting (defaults to 25 seconds)
  • Iteration callbacks now have easy access to job arguments via the arguments method:

... (truncated)

Commits

Updates sinatra from 1.4.8 to 3.2.0

Changelog

Sourced from sinatra's changelog.

3.2.0 / 2023-12-29

  • New: Add #except method to Sinatra::IndifferentHash (#1940)

  • New: Use Exception#detailed_message to show backtrace (#1952)

  • New: Add Sinatra::HamlHelpers to sinatra-contrib (#1960)

  • Fix: Add base64 to rack-protection runtime dependencies (#1946)

  • Fix: Avoid open-ended dependencies for sinatra-contrib and rack-protection (#1949)

  • Fix: Helpful message when Sinatra::Runner times out (#1975)

  • Fix: Ruby 3.3 + Bundler 2.5 compatibility (#1975)


3.1.0 / 2023-08-07

  • New: Add sass support via sass-embedded #1911 by なつき

  • New: Add start and stop callbacks #1913 by Jevin Sew

  • New: Warn on dropping sessions #1900 by Jonathan del Strother

  • New: Make Puma the default server #1924 by Patrik Ragnarsson

  • Fix: Remove use of Tilt::Cache #1922 by Jeremy Evans (allows use of Tilt 2.2.0 without deprecation warning)

  • Fix: rack-protection: specify rack version requirement #1932 by Patrik Ragnarsson


3.0.6 / 2023-04-11

  • Fix: Add support to keep open streaming connections with Puma #1858 by Jordan Owens

  • Fix: Avoid crash in uri helper on Integer input #1890 by Patrik Ragnarsson

... (truncated)

Commits
  • 4e8fdb5 3.2.0 release (#1977)
  • 3b75657 Revert "Shorter Sinatra::Runner timeout" (#1976)
  • 1551ef7 Ruby 3.3 + Bundler 2.5 compatibility
  • ca6b71c Helpful message when Sinatra::Runner times out
  • 0e43702 Shorter Sinatra::Runner timeout
  • cadbedd CI: move rack-protection to its own job (#1974)
  • 5d844ee Add workflow for Trusted Publishing to RubyGems (#1970)
  • 11119a8 CI: use latest rack-test release, not trunk (#1969)
  • 2b89659 CI: avoid rdiscount >= 2.2.7.2 on truffleruby
  • dcdebe9 CI: remove sinatra from rack-protection bundle
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

…idekiq and sinatra

Bumps [devise](https://github.com/heartcombo/devise), [rails](https://github.com/rails/rails), [coffee-rails](https://github.com/rails/coffee-rails), [sass-rails](https://github.com/rails/sass-rails), [mini_racer](https://github.com/discourse/mini_racer), [paranoia](https://github.com/rubysherpas/paranoia), [sidekiq](https://github.com/sidekiq/sidekiq) and [sinatra](https://github.com/sinatra/sinatra). These dependencies needed to be updated together.

Updates `devise` from 4.7.3 to 5.0.4
- [Release notes](https://github.com/heartcombo/devise/releases)
- [Changelog](https://github.com/heartcombo/devise/blob/main/CHANGELOG.md)
- [Commits](heartcombo/devise@v4.7.3...v5.0.4)

Updates `rails` from 4.2.11.3 to 7.1.6
- [Release notes](https://github.com/rails/rails/releases)
- [Commits](rails/rails@v4.2.11.3...v7.1.6)

Updates `coffee-rails` from 4.1.1 to 5.0.0
- [Changelog](https://github.com/rails/coffee-rails/blob/master/CHANGELOG.md)
- [Commits](rails/coffee-rails@v4.1.1...v5.0.0)

Updates `sass-rails` from 5.0.7 to 5.1.0
- [Release notes](https://github.com/rails/sass-rails/releases)
- [Commits](rails/sass-rails@v5.0.7...v5.1.0)

Updates `mini_racer` from 0.6.4 to 0.21.0
- [Changelog](https://github.com/rubyjs/mini_racer/blob/main/CHANGELOG)
- [Commits](rubyjs/mini_racer@v0.6.4...v0.21.0)

Updates `paranoia` from 2.4.3 to 2.6.4
- [Release notes](https://github.com/rubysherpas/paranoia/releases)
- [Changelog](https://github.com/rubysherpas/paranoia/blob/core/CHANGELOG.md)
- [Commits](rubysherpas/paranoia@2.4.3...v2.6.4)

Updates `sidekiq` from 5.2.8 to 7.3.9
- [Changelog](https://github.com/sidekiq/sidekiq/blob/main/Changes.md)
- [Commits](sidekiq/sidekiq@v5.2.8...v7.3.9)

Updates `sinatra` from 1.4.8 to 3.2.0
- [Changelog](https://github.com/sinatra/sinatra/blob/main/CHANGELOG.md)
- [Commits](sinatra/sinatra@v1.4.8...v3.2.0)

---
updated-dependencies:
- dependency-name: devise
  dependency-version: 5.0.4
  dependency-type: direct:production
- dependency-name: rails
  dependency-version: 7.1.6
  dependency-type: direct:production
- dependency-name: coffee-rails
  dependency-version: 5.0.0
  dependency-type: direct:production
- dependency-name: sass-rails
  dependency-version: 5.1.0
  dependency-type: direct:production
- dependency-name: mini_racer
  dependency-version: 0.21.0
  dependency-type: direct:production
- dependency-name: paranoia
  dependency-version: 2.6.4
  dependency-type: direct:production
- dependency-name: sidekiq
  dependency-version: 7.3.9
  dependency-type: direct:production
- dependency-name: sinatra
  dependency-version: 3.2.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and ruby (Pull requests that update ruby code) labels on May 8, 2026