bridge_troll icon indicating copy to clipboard operation
bridge_troll copied to clipboard

Published 20 hours ago verified publisher icon railsbridge

Bump devise from 4.7.3 to 4.9.0

Open dependabot[bot] opened this issue 2 years ago • 1 comments

Bumps devise from 4.7.3 to 4.9.0.

Release notes

Sourced from devise's releases.

v4.9.0

https://github.com/heartcombo/devise/blob/v4.9.0/CHANGELOG.md#490---2023-02-17

v4.8.1

No release notes provided.

v4.8.0

No release notes provided.

Changelog

Sourced from devise's changelog.

4.9.0 - 2023-02-17

  • enhancements
    • Add support for Ruby 3.1/3.2.
    • Add support for Hotwire + Turbo, default in Rails 7+.

      • Devise uses the latest responders version (v3.1.0 or higher), which allows configuring the status used for validation error responses (error_status) and for redirects after POST/PUT/PATCH/DELETE requests (redirect_status). For backwards compatibility, Devise keeps error_status as :ok which returns a 200 OK response, and redirect_status to :found which returns a 302 Found response, but you can configure it to return 422 Unprocessable Entity and 303 See Other respectively, to match the behavior expected by Hotwire/Turbo:

        # config/initializers/devise.rb
Devise.setup do |config|
  # ...
  config.responder.error_status = :unprocessable_entity
  config.responder.redirect_status = :see_other
  # ...
end

        These configs are already generated by default with new apps, and existing apps may opt-in as described above. Trying to set these with an older version of responders will issue a warning and have no effect, so please upgrade the responders version if you're upgrading Devise for this integration. Note that these defaults may change in future versions of Devise, to better match the Rails + Hotwire/Turbo defaults across the board.

      • If you have a custom responder set on your application and expect it to affect Devise as well, you may need to override the Devise responder entirely with config.responder = MyApplicationResponder, so that it uses your custom one. The main reason Devise uses a custom responder is to be able to configure the statuses as described above, but you can also change that config on your own responder if you want. Check the responders readme for more info on that.

      • If you have created a custom responder and/or failure app just to customize responses for better Hotwire/Turbo integration, they should no longer be necessary.

      • :turbo_stream is now treated as a navigational format, so it works like HTML navigation when using Turbo. Note: if you relied on :turbo_stream to be treated as a non-navigational format before, you can reconfigure your navigational_formats in the Devise initializer file to exclude it.

      • OmniAuth "Sign in with" links were changed to buttons that generate HTML forms with method=POST, instead of using link + method=POST that required rails-ujs to work. Since rails-ujs is no longer the default for new Rails apps, this allows the OmniAuth buttons to work in any scenario, with or without rails-ujs and/or Turbo. This only affects apps that are using the default devise/shared/_links.html.erb partial from Devise with OmniAuth enabled.

      • The "Cancel my account" button was changed to include the data-turbo-confirm option, so that it works with both rails-ujs and Turbo by default.

      • Devise does not provide "sign out" links/buttons in its shared views, but if you're using sign_out_via with :delete (the default), and are using links with method: :delete, those need to be updated with data: { turbo_method: :delete } instead for Turbo.

      • Check this upgrade guide for more detailed information.

4.8.1 - 2021-12-16

  • enhancements
    • Add support for Rails 7.0. Please note that Turbo integration is not fully supported by Devise yet.

4.8.0 - 2021-04-29

  • enhancements

    • Devise now enables the upgrade of OmniAuth 2+. Previously Devise would raise an error if you'd try to upgrade. Please note that OmniAuth 2 is considered a security upgrade and recommended to everyone. You can read more about the details (and possible necessary changes to your app as part of the upgrade) in their release notes. Devise's OmniAuth Overview wiki was also updated to cover OmniAuth 2.0 requirements.
      • Note that the upgrade required Devise shared links that initiate the OmniAuth flow to be changed to method: :post, which is now a requirement for OmniAuth, part of the security improvement. If you have copied and customized the Devise shared links partial to your app, or if you have other links in your app that initiate the OmniAuth flow, they will have to be updated to use method: :post, or changed to use buttons (e.g. button_to) to work with OmniAuth 2. (if you're using links with method: :post, make sure your app has rails-ujs or jquery-ujs included in order for these links to work properly.)
      • As part of the OmniAuth 2.0 upgrade you might also need to add the omniauth-rails_csrf_protection gem to your app if you don't have it already. (and you don't want to roll your own code to verify requests.) Check the OmniAuth v2 release notes for more info.
    • Introduce Lockable#reset_failed_attempts! model method to reset failed attempts counter to 0 after the user signs in.
      • This logic existed inside the lockable warden hook and is triggered automatically after the user signs in. The new model method is an extraction to allow you to override it in the application to implement things like switching to a write database if you're using the new multi-DB infrastructure from Rails for example, similar to how it's already possible with Trackable#update_tracked_fields!.
    • Add support for Ruby 3.
    • Add support for Rails 6.1.
    • Move CI to GitHub Actions.

  • deprecations

    • Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION is deprecated in favor of Devise::Models::Authenticatable::UNSAFE_ATTRIBUTES_FOR_SERIALIZATION (@​hanachin)
Commits
  • 7f419bf Release Devise v4.9.0
  • 44f0fd7 Update copyright year [ci skip]
  • 2d655ea Merge pull request #5554 from JunichiIto/fix-unhappy-markup
  • 49ed129 Replce p tag with div since p tags cannot contain other block elements
  • 8e2e3f6 Merge pull request #5548 from heartcombo/ca-turbo
  • 31c4f31 Tweak comment about overriding Devise.responder
  • 8606e1e Expand changelog/readme with info about Turbo vs rails-ujs behavior
  • 2df5efc Add post install message pointing to the changelog and new upgrade guide
  • 43c349a Point version to v4.9.0.alpha for now
  • 0d392fa Use the released version of responders v3.1.0
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependabot[bot] avatar Feb 20 '23 12:02 dependabot[bot]

Codecov Report

Base: 91.18% // Head: 91.18% // No change to project coverage :thumbsup:

Coverage data is based on head (e0e4be9) compared to base (b0358a2). Patch has no changes to coverable lines.

:mega: This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #1291   +/-   ##
=======================================
  Coverage   91.18%   91.18%           
=======================================
  Files         111      111           
  Lines        2700     2700           
=======================================
  Hits         2462     2462           
  Misses        238      238

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

:umbrella: View full report at Codecov.
:loudspeaker: Do you have feedback about the report comment? Let us know in this issue.

codecov-commenter avatar Feb 20 '23 12:02 codecov-commenter

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

dependabot[bot] avatar May 20 '25 14:05 dependabot[bot]