Bump the bundler group across 1 directory with 7 updates #2076

Merged: ArtOfCode- merged 2 commits into art/rails-8 from dependabot/bundler/bundler-dc99e79422 on Jul 2, 2026

Conversation

@dependabot (bot, Contributor) commented on behalf of github on Jun 30, 2026:

Bumps the bundler group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| puma | 5.6.9 | 7.2.1 |
| devise | 4.9.4 | 5.0.4 |
| css_parser | 2.0.0 | 2.1.0 |
| faraday | 2.14.2 | 2.14.3 |
| net-imap | 0.6.3 | 0.6.4.1 |

Updates puma from 5.6.9 to 7.2.1

Release notes

Sourced from puma's releases.

v7.2.1

  • Bugfixes
    • Limit and anchor PROXY protocol v1 parsing to prevent abuse via crafted inputs (#3947)
    • Parse PROXY protocol only once per connection to prevent injection on keep-alive requests (#3947)

Security advisories

v7.2.0 - On The Corner

  • Features

    • Add workers :auto (#3827)
    • Make it possible to restrict control server commands to stats (#3787)
  • Bugfixes

    • Don't break if WEB_CONCURRENCY is set to a blank string (#3837)
    • Don't share server between worker 0 and descendants on refork (#3602)
    • Fix phase check race condition in Puma::Cluster#check_workers (#3690)
    • Fix advertising of CLI config before config files are loaded (#3823)
  • Performance

    • 17% faster HTTP parsing through pre-interning env keys (#3825)
    • Implement dsize and dcompact functions for Puma::HttpParser, which makes Puma's C-extension GC-compactible (#3828)
  • Refactor

    • Remove NoMethodError rescue in Reactor#select_loop (#3831)
    • Various cleanups in the C extension (#3814)
    • Monomorphize handle_request return (#3802)
  • Docs

    • Change link to docs/deployment.md in README.md (#3848)
    • Fix formatting for each signal description in signals.md (#3813)
    • Update deployment and Kubernetes docs with Puma configuration tips (#3807)
    • Rename master to main (#3809, #3808, #3800)
    • Fix some minor typos in the docs (#3804)
    • Add GOVERNANCE.md, MAINTAINERS (#3826)
    • Remove Code Climate badge (#3820)
    • Add @​joshuay03 to the maintainer list
  • CI

v7.1.0

7.1.0 / 2025-10-16 - Neon Witch


  • Features

... (truncated)

Changelog

Sourced from puma's changelog.

7.2.1 / 2026-05-27

  • Bugfixes
    • Limit and anchor PROXY protocol v1 parsing to prevent abuse via crafted inputs (#3947)
    • Parse PROXY protocol only once per connection to prevent injection on keep-alive requests (#3947)
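As an added example, not puma's code: a PROXY protocol v1 reader that applies the three constraints these two bugfix entries (release notes and changelog, same fix #3947) describe, anchored at byte 0 of the connection, CRLF search capped at the protocol's maximum line length, and parsed once per connection so a later keep-alive request cannot smuggle in a second header. The names (`ProxyProtocolV1`, `Connection`), the minimal blank-line request framing and the sample requests are constructed for this illustration.

```ruby
# frozen_string_literal: true
require "ipaddr"

# PROXY protocol v1 handling hardened along the lines the puma 7.2.1 changelog
# describes (illustrative code, not puma's): the header is accepted only when
# anchored at byte 0 of the connection, the search for its terminating CRLF is
# capped at the protocol's maximum line length, and it is parsed exactly once
# per connection so a later keep-alive request cannot inject a second one.
module ProxyProtocolV1
  SIGNATURE = "PROXY ".b
  MAX_LINE  = 107 # longest legal v1 line incl. CRLF: "PROXY TCP6 <39> <39> 65535 65535"
  LINE_RE   = /\APROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d{1,5}) (\d{1,5}))?\r\n\z/

  Header = Struct.new(:proto, :src_addr, :dst_addr, :src_port, :dst_port)

  # Splits an optional v1 header off the front of +data+ (the first bytes read
  # from a socket). Returns [Header, rest], [nil, data] when the connection did
  # not start with the signature, or [:incomplete, data] when more bytes are
  # needed. Raises ArgumentError on a malformed or over-long line.
  def self.split_header(data)
    data = data.b
    if data.bytesize < SIGNATURE.bytesize
      return SIGNATURE.start_with?(data) ? [:incomplete, data] : [nil, data]
    end
    return [nil, data] unless data.start_with?(SIGNATURE) # anchored: byte 0 only

    # Limit: only ever look for the CRLF inside the first MAX_LINE bytes.
    window = data.byteslice(0, MAX_LINE)
    eol = window.index("\r\n")
    if eol.nil?
      return [:incomplete, data] if data.bytesize < MAX_LINE
      raise ArgumentError, "PROXY v1 line longer than #{MAX_LINE} bytes"
    end

    line = data.byteslice(0, eol + 2)
    m = LINE_RE.match(line) or raise ArgumentError, "malformed PROXY v1 line"
    header = Header.new(m[1], m[2], m[3], m[4]&.to_i, m[5]&.to_i)
    validate!(header)
    [header, data.byteslice(eol + 2, data.bytesize)]
  end

  def self.validate!(h)
    return if h.proto == "UNKNOWN" # addresses may be omitted for UNKNOWN
    raise ArgumentError, "missing address fields" if h.src_addr.nil?
    [h.src_addr, h.dst_addr].each do |a|
      begin
        ip = IPAddr.new(a)
      rescue IPAddr::InvalidAddressError
        raise ArgumentError, "bad address #{a.inspect}"
      end
      ok = h.proto == "TCP4" ? ip.ipv4? : ip.ipv6?
      raise ArgumentError, "address family mismatch for #{a}" unless ok
    end
    [h.src_port, h.dst_port].each do |p|
      raise ArgumentError, "port out of range: #{p}" unless p.between?(0, 65_535)
    end
  end
end

# One client connection. The PROXY header is looked for once, on the first
# bytes; every later request on the keep-alive connection is plain HTTP and a
# "PROXY ..." line there is just the (invalid) request line of that request.
class Connection
  attr_reader :proxy_header, :request_lines

  def initialize
    @buf = String.new(encoding: Encoding::BINARY)
    @proxy_done = false
    @proxy_header = nil
    @request_lines = []
  end

  # Feed bytes as they arrive from the socket; returns the request lines seen.
  def feed(bytes)
    @buf << bytes.b
    unless @proxy_done
      header, rest = ProxyProtocolV1.split_header(@buf)
      return @request_lines if header == :incomplete
      @proxy_header = header
      @buf = rest
      @proxy_done = true # never re-parsed for this connection
    end
    # Minimal framing for the illustration: one request per blank line.
    while (i = @buf.index("\r\n\r\n"))
      @request_lines << @buf.byteslice(0, i).lines.first.to_s.chomp
      @buf = @buf.byteslice(i + 4, @buf.bytesize)
    end
    @request_lines
  end
end
```

Without the once-per-connection flag, the second request on a keep-alive connection could carry its own "PROXY" line and overwrite the client address the application trusts for logging and access control; with it, that line reaches the HTTP parser as an ordinary bad request.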

7.2.0 / 2026-01-20

  • Features

    • Add workers :auto (#3827)
    • Make it possible to restrict control server commands to stats (#3787)
  • Bugfixes

    • Don't break if WEB_CONCURRENCY is set to a blank string (#3837)
    • Don't share server between worker 0 and descendants on refork (#3602)
    • Fix phase check race condition in Puma::Cluster#check_workers (#3690)
    • Fix advertising of CLI config before config files are loaded (#3823)
  • Performance

    • 17% faster HTTP parsing through pre-interning env keys (#3825)
    • Implement dsize and dcompact functions for Puma::HttpParser, which makes Puma's C-extension GC-compactible (#3828)
  • Refactor

    • Remove NoMethodError rescue in Reactor#select_loop (#3831)
    • Various cleanups in the C extension (#3814)
    • Monomorphize handle_request return (#3802)
  • Docs

    • Change link to docs/deployment.md in README.md (#3848)
    • Fix formatting for each signal description in signals.md (#3813)
    • Update deployment and Kubernetes docs with Puma configuration tips (#3807)
    • Rename master to main (#3809, #3808, #3800)
    • Fix some minor typos in the docs (#3804)
    • Add GOVERNANCE.md, MAINTAINERS (#3826)
    • Remove Code Climate badge (#3820)
    • Add @​joshuay03 to the maintainer list
  • CI

7.1.0 / 2025-10-16

  • Features

    • Introduce after_worker_shutdown hook (#3707)
    • Reintroduce keepalive "fast inline" behavior. Provides faster (8x on JRuby & 1.4x on Ruby) pipeline processing (#3794)
  • Bugfixes

    • Skip reading zero bytes when request body is buffered (#3795)
    • Fix PUMA_LOG_CONFIG=1 logging twice with prune_bundler enabled (#3778)

... (truncated)

Commits

Updates devise from 4.9.4 to 5.0.4

Release notes

Sourced from devise's releases.

v5.0.4

https://github.com/heartcombo/devise/blob/v5.0.4/CHANGELOG.md#504---2026-05-08

v5.0.3

https://github.com/heartcombo/devise/blob/v5.0.3/CHANGELOG.md#503---2026-03-16

v5.0.2

https://github.com/heartcombo/devise/blob/v5.0.2/CHANGELOG.md#502---2026-02-18

v5.0.1

https://github.com/heartcombo/devise/blob/v5.0.1/CHANGELOG.md#501---2026-02-13

v5.0.0

https://github.com/heartcombo/devise/blob/v5.0.0/CHANGELOG.md#500---2026-01-23

v5.0.0.rc

https://github.com/heartcombo/devise/blob/v5.0.0.rc/CHANGELOG.md#500rc---2025-12-31

Changelog

Sourced from devise's changelog.

5.0.4 - 2026-05-08

5.0.3 - 2026-03-16

5.0.2 - 2026-02-18

  • enhancements
    • Allow resource class scopes to override the global configuration for sign_in_after_change_password behaviour. #5825
      • Note: some users ran into an issue with this change because RegistrationsController now relies on a setting from the :registerable module. These users were configuring their own routes pointing to the RegistrationsController for resource edit/update actions mostly, without relying on the other registration actions (e.g. user sign up.), so they omitted :registerable from the model declaration. While using just a portion of the controller functionality is a valid use for :registerable (or any module really), the module must still be declared in the model, much like the other modules must be declared if you plan on using just a portion of their behavior. Please check this issue for more info.
    • Add sign_in_after_reset_password? check hook to passwords controller, to allow it to be customized by users. #5826

5.0.1 - 2026-02-13

  • bug fixes
    • Fix translation issue with German E-Mail on invalid authentication messages caused by previous fix for incorrect grammar #5822

5.0.0 - 2026-01-23

no changes

5.0.0.rc - 2025-12-31

  • breaking changes
    • Drop support to Ruby < 2.7

    • Drop support to Rails < 7.0

    • Remove deprecated :bypass option from sign_in helper, use bypass_sign_in instead. #5803

    • Remove deprecated devise_error_messages! helper, use render "devise/shared/error_messages", resource: resource instead. #5803

    • Remove deprecated scope second argument from sign_in(resource, :admin) controller test helper, use sign_in(resource, scope: :admin) instead. #5803

    • Remove deprecated Devise::TestHelpers, use Devise::Test::ControllerHelpers instead. #5803

    • Remove deprecated Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION #5598

    • Remove deprecated Devise.activerecord51? method.

    • Remove SecretKeyFinder and use app.secret_key_base as the default secret key for Devise.secret_key if a custom Devise.secret_key is not provided.

      This is potentially a breaking change because Devise previously used the following order to find a secret key:

      app.credentials.secret_key_base > app.secrets.secret_key_base > application.config.secret_key_base > application.secret_key_base
      

      Now, it always uses application.secret_key_base. Make sure you're using the same secret key after the upgrade; otherwise, previously generated tokens for recoverable, lockable, and confirmable will be invalid. #5645

    • Change password instructions button label on devise view from Send me reset password instructions to Send me password reset instructions #5515

    • Change <br> tags separating form elements to wrapping them in <p> tags #5494

    • Replace [data-turbo-cache=false] with [data-turbo-temporary] on devise/shared/error_messages partial. This has been deprecated by Turbo since v7.3.0 (released on Mar 1, 2023).

... (truncated)
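An added example (not Devise's code) of why the secret-key change above invalidates outstanding tokens, and of the check to run before deploying this bump. Devise stores only a digest of each recoverable, confirmable and lockable token, keyed by a value derived from Devise.secret_key, so a different key after the upgrade means no stored digest verifies. The derivation used here (PBKDF2-HMAC-SHA1 with the column name as salt, then HMAC-SHA256 of the raw token) follows ActiveSupport::KeyGenerator's defaults and Devise's token generator as this example's author understands them; the exact parameters, the `AppKeys` stand-in for the Rails application and the sample token are assumptions.

```ruby
# frozen_string_literal: true
require "openssl"

# Token digesting modelled on Devise's scheme (illustrative, not Devise's code):
# a per-column key is derived from the secret, and the database holds only
# HMAC-SHA256(key, raw_token). Change the secret and every stored digest is dead.
class TokenDigester
  ITERATIONS = 2**16 # ActiveSupport::KeyGenerator's default iteration count (assumed)
  KEY_SIZE   = 64

  def initialize(secret)
    @secret = secret
  end

  # Per-column key: the column name (e.g. reset_password_token) is the salt.
  def key_for(column)
    OpenSSL::PKCS5.pbkdf2_hmac_sha1(@secret, column.to_s, ITERATIONS, KEY_SIZE)
  end

  # What gets stored in the users table for the raw token e-mailed to a user.
  def digest(column, raw_token)
    OpenSSL::HMAC.hexdigest("SHA256", key_for(column), raw_token.to_s)
  end

  # Constant-time comparison of a presented token's digest with the stored one.
  def verify(column, raw_token, stored_digest)
    a = digest(column, raw_token)
    return false unless a.bytesize == stored_digest.bytesize
    a.bytes.zip(stored_digest.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Stand-in for the secret sources on the Rails application object, named after
# the lookup order the changelog lists (an assumption of this example).
AppKeys = Struct.new(:credentials_secret_key_base, :secrets_secret_key_base,
                     :config_secret_key_base, :secret_key_base, keyword_init: true)

# Devise 4.x resolution order, as the changelog describes it.
def legacy_devise_secret_key(app)
  app.credentials_secret_key_base || app.secrets_secret_key_base ||
    app.config_secret_key_base || app.secret_key_base
end

# Devise 5: application.secret_key_base, unless Devise.secret_key is set explicitly.
def devise5_secret_key(app, explicit = nil)
  explicit || app.secret_key_base
end

# Pre-upgrade check: does a token digested under the key Devise 4 resolved
# still verify under the key Devise 5 will resolve? Run it with the real
# values from credentials/config before deploying the gem bump.
def outstanding_tokens_survive?(app, devise_secret_key: nil)
  raw    = "sample-reset-token-issued-before-upgrade" # constructed, not a real token
  stored = TokenDigester.new(legacy_devise_secret_key(app)).digest(:reset_password_token, raw)
  TokenDigester.new(devise5_secret_key(app, devise_secret_key))
               .verify(:reset_password_token, raw, stored)
end
```

If the check fails, pin the old value through `config.secret_key` in config/initializers/devise.rb (the "custom Devise.secret_key" the changelog mentions) rather than rotating, or accept that every unexpired reset, confirmation and unlock link becomes invalid at deploy time.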

Commits
  • 9ea459d Release v5.0.4 with sec fix for timeoutable
  • 025fe21 Merge commit from fork
  • 7ca7ed9 Add GHSA link to the v5.0.3 sec fix changelog entry [ci skip]
  • 605de86 Update links to https [ci skip]
  • 5e3a8bf Bundle update
  • 5d20277 Cleanup old Rails.version check for db migration path
  • 4ffb0b7 Fix Gemfile for Rails 7.2, incorrectly testing against 7.1
  • 2f80920 Release v5.0.3
  • 5334707 Add CVE to changelog [ci skip]
  • 0252777 Fix race condition vulnerability, by ensuring the unconfirmed_email is alwa...
  • Additional commits viewable in compare view

Updates concurrent-ruby from 1.3.6 to 1.3.7

Release notes

Sourced from concurrent-ruby's releases.

v1.3.7

There are 3 security fixes in this release, so updating is recommended. These security vulnerabilities are not very likely to be hit in practice and have a corresponding Low severity score.

What's Changed

New Contributors

Full Changelog: ruby-concurrency/concurrent-ruby@v1.3.6...v1.3.7

Changelog

Sourced from concurrent-ruby's changelog.

Release v1.3.7 (16 June 2026)

concurrent-ruby:

Commits
  • 4c8fc28 Release 1.3.7
  • d91ca94 Fix AtomicReference#update livelock when stored value is Float::NAN on JRuby ...
  • 7e4d711 Fix ReentrantReadWriteLock read hold overflow into write-lock bit
  • 6e37e06 Fix AtomicReference#update livelock when stored value is Float::NAN
  • 2825cfa Cleanup spec
  • 3fd4932 Fix ReadWriteLock wrong-thread write release and stray read release
  • 1974b47 Add Ruby 4.0 in CI
  • df8706d Add SECURITY.md (#1104)
  • 7a1b789 Bump actions/upload-pages-artifact from 4 to 5
  • 9b2dbf7 Bump actions/deploy-pages from 4 to 5
  • Additional commits viewable in compare view

Updates css_parser from 2.0.0 to 2.1.0

Changelog

Sourced from css_parser's changelog.

Version 2.1.0

  • Validate ssl when pulling files via https
Commits

Updates erb from 6.0.3 to 6.0.4

Release notes

Sourced from erb's releases.

v6.0.4

Full Changelog: ruby/erb@v6.0.3...v6.0.4

Changelog

Sourced from erb's changelog.

6.0.4

  • Prohibit def_method on marshal-loaded ERB instances
Commits

Updates faraday from 2.14.2 to 2.14.3

Release notes

Sourced from faraday's releases.

v2.14.3

Security Note

This release contains a security fix, we recommend all users to upgrade as soon as possible. A Security Advisory with more details will be posted shortly.

What's Changed

New Contributors

Full Changelog: lostisland/faraday@v2.14.2...v2.14.3

Commits

Updates net-imap from 0.6.3 to 0.6.4.1

Release notes

Sourced from net-imap's releases.

v0.6.4.1

What's Changed

🔒 Security

This release fixes several more security vulnerabilities which are related to the fixes in v0.6.4. Please see the linked security advisories for more information.

  • (moderate) Command Injection via non-synchronizing literal in "raw" argument (CVE-2026-47240, GHSA-8p34-64r3-mwg8) This vulnerability depends how the server interprets non-synchronizing literals. The connection is not vulnerable if the server supports non-synchronizing literals.
  • (moderate) Command Injection via unvalidated ID and ENABLE arguments (CVE-2026-47242, GHSA-46q3-7gv7-qmgg)
  • (low) Denial of Service via incomplete "raw" argument validation (CVE-2026-47241, GHSA-c4fp-cxrr-mj66) This results in the affected command hanging until the connection is closed. If another thread attempts to send a concurrent pipelined command, the first thread will return with a syntax error and the second thread will hang until the connection closes.
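An added example, not net-imap's code, of the client-side checks that the three advisories above and the commits below (validating ENABLE arguments as atoms, validating quoted data, rejecting incomplete literals in raw data) call for: a bare CR/LF in raw data would end the command and turn the rest into a new one; a non-synchronizing literal sent to a server that never advertised LITERAL+ is rejected by that server and its payload bytes then read as a command; a synchronizing literal needs a continuation round-trip that writing verbatim cannot perform; a literal whose payload is short leaves the server waiting and the command hanging; and ENABLE takes atoms only. The module name, the `literal_plus` flag standing in for "server advertised LITERAL+" and the sample arguments are constructed for this illustration.

```ruby
# frozen_string_literal: true

# Client-side validation of IMAP command data before it is written to the
# socket (illustrative code, not net-imap's). Covers literals embedded in
# "raw" data, ENABLE arguments that are not atoms, and values that cannot be
# sent as a quoted string.
module ImapArgs
  Error = Class.new(ArgumentError)

  LITERAL_HDR = /\A\{(\d+)(\+)?\}\r\n/
  # RFC 3501 atom: one or more ATOM-CHARs, i.e. no CTL, SP, ( ) { % * " \ ]
  ATOM_RE     = /\A[^\x00-\x1f\x7f(){ %*"\\\]]+\z/
  # Quoted strings carry 7-bit text only; CR and LF are excluded separately below.
  QUOTABLE_RE = /\A[\x01-\x7f]*\z/

  # Walks +raw+ and returns the byte sizes of the literals it carries, or raises
  # Error. Outside a literal payload no CR or LF may appear; every literal must
  # be non-synchronizing ({n+}) and the server must have advertised LITERAL+;
  # and every literal's payload must be present in full.
  def self.check_raw!(raw, literal_plus: false)
    data = raw.b
    pos = 0
    literals = []
    while pos < data.bytesize
      if (m = LITERAL_HDR.match(data.byteslice(pos, data.bytesize)))
        size = m[1].to_i
        raise Error, "synchronizing literal at byte #{pos} cannot be sent verbatim" unless m[2]
        raise Error, "non-synchronizing literal at byte #{pos} but server lacks LITERAL+" unless literal_plus
        payload_start = pos + m[0].bytesize
        present = data.bytesize - payload_start
        raise Error, "literal at byte #{pos} declares #{size} bytes, only #{present} present" if present < size
        literals << size
        pos = payload_start + size # payload bytes are opaque: skip them entirely
      else
        b = data.getbyte(pos)
        raise Error, "bare CR/LF at byte #{pos} would end the command early" if b == 0x0d || b == 0x0a
        pos += 1
      end
    end
    literals
  end

  # ENABLE takes capability names, which are atoms; anything else is rejected.
  def self.enable_args!(*names)
    names.map do |n|
      s = n.to_s
      raise Error, "ENABLE argument #{s.inspect} is not an atom" unless ATOM_RE.match?(s)
      s
    end
  end

  # Quote a string argument (as used for ID's field/value pairs). Returns nil
  # when the value cannot be a quoted string and must be sent as a literal.
  def self.quote(str)
    s = str.to_s
    return nil unless QUOTABLE_RE.match?(s) && !s.include?("\r") && !s.include?("\n")
    '"' + s.gsub(/["\\]/) { |c| "\\#{c}" } + '"'
  end
end
```

The payload bytes of a valid literal are skipped without inspection, which is the point of a literal; the checks only concern what the server will parse as command syntax.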

Added

Fixed

Documentation

Other Changes

Miscellaneous

Full Changelog: ruby/net-imap@v0.6.4...v0.6.4.1

v0.6.4

What's Changed

... (truncated)

Commits
  • 357f3b5 🔖 Bump version to 0.6.4.1
  • e066b83 🔀 Merge pull request #701 from ruby/security/validate-non_sync_literal-support
  • 0ea9eba ✅ Fix flaky tests for MacOS, TruffleRuby
  • 5cad699 🔀 Merge pull request #700 from ruby/security/fix-raw_data-trailing-literal-ma...
  • 5a0af4a 🔀 Merge pull request #699 from ruby/security/validate-enable-arguments
  • b9d1972 🔀 Merge pull request #698 from ruby/security/validate-quoted-data
  • 07e002b ♻️ Use QuotedString internally to send quoted string
  • ae9f83b ♻️ Extract str.bytesize lvar in send_literal
  • d6ddd29 🐛 Prevent trailing {0} in RawData validation
  • 1f97168 🥅 Validate #enable arguments are all atoms
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the bundler group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [puma](https://github.com/puma/puma) | `5.6.9` | `7.2.1` |
| [devise](https://github.com/heartcombo/devise) | `4.9.4` | `5.0.4` |
| [css_parser](https://github.com/premailer/css_parser) | `2.0.0` | `2.1.0` |
| [faraday](https://github.com/lostisland/faraday) | `2.14.2` | `2.14.3` |
| [net-imap](https://github.com/ruby/net-imap) | `0.6.3` | `0.6.4.1` |



Updates `puma` from 5.6.9 to 7.2.1
- [Release notes](https://github.com/puma/puma/releases)
- [Changelog](https://github.com/puma/puma/blob/main/History.md)
- [Commits](puma/puma@v5.6.9...v7.2.1)

Updates `devise` from 4.9.4 to 5.0.4
- [Release notes](https://github.com/heartcombo/devise/releases)
- [Changelog](https://github.com/heartcombo/devise/blob/main/CHANGELOG.md)
- [Commits](heartcombo/devise@v4.9.4...v5.0.4)

Updates `concurrent-ruby` from 1.3.6 to 1.3.7
- [Release notes](https://github.com/ruby-concurrency/concurrent-ruby/releases)
- [Changelog](https://github.com/ruby-concurrency/concurrent-ruby/blob/master/CHANGELOG.md)
- [Commits](ruby-concurrency/concurrent-ruby@v1.3.6...v1.3.7)

Updates `css_parser` from 2.0.0 to 2.1.0
- [Changelog](https://github.com/premailer/css_parser/blob/master/CHANGELOG.md)
- [Commits](premailer/css_parser@v2.0.0...v2.1.0)

Updates `erb` from 6.0.3 to 6.0.4
- [Release notes](https://github.com/ruby/erb/releases)
- [Changelog](https://github.com/ruby/erb/blob/master/NEWS.md)
- [Commits](ruby/erb@v6.0.3...v6.0.4)

Updates `faraday` from 2.14.2 to 2.14.3
- [Release notes](https://github.com/lostisland/faraday/releases)
- [Changelog](https://github.com/lostisland/faraday/blob/main/CHANGELOG.md)
- [Commits](lostisland/faraday@v2.14.2...v2.14.3)

Updates `net-imap` from 0.6.3 to 0.6.4.1
- [Release notes](https://github.com/ruby/net-imap/releases)
- [Commits](ruby/net-imap@v0.6.3...v0.6.4.1)

---
updated-dependencies:
- dependency-name: puma
  dependency-version: 7.2.1
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: devise
  dependency-version: 5.0.4
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: concurrent-ruby
  dependency-version: 1.3.7
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: css_parser
  dependency-version: 2.1.0
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: erb
  dependency-version: 6.0.4
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: faraday
  dependency-version: 2.14.3
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: net-imap
  dependency-version: 0.6.4.1
  dependency-type: indirect
  dependency-group: bundler
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file ruby Pull requests that update ruby code labels Jun 30, 2026
@ArtOfCode- ArtOfCode- changed the base branch from develop to art/rails-8 July 2, 2026 14:03
@ArtOfCode- ArtOfCode- merged commit 4d9cc6e into art/rails-8 Jul 2, 2026
@ArtOfCode- ArtOfCode- deleted the dependabot/bundler/bundler-dc99e79422 branch July 2, 2026 14:04
@ArtOfCode- (Member) commented:
There's some major version changes here - I've merged into rails-8, let's get this deployed to dev to poke at.
