Bump the dependencies group across 1 directory with 22 updates #431

Closed
dependabot[bot] wants to merge 1 commit into staging from dependabot/bundler/dependencies-b32faa8665

dependabot Bot commented on behalf of github Jun 29, 2026

Bumps the dependencies group with 22 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| jbuilder | 2.14.1 | 2.15.1 |
| bootsnap | 1.24.4 | 1.24.6 |
| strong_migrations | 2.7.0 | 2.8.0 |
| omniauth-microsoft_graph | 2.1.0 | 2.2.0 |
| doorkeeper | 5.9.0 | 5.9.3 |
| doorkeeper-i18n | 5.2.8 | 5.2.9 |
| doorkeeper-openid_connect | 1.9.0 | 1.10.3 |
| faraday | 2.14.2 | 2.14.3 |
| dalli | 5.0.2 | 5.0.5 |
| opentelemetry-instrumentation-all | 0.93.0 | 0.94.0 |
| marcel | 1.1.0 | 1.2.1 |
| aws-sdk-s3 | 1.222.0 | 1.226.0 |
| image_processing | 1.14.0 | 2.0.2 |
| danger | 9.5.3 | 9.6.0 |
| listen | 3.9.0 | 3.10.0 |
| overcommit | 0.69.0 | 0.71.0 |
| brakeman | 8.0.4 | 8.0.5 |
| jwt | 2.10.2 | 2.10.3 |
| puma | 8.0.1 | 8.0.2 |
| selenium-webdriver | 4.44.0 | 4.45.0 |
| annotaterb | 4.22.0 | 4.23.0 |
| database_consistency | 3.0.4 | 3.0.5 |

Updates jbuilder from 2.14.1 to 2.15.1

Release notes

Sourced from jbuilder's releases.

v2.15.1

What's Changed

New Contributors

Full Changelog: rails/jbuilder@v2.15.0...v2.15.1

v2.15.0

What's Changed

New Contributors

Full Changelog: rails/jbuilder@v2.14.1...v2.15.0

Commits
  • 31eb6e9 Prepare for 2.15.1
  • 154b0fe Merge pull request #617 from rails/rm-fix-616
  • d3e763b Fix partial for Active Model when extra locals are passed in
  • 018083d Prepare for 2.15.0
  • 72cf067 Update devcontainer image to Ruby 4.0.4 and add devcontainer-lock.json
  • d35a962 Merge pull request #615 from taketo1113/ci-rails8.1-ruby4.0
  • cc42e7e CI: Add Rails 8.1 & Ruby 4.0 to CI Matrix
  • cd7482e Merge pull request #613 from affinity/moberegger/fix-inline-partial-locals-be
  • 58283a0 Merge pull request #612 from affinity/moberegger/optimize-_map_collection
  • 09ca3e1 Merge pull request #603 from taketo1113/update-rack-unprocessable_content
  • Additional commits viewable in compare view

Updates bootsnap from 1.24.4 to 1.24.6

Changelog

Sourced from bootsnap's changelog.

1.24.6

  • Fix detection of Ruby bug #22023 on some patch versions of Ruby 3.4, and properly apply the workaround.

1.24.5

  • No longer load the config file by default when setup is done manually. This is so cli applications like homebrew don't mistakenly load another app's bootsnap config.

Commits
  • 026e183 Release 1.24.6
  • 263e346 Merge pull request #556 from byroot/remove-canary
  • 7c31cd8 Check for [Bug #22023] by checking Ruby version rather than a canary
  • 54eba76 Merge pull request #554 from byroot/namespace-overflow
  • fe963d5 bs_cache_path: account for namespace length
  • 7b42db6 Merge pull request #553 from arpitjain099/chore/declare-workflow-perms
  • 113b184 ci: add permissions: contents: read to ci
  • d6ca050 Release 1.24.5
  • 579aa0e Merge pull request #552 from byroot/fix-bootsnap-config
  • 2884e89 Only load config file is directed to by .setup
  • Additional commits viewable in compare view

Updates strong_migrations from 2.7.0 to 2.8.0

Changelog

Sourced from strong_migrations's changelog.

2.8.0 (2026-05-14)

  • Added check for rename_enum_value

Commits

Updates omniauth-microsoft_graph from 2.1.0 to 2.2.0

Commits
  • 30d84c4 bump version 2.2.0 as 2.1.0 already exists (#51)
  • 8688404 bump version 2.1.0 (#50)
  • c8d9639 Fix email domain up domain case sensitive comparison (#42)
  • ad4fd02 Update sinatra requirement from ~> 2.2 to ~> 4.1 in the bundler group (#40)
  • 764ebe7 Relax version constraint for jwt gem (#49)
  • See full diff in compare view

Updates doorkeeper from 5.9.0 to 5.9.3

Release notes

Sourced from doorkeeper's releases.

v5.9.3

  • #1834 Fix default allow_token_introspection returning false when a custom application_class is configured. The default proc compared application objects with ==, which fails when the authorized client and the introspected token's application are resolved as different classes (e.g. a base Doorkeeper::Application vs. a configured subclass) even though they reference the same record. It now compares application ids instead.
  • #1832 Fix confusing belongs_to :owner side effect: Doorkeeper::Models::Ownership is now included only when enable_application_owner? is set (read at include time), so models no longer expose a misleading owner association/reflection when the application owner feature is disabled and the schema lacks the owner columns.

v5.9.2

  • #1822 #1823 #1825 Update Rubocop config, auto-corrections and codebase cleanup.
  • #1830 Fix NameError: uninitialized constant ApplicationRecord on rails db:seed (and other non-eager-loading flows) caused by on_load(:active_record) firing re-entrantly during ApplicationRecord autoload. The orm hooks no longer depend on ActiveSupport.on_load(:active_record); model concerns (Ownership, PolymorphicResourceOwner::ForAccessGrant, PolymorphicResourceOwner::ForAccessToken) are now wired up from each Mixins::* included block, which fires at parent-class autoload time — after Doorkeeper.configure has applied user settings and without re-entering the AR load chain.
    • Upgrade note: fully custom model classes that don't include Doorkeeper::Orm::ActiveRecord::Mixins::{Application,AccessToken,AccessGrant} will no longer auto-receive Ownership / PolymorphicResourceOwner concerns (previously injected by run_orm_hooks via the configured class name). Either inherit from the Doorkeeper default model, include the corresponding Mixins::* module, or include the concerns directly.

v5.9.1

  • #1781 Honor handle_auth_errors :raise in AuthorizationsController#authorize_response

  • #1795 Fix: detailed error 'insufficient_scope' in protected resources 403s

  • #1797 Fix doorkeeper:db:cleanup rake task failure on PostgreSQL

  • #1800 Set @grant_type in ClientCredentialsRequest and RefreshTokenRequest constructors so request.grant_type returns the correct value in hooks like before_successful_strategy_response.

  • #1802 Fix filter_parameters not applied when Doorkeeper.configure is called inside to_prepare.

  • #1804 Use ActiveSupport.on_load(:active_record) in ORM hooks to prevent loading ActiveRecord models too early

  • #1806 Fix token revocation bypass for public clients (RFC 7009)

  • #1815 Expose current_resource_owner as a view helper in Doorkeeper::ApplicationController.

  • #1818 Fix token introspection returning exp: 0 for non-expiring tokens.

  • #1784 Remove hardcoded colons from view templates, move punctuation to i18n translation strings.

    [IMPORTANT]: if you have customized Doorkeeper views (authorizations/new, authorizations/show, applications/show) or overridden the default en.yml translations, you may need to update them. Colons are no longer hardcoded in the views — they are now part of the translation strings. Update the doorkeeper-i18n gem to get the updated translations for all locales.

  • #1820 Remove dead wildcard presence check in Scopes#dynamic_scope_match? (internal cleanup, no behavior change).

  • #1822 Update Rubocop config, auto-corrections.

  • #1823 Update Rubocop config, part 2.

  • #1825 Update Rubocop config, part 3.

  • #1821 Fix noisy Could not find command "no_previous_refresh_token_column?" Thor output during the PreviousRefreshTokenGenerator spec by stubbing the underlying DB column check instead of the generator's private method (test-only change).

Changelog

Sourced from doorkeeper's changelog.

5.9.3

  • #1834 Fix default allow_token_introspection returning false when a custom application_class is configured. The default proc compared application objects with ==, which fails when the authorized client and the introspected token's application are resolved as different classes (e.g. a base Doorkeeper::Application vs. a configured subclass) even though they reference the same record. It now compares application ids instead.
  • #1832 Fix confusing belongs_to :owner side effect: Doorkeeper::Models::Ownership is now included only when enable_application_owner? is set (read at include time), so models no longer expose a misleading owner association/reflection when the application owner feature is disabled and the schema lacks the owner columns.

5.9.2

  • #1822 #1823 #1825 Update Rubocop config, auto-corrections and codebase cleanup.
  • #1830 Fix NameError: uninitialized constant ApplicationRecord on rails db:seed (and other non-eager-loading flows) caused by on_load(:active_record) firing re-entrantly during ApplicationRecord autoload. The orm hooks no longer depend on ActiveSupport.on_load(:active_record); model concerns (Ownership, PolymorphicResourceOwner::ForAccessGrant, PolymorphicResourceOwner::ForAccessToken) are now wired up from each Mixins::* included block, which fires at parent-class autoload time — after Doorkeeper.configure has applied user settings and without re-entering the AR load chain.
    • Upgrade note: fully custom model classes that don't include Doorkeeper::Orm::ActiveRecord::Mixins::{Application,AccessToken,AccessGrant} will no longer auto-receive Ownership / PolymorphicResourceOwner concerns (previously injected by run_orm_hooks via the configured class name). Either inherit from the Doorkeeper default model, include the corresponding Mixins::* module, or include the concerns directly.

5.9.1

  • #1781 Honor handle_auth_errors :raise in AuthorizationsController#authorize_response

  • #1795 Fix: detailed error 'insufficient_scope' in protected resources 403s

  • #1797 Fix doorkeeper:db:cleanup rake task failure on PostgreSQL

  • #1800 Set @grant_type in ClientCredentialsRequest and RefreshTokenRequest constructors so request.grant_type returns the correct value in hooks like before_successful_strategy_response.

  • #1802 Fix filter_parameters not applied when Doorkeeper.configure is called inside to_prepare.

  • #1804 Use ActiveSupport.on_load(:active_record) in ORM hooks to prevent loading ActiveRecord models too early

  • #1806 Fix token revocation bypass for public clients (RFC 7009)

  • #1815 Expose current_resource_owner as a view helper in Doorkeeper::ApplicationController.

  • #1818 Fix token introspection returning exp: 0 for non-expiring tokens.

  • #1784 Remove hardcoded colons from view templates, move punctuation to i18n translation strings.

    [IMPORTANT]: if you have customized Doorkeeper views (authorizations/new, authorizations/show, applications/show) or overridden the default en.yml translations, you may need to update them. Colons are no longer hardcoded in the views — they are now part of the translation strings. Update the doorkeeper-i18n gem to get the updated translations for all locales.

  • #1820 Remove dead wildcard presence check in Scopes#dynamic_scope_match? (internal cleanup, no behavior change).

  • #1822 Update Rubocop config, auto-corrections.

  • #1823 Update Rubocop config, part 2.

  • #1825 Update Rubocop config, part 3.

  • #1821 Fix noisy Could not find command "no_previous_refresh_token_column?" Thor output during the PreviousRefreshTokenGenerator spec by stubbing the underlying DB column check instead of the generator's private method (test-only change).

Commits
  • 4737ffe Release 5.9.3 🎉
  • 90e4976 Merge pull request #1834 from 55728/fix/1833-allow-token-introspection-custom...
  • bc3d9e5 Merge pull request #1832 from 55728/experiment/1831-gate-ownership
  • 155ce8c Fix allow_token_introspection default for custom application_class (#1833)
  • 1c7ef35 Gate belongs_to :owner on enable_application_owner? at include time
  • f278711 Release 5.9.2 🎉
  • d83beb8 Merge pull request #1830 from 55728/refactor/1828-mixins-included-no-on-load
  • ab58c37 Wire model concerns from Mixin included blocks, drop on_load(:active_record)
  • 3666790 [ci skip] AGENTS.md update
  • 7ae6104 [ci skip] AGENTS.md update
  • Additional commits viewable in compare view

Updates doorkeeper-i18n from 5.2.8 to 5.2.9

Release notes

Sourced from doorkeeper-i18n's releases.

v5.2.9

  • #73 Add colons to translations
  • #74 Fix untranslated English fragment in Japanese locale

Commits

Updates doorkeeper-openid_connect from 1.9.0 to 1.10.3

Release notes

Sourced from doorkeeper-openid_connect's releases.

v1.10.3

  • #308 Fix NameError: uninitialized constant Auth::ApplicationRecord on boot when using a namespaced custom access grant model (e.g. Auth::OAuthAccessGrant < ApplicationRecord). Since v1.10.0 (#241) the openid_request association was wired inside an ActiveSupport.on_load(:active_record) block, which fires while ActiveRecord::Base is first loaded and constantizes the grant model too early. The association is now added from Doorkeeper's AccessGrant mixin included callback — at the model's own load time, without constantizing — mirroring the fix doorkeeper made in #1830 (#306)

v1.10.2

  • #315 Drop support for EOL Ruby 3.1 (EOL 2025-03-25) and require Ruby >= 3.2. i18n 1.15.0 uses the Fiber[] storage API which only exists on Ruby 3.2+, so the Ruby 3.1 CI row no longer loads; the matrix now tests Ruby 3.2 as the minimum
  • #316 Set fail-fast: false in CI matrix so a single failing job no longer cancels the rest
  • #303 execute account selection even without owner, and select_account_for_resource_owner can now receive nil as the first argument.
  • #304 allow handle auth_time per grant
  • #305 Document the auth_time_from_access_token config option in the README (per-grant auth_time), clarifying that it only affects the ID Token auth_time claim and not max_age enforcement
  • #307 Fix bundle exec rake server for the test application
  • #313 Move Configuration documentation from README to Wiki
  • #312 Raise Errors::MissingRequiredClaim instead of silently dropping a blank REQUIRED ID Token claim (iss/sub/aud/exp/iat) in IdToken#as_json, which previously could emit a non-conformant ID Token (OIDC Core 1.0 §2). OPTIONAL claims such as nonce/auth_time are still omitted when blank
  • #311 Include the REQUIRED client_secret_expires_at member (value 0, never expires) in the Dynamic Client Registration response whenever a client_secret is issued (RFC 7591 §3.2.1 / OpenID Connect Dynamic Client Registration 1.0 §3.2)
  • #309 Add a browser dashboard to the test application (spec/dummy) for exercising the OpenID Connect endpoints by hand — replacing the rails console + curl workflow with forms for Setup, Discovery, Authorization (code / implicit / PKCE / nonce / prompt / max_age), token exchange, UserInfo, introspection and revocation

v1.10.1

  • #294 Drop stale Metrics/ClassLength and Metrics/BlockLength overrides from .rubocop_todo.yml
  • #293 Drop Naming/VariableNumber from .rubocop_todo.yml and normalise test variable names
  • #291 Document multi-namespace mount pattern for multiple resource owner models (#192)
  • #292 Drop formatting cops from .rubocop_todo.yml and align trailing-comma style with upstream doorkeeper
  • #296 Fix the prompt parameter being rejected with invalid_request when it contains leading or duplicate spaces (e.g. prompt=%20none) — blank entries in the space-delimited value are now ignored
  • #299 Raise InvalidConfiguration when the issuer config resolves to a blank value instead of silently advertising an empty issuer in the discovery document. Since v1.10.0 an arity-2 issuer block receives (resource_owner, application) — both nil in the discovery context — so a block relying on the old v1.9.0 request argument could return nil and produce a discovery issuer that mismatched the ID token iss (#298)

v1.10.0

  • #241 Fix NameError on doorkeeper master by deferring AR model loading in run_hooks (see Doorkeeper PR)
  • #242 Fix NoMethodError for openid_request in testing environments.
  • #246 Fix at_hash to use correct hash algorithm based on signing_algorithm
  • #250 Return configured issuer instead of root_url in WebFinger response (thanks to @​sato11 for the original work in #172)
  • #248 Fix max_age always triggering reauthentication when auth_time_from_resource_owner returns Integer
  • #254 Breaking: Omit expires_in from the response_type=id_token response (OIDC Core §3.2.2.5 — expires_in represents the Access Token lifetime; it is still returned for response_type=id_token token)
  • #252 Treat auth_time_from_resource_owner as optional in IdToken — omit auth_time claim when unconfigured instead of raising InvalidConfiguration
  • #256 Accept non-callable values (symbol / string) for the protocol config option, matching the pattern used by issuer / signing_algorithm / signing_key / expiration
  • #258 Skip IdToken construction on password grants without the openid scope
  • #259 Skip IdToken construction on authorization code grants without the openid scope
  • #261 Fix obsolete RuboCop configuration (require:plugins:, RSpec/FilePath split, remove Capybara/FeatureMethods)
  • #263 Security/Breaking: Determine dynamically registered client's confidential flag from token_endpoint_auth_method per RFC 7591 — previously every dynamically registered client was created as public (confidential: false), which let callers authenticate with only client_id (by_uid_and_secret(uid, nil) bypass). Default is now client_secret_basic (confidential); none produces a public client; unsupported values (e.g. private_key_jwt) are rejected with invalid_client_metadata. Also derive token_endpoint_auth_methods_supported in the response from Doorkeeper.configuration.client_credentials_methods instead of a hardcoded list, matching #236
  • #264 Apply safe RuboCop autocorrections and fix resulting artifacts
  • #265 Add Dynamic Client Registration section to README
  • #266 Validate application_type, response_types, and grant_types parameters in dynamic client registration per RFC 7591 — reject unsupported values with invalid_client_metadata and echo the requested values back in the registration response, instead of silently ignoring them and returning the server's global configuration
  • #267 Add authorize_dynamic_client_registration config option to gate the dynamic client registration endpoint per RFC 7591 §3.1 — when set to a callable, the block is evaluated in the controller scope (with access to request, params, request.headers, etc.) and falsy return values reject the request with 401 invalid_token. Default is nil so the endpoint remains open for backward compatibility; consumers should configure this to validate an Initial Access Token (or any other authorization scheme) before allowing client registration
  • #268 Update Dynamic Client Registration README for validated metadata parameters
  • #269 Document authorize_dynamic_client_registration in README
  • #270 Document the unified issuer block signature in README
  • #278 Test against Ruby 4.0.
  • #271 Security: Add auth_time_from_session config for per-session max_age enforcement. The legacy auth_time_from_resource_owner cannot distinguish between concurrent sessions and is now deprecated for max_age use (see #150)
  • #272 Document auth_time_from_session in README (follow-up to #271)
  • #273 Security/Hardening: Merge framework-controlled registered claims last — iss/sub/aud/exp/iat/nonce/auth_time for the ID Token and sub for UserInfo — so a custom claim block can no longer override security-critical values. No legitimate configuration relied on this; custom claims that intentionally shadowed a registered claim name will now be ignored for that key (OIDC Core §2 / §3.1.3.7 / §5.3.2).
  • #276 Get RuboCop to zero offenses: fix Lint/MissingSuper in IdTokenResponse, replace puts with warn for deprecation notices, and modernise spec style
  • #277 Fix README inaccuracies (signing_algorithm description and link, discovery_url_options endpoint list, oauth-authorization-server route) and use constant-time comparison in the DCR authorization example to prevent timing attacks on the Initial Access Token
  • #279 Return account_selection_required when a prompt=select_account handler does not generate a response, per OIDC Core 1.0 §3.1.2.6 — previously the authorization silently continued without account selection. Adds the missing Errors::AccountSelectionRequired class, mirroring the existing login_required backstop for reauthenticate_resource_owner

... (truncated)

Changelog

Sourced from doorkeeper-openid_connect's changelog.

v1.10.3 (2026-06-23)

  • #308 Fix NameError: uninitialized constant Auth::ApplicationRecord on boot when using a namespaced custom access grant model (e.g. Auth::OAuthAccessGrant < ApplicationRecord). Since v1.10.0 (#241) the openid_request association was wired inside an ActiveSupport.on_load(:active_record) block, which fires while ActiveRecord::Base is first loaded and constantizes the grant model too early. The association is now added from Doorkeeper's AccessGrant mixin included callback — at the model's own load time, without constantizing — mirroring the fix doorkeeper made in #1830 (#306)

v1.10.2 (2026-06-22)

  • #315 Drop support for EOL Ruby 3.1 (EOL 2025-03-25) and require Ruby >= 3.2. i18n 1.15.0 uses the Fiber[] storage API which only exists on Ruby 3.2+, so the Ruby 3.1 CI row no longer loads; the matrix now tests Ruby 3.2 as the minimum
  • #316 Set fail-fast: false in CI matrix so a single failing job no longer cancels the rest
  • #303 execute account selection even without owner, and select_account_for_resource_owner can now receive nil as the first argument.
  • #304 allow handle auth_time per grant
  • #305 Document the auth_time_from_access_token config option in the README (per-grant auth_time), clarifying that it only affects the ID Token auth_time claim and not max_age enforcement
  • #307 Fix bundle exec rake server for the test application
  • #313 Move Configuration documentation from README to Wiki
  • #312 Raise Errors::MissingRequiredClaim instead of silently dropping a blank REQUIRED ID Token claim (iss/sub/aud/exp/iat) in IdToken#as_json, which previously could emit a non-conformant ID Token (OIDC Core 1.0 §2). OPTIONAL claims such as nonce/auth_time are still omitted when blank
  • #311 Include the REQUIRED client_secret_expires_at member (value 0, never expires) in the Dynamic Client Registration response whenever a client_secret is issued (RFC 7591 §3.2.1 / OpenID Connect Dynamic Client Registration 1.0 §3.2)
  • #309 Add a browser dashboard to the test application (spec/dummy) for exercising the OpenID Connect endpoints by hand — replacing the rails console + curl workflow with forms for Setup, Discovery, Authorization (code / implicit / PKCE / nonce / prompt / max_age), token exchange, UserInfo, introspection and revocation

v1.10.1 (2026-06-03)

  • #294 Drop stale Metrics/ClassLength and Metrics/BlockLength overrides from .rubocop_todo.yml
  • #293 Drop Naming/VariableNumber from .rubocop_todo.yml and normalise test variable names
  • #291 Document multi-namespace mount pattern for multiple resource owner models (#192)
  • #292 Drop formatting cops from .rubocop_todo.yml and align trailing-comma style with upstream doorkeeper
  • #296 Fix the prompt parameter being rejected with invalid_request when it contains leading or duplicate spaces (e.g. prompt=%20none) — blank entries in the space-delimited value are now ignored
  • #299 Raise InvalidConfiguration when the issuer config resolves to a blank value instead of silently advertising an empty issuer in the discovery document. Since v1.10.0 an arity-2 issuer block receives (resource_owner, application) — both nil in the discovery context — so a block relying on the old v1.9.0 request argument could return nil and produce a discovery issuer that mismatched the ID token iss (#298)

v1.10.0 (2026-06-01)

[!IMPORTANT]

  • Breaking (arity-2 issuer blocks): resolve_issuer now dispatches arity-2 blocks with (resource_owner, application) in all contexts, including discovery. In v1.9.0 DiscoveryController passed request as the first argument; existing arity-2 blocks that relied on this receive (nil, nil) in v1.10.0 and should migrate to arity-3 — see #298 for details and migration examples
  • #241 Fix NameError on doorkeeper master by deferring AR model loading in run_hooks (see Doorkeeper PR)
  • #242 Fix NoMethodError for openid_request in testing environments.
  • #246 Fix at_hash to use correct hash algorithm based on signing_algorithm
  • #250 Return configured issuer instead of root_url in WebFinger response (thanks to @​sato11 for the original work in #172)
  • #248 Fix max_age always triggering reauthentication when auth_time_from_resource_owner returns Integer
  • #254 Breaking: Omit expires_in from the response_type=id_token response (OIDC Core §3.2.2.5 — expires_in represents the Access Token lifetime; it is still returned for response_type=id_token token)
  • #252 Treat auth_time_from_resource_owner as optional in IdToken — omit auth_time claim when unconfigured instead of raising InvalidConfiguration
  • #256 Accept non-callable values (symbol / string) for the protocol config option, matching the pattern used by issuer / signing_algorithm / signing_key / expiration
  • #258 Skip IdToken construction on password grants without the openid scope
  • #259 Skip IdToken construction on authorization code grants without the openid scope
  • #261 Fix obsolete RuboCop configuration (require:plugins:, RSpec/FilePath split, remove Capybara/FeatureMethods)
  • #263 Security/Breaking: Determine dynamically registered client's confidential flag from token_endpoint_auth_method per RFC 7591 — previously every dynamically registered client was created as public (confidential: false), which let callers authenticate with only client_id (by_uid_and_secret(uid, nil) bypass). Default is now client_secret_basic (confidential); none produces a public client; unsupported values (e.g. private_key_jwt) are rejected with invalid_client_metadata. Also derive token_endpoint_auth_methods_supported in the response from Doorkeeper.configuration.client_credentials_methods instead of a hardcoded list, matching #236
  • #264 Apply safe RuboCop autocorrections and fix resulting artifacts
  • #265 Add Dynamic Client Registration section to README
  • #266 Validate application_type, response_types, and grant_types parameters in dynamic client registration per RFC 7591 — reject unsupported values with invalid_client_metadata and echo the requested values back in the registration response, instead of silently ignoring them and returning the server's global configuration
  • #267 Add authorize_dynamic_client_registration config option to gate the dynamic client registration endpoint per RFC 7591 §3.1 — when set to a callable, the block is evaluated in the controller scope (with access to request, params, request.headers, etc.) and falsy return values reject the request with 401 invalid_token. Default is nil so the endpoint remains open for backward compatibility; consumers should configure this to validate an Initial Access Token (or any other authorization scheme) before allowing client registration
  • #268 Update Dynamic Client Registration README for validated metadata parameters
  • #269 Document authorize_dynamic_client_registration in README

... (truncated)

Commits
  • 0de04e0 Merge pull request #319 from 55728/release/v1.10.3
  • 83c1682 Release 1.10.3 🎉
  • e4eaff6 Merge pull request #308 from 55728/fix/306-remove-on-load-active-record
  • dba2c84 Merge pull request #318 from 55728/release/v1.10.2
  • 58eede2 Merge pull request #309 from 55728/feature/dummy-oidc-dashboard
  • 967648d Release 1.10.2 🎉
  • 25ab038 Merge pull request #316 from 55728/ci/fail-fast-false
  • 149c363 Merge pull request #315 from 55728/fix/314-drop-ruby-3.1
  • f4e9caa Set fail-fast: false in CI matrix
  • 808c76c Drop EOL Ruby 3.1, require Ruby >= 3.2
  • Additional commits viewable in compare view

Updates faraday from 2.14.2 to 2.14.3

Release notes

Sourced from faraday's releases.

v2.14.3

Security Note

This release contains a security fix, we recommend all users to upgrade as soon as possible. A Security Advisory with more details will be posted shortly.

What's Changed

New Contributors

Full Changelog: lostisland/faraday@v2.14.2...v2.14.3

Commits

Updates dalli from 5.0.2 to 5.0.5

Changelog

Sourced from dalli's changelog.

5.0.5

Performance:

  • Batch multi-key commands into a single write to reduce packet overhead (#1107)

    • With TCP_NODELAY set on sockets, each write call emits a separate packet; the meta protocol was calling write up to 3 times per key in multi-key operations (get_multi, set_multi, delete_multi), significantly increasing network traffic compared to the old binary protocol
    • Multi-key request paths now buffer all per-key commands into a single binary string and flush once; single-key paths combine the write and flush into one flushed_write call
    • Thanks to Jean Boussier for this contribution
  • Avoid repeated RUBY_ENGINE checks on every socket read (#1103)

    • Moved the JRuby branch from a runtime if inside ConnectionManager#read to a class-level conditional method definition, so the check happens once at load time rather than on every read call
    • Thanks to Jean Boussier for this contribution
  • Eliminate per-call array allocations in ResponseProcessor (#1104)

    • Token sets passed to error_on_unexpected! (e.g. [VA, EN, HD]) were allocated as new arrays on every invocation; replaced with frozen constants defined once at class load time
    • Thanks to Jean Boussier for this contribution
  • Avoid string copies when building request commands in RequestFormatter (#1106)

    • Changed cmd + TERMINATOR to cmd << TERMINATOR; since cmd is always a mutable string, the in-place append avoids copying the entire command string just to append two bytes
    • Thanks to Jean Boussier for this contribution

5.0.4

Bug fixes:

    ...

    Description has been truncated

Bumps the dependencies group with 22 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [jbuilder](https://github.com/rails/jbuilder) | `2.14.1` | `2.15.1` |
| [bootsnap](https://github.com/rails/bootsnap) | `1.24.4` | `1.24.6` |
| [strong_migrations](https://github.com/ankane/strong_migrations) | `2.7.0` | `2.8.0` |
| [omniauth-microsoft_graph](https://github.com/synth/omniauth-microsoft_graph) | `2.1.0` | `2.2.0` |
| [doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) | `5.9.0` | `5.9.3` |
| [doorkeeper-i18n](https://github.com/doorkeeper-gem/doorkeeper-i18n) | `5.2.8` | `5.2.9` |
| [doorkeeper-openid_connect](https://github.com/doorkeeper-gem/doorkeeper-openid_connect) | `1.9.0` | `1.10.3` |
| [faraday](https://github.com/lostisland/faraday) | `2.14.2` | `2.14.3` |
| [dalli](https://github.com/petergoldstein/dalli) | `5.0.2` | `5.0.5` |
| [opentelemetry-instrumentation-all](https://github.com/open-telemetry/opentelemetry-ruby-contrib) | `0.93.0` | `0.94.0` |
| [marcel](https://github.com/rails/marcel) | `1.1.0` | `1.2.1` |
| [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby) | `1.222.0` | `1.226.0` |
| [image_processing](https://github.com/janko/image_processing) | `1.14.0` | `2.0.2` |
| [danger](https://github.com/danger/danger) | `9.5.3` | `9.6.0` |
| [listen](https://github.com/guard/listen) | `3.9.0` | `3.10.0` |
| [overcommit](https://github.com/sds/overcommit) | `0.69.0` | `0.71.0` |
| [brakeman](https://github.com/presidentbeef/brakeman) | `8.0.4` | `8.0.5` |
| [jwt](https://github.com/jwt/ruby-jwt) | `2.10.2` | `2.10.3` |
| [puma](https://github.com/puma/puma) | `8.0.1` | `8.0.2` |
| [selenium-webdriver](https://github.com/SeleniumHQ/selenium) | `4.44.0` | `4.45.0` |
| [annotaterb](https://github.com/drwl/annotaterb) | `4.22.0` | `4.23.0` |
| [database_consistency](https://github.com/djezzzl/database_consistency) | `3.0.4` | `3.0.5` |



Updates `jbuilder` from 2.14.1 to 2.15.1
- [Release notes](https://github.com/rails/jbuilder/releases)
- [Commits](rails/jbuilder@v2.14.1...v2.15.1)

Updates `bootsnap` from 1.24.4 to 1.24.6
- [Release notes](https://github.com/rails/bootsnap/releases)
- [Changelog](https://github.com/rails/bootsnap/blob/main/CHANGELOG.md)
- [Commits](rails/bootsnap@v1.24.4...v1.24.6)

Updates `strong_migrations` from 2.7.0 to 2.8.0
- [Changelog](https://github.com/ankane/strong_migrations/blob/master/CHANGELOG.md)
- [Commits](ankane/strong_migrations@v2.7.0...v2.8.0)

Updates `omniauth-microsoft_graph` from 2.1.0 to 2.2.0
- [Release notes](https://github.com/synth/omniauth-microsoft_graph/releases)
- [Changelog](https://github.com/synth/omniauth-microsoft_graph/blob/main/CHANGELOG.md)
- [Commits](synth/omniauth-microsoft_graph@2.1.0...2.2.0)

Updates `doorkeeper` from 5.9.0 to 5.9.3
- [Release notes](https://github.com/doorkeeper-gem/doorkeeper/releases)
- [Changelog](https://github.com/doorkeeper-gem/doorkeeper/blob/main/CHANGELOG.md)
- [Commits](doorkeeper-gem/doorkeeper@v.5.9.0...v5.9.3)

Updates `doorkeeper-i18n` from 5.2.8 to 5.2.9
- [Release notes](https://github.com/doorkeeper-gem/doorkeeper-i18n/releases)
- [Commits](https://github.com/doorkeeper-gem/doorkeeper-i18n/commits/v5.2.9)

Updates `doorkeeper-openid_connect` from 1.9.0 to 1.10.3
- [Release notes](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/releases)
- [Changelog](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/blob/master/CHANGELOG.md)
- [Commits](doorkeeper-gem/doorkeeper-openid_connect@v1.9.0...v1.10.3)

Updates `faraday` from 2.14.2 to 2.14.3
- [Release notes](https://github.com/lostisland/faraday/releases)
- [Changelog](https://github.com/lostisland/faraday/blob/main/CHANGELOG.md)
- [Commits](lostisland/faraday@v2.14.2...v2.14.3)

Updates `dalli` from 5.0.2 to 5.0.5
- [Changelog](https://github.com/petergoldstein/dalli/blob/main/CHANGELOG.md)
- [Commits](petergoldstein/dalli@v5.0.2...v5.0.5)

Updates `opentelemetry-instrumentation-all` from 0.93.0 to 0.94.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-ruby-contrib/releases)
- [Commits](open-telemetry/opentelemetry-ruby-contrib@opentelemetry-instrumentation-all/v0.93.0...opentelemetry-instrumentation-all/v0.94.0)

Updates `marcel` from 1.1.0 to 1.2.1
- [Release notes](https://github.com/rails/marcel/releases)
- [Commits](rails/marcel@v1.1.0...v1.2.1)

Updates `aws-sdk-s3` from 1.222.0 to 1.226.0
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases)
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-s3/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-ruby/commits)

Updates `image_processing` from 1.14.0 to 2.0.2
- [Changelog](https://github.com/janko/image_processing/blob/master/CHANGELOG.md)
- [Commits](janko/image_processing@v1.14.0...v2.0.2)

Updates `danger` from 9.5.3 to 9.6.0
- [Release notes](https://github.com/danger/danger/releases)
- [Changelog](https://github.com/danger/danger/blob/master/CHANGELOG.md)
- [Commits](danger/danger@v9.5.3...v9.6.0)

Updates `listen` from 3.9.0 to 3.10.0
- [Release notes](https://github.com/guard/listen/releases)
- [Commits](guard/listen@v3.9.0...v3.10.0)

Updates `overcommit` from 0.69.0 to 0.71.0
- [Release notes](https://github.com/sds/overcommit/releases)
- [Changelog](https://github.com/sds/overcommit/blob/main/CHANGELOG.md)
- [Commits](sds/overcommit@v0.69.0...v0.71.0)

Updates `brakeman` from 8.0.4 to 8.0.5
- [Release notes](https://github.com/presidentbeef/brakeman/releases)
- [Changelog](https://github.com/presidentbeef/brakeman/blob/main/CHANGES.md)
- [Commits](presidentbeef/brakeman@v8.0.4...v8.0.5)

Updates `jwt` from 2.10.2 to 2.10.3
- [Release notes](https://github.com/jwt/ruby-jwt/releases)
- [Changelog](https://github.com/jwt/ruby-jwt/blob/main/CHANGELOG.md)
- [Commits](jwt/ruby-jwt@v2.10.2...v2.10.3)

Updates `puma` from 8.0.1 to 8.0.2
- [Release notes](https://github.com/puma/puma/releases)
- [Changelog](https://github.com/puma/puma/blob/main/History.md)
- [Commits](puma/puma@v8.0.1...v8.0.2)

Updates `selenium-webdriver` from 4.44.0 to 4.45.0
- [Release notes](https://github.com/SeleniumHQ/selenium/releases)
- [Changelog](https://github.com/SeleniumHQ/selenium/blob/trunk/rb/CHANGES)
- [Commits](SeleniumHQ/selenium@selenium-4.44.0...selenium-4.45.0)

Updates `annotaterb` from 4.22.0 to 4.23.0
- [Changelog](https://github.com/drwl/annotaterb/blob/main/CHANGELOG.md)
- [Commits](drwl/annotaterb@v4.22.0...v4.23.0)

Updates `database_consistency` from 3.0.4 to 3.0.5
- [Changelog](https://github.com/djezzzl/database_consistency/blob/master/CHANGELOG.md)
- [Commits](djezzzl/database_consistency@v3.0.4...v3.0.5)

---
updated-dependencies:
- dependency-name: jbuilder
  dependency-version: 2.15.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: bootsnap
  dependency-version: 1.24.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: strong_migrations
  dependency-version: 2.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: omniauth-microsoft_graph
  dependency-version: 2.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: doorkeeper
  dependency-version: 5.9.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: doorkeeper-i18n
  dependency-version: 5.2.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: doorkeeper-openid_connect
  dependency-version: 1.10.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: faraday
  dependency-version: 2.14.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: dalli
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: opentelemetry-instrumentation-all
  dependency-version: 0.94.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: marcel
  dependency-version: 1.2.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: aws-sdk-s3
  dependency-version: 1.226.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: image_processing
  dependency-version: 2.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dependencies
- dependency-name: danger
  dependency-version: 9.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: listen
  dependency-version: 3.10.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: overcommit
  dependency-version: 0.71.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: brakeman
  dependency-version: 8.0.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: jwt
  dependency-version: 2.10.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: puma
  dependency-version: 8.0.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: selenium-webdriver
  dependency-version: 4.45.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: annotaterb
  dependency-version: 4.23.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: database_consistency
  dependency-version: 3.0.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and ruby (Pull requests that update ruby code) labels Jun 29, 2026
@erictheise erictheise closed this Jul 1, 2026

dependabot Bot commented on behalf of github Jul 1, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/bundler/dependencies-b32faa8665 branch July 1, 2026 18:30