Skip to content

Bump the bundler group across 1 directory with 14 updates#860

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/bundler/backend/bundler-ba490ecc3c
Open

Bump the bundler group across 1 directory with 14 updates#860
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/bundler/backend/bundler-ba490ecc3c

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 16, 2026

Copy link
Copy Markdown
Contributor

Bumps the bundler group with 9 updates in the /backend directory:

Package From To
puma 5.6.8 7.2.1
devise 4.9.4 5.0.4
rack-cors 2.0.1 2.0.2
addressable 2.8.7 2.9.0
faraday 1.8.0 1.10.6
jwt 2.3.0 2.10.3
net-imap 0.5.12 0.5.15
websocket-driver 0.7.6 0.8.1
yard 0.9.36 0.9.44

Updates puma from 5.6.8 to 7.2.1

Release notes

Sourced from puma's releases.

v7.2.1

  • Bugfixes
    • Limit and anchor PROXY protocol v1 parsing to prevent abuse via crafted inputs (#3947)
    • Parse PROXY protocol only once per connection to prevent injection on keep-alive requests (#3947)

Security advisories

v7.2.0 - On The Corner

  • Features

    • Add workers :auto (#3827)
    • Make it possible to restrict control server commands to stats (#3787)
  • Bugfixes

    • Don't break if WEB_CONCURRENCY is set to a blank string (#3837)
    • Don't share server between worker 0 and descendants on refork (#3602)
    • Fix phase check race condition in Puma::Cluster#check_workers (#3690)
    • Fix advertising of CLI config before config files are loaded (#3823)
  • Performance

    • 17% faster HTTP parsing through pre-interning env keys (#3825)
    • Implement dsize and dcompact functions for Puma::HttpParser, which makes Puma's C-extension GC-compactible (#3828)
  • Refactor

    • Remove NoMethodError rescue in Reactor#select_loop (#3831)
    • Various cleanups in the C extension (#3814)
    • Monomorphize handle_request return (#3802)
  • Docs

    • Change link to docs/deployment.md in README.md (#3848)
    • Fix formatting for each signal description in signals.md (#3813)
    • Update deployment and Kubernetes docs with Puma configuration tips (#3807)
    • Rename master to main (#3809, #3808, #3800)
    • Fix some minor typos in the docs (#3804)
    • Add GOVERNANCE.md, MAINTAINERS (#3826)
    • Remove Code Climate badge (#3820)
    • Add @​joshuay03 to the maintainer list
  • CI

v7.1.0

7.1.0 / 2025-10-16 - Neon Witch

neon_witch

  • Features

... (truncated)

Changelog

Sourced from puma's changelog.

7.2.1 / 2026-05-27

  • Bugfixes
    • Limit and anchor PROXY protocol v1 parsing to prevent abuse via crafted inputs (#3947)
    • Parse PROXY protocol only once per connection to prevent injection on keep-alive requests (#3947)

7.2.0 / 2026-01-20

  • Features

    • Add workers :auto (#3827)
    • Make it possible to restrict control server commands to stats (#3787)
  • Bugfixes

    • Don't break if WEB_CONCURRENCY is set to a blank string (#3837)
    • Don't share server between worker 0 and descendants on refork (#3602)
    • Fix phase check race condition in Puma::Cluster#check_workers (#3690)
    • Fix advertising of CLI config before config files are loaded (#3823)
  • Performance

    • 17% faster HTTP parsing through pre-interning env keys (#3825)
    • Implement dsize and dcompact functions for Puma::HttpParser, which makes Puma's C-extension GC-compactible (#3828)
  • Refactor

    • Remove NoMethodError rescue in Reactor#select_loop (#3831)
    • Various cleanups in the C extension (#3814)
    • Monomorphize handle_request return (#3802)
  • Docs

    • Change link to docs/deployment.md in README.md (#3848)
    • Fix formatting for each signal description in signals.md (#3813)
    • Update deployment and Kubernetes docs with Puma configuration tips (#3807)
    • Rename master to main (#3809, #3808, #3800)
    • Fix some minor typos in the docs (#3804)
    • Add GOVERNANCE.md, MAINTAINERS (#3826)
    • Remove Code Climate badge (#3820)
    • Add @​joshuay03 to the maintainer list
  • CI

7.1.0 / 2025-10-16

  • Features

    • Introduce after_worker_shutdown hook (#3707)
    • Reintroduce keepalive "fast inline" behavior. Provides faster (8x on JRuby & 1.4x on Ruby) pipeline processing (#3794)
  • Bugfixes

    • Skip reading zero bytes when request body is buffered (#3795)
    • Fix PUMA_LOG_CONFIG=1 logging twice with prune_bundler enabled (#3778)

... (truncated)

Commits

Updates devise from 4.9.4 to 5.0.4

Release notes

Sourced from devise's releases.

v5.0.4

https://github.com/heartcombo/devise/blob/v5.0.4/CHANGELOG.md#504---2026-05-08

v5.0.3

https://github.com/heartcombo/devise/blob/v5.0.3/CHANGELOG.md#503---2026-03-16

v5.0.2

https://github.com/heartcombo/devise/blob/v5.0.2/CHANGELOG.md#502---2026-02-18

v5.0.1

https://github.com/heartcombo/devise/blob/v5.0.1/CHANGELOG.md#501---2026-02-13

v5.0.0

https://github.com/heartcombo/devise/blob/v5.0.0/CHANGELOG.md#500---2026-01-23

v5.0.0.rc

https://github.com/heartcombo/devise/blob/v5.0.0.rc/CHANGELOG.md#500rc---2025-12-31

Changelog

Sourced from devise's changelog.

5.0.4 - 2026-05-08

5.0.3 - 2026-03-16

5.0.2 - 2026-02-18

  • enhancements
    • Allow resource class scopes to override the global configuration for sign_in_after_change_password behaviour. #5825
      • Note: some users ran into an issue with this change because RegistrationsController now relies on a setting from the :registerable module. These users were configuring their own routes pointing to the RegistrationsController for resource edit/update actions mostly, without relying on the other registration actions (e.g. user sign up.), so they omitted :registerable from the model declaration. While using just a portion of the controller functionality is a valid use for :registerable (or any module really), the module must still be declared in the model, much like the other modules must be declared if you plan on using just a portion of their behavior. Please check this issue for more info.
    • Add sign_in_after_reset_password? check hook to passwords controller, to allow it to be customized by users. #5826

5.0.1 - 2026-02-13

  • bug fixes
    • Fix translation issue with German E-Mail on invalid authentication messages caused by previous fix for incorrect grammar #5822

5.0.0 - 2026-01-23

no changes

5.0.0.rc - 2025-12-31

  • breaking changes
    • Drop support to Ruby < 2.7

    • Drop support to Rails < 7.0

    • Remove deprecated :bypass option from sign_in helper, use bypass_sign_in instead. #5803

    • Remove deprecated devise_error_messages! helper, use render "devise/shared/error_messages", resource: resource instead. #5803

    • Remove deprecated scope second argument from sign_in(resource, :admin) controller test helper, use sign_in(resource, scope: :admin) instead. #5803

    • Remove deprecated Devise::TestHelpers, use Devise::Test::ControllerHelpers instead. #5803

    • Remove deprecated Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION #5598

    • Remove deprecated Devise.activerecord51? method.

    • Remove SecretKeyFinder and use app.secret_key_base as the default secret key for Devise.secret_key if a custom Devise.secret_key is not provided.

      This is potentially a breaking change because Devise previously used the following order to find a secret key:

      app.credentials.secret_key_base > app.secrets.secret_key_base > application.config.secret_key_base > application.secret_key_base
      

      Now, it always uses application.secret_key_base. Make sure you're using the same secret key after the upgrade; otherwise, previously generated tokens for recoverable, lockable, and confirmable will be invalid. #5645

    • Change password instructions button label on devise view from Send me reset password instructions to Send me password reset instructions #5515

    • Change <br> tags separating form elements to wrapping them in <p> tags #5494

    • Replace [data-turbo-cache=false] with [data-turbo-temporary] on devise/shared/error_messages partial. This has been deprecated by Turbo since v7.3.0 (released on Mar 1, 2023).

... (truncated)

Commits
  • 9ea459d Release v5.0.4 with sec fix for timeoutable
  • 025fe21 Merge commit from fork
  • 7ca7ed9 Add GHSA link to the v5.0.3 sec fix changelog entry [ci skip]
  • 605de86 Update links to https [ci skip]
  • 5e3a8bf Bundle update
  • 5d20277 Cleanup old Rails.version check for db migration path
  • 4ffb0b7 Fix Gemfile for Rails 7.2, incorrectly testing against 7.1
  • 2f80920 Release v5.0.3
  • 5334707 Add CVE to changelog [ci skip]
  • 0252777 Fix race condition vulnerability, by ensuring the unconfirmed_email is alwa...
  • Additional commits viewable in compare view

Updates rack-cors from 2.0.1 to 2.0.2

Changelog

Sourced from rack-cors's changelog.

2.0.2 - 2024-03-04

Changed

Commits

Updates addressable from 2.8.7 to 2.9.0

Changelog

Sourced from addressable's changelog.

Addressable 2.9.0

  • fixes ReDoS vulnerability in Addressable::Template#match (fixes incomplete remediation in 2.8.10)

Addressable 2.8.10

  • fixes ReDoS vulnerability in Addressable::Template#match

Addressable 2.8.9

  • Reduce gem size by excluding test files (#569)
  • No need for bundler as development dependency (#571, 5fc1d93)
  • idna/pure: stop building the useless COMPOSITION_TABLE (removes the Addressable::IDNA::COMPOSITION_TABLE constant) (#564)

#569: sporkmonger/addressable#569 #571: sporkmonger/addressable#571 #564: sporkmonger/addressable#564

Addressable 2.8.8

  • Replace the unicode.data blob by a ruby constant (#561)
  • Allow public_suffix 7 (#558)

#561: sporkmonger/addressable#561 #558: sporkmonger/addressable#558

Commits
  • 0c3e858 Revving version and changelog
  • 91915c1 Fixing additional vulnerable paths
  • a091e39 Add many more adversarial test cases to ensure we don't have any ReDoS regres...
  • 463a819 Regenerate gemspec on newer rubygems
  • 0afcb0b Improve from O(n^2) to O(n)
  • c87f768 Fix a ReDoS vulnerability in URI template matching
  • 0d7e9b2 Fix links for 2.8.9 in CHANGELOG (#573)
  • e209120 Update version, gemspec, and CHANGELOG for 2.8.9 (#572)
  • 3875874 Reduce gem size by excluding test files (#569)
  • 3e57cc6 CI: back to windows-2022 for MRI job
  • Additional commits viewable in compare view

Updates bcrypt from 3.1.20 to 3.1.22

Release notes

Sourced from bcrypt's releases.

v3.1.22

What's Changed

Full Changelog: bcrypt-ruby/bcrypt-ruby@v3.1.21...v3.1.22

v3.1.21

What's Changed

New Contributors

Full Changelog: bcrypt-ruby/bcrypt-ruby@v3.1.20...v3.1.21

Changelog

Sourced from bcrypt's changelog.

3.1.22 Mar 18 2026

3.1.21 Dec 31 2025

  • Use constant time comparisons
  • Mark as Ractor safe
Commits
  • 831ce64 Merge commit from fork
  • 32e687e bump version update changelog
  • 5faa274 Fix integer overflow in JRuby BCrypt rounds calculation
  • aafc033 Merge pull request #294 from bcrypt-ruby/fix-publishing
  • 01f947a fix env url
  • 92ca1d6 Merge pull request #293 from bcrypt-ruby/truffleruby-ci-alt-implementation
  • 4d1d95b Add TruffleRuby in CI
  • 36a04a2 Merge pull request #291 from tenderlove/fix-publishing
  • 01cc688 Move compilation after bundle install
  • 82e6c4c Merge pull request #290 from tenderlove/bump
  • Additional commits viewable in compare view

Updates concurrent-ruby from 1.3.5 to 1.3.7

Release notes

Sourced from concurrent-ruby's releases.

v1.3.7

There are 3 security fixes in this release, so updating is recommended. These security vulnerabilities are not very likely to be hit in practice and have a corresponding Low severity score.

What's Changed

New Contributors

Full Changelog: ruby-concurrency/concurrent-ruby@v1.3.6...v1.3.7

v1.3.6

What's Changed

New Contributors

Full Changelog: ruby-concurrency/concurrent-ruby@v1.3.5...v1.3.6

Changelog

Sourced from concurrent-ruby's changelog.

Release v1.3.7 (16 June 2026)

concurrent-ruby:

Release v1.3.6 (13 December 2025)

concurrent-ruby:

Commits
  • 4c8fc28 Release 1.3.7
  • d91ca94 Fix AtomicReference#update livelock when stored value is Float::NAN on JRuby ...
  • 7e4d711 Fix ReentrantReadWriteLock read hold overflow into write-lock bit
  • 6e37e06 Fix AtomicReference#update livelock when stored value is Float::NAN
  • 2825cfa Cleanup spec
  • 3fd4932 Fix ReadWriteLock wrong-thread write release and stray read release
  • 1974b47 Add Ruby 4.0 in CI
  • df8706d Add SECURITY.md (#1104)
  • 7a1b789 Bump actions/upload-pages-artifact from 4 to 5
  • 9b2dbf7 Bump actions/deploy-pages from 4 to 5
  • Additional commits viewable in compare view

Updates erb from 6.0.0 to 6.0.4

Release notes

Sourced from erb's releases.

v6.0.4

Full Changelog: ruby/erb@v6.0.3...v6.0.4

v6.0.3

What's Changed

New Contributors

Full Changelog: ruby/erb@v6.0.1...v6.0.3

v6.0.2

What's Changed

New Contributors

Full Changelog: ruby/erb@v6.0.1...v6.0.2

v6.0.1.1

Full Changelog: ruby/erb@v6.0.1...v6.0.1.1

v6.0.1

What's Changed

New Contributors

... (truncated)

Changelog

Sourced from erb's changelog.

6.0.4

  • Prohibit def_method on marshal-loaded ERB instances

6.0.3

6.0.2

  • Freeze src in ERB#initialize for Ractor compatibility ruby/erb#105

6.0.1.1

  • Prohibit def_method on marshal-loaded ERB instances

6.0.1

  • Freeze ERB::Compiler::TrimScanner::ERB_STAG for Ractor compatibility
Commits
  • 4d2b45e Version 6.0.4
  • 9d017be Prohibit def_method on marshal-loaded ERB instances
  • 9c8fa8a Version 6.0.3
  • 0ebc6ae Bump rubygems/release-gem from 1.1.2 to 1.2.0
  • 25a729a Bump step-security/harden-runner from 2.15.0 to 2.16.1
  • 9820802 Bump actions/create-github-app-token from 2 to 3
  • 2611366 Bump lewagon/wait-on-check-action from 1.5.0 to 1.6.0
  • 890d87f Use github.token instead of missing MATZBOT_DEPENDABOT_MERGE_TOKEN secret
  • afc32b6 Fix dependabot auto-merge by using GH_TOKEN env var
  • 2fd0a6b fix: exclude some files from published gem (#108)
  • Additional commits viewable in compare view

Updates faraday from 1.8.0 to 1.10.6

Release notes

Sourced from faraday's releases.

v1.10.6

What's Changed

New Contributors

Full Changelog: lostisland/faraday@v1.10.5...v1.10.6

v1.10.5

What's Changed

Full Changelog: lostisland/faraday@v1.10.4...v1.10.5

v1.10.4

What's Changed

Full Changelog: lostisland/faraday@v1.10.3...v1.10.4

v1.10.3

What's Changed

New Contributors

Full Changelog: lostisland/faraday@v1.10.2...v1.10.3

v1.10.2

What's Changed

Full Changelog: lostisland/faraday@v1.10.1...v1.10.2

v1.10.1

What's Changed

New Contributors

Full Changelog: lostisland/faraday@v1.10.0...v1.10.1

v1.10.0

What's Changed

... (truncated)

Changelog

Sourced from faraday's changelog.

Faraday Changelog

The changelog has moved!

This file is not being updated anymore. Instead, please check the Releases page.

2.2.0 (2022-02-03)

  • Reintroduce the possibility to register middleware with symbols, strings or procs in #1391

2.1.0 (2022-01-15)

2.0.1 (2022-01-05)

2.0.0 (2022-01-04)

The next major release is here, and it comes almost 2 years after the release of v1.0!

This release changes the way you use Faraday and embraces a new paradigm of Faraday as an ecosystem, rather than a library.

What does that mean? It means that Faraday is less of a bundled tool and more of a framework for the community to build on top of.

As a result, all adapters and some middleware have moved out and are now shipped as standalone gems 🙌!

But this doesn't mean that upgrading from Faraday 1.x to Faraday 2.0 should be hard, in fact we've listed everything you need to do in the UPGRADING.md doc.

Moreover, we've setup a new awesome-faraday repository that will showcase a curated list of adapters and middleware 😎.

This release was the result of the efforts of the core team and all the contributors, new and old, that have helped achieve this milestone 👏.

What's Changed

... (truncated)

Commits

Bumps the bundler group with 9 updates in the /backend directory:

| Package | From | To |
| --- | --- | --- |
| [puma](https://github.com/puma/puma) | `5.6.8` | `7.2.1` |
| [devise](https://github.com/heartcombo/devise) | `4.9.4` | `5.0.4` |
| [rack-cors](https://github.com/cyu/rack-cors) | `2.0.1` | `2.0.2` |
| [addressable](https://github.com/sporkmonger/addressable) | `2.8.7` | `2.9.0` |
| [faraday](https://github.com/lostisland/faraday) | `1.8.0` | `1.10.6` |
| [jwt](https://github.com/jwt/ruby-jwt) | `2.3.0` | `2.10.3` |
| [net-imap](https://github.com/ruby/net-imap) | `0.5.12` | `0.5.15` |
| [websocket-driver](https://github.com/faye/websocket-driver-ruby) | `0.7.6` | `0.8.1` |
| [yard](https://github.com/lsegal/yard) | `0.9.36` | `0.9.44` |



Updates `puma` from 5.6.8 to 7.2.1
- [Release notes](https://github.com/puma/puma/releases)
- [Changelog](https://github.com/puma/puma/blob/main/History.md)
- [Commits](puma/puma@v5.6.8...v7.2.1)

Updates `devise` from 4.9.4 to 5.0.4
- [Release notes](https://github.com/heartcombo/devise/releases)
- [Changelog](https://github.com/heartcombo/devise/blob/main/CHANGELOG.md)
- [Commits](heartcombo/devise@v4.9.4...v5.0.4)

Updates `rack-cors` from 2.0.1 to 2.0.2
- [Changelog](https://github.com/cyu/rack-cors/blob/master/CHANGELOG.md)
- [Commits](cyu/rack-cors@v2.0.1...v2.0.2)

Updates `addressable` from 2.8.7 to 2.9.0
- [Changelog](https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md)
- [Commits](sporkmonger/addressable@addressable-2.8.7...addressable-2.9.0)

Updates `bcrypt` from 3.1.20 to 3.1.22
- [Release notes](https://github.com/bcrypt-ruby/bcrypt-ruby/releases)
- [Changelog](https://github.com/bcrypt-ruby/bcrypt-ruby/blob/master/CHANGELOG)
- [Commits](bcrypt-ruby/bcrypt-ruby@v3.1.20...v3.1.22)

Updates `concurrent-ruby` from 1.3.5 to 1.3.7
- [Release notes](https://github.com/ruby-concurrency/concurrent-ruby/releases)
- [Changelog](https://github.com/ruby-concurrency/concurrent-ruby/blob/master/CHANGELOG.md)
- [Commits](ruby-concurrency/concurrent-ruby@v1.3.5...v1.3.7)

Updates `erb` from 6.0.0 to 6.0.4
- [Release notes](https://github.com/ruby/erb/releases)
- [Changelog](https://github.com/ruby/erb/blob/master/NEWS.md)
- [Commits](ruby/erb@v6.0.0...v6.0.4)

Updates `faraday` from 1.8.0 to 1.10.6
- [Release notes](https://github.com/lostisland/faraday/releases)
- [Changelog](https://github.com/lostisland/faraday/blob/main/CHANGELOG.md)
- [Commits](lostisland/faraday@v1.8.0...v1.10.6)

Updates `jwt` from 2.3.0 to 2.10.3
- [Release notes](https://github.com/jwt/ruby-jwt/releases)
- [Changelog](https://github.com/jwt/ruby-jwt/blob/main/CHANGELOG.md)
- [Commits](jwt/ruby-jwt@v2.3.0...v2.10.3)

Updates `net-imap` from 0.5.12 to 0.5.15
- [Release notes](https://github.com/ruby/net-imap/releases)
- [Commits](ruby/net-imap@v0.5.12...v0.5.15)

Updates `nokogiri` from 1.18.10 to 1.19.4
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.18.10...v1.19.4)

Updates `rack` from 2.2.21 to 3.2.6
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](rack/rack@v2.2.21...v3.2.6)

Updates `websocket-driver` from 0.7.6 to 0.8.1
- [Changelog](https://github.com/faye/websocket-driver-ruby/blob/main/CHANGELOG.md)
- [Commits](faye/websocket-driver-ruby@0.7.6...0.8.1)

Updates `yard` from 0.9.36 to 0.9.44
- [Release notes](https://github.com/lsegal/yard/releases)
- [Changelog](https://github.com/lsegal/yard/blob/main/CHANGELOG.md)
- [Commits](lsegal/yard@v0.9.36...v0.9.44)

---
updated-dependencies:
- dependency-name: puma
  dependency-version: 7.2.1
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: devise
  dependency-version: 5.0.4
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: rack-cors
  dependency-version: 2.0.2
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: addressable
  dependency-version: 2.9.0
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: bcrypt
  dependency-version: 3.1.22
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: concurrent-ruby
  dependency-version: 1.3.7
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: erb
  dependency-version: 6.0.4
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: faraday
  dependency-version: 1.10.6
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: jwt
  dependency-version: 2.10.3
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: net-imap
  dependency-version: 0.5.15
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: nokogiri
  dependency-version: 1.19.4
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rack
  dependency-version: 3.2.6
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: websocket-driver
  dependency-version: 0.8.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: yard
  dependency-version: 0.9.44
  dependency-type: indirect
  dependency-group: bundler
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code labels Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants