Upgrade to Devise 5.0.3 #271

Draft
BenAkroyd wants to merge 3 commits into solidusio:main from CandleScience:major-devise-bump
Conversation

@BenAkroyd
Contributor

@BenAkroyd BenAkroyd commented Apr 7, 2026

Summary

Updates Devise and requires at least version 5.0.3. Lesser versions have a security vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2026-32700

Notably, with this jump to Devise 5.0.3...
Secret key resolution changed: Devise now uses application.secret_key_base directly instead of searching through credentials/secrets. Existing tokens (recoverable, lockable, confirmable) could be invalidated if the effective key changes.

Also, some deprecations are removed:
  • sign_in(resource, :bypass) — use bypass_sign_in instead
  • devise_error_messages! helper — use the render "devise/shared/error_messages" partial
  • sign_in(resource, scope: :admin) — keyword arg instead of positional
  • Devise::TestHelpers — use Devise::Test::ControllerHelpers

Of course, there is the vulnerability fix as well.

Checklist

Check out our PR guidelines for more details.

The following are mandatory for all PRs:

The following are not always needed:

  • 📖 I have updated the README to account for my changes.
  • 📑 I have documented new code with YARD.
  • 🛣️ I have opened a PR to update the guides.
  • ✅ I have added automated tests to cover my changes.
  • 📸 I have attached screenshots to demo visual changes.

There is a security vulnerability on lower versions, update
accordingly. https://nvd.nist.gov/vuln/detail/CVE-2026-32700
@BenAkroyd BenAkroyd marked this pull request as draft April 7, 2026 18:37
Devise 5 changed send_devise_notification to call deliver_now instead
of deliver. The test double only stubbed deliver, causing a failure.
This is a test-only change — real ActionMailer objects respond to both
methods.
With the major version upgrade of an important dependency (devise),
a new minor version is warranted.
@BenAkroyd BenAkroyd force-pushed the major-devise-bump branch from dc9b280 to f57901d Compare April 7, 2026 18:38
@antonzaytsev

Hey @BenAkroyd — thanks for putting this together! We're running into CVE-2026-32700 downstream and this PR is exactly what we need to unblock the devise 5.x upgrade.

A few suggestions that might help get this merged smoothly:

  1. Widen the lower bound — changing from >= 4.1 to >= 5.0.3 drops devise 4.x support in one shot. Something like >= 4.1, < 6 (or even ~> 5.0 if 4.x is intentionally dropped) would give existing apps a migration window.

  2. Secret key migration note — the PR description mentions token invalidation risk from the secret key resolution change. A note in the CHANGELOG or README about how to verify the effective key didn't change would save adopters some debugging.

  3. CHANGELOG entry — a short entry for 2.6.0 covering the devise 5.x requirement and the deliver → deliver_now change would be helpful for anyone upgrading.

Happy to help test once this lands — we'll be one of the first consumers. Thanks again for tackling this!
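The PR description warns that recoverable/confirmable tokens can be invalidated if the effective secret key changes, and the suggestion above asks for a way to verify that it did not. The following is an added example, not code from the PR or from Devise: a simplified, Rails-free model of how Devise stores token digests (a per-column key derived from the application secret, then an HMAC of the raw token), used to check whether a digest issued under the old key still verifies under the new one. The PBKDF2 parameters, iteration count and salt format are assumptions for illustration, not Devise's exact values.

```ruby
require "openssl"
require "securerandom"

# Constructed value: size of the random token that goes into the emailed link.
TOKEN_BYTES = 20

# Per-column key derived from the application secret.
# Assumption: PBKDF2-HMAC-SHA256 with a column-specific salt; Devise itself
# delegates this to ActiveSupport::KeyGenerator built from Devise.secret_key.
def derive_column_key(secret, column)
  OpenSSL::KDF.pbkdf2_hmac(secret, salt: "Devise #{column}", iterations: 1000,
                           length: 64, hash: "sha256")
end

# The digest persisted in the database column (e.g. reset_password_token)
# for a given raw token. Only the digest is stored; the raw token is emailed.
def digest_token(secret, column, raw_token)
  OpenSSL::HMAC.hexdigest("SHA256", derive_column_key(secret, column), raw_token)
end

# Issue a token: returns [raw token for the link, digest to store in the DB].
def generate_token(secret, column)
  raw = SecureRandom.urlsafe_base64(TOKEN_BYTES)
  [raw, digest_token(secret, column, raw)]
end

# Does a token issued under old_secret still verify under new_secret?
# Returns :unchanged when the effective key is the same and in-flight reset
# or confirmation links keep working, :invalidated when every outstanding
# token will be rejected after the upgrade.
def effective_key_check(old_secret, new_secret, column = :reset_password_token)
  raw, stored_digest = generate_token(old_secret, column)
  recomputed = digest_token(new_secret, column, raw)
  stored_digest == recomputed ? :unchanged : :invalidated
end

if __FILE__ == $PROGRAM_NAME
  # Constructed secrets standing in for the key resolved before and after the bump.
  puts effective_key_check("before-upgrade-secret", "before-upgrade-secret") # unchanged
  puts effective_key_check("before-upgrade-secret", "after-upgrade-secret")  # invalidated
end
```

In a real app the same check is run by taking a known raw token and its stored digest from a staging database, then recomputing the digest with Devise's own token generator under the new configuration.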

@antonzaytsev

@BenAkroyd 2.6.0 was just released today, it unblocks Devise v5.
