Bump devise from 4.8.1 to 4.9.3

[dependabot]

Bumps devise from 4.8.1 to 4.9.3.

Release notes

Sourced from devise's releases.

v4.9.2

https://github.com/heartcombo/devise/blob/main/CHANGELOG.md#492---2023-04-03

v4.9.1

https://github.com/heartcombo/devise/blob/v4.9.1/CHANGELOG.md#491---2023-03-31

v4.9.0

https://github.com/heartcombo/devise/blob/v4.9.0/CHANGELOG.md#490---2023-02-17

Changelog

Sourced from devise's changelog.

4.9.3 - 2023-10-11

• enhancements
  • Add support for Rails 7.1.
  • Add Devise.deprecator to integrate with new application deprecators in Rails 7.1. (@​soartec-lab, @​etiennebarrie)

4.9.2 - 2023-04-03

• deprecations
  • Bring back Devise.activerecord51? and deprecate it, in order to avoid breakage with some libraries that apparently relied on it.

4.9.1 - 2023-03-31

• enhancements

  • Allow resource class scopes to override the global configuration for sign_in_after_reset_password behaviour. #5429 @​mattr
  • Refactor conditional dirty tracking logic to a centralized module to simplify usage throughout the codebase. #5575
  • Improve support for Devise in apps with Active Record and Mongoid ORMs loaded, so it does not incorrectly uses new Active Record dirty tracking APIs with a Mongoid Devise model. #5576

• bug fixes

  • Failure app will respond with configured redirect_status instead of error_status if the recall app returns a redirect status (300..399) #5573
  • Fix frozen string exception in validatable. #5563 #5465 @​mameier

4.9.0 - 2023-02-17

• enhancements
  • Add support for Ruby 3.1/3.2.
  • Add support for Hotwire + Turbo, default in Rails 7+.

    • Devise uses the latest responders version (v3.1.0 or higher), which allows configuring the status used for validation error responses (error_status) and for redirects after POST/PUT/PATCH/DELETE requests (redirect_status). For backwards compatibility, Devise keeps error_status as :ok which returns a 200 OK response, and redirect_status to :found which returns a 302 Found response, but you can configure it to return 422 Unprocessable Entity and 303 See Other respectively, to match the behavior expected by Hotwire/Turbo:

      # config/initializers/devise.rb
      Devise.setup do |config|
        # ...
        config.responder.error_status = :unprocessable_entity
        config.responder.redirect_status = :see_other
        # ...
      end

      These configs are already generated by default with new apps, and existing apps may opt-in as described above. Trying to set these with an older version of responders will issue a warning and have no effect, so please upgrade the responders version if you're upgrading Devise for this integration. Note that these defaults may change in future versions of Devise, to better match the Rails + Hotwire/Turbo defaults across the board.

    • If you have a custom responder set on your application and expect it to affect Devise as well, you may need to override the Devise responder entirely with config.responder = MyApplicationResponder, so that it uses your custom one. The main reason Devise uses a custom responder is to be able to configure the statuses as described above, but you can also change that config on your own responder if you want. Check the responders readme for more info on that.

    • If you have created a custom responder and/or failure app just to customize responses for better Hotwire/Turbo integration, they should no longer be necessary.

    • :turbo_stream is now treated as a navigational format, so it works like HTML navigation when using Turbo. Note: if you relied on :turbo_stream to be treated as a non-navigational format before, you can reconfigure your navigational_formats in the Devise initializer file to exclude it.

    • OmniAuth "Sign in with" links were changed to buttons that generate HTML forms with method=POST, instead of using link + method=POST that required rails-ujs to work. Since rails-ujs is no longer the default for new Rails apps, this allows the OmniAuth buttons to work in any scenario, with or without rails-ujs and/or Turbo. This only affects apps that are using the default devise/shared/_links.html.erb partial from Devise with OmniAuth enabled.

    • The "Cancel my account" button was changed to include the data-turbo-confirm option, so that it works with both rails-ujs and Turbo by default.

    • Devise does not provide "sign out" links/buttons in its shared views, but if you're using sign_out_via with :delete (the default), and are using links with method: :delete, those need to be updated with data: { turbo_method: :delete } instead for Turbo.

    • Check this upgrade guide for more detailed information.

Commits

• 1d66580 Release v4.9.3
• dcbfb32 Merge pull request #5640 from nmaggioni/nm_config_template_typo
• c146b25 Better clarify need to override internal_methods
• 9a08620 Update changelog with Rails 7.1 mention [ci skip]
• 407f223 Fix test warning about deprecated cache format in Rails 7.1
• f2a42ab Ensure _prefixes is not available as an action method on controllers
• 218d14a Lock ubuntu version to 20.04 to workaround older Ruby build issues
• 501ae58 Lock loofah on Rails <= 5.2
• 373d83c Use Bundler 1.x with Ruby <= 2.2
• fb7faf7 Fix code to support older versions of Ruby
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.