chore(deps): update dependency devise to v5.0.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
devise (changelog)	5.0.0 → 5.0.3

GitHub Vulnerability Alerts

CVE-2026-32700

Impact

A race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the reconfirmable option (the default when using Confirmable with email changes).

By sending two concurrent email change requests, an attacker can desynchronize the confirmation_token and unconfirmed_email fields. The confirmation token is sent to an email the attacker controls, but the unconfirmed_email in the database points to a victim's email address. When the attacker uses the token, the victim's email is confirmed on the attacker's account.

Patches

This is patched in Devise v5.0.3. Users should upgrade as soon as possible.

Workarounds

Applications can override this specific method from Devise models to force unconfirmed_email to be persisted when unchanged: (assuming your model is User)

class User < ApplicationRecord
  protected

  def postpone_email_change_until_confirmation_and_regenerate_confirmation_token
    unconfirmed_email_will_change!
    super
  end
end

Note: Mongoid does not seem to respect that will_change! should force the attribute to be persisted, even if it did not really change, so you might have to implement a workaround similar to Devise by setting changed_attributes["unconfirmed_email"] = nil as well.

---

Release Notes

heartcombo/devise (devise)

v5.0.3

Compare Source

• security fixes
  • Fix race condition vulnerability on confirmable "change email" which would allow confirming an email they don't own CVE-2026-32700 #​5783 #​5784

v5.0.2

Compare Source

• enhancements
  • Allow resource class scopes to override the global configuration for sign_in_after_change_password behaviour. #​5825
  • Add sign_in_after_reset_password? check hook to passwords controller, to allow it to be customized by users. #​5826

v5.0.1

Compare Source

• bug fixes
  • Fix translation issue with German E-Mail on invalid authentication messages caused by previous fix for incorrect grammar #​5822

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Amsterdam, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.59%. Comparing base (502d857) to head (31328f1).

Additional details and impacted files

@@           Coverage Diff            @@
##           staging    #1244   +/-   ##
========================================
  Coverage    77.59%   77.59%           
========================================
  Files           54       54           
  Lines         1406     1406           
========================================
  Hits          1091     1091           
  Misses         315      315           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.