chore(deps): [security] bump devise from 3.5.6 to 4.7.2

[dependabot-preview]

Bumps devise from 3.5.6 to 4.7.2. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Devise Gem for Ruby confirmation token validation with a blank string Devise before 4.7.1 confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. However, there is no scenario within Devise itself in which such database records would exist.

Patched versions: >= 4.7.1 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module Devise ruby gem before 4.6.0 when the lockable module is used is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts within the Devise::Models::Lockable class not being concurrency safe.

Patched versions: >= 4.6.0 Unaffected versions: none

Changelog

Sourced from devise's changelog.

4.7.2 - 2020-06-10

• enhancements

  • Increase default stretches to 12 (by @sergey-alekseev)
  • Ruby 2.7 support (kwarg warnings removed)

• bug fixes

  • Generate scoped views with proper scoped errors partial (by @shobhitic)
  • Allow to set scoped already_authenticated error messages (by @gurgelrenan)

4.7.1 - 2019-09-06

• bug fixes
  • Fix an edge case where records with a blank confirmation_token could be confirmed (by @tegon)
  • Fix typo inside update_needs_confirmation i18n key (by @lslm)

4.7.0 - 2019-08-19

• enhancements

  • Support Rails 6.0
  • Update CI to rails 6.0.0.beta3 (by @tunnes)
  • refactor method name to be more consistent (by @saiqulhaq)
  • Fix rails 6.0.rc1 email uniqueness validation deprecation warning (by @Vasfed)

• bug fixes

  • Add autocomplete="new-password" to password_confirmation fields (by @ferrl)
  • Fix rails_51_and_up? method for Rails 6.rc1 (by @igorkasyanchuk)

4.6.2 - 2019-03-26

• bug fixes
  • Revert "Set encrypted_password to nil when password is set to nil" since it broke backward compatibility with existing applications. See more on heartcombo/devise#5033 (by @mracos)

4.6.1 - 2019-02-11

• bug fixes
  • Check if root_path is defined with #respond_to? instead of #present (by @tegon)

4.6.0 - 2019-02-07

• enhancements

  • Allow to skip email and password change notifications (by @iorme1)
  • Include the use of nil for allow_unconfirmed_access_for in the docs (by @joaumg)
  • Ignore useless files into the .gem file (by @huacnlee)
  • Explain the code that prevents enumeration attacks inside Devise::Strategies::DatabaseAuthenticatable (by @tegon)
  • Refactor the devise_error_messages! helper to render a partial (by @prograhamer)
  • Add an option (Devise.sign_in_after_change_password) to not automatically sign in a user after changing a password (by @knjko)

• bug fixes

  • Fix missing comma in Simple Form generator (by @colinross)

Commits

• 16f27b3 Bump to v4.7.2
• 87108ad Merge pull request #5250 from hyuraku/remove_useless_rails51
• 6d37e32 remove useless rails51? method
• a3c0c65 Devise no longer supports Rails 3.2 since version 4 [ci skip]
• 2c1b5fb Update changelog with latest [ci skip]
• 50f820a Use master of Rails controller testing gem to remove Ruby 2.7 warning
• 34d9053 Remove unnecessary monkey-patch of test helpers with Rails 5+
• 94be5fb Remove mocha deprecation warning
• 14a3084 Simplify the view generator with scoped views
• bbbff3a Add changelog entry for #5067 [ci skip]
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

Superseded by #47.