
fix(security): sync with upstream 1.8.1 + relax devise constraint for 5.x #4

Merged
Mat-Bit merged 8 commits into main from security/sync-and-devise-5-compat
Mar 26, 2026

Conversation


@Mat-Bit Mat-Bit commented Mar 25, 2026

Summary

  • Syncs fork with upstream tiddle 1.8.1 (from 1.8.0)
  • Relaxes devise dependency from < 5 to < 6 to unblock devise 5.0.3 upgrade

This allows consumers (rails-identity-service, works) to upgrade to devise 5.0.3 which fixes CVE-2026-32700 (confirmable "change email" race condition).

Tiddle only uses stable Devise APIs (Devise.add_module, Devise::Strategies::Authenticatable, Devise.token_generator) — no breaking changes expected.

Test plan

  • Tiddle's existing test suite passes with devise 5.0.3
  • rails-identity-service specs pass after upgrading tiddle + devise
  • works specs pass after upgrading tiddle + devise

🤖 Generated with Claude Code

adamniedzielski and others added 8 commits June 14, 2024 09:31
* Fix Docker setup for Apple M2

* Drop support for Rails 5.2 and 6.0

* Drop support for Ruby 2.7

* Lock sqlite3 version

Relaxes the devise dependency from `< 5` to `< 6` to allow
consumers to upgrade to devise 5.0.3 which fixes CVE-2026-32700
(confirmable race condition).

Tiddle uses only stable Devise APIs (Devise.add_module,
Devise::Strategies::Authenticatable, Devise.token_generator)
that are unchanged in devise 5.x.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Rails 6.1 is EOL and incompatible with Ruby 3.x (LoggerThreadSafeLevel
errors). All consumers use Rails 7.2+.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Mat-Bit Mat-Bit requested a review from a team March 25, 2026 15:12
@Mat-Bit Mat-Bit merged commit 947151d into main Mar 26, 2026
16 checks passed
