Bump devise from 5.0.0 to 5.0.4

[dependabot]

Bumps devise from 5.0.0 to 5.0.4.

Release notes

Sourced from devise's releases.

v5.0.4

https://github.com/heartcombo/devise/blob/v5.0.4/CHANGELOG.md#504---2026-05-08

v5.0.3

https://github.com/heartcombo/devise/blob/v5.0.3/CHANGELOG.md#503---2026-03-16

v5.0.2

https://github.com/heartcombo/devise/blob/v5.0.2/CHANGELOG.md#502---2026-02-18

v5.0.1

https://github.com/heartcombo/devise/blob/v5.0.1/CHANGELOG.md#501---2026-02-13

Changelog

Sourced from devise's changelog.

5.0.4 - 2026-05-08

• security fixes
  • Fix open redirect in FailureApp via unvalidated Referer header on non-GET session timeout. CVE-2026-40295 GHSA-jp94-3292-c3xv

5.0.3 - 2026-03-16

• security fixes
  • Fix race condition vulnerability on confirmable "change email" which would allow confirming an email they don't own CVE-2026-32700 GHSA-57hq-95w6-v4fc #5783 #5784

5.0.2 - 2026-02-18

• enhancements
  • Allow resource class scopes to override the global configuration for sign_in_after_change_password behaviour. #5825
    • Note: some users ran into an issue with this change because RegistrationsController now relies on a setting from the :registerable module. These users were configuring their own routes pointing to the RegistrationsController for resource edit/update actions mostly, without relying on the other registration actions (e.g. user sign up.), so they omitted :registerable from the model declaration. While using just a portion of the controller functionality is a valid use for :registerable (or any module really), the module must still be declared in the model, much like the other modules must be declared if you plan on using just a portion of their behavior. Please check this issue for more info.
  • Add sign_in_after_reset_password? check hook to passwords controller, to allow it to be customized by users. #5826

5.0.1 - 2026-02-13

• bug fixes
  • Fix translation issue with German E-Mail on invalid authentication messages caused by previous fix for incorrect grammar #5822

Commits

• 9ea459d Release v5.0.4 with sec fix for timeoutable
• 025fe21 Merge commit from fork
• 7ca7ed9 Add GHSA link to the v5.0.3 sec fix changelog entry [ci skip]
• 605de86 Update links to https [ci skip]
• 5e3a8bf Bundle update
• 5d20277 Cleanup old Rails.version check for db migration path
• 4ffb0b7 Fix Gemfile for Rails 7.2, incorrectly testing against 7.1
• 2f80920 Release v5.0.3
• 5334707 Add CVE to changelog [ci skip]
• 0252777 Fix race condition vulnerability, by ensuring the unconfirmed_email is alwa...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)