[Security] Bump devise from 4.2.0 to 4.7.3

[dependabot-preview]

Bumps devise from 4.2.0 to 4.7.3. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Devise Gem for Ruby confirmation token validation with a blank string Devise before 4.7.1 confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. However, there is no scenario within Devise itself in which such database records would exist.

Patched versions: >= 4.7.1 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module Devise ruby gem before 4.6.0 when the lockable module is used is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts within the Devise::Models::Lockable class not being concurrency safe.

Patched versions: >= 4.6.0 Unaffected versions: none

Changelog

Sourced from devise's changelog.

4.7.3 - 2020-09-20

• bug fixes
  • Do not modify :except option given to #serializable_hash. (by @dpep)
  • Fix thor deprecation when running the devise generator. (by @deivid-rodriguez)
  • Fix hanging tests for streaming controllers using Devise. (by @afn)

4.7.2 - 2020-06-10

• enhancements

  • Increase default stretches to 12 (by @sergey-alekseev)
  • Ruby 2.7 support (kwarg warnings removed)

• bug fixes

  • Generate scoped views with proper scoped errors partial (by @shobhitic)
  • Allow to set scoped already_authenticated error messages (by @gurgelrenan)

4.7.1 - 2019-09-06

• bug fixes
  • Fix an edge case where records with a blank confirmation_token could be confirmed (by @tegon)
  • Fix typo inside update_needs_confirmation i18n key (by @lslm)

4.7.0 - 2019-08-19

• enhancements

  • Support Rails 6.0
  • Update CI to rails 6.0.0.beta3 (by @tunnes)
  • refactor method name to be more consistent (by @saiqulhaq)
  • Fix rails 6.0.rc1 email uniqueness validation deprecation warning (by @Vasfed)

• bug fixes

  • Add autocomplete="new-password" to password_confirmation fields (by @ferrl)
  • Fix rails_51_and_up? method for Rails 6.rc1 (by @igorkasyanchuk)

4.6.2 - 2019-03-26

• bug fixes
  • Revert "Set encrypted_password to nil when password is set to nil" since it broke backward compatibility with existing applications. See more on heartcombo/devise#5033 (by @mracos)

4.6.1 - 2019-02-11

• bug fixes
  • Check if root_path is defined with #respond_to? instead of #present (by @tegon)

4.6.0 - 2019-02-07

• enhancements
  • Allow to skip email and password change notifications (by @iorme1)
  • Include the use of nil for allow_unconfirmed_access_for in the docs (by @joaumg)

Commits

• f6e8d90 Release 4.7.3
• f6a6d4c Revert "Replace BLACKLIST_FOR_SERIALIZATION with DENYLIST_FOR_SERIALIZATION"
• 8f949ed Revert "Deprecate BLACKLIST_FOR_SERIALIZATION on all supported Rails versions"
• f12be55 Update changelog [ci skip]
• 4896a9b Update bundle
• eed641d Add spaces around method arguments when setting default values
• 97aa37b Use assert_empty minitest helper
• 15135f7 User assert_includes/refute_includes minitest helpers
• e39b9b9 Fix order of arguments for assert_equal on tests
• 4a5e7a9 Switch to https for git repos in the lock file
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

You can always request more updates by clicking Bump now in your Dependabot dashboard.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

Superseded by #133.