Bump the dependencies group across 1 directory with 11 updates

[dependabot]

Bumps the dependencies group with 11 updates in the / directory:

Package	From	To
rails	8.1.2	8.1.3
sqlite3	2.9.0	2.9.2
bootsnap	1.21.1	1.23.0
web-console	4.2.1	4.3.0
rspec-rails	8.0.2	8.0.4
tzinfo-data	1.2025.3	1.2026.1
devise	5.0.0	5.0.3
rails-html-sanitizer	1.6.2	1.7.0
secure_headers	7.1.0	7.2.0
honeybadger	6.3.0	6.5.3
faraday	2.14.0	2.14.1

Updates rails from 8.1.2 to 8.1.3

Release notes

Sourced from rails's releases.

8.1.3

Active Support

• Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

  When hash keys are custom objects whose as_json returns a Hash, the encoder now calls to_s on the original key object instead of on the as_json result.

  Before: hash = {CustomKey.new(123) => "value"} hash.to_json # => {"{:id=>123}":"value"}

  After: hash.to_json # => {"custom_123":"value"}

  Dan Sharp

• Fix inflections to better handle overlapping acronyms.

  ActiveSupport::Inflector.inflections(:en) do |inflect|
    inflect.acronym "USD"
    inflect.acronym "USDC"
  end
  "USDC".underscore # => "usdc"

  Said Kaldybaev

• Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

  zzak

Active Model

• Fix Ruby 4.0 delegator warning when calling inspect on attributes.

  Hammad Khan

• Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

  The performance optimisation that replaced @range with @max/@min broke Marshal compatibility. Objects serialised under 8.0 (with @range) and deserialised under 8.1 (expecting @max/@min) would crash with undefined method '<=' for nil because Marshal.load restores instance variables without calling initialize.

... (truncated)

Commits

• fa8f081 Preparing for 8.1.3 release
• 63cef3d Merge branch '8-1-sec' into 8-1-stable
• 1db4b89 Preparing for 8.1.2.1 release
• 1c7d1cf Update changelog
• e91694b Update CHANGELOG (8.1 only)
• 6752711 Fix XSS in debug exceptions copy-to-clipboard
• 63f5ad8 Skip blank attribute names in Action View tag helpers
• 8c9676b Prevent glob injection in ActiveStorage DiskService#delete_prefixed
• 9b06fbc Prevent path traversal in ActiveStorage DiskService
• ec1a0e2 Improve performance of NumberToDelimitedConverter
• Additional commits viewable in compare view

Updates sqlite3 from 2.9.0 to 2.9.2

Release notes

Sourced from sqlite3's releases.

2.9.2 / 2026-03-15

• Vendored sqlite is updated to v3.51.3 (from v3.51.2). #688 @​flavorjones

SHA256 Checksums

eeb86db55645b85327ba75129e3614658d974bf4da8fdc87018a0d42c59f6e42  sqlite3-2.9.2-aarch64-linux-gnu.gem
4feff91fb8c2b13688da34b5627c9d1ed9cedb3ee87a7114ec82209147f07a6d  sqlite3-2.9.2-aarch64-linux-musl.gem
1ee2eb06b5301aaf5ce343a6e88d99ac932d95202d7b350f0e7b6d8d588580d7  sqlite3-2.9.2-arm-linux-gnu.gem
8ca0de6aceede968de0394e22e95d549834c4d8e318f69a92a52f049878a0057  sqlite3-2.9.2-arm-linux-musl.gem
d15bd9609a05f9d54930babe039585efc8cadd57517c15b64ec7dfa75158a5e9  sqlite3-2.9.2-arm64-darwin.gem
b1b10d8c45a495b1e5b6338f7baa11297522bb9809b01e7e575090edd685953e  sqlite3-2.9.2-x64-mingw-ucrt.gem
066bc904522f8a7072236a81237c03a4a1dfe070a25107e392de03d1e4ad0e6d  sqlite3-2.9.2-x86-linux-gnu.gem
6503c76278f5e8629b12b6518ff43a9a4f6d9381de73f0b086c9fa1226db5ede  sqlite3-2.9.2-x86-linux-musl.gem
ed691b5021674d72582d03c5a38e89634b961902735fb6225273892805421d13  sqlite3-2.9.2-x86_64-darwin.gem
dce83ffcb7e72f9f7aeb6e5404f15d277a45332fe18ccce8a8b3ed51e8d23aee  sqlite3-2.9.2-x86_64-linux-gnu.gem
e8dd906a613f13b60f6d47ae9dda376384d9de1ab3f7e3f2fdf2fd18a871a2d7  sqlite3-2.9.2-x86_64-linux-musl.gem
86814150714b6b06a328d083f46408e7a4a83b5f0a9673ed934ee3a1cb7a73b1  sqlite3-2.9.2.gem

2.9.1 / 2026-02-28

• Vendored sqlite is updated to v3.51.2 (from v3.51.1). #683 @​flavorjones

---

SHA256 checksums:

85535ddf1c37f116ebebe0330bbbffc2ccb55d09f69717a565f8cfb35142f136  sqlite3-2.9.1-aarch64-linux-gnu.gem
646a28a655fc0298ff4266de0af89b66477a2d9ad65cebb5abad190bb64ed092  sqlite3-2.9.1-aarch64-linux-musl.gem
ed25696b0fb4694ca4f47287eaaa9e0d46a0a0c92990c453743d6ab6b4f51fa0  sqlite3-2.9.1-arm-linux-gnu.gem
82ca90eefe50935c827ab0c8dffff5219f57b5da0c92039e3e27f7dbccc9e992  sqlite3-2.9.1-arm-linux-musl.gem
e0cc5521aa03361e2da56635f3745242510b0b98c4608a3824b7e31ab2e7ffb9  sqlite3-2.9.1-arm64-darwin.gem
ffae7b4c712f4e29cef2a95125bb2144624e4c675fb5c19175231a20f128dfd1  sqlite3-2.9.1-x64-mingw-ucrt.gem
c3517e6f0df1f3a99fb73c5b0e6f02fc93b3b6b2ca0de72cb6d3956153310603  sqlite3-2.9.1-x86-linux-gnu.gem
2216ab52dbff54bbc5ea87789e02c60f1c749f7ce052cef36da542ecc9aadc25  sqlite3-2.9.1-x86-linux-musl.gem
5ce2c05eed8dc7c6debd560e2c5960e36521652b9a43bc3e42bc431db600c36f  sqlite3-2.9.1-x86_64-darwin.gem
1cbb644204ed143e5c96f6d59b5c571ba6f18b18a9dc5aa11c101187ff227afd  sqlite3-2.9.1-x86_64-linux-gnu.gem
bbd50dd1caca78b6c069701d9009ef714461495985d4c374ea1a1def061ba67c  sqlite3-2.9.1-x86_64-linux-musl.gem
f6ddc2ec850434ac14498944da9d768fe154dbcd4163fc9e173a524d95e2f887  sqlite3-2.9.1.gem

Changelog

Sourced from sqlite3's changelog.

2.9.2 / 2026-03-15

• Vendored sqlite is updated to v3.51.3 (from v3.51.2). #688 @​flavorjones

2.9.1 / 2026-02-28

• Vendored sqlite is updated to v3.51.2 (from v3.51.1). #683 @​flavorjones

Commits

• efc56aa version bump to v2.9.2
• 8635618 doc: new automated release process
• 7aa6736 Merge pull request #690 from sparklemotion/publish-pipeline
• 05c922b version bump to v2.9.2.rc2
• 21a4782 dev: update test-gem-build to support a release flag
• a57b168 ci: add release pipeline for publishing gems to RubyGems
• e1c65b1 version bump to v2.9.2.rc1
• 63f6cbd ci: skeleton for release.yml
• 8c3c0a0 Merge pull request #689 from sparklemotion/harden-github-actions
• 9ebda35 ci: address zizmor artipacked and template-injection
• Additional commits viewable in compare view

Updates bootsnap from 1.21.1 to 1.23.0

Release notes

Sourced from bootsnap's releases.

v1.23.0

What's Changed

• Require Ruby 2.7.
• Fix support for absolute paths in BOOTSNAP_IGNORE_DIRECTORIES.

Full Changelog: rails/bootsnap@v1.22.0...v1.23.0

v1.22.0

What's Changed

• Proper fix for the opendir crash.
• Add bootsnap/rake for cleaning the bootsnap cache as part of rake clobber.

Full Changelog: rails/bootsnap@v1.21.1...v1.22.0

Changelog

Sourced from bootsnap's changelog.

1.23.0

• Require Ruby 2.7.
• Fix support for absolute paths in BOOTSNAP_IGNORE_DIRECTORIES.

1.22.0

• Better fix for the opendir crash.
• Add bootsnap/rake for cleaning the bootsnap cache as part of rake clobber.

Commits

• 7b04583 Release 1.23.0
• 32e709d Merge pull request #530 from fxn/readdir
• 8326783 Handle readdir errors in bs_rb_scan_dir()
• 7807284 Merge pull request #528 from Umofomia/path-scanner-cleanup
• c30155d Fix bundle path check and consolidate common code in PathScanner
• c2ef9a3 Merge pull request #526 from Umofomia/claw--fix-ignored-directories-absolute-...
• 93c35b8 LoadPathScanner: Avoid computing the absolute path when not needed
• 2bf7aa4 Fix absolute path support for ignored directories in PathScanner.native_call
• 749bf76 Merge pull request #527 from byroot/ruby-2.7
• 5241189 Require Ruby 2.7
• Additional commits viewable in compare view

Updates web-console from 4.2.1 to 4.3.0

Release notes

Sourced from web-console's releases.

v4.3.0

What's Changed

• Drop unused dependency on activemodel by @​sambostock in rails/web-console#336
• Use × as close button instead of letter X by @​luiscobot in rails/web-console#338
• Always permit IPv4-mapped IPv6 loopback addresses by @​zunda in rails/web-console#342
• Fix CI by @​fatkodima in rails/web-console#345
• Fix compatiblity with latest rails by @​fatkodima in rails/web-console#344

Changelog

Sourced from web-console's changelog.

4.3.0

• #342 Always permit IPv4-mapped IPv6 loopback addresses ([@​zunda]).
• Fixed Rails 8.2.0.alpha support
• Drop Rails 7.2 support
• Drop Ruby 3.1 support

Commits

• 90e3474 Release 4.3.0
• bdbb391 Merge pull request #344 from fatkodima/fix-filter-proxies
• 950462c Fix compatiblity with latest rails
• c1f9252 Merge pull request #345 from fatkodima/fix-ci
• 6bc7159 Fix CI
• 859bc60 Merge pull request #342 from zunda/bind-on-ipv6
• c66460a Always permit IPv4-mapped IPv6 loopback addresses
• f3d437c Merge pull request #338 from luiscobot/patch-1
• 5383121 replace close icon with ×
• 9a5c089 Merge pull request #336 from sambostock/drop-active-model
• Additional commits viewable in compare view

Updates rspec-rails from 8.0.2 to 8.0.4

Changelog

Sourced from rspec-rails's changelog.

8.0.4 / 2026-03-10

Full Changelog

Released to relax version constraint for rspec to allow 4.0.0.beta1.

8.0.3 / 2026-02-17

Full Changelog

Bug Fixes:

• Fix insertion order of controller prefix in the view lookup_context. (Stephen Nelson, #2749)
• Ensure rails stats looks for specs using application root rather than working directory. (Marvin Tangpos, #2879)

Commits

• 222fb55 Drop compatibility check rails version to 8.0.0
• 769a3c4 v8.0.4
• 0549e59 Merge pull request #2895 from rspec/add-rspec-4-ci-check
• 58d0380 Fix changelog link
• aa37b05 Drop main from maintenance branch
• 7ec5827 v8.0.3
• a7b0ad4 Merge pull request #2882 from tylerhunt/fix-error-typo
• 42d3a65 Add note about supported versions
• d547cb8 Bump actions/checkout from 5 to 6
• 8530dd4 Bump actions/checkout from 4 to 5
• Additional commits viewable in compare view

Updates tzinfo-data from 1.2025.3 to 1.2026.1

Release notes

Sourced from tzinfo-data's releases.

v1.2026.1

Based on version 2026a of the IANA Time Zone Database (https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/message/ASPLBE3A4BAEXIOQ3KZ6EJSJWBU6L53G/).

Commits

• 5e9d667 Update to tzdata version 2026a.
• 3a03d35 Rebuild modules for 2026 (adding an additional year of future data).
• 73971d9 Update copyright years.
• f73295c Update to Ruby 4.0.
• See full diff in compare view

Updates devise from 5.0.0 to 5.0.3

Release notes

Sourced from devise's releases.

v5.0.3

https://github.com/heartcombo/devise/blob/v5.0.3/CHANGELOG.md#503---2026-03-16

v5.0.2

https://github.com/heartcombo/devise/blob/v5.0.2/CHANGELOG.md#502---2026-02-18

v5.0.1

https://github.com/heartcombo/devise/blob/v5.0.1/CHANGELOG.md#501---2026-02-13

Changelog

Sourced from devise's changelog.

5.0.3 - 2026-03-16

• security fixes
  • Fix race condition vulnerability on confirmable "change email" which would allow confirming an email they don't own CVE-2026-32700 #5783 #5784

5.0.2 - 2026-02-18

• enhancements
  • Allow resource class scopes to override the global configuration for sign_in_after_change_password behaviour. #5825
    • Note: some users ran into an issue with this change because RegistrationsController now relies on a setting from the :registerable module. These users were configuring their own routes pointing to the RegistrationsController for resource edit/update actions mostly, without relying on the other registration actions (e.g. user sign up.), so they omitted :registerable from the model declaration. While using just a portion of the controller functionality is a valid use for :registerable (or any module really), the module must still be declared in the model, much like the other modules must be declared if you plan on using just a portion of their behavior. Please check this issue for more info.
  • Add sign_in_after_reset_password? check hook to passwords controller, to allow it to be customized by users. #5826

5.0.1 - 2026-02-13

• bug fixes
  • Fix translation issue with German E-Mail on invalid authentication messages caused by previous fix for incorrect grammar #5822

Commits

• 2f80920 Release v5.0.3
• 5334707 Add CVE to changelog [ci skip]
• 0252777 Fix race condition vulnerability, by ensuring the unconfirmed_email is alwa...
• 879f79f Bundle update
• 0f4493b Configure default permissions as read-only for the workflow
• 8c78576 Ignore test/** folder for GH default code scanning
• c9e655e Bundle update, clear dependabot security issues
• 3fd0610 Add a note to the changelog about an edge case issue some users ran into
• 5b008ed Release v5.0.2
• 916f94e Add sign_in_after_reset_password? check hook to passwords controller (#5826)
• Additional commits viewable in compare view

Updates rails-html-sanitizer from 1.6.2 to 1.7.0

Release notes

Sourced from rails-html-sanitizer's releases.

v1.7.0 / 2026-02-24

• Add Rails::HTML::Sanitizer.allowed_uri? which delegates to Loofah::HTML5::Scrub.allowed_uri?, allowing the Rails framework to check URI safety without a direct dependency on Loofah.

  The minimum Loofah dependency is now ~> 2.25.

  Mike Dalessio @​flavorjones

Changelog

Sourced from rails-html-sanitizer's changelog.

v1.7.0 / 2026-02-24

• Add Rails::HTML::Sanitizer.allowed_uri? which delegates to Loofah::HTML5::Scrub.allowed_uri?, allowing the Rails framework to check URI safety without a direct dependency on Loofah.

  The minimum Loofah dependency is now ~> 2.25.

  Mike Dalessio

Commits

• a8a0413 version bump to v1.7.0
• ea9e7a4 Merge pull request #214 from rails/add-allowed-uri
• f26dc35 Add Rails::HTML::Sanitizer.allowed_uri? delegating to Loofah
• cc83f51 Merge pull request #213 from rails/flavorjones/ruby-4-support
• ee54515 dev: ruby 4 support
• 2a8fe89 Merge pull request #208 from rails/dependabot/bundler/rack-3.1.17
• 2b0ecc7 build(deps-dev): bump rack from 3.1.16 to 3.1.17
• c7ab9f2 Merge pull request #206 from rails/dependabot/bundler/rack-3.1.16
• 0283ca4 build(deps-dev): bump rack from 3.1.14 to 3.1.16
• ba7a284 Merge pull request #204 from rails/dependabot/bundler/rack-3.1.14
• Additional commits viewable in compare view

Updates secure_headers from 7.1.0 to 7.2.0

Release notes

Sourced from secure_headers's releases.

v7.2.0

Release notes

What's Changed

• Remove non-lowercase headers in Rails default configuration by @​obrie github/secure_headers#551
• Fix compatibility with Rack 3 by @​deril github/secure_headers#555
• Normalize domains with trailing slashes by @​keithamus github/secure_headers#477
• Add tests for hash generation by @​rahearn github/secure_headers#485
• Add Configuration.disable! by @​fletchto99 github/secure_headers#568
• Don't set upgrade-insecure-requests-directive for HTTP requests by @​fletchto99 github/secure_headers#570
• Add cgi dependency for ruby 4.0 support by @​vcsjones github/secure_headers#560
• Update rubocop configuration for ruby 4.0 support by @​rei-moo github/secure_headers#561
• Fix code style by @​tmaier github/secure_headers#563
• Fix typos by @​myersg86 github/secure_headers#546

Full Changelog: github/secure_headers@v7.1.0...v7.2.0

Commits

• f224144 Bump Version to 7.2.0 (#581)
• 4111d49 fix
• 920e2ba Apply suggestions from code review
• 91bb8e3 update release workflow to publish ruby gem automatically
• 7f83b93 7.2 release (#566)
• b13d4b6 Bump ruby/setup-ruby from 1.287.0 to 1.288.0 (#579)
• 46e8335 Bump ruby/setup-ruby from 1.287.0 to 1.288.0
• 6788e52 Bump ruby/setup-ruby from 1.286.0 to 1.287.0 (#578)
• 72fbd02 Bump ruby/setup-ruby from 1.286.0 to 1.287.0
• bf06602 Bump ruby/setup-ruby from 1.281.0 to 1.286.0 (#577)
• Additional commits viewable in compare view

Updates honeybadger from 6.3.0 to 6.5.3

Release notes

Sourced from honeybadger's releases.

v6.5.3

6.5.3 (2026-03-25)

Bug Fixes

• restrict sidekiq cluster metrics collection to server processes (#798) (78562d5)

v6.5.2

6.5.2 (2026-03-02)

Bug Fixes

• change logs about missing metrics values to debug (#792) (8316f4e)

v6.5.1

6.5.1 (2026-03-02)

Bug Fixes

• reduce metric cardinality for cache and SQL insights (#789) (56fed2b)
• round metric duration values to 2 decimal places (#790) (fbf14d7)

v6.5.0

6.5.0 (2026-02-27)

Features

• add Active Job metrics collection (#787) (cb97bd8)

v6.4.1

6.4.1 (2026-02-25)

Bug Fixes

• defer ActiveJob callback registration via on_load hook (#783) (2003726), closes #782

v6.4.0

6.4.0 (2026-02-18)

Features

• attach environment to Insights event payloads (#780) (97d1db1)

v6.3.1

... (truncated)

Changelog

Sourced from honeybadger's changelog.

6.5.3 (2026-03-25)

Bug Fixes

• restrict sidekiq cluster metrics collection to server processes (#798) (78562d5)

6.5.2 (2026-03-02)

Bug Fixes

• change logs about missing metrics values to debug (#792) (8316f4e)

6.5.1 (2026-03-02)

Bug Fixes

• reduce metric cardinality for cache and SQL insights (#789) (56fed2b)
• round metric duration values to 2 decimal places (#790) (fbf14d7)

6.5.0 (2026-02-27)

Features

• add Active Job metrics collection (#787) (cb97bd8)

6.4.1 (2026-02-25)

Bug Fixes

• defer ActiveJob callback registration via on_load hook (#783) (2003726), closes #782

6.4.0 (2026-02-18)

Features

• attach environment to Insights event payloads (#780) (97d1db1)

6.3.1 (2026-02-12)

Bug Fixes

• prevent thread leak in EventsWorker#kill! (#778) (09ad0f7)

Commits

• f1cc647 chore(master): release 6.5.3 (#800)
• 78562d5 fix: restrict sidekiq cluster metrics collection to server processes (#798)
• 841f7bb chore(ci): add timeouts to workflows
• a7a316f chore(master): release 6.5.2 (#793)
• 8316f4e fix: change logs about missing metrics values to debug (#792)
• 653b14c chore(master): release 6.5.1 (#791)
• fbf14d7 fix: round metric duration values to 2 decimal places (#790)
• 56fed2b fix: reduce metric cardinality for cache and SQL insights (#789)
• 2db6808 chore(master): release 6.5.0 (#788)
• cb97bd8 feat: add Active Job metrics collection (#787)
• Additional commits viewable in compare view

Updates faraday from 2.14.0 to 2.14.1

Release notes

Sourced from faraday's releases.

v2.14.1

Security Note

This release contains a security fix, we recommend all users to upgrade as soon as possible. A Security Advisory with more details will be posted shortly.

What's Changed

• Add comprehensive AI agent guidelines for Claude, Cursor, and GitHub Copilot by @​Copilot in lostisland/faraday#1642
• Add RFC document for Options architecture refactoring plan by @​Copilot in lostisland/faraday#1644
• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in lostisland/faraday#1655
• Explicit top-level namespace reference by @​c960657 in lostisland/faraday#1657

New Contributors

• @​Copilot made their first contribution in lostisland/faraday#1642

Full Changelog: lostisland/faraday@v2.14.0...v2.14.1

Commits

• 16cbd38 Version bump to 2.14.1
• a6d3a3a Merge commit from fork
• b23f710 Explicit top-level namespace reference (#1657)
• 49ba4ac Bump actions/checkout from 5 to 6 (#1655)
• 51a49bc Ensure Claude reads the guidelines and allow to plan in a gitignored .ai/PLAN...
• 894f65c Add RFC document for Options architecture refactoring plan (#1644)
• 397e3de Add comprehensive AI agent guidelines for Claude, Cursor, and GitHub Copilot ...
• d98c65c Update Faraday-specific AI agent guidelines
• 56c18ec Add AI agent guidelines specific to Faraday repository
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions