From a6a3759e6d902d556251a9b450791e7efa3fc242 Mon Sep 17 00:00:00 2001
From: Ben Akroyd <ben@candlescience.com>
Date: Tue, 7 Apr 2026 14:12:45 -0400
Subject: [PATCH 1/3] deps(devise): bump Devise to 5.0.3

There is a security vulnerability on lower versions, update
accordingly. https://nvd.nist.gov/vuln/detail/CVE-2026-32700
---
 solidus_auth_devise.gemspec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/solidus_auth_devise.gemspec b/solidus_auth_devise.gemspec
index 17c6102..488345f 100644
--- a/solidus_auth_devise.gemspec
+++ b/solidus_auth_devise.gemspec
@@ -28,7 +28,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "deface", "~> 1.0"
-  spec.add_dependency "devise", ">= 4.1"
+  spec.add_dependency "devise", ">= 5.0.3"
   spec.add_dependency "devise-encryptable", "0.2.0"
   spec.add_dependency "solidus_core", [">= 3", "< 5"]
   spec.add_dependency "solidus_support", "~> 0.11"

From 853eb42191fdd89a6c8f4532d7d865a3807bb013 Mon Sep 17 00:00:00 2001
From: Ben Akroyd <ben@candlescience.com>
Date: Tue, 7 Apr 2026 14:25:21 -0400
Subject: [PATCH 2/3] fix: update mailer mock to use deliver_now for Devise 5
 compatibility
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Devise 5 changed send_devise_notification to call deliver_now instead
of deliver. The test double only stubbed deliver, causing a failure.
This is a test-only change — real ActionMailer objects respond to both
methods.
---
 spec/models/user_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 1583bea..54a6e20 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -12,7 +12,7 @@
     let(:user) { create(:user) }
 
     it "generates the reset password token" do
-      expect(Spree::UserMailer).to receive(:reset_password_instructions).with(user, anything, {}).and_return(double(deliver: true))
+      expect(Spree::UserMailer).to receive(:reset_password_instructions).with(user, anything, {}).and_return(double(deliver_now: true))
       expect { user.send_reset_password_instructions }.to change(user, :reset_password_token).to be_present
     end
 

From f57901d2ba363ccae192b58c475a21c6e55dbfda Mon Sep 17 00:00:00 2001
From: Ben Akroyd <ben@candlescience.com>
Date: Tue, 7 Apr 2026 14:15:22 -0400
Subject: [PATCH 3/3] chore: Bump version

With the major version upgrade of an important  dependency (devise),
a new minor version is warranted.
---
 lib/solidus_auth_devise/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/solidus_auth_devise/version.rb b/lib/solidus_auth_devise/version.rb
index 1b4d3c8..f09769a 100644
--- a/lib/solidus_auth_devise/version.rb
+++ b/lib/solidus_auth_devise/version.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SolidusAuthDevise
-  VERSION = "2.5.9"
+  VERSION = "2.6.0"
 end