Bump the dependencies group across 1 directory with 21 updates #428

Open
dependabot[bot] wants to merge 1 commit into staging from dependabot/bundler/dependencies-cd83d0d485

Conversation

dependabot[bot] commented on behalf of github on Jun 22, 2026
Bumps the dependencies group with 21 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| jbuilder | 2.14.1 | 2.15.1 |
| bootsnap | 1.24.4 | 1.24.6 |
| strong_migrations | 2.7.0 | 2.8.0 |
| omniauth-microsoft_graph | 2.1.0 | 2.2.0 |
| doorkeeper | 5.9.0 | 5.9.3 |
| doorkeeper-i18n | 5.2.8 | 5.2.9 |
| doorkeeper-openid_connect | 1.9.0 | 1.10.2 |
| faraday | 2.14.2 | 2.14.3 |
| dalli | 5.0.2 | 5.0.5 |
| opentelemetry-instrumentation-all | 0.93.0 | 0.94.0 |
| marcel | 1.1.0 | 1.2.1 |
| aws-sdk-s3 | 1.222.0 | 1.226.0 |
| image_processing | 1.14.0 | 2.0.2 |
| danger | 9.5.3 | 9.6.0 |
| listen | 3.9.0 | 3.10.0 |
| overcommit | 0.69.0 | 0.71.0 |
| brakeman | 8.0.4 | 8.0.5 |
| jwt | 2.10.2 | 2.10.3 |
| puma | 8.0.1 | 8.0.2 |
| selenium-webdriver | 4.44.0 | 4.45.0 |
| database_consistency | 3.0.4 | 3.0.5 |

Updates jbuilder from 2.14.1 to 2.15.1

Release notes

Sourced from jbuilder's releases.

v2.15.1

What's Changed

New Contributors

Full Changelog: rails/jbuilder@v2.15.0...v2.15.1

v2.15.0

What's Changed

New Contributors

Full Changelog: rails/jbuilder@v2.14.1...v2.15.0

Commits
  • 31eb6e9 Prepare for 2.15.1
  • 154b0fe Merge pull request #617 from rails/rm-fix-616
  • d3e763b Fix partial for Active Model when extra locals are passed in
  • 018083d Prepare for 2.15.0
  • 72cf067 Update devcontainer image to Ruby 4.0.4 and add devcontainer-lock.json
  • d35a962 Merge pull request #615 from taketo1113/ci-rails8.1-ruby4.0
  • cc42e7e CI: Add Rails 8.1 & Ruby 4.0 to CI Matrix
  • cd7482e Merge pull request #613 from affinity/moberegger/fix-inline-partial-locals-be
  • 58283a0 Merge pull request #612 from affinity/moberegger/optimize-_map_collection
  • 09ca3e1 Merge pull request #603 from taketo1113/update-rack-unprocessable_content
  • Additional commits viewable in compare view

Updates bootsnap from 1.24.4 to 1.24.6

Changelog

Sourced from bootsnap's changelog.

1.24.6

  • Fix detection of Ruby bug #22023 on some patch versions of Ruby 3.4, and properly apply the workaround.

1.24.5

  • No longer load the config file by default when setup is done manually. This is so cli applications like homebrew don't mistakenly load another app's bootsnap config.
Commits
  • 026e183 Release 1.24.6
  • 263e346 Merge pull request #556 from byroot/remove-canary
  • 7c31cd8 Check for [Bug #22023] by checking Ruby version rather than a canary
  • 54eba76 Merge pull request #554 from byroot/namespace-overflow
  • fe963d5 bs_cache_path: account for namespace length
  • 7b42db6 Merge pull request #553 from arpitjain099/chore/declare-workflow-perms
  • 113b184 ci: add permissions: contents: read to ci
  • d6ca050 Release 1.24.5
  • 579aa0e Merge pull request #552 from byroot/fix-bootsnap-config
  • 2884e89 Only load config file is directed to by .setup
  • Additional commits viewable in compare view

Updates strong_migrations from 2.7.0 to 2.8.0

Changelog

Sourced from strong_migrations's changelog.

2.8.0 (2026-05-14)

  • Added check for rename_enum_value
Commits

Updates omniauth-microsoft_graph from 2.1.0 to 2.2.0

Commits
  • 30d84c4 bump version 2.2.0 as 2.1.0 already exists (#51)
  • 8688404 bump version 2.1.0 (#50)
  • c8d9639 Fix email domain up domain case sensitive comparison (#42)
  • ad4fd02 Update sinatra requirement from ~> 2.2 to ~> 4.1 in the bundler group (#40)
  • 764ebe7 Relax version constraint for jwt gem (#49)
  • See full diff in compare view

Updates doorkeeper from 5.9.0 to 5.9.3

Release notes

Sourced from doorkeeper's releases.

v5.9.3

  • #1834 Fix default allow_token_introspection returning false when a custom application_class is configured. The default proc compared application objects with ==, which fails when the authorized client and the introspected token's application are resolved as different classes (e.g. a base Doorkeeper::Application vs. a configured subclass) even though they reference the same record. It now compares application ids instead.
  • #1832 Fix confusing belongs_to :owner side effect: Doorkeeper::Models::Ownership is now included only when enable_application_owner? is set (read at include time), so models no longer expose a misleading owner association/reflection when the application owner feature is disabled and the schema lacks the owner columns.

v5.9.2

  • #1822 #1823 #1825 Update Rubocop config, auto-corrections and codebase cleanup.
  • #1830 Fix NameError: uninitialized constant ApplicationRecord on rails db:seed (and other non-eager-loading flows) caused by on_load(:active_record) firing re-entrantly during ApplicationRecord autoload. The orm hooks no longer depend on ActiveSupport.on_load(:active_record); model concerns (Ownership, PolymorphicResourceOwner::ForAccessGrant, PolymorphicResourceOwner::ForAccessToken) are now wired up from each Mixins::* included block, which fires at parent-class autoload time — after Doorkeeper.configure has applied user settings and without re-entering the AR load chain.
    • Upgrade note: fully custom model classes that don't include Doorkeeper::Orm::ActiveRecord::Mixins::{Application,AccessToken,AccessGrant} will no longer auto-receive Ownership / PolymorphicResourceOwner concerns (previously injected by run_orm_hooks via the configured class name). Either inherit from the Doorkeeper default model, include the corresponding Mixins::* module, or include the concerns directly.

v5.9.1

  • #1781 Honor handle_auth_errors :raise in AuthorizationsController#authorize_response

  • #1795 Fix: detailed error 'insufficient_scope' in protected resources 403s

  • #1797 Fix doorkeeper:db:cleanup rake task failure on PostgreSQL

  • #1800 Set @grant_type in ClientCredentialsRequest and RefreshTokenRequest constructors so request.grant_type returns the correct value in hooks like before_successful_strategy_response.

  • #1802 Fix filter_parameters not applied when Doorkeeper.configure is called inside to_prepare.

  • #1804 Use ActiveSupport.on_load(:active_record) in ORM hooks to prevent loading ActiveRecord models too early

  • #1806 Fix token revocation bypass for public clients (RFC 7009)

  • #1815 Expose current_resource_owner as a view helper in Doorkeeper::ApplicationController.

  • #1818 Fix token introspection returning exp: 0 for non-expiring tokens.

  • #1784 Remove hardcoded colons from view templates, move punctuation to i18n translation strings.

    [IMPORTANT]: if you have customized Doorkeeper views (authorizations/new, authorizations/show, applications/show) or overridden the default en.yml translations, you may need to update them. Colons are no longer hardcoded in the views — they are now part of the translation strings. Update the doorkeeper-i18n gem to get the updated translations for all locales.

  • #1820 Remove dead wildcard presence check in Scopes#dynamic_scope_match? (internal cleanup, no behavior change).

  • #1822 Update Rubocop config, auto-corrections.

  • #1823 Update Rubocop config, part 2.

  • #1825 Update Rubocop config, part 3.

  • #1821 Fix noisy Could not find command "no_previous_refresh_token_column?" Thor output during the PreviousRefreshTokenGenerator spec by stubbing the underlying DB column check instead of the generator's private method (test-only change).

Changelog

Sourced from doorkeeper's changelog.

5.9.3

  • #1834 Fix default allow_token_introspection returning false when a custom application_class is configured. The default proc compared application objects with ==, which fails when the authorized client and the introspected token's application are resolved as different classes (e.g. a base Doorkeeper::Application vs. a configured subclass) even though they reference the same record. It now compares application ids instead.
  • #1832 Fix confusing belongs_to :owner side effect: Doorkeeper::Models::Ownership is now included only when enable_application_owner? is set (read at include time), so models no longer expose a misleading owner association/reflection when the application owner feature is disabled and the schema lacks the owner columns.

5.9.2

  • #1822 #1823 #1825 Update Rubocop config, auto-corrections and codebase cleanup.
  • #1830 Fix NameError: uninitialized constant ApplicationRecord on rails db:seed (and other non-eager-loading flows) caused by on_load(:active_record) firing re-entrantly during ApplicationRecord autoload. The orm hooks no longer depend on ActiveSupport.on_load(:active_record); model concerns (Ownership, PolymorphicResourceOwner::ForAccessGrant, PolymorphicResourceOwner::ForAccessToken) are now wired up from each Mixins::* included block, which fires at parent-class autoload time — after Doorkeeper.configure has applied user settings and without re-entering the AR load chain.
    • Upgrade note: fully custom model classes that don't include Doorkeeper::Orm::ActiveRecord::Mixins::{Application,AccessToken,AccessGrant} will no longer auto-receive Ownership / PolymorphicResourceOwner concerns (previously injected by run_orm_hooks via the configured class name). Either inherit from the Doorkeeper default model, include the corresponding Mixins::* module, or include the concerns directly.

5.9.1

  • #1781 Honor handle_auth_errors :raise in AuthorizationsController#authorize_response

  • #1795 Fix: detailed error 'insufficient_scope' in protected resources 403s

  • #1797 Fix doorkeeper:db:cleanup rake task failure on PostgreSQL

  • #1800 Set @grant_type in ClientCredentialsRequest and RefreshTokenRequest constructors so request.grant_type returns the correct value in hooks like before_successful_strategy_response.

  • #1802 Fix filter_parameters not applied when Doorkeeper.configure is called inside to_prepare.

  • #1804 Use ActiveSupport.on_load(:active_record) in ORM hooks to prevent loading ActiveRecord models too early

  • #1806 Fix token revocation bypass for public clients (RFC 7009)

  • #1815 Expose current_resource_owner as a view helper in Doorkeeper::ApplicationController.

  • #1818 Fix token introspection returning exp: 0 for non-expiring tokens.

  • #1784 Remove hardcoded colons from view templates, move punctuation to i18n translation strings.

    [IMPORTANT]: if you have customized Doorkeeper views (authorizations/new, authorizations/show, applications/show) or overridden the default en.yml translations, you may need to update them. Colons are no longer hardcoded in the views — they are now part of the translation strings. Update the doorkeeper-i18n gem to get the updated translations for all locales.

  • #1820 Remove dead wildcard presence check in Scopes#dynamic_scope_match? (internal cleanup, no behavior change).

  • #1822 Update Rubocop config, auto-corrections.

  • #1823 Update Rubocop config, part 2.

  • #1825 Update Rubocop config, part 3.

  • #1821 Fix noisy Could not find command "no_previous_refresh_token_column?" Thor output during the PreviousRefreshTokenGenerator spec by stubbing the underlying DB column check instead of the generator's private method (test-only change).

Commits
  • 4737ffe Release 5.9.3 🎉
  • 90e4976 Merge pull request #1834 from 55728/fix/1833-allow-token-introspection-custom...
  • bc3d9e5 Merge pull request #1832 from 55728/experiment/1831-gate-ownership
  • 155ce8c Fix allow_token_introspection default for custom application_class (#1833)
  • 1c7ef35 Gate belongs_to :owner on enable_application_owner? at include time
  • f278711 Release 5.9.2 🎉
  • d83beb8 Merge pull request #1830 from 55728/refactor/1828-mixins-included-no-on-load
  • ab58c37 Wire model concerns from Mixin included blocks, drop on_load(:active_record)
  • 3666790 [ci skip] AGENTS.md update
  • 7ae6104 [ci skip] AGENTS.md update
  • Additional commits viewable in compare view

Updates doorkeeper-i18n from 5.2.8 to 5.2.9

Release notes

Sourced from doorkeeper-i18n's releases.

v5.2.9

  • #73 Add colons to translations
  • #74 Fix untranslated English fragment in Japanese locale
Commits

Updates doorkeeper-openid_connect from 1.9.0 to 1.10.2

Release notes

Sourced from doorkeeper-openid_connect's releases.

v1.10.2

  • #315 Drop support for EOL Ruby 3.1 (EOL 2025-03-25) and require Ruby >= 3.2. i18n 1.15.0 uses the Fiber[] storage API which only exists on Ruby 3.2+, so the Ruby 3.1 CI row no longer loads; the matrix now tests Ruby 3.2 as the minimum
  • #316 Set fail-fast: false in CI matrix so a single failing job no longer cancels the rest
  • #303 execute account selection even without owner, and select_account_for_resource_owner can now receive nil as the first argument.
  • #304 allow handle auth_time per grant
  • #305 Document the auth_time_from_access_token config option in the README (per-grant auth_time), clarifying that it only affects the ID Token auth_time claim and not max_age enforcement
  • #307 Fix bundle exec rake server for the test application
  • #313 Move Configuration documentation from README to Wiki
  • #312 Raise Errors::MissingRequiredClaim instead of silently dropping a blank REQUIRED ID Token claim (iss/sub/aud/exp/iat) in IdToken#as_json, which previously could emit a non-conformant ID Token (OIDC Core 1.0 §2). OPTIONAL claims such as nonce/auth_time are still omitted when blank
  • #311 Include the REQUIRED client_secret_expires_at member (value 0, never expires) in the Dynamic Client Registration response whenever a client_secret is issued (RFC 7591 §3.2.1 / OpenID Connect Dynamic Client Registration 1.0 §3.2)
  • #309 Add a browser dashboard to the test application (spec/dummy) for exercising the OpenID Connect endpoints by hand — replacing the rails console + curl workflow with forms for Setup, Discovery, Authorization (code / implicit / PKCE / nonce / prompt / max_age), token exchange, UserInfo, introspection and revocation

v1.10.1

  • #294 Drop stale Metrics/ClassLength and Metrics/BlockLength overrides from .rubocop_todo.yml
  • #293 Drop Naming/VariableNumber from .rubocop_todo.yml and normalise test variable names
  • #291 Document multi-namespace mount pattern for multiple resource owner models (#192)
  • #292 Drop formatting cops from .rubocop_todo.yml and align trailing-comma style with upstream doorkeeper
  • #296 Fix the prompt parameter being rejected with invalid_request when it contains leading or duplicate spaces (e.g. prompt=%20none) — blank entries in the space-delimited value are now ignored
  • #299 Raise InvalidConfiguration when the issuer config resolves to a blank value instead of silently advertising an empty issuer in the discovery document. Since v1.10.0 an arity-2 issuer block receives (resource_owner, application) — both nil in the discovery context — so a block relying on the old v1.9.0 request argument could return nil and produce a discovery issuer that mismatched the ID token iss (#298)

v1.10.0

  • #241 Fix NameError on doorkeeper master by deferring AR model loading in run_hooks (see Doorkeeper PR)
  • #242 Fix NoMethodError for openid_request in testing environments.
  • #246 Fix at_hash to use correct hash algorithm based on signing_algorithm
  • #250 Return configured issuer instead of root_url in WebFinger response (thanks to @​sato11 for the original work in #172)
  • #248 Fix max_age always triggering reauthentication when auth_time_from_resource_owner returns Integer
  • #254 Breaking: Omit expires_in from the response_type=id_token response (OIDC Core §3.2.2.5 — expires_in represents the Access Token lifetime; it is still returned for response_type=id_token token)
  • #252 Treat auth_time_from_resource_owner as optional in IdToken — omit auth_time claim when unconfigured instead of raising InvalidConfiguration
  • #256 Accept non-callable values (symbol / string) for the protocol config option, matching the pattern used by issuer / signing_algorithm / signing_key / expiration
  • #258 Skip IdToken construction on password grants without the openid scope
  • #259 Skip IdToken construction on authorization code grants without the openid scope
  • #261 Fix obsolete RuboCop configuration (require:plugins:, RSpec/FilePath split, remove Capybara/FeatureMethods)
  • #263 Security/Breaking: Determine dynamically registered client's confidential flag from token_endpoint_auth_method per RFC 7591 — previously every dynamically registered client was created as public (confidential: false), which let callers authenticate with only client_id (by_uid_and_secret(uid, nil) bypass). Default is now client_secret_basic (confidential); none produces a public client; unsupported values (e.g. private_key_jwt) are rejected with invalid_client_metadata. Also derive token_endpoint_auth_methods_supported in the response from Doorkeeper.configuration.client_credentials_methods instead of a hardcoded list, matching #236
  • #264 Apply safe RuboCop autocorrections and fix resulting artifacts
  • #265 Add Dynamic Client Registration section to README
  • #266 Validate application_type, response_types, and grant_types parameters in dynamic client registration per RFC 7591 — reject unsupported values with invalid_client_metadata and echo the requested values back in the registration response, instead of silently ignoring them and returning the server's global configuration
  • #267 Add authorize_dynamic_client_registration config option to gate the dynamic client registration endpoint per RFC 7591 §3.1 — when set to a callable, the block is evaluated in the controller scope (with access to request, params, request.headers, etc.) and falsy return values reject the request with 401 invalid_token. Default is nil so the endpoint remains open for backward compatibility; consumers should configure this to validate an Initial Access Token (or any other authorization scheme) before allowing client registration
  • #268 Update Dynamic Client Registration README for validated metadata parameters
  • #269 Document authorize_dynamic_client_registration in README
  • #270 Document the unified issuer block signature in README
  • #278 Test against Ruby 4.0.
  • #271 Security: Add auth_time_from_session config for per-session max_age enforcement. The legacy auth_time_from_resource_owner cannot distinguish between concurrent sessions and is now deprecated for max_age use (see #150)
  • #272 Document auth_time_from_session in README (follow-up to #271)
  • #273 Security/Hardening: Merge framework-controlled registered claims last — iss/sub/aud/exp/iat/nonce/auth_time for the ID Token and sub for UserInfo — so a custom claim block can no longer override security-critical values. No legitimate configuration relied on this; custom claims that intentionally shadowed a registered claim name will now be ignored for that key (OIDC Core §2 / §3.1.3.7 / §5.3.2).
  • #276 Get RuboCop to zero offenses: fix Lint/MissingSuper in IdTokenResponse, replace puts with warn for deprecation notices, and modernise spec style
  • #277 Fix README inaccuracies (signing_algorithm description and link, discovery_url_options endpoint list, oauth-authorization-server route) and use constant-time comparison in the DCR authorization example to prevent timing attacks on the Initial Access Token
  • #279 Return account_selection_required when a prompt=select_account handler does not generate a response, per OIDC Core 1.0 §3.1.2.6 — previously the authorization silently continued without account selection. Adds the missing Errors::AccountSelectionRequired class, mirroring the existing login_required backstop for reauthenticate_resource_owner
  • #275 Return login_required for max_age reauthentication when prompt=none, instead of triggering the interactive reauthenticate_resource_owner flow (OIDC Core §3.1.2.1)
  • #284 Document acr / amr claims in README — show how to expose Authentication Context Class Reference and Authentication Methods References via the claim DSL, with callouts for the response: and scope: defaults that silently bite
  • #288 Document offline_access scope recipe in README — show how to wire use_refresh_token with scope-based filtering for OIDC offline access

... (truncated)

Changelog

Sourced from doorkeeper-openid_connect's changelog.

v1.10.2 (2026-06-22)

  • #315 Drop support for EOL Ruby 3.1 (EOL 2025-03-25) and require Ruby >= 3.2. i18n 1.15.0 uses the Fiber[] storage API which only exists on Ruby 3.2+, so the Ruby 3.1 CI row no longer loads; the matrix now tests Ruby 3.2 as the minimum
  • #316 Set fail-fast: false in CI matrix so a single failing job no longer cancels the rest
  • #303 execute account selection even without owner, and select_account_for_resource_owner can now receive nil as the first argument.
  • #304 allow handle auth_time per grant
  • #305 Document the auth_time_from_access_token config option in the README (per-grant auth_time), clarifying that it only affects the ID Token auth_time claim and not max_age enforcement
  • #307 Fix bundle exec rake server for the test application
  • #313 Move Configuration documentation from README to Wiki
  • #312 Raise Errors::MissingRequiredClaim instead of silently dropping a blank REQUIRED ID Token claim (iss/sub/aud/exp/iat) in IdToken#as_json, which previously could emit a non-conformant ID Token (OIDC Core 1.0 §2). OPTIONAL claims such as nonce/auth_time are still omitted when blank
  • #311 Include the REQUIRED client_secret_expires_at member (value 0, never expires) in the Dynamic Client Registration response whenever a client_secret is issued (RFC 7591 §3.2.1 / OpenID Connect Dynamic Client Registration 1.0 §3.2)
  • #309 Add a browser dashboard to the test application (spec/dummy) for exercising the OpenID Connect endpoints by hand — replacing the rails console + curl workflow with forms for Setup, Discovery, Authorization (code / implicit / PKCE / nonce / prompt / max_age), token exchange, UserInfo, introspection and revocation

v1.10.1 (2026-06-03)

  • #294 Drop stale Metrics/ClassLength and Metrics/BlockLength overrides from .rubocop_todo.yml
  • #293 Drop Naming/VariableNumber from .rubocop_todo.yml and normalise test variable names
  • #291 Document multi-namespace mount pattern for multiple resource owner models (#192)
  • #292 Drop formatting cops from .rubocop_todo.yml and align trailing-comma style with upstream doorkeeper
  • #296 Fix the prompt parameter being rejected with invalid_request when it contains leading or duplicate spaces (e.g. prompt=%20none) — blank entries in the space-delimited value are now ignored
  • #299 Raise InvalidConfiguration when the issuer config resolves to a blank value instead of silently advertising an empty issuer in the discovery document. Since v1.10.0 an arity-2 issuer block receives (resource_owner, application) — both nil in the discovery context — so a block relying on the old v1.9.0 request argument could return nil and produce a discovery issuer that mismatched the ID token iss (#298)

v1.10.0 (2026-06-01)

[!IMPORTANT]

  • Breaking (arity-2 issuer blocks): resolve_issuer now dispatches arity-2 blocks with (resource_owner, application) in all contexts, including discovery. In v1.9.0 DiscoveryController passed request as the first argument; existing arity-2 blocks that relied on this receive (nil, nil) in v1.10.0 and should migrate to arity-3 — see #298 for details and migration examples
  • #241 Fix NameError on doorkeeper master by deferring AR model loading in run_hooks (see Doorkeeper PR)
  • #242 Fix NoMethodError for openid_request in testing environments.
  • #246 Fix at_hash to use correct hash algorithm based on signing_algorithm
  • #250 Return configured issuer instead of root_url in WebFinger response (thanks to @​sato11 for the original work in #172)
  • #248 Fix max_age always triggering reauthentication when auth_time_from_resource_owner returns Integer
  • #254 Breaking: Omit expires_in from the response_type=id_token response (OIDC Core §3.2.2.5 — expires_in represents the Access Token lifetime; it is still returned for response_type=id_token token)
  • #252 Treat auth_time_from_resource_owner as optional in IdToken — omit auth_time claim when unconfigured instead of raising InvalidConfiguration
  • #256 Accept non-callable values (symbol / string) for the protocol config option, matching the pattern used by issuer / signing_algorithm / signing_key / expiration
  • #258 Skip IdToken construction on password grants without the openid scope
  • #259 Skip IdToken construction on authorization code grants without the openid scope
  • #261 Fix obsolete RuboCop configuration (require:plugins:, RSpec/FilePath split, remove Capybara/FeatureMethods)
  • #263 Security/Breaking: Determine dynamically registered client's confidential flag from token_endpoint_auth_method per RFC 7591 — previously every dynamically registered client was created as public (confidential: false), which let callers authenticate with only client_id (by_uid_and_secret(uid, nil) bypass). Default is now client_secret_basic (confidential); none produces a public client; unsupported values (e.g. private_key_jwt) are rejected with invalid_client_metadata. Also derive token_endpoint_auth_methods_supported in the response from Doorkeeper.configuration.client_credentials_methods instead of a hardcoded list, matching #236
  • #264 Apply safe RuboCop autocorrections and fix resulting artifacts
  • #265 Add Dynamic Client Registration section to README
  • #266 Validate application_type, response_types, and grant_types parameters in dynamic client registration per RFC 7591 — reject unsupported values with invalid_client_metadata and echo the requested values back in the registration response, instead of silently ignoring them and returning the server's global configuration
  • #267 Add authorize_dynamic_client_registration config option to gate the dynamic client registration endpoint per RFC 7591 §3.1 — when set to a callable, the block is evaluated in the controller scope (with access to request, params, request.headers, etc.) and falsy return values reject the request with 401 invalid_token. Default is nil so the endpoint remains open for backward compatibility; consumers should configure this to validate an Initial Access Token (or any other authorization scheme) before allowing client registration
  • #268 Update Dynamic Client Registration README for validated metadata parameters
  • #269 Document authorize_dynamic_client_registration in README
  • #270 Document the unified issuer block signature in README
  • #278 Test against Ruby 4.0.
  • #271 Security: Add auth_time_from_session config for per-session max_age enforcement. The legacy auth_time_from_resource_owner cannot distinguish between concurrent sessions and is now deprecated for max_age use (see #150)
  • #272 Document auth_time_from_session in README (follow-up to #271)

... (truncated)

Commits
  • dba2c84 Merge pull request #318 from 55728/release/v1.10.2
  • 58eede2 Merge pull request #309 from 55728/feature/dummy-oidc-dashboard
  • 967648d Release 1.10.2 🎉
  • 25ab038 Merge pull request #316 from 55728/ci/fail-fast-false
  • 149c363 Merge pull request #315 from 55728/fix/314-drop-ruby-3.1
  • f4e9caa Set fail-fast: false in CI matrix
  • 808c76c Drop EOL Ruby 3.1, require Ruby >= 3.2
  • db6e4a9 Merge pull request #311 from 55728/fix/dcr-client-secret-expires-at
  • 54f79bf Merge pull request #312 from 55728/fix/id-token-required-claim-guard
  • b2538cb Raise on blank REQUIRED ID Token claims instead of dropping them
  • Additional commits viewable in compare view

Updates faraday from 2.14.2 to 2.14.3

Release notes

Sourced from faraday's releases.

v2.14.3

Security Note

This release contains a security fix, we recommend all users to upgrade as soon as possible. A Security Advisory with more details will be posted shortly.

What's Changed

New Contributors

Full Changelog: lostisland/faraday@v2.14.2...v2.14.3

Commits

Updates dalli from 5.0.2 to 5.0.5

Changelog

Sourced from dalli's changelog.

5.0.5

Performance:

  • Batch multi-key commands into a single write to reduce packet overhead (#1107)

    • With TCP_NODELAY set on sockets, each write call emits a separate packet; the meta protocol was calling write up to 3 times per key in multi-key operations (get_multi, set_multi, delete_multi), significantly increasing network traffic compared to the old binary protocol
    • Multi-key request paths now buffer all per-key commands into a single binary string and flush once; single-key paths combine the write and flush into one flushed_write call
    • Thanks to Jean Boussier for this contribution
  • Avoid repeated RUBY_ENGINE checks on every socket read (#1103)

    • Moved the JRuby branch from a runtime if inside ConnectionManager#read to a class-level conditional method definition, so the check happens once at load time rather than on every read call
    • Thanks to Jean Boussier for this contribution
  • Eliminate per-call array allocations in ResponseProcessor (#1104)

    • Token sets passed to error_on_unexpected! (e.g. [VA, EN, HD]) were allocated as new arrays on every invocation; replaced with frozen constants defined once at class load time
    • Thanks to Jean Boussier for this contribution
  • Avoid string copies when building request commands in RequestFormatter (#1106)

    • Changed cmd + TERMINATOR to cmd << TERMINATOR; since cmd is always a mutable string, the in-place append avoids copying the entire command string just to append two bytes
    • Thanks to Jean Boussier for this contribution

5.0.4

Bug fixes:

  • Fix string_fastpath flag collision with compression (
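
The ID Token claim handling described in the doorkeeper-openid_connect notes above (#273, registered claims merged last, and #312, raising on a blank REQUIRED claim), shown as an added Ruby example that is not part of this PR or of the gem's code. All method names, constants and sample values are hypothetical and constructed here.

```ruby
# Added illustration, not doorkeeper-openid_connect's code: all names here are
# hypothetical and the sample values are constructed.

REQUIRED_CLAIMS   = %i[iss sub aud exp iat].freeze # REQUIRED per OIDC Core 1.0 §2
OPTIONAL_CLAIMS   = %i[nonce auth_time].freeze     # omitted when blank
REGISTERED_CLAIMS = (REQUIRED_CLAIMS + OPTIONAL_CLAIMS).freeze

class MissingRequiredClaim < StandardError; end

# nil, whitespace-only strings and empty collections count as blank.
def blank_claim?(value)
  return true if value.nil?
  return value.strip.empty? if value.is_a?(String)

  value.respond_to?(:empty?) && value.empty?
end

# Old merge order: the custom claim block is applied last, so any key it
# returns replaces the framework's value, including iss and sub.
def claims_custom_last(registered, custom)
  registered.merge(custom.transform_keys(&:to_sym))
end

# Hardened order: custom claims first, registered claims merged last.
# Returns the final claims plus the custom keys that were ignored, which is
# worth logging when auditing a configuration before the upgrade.
def claims_registered_last(registered, custom)
  missing = REQUIRED_CLAIMS.select { |name| blank_claim?(registered[name]) }
  unless missing.empty?
    raise MissingRequiredClaim, "blank REQUIRED claim(s): #{missing.join(', ')}"
  end

  custom  = custom.transform_keys(&:to_sym)
  ignored = custom.keys & REGISTERED_CLAIMS
  present = registered.reject do |name, value|
    OPTIONAL_CLAIMS.include?(name) && blank_claim?(value)
  end

  claims = custom.reject { |name, _| REGISTERED_CLAIMS.include?(name) }.merge(present)
  { claims: claims, ignored: ignored }
end

# Constructed sample input: framework-computed values and a custom claim
# block result that collides with two registered claim names.
SAMPLE_REGISTERED = {
  iss: "https://idp.example", sub: "user-42", aud: "client-abc",
  exp: 1_800_000_600, iat: 1_800_000_000, nonce: nil, auth_time: nil
}.freeze

SAMPLE_CUSTOM = {
  "sub" => "user-1", iss: "https://other.example", department: "finance"
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "custom last:     #{claims_custom_last(SAMPLE_REGISTERED, SAMPLE_CUSTOM)}"
  hardened = claims_registered_last(SAMPLE_REGISTERED, SAMPLE_CUSTOM)
  puts "registered last: #{hardened[:claims]}"
  puts "ignored custom keys: #{hardened[:ignored]}"
end
```

Running the old-order function over an application's real custom claim output before upgrading shows which keys will stop taking effect.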

Bumps the dependencies group with 21 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [jbuilder](https://github.com/rails/jbuilder) | `2.14.1` | `2.15.1` |
| [bootsnap](https://github.com/rails/bootsnap) | `1.24.4` | `1.24.6` |
| [strong_migrations](https://github.com/ankane/strong_migrations) | `2.7.0` | `2.8.0` |
| [omniauth-microsoft_graph](https://github.com/synth/omniauth-microsoft_graph) | `2.1.0` | `2.2.0` |
| [doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) | `5.9.0` | `5.9.3` |
| [doorkeeper-i18n](https://github.com/doorkeeper-gem/doorkeeper-i18n) | `5.2.8` | `5.2.9` |
| [doorkeeper-openid_connect](https://github.com/doorkeeper-gem/doorkeeper-openid_connect) | `1.9.0` | `1.10.2` |
| [faraday](https://github.com/lostisland/faraday) | `2.14.2` | `2.14.3` |
| [dalli](https://github.com/petergoldstein/dalli) | `5.0.2` | `5.0.5` |
| [opentelemetry-instrumentation-all](https://github.com/open-telemetry/opentelemetry-ruby-contrib) | `0.93.0` | `0.94.0` |
| [marcel](https://github.com/rails/marcel) | `1.1.0` | `1.2.1` |
| [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby) | `1.222.0` | `1.226.0` |
| [image_processing](https://github.com/janko/image_processing) | `1.14.0` | `2.0.2` |
| [danger](https://github.com/danger/danger) | `9.5.3` | `9.6.0` |
| [listen](https://github.com/guard/listen) | `3.9.0` | `3.10.0` |
| [overcommit](https://github.com/sds/overcommit) | `0.69.0` | `0.71.0` |
| [brakeman](https://github.com/presidentbeef/brakeman) | `8.0.4` | `8.0.5` |
| [jwt](https://github.com/jwt/ruby-jwt) | `2.10.2` | `2.10.3` |
| [puma](https://github.com/puma/puma) | `8.0.1` | `8.0.2` |
| [selenium-webdriver](https://github.com/SeleniumHQ/selenium) | `4.44.0` | `4.45.0` |
| [database_consistency](https://github.com/djezzzl/database_consistency) | `3.0.4` | `3.0.5` |



Updates `jbuilder` from 2.14.1 to 2.15.1
- [Release notes](https://github.com/rails/jbuilder/releases)
- [Commits](rails/jbuilder@v2.14.1...v2.15.1)

Updates `bootsnap` from 1.24.4 to 1.24.6
- [Release notes](https://github.com/rails/bootsnap/releases)
- [Changelog](https://github.com/rails/bootsnap/blob/main/CHANGELOG.md)
- [Commits](rails/bootsnap@v1.24.4...v1.24.6)

Updates `strong_migrations` from 2.7.0 to 2.8.0
- [Changelog](https://github.com/ankane/strong_migrations/blob/master/CHANGELOG.md)
- [Commits](ankane/strong_migrations@v2.7.0...v2.8.0)

Updates `omniauth-microsoft_graph` from 2.1.0 to 2.2.0
- [Release notes](https://github.com/synth/omniauth-microsoft_graph/releases)
- [Changelog](https://github.com/synth/omniauth-microsoft_graph/blob/main/CHANGELOG.md)
- [Commits](synth/omniauth-microsoft_graph@2.1.0...2.2.0)

Updates `doorkeeper` from 5.9.0 to 5.9.3
- [Release notes](https://github.com/doorkeeper-gem/doorkeeper/releases)
- [Changelog](https://github.com/doorkeeper-gem/doorkeeper/blob/main/CHANGELOG.md)
- [Commits](doorkeeper-gem/doorkeeper@v.5.9.0...v5.9.3)

Updates `doorkeeper-i18n` from 5.2.8 to 5.2.9
- [Release notes](https://github.com/doorkeeper-gem/doorkeeper-i18n/releases)
- [Commits](https://github.com/doorkeeper-gem/doorkeeper-i18n/commits/v5.2.9)

Updates `doorkeeper-openid_connect` from 1.9.0 to 1.10.2
- [Release notes](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/releases)
- [Changelog](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/blob/master/CHANGELOG.md)
- [Commits](doorkeeper-gem/doorkeeper-openid_connect@v1.9.0...v1.10.2)

Updates `faraday` from 2.14.2 to 2.14.3
- [Release notes](https://github.com/lostisland/faraday/releases)
- [Changelog](https://github.com/lostisland/faraday/blob/main/CHANGELOG.md)
- [Commits](lostisland/faraday@v2.14.2...v2.14.3)

Updates `dalli` from 5.0.2 to 5.0.5
- [Changelog](https://github.com/petergoldstein/dalli/blob/main/CHANGELOG.md)
- [Commits](petergoldstein/dalli@v5.0.2...v5.0.5)

Updates `opentelemetry-instrumentation-all` from 0.93.0 to 0.94.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-ruby-contrib/releases)
- [Commits](open-telemetry/opentelemetry-ruby-contrib@opentelemetry-instrumentation-all/v0.93.0...opentelemetry-instrumentation-all/v0.94.0)

Updates `marcel` from 1.1.0 to 1.2.1
- [Release notes](https://github.com/rails/marcel/releases)
- [Commits](rails/marcel@v1.1.0...v1.2.1)

Updates `aws-sdk-s3` from 1.222.0 to 1.226.0
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases)
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-s3/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-ruby/commits)

Updates `image_processing` from 1.14.0 to 2.0.2
- [Changelog](https://github.com/janko/image_processing/blob/master/CHANGELOG.md)
- [Commits](janko/image_processing@v1.14.0...v2.0.2)

Updates `danger` from 9.5.3 to 9.6.0
- [Release notes](https://github.com/danger/danger/releases)
- [Changelog](https://github.com/danger/danger/blob/master/CHANGELOG.md)
- [Commits](danger/danger@v9.5.3...v9.6.0)

Updates `listen` from 3.9.0 to 3.10.0
- [Release notes](https://github.com/guard/listen/releases)
- [Commits](guard/listen@v3.9.0...v3.10.0)

Updates `overcommit` from 0.69.0 to 0.71.0
- [Release notes](https://github.com/sds/overcommit/releases)
- [Changelog](https://github.com/sds/overcommit/blob/main/CHANGELOG.md)
- [Commits](sds/overcommit@v0.69.0...v0.71.0)

Updates `brakeman` from 8.0.4 to 8.0.5
- [Release notes](https://github.com/presidentbeef/brakeman/releases)
- [Changelog](https://github.com/presidentbeef/brakeman/blob/main/CHANGES.md)
- [Commits](presidentbeef/brakeman@v8.0.4...v8.0.5)

Updates `jwt` from 2.10.2 to 2.10.3
- [Release notes](https://github.com/jwt/ruby-jwt/releases)
- [Changelog](https://github.com/jwt/ruby-jwt/blob/main/CHANGELOG.md)
- [Commits](jwt/ruby-jwt@v2.10.2...v2.10.3)

Updates `puma` from 8.0.1 to 8.0.2
- [Release notes](https://github.com/puma/puma/releases)
- [Changelog](https://github.com/puma/puma/blob/main/History.md)
- [Commits](puma/puma@v8.0.1...v8.0.2)

Updates `selenium-webdriver` from 4.44.0 to 4.45.0
- [Release notes](https://github.com/SeleniumHQ/selenium/releases)
- [Changelog](https://github.com/SeleniumHQ/selenium/blob/trunk/rb/CHANGES)
- [Commits](SeleniumHQ/selenium@selenium-4.44.0...selenium-4.45.0)

Updates `database_consistency` from 3.0.4 to 3.0.5
- [Changelog](https://github.com/djezzzl/database_consistency/blob/master/CHANGELOG.md)
- [Commits](djezzzl/database_consistency@v3.0.4...v3.0.5)

---
updated-dependencies:
- dependency-name: jbuilder
  dependency-version: 2.15.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: bootsnap
  dependency-version: 1.24.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: strong_migrations
  dependency-version: 2.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: omniauth-microsoft_graph
  dependency-version: 2.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: doorkeeper
  dependency-version: 5.9.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: doorkeeper-i18n
  dependency-version: 5.2.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: doorkeeper-openid_connect
  dependency-version: 1.10.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: faraday
  dependency-version: 2.14.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: dalli
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: opentelemetry-instrumentation-all
  dependency-version: 0.94.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: marcel
  dependency-version: 1.2.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: aws-sdk-s3
  dependency-version: 1.226.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: image_processing
  dependency-version: 2.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dependencies
- dependency-name: danger
  dependency-version: 9.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: listen
  dependency-version: 3.10.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: overcommit
  dependency-version: 0.71.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: brakeman
  dependency-version: 8.0.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: jwt
  dependency-version: 2.10.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: puma
  dependency-version: 8.0.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: selenium-webdriver
  dependency-version: 4.45.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: database_consistency
  dependency-version: 3.0.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the `dependencies` (Pull requests that update a dependency file) and `ruby` (Pull requests that update ruby code) labels Jun 22, 2026