Bumps the dependencies group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [bootsnap](https://github.com/rails/bootsnap) | `1.24.5` | `1.24.6` |
| [doorkeeper-openid_connect](https://github.com/doorkeeper-gem/doorkeeper-openid_connect) | `1.9.0` | `1.10.1` |
| [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby) | `1.224.0` | `1.225.0` |
| [image_processing](https://github.com/janko/image_processing) | `2.0.1` | `2.0.2` |
| [overcommit](https://github.com/sds/overcommit) | `0.69.0` | `0.70.0` |

Updates `bootsnap` from 1.24.5 to 1.24.6
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a 
href="https://github.com/rails/bootsnap/blob/main/CHANGELOG.md">bootsnap's
changelog</a>.</em></p>
<blockquote>
<h1>1.24.6</h1>
<ul>
<li>Fix detection of Ruby bug <a 
href="https://redirect.github.com/rails/bootsnap/issues/22023">#22023</a> on
some patch versions of Ruby 3.4, and properly apply the workaround.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a 
href="https://github.com/rails/bootsnap/commit/026e183e7f4f4f0eab52d6b9eebafe548cde08a2"><code>026e183</code></a>
 Release 1.24.6</li>
<li><a 
href="https://github.com/rails/bootsnap/commit/263e34652b4884da97b5e4974ef53fce5753b890"><code>263e346</code></a>
 Merge pull request <a 
href="https://redirect.github.com/rails/bootsnap/issues/556">#556</a> from
byroot/remove-canary</li>
<li><a 
href="https://github.com/rails/bootsnap/commit/7c31cd81f39285ed43898377ff8af2dcf0d851e9"><code>7c31cd8</code></a>
 Check for [Bug <a 
href="https://redirect.github.com/rails/bootsnap/issues/22023">#22023</a>] by
checking Ruby version rather than a canary</li>
<li><a 
href="https://github.com/rails/bootsnap/commit/54eba7643b359d85d518374af9e8b126a25a99d7"><code>54eba76</code></a>
 Merge pull request <a 
href="https://redirect.github.com/rails/bootsnap/issues/554">#554</a> from
byroot/namespace-overflow</li>
<li><a 
href="https://github.com/rails/bootsnap/commit/fe963d56fc5981eb5c08f4352ca2937226ef2c48"><code>fe963d5</code></a>
 bs_cache_path: account for namespace length</li>
<li><a 
href="https://github.com/rails/bootsnap/commit/7b42db6610163d682fb27f986f7155882844ba2e"><code>7b42db6</code></a>
 Merge pull request <a 
href="https://redirect.github.com/rails/bootsnap/issues/553">#553</a> from
arpitjain099/chore/declare-workflow-perms</li>
<li><a 
href="https://github.com/rails/bootsnap/commit/113b184cc52613c543af3e8155cab24851fd9d35"><code>113b184</code></a>
 ci: add permissions: contents: read to ci</li>
<li>See full diff in <a 
href="https://github.com/rails/bootsnap/compare/v1.24.5...v1.24.6">compare
view</a></li>
</ul>
</details>
<br />

Updates `doorkeeper-openid_connect` from 1.9.0 to 1.10.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a 
href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/releases">doorkeeper-openid_connect's
 releases</a>.</em></p>
<blockquote>
<h2>v1.10.1</h2>
<ul>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/294">#294</a>
 Drop stale <code>Metrics/ClassLength</code> and 
<code>Metrics/BlockLength</code> overrides from 
<code>.rubocop_todo.yml</code></li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/293">#293</a>
 Drop <code>Naming/VariableNumber</code> from <code>.rubocop_todo.yml</code> 
and normalise test variable names</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/291">#291</a>
 Document multi-namespace mount pattern for multiple resource owner models (<a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/192">#192</a>)</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/292">#292</a>
 Drop formatting cops from <code>.rubocop_todo.yml</code> and align 
trailing-comma style with upstream doorkeeper</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/296">#296</a>
 Fix the <code>prompt</code> parameter being rejected with 
<code>invalid_request</code> when it contains leading or duplicate spaces (e.g. 
<code>prompt=%20none</code>) — blank entries in the space-delimited value are 
now ignored</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/299">#299</a>
 Raise <code>InvalidConfiguration</code> when the <code>issuer</code> config 
resolves to a blank value instead of silently advertising an empty 
<code>issuer</code> in the discovery document. Since v1.10.0 an arity-2 
<code>issuer</code> block receives <code>(resource_owner, application)</code> — 
both <code>nil</code> in the discovery context — so a block relying on the old 
v1.9.0 request argument could return <code>nil</code> and produce a discovery 
<code>issuer</code> that mismatched the ID token <code>iss</code> (<a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/298">#298</a>)</li>
</ul>
<h2>v1.10.0</h2>
<ul>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/241">#241</a>
 Fix NameError on doorkeeper master by deferring AR model loading in run_hooks 
(see <a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper/pull/1804">Doorkeeper
 PR</a>)</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/242">#242</a>
 Fix <code>NoMethodError</code> for openid_request in testing environments.</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/246">#246</a>
 Fix <code>at_hash</code> to use correct hash algorithm based on 
<code>signing_algorithm</code></li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/250">#250</a>
 Return configured <code>issuer</code> instead of <code>root_url</code> in 
WebFinger response (thanks to <a 
href="https://github.com/sato11"><code>@​sato11</code></a> for the original
work in <a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/172">#172</a>)</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/248">#248</a>
 Fix <code>max_age</code> always triggering reauthentication when 
<code>auth_time_from_resource_owner</code> returns Integer</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/254">#254</a>
 <strong>Breaking:</strong> Omit <code>expires_in</code> from the 
<code>response_type=id_token</code> response (OIDC Core §3.2.2.5 — 
<code>expires_in</code> represents the Access Token lifetime; it is still 
returned for <code>response_type=id_token token</code>)</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/252">#252</a>
 Treat <code>auth_time_from_resource_owner</code> as optional in 
<code>IdToken</code> — omit <code>auth_time</code> claim when unconfigured 
instead of raising <code>InvalidConfiguration</code></li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/256">#256</a>
 Accept non-callable values (symbol / string) for the <code>protocol</code> 
config option, matching the pattern used by <code>issuer</code> / 
<code>signing_algorithm</code> / <code>signing_key</code> / 
<code>expiration</code></li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/258">#258</a>
 Skip <code>IdToken</code> construction on password grants without the 
<code>openid</code> scope</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/259">#259</a>
 Skip <code>IdToken</code> construction on authorization code grants without 
the <code>openid</code> scope</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/261">#261</a>
 Fix obsolete RuboCop configuration (<code>require:</code> → 
<code>plugins:</code>, <code>RSpec/FilePath</code> split, remove 
<code>Capybara/FeatureMethods</code>)</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/263">#263</a>
 <strong>Security/Breaking:</strong> Determine dynamically registered client's 
<code>confidential</code> flag from <code>token_endpoint_auth_method</code> per 
RFC 7591 — previously every dynamically registered client was created as public 
(<code>confidential: false</code>), which let callers authenticate with only 
<code>client_id</code> (<code>by_uid_and_secret(uid, nil)</code> bypass). 
Default is now <code>client_secret_basic</code> (confidential); 
<code>none</code> produces a public client; unsupported values (e.g. 
<code>private_key_jwt</code>) are rejected with 
<code>invalid_client_metadata</code>. Also derive 
<code>token_endpoint_auth_methods_supported</code> in the response from 
<code>Doorkeeper.configuration.client_credentials_methods</code> instead of a 
hardcoded list, matching <a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/236">#236</a></li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/264">#264</a>
 Apply safe RuboCop autocorrections and fix resulting artifacts</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/265">#265</a>
 Add Dynamic Client Registration section to README</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/266">#266</a>
 Validate <code>application_type</code>, <code>response_types</code>, and 
<code>grant_types</code> parameters in dynamic client registration per RFC 7591 
— reject unsupported values with <code>invalid_client_metadata</code> and echo 
the requested values back in the registration response, instead of silently 
ignoring them and returning the server's global configuration</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/267">#267</a>
 Add <code>authorize_dynamic_client_registration</code> config option to gate 
the dynamic client registration endpoint per RFC 7591 §3.1 — when set to a 
callable, the block is evaluated in the controller scope (with access to 
<code>request</code>, <code>params</code>, <code>request.headers</code>, etc.) 
and falsy return values reject the request with <code>401 invalid_token</code>. 
Default is <code>nil</code> so the endpoint remains open for backward 
compatibility; consumers should configure this to validate an Initial Access 
Token (or any other authorization scheme) before allowing client 
registration</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/268">#268</a>
 Update Dynamic Client Registration README for validated metadata 
parameters</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/269">#269</a>
 Document <code>authorize_dynamic_client_registration</code> in README</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/270">#270</a>
 Document the unified issuer block signature in README</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/278">#278</a>
 Test against Ruby 4.0.</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/271">#271</a>
 <strong>Security:</strong> Add <code>auth_time_from_session</code> config for 
per-session <code>max_age</code> enforcement. The legacy 
<code>auth_time_from_resource_owner</code> cannot distinguish between 
concurrent sessions and is now deprecated for <code>max_age</code> use (see <a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/150">#150</a>)</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/272">#272</a>
 Document <code>auth_time_from_session</code> in README (follow-up to <a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/pull/271">#271</a>)</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/273">#273</a>
 <strong>Security/Hardening:</strong> Merge framework-controlled registered 
claims last — 
<code>iss</code>/<code>sub</code>/<code>aud</code>/<code>exp</code>/<code>iat</code>/<code>nonce</code>/<code>auth_time</code>
 for the ID Token and <code>sub</code> for UserInfo — so a custom claim block 
can no longer override security-critical values. No legitimate configuration 
relied on this; custom claims that intentionally shadowed a registered claim 
name will now be ignored for that key (OIDC Core §2 / §3.1.3.7 / §5.3.2).</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/276">#276</a>
 Get RuboCop to zero offenses: fix <code>Lint/MissingSuper</code> in 
<code>IdTokenResponse</code>, replace <code>puts</code> with <code>warn</code> 
for deprecation notices, and modernise spec style</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/277">#277</a>
 Fix README inaccuracies (<code>signing_algorithm</code> description and link, 
<code>discovery_url_options</code> endpoint list, 
<code>oauth-authorization-server</code> route) and use constant-time comparison 
in the DCR authorization example to prevent timing attacks on the Initial 
Access Token</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/279">#279</a>
 Return <code>account_selection_required</code> when a 
<code>prompt=select_account</code> handler does not generate a response, per <a 
href="https://openid.net/specs/openid-connect-core-1_0.html#AuthError">OIDC
Core 1.0 §3.1.2.6</a> — previously the authorization silently continued without 
account selection. Adds the missing 
<code>Errors::AccountSelectionRequired</code> class, mirroring the existing 
<code>login_required</code> backstop for 
<code>reauthenticate_resource_owner</code></li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/275">#275</a>
 Return <code>login_required</code> for <code>max_age</code> reauthentication 
when <code>prompt=none</code>, instead of triggering the interactive 
<code>reauthenticate_resource_owner</code> flow (OIDC Core §3.1.2.1)</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/284">#284</a>
 Document <code>acr</code> / <code>amr</code> claims in README — show how to 
expose Authentication Context Class Reference and Authentication Methods 
References via the <code>claim</code> DSL, with callouts for the 
<code>response:</code> and <code>scope:</code> defaults that silently bite</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/288">#288</a>
 Document <code>offline_access</code> scope recipe in README — show how to wire 
<code>use_refresh_token</code> with scope-based filtering for OIDC offline 
access</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/281">#281</a>
 Fix <code>NoMethodError</code> / <code>DoubleRenderError</code> when 
<code>resource_owner_authenticator</code> redirects with a truthy non-model 
value (e.g. <code>current_user || redirect_to(login_url)</code>). Normalize the 
leaked value to <code>nil</code> when <code>performed?</code> and add missing 
<code>if owner</code> guard on <code>select_account</code>.</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/285">#285</a>
 Document custom <code>jwks_uri</code> path pattern in README — show how to 
advertise a non-default path in the discovery document using Rails' 
<code>direct</code> URL helper</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/283">#283</a>
 Support multiple signing keys in the JWKS response — <code>signing_key</code> 
now also accepts an array (and callables returning an array). The first entry 
is the active key used to sign new ID tokens; the remaining entries are 
published in the JWKS so clients can still validate tokens signed with a 
retired key during a rotation window. Single-value and callable forms continue 
to work unchanged</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/286">#286</a>
 Allow claims to be assigned to multiple scopes via <code>scope: [:profile, 
:all_data]</code> — the claim is returned whenever the access token grants any 
of the listed scopes. <strong>Note:</strong> the previously implicit 
<code>Claim#scope=</code> writer (from <code>attr_accessor :scope</code>) is no 
longer provided; rebuild the claim instead of mutating it</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/287">#287</a>
 Add <code>apply_prompt_to_non_oidc_requests</code> option to honor the 
<code>prompt</code> parameter on plain OAuth requests that do not include the 
<code>openid</code> scope</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/282">#282</a>
 Allow <code>prompt=none</code> reauthorization with a narrower subset of 
previously-granted scopes (issue <a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/63">#63</a>).
 Per RFC 6749 §1.5, narrower-or-equal scopes do not require fresh user consent; 
previously these requests returned <code>consent_required</code>.</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/290">#290</a>
 Freeze <code>Claim#scopes</code> and <code>Claim#response</code> arrays at 
construction so callers can't accidentally mutate the claim's internal state 
from outside</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/297">#297</a>
 Fix the generated initializer's <code>issuer</code> example referencing an 
undefined <code>request</code> local (the block parameter is 
<code>_request</code>), which raised <code>NameError</code> when copied 
verbatim</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a 
href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/blob/master/CHANGELOG.md">doorkeeper-openid_connect's
 changelog</a>.</em></p>
<blockquote>
<h2>v1.10.1 (2026-06-03)</h2>
<ul>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/294">#294</a>
 Drop stale <code>Metrics/ClassLength</code> and 
<code>Metrics/BlockLength</code> overrides from 
<code>.rubocop_todo.yml</code></li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/293">#293</a>
 Drop <code>Naming/VariableNumber</code> from <code>.rubocop_todo.yml</code> 
and normalise test variable names</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/291">#291</a>
 Document multi-namespace mount pattern for multiple resource owner models (<a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/192">#192</a>)</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/292">#292</a>
 Drop formatting cops from <code>.rubocop_todo.yml</code> and align 
trailing-comma style with upstream doorkeeper</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/296">#296</a>
 Fix the <code>prompt</code> parameter being rejected with 
<code>invalid_request</code> when it contains leading or duplicate spaces (e.g. 
<code>prompt=%20none</code>) — blank entries in the space-delimited value are 
now ignored</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/299">#299</a>
 Raise <code>InvalidConfiguration</code> when the <code>issuer</code> config 
resolves to a blank value instead of silently advertising an empty 
<code>issuer</code> in the discovery document. Since v1.10.0 an arity-2 
<code>issuer</code> block receives <code>(resource_owner, application)</code> — 
both <code>nil</code> in the discovery context — so a block relying on the old 
v1.9.0 request argument could return <code>nil</code> and produce a discovery 
<code>issuer</code> that mismatched the ID token <code>iss</code> (<a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/298">#298</a>)</li>
</ul>
<h2>v1.10.0 (2026-06-01)</h2>
<blockquote>
<p>[!IMPORTANT]</p>
<ul>
<li><strong>Breaking (arity-2 issuer blocks):</strong> 
<code>resolve_issuer</code> now dispatches arity-2 blocks with 
<code>(resource_owner, application)</code> in all contexts, including 
discovery. In v1.9.0 <code>DiscoveryController</code> passed 
<code>request</code> as the first argument; existing arity-2 blocks that relied 
on this receive <code>(nil, nil)</code> in v1.10.0 and should migrate to 
arity-3 — see <a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/298">#298</a>
 for details and migration examples</li>
</ul>
</blockquote>
<ul>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/241">#241</a>
 Fix NameError on doorkeeper master by deferring AR model loading in run_hooks 
(see <a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper/pull/1804">Doorkeeper
 PR</a>)</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/242">#242</a>
 Fix <code>NoMethodError</code> for openid_request in testing environments.</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/246">#246</a>
 Fix <code>at_hash</code> to use correct hash algorithm based on 
<code>signing_algorithm</code></li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/250">#250</a>
 Return configured <code>issuer</code> instead of <code>root_url</code> in 
WebFinger response (thanks to <a 
href="https://github.com/sato11"><code>@​sato11</code></a> for the original
work in <a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/172">#172</a>)</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/248">#248</a>
 Fix <code>max_age</code> always triggering reauthentication when 
<code>auth_time_from_resource_owner</code> returns Integer</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/254">#254</a>
 <strong>Breaking:</strong> Omit <code>expires_in</code> from the 
<code>response_type=id_token</code> response (OIDC Core §3.2.2.5 — 
<code>expires_in</code> represents the Access Token lifetime; it is still 
returned for <code>response_type=id_token token</code>)</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/252">#252</a>
 Treat <code>auth_time_from_resource_owner</code> as optional in 
<code>IdToken</code> — omit <code>auth_time</code> claim when unconfigured 
instead of raising <code>InvalidConfiguration</code></li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/256">#256</a>
 Accept non-callable values (symbol / string) for the <code>protocol</code> 
config option, matching the pattern used by <code>issuer</code> / 
<code>signing_algorithm</code> / <code>signing_key</code> / 
<code>expiration</code></li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/258">#258</a>
 Skip <code>IdToken</code> construction on password grants without the 
<code>openid</code> scope</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/259">#259</a>
 Skip <code>IdToken</code> construction on authorization code grants without 
the <code>openid</code> scope</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/261">#261</a>
 Fix obsolete RuboCop configuration (<code>require:</code> → 
<code>plugins:</code>, <code>RSpec/FilePath</code> split, remove 
<code>Capybara/FeatureMethods</code>)</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/263">#263</a>
 <strong>Security/Breaking:</strong> Determine dynamically registered client's 
<code>confidential</code> flag from <code>token_endpoint_auth_method</code> per 
RFC 7591 — previously every dynamically registered client was created as public 
(<code>confidential: false</code>), which let callers authenticate with only 
<code>client_id</code> (<code>by_uid_and_secret(uid, nil)</code> bypass). 
Default is now <code>client_secret_basic</code> (confidential); 
<code>none</code> produces a public client; unsupported values (e.g. 
<code>private_key_jwt</code>) are rejected with 
<code>invalid_client_metadata</code>. Also derive 
<code>token_endpoint_auth_methods_supported</code> in the response from 
<code>Doorkeeper.configuration.client_credentials_methods</code> instead of a 
hardcoded list, matching <a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/236">#236</a></li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/264">#264</a>
 Apply safe RuboCop autocorrections and fix resulting artifacts</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/265">#265</a>
 Add Dynamic Client Registration section to README</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/266">#266</a>
 Validate <code>application_type</code>, <code>response_types</code>, and 
<code>grant_types</code> parameters in dynamic client registration per RFC 7591 
— reject unsupported values with <code>invalid_client_metadata</code> and echo 
the requested values back in the registration response, instead of silently 
ignoring them and returning the server's global configuration</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/267">#267</a>
 Add <code>authorize_dynamic_client_registration</code> config option to gate 
the dynamic client registration endpoint per RFC 7591 §3.1 — when set to a 
callable, the block is evaluated in the controller scope (with access to 
<code>request</code>, <code>params</code>, <code>request.headers</code>, etc.) 
and falsy return values reject the request with <code>401 invalid_token</code>. 
Default is <code>nil</code> so the endpoint remains open for backward 
compatibility; consumers should configure this to validate an Initial Access 
Token (or any other authorization scheme) before allowing client 
registration</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/268">#268</a>
 Update Dynamic Client Registration README for validated metadata 
parameters</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/269">#269</a>
 Document <code>authorize_dynamic_client_registration</code> in README</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/270">#270</a>
 Document the unified issuer block signature in README</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/278">#278</a>
 Test against Ruby 4.0.</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/271">#271</a>
 <strong>Security:</strong> Add <code>auth_time_from_session</code> config for 
per-session <code>max_age</code> enforcement. The legacy 
<code>auth_time_from_resource_owner</code> cannot distinguish between 
concurrent sessions and is now deprecated for <code>max_age</code> use (see <a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/150">#150</a>)</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/272">#272</a>
 Document <code>auth_time_from_session</code> in README (follow-up to <a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/pull/271">#271</a>)</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/273">#273</a>
 <strong>Security/Hardening:</strong> Merge framework-controlled registered 
claims last — 
<code>iss</code>/<code>sub</code>/<code>aud</code>/<code>exp</code>/<code>iat</code>/<code>nonce</code>/<code>auth_time</code>
 for the ID Token and <code>sub</code> for UserInfo — so a custom claim block 
can no longer override security-critical values. No legitimate configuration 
relied on this; custom claims that intentionally shadowed a registered claim 
name will now be ignored for that key (OIDC Core §2 / §3.1.3.7 / §5.3.2).</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/276">#276</a>
 Get RuboCop to zero offenses: fix <code>Lint/MissingSuper</code> in 
<code>IdTokenResponse</code>, replace <code>puts</code> with <code>warn</code> 
for deprecation notices, and modernise spec style</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/277">#277</a>
 Fix README inaccuracies (<code>signing_algorithm</code> description and link, 
<code>discovery_url_options</code> endpoint list, 
<code>oauth-authorization-server</code> route) and use constant-time comparison 
in the DCR authorization example to prevent timing attacks on the Initial 
Access Token</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/279">#279</a>
 Return <code>account_selection_required</code> when a 
<code>prompt=select_account</code> handler does not generate a response, per <a 
href="https://openid.net/specs/openid-connect-core-1_0.html#AuthError">OIDC
Core 1.0 §3.1.2.6</a> — previously the authorization silently continued without 
account selection. Adds the missing 
<code>Errors::AccountSelectionRequired</code> class, mirroring the existing 
<code>login_required</code> backstop for 
<code>reauthenticate_resource_owner</code></li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/275">#275</a>
 Return <code>login_required</code> for <code>max_age</code> reauthentication 
when <code>prompt=none</code>, instead of triggering the interactive 
<code>reauthenticate_resource_owner</code> flow (OIDC Core §3.1.2.1)</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/284">#284</a>
 Document <code>acr</code> / <code>amr</code> claims in README — show how to 
expose Authentication Context Class Reference and Authentication Methods 
References via the <code>claim</code> DSL, with callouts for the 
<code>response:</code> and <code>scope:</code> defaults that silently bite</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/288">#288</a>
 Document <code>offline_access</code> scope recipe in README — show how to wire 
<code>use_refresh_token</code> with scope-based filtering for OIDC offline 
access</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/281">#281</a>
 Fix <code>NoMethodError</code> / <code>DoubleRenderError</code> when 
<code>resource_owner_authenticator</code> redirects with a truthy non-model 
value (e.g. <code>current_user || redirect_to(login_url)</code>). Normalize the 
leaked value to <code>nil</code> when <code>performed?</code> and add missing 
<code>if owner</code> guard on <code>select_account</code>.</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/285">#285</a>
 Document custom <code>jwks_uri</code> path pattern in README — show how to 
advertise a non-default path in the discovery document using Rails' 
<code>direct</code> URL helper</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/283">#283</a>
 Support multiple signing keys in the JWKS response — <code>signing_key</code> 
now also accepts an array (and callables returning an array). The first entry 
is the active key used to sign new ID tokens; the remaining entries are 
published in the JWKS so clients can still validate tokens signed with a 
retired key during a rotation window. Single-value and callable forms continue 
to work unchanged</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/286">#286</a>
 Allow claims to be assigned to multiple scopes via <code>scope: [:profile, 
:all_data]</code> — the claim is returned whenever the access token grants any 
of the listed scopes. <strong>Note:</strong> the previously implicit 
<code>Claim#scope=</code> writer (from <code>attr_accessor :scope</code>) is no 
longer provided; rebuild the claim instead of mutating it</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/287">#287</a>
 Add <code>apply_prompt_to_non_oidc_requests</code> option to honor the 
<code>prompt</code> parameter on plain OAuth requests that do not include the 
<code>openid</code> scope</li>
<li><a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/282">#282</a>
 Allow <code>prompt=none</code> reauthorization with a narrower subset of 
previously-granted scopes (issue <a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/63">#63</a>).
 Per RFC 6749 §1.5, narrower-or-equal scopes do not require fresh user consent; 
previously these requests returned <code>consent_required</code>.</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a 
href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/commit/401e5fcdcd875205f9ae0b69a125e854ea472654"><code>401e5fc</code></a>
 Merge pull request <a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/301">#301</a>
 from 55728/release/v1.10.1</li>
<li><a 
href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/commit/6ab16258090665eefa6205b77f2d7a9cf112fdc5"><code>6ab1625</code></a>
 Release 1.10.1 🎉</li>
<li><a 
href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/commit/5620cfe0aaf0dddd9b48f4d780329826129533a2"><code>5620cfe</code></a>
 Merge pull request <a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/299">#299</a>
 from 55728/fix/issue-298-blank-issuer-guard</li>
<li><a 
href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/commit/fbf4f687cda74b88f3c36668b879d786f460b631"><code>fbf4f68</code></a>
 Merge pull request <a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/296">#296</a>
 from 55728/fix/prompt-leading-whitespace</li>
<li><a 
href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/commit/f8ca5af5d56779e094969b92612853f7dad71c82"><code>f8ca5af</code></a>
 Merge pull request <a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/300">#300</a>
 from 55728/docs/changelog-v1.10.0-arity-2-breaking-note</li>
<li><a 
href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/commit/7ce74737b477857c170c7ebb6fb48178501d3ff1"><code>7ce7473</code></a>
 Add breaking-change note for arity-2 issuer blocks to v1.10.0 CHANGELOG</li>
<li><a 
href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/commit/4d4e791d0c52234addbfc1ef88305661e9967f40"><code>4d4e791</code></a>
 Raise on blank issuer in resolve_issuer (<a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/298">#298</a>)</li>
<li><a 
href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/commit/aed9af51f73d3424593f6ede314ee36cddab8759"><code>aed9af5</code></a>
 Merge pull request <a 
href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/292">#292</a>
 from 55728/chore/rubocop-todo-phase1-formatting</li>
<li><a 
href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/commit/2c7b8147210734ddc0326aaf0b93f6e0b6311db5"><code>2c7b814</code></a>
 Reformat cramped multiline closers to avoid ,) and ,]</li>
<li><a 
href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/commit/63dcfa639ba49d0f67f3c8d0745072d110d619b2"><code>63dcfa6</code></a>
 Set hash/argument indentation to consistent style</li>
<li>Additional commits viewable in <a 
href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/compare/v1.9.0...v1.10.1">compare
 view</a></li>
</ul>
</details>
<br />

Updates `aws-sdk-s3` from 1.224.0 to 1.225.0
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a 
href="https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-s3/CHANGELOG.md">aws-sdk-s3's
 changelog</a>.</em></p>
<blockquote>
<h2>1.225.0 (2026-06-02)</h2>
<ul>
<li>Feature - Adding new BDD representation of endpoint ruleset</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a 
href="https://github.com/aws/aws-sdk-ruby/commits">compare view</a></li>
</ul>
</details>
<br />

Updates `image_processing` from 2.0.1 to 2.0.2
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a 
href="https://github.com/janko/image_processing/blob/master/CHANGELOG.md">image_processing's
 changelog</a>.</em></p>
<blockquote>
<h2>2.0.2 (2026-06-03)</h2>
<ul>
<li>Raise <code>LoadError</code> instead of <code>ImageProcessing::Error</code> 
when soft dependencies are missing (<a 
href="https://github.com/bdewater-thatch"><code>@bdewater-thatch</code></a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a 
href="https://github.com/janko/image_processing/commit/7d89c0196cc369428126bcba075ff53485099ef2"><code>7d89c01</code></a>
 Bump to 2.0.2</li>
<li><a 
href="https://github.com/janko/image_processing/commit/7f3830410f15ed2eac601f5b638dd2e5365f4243"><code>7f38304</code></a>
 Create a new <code>LoadError</code> for missing dependencies</li>
<li><a 
href="https://github.com/janko/image_processing/commit/996862c803e85c14988b556a7f42f3c8f9d2aa96"><code>996862c</code></a>
 Warn and reraise LoadError instead of raising custom error (<a 
href="https://redirect.github.com/janko/image_processing/issues/143">#143</a>)</li>
<li><a 
href="https://github.com/janko/image_processing/commit/a64dbd59ece625934b9fe2c7749b45758c5f915a"><code>a64dbd5</code></a>
 Inline dhash-vips</li>
<li>See full diff in <a 
href="https://github.com/janko/image_processing/compare/v2.0.1...v2.0.2">compare
 view</a></li>
</ul>
</details>
<br />

Updates `overcommit` from 0.69.0 to 0.70.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a 
href="https://github.com/sds/overcommit/releases">overcommit's 
releases</a>.</em></p>
<blockquote>
<h2>0.70.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Add oxc pre-commit hooks by <a 
href="https://github.com/benmelz"><code>@benmelz</code></a> in <a 
href="https://redirect.github.com/sds/overcommit/pull/879">sds/overcommit#879</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a 
href="https://github.com/sds/overcommit/compare/v0.69.0...v0.70.0">https://github.com/sds/overcommit/compare/v0.69.0...v0.70.0</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a 
href="https://github.com/sds/overcommit/blob/main/CHANGELOG.md">overcommit's 
changelog</a>.</em></p>
<blockquote>
<h2>0.70.0</h2>
<ul>
<li>Add <code>oxfmt</code> and <code>oxlint</code> pre-commit hooks</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a 
href="https://github.com/sds/overcommit/commit/141b0aedd314bb01983eab9653aa034799c68e92"><code>141b0ae</code></a>
 Cut version 0.70.0 (<a 
href="https://redirect.github.com/sds/overcommit/issues/880">#880</a>)</li>
<li><a 
href="https://github.com/sds/overcommit/commit/032af772175087eb2e5f0026dcbfa30c8112b35b"><code>032af77</code></a>
 Add oxc pre-commit hooks (<a 
href="https://redirect.github.com/sds/overcommit/issues/879">#879</a>)</li>
<li><a 
href="https://github.com/sds/overcommit/commit/92b22f0b50b1fe7d83a9fb3103976a74ca8cbb18"><code>92b22f0</code></a>
 Add Ruby 3.4 and 4.0 to CI matrix (<a 
href="https://redirect.github.com/sds/overcommit/issues/878">#878</a>)</li>
<li>See full diff in <a 
href="https://github.com/sds/overcommit/compare/v0.69.0...v0.70.0">compare 
view</a></li>
</ul>
</details>
<br />


You can view, comment on, or merge this pull request online at:

  https://github.com/openstreetmap/openstreetmap-website/pull/7131

-- Commit Summary --

  * Bump the dependencies group with 5 updates

-- File Changes --

    M Gemfile.lock (24)

-- Patch Links --

https://github.com/openstreetmap/openstreetmap-website/pull/7131.patch
https://github.com/openstreetmap/openstreetmap-website/pull/7131.diff
