Use at least Devise 4.6 for security patch

tvdeyen · tvdeyen · commit 45230021f2b3 · 2019-04-01T14:53:36.000+02:00
Devise ruby gem before 4.6.0 when the lockable module is used is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts within the `Devise::Models::Lockable` class not being concurrency safe.
diff --git a/alchemy-devise.gemspec b/alchemy-devise.gemspec
@@ -17,7 +17,7 @@ Gem::Specification.new do |s|
   s.test_files = Dir["spec/**/*"]
 
   s.add_dependency "alchemy_cms", [">= 4.1.0.beta", "< 4.99"]
-  s.add_dependency "devise",      [">= 4.0", "< 4.99"]
+  s.add_dependency "devise",      [">= 4.6.0", "< 4.99"]
 
   s.add_development_dependency "capybara"
   s.add_development_dependency "factory_bot_rails"
