Dependencies: 2026-04-07

[lkacenja]

Summary

Addresses a backlog of Dependabot security alerts and folds in all open Dependabot PRs (#389–#398, #401–#403).

---

Rails & Rack (security)

Resolves ~30 Dependabot alerts across rack, activestorage, activesupport, actionview, actionpack, actiontext, json, nokogiri, loofah, and action_text-trix.

• rails 8.1.1 → 8.1.3
• rack 3.2.4 → 3.2.6
• devise 4.9.4 → 5.0.3 (major version bump)

---

npm (security)

• @hotwired/turbo-rails 8.0.12 → 8.0.23
• tailwindcss 3.4.1 → 3.4.19 — fixes picomatch ReDoS; removes minimatch, brace-expansion, and yaml from the dependency tree entirely

---

Python components (security)

• pillow 11.3.0 → 12.1.1 — out-of-bounds write in PSD image loading (document_inference)
• requests 2.32.5 → 2.33.0 — insecure temp file reuse (document_inference)
• black 25.1.0 → 26.3.1 — arbitrary file writes via cache file name (ci, evaluation)

---

Ruby gems (routine updates)

Closes stale Dependabot PRs #389–#398. All gems were already at or beyond the PR targets after the Rails update pulled them in: aws-sdk-s3, aws-sdk-lambda, aws-sdk-secretsmanager, turbo-rails,
bootsnap, view_component, debug, standard, brakeman, thruster.

---

GitHub Actions

Closes Dependabot PRs #401–#403.

• aws-actions/configure-aws-credentials v5 → v6
• actions/upload-artifact v6 → v7
• opentofu/setup-opentofu v1 → v2