Devise 4.2.0: Updating from 3.x

Quick highlights of updating to Devise 4.2.0 from version 3.5.5

It was time to stop putting it off and unlock the Devise gem version in the Gemfile.

The following is working with a simple Rails 4.2 example app. (The idea is to make updates like this before tackling a Rails 5 update. Create a solid starting point.)

Thankfully, Devise has an easy-to-read CHANGELOG. It is well worth taking the time to go through.

I suspect what’s going to catch a lot of people is this (as of version 4.0):

Devise no longer supports Rails 3.2 and 4.0.

Devise no longer supports Ruby 1.9 and 2.0.

(It’s the ‘no longer supporting Ruby 2.0’ that tripped me up initially …)

The code change that will make your Rails 4.2 app crash is:

The ‘devise_parameter_sanitizer’ API has changed: The ‘for’ method was deprecated in favor of ‘permit’

In my example app this was a quick fix. Change devise_parameter_sanitizer.for to devise_parameter_sanitizer.permit in configure_permitted_parameters:

There’s more of an explanation with some examples in the Devise README section.

A deprecation message appeared when I updated to Ruby 2.2.5 and Rails 4.2.7 along with Devise 4.2.0 and RSpec 3.5:

To handle this, in the rspec configuration, I needed to replace this (just as the message said):

with this:


Have any of the files created by the generators changed?

Out of curiosity I was wondering if there are any changes to the default files created by the Devise generators on a new install. The following are from diffs between version 3.5.5 and 4.2.0.


Aside from clarifying updates to the wording in comments, there are a few differences in Devise 4.2.0:

  • You can now easily set a parent mailer different from ActionMailer::Base (more):
  • You can now tell Devise to skip reloading routes on an eager load.
  • The default config.stretches was changed from 10 to 11.
  • The default password length was changed from 8..72 to 6..128.
  • The config.email_regexp was modified and is now uncommented by default:

    Old: # config.email_regexp = /\A[^@]+@[^@]+\z/
    New: config.email_regexp = /\A[^@\s]+@[^@\s]+\z/
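
To see which inputs get a different verdict under the two sets of defaults listed above, here is an added example (not from the original post or from Devise itself). The helper names and the sample inputs are constructed for illustration; the regexes and length ranges are the ones quoted in the list.

```ruby
# Added example: compares the generated-initializer defaults listed above.
# Helper names and sample inputs are constructed for illustration.
DEFAULTS = {
  "3.5.5" => { email_regexp: /\A[^@]+@[^@]+\z/,     password_length: 8..72 },
  "4.2.0" => { email_regexp: /\A[^@\s]+@[^@\s]+\z/, password_length: 6..128 }
}.freeze

# True when the address matches that version's default email_regexp.
def email_ok?(version, email)
  !(DEFAULTS.fetch(version)[:email_regexp] =~ email).nil?
end

# True when the password length falls inside that version's default range.
def password_ok?(version, password)
  DEFAULTS.fetch(version)[:password_length].cover?(password.length)
end

# Samples whose verdict flips between the two sets of defaults.
def changed_verdicts(check, samples)
  samples.select { |s| send(check, "3.5.5", s) != send(check, "4.2.0", s) }
end

EMAILS = [
  "user@example.com",    # plain address
  "user @example.com",   # space in the local part
  "user@exa mple.com",   # space in the domain
  "user@example.com\n",  # trailing newline
  "a@b@c"                # two @ signs
].freeze

PASSWORD_LENGTHS = [5, 6, 7, 8, 72, 73, 128, 129].freeze

if __FILE__ == $PROGRAM_NAME
  EMAILS.each do |e|
    puts format("%-22s 3.5.5=%-5s 4.2.0=%s", e.inspect, email_ok?("3.5.5", e), email_ok?("4.2.0", e))
  end
  PASSWORD_LENGTHS.each do |n|
    pw = "x" * n
    puts format("length %-3d 3.5.5=%-5s 4.2.0=%s", n, password_ok?("3.5.5", pw), password_ok?("4.2.0", pw))
  end
end
```

The old pattern accepts addresses containing spaces or a trailing newline, which the new one rejects. An initializer regenerated with 4.2.0 also accepts 6- and 7-character passwords that the 3.5.5 default rejected, so set config.password_length explicitly if you rely on the old minimum.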


Diff didn’t find any differences in the default settings.


The only difference in the default views is a warning message added to the registration edit view regarding the minimum password length.