devise_token_auth depends on vulnerable devise version

[danbartlett]

There is a new security alert in devise, that requires updating to 4.6.0 or later:

See: heartcombo/devise#4981

Unfortunately it seems devise_token_auth (v1.0.0) won't allow this update as it depends on < 4.6

$ bundle update devise
The dependency tzinfo-data (>= 0) will be unused by any of the platforms Bundler is installing for. Bundler is installing for ruby but the dependency is only for x86-mingw32, x86-mswin32, x64-mingw32, java. To add those platforms to the bundle, run `bundle lock --add-platform x86-mingw32 x86-mswin32 x64-mingw32 java`.
Fetching gem metadata from https://rubygems.org/..........
Fetching gem metadata from https://rubygems.org/.
Resolving dependencies...
Bundler could not find compatible versions for gem "devise":
  In Gemfile:
    devise (>= 4.6.0)

    devise_token_auth was resolved to 1.0.0, which depends on
      devise (< 4.6, > 3.5.2)

$ bundle show devise_token_auth
/Users/danbartlett/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/devise_token_auth-1.0.0

[danbartlett]

Just realised I wasn't on the latest version of devise_token_auth. Once I updated to the latest version—1.1.0, via bundle update—this wasn't an issue and I could specify the minimum required version of devise without conflict 👌🏻