DEPS: Bump the gems group across 1 directory with 9 updates

[dependabot]

Bumps the gems group with 9 updates in the / directory:

Package	From	To
commonmarker	2.7.0	2.8.1
lefthook	2.1.5	2.1.6
puma	7.2.0	8.0.0
rake	13.3.1	13.4.2
bigdecimal	4.1.1	4.1.2
flay	2.14.3	2.14.4
json	2.19.3	2.19.4
mustermann	3.0.4	3.1.1
rubocop	1.86.0	1.86.1

Updates commonmarker from 2.7.0 to 2.8.1

Release notes

Sourced from commonmarker's releases.

v2.8.1

What's Changed

• fix: re-release 2.8.1 due to publishing error by @​gjtorikian in gjtorikian/commonmarker#456
• [skip test] Release v2.8.1 by @​github-actions[bot] in gjtorikian/commonmarker#457

Full Changelog: gjtorikian/commonmarker@v2.8.0...v2.8.1

v2.8.0

What's Changed

• Fix typo in Cargo.toml comment by @​55728 in gjtorikian/commonmarker#449
• Bump rb-sys from 0.9.124 to 0.9.126 by @​dependabot[bot] in gjtorikian/commonmarker#451
• docs: clarify which extensions and plugins are enabled by default by @​55728 in gjtorikian/commonmarker#453
• Bump comrak from 0.51.0 to 0.52.0 by @​dependabot[bot] in gjtorikian/commonmarker#450
• [skip test] Release v2.8.0 by @​github-actions[bot] in gjtorikian/commonmarker#454

New Contributors

• @​55728 made their first contribution in gjtorikian/commonmarker#449

Full Changelog: gjtorikian/commonmarker@v2.7.0...v2.8.0

Changelog

Sourced from commonmarker's changelog.

[v2.8.1] - 14-04-2026

What's Changed

• fix: re-release 2.8.1 due to publishing error by @​gjtorikian in gjtorikian/commonmarker#456

Full Changelog: gjtorikian/commonmarker@v2.8.0...v2.8.1

[v2.8.0] - 12-04-2026

What's Changed

• Fix typo in Cargo.toml comment by @​55728 in gjtorikian/commonmarker#449
• Bump rb-sys from 0.9.124 to 0.9.126 by @​dependabot[bot] in gjtorikian/commonmarker#451
• docs: clarify which extensions and plugins are enabled by default by @​55728 in gjtorikian/commonmarker#453
• Bump comrak from 0.51.0 to 0.52.0 by @​dependabot[bot] in gjtorikian/commonmarker#450

New Contributors

• @​55728 made their first contribution in gjtorikian/commonmarker#449

Full Changelog: gjtorikian/commonmarker@v2.7.0...v2.8.0

Commits

• 31016cf Merge pull request #457 from gjtorikian/release/v2.8.1
• 8087370 [skip test] update changelog
• 6da0eef Merge pull request #456 from gjtorikian/new-fix-release
• bc2c4c4 fix: re-release 2.8.1 due to publishing error
• 3ad6390 Merge pull request #454 from gjtorikian/release/v2.8.0
• 72f3e61 [skip test] update changelog
• 69192fe Merge pull request #450 from gjtorikian/dependabot/cargo/comrak-0.52.0
• 13729a4 Add build.rs to fix Windows mingw Oniguruma symbol collision
• a5044e2 Fix Windows mingw build: allow multiple Oniguruma definitions
• 66ed2e1 Merge branch 'main' into dependabot/cargo/comrak-0.52.0
• Additional commits viewable in compare view

Updates lefthook from 2.1.5 to 2.1.6

Release notes

Sourced from lefthook's releases.

v2.1.6

Changelog

• bf73ea2f1ea5468c9af7a6f06b5ef8cd43e66040 fix(packaging): do not pipe stdout and stderr (#1382)
• 04da00697cd8a6241023c1962feb720eeaa62698 fix(windows): normalize lefthook path for sh script (#1383)
• de9597a1bf456d2cf0fbcb8816858b6e5cf6b609 fix: log full scoped name for skipped jobs (#1291)
• eb3e70dbbd2442200ec8ff2140a3ee9daa7d9e70 fix: normalize root to always include trailing slash before path replacement (#1381)
• f90f3f570ef9227ddf345a79cec687dac41a5d31 fix: skip pty allocation when stdout is not a terminal (#1393)

Changelog

Sourced from lefthook's changelog.

2.1.6 (2026-04-16)

• fix: normalize lefthook path for sh script (#1383) by @​AndrewKahr
• fix: normalize root to always include trailing slash before path replacement (#1381) by @​Copilot
• fix: skip pty allocation when stdout is not a terminal (#1393) by @​technicalpickles
• docs: upgrade docmd (#1391) by @​mrexox
• fix: log full scoped name for skipped jobs (#1291) by @​scop
• fix: do not pipe stdout and stderr (#1382) by @​mrexox

Commits

• 679ce27 2.1.6: fixes for Windows and AI tools execution
• 04da006 fix(windows): normalize lefthook path for sh script (#1383)
• eb3e70d fix: normalize root to always include trailing slash before path replacemen...
• f90f3f5 fix: skip pty allocation when stdout is not a terminal (#1393)
• 1481e9d docs: upgrade docmd (#1391)
• de9597a fix: log full scoped name for skipped jobs (#1291)
• bf73ea2 fix(packaging): do not pipe stdout and stderr (#1382)
• See full diff in compare view

Updates puma from 7.2.0 to 8.0.0

Release notes

Sourced from puma's releases.

v8.0.0 - Into the Arena

Read our Version 8 Upgrade Guide.

• Features

  • Add env["puma.mark_as_io_bound"] API and max_io_threads config to allow IO-bound requests to exceed the thread pool max, enabling better handling of mixed workloads (#3816, #3894)
  • Add single and cluster DSL hooks for mode-specific configuration (#3621)
  • Add on_force option to shutdown_debug to only dump thread backtraces on forced (non-graceful) shutdown (#3671)
  • Add API to dynamically update min and max thread counts at runtime via update_thread_pool_min_max and ServerPluginControl (#3658)
  • Use SIGPWR for thread backtrace dumps on Linux/JRuby where SIGINFO is unavailable (#3829)

• Bugfixes

  • Fix phased restart for fork_worker to avoid forking from stale worker 0 when it has been replaced (#3853)

• Performance

  • JRuby HTTP parser improvements: pre-allocated header keys, perfect hash lookup, reduced memory copies (#3838)
  • Cache downcased header key in str_headers to avoid redundant String#downcase calls, reducing allocations by ~50% per response (#3874)

• Refactor

  • Collect env processing into dedicated client_env.rb module (#3582)
  • Move event to default configuration (#3872)

• Docs

  • Add gRPC guide for configuring gRPC lifecycle hooks in clustered mode (#3885)
  • Add 7.0 upgrade guide, move 5.0/6.0 upgrade guides to docs directory (#3900)
  • Correct default values for persistent_timeout and worker_boot_timeout in DSL docs (#3912)
  • Add file descriptor limit warning in test helper for contributors (#3893)

• Breaking changes

  • Default production bind address changed from 0.0.0.0 to :: (IPv6) when a non-loopback IPv6 interface is available; falls back to 0.0.0.0 if IPv6 is unavailable (#3847)

Changelog

Sourced from puma's changelog.

8.0.0 / 2026-03-27

• Features

  • Add env["puma.mark_as_io_bound"] API and max_io_threads config to allow IO-bound requests to exceed the thread pool max, enabling better handling of mixed workloads (#3816, #3894)
  • Add single and cluster DSL hooks for mode-specific configuration (#3621)
  • Add on_force option to shutdown_debug to only dump thread backtraces on forced (non-graceful) shutdown (#3671)
  • Add API to dynamically update min and max thread counts at runtime via update_thread_pool_min_max and ServerPluginControl (#3658)
  • Use SIGPWR for thread backtrace dumps on Linux/JRuby where SIGINFO is unavailable (#3829)

• Bugfixes

  • Fix phased restart for fork_worker to avoid forking from stale worker 0 when it has been replaced (#3853)

• Performance

  • JRuby HTTP parser improvements: pre-allocated header keys, perfect hash lookup, reduced memory copies (#3838)
  • Cache downcased header key in str_headers to avoid redundant String#downcase calls, reducing allocations by ~50% per response (#3874)

• Refactor

  • Collect env processing into dedicated client_env.rb module (#3582)
  • Move event to default configuration (#3872)

• Docs

  • Add gRPC guide for configuring gRPC lifecycle hooks in clustered mode (#3885)
  • Add 7.0 upgrade guide, move 5.0/6.0 upgrade guides to docs directory (#3900)
  • Correct default values for persistent_timeout and worker_boot_timeout in DSL docs (#3912)
  • Add file descriptor limit warning in test helper for contributors (#3893)

• Breaking changes

  • Default production bind address changed from 0.0.0.0 to :: (IPv6) when a non-loopback IPv6 interface is available; falls back to 0.0.0.0 if IPv6 is unavailable (#3847)

Commits

• 08f63d4 Release v8.0.0 (#3914)
• 7406cc1 Fix IPv4-mapped IPv6 addresses in REMOTE_ADDR and request logs (#3916)
• e090243 Build(deps): Bump actions/checkout from 4 to 6 (#3915)
• 7d5dca1 Update SECURITY.md, native Github vuln reports [ci skip] (#3913)
• 66e6a32 Minor correction to defaults documented in dsl.rb (#3912)
• 3788eca ci: limit rack-conform to main pushes and scope ragel PR runs (#3908)
• 57b7799 ci: run turbo-rails only on latest stable Ruby and Rails (#3909)
• 6685d6b ci: replace skip-duplicate jobs with concurrency and trigger filters (#3907)
• 2848c82 ci: run push workflows only on main and release branches (#3906)
• 97a37bb Add release pre-merge checks and align Release.md [ci skip] (#3904)
• Additional commits viewable in compare view

Updates rake from 13.3.1 to 13.4.2

Commits

• 503b8ec v13.4.2
• 46038e7 Merge pull request #723 from ruby/fix/testopts-preserve-existing-value
• 604a3d9 Isolate TESTOPTS env in TestRakeTestTask setup/teardown
• 5886caa Preserve ENV["TESTOPTS"] when verbose is enabled
• 92193ac v13.4.1
• b74be0b Merge pull request #721 from ruby/fix/add-options-to-gemspec
• 829f66d Add lib/rake/options.rb to gemspec
• 2d55bc4 v13.4.0
• 1415070 Exclude dependabot updates from release note
• b3dc948 Merge pull request #713 from pvdb/simplify_standard_system_dir
• Additional commits viewable in compare view

Updates bigdecimal from 4.1.1 to 4.1.2

Release notes

Sourced from bigdecimal's releases.

v4.1.2

What's Changed

• Optimize BigDecimal#to_s by @​byroot in ruby/bigdecimal#519
• Fix calloc-transposed-args warning by @​nobu in ruby/bigdecimal#520
• Use '0'+n for converting single digit to char by @​tompng in ruby/bigdecimal#521
• Revert "Add a workaround for slow BigDecimal#to_f when it has large N_significant_digits" by @​tompng in ruby/bigdecimal#522
• BigMath.exp overflow/underflow check by @​tompng in ruby/bigdecimal#523
• Fix unary minus on unsigned type warning by @​tompng in ruby/bigdecimal#525
• Update dtoa to version from Ruby 4.0 by @​jhawthorn in ruby/bigdecimal#528
• Bump version to v4.1.2 by @​tompng in ruby/bigdecimal#529

New Contributors

• @​jhawthorn made their first contribution in ruby/bigdecimal#528

Full Changelog: ruby/bigdecimal@v4.1.1...v4.1.2

Changelog

Sourced from bigdecimal's changelog.

4.1.2

• Fix dtoa Ractor-safety bug. Update dtoa to version from Ruby 4.0 GH-528

  @​jhawthorn

• Optimize BigDecimal#to_s GH-519

  @​byroot

Commits

• 9160561 Bump version to v4.1.2 (#529)
• 8050ec7 Update dtoa to version from Ruby 4.0 (#528)
• f8a02b2 Merge pull request #526 from ruby/dependabot/github_actions/step-security/har...
• ac9a5cd Bump step-security/harden-runner from 2.16.1 to 2.17.0
• 6b51b99 Fix unary minus on unsigned type warning (#525)
• 50b80b1 BigMath.exp overflow/underflow check (#523)
• fc54487 Revert "Add a workaround for slow BigDecimal#to_f when it has large N_signifi...
• 72937b7 Use '0'+n for converting single digit to char (#521)
• 8ac1498 Merge pull request #517 from ruby/dependabot/github_actions/rubygems/release-...
• 3c89db5 Merge pull request #518 from ruby/dependabot/github_actions/step-security/har...
• Additional commits viewable in compare view

Updates flay from 2.14.3 to 2.14.4

Changelog

Sourced from flay's changelog.

=== 2.14.4 / 2026-04-14

• 2 bug fixes:

  • Fix Sexp#[] to return empty sexp if indicies run off the end. (slbug)
  • Loosened dependency on ruby2ruby to catch up and drop ruby_parser.

Commits

• See full diff in compare view

Updates json from 2.19.3 to 2.19.4

Release notes

Sourced from json's releases.

v2.19.4

What's Changed

• Fix parsing of out of range floats (very large exponents that lead to either 0.0 or Inf).

Full Changelog: ruby/json@v2.19.2...v2.19.4

Changelog

Sourced from json's changelog.

2026-04-19 (2.19.4)

• Fix parsing of out of range floats (very large exponents that lead to either 0.0 or Inf).

Commits

• 6688a81 Release 2.19.4
• f1e6163 Fix references to NAN and INFINITY in documentation comments
• 18d5475 Reduce warnings
• 1072482 Fix parsing of negative out of bound floats.
• 20454ba Fix handling out of of range exponent in numbers
• 0e99fcb Fix json generation for symbols on TruffleRuby
• ac0670b Keep Integer#to_json optimized and adapt the test
• 35db859 Avoid extra String#+@ calls, interpolated strings are already mutable
• d0b47b0 Avoid method redefinition warnings in test_broken_bignum
• e871d07 test_broken_bignum: avoid fork and subprocess for robustness
• Additional commits viewable in compare view

Updates mustermann from 3.0.4 to 3.1.1

Changelog

Sourced from mustermann's changelog.

Changelog

Mustermann follows Semantic Versioning 2.0. Anything documented in the README or via YARD and not declared private is part of the public API.

Upcoming Releases

Mustermann 4.0.0

Breaking changes

• Mustermann::Pattern#match will now return Mustermann::Match instead of either MatchData or Mustermann::SimpleMatch. This object behaves similar to the previous return values, but also implements #params and #pattern. Positional access to captures is no longer supported.
• Moved Mustermann::Mapper and Mustermann::PatternCache from mustermann to mustermann-contrib.
• Removed special code for Sinatra 1.x. If you want to use Mustermann with Sinatra, please upgrade to any of the Sinatra versions released since 2017.

New features

• Mustermann::Rails now supports Rails up to version 8.2 (previously 5.0).
• Add Mustermann::Hybrid, a pattern that's a union of Sinatra, Rails and URI Template syntax. It is designed to be as compatible as possible with all three syntaxes.
• Added Mustermann::Set to mustermann, which is a collection of patterns with associated values, designed for building routing tables that dispatch efficiently as the number of routes grows.
• Reintroduce Mustermann::Router, now based on Mustermann::Set, for demonstration purposes and use in small applications or middleware. Simple and fast.

Performance improvements

• Small to moderate improvements for compiling complex patterns. Major improvements for simple patterns, which are common in web applications.
• Automatically switch between different matching algorithms for Mustermann::Set based on number of patterns. This makes it blazing fast both for small and large sets of patterns.
• Major performance improvements for Mustermann::Mapper, as it is based on Mustermann::Set now, and can dispatch in logarithmic time instead of linear time.
• Major speed improvements for sub-segment patterns with optional elements (like a format at the end of a path). These patterns are common in web applications.

Scenario	Improvement over 3.1
Simple pattern compilation	6x speedup
Complex pattern compilation	30% speedup
Simple param extraction	2.4x speedup
Complex param extraction	70% speedup
Matching a simple pattern	Same performance
Matching a complex pattern	8x speedup
Matching against 1k patterns	20x to 350x speedup
Matching against 10k patterns	200x to 3500x speedup

Numbers are based on simple and realistic patterns run on MRI Ruby 4.0 on a MacBook Pro. The improvements you will see may vary based on your Ruby implementation, platform and patterns used.

Simple and complex in the above table refer to patterns with only static segments or captures matching exactly one segment each (like /resource/:id or /:controller/:action) versus patterns with more complex captures (like /resource/*path/:id or /resource/:id(.:format)?). The matching improvements against 1k and 10k patterns assume the new Mustermann::Set is used. Otherwise the difference should be in line with the single pattern matching improvements.

Housekeeping

• Drop support for Ruby before 3.3.0 (all EOL now).
• Improve documentation. Add more examples and explanations. Split individual pattern types into separate pages.
• Document how to implement custom pattern types.
• Add code of conduct and contributing guidelines. Add AI policy.

... (truncated)

Commits

• 97a46ad v3.1.1
• 7445f32 remove visualizer injection into inspect and pretty_print, fixes #153
• e7721d8 Fix markup in README
• a33272b Move Rails pattern documentation from mustermann-contrib to mustermann
• 5cfd230 Fix code example
• 656eb61 Fix typo
• 518fb7e Increase version to 3.1.1
• 8fd53a0 Improve Mustermann::Pattern#hash to reduce the chance of collisions on JRuby ...
• c01b375 Small README improvements
• 408bf34 update changelog
• Additional commits viewable in compare view

Updates rubocop from 1.86.0 to 1.86.1

Release notes

Sourced from rubocop's releases.

RuboCop v1.86.1

Bug fixes

• #11051: Fix Style/AccessModifierDeclarations inline autocorrect dropping comments between the access modifier and the following method definition. (@​dduugg)
• #14665: Cache plugin integration in CopHelper to avoid repeated loading. (@​55728)
• #15091: Fix Lint/DuplicateMethods false positives for anonymous classes in constant assignments and method return values. (@​eugeneius)
• #15055: Fix Lint/DuplicateMethods false positives with anonymous classes inside blocks (e.g. RSpec let, describe). (@​ShkumbinDelija)
• #15035: Exclude included_modules from Style/ModuleMemberExistenceCheck. (@​koic)
• #15087: Fix false positive for Style/RedundantLineContinuation when using interpolated string literals. (@​koic)
• #14361: Fix false positive in file_to_include? when a relative Include pattern matches a parent directory name in the absolute file path. (@​jonas054)
• #15090: Fix false positives for Layout/EmptyLineAfterGuardClause when consecutive guard clauses use and return. (@​eugeneius)
• #15070: Fix false positive for Lint/RedundantSafeNavigation when chained safe navigation is used in a conditional expression with InferNonNilReceiver enabled. (@​koic)
• #15074: Fix false positives in Style/RedundantParentheses when using parentheses around an endless range in assignment. (@​koic)
• #15048: Fix issue where the url_for is missing for Cops without instance methods. (@​Fryguy)
• #15051: Fix Style/RedundantParentheses handling of beginless ranges. (@​oggy)
• #14980: Fix Lint/Syntax zero-length diagnostic range for syntax errors at EOF. (@​55728)
• #15084: Handle heredocs with methods calls correctly when fixing guard clauses. (@​G-Rath)
• #11398: Fix incorrect Include path adjustment when local config overrides an inherited Include. (@​jonas054)
• #15092: Fix Layout/EndAlignment cop error on an empty begin. (@​viralpraxis)
• #15059: Fix an error in Layout/LineLength when SplitStrings option is enabled and __FILE__ is used. (@​jeromedalbert)
• #5876: Fix Lint/UnusedMethodArgument false positive when block argument is used via yield. (@​dduugg)
• #15093: Return tool execution errors instead of protocol errors in MCP server. (@​koic)

Changes

• #15005: Make Style/OneClassPerFile exclude spec/**/* and test/**/* by default. (@​koic)
• #15081: Relax parallel dependency to >= 1.10. (@​koic)
• #15063: Disable Style/RedundantStructKeywordInit cop by default. (@​koic)

Changelog

Sourced from rubocop's changelog.

1.86.1 (2026-04-09)

Bug fixes

• #11051: Fix Style/AccessModifierDeclarations inline autocorrect dropping comments between the access modifier and the following method definition. ([@​dduugg][])
• #14665: Cache plugin integration in CopHelper to avoid repeated loading. ([@​55728][])
• #15091: Fix Lint/DuplicateMethods false positives for anonymous classes in constant assignments and method return values. ([@​eugeneius][])
• #15055: Fix Lint/DuplicateMethods false positives with anonymous classes inside blocks (e.g. RSpec let, describe). ([@​ShkumbinDelija][])
• #15035: Exclude included_modules from Style/ModuleMemberExistenceCheck. ([@​koic][])
• #15087: Fix false positive for Style/RedundantLineContinuation when using interpolated string literals. ([@​koic][])
• #14361: Fix false positive in file_to_include? when a relative Include pattern matches a parent directory name in the absolute file path. ([@​jonas054][])
• #15090: Fix false positives for Layout/EmptyLineAfterGuardClause when consecutive guard clauses use and return. ([@​eugeneius][])
• #15070: Fix false positive for Lint/RedundantSafeNavigation when chained safe navigation is used in a conditional expression with InferNonNilReceiver enabled. ([@​koic][])
• #15074: Fix false positives in Style/RedundantParentheses when using parentheses around an endless range in assignment. ([@​koic][])
• #15048: Fix issue where the url_for is missing for Cops without instance methods. ([@​Fryguy][])
• #15051: Fix Style/RedundantParentheses handling of beginless ranges. ([@​oggy][])
• #14980: Fix Lint/Syntax zero-length diagnostic range for syntax errors at EOF. ([@​55728][])
• #15084: Handle heredocs with methods calls correctly when fixing guard clauses. ([@​G-Rath][])
• #11398: Fix incorrect Include path adjustment when local config overrides an inherited Include. ([@​jonas054][])
• #15092: Fix Layout/EndAlignment cop error on an empty begin. ([@​viralpraxis][])
• #15059: Fix an error in Layout/LineLength when SplitStrings option is enabled and __FILE__ is used. ([@​jeromedalbert][])
• #5876: Fix Lint/UnusedMethodArgument false positive when block argument is used via yield. ([@​dduugg][])
• #15093: Return tool execution errors instead of protocol errors in MCP server. ([@​koic][])

Changes

• #15005: Make Style/OneClassPerFile exclude spec/**/* and test/**/* by default. ([@​koic][])
• #15081: Relax parallel dependency to >= 1.10. ([@​koic][])
• #15063: Disable Style/RedundantStructKeywordInit cop by default. ([@​koic][])

Commits

• af80266 Cut 1.86.1
• eb504ce Update Changelog
• 9c8fe2c Merge pull request #15085 from G-Rath/fix-style-guard
• 11d796a Merge pull request #15093 from koic/fix_return_tool_execution_errors_instead_...
• 4450067 Return tool execution errors instead of protocol errors in MCP server
• ff64180 Merge pull request #15092 from viralpraxis/fix-an-error-for-layout-end-alignm...
• 11e04c0 Merge pull request #15091 from eugeneius/duplicate_methods_anonymous_classes
• b8deea4 Merge pull request #15090 from eugeneius/guard_clause_and_return
• e130020 Fix Layout/EndAlignment cop error on an empty begin
• 4808594 Fix DuplicateMethods for anonymous classes in constant assignments and methods
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions