Skip to content

build(deps): bump the bundler group across 1 directory with 10 updates#313

Merged
werebus merged 1 commit intomainfrom
dependabot/bundler/bundler-afcd15cbdc
Apr 9, 2026
Merged

build(deps): bump the bundler group across 1 directory with 10 updates#313
werebus merged 1 commit intomainfrom
dependabot/bundler/bundler-afcd15cbdc

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Apr 9, 2026

Bumps the bundler group with 8 updates in the / directory:

Package From To
puma 7.2.0 8.0.0
haml_lint 0.72.0 0.73.0
rubocop 1.86.0 1.86.1
addressable 2.8.9 2.9.0
bigdecimal 4.0.1 4.1.1
minitest 6.0.2 6.0.3
rack 3.2.5 3.2.6
rack-session 2.1.1 2.1.2

Updates puma from 7.2.0 to 8.0.0

Release notes

Sourced from puma's releases.

v8.0.0 - Into the Arena

Read our Version 8 Upgrade Guide.

  • Features

    • Add env["puma.mark_as_io_bound"] API and max_io_threads config to allow IO-bound requests to exceed the thread pool max, enabling better handling of mixed workloads (#3816, #3894)
    • Add single and cluster DSL hooks for mode-specific configuration (#3621)
    • Add on_force option to shutdown_debug to only dump thread backtraces on forced (non-graceful) shutdown (#3671)
    • Add API to dynamically update min and max thread counts at runtime via update_thread_pool_min_max and ServerPluginControl (#3658)
    • Use SIGPWR for thread backtrace dumps on Linux/JRuby where SIGINFO is unavailable (#3829)

  • Bugfixes

    • Fix phased restart for fork_worker to avoid forking from stale worker 0 when it has been replaced (#3853)

  • Performance

    • JRuby HTTP parser improvements: pre-allocated header keys, perfect hash lookup, reduced memory copies (#3838)
    • Cache downcased header key in str_headers to avoid redundant String#downcase calls, reducing allocations by ~50% per response (#3874)

  • Refactor

    • Collect env processing into dedicated client_env.rb module (#3582)
    • Move event to default configuration (#3872)

  • Docs

    • Add gRPC guide for configuring gRPC lifecycle hooks in clustered mode (#3885)
    • Add 7.0 upgrade guide, move 5.0/6.0 upgrade guides to docs directory (#3900)
    • Correct default values for persistent_timeout and worker_boot_timeout in DSL docs (#3912)
    • Add file descriptor limit warning in test helper for contributors (#3893)

  • Breaking changes

    • Default production bind address changed from 0.0.0.0 to :: (IPv6) when a non-loopback IPv6 interface is available; falls back to 0.0.0.0 if IPv6 is unavailable (#3847)
Changelog

Sourced from puma's changelog.

8.0.0 / 2026-03-27

  • Features

    • Add env["puma.mark_as_io_bound"] API and max_io_threads config to allow IO-bound requests to exceed the thread pool max, enabling better handling of mixed workloads (#3816, #3894)
    • Add single and cluster DSL hooks for mode-specific configuration (#3621)
    • Add on_force option to shutdown_debug to only dump thread backtraces on forced (non-graceful) shutdown (#3671)
    • Add API to dynamically update min and max thread counts at runtime via update_thread_pool_min_max and ServerPluginControl (#3658)
    • Use SIGPWR for thread backtrace dumps on Linux/JRuby where SIGINFO is unavailable (#3829)

  • Bugfixes

    • Fix phased restart for fork_worker to avoid forking from stale worker 0 when it has been replaced (#3853)

  • Performance

    • JRuby HTTP parser improvements: pre-allocated header keys, perfect hash lookup, reduced memory copies (#3838)
    • Cache downcased header key in str_headers to avoid redundant String#downcase calls, reducing allocations by ~50% per response (#3874)

  • Refactor

    • Collect env processing into dedicated client_env.rb module (#3582)
    • Move event to default configuration (#3872)

  • Docs

    • Add gRPC guide for configuring gRPC lifecycle hooks in clustered mode (#3885)
    • Add 7.0 upgrade guide, move 5.0/6.0 upgrade guides to docs directory (#3900)
    • Correct default values for persistent_timeout and worker_boot_timeout in DSL docs (#3912)
    • Add file descriptor limit warning in test helper for contributors (#3893)

  • Breaking changes

    • Default production bind address changed from 0.0.0.0 to :: (IPv6) when a non-loopback IPv6 interface is available; falls back to 0.0.0.0 if IPv6 is unavailable (#3847)
Commits
  • 08f63d4 Release v8.0.0 (#3914)
  • 7406cc1 Fix IPv4-mapped IPv6 addresses in REMOTE_ADDR and request logs (#3916)
  • e090243 Build(deps): Bump actions/checkout from 4 to 6 (#3915)
  • 7d5dca1 Update SECURITY.md, native Github vuln reports [ci skip] (#3913)
  • 66e6a32 Minor correction to defaults documented in dsl.rb (#3912)
  • 3788eca ci: limit rack-conform to main pushes and scope ragel PR runs (#3908)
  • 57b7799 ci: run turbo-rails only on latest stable Ruby and Rails (#3909)
  • 6685d6b ci: replace skip-duplicate jobs with concurrency and trigger filters (#3907)
  • 2848c82 ci: run push workflows only on main and release branches (#3906)
  • 97a37bb Add release pre-merge checks and align Release.md [ci skip] (#3904)
  • Additional commits viewable in compare view

Updates haml_lint from 0.72.0 to 0.73.0

Changelog

Sourced from haml_lint's changelog.

0.73.0

  • Relax parallel dependency from ~> 1.10 to >= 1.10
Commits

Updates rubocop from 1.86.0 to 1.86.1

Release notes

Sourced from rubocop's releases.

RuboCop v1.86.1

Bug fixes

  • #11051: Fix Style/AccessModifierDeclarations inline autocorrect dropping comments between the access modifier and the following method definition. (@​dduugg)
  • #14665: Cache plugin integration in CopHelper to avoid repeated loading. (@​55728)
  • #15091: Fix Lint/DuplicateMethods false positives for anonymous classes in constant assignments and method return values. (@​eugeneius)
  • #15055: Fix Lint/DuplicateMethods false positives with anonymous classes inside blocks (e.g. RSpec let, describe). (@​ShkumbinDelija)
  • #15035: Exclude included_modules from Style/ModuleMemberExistenceCheck. (@​koic)
  • #15087: Fix false positive for Style/RedundantLineContinuation when using interpolated string literals. (@​koic)
  • #14361: Fix false positive in file_to_include? when a relative Include pattern matches a parent directory name in the absolute file path. (@​jonas054)
  • #15090: Fix false positives for Layout/EmptyLineAfterGuardClause when consecutive guard clauses use and return. (@​eugeneius)
  • #15070: Fix false positive for Lint/RedundantSafeNavigation when chained safe navigation is used in a conditional expression with InferNonNilReceiver enabled. (@​koic)
  • #15074: Fix false positives in Style/RedundantParentheses when using parentheses around an endless range in assignment. (@​koic)
  • #15048: Fix issue where the url_for is missing for Cops without instance methods. (@​Fryguy)
  • #15051: Fix Style/RedundantParentheses handling of beginless ranges. (@​oggy)
  • #14980: Fix Lint/Syntax zero-length diagnostic range for syntax errors at EOF. (@​55728)
  • #15084: Handle heredocs with methods calls correctly when fixing guard clauses. (@​G-Rath)
  • #11398: Fix incorrect Include path adjustment when local config overrides an inherited Include. (@​jonas054)
  • #15092: Fix Layout/EndAlignment cop error on an empty begin. (@​viralpraxis)
  • #15059: Fix an error in Layout/LineLength when SplitStrings option is enabled and __FILE__ is used. (@​jeromedalbert)
  • #5876: Fix Lint/UnusedMethodArgument false positive when block argument is used via yield. (@​dduugg)
  • #15093: Return tool execution errors instead of protocol errors in MCP server. (@​koic)

Changes

  • #15005: Make Style/OneClassPerFile exclude spec/**/* and test/**/* by default. (@​koic)
  • #15081: Relax parallel dependency to >= 1.10. (@​koic)
  • #15063: Disable Style/RedundantStructKeywordInit cop by default. (@​koic)
Changelog

Sourced from rubocop's changelog.

1.86.1 (2026-04-09)

Bug fixes

  • #11051: Fix Style/AccessModifierDeclarations inline autocorrect dropping comments between the access modifier and the following method definition. ([@​dduugg][])
  • #14665: Cache plugin integration in CopHelper to avoid repeated loading. ([@​55728][])
  • #15091: Fix Lint/DuplicateMethods false positives for anonymous classes in constant assignments and method return values. ([@​eugeneius][])
  • #15055: Fix Lint/DuplicateMethods false positives with anonymous classes inside blocks (e.g. RSpec let, describe). ([@​ShkumbinDelija][])
  • #15035: Exclude included_modules from Style/ModuleMemberExistenceCheck. ([@​koic][])
  • #15087: Fix false positive for Style/RedundantLineContinuation when using interpolated string literals. ([@​koic][])
  • #14361: Fix false positive in file_to_include? when a relative Include pattern matches a parent directory name in the absolute file path. ([@​jonas054][])
  • #15090: Fix false positives for Layout/EmptyLineAfterGuardClause when consecutive guard clauses use and return. ([@​eugeneius][])
  • #15070: Fix false positive for Lint/RedundantSafeNavigation when chained safe navigation is used in a conditional expression with InferNonNilReceiver enabled. ([@​koic][])
  • #15074: Fix false positives in Style/RedundantParentheses when using parentheses around an endless range in assignment. ([@​koic][])
  • #15048: Fix issue where the url_for is missing for Cops without instance methods. ([@​Fryguy][])
  • #15051: Fix Style/RedundantParentheses handling of beginless ranges. ([@​oggy][])
  • #14980: Fix Lint/Syntax zero-length diagnostic range for syntax errors at EOF. ([@​55728][])
  • #15084: Handle heredocs with methods calls correctly when fixing guard clauses. ([@​G-Rath][])
  • #11398: Fix incorrect Include path adjustment when local config overrides an inherited Include. ([@​jonas054][])
  • #15092: Fix Layout/EndAlignment cop error on an empty begin. ([@​viralpraxis][])
  • #15059: Fix an error in Layout/LineLength when SplitStrings option is enabled and __FILE__ is used. ([@​jeromedalbert][])
  • #5876: Fix Lint/UnusedMethodArgument false positive when block argument is used via yield. ([@​dduugg][])
  • #15093: Return tool execution errors instead of protocol errors in MCP server. ([@​koic][])

Changes

  • #15005: Make Style/OneClassPerFile exclude spec/**/* and test/**/* by default. ([@​koic][])
  • #15081: Relax parallel dependency to >= 1.10. ([@​koic][])
  • #15063: Disable Style/RedundantStructKeywordInit cop by default. ([@​koic][])
Commits
  • af80266 Cut 1.86.1
  • eb504ce Update Changelog
  • 9c8fe2c Merge pull request #15085 from G-Rath/fix-style-guard
  • 11d796a Merge pull request #15093 from koic/fix_return_tool_execution_errors_instead_...
  • 4450067 Return tool execution errors instead of protocol errors in MCP server
  • ff64180 Merge pull request #15092 from viralpraxis/fix-an-error-for-layout-end-alignm...
  • 11e04c0 Merge pull request #15091 from eugeneius/duplicate_methods_anonymous_classes
  • b8deea4 Merge pull request #15090 from eugeneius/guard_clause_and_return
  • e130020 Fix Layout/EndAlignment cop error on an empty begin
  • 4808594 Fix DuplicateMethods for anonymous classes in constant assignments and methods
  • Additional commits viewable in compare view

Updates addressable from 2.8.9 to 2.9.0

Changelog

Sourced from addressable's changelog.

Addressable 2.9.0

  • fixes ReDoS vulnerability in Addressable::Template#match (fixes incomplete remediation in 2.8.10)

Addressable 2.8.10

  • fixes ReDoS vulnerability in Addressable::Template#match
Commits
  • 0c3e858 Revving version and changelog
  • 91915c1 Fixing additional vulnerable paths
  • a091e39 Add many more adversarial test cases to ensure we don't have any ReDoS regres...
  • 463a819 Regenerate gemspec on newer rubygems
  • 0afcb0b Improve from O(n^2) to O(n)
  • c87f768 Fix a ReDoS vulnerability in URI template matching
  • See full diff in compare view

Updates bigdecimal from 4.0.1 to 4.1.1

Release notes

Sourced from bigdecimal's releases.

v4.1.1

What's Changed

New Contributors

Full Changelog: ruby/bigdecimal@v4.1.0...v4.1.1

v4.1.0

What's Changed

New Contributors

... (truncated)

Changelog

Sourced from bigdecimal's changelog.

4.1.1

4.1.0

Commits

Updates minitest from 6.0.2 to 6.0.3

Changelog

Sourced from minitest's changelog.

=== 6.0.3 / 2026-03-31

  • 1 bug fix:

    • assert_same(nil, value) no longer allowed. Use assert_nil to be explicit. (paddor)
Commits
  • 649b075 prepped for release
  • a2d0904 - assert_same(nil, value) no longer allowed. Use assert_nil to be explicit. (...
  • See full diff in compare view

Updates parallel from 1.27.0 to 2.0.0

Changelog

Sourced from parallel's changelog.

2.0.0

Changed

  • Require Ruby >= 3.3
  • Add Ruby 4 Ractor support

1.28.0

Fixed

  • Dump undumpable exceptions without cause if that fixes the issue
Commits

Updates rack from 3.2.5 to 3.2.6

Release notes

Sourced from rack's releases.

v3.2.6

Full Changelog: rack/rack@v3.2.5...v3.2.6

Changelog

Sourced from rack's changelog.

[3.2.6] - 2026-04-01

Security

  • CVE-2026-34763 Root directory disclosure via unescaped regex interpolation in Rack::Directory.
  • CVE-2026-34230 Avoid O(n^2) algorithm in Rack::Utils.select_best_encoding which could lead to denial of service.
  • CVE-2026-32762 Forwarded header semicolon injection enables Host and Scheme spoofing.
  • CVE-2026-26961 Raise error for multipart requests with multiple boundary parameters.
  • CVE-2026-34786 Rack::Static header_rules bypass via URL-encoded path mismatch.
  • CVE-2026-34831 Content-Length mismatch in Rack::Files error responses.
  • CVE-2026-34826 Multipart byte range processing allows denial of service via excessive overlapping ranges.
  • CVE-2026-34835 Rack::Request accepts invalid Host characters, enabling host allowlist bypass.
  • CVE-2026-34830 Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect.
  • CVE-2026-34785 Rack::Static prefix matching can expose unintended files under the static root.
  • CVE-2026-34829 Multipart parsing without Content-Length header allows unbounded chunked file uploads.
  • CVE-2026-34827 Multipart header parsing allows denial of service via escape-heavy quoted parameters.
  • CVE-2026-26962 Improper unfolding of folded multipart headers preserves CRLF in parsed parameter values.
Commits
  • e1f22fd Bump patch version.
  • 31989fd Fix typo in test.
  • d268165 Fix test expectation.
  • 8f425de Add Ruby v4.0 to the test matrix.
  • bf83042 Drop EOL Rubies from external tests.
  • d50c4d3 Implement OBS unfolding for multipart requests per RFC 5322 2.2.3
  • bfb6914 Limit the number of quoted escapes during multipart parsing
  • b3e5945 Add Content-Length size check in Rack::Multipart::Parser
  • 7a8f326 Fix root prefix bug in Rack::Static
  • a57bc14 Only do a simple substitution on the x-accel-mapping paths
  • Additional commits viewable in compare view

Updates rack-session from 2.1.1 to 2.1.2

Release notes

Sourced from rack-session's releases.

v2.1.2

  • CVE-2026-39324 Don't fall back to unencrypted coder if encryptors are present.
Changelog

Sourced from rack-session's changelog.

v2.1.2

  • CVE-2026-39324 Don't fall back to unencrypted coder if encryptors are present.
Commits
  • 504367b Bump patch version.
  • f43638c Don't fall back to unencrypted coder if encryptors are present.
  • dadcfe6 Bump actions/checkout from 4 to 5 (#54)
  • 4eb9ea8 Add top level session spec to validate existing formats.
  • 8f94577 Add rails to external tests.
  • 38ea47d Allow the v2 encryptor to serialize messages with Marshal (#44)
  • 43f2e3a Fix compatibility with older Rubies.
  • 6a060b8 Support UTF-8 data when using the JSON serializer (#39)
  • 8ce0146 Fix auth_tag retrieval on JRuby (#32)
  • 7727185 Add AEAD encryption (#23)
  • See full diff in compare view

Updates regexp_parser from 2.11.3 to 2.12.0

Changelog

Sourced from regexp_parser's changelog.

[2.12.0] - 2026-04-04 - Janosch Müller

Added

  • support for new unicode properties of Ruby 4.0.0
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
build(deps): bump the bundler group across 1 directory with 10 updates
29d496a 
Bumps the bundler group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [puma](https://github.com/puma/puma) | `7.2.0` | `8.0.0` |
| [haml_lint](https://github.com/sds/haml-lint) | `0.72.0` | `0.73.0` |
| [rubocop](https://github.com/rubocop/rubocop) | `1.86.0` | `1.86.1` |
| [addressable](https://github.com/sporkmonger/addressable) | `2.8.9` | `2.9.0` |
| [bigdecimal](https://github.com/ruby/bigdecimal) | `4.0.1` | `4.1.1` |
| [minitest](https://github.com/minitest/minitest) | `6.0.2` | `6.0.3` |
| [rack](https://github.com/rack/rack) | `3.2.5` | `3.2.6` |
| [rack-session](https://github.com/rack/rack-session) | `2.1.1` | `2.1.2` |



Updates `puma` from 7.2.0 to 8.0.0
- [Release notes](https://github.com/puma/puma/releases)
- [Changelog](https://github.com/puma/puma/blob/main/History.md)
- [Commits](puma/puma@v7.2.0...v8.0.0)

Updates `haml_lint` from 0.72.0 to 0.73.0
- [Release notes](https://github.com/sds/haml-lint/releases)
- [Changelog](https://github.com/sds/haml-lint/blob/main/CHANGELOG.md)
- [Commits](sds/haml-lint@v0.72.0...v0.73.0)

Updates `rubocop` from 1.86.0 to 1.86.1
- [Release notes](https://github.com/rubocop/rubocop/releases)
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
- [Commits](rubocop/rubocop@v1.86.0...v1.86.1)

Updates `addressable` from 2.8.9 to 2.9.0
- [Changelog](https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md)
- [Commits](sporkmonger/addressable@addressable-2.8.9...addressable-2.9.0)

Updates `bigdecimal` from 4.0.1 to 4.1.1
- [Release notes](https://github.com/ruby/bigdecimal/releases)
- [Changelog](https://github.com/ruby/bigdecimal/blob/master/CHANGES.md)
- [Commits](ruby/bigdecimal@v4.0.1...v4.1.1)

Updates `minitest` from 6.0.2 to 6.0.3
- [Changelog](https://github.com/minitest/minitest/blob/master/History.rdoc)
- [Commits](minitest/minitest@v6.0.2...v6.0.3)

Updates `parallel` from 1.27.0 to 2.0.0
- [Changelog](https://github.com/grosser/parallel/blob/master/CHANGELOG.md)
- [Commits](grosser/parallel@v1.27.0...v2.0.0)

Updates `rack` from 3.2.5 to 3.2.6
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](rack/rack@v3.2.5...v3.2.6)

Updates `rack-session` from 2.1.1 to 2.1.2
- [Release notes](https://github.com/rack/rack-session/releases)
- [Changelog](https://github.com/rack/rack-session/blob/main/releases.md)
- [Commits](rack/rack-session@v2.1.1...v2.1.2)

Updates `regexp_parser` from 2.11.3 to 2.12.0
- [Changelog](https://github.com/ammar/regexp_parser/blob/master/CHANGELOG.md)
- [Commits](ammar/regexp_parser@v2.11.3...v2.12.0)

---
updated-dependencies:
- dependency-name: puma
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: bundler
- dependency-name: haml_lint
  dependency-version: 0.73.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: bundler
- dependency-name: rubocop
  dependency-version: 1.86.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: bundler
- dependency-name: addressable
  dependency-version: 2.9.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: bundler
- dependency-name: bigdecimal
  dependency-version: 4.1.1
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: bundler
- dependency-name: minitest
  dependency-version: 6.0.3
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: bundler
- dependency-name: parallel
  dependency-version: 2.0.0
  dependency-type: indirect
  update-type: version-update:semver-major
  dependency-group: bundler
- dependency-name: rack
  dependency-version: 3.2.6
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: bundler
- dependency-name: rack-session
  dependency-version: 2.1.2
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: bundler
- dependency-name: regexp_parser
  dependency-version: 2.12.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: bundler
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code labels Apr 9, 2026
@werebus werebus merged commit 733285e into main Apr 9, 2026
4 checks passed
@werebus werebus deleted the dependabot/bundler/bundler-afcd15cbdc branch April 9, 2026 22:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@werebus werebus werebus approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@werebus