fix(deps): update dependency ruby to v4

[renovate]

This PR contains the following updates:

Package	Update	Change	Pending
ruby (source)	major	3.4.9 → 4.0.2	4.0.3

---

Release Notes

ruby/ruby (ruby)

v4.0.2: 4.0.2

Compare Source

What's Changed

• Bug #​21941: Local variable becomes nil when YJIT enabled mid-method with fork/signal/ensure - Ruby - Ruby Issue Tracking System
• Bug #​21832: segfault with argument forwarding, when combined with splat & positional arg - Ruby - Ruby Issue Tracking System
• Bug #​21723: binding.irb raises a LoadError under bundle exec when Gemfile contains path: or git: - Ruby - Ruby Issue Tracking System
• Bug #​21847: Backport syntax_suggest 2.0.3 to supported branches - Ruby - Ruby Issue Tracking System
• Bug #​21866: Backport Fix for integer overflow checks in enumerator - Ruby - Ruby Issue Tracking System
• Bug #​21865: Crash on signal raise - Ruby - Ruby Issue Tracking System
• Bug #​21842: Encoding of rb_interned_str - Ruby - Ruby Issue Tracking System
• Bug #​21838: Rails seeing degradation (20% slowdown) related to Revision 079ef92b "Implement global allocatable slots and empty pages" (from Sep 5 2024) - Ruby - Ruby Issue Tracking System
• Bug #​21873: UnboundMethod#== returns false for methods from included/extended modules - Ruby - Ruby Issue Tracking System
• ZJIT: Avoid runtime exceptions from RubyVM::ZJIT.stats_string by k0kubun · Pull Request #​16139
• Bug #​21931: GC Crash in String#% (backport 726205b354d1068147719fb42e1de743f1838ef1) - Ruby - Ruby Issue Tracking System
• Bug #​21944: "Cannot allocate memory" with M:N threads or Ractors on a low RAM Linux machine - Ruby - Ruby Issue Tracking System
• Bug #​21946: and? predicate confused for leading and keyword - Ruby - Ruby Issue Tracking System
• Bug #​21927: Prism: misleading error message for forwarding in lambda argument - Ruby - Ruby Issue Tracking System
• Bug #​21925: Prism misparses standalone "in" pattern matching in "case/in" - Ruby - Ruby Issue Tracking System
• Bug #​21828: An incorrect warning message related to benchmark is shown when using benchmark-ips - Ruby - Ruby Issue Tracking System
• Bug #​21917: Unable to build 4.0.1 on AIX 7.2 - Ruby - Ruby Issue Tracking System
• Bug #​21945: Ripper lexes newline between identifier and and? as ignored newline - Ruby - Ruby Issue Tracking System
• Bug #​21947: Timeout.timeout doesn't use Timeout::ExitException when Fiber scheduler is in use. - Ruby - Ruby Issue Tracking System
• Bug #​21926: Thread#value on popen3 wait thread hangs in finalizer - Ruby - Ruby Issue Tracking System
• Bug #​21880: The ultra_safe mode of pstore bundled with Ruby 4.0 is broken. - Ruby - Ruby Issue Tracking System
• Bug #​21097: x = a rescue b in c and def f = a rescue b in c parsed differently between parse.y and prism - Ruby - Ruby Issue Tracking System

Note: This list is automatically generated by tool/gen-github-release.rb. Because of this, some commits may be missing.

Full Changelog

v4.0.1: 4.0.1

Compare Source

What's Changed

• Bug #​21812: Kernel#sleep without arguments returns immediately when subprocess exits in another thread (regression in Ruby 4.0) - Ruby - Ruby Issue Tracking System
• Bug #​21828: An incorrect warning message related to benchmark is shown when using benchmark-ips - Ruby - Ruby Issue Tracking System
• Bug #​21811: Fix underflow in Array#pack - Ruby - Ruby Issue Tracking System
• Bug #​21814: 0.pow(2,-9999999999999999990) should be zero - Ruby - Ruby Issue Tracking System
• Bug #​21819: A Data object should be frozen even if it has no members - Ruby - Ruby Issue Tracking System

Note: This list is automatically generated by tool/gen-github-release.rb. Because of this, some commits may be missing.

Full Changelog

v4.0.0: 4.0.0

See also:

• Release 3.5.0-preview1 · ruby/ruby
• Release 4.0.0-preview2 · ruby/ruby
• Release 4.0.0-preview3 · ruby/ruby

What's Changed

• Bump RDoc to 7.0.1 by st0012 · Pull Request #​15628
• make rb_singleton_class ractor safe by luke-gruber · Pull Request #​15591
• Remove assertion in encoded_iseq_trace_instrument by luke-gruber · Pull Request #​15616
• Bug #​21793: function name conflict of "mutex_trylock" on Solaris - Ruby - Ruby Issue Tracking System
• [DOC] small improvements to ractor class docs by luke-gruber · Pull Request #​15584
• Check for NULL fields in TYPEDDATA memsize functions by luke-gruber · Pull Request #​15633
• Feature #​21785: Add signed and unsigned LEB128 support to pack / unpack - Ruby - Ruby Issue Tracking System
• Fix rbs test failure caused by minitest6 by soutaro · Pull Request #​15643
• Fix: Do not check open_timeout twice by shioimm · Pull Request #​15626
• Fix: Specifying 0 should cause an immediate timeout by shioimm · Pull Request #​15641
• Bug #​21794: O_CLOEXEC is not available on Solaris 10 - Ruby - Ruby Issue Tracking System
• Fiber scheduler: invoke #io_write hook on IO flush by noteflakes · Pull Request #​15609
• Update NEWS.md for Fiber Scheduler by noteflakes · Pull Request #​15629
• Small documentation adjustments for new/updated features by zverok · Pull Request #​15634
• Add clarifications about the Enumerator.size by zverok · Pull Request #​15615
• Bug #​21792: 4.0.0-preview3: Build fails with --with-ext= when ENABLE_SHARED=yes: ruby/digest.h not found for rubyspec CAPI extensions - Ruby - Ruby Issue Tracking System
• [DOC] Enhancements for globals.md by BurdetteLamar · Pull Request #​15545
• Small improvements to doc/language/ractor.md by luke-gruber · Pull Request #​15588
• More doc improvements to ractor.md by luke-gruber · Pull Request #​15676
• Bump RDoc to 7.0.2 by st0012 · Pull Request #​15691
• [DOC] Improve ractor class docs (grammar, code examples) by luke-gruber · Pull Request #​15686
• [DOC] Languages in Examples by BurdetteLamar · Pull Request #​15697
• Bundle RBS 3.10.0 by soutaro · Pull Request #​15701
• Describe base code layout rules by zverok · Pull Request #​15696
• [DOC] Enhance Fiber::Scheduler docs by zverok · Pull Request #​15708
• [DOC] Cross-links between Japanese and English pages by BurdetteLamar · Pull Request #​15705
• ZJIT: Don't mark control-flow opcodes as invalidating locals by tekknolagi · Pull Request #​15694
• [DOC] Add back Rust 1.85.0 requirement to NEWS.md by chancancode · Pull Request #​15728

Note: This list is automatically generated by tool/gen-github-release.rb. Because of this, some commits may be missing.

Full Changelog

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ⚠️ Needs Manual Migration

🔍 Release Content Analysis

Major Changes in Ruby 4.0.0:

• First major version release since Ruby 3.0 (December 25, 2025)
• Introduction of Ruby::Box for object wrapping and ZJIT JIT compiler (experimental)
• Ractor API cleanup: Removed Ractor.yield, Ractor#take, and close methods
• Enhanced concurrency with fixes for Ractor deadlocks and race conditions
• Improved error messages (ArgumentError now shows both caller and callee context)

Breaking Changes:

1. Standard library removals:

   • CGI library removed (only cgi/escape remains)
   • SortedSet removed completely
   • Several gems moved to bundled gems: benchmark, fiddle, logger, ostruct, pstore, rdoc

2. Core behavior changes:

   • Process::Status#& and #>> operators removed
   • Net::HTTP no longer auto-sets Content-Type header for requests with body
   • *nil no longer calls nil.to_a
   • Binding#local_variables excludes numbered parameters (_1, _2) and it
   • Lines beginning with &&, ||, and, or now continue the previous line

3. Set class reimplemented in C:

   • Internal @hash instance variable no longer exists
   • #inspect output format changed from #<Set: {1, 2, 3}> to Set[1, 2, 3]
   • #to_set arguments deprecated

4. API deprecations:

   • ObjectSpace._id2ref deprecated

Bug Fixes (4.0.1 and 4.0.2):

• Fixed YJIT local variable corruption with fork/signal/ensure (#21941)
• Fixed segfault with argument forwarding and splat (#21832)
• Fixed GC crashes and memory allocation issues
• Fixed encoding and threading issues
• Parser fixes for Prism (new default parser)

Security Considerations:

• No critical security CVEs mentioned in 4.0.0-4.0.2 releases
• Bug fixes primarily address stability and correctness issues

🎯 Impact Scope Investigation

Direct Impact on Codebase:

1. E2E Test File Requiring Update (e2e/tests/security/dynamic_linker_attack.yml:101-102):

   • Hardcoded Ruby version path 3.4.0 in expected error messages
   • Path will change from /mise/installs/ruby/current/lib/ruby/3.4.0/fiddle.rb to /mise/installs/ruby/current/lib/ruby/4.0.0/fiddle.rb
   • Action Required: Update expected stderr/output strings to match Ruby 4.0.0 paths

2. Runtime Test Coverage (e2e/tests/runtime/ruby.yml):

   • Uses basic Ruby features: puts, require 'json', require_relative, classes, error handling
   • No breaking changes detected in tested features
   • All test cases use backward-compatible Ruby syntax and APIs

3. Runtime Implementation (internal/sandbox/runtime.go:223-268):

   • Ruby runtime configuration is version-agnostic
   • Uses symlink /mise/installs/ruby/current (version-independent)
   • No code changes required

4. Dependencies on Standard Library:

   • ✅ json - Core library, unaffected
   • ✅ fiddle - Moved to bundled gem but still included by default
   • ✅ No usage of removed libraries (CGI, SortedSet)
   • ✅ No usage of deprecated APIs (Process::Status#&, Net::HTTP auto-headers)

Compatibility Analysis:

• Ruby code in E2E tests uses only stable, backward-compatible features
• No reliance on breaking changes (Set internals, Binding API, splat behavior)
• Test code does not use logical operator line continuation edge cases

💡 Recommended Actions

Required Changes:

1. Update E2E Test File (Priority: High):

   File: e2e/tests/security/dynamic_linker_attack.yml
   Lines: 101-102
   
   Change:
   - stderr: "/mise/installs/ruby/current/lib/ruby/3.4.0/fiddle.rb:93:..."
   - output: "/mise/installs/ruby/current/lib/ruby/3.4.0/fiddle.rb:93:..."
   
   To:
   - stderr: "/mise/installs/ruby/current/lib/ruby/4.0.0/fiddle.rb:93:..."
   - output: "/mise/installs/ruby/current/lib/ruby/4.0.0/fiddle.rb:93:..."

2. Verification Steps (Post-merge):

   • Run full E2E test suite: go test -tags e2e ./e2e/...
   • Verify all Ruby runtime tests pass
   • Verify security tests (especially dynamic_linker_attack) produce expected output

3. Optional Improvements (Future consideration):

   • Consider making version paths in E2E tests more resilient using regex patterns instead of exact version strings
   • Monitor Ruby 4.0.3 release (marked as "Pending" in PR) for potential security fixes

Migration Complexity:

• Low - Single file change required (1 test expectation update)
• No production code changes needed
• No API breaking changes affecting sandbox functionality

Rollback Plan:

• If issues arise, revert Dockerfile change and E2E test update
• Ruby 3.4.9 remains supported upstream through at least end of 2026

🔗 Reference Links

• Ruby 4.0.0 Official Release Notes
• Ruby 4.0 Breaking Changes - Ruby Changes
• Ruby 4.0 Adoption Guide - RubyLearning Blog
• Ruby 4.0.2 Release on GitHub
• Everything You Need to Know About Ruby 4.0 - Honeybadger

Generated by koki-develop/claude-renovate-review