Bump the ruby-dependencies group with 3 updates #230

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/bundler/ruby-dependencies-d8f59b1db2

dependabot Bot commented on behalf of github Jun 1, 2026

Bumps the ruby-dependencies group with 3 updates: puma, bootsnap and spring.

Updates puma from 8.0.1 to 8.0.2

Release notes

Sourced from puma's releases.

v8.0.2

  • Bugfixes
    • Anchor PROXY protocol v1 regex to string start and enforce max line length to prevent injection via crafted request bodies (#3944)
    • Parse PROXY protocol header only on the first request per connection to prevent spoofing on keep-alive connections (#3944)

Security advisories

Changelog

Sourced from puma's changelog.

8.0.2 / 2026-05-27

  • Bugfixes
    • Anchor PROXY protocol v1 regex to string start and enforce max line length to prevent injection via crafted request bodies (#3944)
    • Parse PROXY protocol header only on the first request per connection to prevent spoofing on keep-alive connections (#3944)
Commits

Updates bootsnap from 1.24.1 to 1.24.5

Release notes

Sourced from bootsnap's releases.

v1.24.4

What's Changed

  • Fix several compatibility issues with Ruby 4.0.4, particularly the should not compile with coverage error. See #547.
  • Fix Bootsnap.enable_frozen_string_literal to work even when coverage is enabled. Unfortunately only possible on Ruby 4.0.4+. On older rubies if coverage is enabled a warning will be issued and the feature won't work.
  • Reduced cache files header size from 64 to 32 bytes, and got rid of the random padding element.
  • Avoid leaking a private method in Object when testing for Parse.y bugs.

Full Changelog: rails/bootsnap@v1.24.3...v1.24.4

v1.24.3

  • Fix the 1.24.2 workaround to parse Ruby files with UTF-8 even when the LANG environment variable is unset or set to C.

Full Changelog: rails/bootsnap@v1.24.2...v1.24.3

v1.24.2

What's Changed

  • Workaround two Ruby bugs in RubyVM::InstructionSequence.compile_file, that were causing files to be loaded with the old Ruby parser instead of Prism, causing issues with some pattern matching syntax. Ref: https://bugs.ruby-lang.org/issues/22023

Full Changelog: rails/bootsnap@v1.24.1...v1.24.2

Changelog

Sourced from bootsnap's changelog.

1.24.5

  • No longer load the config file by default when setup is done manually. This is so cli applications like homebrew don't mistakenly load another app's bootsnap config.

1.24.4

  • Fix several compatibility issues with Ruby 4.0.4, particularly the should not compile with coverage error. See #547.
  • Fix Bootsnap.enable_frozen_string_literal to work even when coverage is enabled. Unfortunately only possible on Ruby 4.0.4+. On older rubies if coverage is enabled a warning will be issued and the feature won't work.
  • Reduced cache files header size from 64 to 32 bytes, and got rid of the random padding element.
  • Avoid leaking a private method in Object when testing for Parse.y bugs.

1.24.3

  • Fix the 1.24.2 workaround to parse Ruby files with UTF-8 even when the LANG environment variable is unset or set to C.

1.24.2

  • Workaround two Ruby bugs in RubyVM::InstructionSequence.compile_file, that were causing files to be loaded with the old Ruby parser instead of Prism, causing issues with some pattern matching syntax. Ref: https://bugs.ruby-lang.org/issues/22023
Commits
  • d6ca050 Release 1.24.5
  • 579aa0e Merge pull request #552 from byroot/fix-bootsnap-config
  • 2884e89 Only load config file is directed to by .setup
  • 103a92b Merge pull request #551 from byroot/enable-fstr-global
  • 33c927d Update compiler options when global options change
  • 122db7f Simplify enable_frozen_string_literal(app_only: false)
  • 0d8a0a6 Release 1.24.4
  • 6ccc5eb Merge pull request #550 from byroot/fstr-and-coverage
  • 86e9586 Make Bootsnap.enable_frozen_string_literal work even with coverage on
  • 36c2224 Merge pull request #549 from byroot/integration-tests
  • Additional commits viewable in compare view

Updates spring from 4.4.2 to 4.6.0

Release notes

Sourced from spring's releases.

4.6.0

What's Changed

Full Changelog: rails/spring@v4.5.0...v4.6.0

4.5.0

What's Changed

New Contributors

Full Changelog: rails/spring@v4.4.2...v4.5.0

Changelog

Sourced from spring's changelog.

4.6.0

  • Add Spring.dangerously_allow_disabling_reloading opt-in to skip the :ensure_reloading_is_enabled initializer check, so projects that want to run with config.cache_classes = true / config.enable_reloading = false can. The default behavior (refuse to boot) is unchanged, as using this option requires a Rails application that uses lazy-loader for everything (most importantly, routes & i18n translations).

4.5.0

  • Skip spring without error if spring is not in installed bundler groups.

  • Adds a Spring.after_environment_load hook that runs immediately after the Rails application environment is loaded in the Spring server process, but before GC.compact/Process.warmup and before the server enters its wait loop. This hook enables applications to preload expensive test infrastructure (e.g. test helpers, fixture caches, datastore connections) into the Spring server so that forked test workers inherit that work via copy-on-write instead of paying it on every invocation.

  • Fixed crashes when a client disconnects mid-handshake (e.g. on connect timeout). Previously, Errno::EPIPE raised in Spring::Server#serve or Spring::Application#serve would propagate up through the accept loop and kill the process, leaving a stale socket that broke every subsequent client. Both crash sites are now rescued, including writes that happen inside the rescue Exception handler in Application#serve while reporting an earlier failure to the gone client.

  • Eagerly autoload framework base classes (ActionMailer::Base, ActionController::Base, ActionController::API) at the end of preload so their ActiveSupport.on_load hooks fire in the parent process. Without this, the reloader probe in #serve materializes Rails internals (notably Action View's CacheExpiry::ViewReloader) in a half-initialized state and triggers an expensive FileUpdateChecker rebuild on every prepend_view_path inside each fork. See rails/rails#51308 for the lazy-init contract this aligns with.

4.4.0

  • Revert the removal of UTF-8 force encoding in JSON loading.
  • Shush the backtrace_locations too.
  • Recommend setting enable_reloading on newer Rails version.
  • Drop support to end-of-life Ruby versions.
  • Fixed a bug that would crash the server if sending IO to the child failed.

4.3.0

  • Fix reloading issue in Ruby 3.3.
  • Fixed compatibility with --enable-frozen-string-literal.
  • Add embedded engines to default reload matcher.

4.2.1

  • Added Spring.connect_timeout and Spring.boot_timeout to allow to increase timeout for larger apps.
  • Spring.connect_timeout now default to 5 seconds instead of 1.

4.2.0

... (truncated)

Commits
  • b7f7970 Prepare for 4.6.0
  • 2ce1228 Merge pull request #755 from Korri/Korri/allow-disabled-reloading
  • 84d5c98 Add Spring.allow_reloading_disabled opt-in
  • b2fad71 Update development version to 4.0.3
  • 4e2bc90 Prepare 4.5.0
  • 3ca3498 Merge pull request #537 from boddhisattva/update-readme
  • 373254f Fix CHANGELOG entry
  • 45ae60e Merge pull request #684 from mkllnk/consider-only-requested-gems
  • f4935f8 Run without error if spring in uninstalled group
  • 306851f Specify file name where custom application root is required [ci skip]
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
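
The two puma 8.0.2 bugfixes quoted in the description above, sketched as an added Ruby example; this is not Puma's code and not part of the pull request. `Conn`, `feed_loose`, `feed_strict`, `replay` and the sample traffic are constructed for illustration, and the 107-byte limit is the maximum v1 line length given in the PROXY protocol specification.

```ruby
# Added illustration of the two Puma 8.0.2 changelog items; not Puma's code.
# All names and the sample traffic are constructed (documentation IP ranges).
PROXY_V1_MAX = 107 # longest valid v1 line, CRLF included (PROXY protocol spec)

# Unanchored: matches a PROXY line anywhere in the buffer, bodies included.
LOOSE_V1  = /PROXY (TCP4|TCP6) (\S+) (\S+) (\d+) (\d+)\r\n/
# \A pins the match to the first byte of the string.
STRICT_V1 = /\APROXY (TCP4|TCP6) (\S+) (\S+) (\d+) (\d+)\r\n/

class Conn
  attr_reader :client_addr

  def initialize(peer_addr)
    @client_addr = peer_addr # socket peer until a header at the start says otherwise
    @proxy_checked = false
  end

  # Pre-fix behaviour as the changelog describes it: every buffer is scanned.
  def feed_loose(buf)
    m = LOOSE_V1.match(buf.b)
    @client_addr = m[2] if m
    m ? m.pre_match + m.post_match : buf
  end

  # Hardened: first request on the connection only, anchored, length-capped.
  def feed_strict(buf)
    return buf if @proxy_checked
    @proxy_checked = true
    m = STRICT_V1.match(buf.b.byteslice(0, PROXY_V1_MAX))
    return buf unless m
    @client_addr = m[2]
    buf.byteslice(m[0].bytesize, buf.bytesize)
  end
end

# Constructed keep-alive session: the load balancer's header, then a later
# request whose body carries a PROXY-looking line.
LB_HEADER = "PROXY TCP4 198.51.100.10 10.0.0.5 51234 80\r\n"
FIRST  = LB_HEADER + "GET / HTTP/1.1\r\nHost: app\r\n\r\n"
SECOND = "POST /n HTTP/1.1\r\nHost: app\r\nContent-Length: 41\r\n\r\n" \
         "PROXY TCP4 203.0.113.7 10.0.0.5 4444 80\r\n"

# Returns the client address the server would record after each request.
def replay(mode)
  conn = Conn.new("10.0.0.2")
  [FIRST, SECOND].map { |buf| conn.public_send(mode, buf); conn.client_addr }
end
```

With `feed_loose` the recorded address changes after the second request; with `feed_strict` it stays at the value the load balancer supplied, which is the property to check for in access logs and IP-based controls after the upgrade.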

Bumps the ruby-dependencies group with 3 updates: [puma](https://github.com/puma/puma), [bootsnap](https://github.com/rails/bootsnap) and [spring](https://github.com/rails/spring).


Updates `puma` from 8.0.1 to 8.0.2
- [Release notes](https://github.com/puma/puma/releases)
- [Changelog](https://github.com/puma/puma/blob/main/History.md)
- [Commits](puma/puma@v8.0.1...v8.0.2)

Updates `bootsnap` from 1.24.1 to 1.24.5
- [Release notes](https://github.com/rails/bootsnap/releases)
- [Changelog](https://github.com/rails/bootsnap/blob/main/CHANGELOG.md)
- [Commits](rails/bootsnap@v1.24.1...v1.24.5)

Updates `spring` from 4.4.2 to 4.6.0
- [Release notes](https://github.com/rails/spring/releases)
- [Changelog](https://github.com/rails/spring/blob/main/CHANGELOG.md)
- [Commits](rails/spring@v4.4.2...v4.6.0)

---
updated-dependencies:
- dependency-name: puma
  dependency-version: 8.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: ruby-dependencies
- dependency-name: bootsnap
  dependency-version: 1.24.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: ruby-dependencies
- dependency-name: spring
  dependency-version: 4.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: ruby-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies (Pull requests that update a dependency file) and ruby (Pull requests that update ruby code) labels Jun 1, 2026
dependabot Bot requested a review from schneems as a code owner June 1, 2026 05:59