fix(deps): update dependency ruby to v4

[renovate]

This PR contains the following updates:

Package	Update	Change
ruby (source)	major	3.4.9 → 4.0.3

---

Release Notes

ruby/ruby (ruby)

v4.0.3: 4.0.3

Compare Source

What's Changed

• Prohibit def_method on marshal-loaded ERB instances (CVE-2026-41316)

Full Changelog

v4.0.2: 4.0.2

Compare Source

What's Changed

• Bug #​21941: Local variable becomes nil when YJIT enabled mid-method with fork/signal/ensure - Ruby - Ruby Issue Tracking System
• Bug #​21832: segfault with argument forwarding, when combined with splat & positional arg - Ruby - Ruby Issue Tracking System
• Bug #​21723: binding.irb raises a LoadError under bundle exec when Gemfile contains path: or git: - Ruby - Ruby Issue Tracking System
• Bug #​21847: Backport syntax_suggest 2.0.3 to supported branches - Ruby - Ruby Issue Tracking System
• Bug #​21866: Backport Fix for integer overflow checks in enumerator - Ruby - Ruby Issue Tracking System
• Bug #​21865: Crash on signal raise - Ruby - Ruby Issue Tracking System
• Bug #​21842: Encoding of rb_interned_str - Ruby - Ruby Issue Tracking System
• Bug #​21838: Rails seeing degradation (20% slowdown) related to Revision 079ef92b "Implement global allocatable slots and empty pages" (from Sep 5 2024) - Ruby - Ruby Issue Tracking System
• Bug #​21873: UnboundMethod#== returns false for methods from included/extended modules - Ruby - Ruby Issue Tracking System
• ZJIT: Avoid runtime exceptions from RubyVM::ZJIT.stats_string by k0kubun · Pull Request #​16139
• Bug #​21931: GC Crash in String#% (backport 726205b354d1068147719fb42e1de743f1838ef1) - Ruby - Ruby Issue Tracking System
• Bug #​21944: "Cannot allocate memory" with M:N threads or Ractors on a low RAM Linux machine - Ruby - Ruby Issue Tracking System
• Bug #​21946: and? predicate confused for leading and keyword - Ruby - Ruby Issue Tracking System
• Bug #​21927: Prism: misleading error message for forwarding in lambda argument - Ruby - Ruby Issue Tracking System
• Bug #​21925: Prism misparses standalone "in" pattern matching in "case/in" - Ruby - Ruby Issue Tracking System
• Bug #​21828: An incorrect warning message related to benchmark is shown when using benchmark-ips - Ruby - Ruby Issue Tracking System
• Bug #​21917: Unable to build 4.0.1 on AIX 7.2 - Ruby - Ruby Issue Tracking System
• Bug #​21945: Ripper lexes newline between identifier and and? as ignored newline - Ruby - Ruby Issue Tracking System
• Bug #​21947: Timeout.timeout doesn't use Timeout::ExitException when Fiber scheduler is in use. - Ruby - Ruby Issue Tracking System
• Bug #​21926: Thread#value on popen3 wait thread hangs in finalizer - Ruby - Ruby Issue Tracking System
• Bug #​21880: The ultra_safe mode of pstore bundled with Ruby 4.0 is broken. - Ruby - Ruby Issue Tracking System
• Bug #​21097: x = a rescue b in c and def f = a rescue b in c parsed differently between parse.y and prism - Ruby - Ruby Issue Tracking System

Note: This list is automatically generated by tool/gen-github-release.rb. Because of this, some commits may be missing.

Full Changelog

v4.0.1: 4.0.1

Compare Source

What's Changed

• Bug #​21812: Kernel#sleep without arguments returns immediately when subprocess exits in another thread (regression in Ruby 4.0) - Ruby - Ruby Issue Tracking System
• Bug #​21828: An incorrect warning message related to benchmark is shown when using benchmark-ips - Ruby - Ruby Issue Tracking System
• Bug #​21811: Fix underflow in Array#pack - Ruby - Ruby Issue Tracking System
• Bug #​21814: 0.pow(2,-9999999999999999990) should be zero - Ruby - Ruby Issue Tracking System
• Bug #​21819: A Data object should be frozen even if it has no members - Ruby - Ruby Issue Tracking System

Note: This list is automatically generated by tool/gen-github-release.rb. Because of this, some commits may be missing.

Full Changelog

v4.0.0: 4.0.0

See also:

• Release 3.5.0-preview1 · ruby/ruby
• Release 4.0.0-preview2 · ruby/ruby
• Release 4.0.0-preview3 · ruby/ruby

What's Changed

• Bump RDoc to 7.0.1 by st0012 · Pull Request #​15628
• make rb_singleton_class ractor safe by luke-gruber · Pull Request #​15591
• Remove assertion in encoded_iseq_trace_instrument by luke-gruber · Pull Request #​15616
• Bug #​21793: function name conflict of "mutex_trylock" on Solaris - Ruby - Ruby Issue Tracking System
• [DOC] small improvements to ractor class docs by luke-gruber · Pull Request #​15584
• Check for NULL fields in TYPEDDATA memsize functions by luke-gruber · Pull Request #​15633
• Feature #​21785: Add signed and unsigned LEB128 support to pack / unpack - Ruby - Ruby Issue Tracking System
• Fix rbs test failure caused by minitest6 by soutaro · Pull Request #​15643
• Fix: Do not check open_timeout twice by shioimm · Pull Request #​15626
• Fix: Specifying 0 should cause an immediate timeout by shioimm · Pull Request #​15641
• Bug #​21794: O_CLOEXEC is not available on Solaris 10 - Ruby - Ruby Issue Tracking System
• Fiber scheduler: invoke #io_write hook on IO flush by noteflakes · Pull Request #​15609
• Update NEWS.md for Fiber Scheduler by noteflakes · Pull Request #​15629
• Small documentation adjustments for new/updated features by zverok · Pull Request #​15634
• Add clarifications about the Enumerator.size by zverok · Pull Request #​15615
• Bug #​21792: 4.0.0-preview3: Build fails with --with-ext= when ENABLE_SHARED=yes: ruby/digest.h not found for rubyspec CAPI extensions - Ruby - Ruby Issue Tracking System
• [DOC] Enhancements for globals.md by BurdetteLamar · Pull Request #​15545
• Small improvements to doc/language/ractor.md by luke-gruber · Pull Request #​15588
• More doc improvements to ractor.md by luke-gruber · Pull Request #​15676
• Bump RDoc to 7.0.2 by st0012 · Pull Request #​15691
• [DOC] Improve ractor class docs (grammar, code examples) by luke-gruber · Pull Request #​15686
• [DOC] Languages in Examples by BurdetteLamar · Pull Request #​15697
• Bundle RBS 3.10.0 by soutaro · Pull Request #​15701
• Describe base code layout rules by zverok · Pull Request #​15696
• [DOC] Enhance Fiber::Scheduler docs by zverok · Pull Request #​15708
• [DOC] Cross-links between Japanese and English pages by BurdetteLamar · Pull Request #​15705
• ZJIT: Don't mark control-flow opcodes as invalidating locals by tekknolagi · Pull Request #​15694
• [DOC] Add back Rust 1.85.0 requirement to NEWS.md by chancancode · Pull Request #​15728

Note: This list is automatically generated by tool/gen-github-release.rb. Because of this, some commits may be missing.

Full Changelog

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ⚠️ Needs Manual Migration

🔍 Release Content Analysis

Version Jump: Ruby 3.4.9 → 4.0.3 (Major version upgrade)

Major Changes:

• Ruby 4.0.0 (Dec 25, 2025): Major release celebrating Ruby's 30th anniversary
• Ruby 4.0.1 (Jan 13, 2026): Bug fixes for sleep, Array#pack, pow, Data object
• Ruby 4.0.2 (Mar 16, 2026): Bug fixes for YJIT, argument forwarding, binding.irb, enumerator, signal handling, encoding, GC, Prism parser issues
• Ruby 4.0.3 (Latest): Security fix for CVE-2026-41316 (ERB deserialization vulnerability)

Breaking Changes:

1. Fiddle gem moved to bundled gem status: Fiddle is no longer a default gem and requires explicit Gemfile entry
2. Standard library changes: benchmark, irb, logger, ostruct, pstore, rdoc, readline, reline moved to bundled gems
3. CGI library removed: Only cgi/escape functions retained
4. Ractor API overhaul: Ractor.yield and Ractor#take removed, replaced with Ractor::Port mechanism
5. Set class reimplementation: Internal @hash instance variable removed, behavior changes
6. Net::HTTP behavior change: No longer automatically sets Content-Type header to application/x-www-form-urlencoded
7. Binding methods: Numbered parameters (_1, _2) no longer appear in local_variables
8. Language changes: Lines starting with &&/|| or and/or now recognized as continuations

Security Fixes:

• CVE-2026-41316: ERB deserialization vulnerability allowing arbitrary code execution via Marshal.load on untrusted data (fixed in 4.0.3)

New Features:

• ZJIT compiler (experimental): New JIT compiler requiring Rust 1.85.0+, enabled with --zjit flag (not production-ready)
• Ruby Box (experimental): Isolated execution environments for definitions
• Ractor improvements: Performance optimizations and new Ractor::Port API

🎯 Impact Scope Investigation

Direct Usage Locations:

1. Dockerfile (line 43): ARG RUBY_VERSION=4.0.3
2. mise.toml (line 8): ruby = "4.0.3"
3. internal/sandbox/runtime.go (lines 222-283): Ruby runtime configuration
4. internal/sandbox/defaults/ruby/Gemfile: Pre-installed gem configuration
5. internal/sandbox/defaults/ruby/Gemfile.lock: Bundler 2.6.9

Critical Dependency: The sandbox pre-installs the fiddle gem (1.1.8) which is used in:

• E2E test: e2e/tests/runtime/ruby.yml (line 374-398) - Tests fiddle availability
• Security test: e2e/tests/security/dynamic_linker_attack.yml (line 86-106) - Tests that fiddle cannot load arbitrary shared objects

Breaking Change Impact:

• CRITICAL: In Ruby 4.0, fiddle became a bundled gem (no longer default gem)
• The existing Gemfile already includes gem "fiddle", "1.1.8", which means the sandbox architecture is already prepared for this change
• The Bundler setup with BUNDLE_PATH=/mise/ruby-bundle and RUBYOPT=-rbundler/setup ensures fiddle remains accessible

Test Compatibility:

• Ruby E2E tests use basic Ruby features (puts, classes, JSON, arrays, exceptions, regex) - fully compatible
• Security tests expect specific error patterns from fiddle - compatible (fiddle behavior unchanged, only loading mechanism)
• E2E test regex patterns use \\d+\\.\\d+\\.\\d+ for version matching - version-agnostic and compatible

Rust Version Compatibility:

• Sandbox uses Rust 1.94.1 (Dockerfile line 74, mise.toml line 9)
• Ruby 4.0's ZJIT compiler requires Rust 1.85.0+ only if building Ruby with ZJIT enabled
• The sandbox uses pre-built Ruby binaries from mise, not building from source
• No conflict: ZJIT requirement does not affect the sandbox

Backward Compatibility:

• No code in the sandbox uses removed APIs (Ractor, Process::Status operators, CGI, SortedSet)
• No custom Set subclasses or reliance on internal @hash instance variable
• No code parsing backtraces that would break from internal frame filtering
• Gemfile/Gemfile.lock are restricted files (users cannot override) - safe

💡 Recommended Actions

Required Actions:

1. Verify Bundler Version Compatibility:

   • Current Gemfile.lock shows BUNDLED WITH 2.6.9
   • Ruby 4.0.3 ships with its own Bundler version
   • Action: After Docker build, verify Bundler compatibility with the existing Gemfile.lock

2. Update Rust Toolchain Reference (Optional):

   • internal/sandbox/runtime.go:487 hardcodes RUSTUP_TOOLCHAIN=1.94.1
   • This is for the Rust runtime (sandbox user code), not Ruby
   • Action: No change required (separate concern)

3. Monitor E2E Test Results:

   • Wait for CI/CD pipeline completion to verify all Ruby E2E tests pass
   • Specifically monitor: e2e/tests/runtime/ruby.yml and e2e/tests/runtime/ruby_stdin.yml
   • Security tests in e2e/tests/security/dynamic_linker_attack.yml must still pass

4. Validate Fiddle Gem Availability:

   • Confirm fiddle gem loads successfully via Bundler setup
   • Test that require 'fiddle' works in sandbox execution
   • Verify Fiddle::SIZEOF_VOIDP returns expected value (8 on amd64/arm64)

Merge Decision:

✅ Safe to merge AFTER:

• All E2E tests pass (currently pending)
• Build completes successfully (currently pending)
• No regression in fiddle gem functionality

⚠️ Risk Level: LOW-MEDIUM

• Main concern: fiddle gem loading mechanism change
• Mitigation: Existing Gemfile already includes fiddle explicitly
• Ruby 4.0 is designed for backward compatibility with 3.x code

Post-Merge Monitoring:

• Monitor production logs for any Ruby-related errors
• Watch for Bundler-related issues or gem loading failures
• Verify security sandbox isolation remains effective

🔗 Reference Links

Official Ruby Documentation:

• Ruby 4.0.0 Released
• Ruby 4.0.3 Release Notes
• CVE-2026-41316 Security Advisory

Upgrade Guides:

• Ruby 4.0 Adoption Guide
• Ruby 4.0 Changes - Ruby Changes
• Everything you need to know about Ruby 4.0 - Honeybadger

Bundled Gems:

• Preparing for Ruby 4.0: Ten Gems Moving to Bundled
• Standard Gems: fiddle

ZJIT Compiler:

• ZJIT Documentation - Ruby 4.0
• Ruby 4.0 Released With Ruby Box Isolation and New ZJIT Compiler

Generated by koki-develop/claude-renovate-review