fix(deps): update dependency ruby to v4

[renovate]

This PR contains the following updates:

Package	Update	Change
ruby (source)	major	3.4.9 → 4.0.2

---

Release Notes

ruby/ruby (ruby)

v4.0.2: 4.0.2

Compare Source

What's Changed

• Bug #​21941: Local variable becomes nil when YJIT enabled mid-method with fork/signal/ensure - Ruby - Ruby Issue Tracking System
• Bug #​21832: segfault with argument forwarding, when combined with splat & positional arg - Ruby - Ruby Issue Tracking System
• Bug #​21723: binding.irb raises a LoadError under bundle exec when Gemfile contains path: or git: - Ruby - Ruby Issue Tracking System
• Bug #​21847: Backport syntax_suggest 2.0.3 to supported branches - Ruby - Ruby Issue Tracking System
• Bug #​21866: Backport Fix for integer overflow checks in enumerator - Ruby - Ruby Issue Tracking System
• Bug #​21865: Crash on signal raise - Ruby - Ruby Issue Tracking System
• Bug #​21842: Encoding of rb_interned_str - Ruby - Ruby Issue Tracking System
• Bug #​21838: Rails seeing degradation (20% slowdown) related to Revision 079ef92b "Implement global allocatable slots and empty pages" (from Sep 5 2024) - Ruby - Ruby Issue Tracking System
• Bug #​21873: UnboundMethod#== returns false for methods from included/extended modules - Ruby - Ruby Issue Tracking System
• ZJIT: Avoid runtime exceptions from RubyVM::ZJIT.stats_string by k0kubun · Pull Request #​16139
• Bug #​21931: GC Crash in String#% (backport 726205b354d1068147719fb42e1de743f1838ef1) - Ruby - Ruby Issue Tracking System
• Bug #​21944: "Cannot allocate memory" with M:N threads or Ractors on a low RAM Linux machine - Ruby - Ruby Issue Tracking System
• Bug #​21946: and? predicate confused for leading and keyword - Ruby - Ruby Issue Tracking System
• Bug #​21927: Prism: misleading error message for forwarding in lambda argument - Ruby - Ruby Issue Tracking System
• Bug #​21925: Prism misparses standalone "in" pattern matching in "case/in" - Ruby - Ruby Issue Tracking System
• Bug #​21828: An incorrect warning message related to benchmark is shown when using benchmark-ips - Ruby - Ruby Issue Tracking System
• Bug #​21917: Unable to build 4.0.1 on AIX 7.2 - Ruby - Ruby Issue Tracking System
• Bug #​21945: Ripper lexes newline between identifier and and? as ignored newline - Ruby - Ruby Issue Tracking System
• Bug #​21947: Timeout.timeout doesn't use Timeout::ExitException when Fiber scheduler is in use. - Ruby - Ruby Issue Tracking System
• Bug #​21926: Thread#value on popen3 wait thread hangs in finalizer - Ruby - Ruby Issue Tracking System
• Bug #​21880: The ultra_safe mode of pstore bundled with Ruby 4.0 is broken. - Ruby - Ruby Issue Tracking System
• Bug #​21097: x = a rescue b in c and def f = a rescue b in c parsed differently between parse.y and prism - Ruby - Ruby Issue Tracking System

Note: This list is automatically generated by tool/gen-github-release.rb. Because of this, some commits may be missing.

Full Changelog

v4.0.1: 4.0.1

Compare Source

What's Changed

• Bug #​21812: Kernel#sleep without arguments returns immediately when subprocess exits in another thread (regression in Ruby 4.0) - Ruby - Ruby Issue Tracking System
• Bug #​21828: An incorrect warning message related to benchmark is shown when using benchmark-ips - Ruby - Ruby Issue Tracking System
• Bug #​21811: Fix underflow in Array#pack - Ruby - Ruby Issue Tracking System
• Bug #​21814: 0.pow(2,-9999999999999999990) should be zero - Ruby - Ruby Issue Tracking System
• Bug #​21819: A Data object should be frozen even if it has no members - Ruby - Ruby Issue Tracking System

Note: This list is automatically generated by tool/gen-github-release.rb. Because of this, some commits may be missing.

Full Changelog

v4.0.0: 4.0.0

See also:

• Release 3.5.0-preview1 · ruby/ruby
• Release 4.0.0-preview2 · ruby/ruby
• Release 4.0.0-preview3 · ruby/ruby

What's Changed

• Bump RDoc to 7.0.1 by st0012 · Pull Request #​15628
• make rb_singleton_class ractor safe by luke-gruber · Pull Request #​15591
• Remove assertion in encoded_iseq_trace_instrument by luke-gruber · Pull Request #​15616
• Bug #​21793: function name conflict of "mutex_trylock" on Solaris - Ruby - Ruby Issue Tracking System
• [DOC] small improvements to ractor class docs by luke-gruber · Pull Request #​15584
• Check for NULL fields in TYPEDDATA memsize functions by luke-gruber · Pull Request #​15633
• Feature #​21785: Add signed and unsigned LEB128 support to pack / unpack - Ruby - Ruby Issue Tracking System
• Fix rbs test failure caused by minitest6 by soutaro · Pull Request #​15643
• Fix: Do not check open_timeout twice by shioimm · Pull Request #​15626
• Fix: Specifying 0 should cause an immediate timeout by shioimm · Pull Request #​15641
• Bug #​21794: O_CLOEXEC is not available on Solaris 10 - Ruby - Ruby Issue Tracking System
• Fiber scheduler: invoke #io_write hook on IO flush by noteflakes · Pull Request #​15609
• Update NEWS.md for Fiber Scheduler by noteflakes · Pull Request #​15629
• Small documentation adjustments for new/updated features by zverok · Pull Request #​15634
• Add clarifications about the Enumerator.size by zverok · Pull Request #​15615
• Bug #​21792: 4.0.0-preview3: Build fails with --with-ext= when ENABLE_SHARED=yes: ruby/digest.h not found for rubyspec CAPI extensions - Ruby - Ruby Issue Tracking System
• [DOC] Enhancements for globals.md by BurdetteLamar · Pull Request #​15545
• Small improvements to doc/language/ractor.md by luke-gruber · Pull Request #​15588
• More doc improvements to ractor.md by luke-gruber · Pull Request #​15676
• Bump RDoc to 7.0.2 by st0012 · Pull Request #​15691
• [DOC] Improve ractor class docs (grammar, code examples) by luke-gruber · Pull Request #​15686
• [DOC] Languages in Examples by BurdetteLamar · Pull Request #​15697
• Bundle RBS 3.10.0 by soutaro · Pull Request #​15701
• Describe base code layout rules by zverok · Pull Request #​15696
• [DOC] Enhance Fiber::Scheduler docs by zverok · Pull Request #​15708
• [DOC] Cross-links between Japanese and English pages by BurdetteLamar · Pull Request #​15705
• ZJIT: Don't mark control-flow opcodes as invalidating locals by tekknolagi · Pull Request #​15694
• [DOC] Add back Rust 1.85.0 requirement to NEWS.md by chancancode · Pull Request #​15728

Note: This list is automatically generated by tool/gen-github-release.rb. Because of this, some commits may be missing.

Full Changelog

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

This PR updates Ruby from 3.4.9 to 4.0.2, a major version upgrade spanning three releases (4.0.0, 4.0.1, 4.0.2).

Major Changes in Ruby 4.0

New Features:

• Ruby Box: Isolation/separation of monkey patches, global/class variables, and class/module definitions
• ZJIT Compiler: Next-generation JIT compiler (requires Rust 1.85.0+ to build, currently experimental)
• Ractor::Port: New messaging system replacing previous Ractor communication methods
• Set as Core Class: Set moved from stdlib to core, now implemented in C for better performance

Breaking Changes:

1. Set Class Changes: Set#inspect output format changed from #<Set: {1, 2, 3}> to Set[1, 2, 3]. Code depending on internal @hash variable will break
2. Removed Stdlib: CGI library removed from default gems (only cgi/escape remains), SortedSet requires separate gem installation
3. Process Creation: Kernel#open and IO with leading | removed (must use Kernel.system, backticks, or Open3)
4. Ractor API: Ractor.yield, #take, #close_outgoing, #close_incoming removed in favor of Ractor::Port
5. Binding API: Numbered parameters (_1, _2) and it no longer reported as local variables
6. Net::HTTP: No longer automatically sets Content-Type: application/x-www-form-urlencoded for requests with bodies
7. Process::Status: Operators & and >> removed (deprecated in 3.3)
8. *nil Unpacking: Now treated as "no arguments" without calling nil.to_a

Bug Fixes (4.0.1 → 4.0.2):

• Fixed local variable becomes nil when YJIT enabled mid-method with fork/signal/ensure (Bug #21941)
• Fixed segfault with argument forwarding combined with splat & positional arg (Bug #21832)
• Fixed binding.irb LoadError under bundle exec (Bug #21723)
• Fixed crash on signal raise (Bug #21865)
• Fixed GC crash in String#% (Bug #21931)
• Fixed "Cannot allocate memory" with M:N threads/Ractors on low RAM Linux (Bug #21944)
• Fixed Prism parser issues with pattern matching and lambda argument forwarding
• Fixed Timeout.timeout not using Timeout::ExitException with Fiber scheduler (Bug #21947)
• Fixed Rails performance degradation (20% slowdown) in memory allocator (Bug #21838)
• Fixed UnboundMethod#== returning false for methods from included/extended modules (Bug #21873)

Security Considerations

• No specific CVEs addressed in 4.0.0-4.0.2
• Note: Concurrent releases of Ruby 3.2.11 and 3.3.11 included zlib gem fix for CVE-2026-27820 (not directly related to this update)

🎯 Impact Scope Investigation

Usage Analysis in Codebase

Ruby Runtime Configuration:

• Location: Dockerfile:43, internal/sandbox/runtime.go:221-268
• Changes Required: Version number update only (handled by this PR)
• Installation Method: mise with ruby.compile=false setting

Current Ruby Usage:

1. Runtime Definition (internal/sandbox/runtime.go:221-268):

   • Command: /mise/installs/ruby/current/bin/ruby [entryFile]
   • Resource limits: 1024 MiB AS, 64 MiB Fsize, 256 MiB memory, 32 max PIDs
   • No restricted files
   • No dependency on Ruby stdlib features being removed

2. E2E Test Coverage (e2e/tests/runtime/ruby.yml):

   • 16 test cases covering: basic I/O, error handling, JSON, classes, blocks, strings, regex
   • Features Used: puts, require_relative, require 'json', JSON.parse/generate, Math::PI, exception handling, array/hash operations, string manipulation, regex
   • No Breaking Changes Detected: None of the test cases use Set, CGI, Process::Status#&/#>>, Ractor, pipe-based Kernel#open, or other removed features

3. Security Test Coverage (e2e/tests/security/*.yml):

   • Ruby used in various security tests (filesystem, network, syscall filtering)
   • Basic Ruby execution only, no advanced features

Dependency Impact:

• No other runtime dependencies on Ruby
• Go codebase only invokes Ruby binary via nsjail
• No shared libraries or FFI dependencies
• Mise tool supports Ruby 4.0.2 (confirmed available via mise-versions.jdx.dev)

Breaking Changes vs. Codebase Analysis

Breaking Change	Impact on Sandbox	Risk Level
Set API changes	❌ Not used	None
CGI/SortedSet removal	❌ Not used	None
Process creation via |	❌ Not used	None
Ractor API changes	❌ Not used	None
Binding API changes	❌ Not used	None
Net::HTTP changes	❌ Not used	None
Process::Status operators	❌ Not used	None
*nil unpacking	❌ Not used	None

Compatibility Verification:

• All E2E test features (JSON, Math, require_relative, exception handling) remain fully compatible
• Ruby stdlib features used in tests (json, math) are unaffected by breaking changes
• Basic language features (classes, blocks, iterators, strings, regex) have no breaking changes

💡 Recommended Actions

Immediate Actions

1. ✅ Merge PR: The update is safe to merge
2. ✅ Run E2E Tests: Execute docker compose down && docker compose up --build -d && go test -tags e2e ./e2e/... to verify all Ruby tests pass with 4.0.2
3. ✅ Monitor CI: Ensure all automated tests pass in CI/CD pipeline

Post-Merge Validation

1. Verify Ruby runtime installation completes successfully via mise in Docker build
2. Confirm all 16 Ruby E2E tests in e2e/tests/runtime/ruby.yml pass
3. Validate security tests using Ruby runtime continue to work as expected

No Migration Required

• No code changes needed in Go codebase
• No changes needed in Ruby test files
• No changes needed in nsjail configuration
• No changes needed in resource limits

Optional Future Considerations

• Monitor Ruby 4.0.x patch releases for additional bug fixes
• Consider documenting supported Ruby version for users submitting code via API
• Future: Evaluate ZJIT compiler when it reaches production stability (currently experimental)

🔗 Reference Links

Release Notes:

• Ruby 4.0.2 Release
• Ruby 4.0.1 Release
• Ruby 4.0.0 Release
• Ruby 4.0.0 Official Announcement
• Ruby 4.0.2 Official Announcement

Documentation:

• Ruby 4.0 Changes Reference
• Ruby 4.0 Adoption Guide
• Everything you need to know about Ruby 4.0
• Mise Ruby Plugin Documentation
• Mise Ruby 4.0.2 Version Availability

Bug Tracking:

• Full Changelog 4.0.1...4.0.2
• Full Changelog 4.0.0...4.0.1

Generated by koki-develop/claude-renovate-review