
fix(deps): update dependency ruby to v3.4.9#28

Merged: koki-develop merged 1 commit into main from renovate/ruby-3.x on Apr 17, 2026

Conversation


@renovate renovate Bot commented Mar 17, 2026

This PR contains the following updates:

Package | Update | Change
ruby (source) | patch | 3.4.8 → 3.4.9

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.


github-actions Bot commented Mar 17, 2026

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Ruby 3.4.9 is a maintenance release published on March 11, 2026, primarily focusing on bug fixes and a critical security patch. Key changes include:

Security Fixes:

  • CVE-2026-27820: Buffer overflow vulnerability in Zlib::GzipReader - The zstream_buffer_ungets function failed to guarantee sufficient backing string capacity before memmove operations, potentially leading to memory corruption. Fixed by updating the bundled zlib gem to version 3.2.3.

Bug Fixes (19 commits across 28 files):

  • Fixed miscompilation on x86-64-v2 due to undefined behavior in search_nonascii (replaced unsafe pointer casting with safe memcpy)
  • Added integer overflow validation in IO::Buffer operations
  • Corrected negative bignum modulo calculations
  • Fixed Data object freezing for objects without members
  • Resolved segmentation faults in argument forwarding with splat operators via new pushtoarray instruction
  • Prevented excessive major GC cycles by allowing heap growth when slots are available
  • Protected temporary arrays in rb_str_format_m from premature garbage collection
  • Fixed post-fork deadlock on th->interrupt_lock by reinitializing locks in child processes
  • Corrected UnboundMethod#== to properly compare methods from included/extended modules
  • Updated objspace_dump to skip freed method entries when call caches are invalidated

Breaking Changes:

  • None identified. This is a standard patch release maintaining backward compatibility within the 3.4.x series.

🎯 Impact Scope Investigation

Direct Usage:
Ruby 3.4.9 is installed in the Docker image as a sandboxed runtime for executing user-submitted Ruby code. The runtime is accessed via:

  • internal/sandbox/runtime.go:223-268 - Ruby runtime implementation (rubyRuntime struct)
  • Dockerfile line 43 - Version specification via RUBY_VERSION ARG
  • Binary path: /mise/installs/ruby/current/bin/ruby (bind-mounted read-only into nsjail)

Testing Coverage:

  • E2E test suite at e2e/tests/runtime/ruby.yml validates core Ruby functionality (hello world, error handling, JSON, classes, regex, etc.)
  • Security tests across multiple files validate filesystem isolation, seccomp filtering, and namespace restrictions

Dependency Impact:

  • Ruby is managed independently via mise and has no direct dependency conflicts with other runtimes (Node.js, Go, Python, Rust, Bash)
  • The zlib gem update (3.2.3) is bundled with Ruby and does not affect other language runtimes
  • No changes to nsjail configuration, resource limits, or sandbox isolation required

Configuration Files:

💡 Recommended Actions

Immediate Actions:

  1. Merge the PR - This is a safe patch release with critical security fixes and no breaking changes
  2. Run E2E tests - Execute docker compose down && docker compose up --build -d followed by go test -tags e2e ./e2e/... to validate Ruby runtime functionality after the upgrade
  3. Monitor post-deployment - Verify Ruby sandbox executions work as expected in production

No Code Changes Required:

  • The version bump in the Dockerfile is the only necessary change
  • All existing Ruby code, tests, and configurations remain compatible
  • Resource limits (Limits() in runtime.go:251-266) remain appropriate for Ruby 3.4.9

Security Considerations:

  • CVE-2026-27820 addresses a memory corruption vulnerability in zlib compression operations
  • While the sandbox environment already provides strong isolation (nsjail namespaces, seccomp, cgroups), applying this security patch eliminates a potential attack vector
  • No additional hardening measures required

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
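A post-upgrade smoke check for the sandboxed Ruby runtime, added here as an example (it is not part of the project's E2E suite or of Ruby's own tests): it compares the interpreter version against the patched release and round-trips a constructed payload through Zlib::GzipReader#ungetc/#ungetbyte, the push-back path that sits on top of the zstream_buffer_ungets function the review above names. The helper names are hypothetical; the check only verifies correct behaviour and relies on nothing beyond Ruby's bundled zlib.

```ruby
require "zlib"
require "stringio"

# Hypothetical helper: true when `current` is at least `minimum`
# (dotted version strings, compared with RubyGems' Gem::Version).
def ruby_at_least?(minimum, current = RUBY_VERSION)
  Gem::Version.new(current) >= Gem::Version.new(minimum)
end

# Compress a constructed payload, read `unget_size` bytes out of it, push
# them back with GzipReader#ungetc (a whole string in one call) and
# GzipReader#ungetbyte (one byte), then read to EOF.
# Returns true only if the bytes that come out equal the original payload.
def gzip_unget_roundtrip(payload, unget_size)
  compressed = Zlib.gzip(payload)
  reader = Zlib::GzipReader.new(StringIO.new(compressed))
  head = reader.read(unget_size)
  return false if head.nil?          # nothing readable: treat as failure
  reader.ungetc(head)                # string push-back path
  reader.ungetbyte(reader.getbyte)   # single-byte push-back path
  rest = reader.read                 # everything, including pushed-back bytes
  reader.close
  rest == payload
end

if $PROGRAM_NAME == __FILE__
  puts "ruby #{RUBY_VERSION} >= 3.4.9: #{ruby_at_least?('3.4.9')}"
  # Constructed payload: several gzip buffer sizes' worth of repeated text.
  puts "gzip unget round-trip ok: #{gzip_unget_roundtrip("sandbox\n" * 4096, 4096)}"
end
```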

@renovate renovate Bot force-pushed the renovate/ruby-3.x branch from 1cc83d7 to 454ffc9 Compare March 17, 2026 09:57
@renovate renovate Bot force-pushed the renovate/ruby-3.x branch from 454ffc9 to 0f51fb7 Compare April 17, 2026 02:19
@koki-develop koki-develop merged commit d49e4ac into main Apr 17, 2026
8 checks passed
@koki-develop koki-develop deleted the renovate/ruby-3.x branch April 17, 2026 02:27