build(deps): bump the bundler group across 1 directory with 8 updates

[dependabot]

Bumps the bundler group with 8 updates in the / directory:

Package	From	To
puma	8.0.0	8.0.1
bigdecimal	4.1.1	4.1.2
json	2.19.3	2.19.5
minitest	6.0.3	6.0.6
multi_xml	0.8.1	0.9.0
mustermann	3.0.4	3.1.1
parallel	2.0.0	2.1.0
rake	13.3.1	13.4.2

Updates puma from 8.0.0 to 8.0.1

Release notes

Sourced from puma's releases.

v8.0.1

• Bugfixes

  • Fix prune_bundler stripping user-configured BUNDLE_* env vars (e.g. BUNDLE_WITHOUT) on re-exec, which caused workers to crash on boot (#3929)

• Performance

  • Use blocks for debug logging to avoid creating log messages when debug is disabled (#3920)

• Docs

  • Fix incorrect hook names in gRPC docs (#3923)
  • Reword v8 upgrade guide IPv6 bullet for clarity (#3928)

Changelog

Sourced from puma's changelog.

8.0.1 / 2026-04-27

• Bugfixes

  • Fix prune_bundler stripping user-configured BUNDLE_* env vars (e.g. BUNDLE_WITHOUT) on re-exec, which caused workers to crash on boot (#3929)

• Performance

  • Use blocks for debug logging to avoid creating log messages when debug is disabled (#3920)

• Docs

  • Fix incorrect hook names in gRPC docs (#3923)
  • Reword v8 upgrade guide IPv6 bullet for clarity (#3928)

Commits

• cee7e61 Release v8.0.1 (#3932)
• f955caf Fix prune_bundler stripping user-configured BUNDLE_* env vars on re-exec (#3929)
• 97996aa ci: test_error_logger.rb - fix TruffleRuby error (#3930)
• 03825bc Build(deps): Bump actions/github-script from 8 to 9 (#3925)
• 053efae Reword v8 upgrade guide ipv6 bullet (#3928)
• b19f35a Fix incorrect hook names in gRPC docs (#3923)
• eeabe4b Use blocks for debug logging to avoid creating messages if debug disabled (#3...
• See full diff in compare view

Updates bigdecimal from 4.1.1 to 4.1.2

Release notes

Sourced from bigdecimal's releases.

v4.1.2

What's Changed

• Optimize BigDecimal#to_s by @​byroot in ruby/bigdecimal#519
• Fix calloc-transposed-args warning by @​nobu in ruby/bigdecimal#520
• Use '0'+n for converting single digit to char by @​tompng in ruby/bigdecimal#521
• Revert "Add a workaround for slow BigDecimal#to_f when it has large N_significant_digits" by @​tompng in ruby/bigdecimal#522
• BigMath.exp overflow/underflow check by @​tompng in ruby/bigdecimal#523
• Fix unary minus on unsigned type warning by @​tompng in ruby/bigdecimal#525
• Update dtoa to version from Ruby 4.0 by @​jhawthorn in ruby/bigdecimal#528
• Bump version to v4.1.2 by @​tompng in ruby/bigdecimal#529

New Contributors

• @​jhawthorn made their first contribution in ruby/bigdecimal#528

Full Changelog: ruby/bigdecimal@v4.1.1...v4.1.2

Changelog

Sourced from bigdecimal's changelog.

4.1.2

• Fix dtoa Ractor-safety bug. Update dtoa to version from Ruby 4.0 GH-528

  @​jhawthorn

• Optimize BigDecimal#to_s GH-519

  @​byroot

Commits

• 9160561 Bump version to v4.1.2 (#529)
• 8050ec7 Update dtoa to version from Ruby 4.0 (#528)
• f8a02b2 Merge pull request #526 from ruby/dependabot/github_actions/step-security/har...
• ac9a5cd Bump step-security/harden-runner from 2.16.1 to 2.17.0
• 6b51b99 Fix unary minus on unsigned type warning (#525)
• 50b80b1 BigMath.exp overflow/underflow check (#523)
• fc54487 Revert "Add a workaround for slow BigDecimal#to_f when it has large N_signifi...
• 72937b7 Use '0'+n for converting single digit to char (#521)
• 8ac1498 Merge pull request #517 from ruby/dependabot/github_actions/rubygems/release-...
• 3c89db5 Merge pull request #518 from ruby/dependabot/github_actions/step-security/har...
• Additional commits viewable in compare view

Updates json from 2.19.3 to 2.19.5

Release notes

Sourced from json's releases.

v2.19.5

What's Changed

• Cap the parser to emit a maximum of 5 deprecation warnings per document. Emitting more is not helpful.

Full Changelog: ruby/json@v2.19.4...v2.19.5

v2.19.4

What's Changed

• Fix parsing of out of range floats (very large exponents that lead to either 0.0 or Inf).

Full Changelog: ruby/json@v2.19.2...v2.19.4

Changelog

Sourced from json's changelog.

2026-05-04 (2.19.5)

• Cap the parser to emit a maximum of 5 deprecation warnings per document. Emitting more is not helpful.

2026-04-19 (2.19.4)

• Fix parsing of out of range floats (very large exponents that lead to either 0.0 or Inf).

Commits

• 4a1a4a4 Release 2.19.5
• f6ca597 Avoid spamming too many deprecations while parsing
• fa0671c Test TruffleRuby release in CI for improved stability
• cfbe356 Force ensure_valid_encoding to be inlined.
• 4ef7a45 Use RB_ENC_CODERANGE to first check the cached coderange before calling rb_en...
• 7dd6b63 Fix typo in changelog
• 6688a81 Release 2.19.4
• f1e6163 Fix references to NAN and INFINITY in documentation comments
• 18d5475 Reduce warnings
• 1072482 Fix parsing of negative out of bound floats.
• Additional commits viewable in compare view

Updates minitest from 6.0.3 to 6.0.6

Changelog

Sourced from minitest's changelog.

=== 6.0.6 / 2026-04-30

• 2 bug fixes:

  • Fix using assert_equal/same/nil w/ BasicObject by comparing w/ nil == exp. (mtasaka)
  • Removed private Assertions#_where as it is no longer used.

=== 6.0.5 / 2026-04-20

• 2 bug fixes:

  • Avoid circular requires in lib/minitest/server_plugin.rb.
  • Raise TypeError if assert_raises is passed anything but modules/classes.

=== 6.0.4 / 2026-04-14

• 1 bug fix:

  • Fixed refute_predicate to call assert_respond_to w/ include_all:true like assert_predicate does. (jparker)

Commits

• f6180b0 prepped for release
• 23bc7f2 - Removed private Assertions#_where as it is no longer used.
• c471347 - Fix using assert_equal/same/nil w/ BasicObject by comparing w/ nil == exp...
• 89c3e62 Branching minitest to version 6.0.5
• 6790f86 - Raise TypeError if assert_raises is passed anything but modules/classes.
• 235fa5b - Avoid circular requires in lib/minitest/server_plugin.rb.
• 5f0482e prepped for release
• b12f87f - Fixed refute_predicate to call assert_respond_to w/ include_all:true like a...
• See full diff in compare view

Updates multi_xml from 0.8.1 to 0.9.0

Changelog

Sourced from multi_xml's changelog.

0.9.0

• Add MultiXML.with_parser for fiber-local scoped parser overrides, matching MultiJSON.with_adapter. The override lives in Fiber[:multi_xml_parser], so concurrent fibers and threads each see their own parser without racing on a shared module variable; nested calls save and restore the previous value.
• Add MultiXML.parse_options / MultiXML.parse_options= for process-wide default options, matching MultiJSON.parse_options. Accepts a Hash or a callable (Proc/lambda); a callable receives the call-site hash as its sole positional argument so defaults can be computed per-call. Defaults merge between DEFAULT_OPTIONS and call-site overrides.
• Introduce MultiXML::Parser base module — built-in parsers declare their backend exception class via a ParseError constant, matching the MultiJSON::Adapter convention. Custom parsers can either extend MultiXML::Parser and define ParseError or keep defining a .parse_error method directly; both styles are accepted.
• Add MultiXML::ParserLoadError, raised when the parser spec is invalid, requiring the parser file raises LoadError, or the resolved parser doesn't satisfy the contract (must respond to .parse and define either a ParseError constant or a .parse_error method). Inherits from ArgumentError and carries the original exception's class name in its message, matching MultiJSON::AdapterError.
• Rename MultiXml constant to MultiXML (all caps), matching the style of MultiJSON. The old MultiXml constant continues to work but emits a one-time deprecation warning on first use and will be removed in v1.0.
• Add MultiXML.load as a deprecated alias for MultiXML.parse, matching the style of MultiJSON.load → MultiJSON.parse. Will be removed in v1.0.
• Rename the :symbolize_keys option to :symbolize_names, matching Ruby stdlib's JSON.parse and MultiJSON. The old option continues to work but emits a one-time deprecation warning; it will be removed in v1.0.
• Add :namespaces option to MultiXML.parse for consistent namespace handling across parsers — two modes produce byte-identical output on every backend:
  • :strip (default) — drop xmlns declarations and prefixes; keeps today's libxml/nokogiri output so most users see no change
  • :preserve — keep source prefixes (e.g. "atom:rel") and surface xmlns / xmlns:* declarations as attributes
• Fix REXML keeping attribute prefixes ("gd:etag") while other backends stripped them (#31)
• Fix Ox prepending namespace prefixes to element names ("aws:Item") when other backends didn't (#30)
• Handle namespaced attribute name collisions consistently across backends. When attributes with different prefixes strip to the same local name (e.g. foo:id and bar:id both becoming id), values are collected in an array in document order, with attribute values ahead of any colliding child elements. The libxml SAX parser falls back to its DOM backend in this case since the SAX callback drops attribute prefixes.
• Fix Ox mixed-content text aggregation in the SAX parser
• Raise ArgumentError on an unknown :namespaces mode
• undasherize_keys now runs only in :strip mode so prefixed keys aren't rewritten under :preserve
• Reorder PARSER_PREFERENCE so oga is tried before rexml, matching the throughput ranking in the bundled benchmark suite. Affects auto-detection only when neither ox, libxml-ruby, nor nokogiri is available; explicitly selecting a parser is unchanged.
• Use a TruffleRuby-specific PARSER_PREFERENCE ordering (rexml, libxml, oga, nokogiri) since TruffleRuby's JIT favors pure-Ruby parsers and penalizes FFI-bound ones. On other engines the default ordering is unchanged.
• Add a parser benchmark suite (rake benchmark) and document per-engine throughput rankings in the README. CI verifies that PARSER_PREFERENCE matches the benchmark ranking on MRI, JRuby, and TruffleRuby.
• Restore JRuby support (dropped in 0.8.0) and add TruffleRuby (native + JVM) to the CI matrix, matching the test coverage of MultiJSON. TruffleRuby is excluded from Windows runners since the setup-ruby action doesn't support it there.
• Add Ruby 4.0 to the CI matrix
• Support libxml-ruby 6.0.0 by switching from require "libxml" (removed in 6.0) to require "libxml-ruby", which is present in both 5.x and 6.x
• Drop redundant ::Psych::SyntaxError declaration from the RBS signature to fix a "Different superclasses are specified" type-checking error under rbs v4

Commits

• f785ca1 Bump version to 0.9.0
• 9164cc4 Skip Ox tests on TruffleRuby
• d4887e3 Replace benchmark scores in README with per-engine preference table
• af45aad Tolerate noise in PARSER_PREFERENCE verifier
• d6f805e Add TruffleRuby-specific PARSER_PREFERENCE
• 4143002 Verify PARSER_PREFERENCE on JRuby in addition to MRI
• d770884 Verify PARSER_PREFERENCE matches benchmark ranking in CI
• 182fa34 Reorder PARSER_PREFERENCE to match benchmark throughput
• 8b1c84b Refresh benchmark ranking table in README
• 9c0e7e1 Promote benchmark:parsers to a top-level rake benchmark task
• Additional commits viewable in compare view

Updates mustermann from 3.0.4 to 3.1.1

Changelog

Sourced from mustermann's changelog.

Changelog

Mustermann follows Semantic Versioning 2.0. Anything documented in the README or via YARD and not declared private is part of the public API.

Unreleased changes

Mustermann 4.0.1

Performance improvements

• Reduce memory usage by deduplicating internal data structures. This is especially effective when using large Mustermann::Set objects. #159 #160 @​byroot

Stable Releases

Mustermann 4.0.0 (2026-04-27)

Breaking changes

• Mustermann::Pattern#match will now return Mustermann::Match instead of either MatchData or Mustermann::SimpleMatch. This object behaves similar to the previous return values, but also implements #params and #pattern.
• Moved Mustermann::Mapper and Mustermann::PatternCache from mustermann to mustermann-contrib.
• Removed special code for Sinatra 1.x. If you want to use Mustermann with Sinatra, please upgrade to any of the Sinatra versions released since 2017.

New features

• Mustermann::Rails now supports Rails up to version 8.2 (previously 5.0).
• Added Mustermann::Hybrid, a pattern that's a union of Sinatra, Rails and URI Template syntax. It is designed to be as compatible as possible with all three syntaxes.
• Added Mustermann::Set to mustermann, which is a collection of patterns with associated values, designed for building routing tables that dispatch efficiently as the number of routes grows.
• Reintroduce Mustermann::Router, now based on Mustermann::Set, for demonstration purposes and use in small applications or middleware. Simple and fast.
• The capture option now supports special class and symbol values, that both set an expected capture pattern and define a params converter.
• Mustermann::Pattern#+ and Mustermann::Pattern#| now return single patterns instead of composite patterns in significantly more cases, like having non-overlapping captures.
• Nicer inspect and pretty_print for patterns and other objects.

Here's an example using Mustermann::Hybrid, Mustermann::Set, and the new capture options:

require "mustermann/set"
set = Mustermann::Set.new(type: :hybrid, capture: { id: Integer, user_id: Integer, slug: :slug })
adding values is optional
set.add "/users",                "users.index"
set.add "/users/:id",            "users.show"
set.add "/posts",                "posts.index"
set.add "/users/:user_id/posts", "posts.index"
set.add "/posts/:id(-:slug)",    "posts.show" # slug is optional
match = set.match("/posts/42-awesome-post")
id is automatically converted to an Integer, and slug is available as a string
</tr></table>

... (truncated)

Commits

• 7445f32 remove visualizer injection into inspect and pretty_print, fixes #153
• e7721d8 Fix markup in README
• a33272b Move Rails pattern documentation from mustermann-contrib to mustermann
• 5cfd230 Fix code example
• 656eb61 Fix typo
• 518fb7e Increase version to 3.1.1
• 8fd53a0 Improve Mustermann::Pattern#hash to reduce the chance of collisions on JRuby ...
• 6b1eddc fix load order issue when loading mustermann/expander directly
• c163eaf Merge branch 'main' into reduce-gem-size
• 418233e bump version to 3.1.0
• Additional commits viewable in compare view

Updates parallel from 2.0.0 to 2.1.0

Changelog

Sourced from parallel's changelog.

2.1.0

Added

• support different serializers
• support for HMac verified serializer to secure hardened environments

2.0.1

Added

• require mfa for gem release

Commits

• cd5ba09 v2.1.0
• 71eb9a3 Merge pull request #373 from grosser/grosser/hmac
• 1fdf79a prevent pipe injection
• fa1cc25 Merge pull request #372 from tagliala/chore/remove-regex-match
• 9aed9a4 Prefer String#include? and match? over =~
• de62c89 Merge pull request #371 from tagliala/chore/remove-old-spec
• 1df9204 Remove stale Darwin hwprefs spec
• d20c207 Merge pull request #368 from grosser/grosser/speed
• a55c3bc speed up tests
• f9c570b v2.0.1
• Additional commits viewable in compare view

Updates rake from 13.3.1 to 13.4.2

Commits

• 503b8ec v13.4.2
• 46038e7 Merge pull request #723 from ruby/fix/testopts-preserve-existing-value
• 604a3d9 Isolate TESTOPTS env in TestRakeTestTask setup/teardown
• 5886caa Preserve ENV["TESTOPTS"] when verbose is enabled
• 92193ac v13.4.1
• b74be0b Merge pull request #721 from ruby/fix/add-options-to-gemspec
• 829f66d Add lib/rake/options.rb to gemspec
• 2d55bc4 v13.4.0
• 1415070 Exclude dependabot updates from release note
• b3dc948 Merge pull request #713 from pvdb/simplify_standard_system_dir
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions