
fix(deps): update dependency ruby to v3.4.9 #28

Open

renovate[bot] wants to merge 1 commit into main from renovate/ruby-3.x

Conversation

@renovate (renovate bot, Contributor) commented Mar 17, 2026

This PR contains the following updates:

| Package | Update | Change |
| --- | --- | --- |
| ruby (source) | patch | 3.4.8 → 3.4.9 |

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@github-actions (bot) commented

Renovate PR Review Results

⚖️ Safety Assessment: ⚠️ Needs Manual Migration

🔍 Release Content Analysis

Ruby 3.4.9 Release (March 11, 2026)

Ruby 3.4.9 is a patch release that includes critical bug fixes and a security update:

Security Fix:

  • CVE-2026-27820: Buffer overflow vulnerability in Zlib::GzipReader. The zstream_buffer_ungets function fails to guarantee the backing Ruby string has enough capacity before the memmove shifts existing data, potentially leading to memory corruption. The bundled zlib gem has been updated to version 3.2.3 or later to address this vulnerability.

Bug Fixes (11 critical issues resolved):

  • Fixed undefined behavior in string processing
  • Resolved integer overflow in IO::Buffer that could lead to out-of-bounds memory access
  • Corrected splatted argument mutation with unexpected keyword arguments
  • Fixed parser instruction generation differences between parse.y and prism
  • Fixed 0.pow(2,-9999999999999999990) to return zero correctly
  • Ensured Data objects are frozen even without members
  • Fixed underflow in Array#pack
  • Resolved 20% slowdown regression in garbage collection
  • Fixed GC crash in String#% operations
  • Addressed potential deadlocks in Process.fork
  • Corrected UnboundMethod#== for methods from included/extended modules

Breaking Changes:

  • None reported. This is a backward-compatible patch release.

🎯 Impact Scope Investigation

Files Requiring Updates:

The PR only updates the Dockerfile (line 42: ARG RUBY_VERSION=3.4.9), but additional files contain hardcoded references to Ruby 3.4.8 that will cause runtime failures:

  1. internal/sandbox/runtime.go (lines 228, 232, 236):

    • Hardcoded Ruby binary path: /mise/installs/ruby/3.4.8/bin/ruby
    • Hardcoded bind mount path: /mise/installs/ruby/3.4.8
    • Hardcoded PATH environment variable: PATH=/mise/installs/ruby/3.4.8/bin:/usr/bin:/bin
  2. e2e/tests/security/dynamic_linker_attack.yml:

    • Expected error output contains hardcoded path /mise/installs/ruby/3.4.8/lib/ruby/3.4.0/fiddle.rb
  3. e2e/tests/security/filesystem.yml:

    • Test code references hardcoded path /mise/installs/ruby/3.4.8/test

Impact Analysis:

  • The Docker image will install Ruby 3.4.9 at /mise/installs/ruby/3.4.9/
  • The Go runtime configuration still references the old path /mise/installs/ruby/3.4.8/
  • This mismatch will cause all Ruby sandbox executions to fail because the binary won't be found at the expected path
  • E2E tests will fail due to path mismatches in expected output

Dependency Impact:

  • No other language runtimes are affected (Node.js, Go, Python, Rust, TypeScript, Bash)
  • No changes to nsjail configuration or security policies required
  • Resource limits and sandbox isolation settings remain unchanged

💡 Recommended Actions

Required Code Changes:

  1. Update internal/sandbox/runtime.go (lines 228, 232, 236):

```go
// Change from:
return []string{"/mise/installs/ruby/3.4.8/bin/ruby", entryFile}
return []BindMount{{Src: "/mise/installs/ruby/3.4.8", Dst: "/mise/installs/ruby/3.4.8"}}
return []string{"PATH=/mise/installs/ruby/3.4.8/bin:/usr/bin:/bin"}

// To:
return []string{"/mise/installs/ruby/3.4.9/bin/ruby", entryFile}
return []BindMount{{Src: "/mise/installs/ruby/3.4.9", Dst: "/mise/installs/ruby/3.4.9"}}
return []string{"PATH=/mise/installs/ruby/3.4.9/bin:/usr/bin:/bin"}
```
  2. Update e2e/tests/security/dynamic_linker_attack.yml:

    • Replace all occurrences of /mise/installs/ruby/3.4.8/ with /mise/installs/ruby/3.4.9/
    • Update expected stderr/output paths from 3.4.8 to 3.4.9
  3. Update e2e/tests/security/filesystem.yml:

    • Replace /mise/installs/ruby/3.4.8/test with /mise/installs/ruby/3.4.9/test

Testing Steps:

  1. Apply all code changes mentioned above
  2. Rebuild Docker image: docker compose down && docker compose up --build -d
  3. Run E2E tests: go test -tags e2e ./e2e/...
  4. Verify all Ruby runtime tests pass: e2e/tests/runtime/ruby.yml
  5. Verify security tests pass with updated paths

Merge Strategy:

  • DO NOT merge the PR as-is — it will break Ruby runtime execution
  • Either:
    • Request the PR author to include the Go code and E2E test updates, OR
    • Merge this PR along with a follow-up commit that updates all hardcoded paths

Security Considerations:

  • The zlib CVE-2026-27820 fix is important for production environments
  • The bug fixes address memory safety issues and potential crashes
  • No new security vulnerabilities introduced by this update

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
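The root cause the review describes is three copies of the Ruby install path living in runtime.go while the Dockerfile holds a fourth in `ARG RUBY_VERSION`. The following Go is an added example, not code from the repository or from the review: it derives the binary path, bind mount and PATH from one version value and adds a drift check that parses the Dockerfile's `ARG RUBY_VERSION=` line, so the next Renovate bump fails a unit test instead of breaking every sandbox run. `BindMount`'s shape and the `RubyRuntime` type are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// BindMount mirrors the type used in the reviewed runtime.go (assumed shape).
type BindMount struct{ Src, Dst string }

// RubyRuntime derives every Ruby path from one version string, so the binary
// path, bind mount and PATH cannot drift apart the way the hardcoded ones did.
type RubyRuntime struct{ Version string }

func (r RubyRuntime) root() string { return "/mise/installs/ruby/" + r.Version }

// Command is the argv the sandbox executes for entryFile.
func (r RubyRuntime) Command(entryFile string) []string {
	return []string{r.root() + "/bin/ruby", entryFile}
}

// Mounts lists the bind mounts the sandbox needs; Env is the process environment.
func (r RubyRuntime) Mounts() []BindMount { return []BindMount{{Src: r.root(), Dst: r.root()}} }
func (r RubyRuntime) Env() []string { return []string{"PATH=" + r.root() + "/bin:/usr/bin:/bin"} }

// DockerfileRubyVersion extracts the value of "ARG RUBY_VERSION=..." from
// Dockerfile contents, i.e. the only Ruby version the image actually installs.
func DockerfileRubyVersion(dockerfile string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(dockerfile))
	for sc.Scan() {
		if v, ok := strings.CutPrefix(strings.TrimSpace(sc.Text()), "ARG RUBY_VERSION="); ok {
			return strings.TrimSpace(v), nil
		}
	}
	return "", fmt.Errorf("ARG RUBY_VERSION not found in Dockerfile")
}

// CheckVersionDrift fails when the image and the runtime config disagree,
// which is exactly the mismatch the review predicts for this PR.
func CheckVersionDrift(dockerfile string, rt RubyRuntime) error {
	v, err := DockerfileRubyVersion(dockerfile)
	if err != nil {
		return err
	}
	if v != rt.Version {
		return fmt.Errorf("ruby version drift: Dockerfile installs %s, runtime expects %s", v, rt.Version)
	}
	return nil
}
```

Wiring `CheckVersionDrift` into a `go test` that reads the real Dockerfile turns a silent path mismatch into a red CI check on the Renovate PR itself.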

@renovate (renovate bot) force-pushed the renovate/ruby-3.x branch from 1cc83d7 to 454ffc9 on March 17, 2026 09:57