Bump bootsnap from 1.24.5 to 1.24.6

[dependabot]

Bumps bootsnap from 1.24.5 to 1.24.6.

Changelog

Sourced from bootsnap's changelog.

1.24.6

• Fix detection of Ruby bug #22023 on some patch versions of Ruby 3.4, and properly apply the workaround.

Commits

• 026e183 Release 1.24.6
• 263e346 Merge pull request #556 from byroot/remove-canary
• 7c31cd8 Check for [Bug #22023] by checking Ruby version rather than a canary
• 54eba76 Merge pull request #554 from byroot/namespace-overflow
• fe963d5 bs_cache_path: account for namespace length
• 7b42db6 Merge pull request #553 from arpitjain099/chore/declare-workflow-perms
• 113b184 ci: add permissions: contents: read to ci
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[github-actions]

Test coverage

91.64% line coverage reported by SimpleCov.
Run: https://github.com/RaspberryPiFoundation/editor-api/actions/runs/27607709042

[cursor]

Dependabot assessment: bootsnap 1.24.5 → 1.24.6

Verdict: Safe to merge — lockfile-only patch bump; CI lint and full test suite passed on this commit.

Safety of merging

• bootsnap 1.24.6 fixes Ruby bug #22023 detection (version-based instead of a compile-time canary) and tightens cache-path length validation when a namespace is set. This project runs Ruby 4.0.5, which is above the affected 4.0.x range (< 4.0.4), so the ISeq workaround should not apply here.
• msgpack 1.8.2 (transitive) fixes a low-level Buffer#clear memory-reset bug (CVE-pending); this is a security improvement, not a regression risk.
• Bootsnap is only required from config/boot.rb; no application code depends on its API.

Concerns unlikely to be caught by tests:

• Boot-time / compile-cache behaviour — ISeq and YAML compile caching can differ subtly between bootsnap versions; the suite exercises app logic, not cold-boot or cache-hit paths.
• Stale bootsnap cache after deploy — if boot errors appear post-merge, clearing tmp/cache/bootsnap* on affected hosts is the usual fix (rare for patch bumps).
• msgpack C-extension edge cases — the buffer fix is in native code paths bootsnap uses for serialization; unlikely to surface in normal request/job specs.

Proposed fixes

None — no test failures, deprecations, or code changes required.

Local testing

Could not run the suite in this environment (no Docker/Ruby 4.0.5 available). Verified via GitHub Actions instead: lint and test both success on 8eed45c.

  

_{Sent by Cursor Automation: Editor-* - Tests Dependabot PRs}

[cursor]

Dependabot assessment: bootsnap 1.24.5 → 1.24.6

Verdict: safe to merge — no code changes required.

CI / local testing

• lint: pass (505 files, no offenses)
• test: pass (2467 examples, 0 failures)
• Local: Ruby/Docker unavailable in this environment; verification relied on GitHub Actions.

Safety of merging

Lockfile-only bump (bootsnap 1.24.6, transitive msgpack 1.8.2). Standard require 'bootsnap/setup' in config/boot.rb.

Concerns unlikely to be caught by the test suite:

• Boot-time caching — bootsnap optimises cold boot / compile-cache behaviour; specs exercise the app after boot, not cache correctness across fresh deploys or long-lived instances.
• msgpack 1.8.2 — fixes a MessagePack::Buffer pool reset bug (CVE-pending). Bootsnap uses msgpack for cache serialization; the suite does not directly exercise that low-level path.
• Limited functional delta on Ruby 4.0.5 — the 1.24.6 Ruby #22023 workaround mainly affects Ruby 3.3/3.4 and 4.0.0–4.0.3; this repo is on 4.0.5, so the practical change here is mostly the namespace path-length guard plus the msgpack patch.
• Persistent cache dirs — if a host reuses a bootsnap cache directory across gem upgrades, a process restart (or tmp/cache clear) is the usual recovery; not covered by CI.

Proposed fixes

None — CI is green and no new gem deprecations were observed from this bump.

  

_{Sent by Cursor Automation: Editor-* - Tests Dependabot PRs}