Build(deps-dev): Bump spring from 4.3.0 to 4.4.0 (#953)

rsmithlal · web-flow · commit a70d80068069 · 2025-08-08T13:48:26.000-02:30
Bumps [spring](https://github.com/rails/spring) from 4.3.0 to 4.4.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rails/spring/releases">spring's releases</a>.</em></p> <blockquote> <h2>4.4.0</h2> <h2>What's Changed</h2> <ul> <li>Revert the removal of UTF-8 force encoding in JSON loading by <a href="https://github.com/paracycle"><code>@​paracycle</code></a> in <a href="https://redirect.github.com/rails/spring/pull/738">rails/spring#738</a></li> <li>Shush the <code>backtrace_locations</code>, too by <a href="https://github.com/amomchilov"><code>@​amomchilov</code></a> in <a href="https://redirect.github.com/rails/spring/pull/740">rails/spring#740</a></li> <li>Recommend setting <code>enable_reloading</code> on newer Rails versions by <a href="https://github.com/nvasilevski"><code>@​nvasilevski</code></a> in <a href="https://redirect.github.com/rails/spring/pull/715">rails/spring#715</a></li> <li>Drop support to end-of-life Ruby versions by <a href="https://github.com/rafaelfranca"><code>@​rafaelfranca</code></a> in <a href="https://redirect.github.com/rails/spring/pull/743">rails/spring#743</a></li> <li>Prevent server crash by restarting child by <a href="https://github.com/prognostikos"><code>@​prognostikos</code></a> in <a href="https://redirect.github.com/rails/spring/pull/727">rails/spring#727</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/paracycle"><code>@​paracycle</code></a> made their first contribution in <a href="https://redirect.github.com/rails/spring/pull/738">rails/spring#738</a></li> <li><a href="https://github.com/vfonic"><code>@​vfonic</code></a> made their first contribution in <a href="https://redirect.github.com/rails/spring/pull/742">rails/spring#742</a></li> <li><a href="https://github.com/fynsta"><code>@​fynsta</code></a> made their first contribution in <a href="https://redirect.github.com/rails/spring/pull/722">rails/spring#722</a></li> <li><a href="https://github.com/amomchilov"><code>@​amomchilov</code></a> made their first contribution in <a href="https://redirect.github.com/rails/spring/pull/740">rails/spring#740</a></li> <li><a href="https://github.com/prognostikos"><code>@​prognostikos</code></a> made their first contribution in <a href="https://redirect.github.com/rails/spring/pull/728">rails/spring#728</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/rails/spring/compare/v4.3.0...v4.4.0">https://github.com/rails/spring/compare/v4.3.0...v4.4.0</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/rails/spring/blob/main/CHANGELOG.md">spring's changelog</a>.</em></p> <blockquote> <h2>4.4.0</h2> <ul> <li>Revert the removal of UTF-8 force encoding in JSON loading.</li> <li>Shush the <code>backtrace_locations</code> too.</li> <li>Recommend setting <code>enable_reloading</code> on newer Rails version.</li> <li>Drop support to end-of-life Ruby versions.</li> <li>Fixed a bug that would crash the server if sending IO to the child failed.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/rails/spring/commit/ebfa6fb3e452741015ce9907db45e82a7fe13185"><code>ebfa6fb</code></a> Prepare for 4.4.0 release</li> <li><a href="https://github.com/rails/spring/commit/a60a2cfd5438a7011241dd19ca2b8e2bd595557d"><code>a60a2cf</code></a> Update CHANGELOG</li> <li><a href="https://github.com/rails/spring/commit/af6440b30a565bbcbdad08968c5d4547c649e378"><code>af6440b</code></a> Merge pull request <a href="https://redirect.github.com/rails/spring/issues/727">#727</a> from prognostikos/prevent-child-errors-from-crashing-...</li> <li><a href="https://github.com/rails/spring/commit/884859369f81c91cc45627f3889062092b6e4055"><code>8848593</code></a> Prevent server crash by restarting child</li> <li><a href="https://github.com/rails/spring/commit/5f2de871d9dc83a0e7db5854e5305fbfae3cd92a"><code>5f2de87</code></a> Officially drop support to Ruby 2.7 and 3.0</li> <li><a href="https://github.com/rails/spring/commit/e83bdee6a6b3bcb0a7f850ffd2115865a6b74f56"><code>e83bdee</code></a> Merge pull request <a href="https://redirect.github.com/rails/spring/issues/743">#743</a> from rails/rm-ci</li> <li><a href="https://github.com/rails/spring/commit/5819ef40f696e6bb2f33bea9c2c7bc9fa94b6007"><code>5819ef4</code></a> Merge pull request <a href="https://redirect.github.com/rails/spring/issues/728">#728</a> from prognostikos/refine-rails-version-documentation</li> <li><a href="https://github.com/rails/spring/commit/6b4e860a32252a65bcc3bc1338ad4cebec801793"><code>6b4e860</code></a> Merge pull request <a href="https://redirect.github.com/rails/spring/issues/715">#715</a> from Shopify/ask-to-set-enable-reloading-if-available</li> <li><a href="https://github.com/rails/spring/commit/74d6bd646b3b05adac324779ceeba47f4b9f83f9"><code>74d6bd6</code></a> Merge pull request <a href="https://redirect.github.com/rails/spring/issues/740">#740</a> from Shopify/amomchilov/shush-backtrace_locations</li> <li><a href="https://github.com/rails/spring/commit/181320770ff7f3f69a7be99b8eabfe9c38e9ca49"><code>1813207</code></a> Merge pull request <a href="https://redirect.github.com/rails/spring/issues/722">#722</a> from fynsta/patch-1</li> <li>Additional commits viewable in <a href="https://github.com/rails/spring/compare/v4.3.0...v4.4.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=spring&package-manager=bundler&previous-version=4.3.0&new-version=4.4.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
diff --git a/.github/workflows/brakeman.yml b/.github/workflows/brakeman.yml
@@ -1,18 +1,9 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-# This workflow integrates Brakeman with GitHub's Code Scanning feature
-# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications
-
 name: Brakeman Scan
 
 on:
   push:
     branches: [ "main" ]
   pull_request:
-    # The branches below must be a subset of the branches above
     branches: [ "main" ]
   schedule:
     - cron: '26 3 * * 0'
@@ -22,37 +13,38 @@ permissions:
 
 jobs:
   brakeman-scan:
-    permissions:
-      contents: read # for actions/checkout to fetch code
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     name: Brakeman Scan
+    # Option A: stay on latest (24.04) – requires up-to-date setup-ruby
     runs-on: ubuntu-latest
+    # Option B (fallback): force older image if you prefer
+    # runs-on: ubuntu-22.04
+
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+
     steps:
-    # Checkout the repository to the GitHub Actions runner
-    - name: Checkout
-      uses: actions/checkout@v3
-
-    # Customize the ruby version depending on your needs
-    - name: Setup Ruby
-      uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
-      with:
-        ruby-version: '3.2'
-
-    - name: Setup Brakeman
-      env:
-        BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+
-      run: |
-        gem install brakeman --version $BRAKEMAN_VERSION
-
-    # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
-    - name: Scan
-      continue-on-error: true
-      run: |
-        brakeman -f sarif -o output.sarif.json .
-
-    # Upload the SARIF file generated in the previous step
-    - name: Upload SARIF
-      uses: github/codeql-action/upload-sarif@v2
-      with:
-        sarif_file: output.sarif.json
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Ruby
+        # Use the rolling v1 tag so you get fixes for new runner images
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.2'   # or your exact patch, e.g. '3.2.2'
+          # bundler-cache not needed since we install brakeman directly
+
+      - name: Setup Brakeman
+        run: |
+          gem install brakeman
+
+      - name: Scan (SARIF)
+        continue-on-error: true
+        run: |
+          brakeman -f sarif -o output.sarif.json .
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: output.sarif.json
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -741,7 +741,7 @@ GEM
       simplecov_json_formatter (~> 0.1)
     simplecov-html (0.13.1)
     simplecov_json_formatter (0.1.4)
-    spring (4.3.0)
+    spring (4.4.0)
     spring-watcher-listen (2.1.0)
       listen (>= 2.7, < 4.0)
       spring (>= 4)
