Upgrade Ruby to 4.0.3#14830

Open
Bo98 wants to merge 4 commits into dependabot:main from Bo98:ruby-4.0

Conversation

Bo98 commented Apr 27, 2026

What are you trying to accomplish?

Dependabot does not currently support Ruby 4.0 and updates (including security updates) are now failing:

Handled error whilst updating erb: tool_version_not_supported {"tool-name": "ruby", "detected-version": ">= 4.0", "supported-versions": "1.8.7, 1.9.3, 2.0.0, 2.1.10, 2.2.10, 2.3.8, 2.4.10, 2.5.9, 2.6.9, 2.7.6, 3.0.6, 3.1.6, 3.2.8, 3.3.8, 3.4.8"}

Ruby 4.0 has been out for a few months so let's try to get Dependabot to support it.

This pull request does a couple other things to support the upgrade:

  • Replaces parser/current with the Prism translation layer for parser.
    • parser/current does not support Ruby 4.0 (and didn't exactly support 3.4 fully either).
    • Prism however doesn't have a nice replacement for TreeRewriter right now: Modifying AST and generating source code ruby/prism#3466
    • You can however use Prism with Parser::TreeRewriter by using the translation layer. This is what RuboCop also does.
    • While parser/current is no longer supported in Ruby 4.0, the rest of the parser gem still is.
    • Therefore this is probably all we need to close Migrate from parser to prism #12403 for now, unless you want to keep it open for when Prism adds the rewriting API.
  • Updates require "cgi" to require "cgi/escape".
    • The cgi gem was removed in Ruby 4.0, except for cgi/escape which is all we need anyway.
    • There were many files that required it but didn't use it, so some of the requires have been shifted around to reflect where CGI escaping was really used.

Anything you want to highlight for special attention from reviewers?

This pull request does not update RubyGems/Bundler to 4.0. This can be done separately and is tracked in #13934. I've explored it a bit and it doesn't seem too difficult to do but may require a decision on whether a dual install of Bundler v2 and v4 needs to be kept around in the container for multiple global sources support (the rest of the changes seem to be backwards compatible enough).

How will you know you've accomplished your goal?

Ruby 4.0 projects no longer error when Dependabot tries to update them.

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
    • I ran the Bundler test suite as running them all locally seems difficult.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.
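The `cgi/escape` point above, as an added illustration that is not code from this PR or from Dependabot: a hypothetical authenticated-URL builder of the kind `authed_url_builder.rb` stands for, written against only `require "cgi/escape"` so it works on Ruby 4.0 where the rest of the `cgi` library is gone. The function names, the registry URL and the sample credentials are assumptions constructed for the example.

```ruby
require "cgi/escape" # the escaping half of the old cgi library; the only part left in Ruby 4.0
require "uri"

# Hypothetical builder (not Dependabot's): percent-encodes each credential
# separately, so that "@", ":" or "/" inside a username or token cannot be
# misread as the userinfo/host/path delimiters of the resulting URL.
def build_authed_url(base_url, username, password)
  uri = URI.parse(base_url)
  uri.userinfo = "#{CGI.escape(username)}:#{CGI.escape(password)}"
  uri.to_s
end

# Reverse operation: split the raw userinfo on the first ":" and decode each part.
# The encoding is passed explicitly because the default used to be set by cgi/util,
# which is not loaded when only cgi/escape is required.
def credentials_from_url(url)
  user, pass = URI.parse(url).userinfo.to_s.split(":", 2)
  [CGI.unescape(user.to_s, "UTF-8"), CGI.unescape(pass.to_s, "UTF-8")]
end

# Constructed sample: credentials containing every delimiter that matters.
SAMPLE_USER = "alice@corp"
SAMPLE_PASS = "p@ss:w/rd"
SAMPLE_URL = build_authed_url("https://registry.example/simple/", SAMPLE_USER, SAMPLE_PASS)

if __FILE__ == $PROGRAM_NAME
  puts SAMPLE_URL                     # https://alice%40corp:p%40ss%3Aw%2Frd@registry.example/simple/
  puts URI.parse(SAMPLE_URL).host     # registry.example
  p credentials_from_url(SAMPLE_URL)  # ["alice@corp", "p@ss:w/rd"]
end
```

Without the per-component escaping, the "@" inside the username would end the userinfo early and the URL would parse with the wrong host or not at all.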

Bo98 added 2 commits April 27, 2026 04:53
`require "cgi"` is deprecated in Ruby 4.0 but `require "cgi/escape"` is not.
The parser gem does not support parsing Ruby 4.0 syntax. Its TreeRewriter functionality however can still be used.
Copilot AI left a comment

Pull request overview

Updates Dependabot Core’s Ruby runtime/tooling to support Ruby 4.0 projects (and avoid Ruby 4 incompatibilities), including switching Bundler rewriters off parser/current and adjusting CGI requires.

Changes:

  • Upgrade the Dependabot runtime Ruby version to 4.0.3 (Docker + dev tooling) and extend Bundler’s supported Ruby version selection to include Ruby 4.0.
  • Replace parser/current usage with Prism’s translation layer for Bundler Gemfile/gemspec rewriting while keeping Parser::TreeRewriter.
  • Update CGI requires for Ruby 4 compatibility (remove unused require "cgi"; use require "cgi/escape" where escaping/unescaping is needed) and adjust related specs/fixtures.

Reviewed changes

Copilot reviewed 47 out of 48 changed files in this pull request and generated 1 comment.

File | Description
Dockerfile.updater-core | Bumps base Ruby image to 4.0.3-bookworm.
.ruby-version | Updates repo Ruby version to 4.0.3.
.devcontainer/devcontainer.json | Updates devcontainer Ruby feature to 4.0.3.
bundler/lib/dependabot/bundler/file_updater/ruby_requirement_setter.rb | Adds Ruby 4.0.3 to supported versions; switches parsing to Prism translation.
bundler/lib/dependabot/bundler/file_updater/requirement_replacer.rb | Switches parsing from parser/current to Prism translation.
bundler/lib/dependabot/bundler/file_updater/git_source_remover.rb | Switches parsing from parser/current to Prism translation.
bundler/lib/dependabot/bundler/file_updater/git_pin_replacer.rb | Switches parsing from parser/current to Prism translation.
bundler/lib/dependabot/bundler/file_updater/gemspec_sanitizer.rb | Switches parsing from parser/current to Prism translation.
bundler/helpers/v2/monkey_patches/definition_ruby_version_patch.rb | Updates injected Ruby "spec" versions used during Bundler resolution.
bundler/spec/dependabot/bundler/file_updater/ruby_requirement_setter_spec.rb | Updates expectations for new Ruby patch versions; adds Ruby 4.0 coverage.
bundler/spec/fixtures/projects/bundler2/gemfile_require_ruby_4_0/Gemfile | Adds fixture for a Ruby 4.0-required project.
bundler/spec/fixtures/projects/bundler2/gemfile_require_ruby_4_0/Gemfile.lock | Adds fixture lockfile for the Ruby 4.0-required project.
bundler/spec/fixtures/projects/bundler2/gemfile_require_ruby_4_0/example.gemspec | Adds fixture gemspec requiring Ruby >= 4.0.0.
python/lib/dependabot/python/package/package_details_fetcher.rb | Switches to require "cgi/escape" (uses CGI HTML unescaping).
python/lib/dependabot/python/authed_url_builder.rb | Adds require "cgi/escape" for CGI.escape usage.
npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser.rb | Adds require "cgi/escape" to support CGI.unescape under Ruby 4.
bun/lib/dependabot/bun/file_parser.rb | Adds require "cgi/escape" to support CGI.unescape under Ruby 4.
python/lib/dependabot/python/update_checker/latest_version_finder.rb | Removes unused require "cgi".
common/lib/dependabot/package/package_latest_version_finder.rb | Removes unused require "cgi".
terraform/lib/dependabot/terraform/package/package_details_fetcher.rb | Removes unused require "cgi".
swift/lib/dependabot/swift/package/package_details_fetcher.rb | Removes unused require "cgi".
opentofu/lib/dependabot/opentofu/package/package_details_fetcher.rb | Removes unused require "cgi".
pub/lib/dependabot/pub/package/package_details_fetcher.rb | Removes unused require "cgi".
pub/spec/dependabot/pub/package/package_details_fetcher_spec.rb | Removes unused require "cgi" in spec.
hex/lib/dependabot/hex/package/package_details_fetcher.rb | Removes unused require "cgi".
helm/lib/dependabot/helm/package/package_details_fetcher.rb | Removes unused require "cgi".
github_actions/lib/dependabot/github_actions/package/package_details_fetcher.rb | Removes unused require "cgi".
git_submodules/lib/dependabot/git_submodules/package/package_details_fetcher.rb | Removes unused require "cgi".
git_submodules/spec/dependabot/git_submodules/package/package_details_fetcher_spec.rb | Removes unused require "cgi" in spec.
cargo/lib/dependabot/cargo/package/package_details_fetcher.rb | Removes unused require "cgi".
composer/lib/dependabot/composer/package/package_details_fetcher.rb | Removes unused require "cgi".
elm/lib/dependabot/elm/package/package_details_fetcher.rb | Removes unused require "cgi".
elm/spec/dependabot/elm/package/package_details_fetcher_spec.rb | Removes unused require "cgi" in spec.
devcontainers/lib/dependabot/devcontainers/package/package_details_fetcher.rb | Removes unused require "cgi".
devcontainers/spec/dependabot/devcontainers/package/package_details_fetcher_spec.rb | Removes unused require "cgi" in spec.
common/spec/dependabot/pull_request_updater/github_spec.rb | Adds require "cgi/escape" for CGI.escape usage in spec.
common/spec/dependabot/pull_request_updater/gitlab_spec.rb | Adds require "cgi/escape" for CGI.escape usage in spec.
common/spec/dependabot/pull_request_creator/pr_name_prefixer_spec.rb | Adds require "cgi/escape" for CGI.escape usage in spec.
common/spec/dependabot/pull_request_creator/message_builder_spec.rb | Adds require "cgi/escape" for CGI.escape usage in spec.
common/spec/dependabot/pull_request_creator/labeler_spec.rb | Adds require "cgi/escape" for CGI.escape usage in spec.
common/spec/dependabot/pull_request_creator/gitlab_spec.rb | Adds require "cgi/escape" for CGI.escape usage in spec.
common/spec/dependabot/pull_request_creator/azure_spec.rb | Adds require "cgi/escape" for CGI.escape usage in spec.

Development

Successfully merging this pull request may close these issues.

Migrate from parser to prism

2 participants