
[codex] finish pending Dependabot updates#1414

Merged
justin808 merged 6 commits into main from jg-codex/dependabot-apr-2026
Apr 9, 2026

Conversation

@justin808
Collaborator

Supersedes #1413, #1401, #1398, and #1397.

This replacement branch carries the pending Dependabot updates on top of current main:

  • addressable 2.8.0 -> 2.9.0
  • rack 2.2.22 -> 2.2.23
  • root picomatch 2.3.1 -> 2.3.2
  • test/dummy picomatch 2.3.1 -> 2.3.2

One manual correction is included: the raw Dependabot addressable lockfile resolved public_suffix to 7.0.5, but public_suffix 7.x requires Ruby >= 3.2. This repo still tests Ruby 2.7, so the compatible locked resolution is public_suffix 5.1.1.

Local validation:

  • mise x node@20.19.0 -- yarn install --frozen-lockfile
  • mise x ruby@2.7.8 node@20.19.0 -- bundle _2.4.9_ exec rake test
  • env PACKAGE_JSON_FALLBACK_MANAGER=yarn_classic mise x ruby@2.7.8 node@20.19.0 -- bundle _2.4.9_ exec rake test
  • mise x node@20.19.0 -- yarn
  • mise x ruby@2.7.8 node@20.19.0 -- bundle _2.4.9_ exec rake react:update
  • mise x ruby@2.7.8 node@20.19.0 -- bundle _2.4.9_ exec rake ujs:update
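One check the manual correction implies, as an added example that is not the PR's or the project's own code: parse the locked gem versions and flag any whose required Ruby range excludes the oldest Ruby in the test matrix. The lockfile fragment and the required_ruby_version table are constructed here; only the fact that public_suffix 7.x needs Ruby >= 3.2 comes from the PR description.

```ruby
# Constructed Gemfile.lock fragment mirroring the versions this PR locks
# (Bundler indents locked specs by 4 spaces and their dependencies by 6).
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.9.0)
        public_suffix (>= 2.0.2, < 8.0)
      public_suffix (5.1.1)
      rack (2.2.23)

  PLATFORMS
    ruby
LOCK

# Assumed required_ruby_version per locked release: the ">= 3.2" for public_suffix
# 7.x is the fact stated in the PR; the rest are placeholders, not real gemspec data.
REQUIRED_RUBY = {
  ["public_suffix", "7.0.5"] => ">= 3.2",
  ["public_suffix", "5.1.1"] => ">= 2.6",
  ["addressable", "2.9.0"]   => ">= 2.2",
  ["rack", "2.2.23"]         => ">= 2.3",
}.freeze

# Map gem name => locked version from the GEM/specs section (4-space lines only;
# 6-space lines are dependency constraints, not locks).
def locked_specs(lockfile)
  specs = {}
  in_specs = false
  lockfile.each_line do |line|
    in_specs = true if line.strip == "specs:"
    in_specs = false if line.match?(/\A[A-Z]/) # a new top-level section
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    specs[m[1]] = m[2] if m
  end
  specs
end

# List locked gems whose required Ruby range excludes ruby_version (e.g. the oldest
# Ruby in the CI matrix). Gems missing from the table cannot be judged and are skipped.
def incompatible_gems(lockfile, ruby_version, table = REQUIRED_RUBY)
  target = Gem::Version.new(ruby_version)
  locked_specs(lockfile).filter_map do |name, version|
    req = table[[name, version]] or next
    next if Gem::Requirement.new(req).satisfied_by?(target)
    "#{name} #{version} requires Ruby #{req}"
  end
end
```

Running it against the raw Dependabot resolution (public_suffix 7.0.5) for Ruby 2.7.8 reports the incompatibility; the corrected 5.1.1 lock reports nothing.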

dependabot bot and others added 5 commits April 8, 2026 21:10
Bumps [addressable](https://github.com/sporkmonger/addressable) from 2.8.0 to 2.9.0.
- [Changelog](https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md)
- [Commits](sporkmonger/addressable@addressable-2.8.0...addressable-2.9.0)

---
updated-dependencies:
- dependency-name: addressable
  dependency-version: 2.9.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [rack](https://github.com/rack/rack) from 2.2.22 to 2.2.23.
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](rack/rack@v2.2.22...v2.2.23)

---
updated-dependencies:
- dependency-name: rack
  dependency-version: 2.2.23
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [picomatch](https://github.com/micromatch/picomatch) from 2.3.1 to 2.3.2.
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

---
updated-dependencies:
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [picomatch](https://github.com/micromatch/picomatch) from 2.3.1 to 2.3.2.
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

---
updated-dependencies:
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@claude

claude bot commented Apr 9, 2026

Code Review

This is a clean, well-scoped dependency maintenance PR. Here's my assessment:

Summary of Changes

| Dependency | Type | Old | New |
|---|---|---|---|
| addressable | Ruby gem | 2.8.0 | 2.9.0 |
| public_suffix | Ruby gem (transitive) | 4.0.6 | 5.1.1 |
| rack | Ruby gem | 2.2.22 | 2.2.23 |
| picomatch | JS (root) | 2.3.1 | 2.3.2 |
| picomatch | JS (test/dummy) | 2.3.1 | 2.3.2 |

Positives

Security: rack 2.2.23 is a patch release that includes a security fix — this update is valuable and should be prioritized.

Ruby compatibility handling: The manual correction pinning public_suffix to 5.1.1 instead of 7.0.5 is the right call. public_suffix 7.x requires Ruby >= 3.2, and this repo's CI matrix includes Ruby 2.7. Without this correction, bundle exec would fail on Ruby 2.7. This is well-explained in the PR description.

Consolidation: Bundling 4 Dependabot PRs into one with a clean description referencing the superseded PRs (#1413, #1401, #1398, #1397) is good housekeeping.


Observations

Registry URL change in test/dummy/yarn.lock: The old picomatch entry used registry.npmjs.org while the new one uses registry.yarnpkg.com. This is expected — both resolve to the same CDN, and Yarn Classic normalizes to registry.yarnpkg.com on re-lock. Not a concern.

addressable dependency range widening: The public_suffix constraint widened from < 5.0 to < 8.0 (upstream-driven, part of addressable 2.9.0's gemspec). It's correctly paired with the 5.1.1 pin so Ruby 2.7 compatibility is preserved.


CI Status

Rubocop passes across all tested Ruby versions (2.7, 3.0, 3.1, 3.2, 3.3). The Ruby test suite and CodeQL scans were still in progress at time of review — recommend waiting for those to complete before merging.


Overall: LGTM once CI passes. The manual public_suffix correction is the only non-trivial judgment call here and it's correct. No source code changes; purely lockfile updates.

@claude

claude bot commented Apr 9, 2026

PR Review: [codex] finish pending Dependabot updates

Overall this is a clean, well-considered dependency update. The PR description is thorough and the local validation steps are appreciated.

What's good

public_suffix version pinning (5.1.1 instead of 7.x) — This is the most important judgment call in the PR and it's correct. addressable 2.9.0 relaxed its constraint to < 8.0, which would have allowed Bundler to resolve public_suffix 7.x, but that gem requires Ruby >= 3.2 and this repo still tests Ruby 2.7. Manually locking to 5.1.1 is the right compatible resolution.

CI cache key fix — Adding matrix.js_package_manager.name to the dummy-app-node-modules-cache key is a genuine correctness fix. Without it, different package managers in the matrix share the same cache slot and can pollute each other's node_modules. This should have been there from the start.

rack 2.2.23 — Rack patch releases typically address security issues; this is worth picking up promptly.

Minor observations

  1. test/dummy/yarn.lock registry URL changed — The old entry used https://registry.npmjs.org/... while the new picomatch 2.3.2 entry uses https://registry.yarnpkg.com/.... Both resolve to the same package (Yarn's registry proxies npm), the integrity hash is correct, and the rest of the file uses yarnpkg.com, so this is fine. Just worth noting in case anyone spots the discrepancy during review.

  2. Non-dependency change bundled in — The CI cache key fix is mixed in with the dependency updates. Not a problem functionally, but if there's a convention for keeping CI changes in separate PRs you may want to note it for future reference.

  3. Ruby 2.7 EOL — Not a concern for this PR specifically, but since Ruby 2.7 reached EOL in March 2023, dropping it from the test matrix in a future PR would allow resolving public_suffix to the latest 7.x without manual intervention.

Verdict

The changes are correct and low-risk. The public_suffix pinning is careful work that prevents a silent Ruby version incompatibility. The lock files look accurate. Good to merge.
