build(deps): bump the bundler group with 4 updates

[dependabot]

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

---

Bumps the bundler group with 4 updates: thor, json, nokogiri and rubocop-ast.

Updates thor from 1.3.2 to 1.4.0

Release notes

Sourced from thor's releases.

1.4.0

What's Changed

• Lazily load YAML by @​deivid-rodriguez in rails/thor#892
• Fix encoding error when trying to show a diff: by @​Edouard-chin in rails/thor#898
• fix: Unsafe shell command constructed from library input by @​odaysec in rails/thor#897
• Use git difftool for merge.tool identifiers by @​moguls753 in rails/thor#900
• feat: support gsub_file erroring if gsub doesn't change anything, and add gsub_file! by @​G-Rath in rails/thor#877

New Contributors

• @​hlascelles made their first contribution in rails/thor#893
• @​Edouard-chin made their first contribution in rails/thor#898
• @​odaysec made their first contribution in rails/thor#897
• @​moguls753 made their first contribution in rails/thor#900
• @​G-Rath made their first contribution in rails/thor#877
• @​Uaitt made their first contribution in rails/thor#891

Full Changelog: rails/thor@v1.3.2...v1.4.0

Commits

• 518ae0f Prepare for 1.4.0
• b4879f0 Update devcontainer configuration
• 40412ec Merge pull request #904 from rails/revert-893-use-secure-thor-link
• ae7cd4f Revert "Use secure whatisthor.com link"
• b73c346 Merge pull request #890 from Uaitt/update-gh-action-versions
• b14cfd4 Merge pull request #891 from Uaitt/correct-typo-in-comment
• 048bbdd Merge pull request #877 from G-Rath/gsub_file-error-on-no-change
• 13bd825 Merge pull request #900 from moguls753/main
• 536b790 Merge pull request #897 from odaysec/patch-1
• 094bd41 Merge pull request #898 from Edouard-chin/ec-encoding
• Additional commits viewable in compare view

Updates json from 2.12.2 to 2.13.0

Release notes

Sourced from json's releases.

v2.13.0

What's Changed

• Add new allow_duplicate_key parsing options. By default a warning is now emitted when a duplicated key is encountered. In json 3.0 an error will be raised.
• Optimize parsing further using SIMD to scan strings.

Full Changelog: ruby/json@v2.12.2...v2.13.0

Changelog

Sourced from json's changelog.

2025-05-23 (2.13.0)

• Add new allow_duplicate_key parsing options. By default a warning is now emitted when a duplicated key is encountered. In json 3.0 an error will be raised.
• Optimize parsing further using SIMD to scan strings.

Commits

• 8d08494 Release 2.13.0
• 37e6890 Fix mistake in jruby Rakefile
• 9b6ac43 Merge pull request #825 from samyron/fix-jruby-java-build
• 90680fa Use File::PATH_SEPARATOR instead of java.lang.System.getProperty.
• b362c08 Use the platform native path.separator when building using JRuby.
• a497c71 Improve consistency of code style
• c5af1b6 Merge pull request #823 from nobu/have_func-headers
• 95fb084 Run have_func with the header providing the declarations
• 829f4bc Merge pull request #822 from byroot/simd-remove-cpu-init
• d3317b9 Stop calling __builtin_cpu_init
• Additional commits viewable in compare view

Updates nokogiri from 1.18.8 to 1.18.9

Release notes

Sourced from nokogiri's releases.

v1.18.9 / 2025-07-20

Security

• [CRuby] Applied upstream libxml2 patches to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796. See GHSA-353f-x4gh-cqq8 for more information.

5bcfdf7aa8d1056a7ad5e52e1adffc64ef53d12d0724fbc6f458a3af1a4b9e32  nokogiri-1.18.9-aarch64-linux-gnu.gem
55e9e6ca46c4ad1715e313f407d8481d15be1e3b65d9f8e52ba1c124d01676a7  nokogiri-1.18.9-aarch64-linux-musl.gem
eea3f1f06463ff6309d3ff5b88033c4948d0da1ab3cc0a3a24f63c4d4a763979  nokogiri-1.18.9-arm64-darwin.gem
fe611ae65880e445a9c0f650d52327db239f3488626df4173c05beafd161d46e  nokogiri-1.18.9-arm-linux-gnu.gem
935605e14c0ba17da18d203922440bf6c0676c602659278d855d4622d756a324  nokogiri-1.18.9-arm-linux-musl.gem
ac5a7d93fd0e3cef388800b037407890882413feccca79eb0272a2715a82fa33  nokogiri-1.18.9.gem
1fe5b7aa4a054eda689a969bb4e03999960a6ea806582d327207d687168bceb5  nokogiri-1.18.9-java.gem
6b4fc1523aa0370c78653e38c94cb50e7f3ab786425de66ba7ad24222c1164a3  nokogiri-1.18.9-x64-mingw-ucrt.gem
e0d2deb03d3d7af8016e8c9df5ff4a7d692159cefb135cbb6a4109f265652348  nokogiri-1.18.9-x86_64-darwin.gem
b52f5defedc53d14f71eeaaf990da66b077e1918a2e13088b6a96d0230f44360  nokogiri-1.18.9-x86_64-linux-gnu.gem
e69359d6240c17e64cc9f43970d54f13bfc7b8cc516b819228f687e953425e69  nokogiri-1.18.9-x86_64-linux-musl.gem

Changelog

Sourced from nokogiri's changelog.

v1.18.9 / 2025-07-20

Security

• [CRuby] Applied upstream libxml2 patches to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796. See GHSA-353f-x4gh-cqq8 for more information.

Commits

• 1dcd8ce version bump to v1.18.9
• a05d2b4 Apply upstream patches to address multiple vulnerabilities (#3526)
• 947a55e Apply upstream patches to address multiple vulnerabilities
• See full diff in compare view

Updates rubocop-ast from 1.45.1 to 1.46.0

Release notes

Sourced from rubocop-ast's releases.

RuboCop AST v1.46.0

New features

• #379: Support RuboCop::AST::ComplexNode. ([@​koic][])

Bug fixes

• #380: Fix RuboCop::AST::NumericNode#sign? to return boolean. ([@​viralpraxis][])

Changelog

Sourced from rubocop-ast's changelog.

1.46.0 (2025-07-16)

New features

• #379: Support RuboCop::AST::ComplexNode. ([@​koic][])

Bug fixes

• #380: Fix RuboCop::AST::NumericNode#sign? to return boolean. ([@​viralpraxis][])

Commits

• 9cba9c7 Cut 1.46.0
• b3469e4 Update Changelog
• 745ae82 Support RuboCop::AST::ComplexNode
• c8a2a52 Fix RuboCop::AST::NumericNode#sign? to return boolean
• 8c26dbb Suppress a RuboCop's offense
• 4f97e54 Suppress RuboCop's offenses
• 993e9ea Add release notes
• 73ad40b Restore docs/antora.yml
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions