Consolidate main dependency updates

[justin808]

Summary

• consolidate Dependabot dependency updates against main, including Bootsnap 1.24.1, Puma 8.0.1, Rails 8.1.3, Brakeman 8.0.4, Propshaft 1.3.2, Selenium WebDriver 4.43.0, Solid Queue 1.4.0, Thruster 0.1.20, Web Console 4.3.0, and related indirect updates
• add explicit Ruby/Node version files so ruby/setup-ruby can resolve the CI Ruby version on Dependabot and regular PRs
• install pnpm/Node dependencies in CI before Rails tests, because the test helper compiles React on Rails/Shakapacker assets
• pin Puma 8 to bind on 0.0.0.0 by default, with PUMA_BIND_HOST available as an override, to preserve Docker/Kamal/Thruster connectivity after Puma's IPv6 default-bind change
• keep Shakapacker on gem/npm 9.5.0; Shakapacker 10 still needs a coordinated gem and npm package upgrade

Validation

• pnpm install --frozen-lockfile
• bin/rails react_on_rails:generate_packs
• pnpm exec tsc --noEmit
• bin/shakapacker
• PORT=3999 PUMA_BIND_HOST=127.0.0.1 bundle exec puma -C config/puma.rb
• PGHOST=localhost PGPORT=55432 PGUSER=postgres PGPASSWORD=postgres bin/rails db:test:prepare test
• PGHOST=localhost PGPORT=55432 PGUSER=postgres PGPASSWORD=postgres bin/rails db:test:prepare test:system
• bin/rubocop -f github
• bin/brakeman --no-pager
• bin/bundler-audit

Supersedes

• open Dependabot PRs Bump bootsnap from 1.23.0 to 1.24.0 #16 and Bump puma from 7.2.0 to 8.0.1 #17
• previously closed Dependabot PRs Bump actions/upload-artifact from 4 to 7 #1, Bump actions/cache from 4 to 5 #2, Bump kamal from 2.10.1 to 2.11.0 #3, Bump brakeman from 8.0.2 to 8.0.4 #4, Bump rails from 8.1.2 to 8.1.3 #5, Bump thruster from 0.1.18 to 0.1.20 #7, Bump puma from 7.2.0 to 8.0.0 #8, Bump web-console from 4.2.1 to 4.3.0 #9, Bump solid_queue from 1.3.2 to 1.4.0 #10, Bump selenium-webdriver from 4.41.0 to 4.43.0 #11, Bump propshaft from 1.3.1 to 1.3.2 #14
• does not supersede Shakapacker 10 PR Bump shakapacker from 9.5.0 to 10.0.0 #6; that remains intentionally separate

---

Note

Medium Risk
Moderate risk due to core framework/server and security-tool dependency upgrades and a Puma bind default change that could affect connectivity in some environments. CI/test changes may also surface new failures if Node/pnpm or asset generation assumptions differ across runners.

Overview
Consolidates a batch of dependency upgrades (notably Rails 8.1.3, Puma 8.0.1, Bootsnap 1.24.1, Brakeman 8.0.4, Solid Queue 1.4.0, Selenium 4.43.0, plus indirect updates) and adjusts bin/brakeman to stop forcing --ensure-latest.

CI is updated to pin toolchain versions via new .ruby-version/.tool-versions, install Node/pnpm dependencies before running Rails tests/system tests, and bump GitHub Actions used for caching/artifact upload.

Runtime/test behavior changes include binding Puma to 0.0.0.0 by default (configurable via PUMA_BIND_HOST), adding a committed db/schema.rb, and ensuring tests generate React-on-Rails packs before compiling assets in test/test_helper.rb.

^{Reviewed by Cursor Bugbot for commit 48d9a6b. Bugbot is set up for automated code reviews on this repo. Configure here.}

[coderabbitai]

Warning

Rate limit exceeded

@justin808 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 13 minutes before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5c0f9bdf-069d-4249-ac88-4f0d4a2d95e7

📥 Commits

Reviewing files that changed from the base of the PR and between 79f9b81 and 48d9a6b.

⛔ Files ignored due to path filters (1)

• Gemfile.lock is excluded by !**/*.lock

📒 Files selected for processing (7)

• .github/workflows/ci.yml
• .ruby-version
• .tool-versions
• bin/brakeman
• config/puma.rb
• db/schema.rb
• test/test_helper.rb

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch jg-codex/main-dependabot-updates

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 13 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR consolidates multiple Dependabot dependency updates (Rails 8.1.3, Puma 8.0.1, Brakeman 8.0.4, Solid Queue 1.4.0, and others), adds Ruby/Node version files for CI, threads pnpm/Node setup into the test and system-test CI jobs, and fixes Puma 8's IPv6-first bind change by explicitly defaulting to 0.0.0.0. The changes are well-scoped and the validation steps are thorough.

Confidence Score: 4/5

Safe to merge; only a P2 style finding around the removed --ensure-latest Brakeman flag.

All changes are straightforward dependency bumps, CI plumbing, and a well-justified Puma bind-host fix. The single finding is a P2 (removal of --ensure-latest from Brakeman), which does not block merging but is worth addressing.

bin/brakeman — removal of --ensure-latest slightly weakens the security scanner version gate

Important Files Changed

Filename	Overview
.github/workflows/ci.yml	Adds pnpm/Node.js setup steps before Ruby in test and system-test jobs so JS assets are compiled before the test suite starts; bumps action versions (cache v5, upload-artifact v7)
.ruby-version	New file pinning Ruby to 3.4.3 so ruby/setup-ruby can resolve the version in CI without relying on Gemfile
.tool-versions	New asdf tool-versions file declaring Ruby 3.4.3 and Node 24.8.0 for local dev and CI alignment
Gemfile.lock	Consolidates Dependabot updates: Rails 8.1.3, Puma 8.0.1, Bootsnap 1.24.1, Brakeman 8.0.4, Propshaft 1.3.2, Selenium 4.43.0, Solid Queue 1.4.0, Thruster 0.1.20, Web Console 4.3.0, plus many transitive updates
bin/brakeman	Removes --ensure-latest flag, dropping the CI gate that required Brakeman to always be the most current release
config/puma.rb	Adds explicit bind host (0.0.0.0 default, overridable via PUMA_BIND_HOST) to the port directive to preserve Docker/Kamal connectivity after Puma 8's IPv6-first default-bind change
db/schema.rb	New minimal schema file (version: 0, plpgsql extension only) committed for the first time so db:schema:load works in CI
test/test_helper.rb	Adds react_on_rails:generate_packs invocation before the shakapacker compile step so all required JS packs exist before asset compilation

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[CI Trigger: push/PR] --> B{Job}

    B --> C[scan_ruby]
    B --> D[lint]
    B --> E[test]
    B --> F[system-test]

    C --> C1[Checkout]
    C1 --> C2[Setup Ruby]
    C2 --> C3[bin/brakeman --no-pager]
    C3 --> C4[bin/bundler-audit]

    D --> D1[Checkout]
    D1 --> D2[Setup Ruby]
    D2 --> D3[RuboCop cache]
    D3 --> D4[bin/rubocop]

    E --> E1[Install apt packages]
    E1 --> E2[Checkout]
    E2 --> E3[Setup pnpm + Node NEW]
    E3 --> E4[pnpm install --frozen-lockfile NEW]
    E4 --> E5[Setup Ruby]
    E5 --> E6[bin/rails db:test:prepare test]

    F --> F1[Install apt packages]
    F1 --> F2[Checkout]
    F2 --> F3[Setup pnpm + Node NEW]
    F3 --> F4[pnpm install --frozen-lockfile NEW]
    F4 --> F5[Setup Ruby]
    F5 --> F6[bin/rails db:test:prepare test:system]
    F6 --> F7{failure?}
    F7 -->|yes| F8[upload-artifact screenshots]

Loading

_{Reviews (1): Last reviewed commit: "Consolidate main dependency updates" | Re-trigger Greptile}

[greptile-apps]

--ensure-latest flag removed

The --ensure-latest flag caused Brakeman to exit non-zero if it wasn't the most current release, which enforced keeping the scanner up-to-date as a CI gate. Removing it means future CI runs will silently pass even if a newer Brakeman version with additional checks is available. Since Brakeman was just bumped to 8.0.4 in this same PR the flag would pass today, so it might be worth re-adding now that the version is current.