Bump ruby to 3.2.0

[blue2cat]

Bumps ruby to 3.2.0 and bundler to 2.4.3

Ruby 3.2.0 introduces two features that improve Regex expression parsing.

From the 3.2.0 release notes:

Improved Regexp matching algorithm

Since Ruby 3.2, Regexp’s matching algorithm has been greatly improved by using a memoization technique.

# This match takes 10 sec. in Ruby 3.1, and 0.003 sec. in Ruby 3.2
/^a*b?a*$/ =~ "a" * 50000 + "x"

The improved matching algorithm allows most Regexp matching (about 90% in our experiments) to be completed in linear time.

Regexp timeout

The optimization above cannot be applied to some kind of regular expressions, such as those including advanced features (e.g., back-references or look-around), or with a huge fixed number of repetitions. As a fallback measure, a timeout feature for Regexp matches is also introduced.

[blue2cat]

Note: Ruby 3.2.0 removed taint-checking methods from the codebase, which appears to be causing the installation of Bundler v1 to fail.

[deivid-rodriguez]

Bundler will be updated in #6303.

Regarding Ruby, those regexp improvements do look appealing for us :) One issue is indeed what to do with Bundler 1. I see several options:

• Drop support for Bundler 1 before upgrading to Ruby 3.2. That effectively blocks the Ruby upgrade until we decide we're ready to drop Bundler 1.

• Monkey patch Bundler 1 to remove all taint/untaint. This seems doable but messy, specially since I think this is used in quite a few places.

• Let Bundler 2 also update lockfiles created with Bundler 1. This sounds a bit like cheating but I think it should be fine because the lockfile format has not really changed between Bundler 1 and Bundler 2.

I think the latter may be the best course of action because it allows us to effectively get rid of Bundler 1 internally, while still being able to provide updates to lockfiles locked to Bundler 1.

[jeffwidman]

Thanks for opening this PR.

I think the Bundler v1 discussion could easily become larger than just this PR, so I opened:

• Drop support for Bundler 1 #6457

So let's continue the discussion there about both short and long-term plans for Bundler v1?

[deivid-rodriguez]

Sure @jeffwidman, makes total sense to split that out, you beat me to that :)

[jurre]

I think it should be fine because the lockfile format has not really changed between Bundler 1 and Bundler 2.

We'd discussed this privately a bit already, just echo'ing that here, I have a concern around multiple sources, in bundler 2 those are split out in the lockfile. Bundler 1 might be able to handle the new format without issues, but if users were manually still upgrading using v1, they would experience massive diffs every time they update something after dependabot has touched the lockfile

[jurre]

Thinking about this more, if we can reasonably remove bundler 1 I am supportive, but last time I checked it still saw quite a lot of usage, so we might feel uncomfortable doing so. If we want to keep supporting it for a bit longer, how painful would it be to run two rubies side by side? We could leverage some ruby version switcher, or just install both in different paths and invoke them separately?

[jeffwidman]

TBH, the metrics I've seen internally for bundler 1 usage are so high that they don't smell right... Like they're insanely high compared to what I was expected. Especially because as repos move to ruby 3.2, they're going to hit this issue themselves and have to bump to bundler 2 anyway.

So that number I'd expect to start moving more than it has, which makes me suspect something might be amiss with how we've instrumented that data. I know both myself and Deivid have looked at the code and it looks correct, but as a triple-check I've been meaning to dig a bit deeper and find some open source repos that are emitting bundler 1 to the metrics and manually inspect them to see if they're truly using bundler 1, or if our metrics code is misattributing something.

Anyway, this is probably a conversation better had internally but wanted to mention it on this thread so we don't forget and prematurely invest a bunch of time into supporting bundler 1 / other Rubies until we're truly really confident in the data we're seeing.

[jeffwidman]

Another PR managed to workaround updating Ruby w/o updating bundler:

• Bump Ruby to 3.3.1 #9597