Skip to content

chore(deps): bump puma from 7.2.0 to 8.0.0#2570

Merged
mroderick merged 1 commit intomasterfrom
dependabot/bundler/puma-8.0.0
Apr 16, 2026
Merged

chore(deps): bump puma from 7.2.0 to 8.0.0#2570
mroderick merged 1 commit intomasterfrom
dependabot/bundler/puma-8.0.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 13, 2026

Bumps puma from 7.2.0 to 8.0.0.

Release notes

Sourced from puma's releases.

v8.0.0 - Into the Arena

Read our Version 8 Upgrade Guide.

  • Features

    • Add env["puma.mark_as_io_bound"] API and max_io_threads config to allow IO-bound requests to exceed the thread pool max, enabling better handling of mixed workloads (#3816, #3894)
    • Add single and cluster DSL hooks for mode-specific configuration (#3621)
    • Add on_force option to shutdown_debug to only dump thread backtraces on forced (non-graceful) shutdown (#3671)
    • Add API to dynamically update min and max thread counts at runtime via update_thread_pool_min_max and ServerPluginControl (#3658)
    • Use SIGPWR for thread backtrace dumps on Linux/JRuby where SIGINFO is unavailable (#3829)

  • Bugfixes

    • Fix phased restart for fork_worker to avoid forking from stale worker 0 when it has been replaced (#3853)

  • Performance

    • JRuby HTTP parser improvements: pre-allocated header keys, perfect hash lookup, reduced memory copies (#3838)
    • Cache downcased header key in str_headers to avoid redundant String#downcase calls, reducing allocations by ~50% per response (#3874)

  • Refactor

    • Collect env processing into dedicated client_env.rb module (#3582)
    • Move event to default configuration (#3872)

  • Docs

    • Add gRPC guide for configuring gRPC lifecycle hooks in clustered mode (#3885)
    • Add 7.0 upgrade guide, move 5.0/6.0 upgrade guides to docs directory (#3900)
    • Correct default values for persistent_timeout and worker_boot_timeout in DSL docs (#3912)
    • Add file descriptor limit warning in test helper for contributors (#3893)

  • Breaking changes

    • Default production bind address changed from 0.0.0.0 to :: (IPv6) when a non-loopback IPv6 interface is available; falls back to 0.0.0.0 if IPv6 is unavailable (#3847)
Changelog

Sourced from puma's changelog.

8.0.0 / 2026-03-27

  • Features

    • Add env["puma.mark_as_io_bound"] API and max_io_threads config to allow IO-bound requests to exceed the thread pool max, enabling better handling of mixed workloads (#3816, #3894)
    • Add single and cluster DSL hooks for mode-specific configuration (#3621)
    • Add on_force option to shutdown_debug to only dump thread backtraces on forced (non-graceful) shutdown (#3671)
    • Add API to dynamically update min and max thread counts at runtime via update_thread_pool_min_max and ServerPluginControl (#3658)
    • Use SIGPWR for thread backtrace dumps on Linux/JRuby where SIGINFO is unavailable (#3829)

  • Bugfixes

    • Fix phased restart for fork_worker to avoid forking from stale worker 0 when it has been replaced (#3853)

  • Performance

    • JRuby HTTP parser improvements: pre-allocated header keys, perfect hash lookup, reduced memory copies (#3838)
    • Cache downcased header key in str_headers to avoid redundant String#downcase calls, reducing allocations by ~50% per response (#3874)

  • Refactor

    • Collect env processing into dedicated client_env.rb module (#3582)
    • Move event to default configuration (#3872)

  • Docs

    • Add gRPC guide for configuring gRPC lifecycle hooks in clustered mode (#3885)
    • Add 7.0 upgrade guide, move 5.0/6.0 upgrade guides to docs directory (#3900)
    • Correct default values for persistent_timeout and worker_boot_timeout in DSL docs (#3912)
    • Add file descriptor limit warning in test helper for contributors (#3893)

  • Breaking changes

    • Default production bind address changed from 0.0.0.0 to :: (IPv6) when a non-loopback IPv6 interface is available; falls back to 0.0.0.0 if IPv6 is unavailable (#3847)
Commits
  • 08f63d4 Release v8.0.0 (#3914)
  • 7406cc1 Fix IPv4-mapped IPv6 addresses in REMOTE_ADDR and request logs (#3916)
  • e090243 Build(deps): Bump actions/checkout from 4 to 6 (#3915)
  • 7d5dca1 Update SECURITY.md, native Github vuln reports [ci skip] (#3913)
  • 66e6a32 Minor correction to defaults documented in dsl.rb (#3912)
  • 3788eca ci: limit rack-conform to main pushes and scope ragel PR runs (#3908)
  • 57b7799 ci: run turbo-rails only on latest stable Ruby and Rails (#3909)
  • 6685d6b ci: replace skip-duplicate jobs with concurrency and trigger filters (#3907)
  • 2848c82 ci: run push workflows only on main and release branches (#3906)
  • 97a37bb Add release pre-merge checks and align Release.md [ci skip] (#3904)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(deps): bump puma from 7.2.0 to 8.0.0
d2b0286 
Bumps [puma](https://github.com/puma/puma) from 7.2.0 to 8.0.0.
- [Release notes](https://github.com/puma/puma/releases)
- [Changelog](https://github.com/puma/puma/blob/main/History.md)
- [Commits](puma/puma@v7.2.0...v8.0.0)

---
updated-dependencies:
- dependency-name: puma
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies ruby Pull requests that update Ruby code labels Apr 13, 2026
@mroderick
Copy link
Copy Markdown
Collaborator

mroderick commented Apr 16, 2026

Dependency Upgrade Review: puma v7.2.0 → v8.0.0

PR Scope

Dependency-only — Only changes Gemfile and Gemfile.lock. No code changes.

Changes in Dependency

Major version upgrade (7.2.0 → 8.0.0) with these key changes:

Breaking change:

  • Default production bind address changed from 0.0.0.0 (IPv4) to :: (IPv6) when a non-loopback IPv6 interface is available; falls back to 0.0.0.0 if IPv6 is unavailable

New features:

  • IO-bound requests can exceed thread pool max via max_io_threads config
  • Runtime thread pool updates via update_thread_pool_min_max
  • New single and cluster DSL hooks for mode-specific config
  • shutdown_debug on_force: option for forced shutdowns only

Bug fixes & performance:

  • Phased restart fix for fork_worker mode
  • JRuby HTTP parser improvements
  • ~50% reduction in header key allocations

Usage in Repository

Puma is used as the production web server via config/puma.rb:

  • No explicit bind directive — relies on Puma defaults
  • Uses port helper which lets Puma handle binding internally
  • Heroku deployment (Procfile: bundle exec puma -C config/puma.rb)
  • Capybara tests also use Puma: Capybara.server = :puma, { Silent: true }

Compatibility Assessment

Likely Compatible — The breaking IPv6 change should not affect this application because:

  1. Heroku handles this internally — Heroku sets PORT env var and manages routing; the dyno binding is abstracted away
  2. Dual-stack systems work fine — Per Puma's upgrade guide, systems supporting both IPv4 and IPv6 (like Heroku) will continue to work
  3. No explicit bind configuration — The app doesn't set bind with explicit IP or rely on specific IP behavior
  4. No health checks parsing IP addresses — The codebase doesn't appear to have monitoring that expects specific IP formatting

Test Coverage

  • Capybara feature tests use Puma as the server
  • No specific unit tests for Puma configuration
  • The test suite should catch basic server startup issues

Confidence Rating

Medium-High — This is a major version bump with a documented breaking change, but:

  • The app uses standard Rails/Puma patterns
  • Heroku deployment abstracts away network binding concerns
  • No custom Puma plugins or hooks that would be affected
  • Puma 8 is stable (released March 2026)

Recommendation: Safe to merge, but monitor production deploy for any binding-related issues (unlikely on Heroku).

mroderick
mroderick approved these changes Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@mroderick mroderick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved after dependency upgrade review. See comment for full analysis. This upgrade is safe to merge for Heroku deployment.

@mroderick mroderick merged commit e473bfe into master Apr 16, 2026
16 checks passed
@mroderick mroderick deleted the dependabot/bundler/puma-8.0.0 branch April 16, 2026 17:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mroderick mroderick mroderick approved these changes

Assignees

No one assigned

Labels

dependencies ruby Pull requests that update Ruby code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mroderick