chore(deps): bump concurrent-ruby from 1.3.6 to 1.3.7

[dependabot]

Bumps concurrent-ruby from 1.3.6 to 1.3.7.

Release notes

Sourced from concurrent-ruby's releases.

v1.3.7

There are 3 security fixes in this release, so updating is recommended. These security vulnerabilities are not very likely to be hit in practice and have a corresponding Low severity score.

What's Changed

• CVE-2026-54904 AtomicReference#update livelocks when the stored value is Float::NAN. Fix by @​joshuay03 and @​eregon
• CVE-2026-54905 ReentrantReadWriteLock read-count overflow grants a write lock without exclusivity. Fix by @​joshuay03
• CVE-2026-54906 ReadWriteLock allows wrong-thread write release and stray read-release counter corruption. Fix by @​joshuay03
• concurrent-ruby-ext: fix build on Darwin 32-bit by @​barracuda156 in ruby-concurrency/concurrent-ruby#1064
• Add SECURITY.md by @​eregon in ruby-concurrency/concurrent-ruby#1104
• Add Ruby 4.0 in CI by @​eregon in ruby-concurrency/concurrent-ruby#1106

New Contributors

• @​barracuda156 made their first contribution in ruby-concurrency/concurrent-ruby#1064

Full Changelog: ruby-concurrency/concurrent-ruby@v1.3.6...v1.3.7

Changelog

Sourced from concurrent-ruby's changelog.

Release v1.3.7 (16 June 2026)

concurrent-ruby:

• See the release notes on GitHub.

Commits

• 4c8fc28 Release 1.3.7
• d91ca94 Fix AtomicReference#update livelock when stored value is Float::NAN on JRuby ...
• 7e4d711 Fix ReentrantReadWriteLock read hold overflow into write-lock bit
• 6e37e06 Fix AtomicReference#update livelock when stored value is Float::NAN
• 2825cfa Cleanup spec
• 3fd4932 Fix ReadWriteLock wrong-thread write release and stray read release
• 1974b47 Add Ruby 4.0 in CI
• df8706d Add SECURITY.md (#1104)
• 7a1b789 Bump actions/upload-pages-artifact from 4 to 5
• 9b2dbf7 Bump actions/deploy-pages from 4 to 5
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

⚠️ This PR needs to target a release branch before it can merge to master.

All changes — including hotfixes, dependency bumps, and feature work — should flow through a rel/* branch rather than merging directly to master. This keeps commit history clean and ensures every change is tied to a release.

To fix: change the base branch of this PR to the appropriate rel/* branch when available. You can do this without closing the PR — use the base branch dropdown at the top of the PR.

• If this is CI/tooling work, rename your branch with a ci/ prefix and this check will pass
• If this is documentation-only work, rename your branch with a docs/ prefix and this check will pass

Override: In exceptional circumstances, a maintainer may add the manual-merge label to bypass this check and merge directly to master. This should be used sparingly — it skips the release branch entirely and may result in changes not being included in a release or loss of commit attribution if not handled carefully.

Enforced by the pr-target-check workflow.

[github-actions]

⚠️ This PR needs to target a release branch before it can merge to master.

All changes — including hotfixes, dependency bumps, and feature work — should flow through a rel/* branch rather than merging directly to master. This keeps commit history clean and ensures every change is tied to a release.

To fix: change the base branch of this PR to the appropriate rel/* branch when available. You can do this without closing the PR — use the base branch dropdown at the top of the PR.

• If this is CI/tooling work, rename your branch with a ci/ prefix and this check will pass
• If this is documentation-only work, rename your branch with a docs/ prefix and this check will pass

Override: In exceptional circumstances, a maintainer may add the manual-merge label to bypass this check and merge directly to master. This should be used sparingly — it skips the release branch entirely and may result in changes not being included in a release or loss of commit attribution if not handled carefully.

Enforced by the pr-target-check workflow.