In the light of CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional fix), which backend are you using? If it is the json gem, shouldnt the gemfile maybe force 2.3.0 instead of the ruby stdlib copy?
We mostly use Oj, but I guess there are some cases where json is still used directly.
I updated the dependency here:
In the mean time there are ruby releases for all branches from 2.4 up that have the security fix included in the intree json copy.