In the light of CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional fix) | Ruby, which backend are you using? If it is the json gem, shouldn't the Gemfile maybe force 2.3.0 instead of the Ruby stdlib copy?
We mostly use Oj, but I guess there are some cases where json is still used directly.
I updated the dependency here:
https://review.discourse.org/t/dev-upgrade-json-gem-and-add-explicit-dependency/10016
In the meantime, there are Ruby releases for all branches from 2.4 up that have the security fix included in the in-tree json copy.