cyberark / conjur-service-broker

Implementation of the Open Service Broker API for Conjur

Bump puma to 3.12.6 or higher

andytinkham opened this issue

Puma has a CVE that affects versions prior to 3.12.6. I don't believe we're directly impacted but we should bump versions to close the CVE.

However, simply bumping the version results in test failures that need to be investigated further.

Note: see this issue comment for why we will not bump Puma to 3.12.6 for now: #178 (comment)

See also: #188

The linked issues in puma have been fixed, but bumping puma to 3.12.6 still causes test failures.