…king specs

* Run tests against Ruby 3.2

* Declare `DependencyLoader#new` with `ruby2_keywords` to fix Ruby 3.2.0

When adding a middleware that receives keyword arguments in the
constructor, the call from `DependencyLoader#new` fails because
the method is not defined using `ruby2_keywords`.

This adds the required `ruby2_keywords` declaration to
`DependencyLoader#new`, fixing the tests and getting Faraday v1.x
working with Ruby 3.2.0.

Fixes #1479.

Co-authored-by: Matt <iMacTia@users.noreply.github.com>

… are correctly autoloaded (#1595)

Protocol-relative URLs (e.g. `//evil.com/path`) bypassed the existing
relative-URL guard in `build_exclusive_url`, allowing an attacker-controlled
URL to override the connection's base host. The `//` prefix matched the
`/` check in `start_with?`, so these URLs were passed through to
`URI#+` which treated them as authority references, replacing the host.

Extend the guard condition so that URLs starting with `//` are prefixed
with `./`, neutralizing the authority component and keeping requests
scoped to the configured base host.

This backport maintains backward compatibility with the 1.x branch's
colon-escaping behavior for opaque URIs like `service:search`.

Security: CVE-2026-25765, GHSA-33mh-2634-fwr2

Co-authored-by: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>

The CVE-2026-25765 security fix added an additional conditional check
to build_exclusive_url, increasing complexity metrics from 13 to 15.
Update the rubocop_todo.yml thresholds to reflect this acceptable
increase for security purposes.

Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>