🚨 [security] Update rubocop-rails 2.25.1 → 2.26.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rubocop-rails (2.25.1 → 2.26.0) · Repo · Changelog

Release Notes

2.26.0

New features

• #1238: Add new Rails/EnumSyntax cop. (@maxprokopiev, @koic)
• #1309: Support Rails 7 syntax for Rails/EnumHash cop. (@ytjmt)
• #1298: Support Rails 7 syntax for Rails/EnumUniqueness cop. (@ytjmt)

Bug fixes

• #1335: Fix an error for Rails/BulkChangeTable when the block for change_table is empty. (@earlopain)
• #1325: Fix an error for Rails/RenderPlainText when the content type is passed as a constant. (@earlopain)
• #1337: Fix an error for Rails/Validation when passing no arguments. (@earlopain)
• #1330: Fix an error for Rails/WhereNot when using placeholder without second argument. (@earlopain)
• #1311: Fix false negatives for Rails/ActionControllerFlashBeforeRender when using implicit render or rescue blocks. (@tldn0718)
• #1313: Fix false positives for Rails/CompactBlank when using collection.reject!. (@koic)
• #1319: Fix a false positive for Rails/RedundantPresenceValidationOnBelongsTo when removing presence would leave other non-validation options like allow_blank without validations. (@earlopain)
• #1306: Make Rails/PluralizationGrammar aware of byte methods. (@earlopain)
• #1302: Allow params receiver by default for Style/CollectionMethods. (@koic)
• #1321: Fix an error for Rails/WhereEquals when the second argument is not yet typed (where("foo = ?", )). (@earlopain)

Changes

• #1308: Change Rails/CompactBlank to handle select(&:present?). (@fatkodima)
• #1303: Change Rails/IgnoredSkipActionFilterOption to handle multiple callbacks. (@fatkodima)
• #1199: Make Rails/WhereEquals aware of where.not(...). (@earlopain)
• #1003: Change Rails/RootPathnameMethods to detect offenses on Dir.[]. (@r7kamura)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 47 commits:

• Cut 2.26.0
• Update Changelog
• Merge pull request #1337 from Earlopain/validation-error
• Merge pull request #1336 from koic/add_new_rails_enum_syntax_cop
• Merge pull request #1309 from ytjmt/support-new-enum-syntax-for-enum-hash-cop
• [Fix #1238] Add new `Rails/EnumSyntax` cop
• Merge pull request #1335 from Earlopain/error-bulk-change-table
• Fix an error for `Rails/Validation` when passing no arguments
• Update `Rails/Validation` specs to modern style
• Merge pull request #1334 from Earlopain/cop-registry-deprecated
• Fix an error for `Rails/BulkChangeTable` when the block for `change_table` is empty
• Don't use deprecated `Cop.registry` in specs
• Update a changelog file name
• Merge pull request #1003 from r7kamura/root-pathname-methods-index
• Merge pull request #1323 from Earlopain/where-equal-not
• [Fix #1199] Make `Rails/WhereEquals` aware of `where.not(...)`
• Merge pull request #1330 from Earlopain/where-not-error
• Fix an error for `Rails/WhereNot` without second argument
• Merge pull request #1325 from Earlopain/render-plain-text-error
• Fix an error for `Rails/RenderPlainText` when the content type is passed as a constant
• Merge pull request #1321 from Earlopain/where-equal-error
• Fix an error for `Style/WhereEquals` when the second argument is not yet typed
• Merge pull request #1320 from Earlopain/rails-version-redundant-presence-validation
• [Fix #1319] Fix false positive for `RedundantPresenceValidationOnBelongsTo`
• Merge pull request #1316 from Uaitt/documentation-typo
• Correct typo in Rails/WhereEquals documentation
• Merge pull request #1311 from tldn0718/fix-false-negatives-for-action-controller-flash-before-render
• Merge pull request #1302 from koic/make_style_collection_compact_aware_of_params
• Allow `params` receiver by default for `Style/CollectionMethods`
• Merge pull request #1314 from biow0lf/fix-docs
• Use right ticks
• Merge pull request #1313 from koic/fix_false_positive_for_rails_compact_blank
• Fix false positives for `Rails/CompactBlank`
• Merge pull request #1310 from fatkodima/compact_blank-select_present
• Support Rails 7 syntax for Rails/EnumHash cop
• Fix false negatives for implicit render or rescue blocks
• Change `Rails/CompactBlank` to handle `select(&:present?)`
• Merge pull request #1307 from padarom/fix-pluck-in-where-documentation
• Suppress RuboCop offenses
• Clarify the wording of the `Rails/PluckInWhere` cop
• Merge pull request #1298 from ytjmt/support-new-enum-syntax-for-enum-uniqueness-cop
• Suppress RuboCop offense
• Merge pull request #1306 from Earlopain/pluralization-grammar-byte
• Make `Rails/PluralizationGrammar` aware of byte methods
• Merge pull request #1304 from fatkodima/ignored_skip_action_filter_option-multiple-callbacks
• Change `Rails/IgnoredSkipActionFilterOption` to handle multiple callbacks
• Switch back docs version to master

↗️ minitest (indirect, 5.25.0 → 5.25.1) · Repo · Changelog

Release Notes

5.25.1 (from changelog)

• 2 bug fixes:

  • Fix incompatibility caused by minitest-hooks & rails invading minitest internals.

  • Revert change from =~ to match? to allow for nil if $TERM undefined.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

• prepped for release
• - Fix incompatibility caused by minitest-hooks & rails invading minitest internals.
• - Revert change from =~ to match? to allow for nil if $TERM undefined.

↗️ parallel (indirect, 1.26.2 → 1.26.3) · Repo

Commits

See the full diff on Github. The new version differs by 3 commits:

• v1.26.3
• Merge pull request #351 from y-yagi/ensure_not_to_use_old_concurrent-ruby
• Ensure not to use old `concurrent-ruby`

↗️ rexml (indirect, 3.3.5 → 3.3.6) · Repo · Changelog

Security Advisories 🚨

🚨 REXML denial of service vulnerability

Impact

The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes.

If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected.

Patches

The REXML gem 3.3.6 or later include the patch to fix the vulnerability.

Workarounds

Don't parse untrusted XMLs with tree parser API.

Release Notes

3.3.6

Improvements

• Removed duplicated entity expansions for performance.

  • GH-194
  • Patch by Viktor Ivarsson.

• Improved namespace conflicted attribute check performance. It was
  too slow for deep elements.

  • Reported by l33thaxor.

Fixes

• Fixed a bug that default entity expansions are counted for
  security check. Default entity expansions should not be counted
  because they don't have a security risk.

  • GH-198
  • GH-199
  • Patch Viktor Ivarsson

• Fixed a parser bug that parameter entity references in internal
  subsets are expanded. It's not allowed in the XML specification.

  • GH-191
  • Patch by NAITOH Jun.

• Fixed a stream parser bug that user-defined entity references in
  text aren't expanded.

  • GH-200
  • Patch by NAITOH Jun.

Thanks

• Viktor Ivarsson

• NAITOH Jun

• l33thaxor

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 15 commits:

• Add 3.3.6 entry
• parser tree: improve namespace conflicted attribute check performance
• Fix a bug that Stream parser doesn't expand the user-defined entity references for "text" (#200)
• parser: keep the current namespaces instead of stack of Set
• parser: move duplicated end tag check to BaseParser
• test tree-parser: move common method to base class
• test: fix indent
• test: fix indent
• Use loop instead of recursive call for Element#namespace
• Use loop instead of recursive call for Element#root
• test: split duplicated attribute case and namespace conflict case
• Fix to not allow parameter entity references at internal subsets (#191)
• Fix RuntimeError in `REXML::Parsers::BaseParser` for valid feeds (#199)
• Improve `BaseParser#unnormalize` (#194)
• Bump version

↗️ rubocop-ast (indirect, 1.32.0 → 1.32.1) · Repo · Changelog

Release Notes

1.32.1 (from changelog)

Changes

• #309: Mark RuboCop::AST::EnsureNode as being in a void context. (@earlopain)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 6 commits:

• Cut 1.32.1
• Update Changelog
• Mark `RuboCop::AST::EnsureNode` as being in a void context.
• Fix readme CI badge (#308)
• Move test `Node#used?` predicate method definition
• Restore docs/antora.yml

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[coveralls]

coverage: 98.313%. remained the same
when pulling a0bc5fd on depfu/update/rubocop-rails-2.26.0
into b2eab6b on main.

[depfu]

Closed in favor of #1351.