Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🚨 [security] Update rubocop-rails 2.25.1 → 2.26.1 (minor) #1351

Closed
wants to merge 1 commit into from

Conversation

depfu[bot]
Copy link
Contributor

@depfu depfu bot commented Sep 8, 2024


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rubocop-rails (2.25.1 → 2.26.1) · Repo · Changelog

Release Notes

2.26.1

Bug fixes

  • #1343: Fix false negatives for Rails/EnumSyntax for non-literal mappings. (@earlopain)
  • #1340: Fix a false positive for Rails/WhereEquals, Rails/WhereNot, and Rails/WhereRange when qualifying the database name. (@earlopain)

Changes

  • #1342: Change Rails/ApplicationRecord to ignore migrations. (@fatkodima)
  • #1350: Change Rails/EnumSyntax to autocorrect underscored options. (@fatkodima)

2.26.0

New features

Bug fixes

  • #1335: Fix an error for Rails/BulkChangeTable when the block for change_table is empty. (@earlopain)
  • #1325: Fix an error for Rails/RenderPlainText when the content type is passed as a constant. (@earlopain)
  • #1337: Fix an error for Rails/Validation when passing no arguments. (@earlopain)
  • #1330: Fix an error for Rails/WhereNot when using placeholder without second argument. (@earlopain)
  • #1311: Fix false negatives for Rails/ActionControllerFlashBeforeRender when using implicit render or rescue blocks. (@tldn0718)
  • #1313: Fix false positives for Rails/CompactBlank when using collection.reject!. (@koic)
  • #1319: Fix a false positive for Rails/RedundantPresenceValidationOnBelongsTo when removing presence would leave other non-validation options like allow_blank without validations. (@earlopain)
  • #1306: Make Rails/PluralizationGrammar aware of byte methods. (@earlopain)
  • #1302: Allow params receiver by default for Style/CollectionMethods. (@koic)
  • #1321: Fix an error for Rails/WhereEquals when the second argument is not yet typed (where("foo = ?", )). (@earlopain)

Changes

  • #1308: Change Rails/CompactBlank to handle select(&:present?). (@fatkodima)
  • #1303: Change Rails/IgnoredSkipActionFilterOption to handle multiple callbacks. (@fatkodima)
  • #1199: Make Rails/WhereEquals aware of where.not(...). (@earlopain)
  • #1003: Change Rails/RootPathnameMethods to detect offenses on Dir.[]. (@r7kamura)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 68 commits:

✳️ rubocop (1.65.1 → 1.66.1) · Repo · Changelog

Release Notes

1.66.1

Bug fixes

  • #13191: Fix an error for Style/IfWithSemicolon when using nested single-line if/;/end in block of if/else branches. (@koic)
  • #13178: Fix false positive for Style/EmptyLiteral with Hash.new([]). (@earlopain)
  • #13176: Fix crash in Style/EmptyElse when AllowComments: true and the else clause is missing. (@vlad-pisanov)
  • #13185: Fix false negatives in Style/MapIntoArray autocorrection when using ensure, def, defs and for. (@vlad-pisanov)

1.66.0

New features

  • #13077: Add new global StringLiteralsFrozenByDefault option for correct analysis with RUBYOPT=--enable=frozen-string-literal. (@earlopain)
  • #13080: Add new DocumentationExtension global option to serve documentation with extensions different than .html. (@earlopain)
  • #13074: Add new Lint/UselessNumericOperation cop to check for inconsequential numeric operations. (@zopolis4)
  • #13061: Add new Style/RedundantInterpolationUnfreeze cop to check for dup and @+ on interpolated strings in Ruby >= 3.0. (@earlopain)

Bug fixes

  • #13093: Fix an error for Lint/ImplicitStringConcatenation when implicitly concatenating a string literal with a line break and string interpolation. (@koic)
  • #13098: Fix an error for Style/IdenticalConditionalBranches when handling empty case branches. (@koic)
  • #13113: Fix an error for Style/IfWithSemicolon when a nested if with a semicolon is used. (@koic)
  • #13097: Fix an error for Style/InPatternThen when using alternative pattern matching deeply. (@koic)
  • #13159: Fix an error for Style/OneLineConditional when using if/then/else/end with multiple expressions in the then body. (@koic)
  • #13092: Fix an incorrect autocorrect for Layout/EmptyLineBetweenDefs when two method definitions are on the same line separated by a semicolon. (@koic)
  • #13116: Fix an incorrect autocorrect for Style/IfWithSemicolon when a single-line if/;/end has an argument in the then body expression. (@koic)
  • #13161: Fix incorrect autocorrect for Style/IfWithSemicolon when using multiple expressions in the else body. (@koic)
  • #13132: Fix incorrect autocorrect for Style/TrailingBodyOnMethodDefinition when an expression precedes a method definition on the same line with a semicolon. (@koic)
  • #13164: Fix incorrect autocorrect behavior for Layout/BlockAlignment when EnforcedStyleAlignWith: either (default). (@koic)
  • #13087: Fix an incorrect autocorrect for Style/MultipleComparison when expression with more comparisons precedes an expression with less comparisons. (@fatkodima)
  • #13172: Fix an error for Layout/EmptyLinesAroundExceptionHandlingKeywords when ensure or else and end are on the same line. (@koic)
  • #13107: Fix an error for Lint/ImplicitStringConcatenation when there are multiple adjacent string interpolation literals on the same line. (@koic)
  • #13111: Fix an error for Style/GuardClause when if clause is empty and correction would not fit on single line because of Layout/LineLength. (@earlopain)
  • #13137: Fix an error for Style/ParallelAssignment when using __FILE__. (@earlopain)
  • #13143: Fix an error during TargetRubyVersion detection if the gemspec is not valid syntax. (@earlopain)
  • #13131: Fix false negatives for Lint/Void when using ensure, defs and numblock. (@vlad-pisanov)
  • #13174: Fix false negatives for Style/MapIntoArray when initializing the destination using Array[], Array([]), or Array.new([]). (@vlad-pisanov)
  • #13173: Fix false negatives for Style/EmptyLiteral when using Array[], Hash[], Array.new([]) and Hash.new([]). (@vlad-pisanov)
  • #13126: Fix a false positive for Style/Alias when using multiple alias in def. (@koic)
  • #13085: Fix a false positive for Style/EmptyElse when a comment-only else is used after elsif and AllowComments: true is set. (@koic)
  • #13118: Fix a false positive for Style/MapIntoArray when splatting. (@earlopain)
  • #13105: Fix false positives for Style/ArgumentsForwarding when forwarding kwargs/block arg with non-matching additional args. (@koic)
  • #13139: Fix false positives for Style/RedundantCondition when using modifier if or unless. (@koic)
  • #13134: Fix false negative for Lint/Void when using using frozen literals. (@vlad-pisanov)
  • #13148: Fix incorrect autocorrect for Lint/EmptyConditionalBody when missing elsif body with end on the same line. (@koic)
  • #13109: Fix an error for the Lockfile parser when it contains incompatible BUNDLED WITH versions. (@earlopain)
  • #13112: Fix detection of TargetRubyVersion through the gemfile if the gemfile ruby version is below 2.7. (@earlopain)
  • #13155: Fixes an error when the server cache directory has too long path, causing rubocop to fail even with caching disabled. (@protocol7)

Changes

  • #13050: Allow get_!, set_!, get_?, set_?, get_=, and set_= in Naming/AccessorMethodName. (@koic)
  • #13103: Make Lint/UselessAssignment autocorrection safe. (@koic)
  • #13099: Make Style/RedundantRegexpArgument respect the EnforcedStyle of Style/StringLiterals. (@koic)
  • #13165: Remove dependency on the rexml gem. (@bquorning)
  • #13090: Require RuboCop AST 1.32.0+ to use RuboCop::AST::RationalNode. (@koic)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.25.0 → 5.25.1) · Repo · Changelog

Release Notes

5.25.1 (from changelog)

  • 2 bug fixes:

    • Fix incompatibility caused by minitest-hooks & rails invading minitest internals.

    • Revert change from =~ to match? to allow for nil if $TERM undefined.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

↗️ parallel (indirect, 1.26.2 → 1.26.3) · Repo

Commits

See the full diff on Github. The new version differs by 3 commits:

↗️ parser (indirect, 3.3.4.2 → 3.3.5.0) · Repo · Changelog

Release Notes

3.3.5.0 (from changelog)

API modifications:

  • Bump maintenance branches to 3.3.5 (#1039) (Koichi ITO)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ rexml (indirect, 3.3.5 → 3.3.7) · Repo · Changelog

Security Advisories 🚨

🚨 REXML denial of service vulnerability

Impact

The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes.

If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected.

Patches

The REXML gem 3.3.6 or later include the patch to fix the vulnerability.

Workarounds

Don't parse untrusted XMLs with tree parser API.

References

Release Notes

3.3.7

Improvements

  • Added local entity expansion limit methods

    • GH-192
    • GH-202
    • Reported by takuya kodama.
    • Patch by NAITOH Jun.
  • Removed explicit strscan dependency

    • GH-204
    • Patch by Bo Anderson.

Thanks

  • takuya kodama

  • NAITOH Jun

  • Bo Anderson

3.3.6

Improvements

  • Removed duplicated entity expansions for performance.

    • GH-194
    • Patch by Viktor Ivarsson.
  • Improved namespace conflicted attribute check performance. It was
    too slow for deep elements.

    • Reported by l33thaxor.

Fixes

  • Fixed a bug that default entity expansions are counted for
    security check. Default entity expansions should not be counted
    because they don't have a security risk.

  • Fixed a parser bug that parameter entity references in internal
    subsets are expanded. It's not allowed in the XML specification.

  • Fixed a stream parser bug that user-defined entity references in
    text aren't expanded.

Thanks

  • Viktor Ivarsson

  • NAITOH Jun

  • l33thaxor

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 21 commits:

↗️ rubocop-ast (indirect, 1.32.0 → 1.32.3) · Repo · Changelog

Release Notes

1.32.3 (from changelog)

Bug fixes

  • #310: Fix RuboCop::AST::DefNode#void_context? to handle class methods called initialize. ([@vlad-pisanov][])

1.32.1 (from changelog)

Changes

  • #309: Mark RuboCop::AST::EnsureNode as being in a void context. (@earlopain)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 14 commits:

🗑️ strscan (removed)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Sep 8, 2024
@mitlib mitlib temporarily deployed to thesis-submit-pr-1351 September 8, 2024 09:47 Inactive
@coveralls
Copy link

Coverage Status

coverage: 98.313%. remained the same
when pulling bd33339 on depfu/update/rubocop-rails-2.26.1
into b2eab6b on main.

Copy link
Contributor Author

depfu bot commented Sep 11, 2024

Closing because this update has already been applied

@depfu depfu bot closed this Sep 11, 2024
@depfu depfu bot deleted the depfu/update/rubocop-rails-2.26.1 branch September 11, 2024 12:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants