DefactoSoftware / Hours

Time registration that doesn't suck
https://happyhours.io
MIT License
1.04k stars 269 forks source link

Bump brakeman from 4.7.2 to 5.0.2 #594

Closed dependabot[bot] closed 3 years ago

dependabot[bot] commented 3 years ago

Bumps brakeman from 4.7.2 to 5.0.2.

Release notes

Sourced from brakeman's releases.

5.0.2

  • Fix Loofah version check

5.0.1

  • Support loading slim/smart (#1570)
  • Set more line numbers on Sexps (#1579)
  • Detect ::Rails.application.configure too (#1584)
  • Always ignore slice/only calls for mass assignment
  • Don't fail if $HOME/$USER are not defined
  • Convert splat array arguments to arguments
  • Bundle unreleased RubyParser changes

5.0.0

  • Scan (almost) all Ruby files in project
  • Revamp CSV report to a CSV list of warnings
  • Add Sonarqube report format (Adam England)
  • Add check for (more) unsafe method reflection (#1488, #1507, and #1508)
  • Add check for potential HTTP verb confusion (#1432)
  • Add --[no-]skip-vendor option
  • Ignore uuid as a safe attribute
  • Ignore Tempfile#path in shell commands
  • Ignore development environment
  • Collapse __send__ calls
  • Set Rails configuration defaults based on load_defaults version
  • Update Ruby requirement to version 2.4.0
  • Suggest using --force if no Rails application is detected

5.0.0.pre1

  • Add check for (more) unsafe method reflection
  • Suggest using --force if no Rails application is detected
  • Add Sonarqube report format (Adam England)
  • Add check for potential HTTP verb confusion
  • Add --[no-]skip-vendor option
  • Scan (almost) all Ruby files in project
  • Add support for Haml 5.2.0

4.10.1

  • Declare REXML as a dependency (Ruby 3.0 compatibility)
  • Use Sexp#sexp_body instead of Sexp#[..] (Ruby 3.0 compatibility)
  • Prevent render loops when template names are absolute paths (#1536)
  • Ensure RubyParser is passed file path as a String (#1534)
  • Support new Haml 5.2.0 escaping method (#1517)

4.10.0

4.9.1

  • Use version from active_record for non-Rails apps (Ulysse Buonomo)
  • Check chomped strings for SQL injection (#1509)
  • Always set line number for joined arrays (#1499)

... (truncated)

Changelog

Sourced from brakeman's changelog.

5.0.2 - 2021-06-07

  • Fix Loofah version check

5.0.1 - 2021-04-27

  • Detect ::Rails.application.configure too
  • Set more line numbers on Sexps
  • Support loading slim/smart
  • Don't fail if $HOME/$USER are not defined
  • Always ignore slice/only calls for mass assignment
  • Convert splat array arguments to arguments

5.0.0 - 2021-01-26

  • Ignore uuid as a safe attribute
  • Collapse __send__ calls
  • Ignore Tempfile#path in shell commands
  • Ignore development environment
  • Revamp CSV report to a CSV list of warnings
  • Set Rails configuration defaults based on load_defaults version
  • Add check for (more) unsafe method reflection
  • Suggest using --force if no Rails application is detected
  • Add Sonarqube report format (Adam England)
  • Add check for potential HTTP verb confusion
  • Add --[no-]skip-vendor option
  • Scan (almost) all Ruby files in project

4.10.1 - 2020-12-24

  • Declare REXML as a dependency (Ruby 3.0 compatibility)
  • Use Sexp#sexp_body instead of Sexp#[..] (Ruby 3.0 compatibility)
  • Prevent render loops when template names are absolute paths
  • Ensure RubyParser is passed file path as a String
  • Support new Haml 5.2.0 escaping method

5.0.0.pre1 - 2020-11-17

  • Add check for (more) unsafe method reflection
  • Suggest using --force if no Rails application is detected
  • Add Sonarqube report format (Adam England)
  • Add check for potential HTTP verb confusion
  • Add --[no-]skip-vendor option
  • Scan (almost) all Ruby files in project
  • Add support for Haml 5.2.0

4.10.0 - 2020-09-28

  • Add SARIF report format (Steve Winton)

... (truncated)

Commits
  • 37f3d81 Bump to 5.0.2
  • 24184fd Fix Loofah version check
  • eb2a8c5 Merge pull request #1600 from presidentbeef/array_push
  • c5f3f9c Merge pull request #1599 from presidentbeef/array_star
  • 92dccf0 Merge pull request #1598 from nebulab/main
  • 24ca235 Support Array#push like Array#<<
  • 36fec7c Adjust the copy of the interactive menu
  • 993d203 Array#join with empty array
  • f2d2fcb Array#join for single element arrays
  • 2246020 Support Array#* as Array#join
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
dependabot[bot] commented 3 years ago

Superseded by #595.