🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes.
If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected.
Patches
The REXML gem 3.3.6 or later include the patch to fix the vulnerability.
The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, >] and ]>.
If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.
Patches
The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities.
Improved namespace conflicted attribute check performance. It was
too slow for deep elements.
Reported by l33thaxor.
Fixes
Fixed a bug that default entity expansions are counted for
security check. Default entity expansions should not be counted
because they don't have a security risk.
#13077: Add new global StringLiteralsFrozenByDefault option for correct analysis with RUBYOPT=--enable=frozen-string-literal. (@earlopain)
#13080: Add new DocumentationExtension global option to serve documentation with extensions different than .html. (@earlopain)
#13074: Add new Lint/UselessNumericOperation cop to check for inconsequential numeric operations. (@zopolis4)
#13061: Add new Style/RedundantInterpolationUnfreeze cop to check for dup and @+ on interpolated strings in Ruby >= 3.0. (@earlopain)
Bug fixes
#13093: Fix an error for Lint/ImplicitStringConcatenation when implicitly concatenating a string literal with a line break and string interpolation. (@koic)
#13098: Fix an error for Style/IdenticalConditionalBranches when handling empty case branches. (@koic)
#13113: Fix an error for Style/IfWithSemicolon when a nested if with a semicolon is used. (@koic)
#13097: Fix an error for Style/InPatternThen when using alternative pattern matching deeply. (@koic)
#13159: Fix an error for Style/OneLineConditional when using if/then/else/end with multiple expressions in the then body. (@koic)
#13092: Fix an incorrect autocorrect for Layout/EmptyLineBetweenDefs when two method definitions are on the same line separated by a semicolon. (@koic)
#13116: Fix an incorrect autocorrect for Style/IfWithSemicolon when a single-line if/;/end has an argument in the then body expression. (@koic)
#13161: Fix incorrect autocorrect for Style/IfWithSemicolon when using multiple expressions in the else body. (@koic)
#13132: Fix incorrect autocorrect for Style/TrailingBodyOnMethodDefinition when an expression precedes a method definition on the same line with a semicolon. (@koic)
#13164: Fix incorrect autocorrect behavior for Layout/BlockAlignment when EnforcedStyleAlignWith: either (default). (@koic)
#13087: Fix an incorrect autocorrect for Style/MultipleComparison when expression with more comparisons precedes an expression with less comparisons. (@fatkodima)
#13172: Fix an error for Layout/EmptyLinesAroundExceptionHandlingKeywords when ensure or else and end are on the same line. (@koic)
#13107: Fix an error for Lint/ImplicitStringConcatenation when there are multiple adjacent string interpolation literals on the same line. (@koic)
#13111: Fix an error for Style/GuardClause when if clause is empty and correction would not fit on single line because of Layout/LineLength. (@earlopain)
#13137: Fix an error for Style/ParallelAssignment when using __FILE__. (@earlopain)
#13143: Fix an error during TargetRubyVersion detection if the gemspec is not valid syntax. (@earlopain)
#13131: Fix false negatives for Lint/Void when using ensure, defs and numblock. (@vlad-pisanov)
#13174: Fix false negatives for Style/MapIntoArray when initializing the destination using Array[], Array([]), or Array.new([]). (@vlad-pisanov)
#13173: Fix false negatives for Style/EmptyLiteral when using Array[], Hash[], Array.new([]) and Hash.new([]). (@vlad-pisanov)
#13126: Fix a false positive for Style/Alias when using multiple alias in def. (@koic)
#13085: Fix a false positive for Style/EmptyElse when a comment-only else is used after elsif and AllowComments: true is set. (@koic)
#13118: Fix a false positive for Style/MapIntoArray when splatting. (@earlopain)
#13105: Fix false positives for Style/ArgumentsForwarding when forwarding kwargs/block arg with non-matching additional args. (@koic)
#13139: Fix false positives for Style/RedundantCondition when using modifier if or unless. (@koic)
#13134: Fix false negative for Lint/Void when using using frozen literals. (@vlad-pisanov)
#13148: Fix incorrect autocorrect for Lint/EmptyConditionalBody when missing elsif body with end on the same line. (@koic)
#13109: Fix an error for the Lockfile parser when it contains incompatible BUNDLED WITH versions. (@earlopain)
#13112: Fix detection of TargetRubyVersion through the gemfile if the gemfile ruby version is below 2.7. (@earlopain)
#13155: Fixes an error when the server cache directory has too long path, causing rubocop to fail even with caching disabled. (@protocol7)
Changes
#13050: Allow get_!, set_!, get_?, set_?, get_=, and set_= in Naming/AccessorMethodName. (@koic)
#13103: Make Lint/UselessAssignment autocorrection safe. (@koic)
#13099: Make Style/RedundantRegexpArgument respect the EnforcedStyle of Style/StringLiterals. (@koic)
#13030: Add new Gemspec/AddRuntimeDependency cop. (@koic)
Bug fixes
#12954: Fix a false negative for Style/ArgumentsForwarding when arguments forwarding in yield. (@koic)
#13033: Fix a false positive for Layout/SpaceAroundOperators when using multiple spaces between an operator and a tailing comment. (@koic)
#12885: Fix a false positive for Lint/ToEnumArguments when enumerator is created for another method. (@koic)
#13018: Fix a false positive for Style/MethodCallWithArgsParentheses when EnforcedStyle: omit_parentheses is set and parenthesized method call is used before constant resolution. (@koic)
#12986: Fix a false positive for Style/RedundantBegin when endless method definition with rescue. (@koic)
#12985: Fix an error for Style/RedundantRegexpCharacterClass when using regexp_parser gem 2.3.1 or older. (@koic)
#13010: Fix an error for Style/SuperArguments when the hash argument is or-assigned. (@koic)
#13023: Fix an error for Style/SymbolProc when using lambda -> with one argument and multiline do...end block. (@koic)
#12989: Fix an error for the inherit_gem config when the Gemfile contains an uninstalled git gem. (@earlopain)
#12975: Fix an error for the inherit_gem config when running RuboCop without bundler and no Gemfile exists. (@earlopain)
#12997: Fix an error for Lint/UnmodifiedReduceAccumulator when the block is empty. (@earlopain)
#12979: Fix false negatives for Lint/Void when void expression with guard clause is not on last line. (@koic)
#12716: Fix false negatives for Lint/Void when using parenthesized void operators. (@koic)
#12471: Fix false negatives for Style/ZeroLengthPredicate when using safe navigation operator. (@koic)
#12960: Fix false positives for Lint/NestedMethodDefinition when definition of method on variable. (@koic)
#13012: Fix false positives for Style/HashExcept when using reject and calling include? method with bang. (@koic)
#12983: Fix false positives for Style/SendWithLiteralMethodName using send with writer method name. (@koic)
#12957: Fix false positives for Style/SuperArguments when calling super in a block. (@koic)
Changes
#12970: Add CountModifierForms option to Metrics/BlockNesting and set it to false by default. (@koic)
#13032: Display warning messages for deprecated APIs. (@koic)
#13031: Enable YJIT by default in server mode. (@koic)
#12557: Make server mode aware of auto-restart for bundle update. (@koic)
#12616: Make Style/MapCompactWithConditionalBlock aware of filter_map. (@koic)
#13035: Support autocorrect for Lint/ImplicitStringConcatenation. (@koic)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu cancel merge
Cancels automatic merging of this PR
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
depfu[bot]
commented
1 week ago
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ rubocop-performance (1.20.2 → 1.22.1) · Repo · Changelog
Release Notes
1.22.1
1.22.0
1.21.1
1.21.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
✳️ rexml (3.3.1 → 3.3.7) · Repo · Changelog
Security Advisories 🚨
🚨 REXML denial of service vulnerability
🚨 REXML DoS vulnerability
🚨 REXML DoS vulnerability
🚨 REXML denial of service vulnerability
Release Notes
3.3.7
3.3.6
3.3.5
3.3.4
3.3.3
3.3.2
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ parallel (indirect, 1.25.1 → 1.26.3) · Repo
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ parser (indirect, 3.3.3.0 → 3.3.5.0) · Repo · Changelog
Release Notes
3.3.5.0 (from changelog)
3.3.4.1 (from changelog)
3.3.4.0 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ racc (indirect, 1.8.0 → 1.8.1) · Repo · Changelog
Release Notes
1.8.1
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ rubocop (indirect, 1.64.1 → 1.66.1) · Repo · Changelog
Release Notes
1.66.1
1.66.0
1.65.1
1.65.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ rubocop-ast (indirect, 1.31.3 → 1.32.3) · Repo · Changelog
Release Notes
1.32.3 (from changelog)
1.32.1 (from changelog)
1.32.0 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ unicode-display_width (indirect, 2.5.0 → 2.6.0) · Repo · Changelog
Release Notes
2.6.0 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
🗑️ strscan (removed)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands