Vulnerabilities fixed
*Sourced from [The PHP Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories/blob/master/squizlabs/php_codesniffer/2017-03-01.yaml).*
> **Arbitrary shell execution**
>
> Affected versions: >=1.0.0, <2.0.0; >=2.0.0, <2.8.1

Release notes
*Sourced from [squizlabs/php_codesniffer's releases](https://github.com/squizlabs/PHP_CodeSniffer/releases).*
> ## 3.5.1
> * Very very verbose diff report output has slightly changed to improve readability
> * Output is printed when running PHPCS with the `--report=diff` and `-vvv` command line arguments
> * Fully qualified class names have been replaced with sniff codes
> * Tokens being changed now display the line number they are on
> * PSR2, PSR12, and PEAR standards now correctly check for blank lines at the start of function calls
> * This check has been missing from these standards, but has now been implemented
> * When using the PEAR standard, the error code is `PEAR.Functions.FunctionCallSignature.FirstArgumentPosition`
> * When using PSR2 or PSR12, the error code is `PSR2.Methods.FunctionCallSignature.FirstArgumentPosition`
> * `PSR12.ControlStructures.BooleanOperatorPlacement` no longer complains when multiple expressions appear on the same line
> * Previously, boolean operators were enforced to appear at the start or end of lines only
> * Boolean operators can now appear in the middle of the line
> * `PSR12.Files.FileHeader` no longer ignores comments preceding a `use`, `namespace`, or `declare` statement
> * `PSR12.Files.FileHeader` now allows a hashbang line at the top of the file
> * Fixed bug [#2506](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2506) : PSR2 standard can't auto fix multi-line function call inside a string concat statement
> * Fixed bug [#2530](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2530) : PEAR.Commenting.FunctionComment does not support intersection types in comments
> * Fixed bug [#2615](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2615) : Constant visibility false positive on non-class constants
> * Fixed bug [#2616](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2616) : PSR12.Files.FileHeader false positive when file only contains docblock
> * Fixed bug [#2619](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2619) : PSR12.Files.FileHeader locks up when inline comment is the last content in a file
> * Fixed bug [#2621](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2621) : PSR12.Classes.AnonClassDeclaration.CloseBraceSameLine false positive for anon class passed as function argument
> * Thanks to Martins Sipenko for the patch
> * Fixed bug [#2623](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2623) : PSR12.ControlStructures.ControlStructureSpacing not ignoring indentation inside multi-line string arguments
> * Fixed bug [#2624](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2624) : PSR12.Traits.UseDeclaration doesn't apply the correct indent during auto fixing
> * Fixed bug [#2626](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2626) : PSR12.Files.FileHeader detects `@var` annotations as file docblocks
> * Fixed bug [#2628](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2628) : PSR12.Traits.UseDeclaration does not allow comments above a USE declaration
> * Fixed bug [#2632](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2632) : Incorrect indentation of lines starting with "static" inside closures
> * Fixed bug [#2641](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2641) : PSR12.Functions.NullableTypeDeclaration false positive when using new static()
>
> ## 3.5.0
> ## PSR-12 Standard Ready
>
> PHP_CodeSniffer has included an in-progress PSR-12 standard since 3.3.0, but this release includes the completed standard. You can now check your code using the PSR-12 standard:
> ```
> phpcs --standard=PSR12 /path/to/code
> ```
> Most of the errors found can also be automatically fixed by PHPCBF:
> ```
> phpcbf --standard=PSR12 /path/to/code
> ```
>
> ## Changelog
>
> * Added support for PHP 7.4 typed properties
> * The nullable operator is now tokenized as `T_NULLABLE` inside property types, as it is elsewhere
> * To get the type of a member var, use the `File::getMemberProperties()` method, which now contains a `type` array index
> * This contains the type of the member var, or a blank string if not specified
> * If the type is nullable, the return type will contain the leading `?`
> * If a type is specified, the position of the first token in the type will be set in a `type_token` array index
> * If a type is specified, the position of the last token in the type will be set in a `type_end_token` array index
> * If the type is nullable, a `nullable_type` array index will also be set to `TRUE`
> ... (truncated)

Commits
- [`82cd0f8`](https://github.com/squizlabs/PHP_CodeSniffer/commit/82cd0f854ceca17731d6d019c7098e3755c45060) Prepare for 3.5.1 release
- [`a24f6d4`](https://github.com/squizlabs/PHP_CodeSniffer/commit/a24f6d455a879922307717e3994d17f88f26c0ca) Fixed indent check when function is called inside an array declaration (ref #...
- [`da72d36`](https://github.com/squizlabs/PHP_CodeSniffer/commit/da72d365e302001e5487ff7a65ecd2cee6b4eb66) Additional fix for [#2506](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2506)
- [`c11b324`](https://github.com/squizlabs/PHP_CodeSniffer/commit/c11b3248337ff61088132ac1a084e659913357f7) Fixed bug [#2506](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2506) : PSR2 standard can't auto fix multi-line function call insid...
- [`f797a35`](https://github.com/squizlabs/PHP_CodeSniffer/commit/f797a35dafabd9dddab3029e47f550ba7c615280) Fixed bug [#2530](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2530) : PEAR.Commenting.FunctionComment does not support intersecti...
- [`f5dc023`](https://github.com/squizlabs/PHP_CodeSniffer/commit/f5dc023d23c55189105a6ce0f8d3ca586c73c7f2) Fixed bug [#2632](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2632) : Incorrect indentation of lines starting with static inside ...
- [`52e9819`](https://github.com/squizlabs/PHP_CodeSniffer/commit/52e98199fe8e33a3de98ff0eb1dc53a6550d3e80) PSR12.ControlStructures.BooleanOperatorPlacement no longer complains when mul...
- [`e487b6e`](https://github.com/squizlabs/PHP_CodeSniffer/commit/e487b6ec0331765de90d1911b8313a55a84d7aa0) PSR2, PSR12, and PEAR standards now correctly check for blank lines at the st...
- [`33af624`](https://github.com/squizlabs/PHP_CodeSniffer/commit/33af624c167617ac1d27c6941b5435c51723fad8) Improved the changelog
- [`e10743c`](https://github.com/squizlabs/PHP_CodeSniffer/commit/e10743cca14ebd4f0141a059f9b7c0b76d5f8f9b) Fixed bug [#2628](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2628) : PSR12.Traits.UseDeclaration does not allow comments above a...
- Additional commits viewable in [compare view](https://github.com/squizlabs/PHP_CodeSniffer/compare/2.6.2...3.5.1)

Bumps squizlabs/php_codesniffer from 2.6.2 to 3.5.1. This update includes a security fix.