Vulnerabilities fixed
*Sourced from [The PHP Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories/blob/master/squizlabs/php_codesniffer/2017-03-01.yaml).*
> **Arbitrary shell execution**
>
> Affected versions: >=1.0.0, <2.0.0; >=2.0.0, <2.8.1
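The advisory quoted above gives nothing beyond its title and the affected ranges, so the practical check for a project is whether the version it actually locks falls inside those ranges: 2.6.2, the version this PR moves away from, sits inside the second range, and 2.8.1 is the first release outside it, so 3.5.2 passes. The script below is an added example, not code from Dependabot, from PHP_CodeSniffer or from the original PR. It parses the range expression exactly as printed in the advisory and tests it against a composer.lock fragment; that fragment is constructed for the example, and the package name as it appears in composer.lock and the treatment of pre-release suffixes (counted as older than the matching final release, so a release candidate of the fixed version is still reported as affected) are assumptions of the example.

```python
import json
import re

# Affected ranges exactly as listed in the advisory quoted above.
# Semicolons separate alternative ranges; commas join constraints within one range.
AFFECTED = ">=1.0.0, <2.0.0; >=2.0.0, <2.8.1"

# Constructed composer.lock fragment for the example (not any project's real lock file);
# the locked version is the "from" version of this PR.
SAMPLE_LOCK = json.dumps({
    "packages": [],
    "packages-dev": [
        {"name": "squizlabs/php_codesniffer", "version": "2.6.2"},
        {"name": "phpunit/phpunit", "version": "5.7.27"},
    ],
})

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(text):
    """Turn '2.8.1', 'v3.5.2' or '3.0.0RC1' into a comparable 4-tuple.

    The first three numeric components are kept (missing ones become 0).
    The fourth element is 0 for a final release and -1 when a suffix such
    as 'RC1' follows the numbers, so a pre-release sorts below the final
    release it precedes.  Assumption of the example: that is the safe
    choice for a fix check, because the pre-release may lack the fix.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)", text.strip())
    if m is None:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")][:3]
    while len(parts) < 3:
        parts.append(0)
    prerelease = -1 if m.group(2).strip() else 0
    return tuple(parts) + (prerelease,)


def parse_constraint(text):
    """Split '>=2.0.0' into (comparison function, version tuple)."""
    m = re.fullmatch(r"\s*(>=|<=|==|>|<)\s*(\S+)\s*", text)
    if m is None:
        raise ValueError(f"unrecognised constraint: {text!r}")
    return _OPS[m.group(1)], parse_version(m.group(2))


def is_affected(version, ranges=AFFECTED):
    """True if `version` satisfies every constraint of at least one range."""
    v = parse_version(version)
    for rng in ranges.split(";"):
        constraints = [parse_constraint(c) for c in rng.split(",") if c.strip()]
        if constraints and all(op(v, bound) for op, bound in constraints):
            return True
    return False


def check_lock(lock_text, package="squizlabs/php_codesniffer", ranges=AFFECTED):
    """Return (locked_version, affected) for `package` in a composer.lock,
    or (None, False) if the package is not locked in either section."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name") == package:
                version = entry["version"]
                return version, is_affected(version, ranges)
    return None, False


if __name__ == "__main__":
    locked, bad = check_lock(SAMPLE_LOCK)
    print(f"{locked}: {'AFFECTED' if bad else 'ok'}")
```

Run against the constructed lock the script reports 2.6.2 as affected; swapping in 3.5.2 reports ok. Two caveats for anyone merging this PR: the range check only confirms that the advisory is closed, and the jump from 2.6.2 to 3.5.2 crosses a major version, so the compare view linked under Commits below should be reviewed for changes to the standards and sniff names a project's ruleset relies on.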
Release notes
*Sourced from [squizlabs/php_codesniffer's releases](https://github.com/squizlabs/PHP_CodeSniffer/releases).*
> ## 3.5.2
> * Generic.ControlStructures.DisallowYodaConditions now returns fewer false positives
>   * False positives were being returned for array comparisons, or when performing some function calls
> * Squiz.WhiteSpace.SemicolonSpacing.Incorrect error message now escapes newlines and tabs
>   * Provides a clearer error message as whitespace is now visible
>   * Also allows for better output for report types such as CSV and XML
> * The error message for PSR12.Files.FileHeader.SpacingAfterBlock has been made clearer
>   * It now uses the wording from the published PSR-12 standard to indicate that blocks must be separated by a blank line
>   * Thanks to Craig Duncan for the patch
> * Fixed bug [#2654](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2654) : Incorrect indentation for arguments of multiline function calls
> * Fixed bug [#2656](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2656) : Squiz.WhiteSpace.MemberVarSpacing removes comments before first member var during auto fixing
>   * Thanks to Juliette Reinders Folmer for the patch
> * Fixed bug [#2663](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2663) : Generic.NamingConventions.ConstructorName complains about old constructor in interfaces
> * Fixed bug [#2664](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2664) : PSR12.Files.OpenTag incorrectly identifies PHP file with only an opening tag
> * Fixed bug [#2665](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2665) : PSR12.Files.ImportStatement should not apply to traits
> * Fixed bug [#2673](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2673) : PSR12.Traits.UseDeclaration does not allow comments or blank lines between use statements
>
> ## 3.5.1
> * Very very verbose diff report output has slightly changed to improve readability
>   * Output is printed when running PHPCS with the `--report=diff` and `-vvv` command line arguments
>   * Fully qualified class names have been replaced with sniff codes
>   * Tokens being changed now display the line number they are on
> * PSR2, PSR12, and PEAR standards now correctly check for blank lines at the start of function calls
>   * This check has been missing from these standards, but has now been implemented
>   * When using the PEAR standard, the error code is `PEAR.Functions.FunctionCallSignature.FirstArgumentPosition`
>   * When using PSR2 or PSR12, the error code is `PSR2.Methods.FunctionCallSignature.FirstArgumentPosition`
> * `PSR12.ControlStructures.BooleanOperatorPlacement` no longer complains when multiple expressions appear on the same line
>   * Previously, boolean operators were enforced to appear at the start or end of lines only
>   * Boolean operators can now appear in the middle of the line
> * `PSR12.Files.FileHeader` no longer ignores comments preceding a `use`, `namespace`, or `declare` statement
> * `PSR12.Files.FileHeader` now allows a hashbang line at the top of the file
> * Fixed bug [#2506](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2506) : PSR2 standard can't auto fix multi-line function call inside a string concat statement
> * Fixed bug [#2530](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2530) : PEAR.Commenting.FunctionComment does not support intersection types in comments
> * Fixed bug [#2615](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2615) : Constant visibility false positive on non-class constants
> * Fixed bug [#2616](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2616) : PSR12.Files.FileHeader false positive when file only contains docblock
> * Fixed bug [#2619](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2619) : PSR12.Files.FileHeader locks up when inline comment is the last content in a file
> * Fixed bug [#2621](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2621) : PSR12.Classes.AnonClassDeclaration.CloseBraceSameLine false positive for anon class passed as function argument
>   * Thanks to Martins Sipenko for the patch
> * Fixed bug [#2623](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2623) : PSR12.ControlStructures.ControlStructureSpacing not ignoring indentation inside multi-line string arguments
> * Fixed bug [#2624](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2624) : PSR12.Traits.UseDeclaration doesn't apply the correct indent during auto fixing
> * Fixed bug [#2626](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2626) : PSR12.Files.FileHeader detects @var annotations as file docblocks
> * Fixed bug [#2628](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2628) : PSR12.Traits.UseDeclaration does not allow comments above a USE declaration
> * Fixed bug [#2632](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2632) : Incorrect indentation of lines starting with "static" inside closures
> * Fixed bug [#2641](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2641) : PSR12.Functions.NullableTypeDeclaration false positive when using new static()
>
> ## 3.5.0
> ## PSR-12 Standard Ready
>
> PHP_CodeSniffer has included an in-progress PSR-12 standard since 3.3.0, but this release includes the completed standard. You can now check your code using the PSR-12 standard:
> ```
> ... (truncated)
Commits
- [`65b12cd`](https://github.com/squizlabs/PHP_CodeSniffer/commit/65b12cdeaaa6cd276d4c3033a95b9b88b12701e7) Prepare for 3.5.2 release
- [`4d4c38c`](https://github.com/squizlabs/PHP_CodeSniffer/commit/4d4c38c096315b92d39a1bbb3f7a1334212d30e1) Fixed bug [#2673](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2673) : PSR12.Traits.UseDeclaration does not allow comments or blan...
- [`f6732bc`](https://github.com/squizlabs/PHP_CodeSniffer/commit/f6732bc2918ab24ba80a7d14dd800179e973aed3) PHPCS doesn't use yoda conditions, so disallow them in the standard
- [`80a7c03`](https://github.com/squizlabs/PHP_CodeSniffer/commit/80a7c037f11d700b0d1c8838d2e3c3cc5ea229b0) Fixed coding standard error
- [`cc1069d`](https://github.com/squizlabs/PHP_CodeSniffer/commit/cc1069d03d44971587051b175846688bef24b4c9) Fixed bug [#2665](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2665) : PSR12.Files.ImportStatement should not apply to traits
- [`35256b6`](https://github.com/squizlabs/PHP_CodeSniffer/commit/35256b62d0169d87ac0eb9bf9b8fdaeff80f44ee) Fixed bug [#2663](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2663) : Generic.NamingConventions.ConstructorName complains about o...
- [`e7b0cce`](https://github.com/squizlabs/PHP_CodeSniffer/commit/e7b0cce823ed2922e7d7106b92712dedb5c61125) Generic.ControlStructures.DisallowYodaConditions now returns less false posit...
- [`f2b6798`](https://github.com/squizlabs/PHP_CodeSniffer/commit/f2b6798d9ba5670cd3b36569defe7981c5f68848) Fixed bug [#2664](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2664) : PSR12.Files.OpenTag incorrectly identifies PHP file with on...
- [`ae3aae4`](https://github.com/squizlabs/PHP_CodeSniffer/commit/ae3aae46a11e3978f088552160ccca13a01b28e1) Correct the return type of process when jumping to the end of the tokens
- [`1a36e9f`](https://github.com/squizlabs/PHP_CodeSniffer/commit/1a36e9fd6c126d5c7383df4ddce4abd9188ec5e4) Changelog for [#2660](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2660)
- Additional commits viewable in [compare view](https://github.com/squizlabs/PHP_CodeSniffer/compare/2.6.2...3.5.2)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Bumps squizlabs/php_codesniffer from 2.6.2 to 3.5.2. This update includes a security fix.