Vulnerabilities fixed
*Sourced from [The Sonatype OSS Index](https://ossindex.sonatype.org/vuln/ba52a15a-2b93-4015-a23f-cf186b286a5c).*
> **CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')**
> The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
>
> Affected versions: < 2.0.0, >= 1.0.0; < 2.8.1, >= 2.0.0
*Sourced from [The PHP Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories/blob/master/squizlabs/php_codesniffer/2017-03-01.yaml).*
> **Arbitrary shell execution**
>
> Affected versions: >=1.0.0, <2.0.0; >=2.0.0, <2.8.1
Release notes
*Sourced from [squizlabs/php_codesniffer's releases](https://github.com/squizlabs/PHP_CodeSniffer/releases).*
> ## 3.4.0
> ## Deprecations
>
> ### Generic.Formatting.NoSpaceAfterCast Sniff
>
> The `Generic.Formatting.NoSpaceAfterCast` sniff has been deprecated and will be removed in version 4.
>
> The functionality of this sniff is now available in the `Generic.Formatting.SpaceAfterCast` sniff. Include the `Generic.Formatting.SpaceAfterCast` sniff and set the `spacing` property to `0` to retain the existing functionality. As soon as possible, replace all instances of the old sniff code with the new sniff code and property setting in your ruleset.xml files. The existing sniff will continue to work until version 4 has been released.
>
> ## Other Changes
>
> * Rule include patterns in a ruleset.xml file are now evaluated as **OR** instead of **AND**
> * Previously, a file had to match every include pattern and no exclude patterns to be included
> * Now, a file must match at least one include pattern and no exclude patterns to be included
> * This is a bug fix as include patterns are already documented to work this way
> * New token `T_BITWISE_NOT` added for the bitwise not operator
> * This token was previously tokenized as `T_NONE`
> * Any sniffs specifically looking for `T_NONE` tokens with a tilde as the contents must now also look for `T_BITWISE_NOT`
> * Sniffs can continue looking for `T_NONE` as well as `T_BITWISE_NOT` to support older PHP_CodeSniffer versions
> * All types of binary casting are now tokenzied as `T_BINARY_CAST`
> * Previously, the `b` in `b"some string with $var"` would be a `T_BINARY_CAST`, but only when the string contained a var
> * This change ensures the `b` is always tokenized as `T_BINARY_CAST`
> * This change also converts `(binary)` from `T_STRING_CAST` to `T_BINARY_CAST`
> * Thanks to Juliette Reinders Folmer for the help with this patch
> * Array properties set inside a ruleset.xml file can now extend a previous value instead of always overwriting it
> * e.g., if you include a ruleset that defines forbidden functions, can you now add to that list instead of having to redefine it
> * To use this feature, add `extend="true"` to the property tag
> * e.g., ``
> * Thanks to Michael Moravec for the patch
> * If `$XDG_CACHE_HOME` is set and points to a valid directory, it will be used for caching instead of the system temp directory
> * PHPCBF now disables parallel running if you are passing content on STDIN
> * Stops an error from being shown after the fixed output is printed
> * The progress report now shows files with tokenizer errors as skipped (**S**) instead of a warning (**W**)
> * The tokenizer error is still displayed in reports as normal
> * Thanks to Juliette Reinders Folmer for the patch
> * The Squiz standard now ensures there is no space between an increment/decrement operator and its variable
> * The `File::getMethodParamaters()` method now includes a `has_body` array index in the return value
> * TRUE if the method has no body (as with abstract and interface methods) or FALSE otherwise
> * Thanks to Chris Wilkinson for the patch
> * The `File::getTokensAsString()` method now throws an exception if the `$start` param is invalid
> * If the `$length` param is invalid, an empty string will be returned
> * Stops an infinite loop when the function is passed invalid data
> * Thanks to Juliette Reinders Folmer for the patch
> * Added new `Generic.CodeAnalysis.EmptyPHPStatement` sniff
> * Warns when it finds empty PHP open/close tag combinations or superfluous semicolons
> * Thanks to Juliette Reinders Folmer for the contribution
> * Added new `Generic.Formatting.SpaceBeforeCast` sniff
> * Ensures there is exactly 1 space before a type cast, unless the cast statement is indented or mutli-line
> * Thanks to Juliette Reinders Folmer for the contribution
> * Added new `Generic.VersionControl.GitMergeConflict` sniff
> ... (truncated)
Commits
- [`379deb9`](https://github.com/squizlabs/PHP_CodeSniffer/commit/379deb987e26c7cd103a7b387aea178baec96e48) Prepare for 3.4.0 release
- [`802470d`](https://github.com/squizlabs/PHP_CodeSniffer/commit/802470def82ff28bd29f8c6d9977bb1d1b70ffa6) Merge branch 'patch-1' of https://github.com/diegocardoso93/PHP_CodeSniffer
- [`4274b5a`](https://github.com/squizlabs/PHP_CodeSniffer/commit/4274b5a139f0305443ed1b6709448bb9b3a45a4f) PHPCBF now disables parallel running if you are passing content on STDIN
- [`1784eb4`](https://github.com/squizlabs/PHP_CodeSniffer/commit/1784eb4077f393e64786d10e32f7fe8f7e29e228) Various documentation fixes
- [`fa614f6`](https://github.com/squizlabs/PHP_CodeSniffer/commit/fa614f64bda6cc4f405d33d8a4befbc29f7f09ba) PSR2 rulesets: improve inline documentation
- [`ab6caa0`](https://github.com/squizlabs/PHP_CodeSniffer/commit/ab6caa0a7e23bbe48d8a12c5c7a3c2f1ab1dad9e) Changelog + minor error message change for [#2234](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2234)
- [`aed6c39`](https://github.com/squizlabs/PHP_CodeSniffer/commit/aed6c397d1119c1c7ab43ccca46f7b3c4086117d) Merge branch 'feature/2057-generic-spaceaftercast-adjustable-spacing' of http...
- [`698847b`](https://github.com/squizlabs/PHP_CodeSniffer/commit/698847b3d9d4bb6f9e91f5b111aa5a245a928ad5) Changelog + minor error message change for [#2233](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2233)
- [`67103d7`](https://github.com/squizlabs/PHP_CodeSniffer/commit/67103d736d68ef8bbde97f53a3bcdf8be4024bdf) Merge branch 'feature/2057-generic-spaceafternot-adjustable-spacing' of https...
- [`08020e3`](https://github.com/squizlabs/PHP_CodeSniffer/commit/08020e360d258148b6e0f94a5c783a505ba498e5) Typo
- Additional commits viewable in [compare view](https://github.com/squizlabs/PHP_CodeSniffer/compare/1.5.6...3.4.0)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.
You can always request more updates by clicking Bump now in your Dependabot dashboard.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Finally, you can contact us by mentioning @dependabot.
Bumps squizlabs/php_codesniffer from 1.5.6 to 3.4.0. This update includes security fixes.
Vulnerabilities fixed
*Sourced from [The Sonatype OSS Index](https://ossindex.sonatype.org/vuln/ba52a15a-2b93-4015-a23f-cf186b286a5c).* > **CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')** > The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. > > Affected versions: < 2.0.0, >= 1.0.0; < 2.8.1, >= 2.0.0 *Sourced from [The PHP Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories/blob/master/squizlabs/php_codesniffer/2017-03-01.yaml).* > **Arbitrary shell execution** > > Affected versions: >=1.0.0, <2.0.0; >=2.0.0, <2.8.1Release notes
*Sourced from [squizlabs/php_codesniffer's releases](https://github.com/squizlabs/PHP_CodeSniffer/releases).* > ## 3.4.0 > ## Deprecations > > ### Generic.Formatting.NoSpaceAfterCast Sniff > > The `Generic.Formatting.NoSpaceAfterCast` sniff has been deprecated and will be removed in version 4. > > The functionality of this sniff is now available in the `Generic.Formatting.SpaceAfterCast` sniff. Include the `Generic.Formatting.SpaceAfterCast` sniff and set the `spacing` property to `0` to retain the existing functionality. As soon as possible, replace all instances of the old sniff code with the new sniff code and property setting in your ruleset.xml files. The existing sniff will continue to work until version 4 has been released. > > ## Other Changes > > * Rule include patterns in a ruleset.xml file are now evaluated as **OR** instead of **AND** > * Previously, a file had to match every include pattern and no exclude patterns to be included > * Now, a file must match at least one include pattern and no exclude patterns to be included > * This is a bug fix as include patterns are already documented to work this way > * New token `T_BITWISE_NOT` added for the bitwise not operator > * This token was previously tokenized as `T_NONE` > * Any sniffs specifically looking for `T_NONE` tokens with a tilde as the contents must now also look for `T_BITWISE_NOT` > * Sniffs can continue looking for `T_NONE` as well as `T_BITWISE_NOT` to support older PHP_CodeSniffer versions > * All types of binary casting are now tokenzied as `T_BINARY_CAST` > * Previously, the `b` in `b"some string with $var"` would be a `T_BINARY_CAST`, but only when the string contained a var > * This change ensures the `b` is always tokenized as `T_BINARY_CAST` > * This change also converts `(binary)` from `T_STRING_CAST` to `T_BINARY_CAST` > * Thanks to Juliette Reinders Folmer for the help with this patch > * Array properties set inside a ruleset.xml file can now extend a previous value instead of always overwriting it > * e.g., if you include a ruleset that defines forbidden functions, can you now add to that list instead of having to redefine it > * To use this feature, add `extend="true"` to the property tag > * e.g., `Commits
- [`379deb9`](https://github.com/squizlabs/PHP_CodeSniffer/commit/379deb987e26c7cd103a7b387aea178baec96e48) Prepare for 3.4.0 release - [`802470d`](https://github.com/squizlabs/PHP_CodeSniffer/commit/802470def82ff28bd29f8c6d9977bb1d1b70ffa6) Merge branch 'patch-1' of https://github.com/diegocardoso93/PHP_CodeSniffer - [`4274b5a`](https://github.com/squizlabs/PHP_CodeSniffer/commit/4274b5a139f0305443ed1b6709448bb9b3a45a4f) PHPCBF now disables parallel running if you are passing content on STDIN - [`1784eb4`](https://github.com/squizlabs/PHP_CodeSniffer/commit/1784eb4077f393e64786d10e32f7fe8f7e29e228) Various documentation fixes - [`fa614f6`](https://github.com/squizlabs/PHP_CodeSniffer/commit/fa614f64bda6cc4f405d33d8a4befbc29f7f09ba) PSR2 rulesets: improve inline documentation - [`ab6caa0`](https://github.com/squizlabs/PHP_CodeSniffer/commit/ab6caa0a7e23bbe48d8a12c5c7a3c2f1ab1dad9e) Changelog + minor error message change for [#2234](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2234) - [`aed6c39`](https://github.com/squizlabs/PHP_CodeSniffer/commit/aed6c397d1119c1c7ab43ccca46f7b3c4086117d) Merge branch 'feature/2057-generic-spaceaftercast-adjustable-spacing' of http... - [`698847b`](https://github.com/squizlabs/PHP_CodeSniffer/commit/698847b3d9d4bb6f9e91f5b111aa5a245a928ad5) Changelog + minor error message change for [#2233](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2233) - [`67103d7`](https://github.com/squizlabs/PHP_CodeSniffer/commit/67103d736d68ef8bbde97f53a3bcdf8be4024bdf) Merge branch 'feature/2057-generic-spaceafternot-adjustable-spacing' of https... - [`08020e3`](https://github.com/squizlabs/PHP_CodeSniffer/commit/08020e360d258148b6e0f94a5c783a505ba498e5) Typo - Additional commits viewable in [compare view](https://github.com/squizlabs/PHP_CodeSniffer/compare/1.5.6...3.4.0)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.
You can always request more updates by clicking
Bump nowin your Dependabot dashboard.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot.