WyriHaximus / reactphp-child-process-pool

MIT License

[Security] Bump squizlabs/php_codesniffer from 1.5.6 to 3.3.2 #17

Closed dependabot-preview[bot] closed 5 years ago

dependabot-preview[bot] commented 5 years ago

Bumps squizlabs/php_codesniffer from 1.5.6 to 3.3.2. This update includes security fixes.

Vulnerabilities fixed

*Sourced from [The Sonatype OSS Index](https://ossindex.sonatype.org/vuln/ba52a15a-2b93-4015-a23f-cf186b286a5c).*

> **CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')**
> The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
>
> Affected versions: < 2.0.0, >= 1.0.0; < 2.8.1, >= 2.0.0

*Sourced from [The PHP Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories/blob/master/squizlabs/php_codesniffer/2017-03-01.yaml).*

> **Arbitrary shell execution**
>
> Affected versions: >=1.0.0, <2.0.0; >=2.0.0, <2.8.1

Release notes

*Sourced from [squizlabs/php_codesniffer's releases](https://github.com/squizlabs/PHP_CodeSniffer/releases).*

> ## 3.3.2
> * Fixed a problem where the report cache was not being cleared when the sniffs inside a standard were updated
> * The info report (`--report=info`) now has improved formatting for metrics that span multiple lines
>   * Thanks to Juliette Reinders Folmer for the patch
> * The unit test runner now skips `.bak` files when looking for test cases
>   * Thanks to Juliette Reinders Folmer for the patch
> * The Squiz standard now ensures underscores are not used to indicate visibility of private member vars and methods
>   * Previously, this standard enforced the use of underscores
> * `Generic.PHP.NoSilencedErrors` error messages now contain a code snippet to show the context of the error
>   * Thanks to Juliette Reinders Folmer for the patch
> * `Squiz.Arrays.ArrayDeclaration` no longer reports errors for a comma on a new line after a here/nowdoc
>   * Also stops a parse error being generated when auto-fixing
>   * The `SpaceBeforeComma` error message has been changed to only have one data value instead of two
> * `Squiz.Commenting.FunctionComment` no longer errors when trying to fix indents of multi-line param comments
> * `Squiz.Formatting.OperatorBracket` now correctly fixes statements that contain strings
> * `Squiz.PHP.CommentedOutCode` now ignores more `@`-style annotations and includes better comment block detection
>   * Thanks to Juliette Reinders Folmer for the patch
> * Fixed a problem where referencing a relative file path in a ruleset XML file could add unnecessary sniff exclusions
>   * This didn't actually exclude anything, but caused verbose output to list strange exclusion rules
> * Fixed bug [#2110](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2110) : Squiz.WhiteSpace.FunctionSpacing is removing indents from the start of functions when fixing
>   * Thanks to Juliette Reinders Folmer for the patch
> * Fixed bug [#2115](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2115) : Squiz.Commenting.VariableComment not checking var types when the `@var` line contains a comment
> * Fixed bug [#2120](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2120) : Tokenizer fails to match T_INLINE_ELSE when used after function call containing closure
> * Fixed bug [#2121](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2121) : Squiz.PHP.DisallowMultipleAssignments false positive in while loop conditions
>   * Thanks to Juliette Reinders Folmer for the patch
> * Fixed bug [#2127](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2127) : File::findExtendedClassName() doesn't support nested classes
>   * Thanks to Juliette Reinders Folmer for the patch
> * Fixed bug [#2138](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2138) : Tokenizer detects wrong token for php ::class feature with spaces
> * Fixed bug [#2143](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2143) : PSR2.Namespaces.UseDeclaration does not properly fix "use function" and "use const" statements
>   * Thanks to Chris Wilkinson for the patch
> * Fixed bug [#2144](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2144) : Squiz.Arrays.ArrayDeclaration does incorrect align calculation in array with cyrillic keys
> * Fixed bug [#2146](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2146) : Zend.Files.ClosingTag removes closing tag from end of file without inserting a semicolon
> * Fixed bug [#2151](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2151) : XML schema not updated with the new array property syntax
>
> ## 3.3.1
>
> ## HHVM Support Dropped
> Support for HHVM has been dropped due to recent unfixed bugs and HHVM's refocus on Hack only. Thanks to Walt Sorensen and Juliette Reinders Folmer for helping to remove all HHVM exceptions from the core.
>
> ## Other Changes
> * The `full` report (the default report) now has improved word wrapping for multi-line messages and sniff codes
>   * Thanks to Juliette Reinders Folmer for the patch
> * The `summary` report now sorts files based on their directory location instead of just a basic string sort
>   * Thanks to Juliette Reinders Folmer for the patch
> * The `source` report now orders error codes by name when they have the same number of errors
>   * Thanks to Juliette Reinders Folmer for the patch
> * The `junit` report no longer generates validation errors with the Jenkins xUnit plugin
>   * Thanks to Nikolay Geo for the patch
> * `Generic.Commenting.DocComment` no longer generates the `SpacingBeforeTags` error if tags are the first content in the docblock
>   * The sniff will still generate a `MissingShort` error if there is no short comment
>   * This allows the `MissingShort` error to be suppressed in a ruleset to make short descriptions optional
> ... (truncated)

Commits

- [`6ad2835`](https://github.com/squizlabs/PHP_CodeSniffer/commit/6ad28354c04b364c3c71a34e4a18b629cc3b231e) Prepare for 3.3.2 release
- [`632c8f3`](https://github.com/squizlabs/PHP_CodeSniffer/commit/632c8f395b16bf8ceeaab8b16a500a70fac7473b) Fix typos in code comments and documentation
- [`e64a980`](https://github.com/squizlabs/PHP_CodeSniffer/commit/e64a980f7bc5a68a4d720e3e74f68d3997bf919e) Fixed bug [#2146](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2146) : Zend.Files.ClosingTag removes closing tag from end of file ...
- [`cc5c930`](https://github.com/squizlabs/PHP_CodeSniffer/commit/cc5c930e7566dac14fbbf40e0557d707969fde5f) Fixed bug [#2151](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2151) : XML schema not updated with the new array property syntax
- [`32351dd`](https://github.com/squizlabs/PHP_CodeSniffer/commit/32351dd7f7b2582587b8582888ab00108dee6b27) Fixed bug [#2144](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2144) : Squiz.Arrays.ArrayDeclaration does incorrect align calculat...
- [`b0ee3ee`](https://github.com/squizlabs/PHP_CodeSniffer/commit/b0ee3ee6ca2eb72b3f68e1f2bde5578ee0ac1506) Changelog for [#2143](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2143)
- [`c4062af`](https://github.com/squizlabs/PHP_CodeSniffer/commit/c4062af472f11b21c7668e7a518270cacd0740a3) Merge branch 'use-function-const' of https://github.com/thewilkybarkid/PHP_Co...
- [`2908150`](https://github.com/squizlabs/PHP_CodeSniffer/commit/2908150b78965726147f9849e4169cde482083a0) Stop function and const being lost in UseDeclarationSniff
- [`a06ff3b`](https://github.com/squizlabs/PHP_CodeSniffer/commit/a06ff3b2893f4374e6e4c7c5dc4a0ef606d177ee) Squiz.Arrays.ArrayDeclaration no longer reports errors for a comma on a line ...
- [`a874a64`](https://github.com/squizlabs/PHP_CodeSniffer/commit/a874a6490084d99fcf89de03f0f0126f769cf606) Changelog for [#2139](https://github-redirect.dependabot.com/squizlabs/PHP_CodeSniffer/issues/2139)
- Additional commits viewable in [compare view](https://github.com/squizlabs/PHP_CodeSniffer/compare/1.5.6...3.3.2)



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

You can always request more updates by clicking Bump now in your Dependabot dashboard.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.