backdrop-contrib / coder_review

"Developer module" which reviews your code, identifying coding style problems and places where updates to the API are required.
GNU General Public License v2.0

Bump squizlabs/php_codesniffer from 1.5.6 to 2.8.1 #20

Open dependabot[bot] opened 2 years ago

dependabot[bot] commented 2 years ago

Bumps squizlabs/php_codesniffer from 1.5.6 to 2.8.1.

Release notes

Sourced from squizlabs/php_codesniffer's releases.

2.8.1

Security Advisory

  • This release contains a fix for a security advisory related to the improper handling of shell commands
    • Uses of shell_exec() and exec() were not escaping filenames and configuration settings in most cases
    • A properly crafted filename or configuration option would allow for arbitrary code execution when using some features
    • All users are encouraged to upgrade to this version, especially if you are checking 3rd-party code
      • e.g., you run PHPCS over libraries that you did not write
      • e.g., you provide a web service that runs PHPCS over user-uploaded files or 3rd-party repositories
      • e.g., you allow external tool paths to be set by user-defined values
    • If you are unable to upgrade but you check 3rd-party code, ensure you are not using the following features:
      • The diff report
      • The notify-send report
      • The Generic.PHP.Syntax sniff
      • The Generic.Debug.CSSLint sniff
      • The Generic.Debug.ClosureLinter sniff
      • The Generic.Debug.JSHint sniff
      • The Squiz.Debug.JSLint sniff
      • The Squiz.Debug.JavaScriptLint sniff
      • The Zend.Debug.CodeAnalyzer sniff
    • Thanks to Klaus Purer for the report

Other Changes

  • The PHP-supplied T_COALESCE_EQUAL token has been replicated for PHP versions before 7.2
  • PEAR.Functions.FunctionDeclaration now reports an error for blank lines found inside a function declaration
  • PEAR.Functions.FunctionDeclaration no longer reports indent errors for blank lines in a function declaration
  • Squiz.Functions.MultiLineFunctionDeclaration no longer reports errors for blank lines in a function declaration
    • It would previously report that only one argument is allowed per line
  • Squiz.Commenting.FunctionComment now corrects multi-line param comment padding more accurately
  • Squiz.Commenting.FunctionComment now properly fixes pipe-separated param types
  • Squiz.Commenting.FunctionComment now works correctly when function return types also contain a comment
    • Thanks to Juliette Reinders Folmer for the patch
  • Squiz.ControlStructures.InlineIfDeclaration now supports the elvis operator
    • As this is not a real PHP operator, it enforces no spaces between ? and : when the THEN statement is empty
  • Squiz.ControlStructures.InlineIfDeclaration is now able to fix the spacing errors it reports
  • Fixed bug #1340 : STDIN file contents not being populated in some cases
    • Thanks to David Biňovec for the patch
  • Fixed bug #1344 : PEAR.Functions.FunctionCallSignatureSniff throws error for blank comment lines
  • Fixed bug #1347 : PSR2.Methods.FunctionCallSignature strips some comments during fixing
    • Thanks to Algirdas Gurevicius for the patch
  • Fixed bug #1349 : Squiz.Strings.DoubleQuoteUsage.NotRequired message is badly formatted when string contains a CR newline char
    • Thanks to Algirdas Gurevicius for the patch
  • Fixed bug #1350 : Invalid Squiz.Formatting.OperatorBracket error when using namespaces
  • Fixed bug #1369 : Empty line in multi-line function declaration cause infinite loop

2.8.0

  • The Internal.NoCodeFound error is no longer generated for content sourced from STDIN
    • This should stop some Git hooks generating errors because PHPCS is trying to process the refs passed on STDIN
  • Squiz.Commenting.DocCommentAlignment now checks comments on class properties defined using the VAR keyword
    • Thanks to Klaus Purer for the patch
  • The getMethodParameters() method now recognises "self" as a valid type hint

... (truncated)

Commits
  • d7cf0d8 Prepare for 2.8.1 release
  • 254ced6 Escape the notify-send path when getting the version number
  • 029305e Code that uses shell_exec() and exec() now escapes cmds and args in case PHPC...
  • b7c84a0 PEAR.Functions.FunctionDeclaration now reports an error for blank lines found...
  • 244d084 Squiz.Functions.MultiLineFunctionDeclaration no longer reports errors for bla...
  • b7fdd3e PEAR.Functions.FunctionDeclaration no longer reports indent errors for blank ...
  • ca8f28c Adding missing test file
  • 69d07ba Added new test file
  • 63f0957 Squiz.ControlStructures.InlineIfDeclaration is now able to fix the spacing er...
  • 7a99e69 Squiz.ControlStructures.InlineIfDeclaration now supports the elvis operator (...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
  • `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
  • `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
  • `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/backdrop-contrib/coder_review/network/alerts).
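The 2.8.1 advisory quoted in the PR body names the bug class (filenames and configuration values reaching shell_exec()/exec() unescaped) but not the mechanism. The following is an added example written for this page; it is not PHPCS code and is not part of the Dependabot PR. It assumes a POSIX shell, a `php` binary on PATH and PHP 7.4 or later (for the array form of proc_open()). The hostile filename, the lintUnsafe/lintEscaped/lintNoShell functions and the buildCommand helper are all constructed for the demonstration; the "linter" being invoked is just `php -l`, standing in for the external tools the advisory lists (JSHint, CSSLint, notify-send and so on).

```php
<?php
declare(strict_types=1);

// Added example, not PHPCS code: why an unescaped filename (or tool path)
// passed to shell_exec()/exec() is a code-execution bug, and how to fix it.
// Assumes a POSIX shell, a `php` binary on PATH and PHP >= 7.4 (array proc_open).

// Constructed hostile input: on Linux/macOS a filename may legally contain
// `;` and spaces, so this is one file on disk, but a shell reads the path as
// two commands. A real payload would not be a harmless echo.
$dir  = sys_get_temp_dir() . '/phpcs-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$file = $dir . '/x.php; echo INJECTED';
file_put_contents($file, "<?php\necho 'hello';\n");

// Vulnerable pattern: the path is concatenated into the command line, so the
// shell executes `php -l <dir>/x.php` (which fails) and then `echo INJECTED`.
function lintUnsafe(string $path): string
{
    return (string) shell_exec('php -l ' . $path);
}

// Build a command line the safe way: escapeshellcmd() for the program (this is
// what a user-configurable tool path needs) and escapeshellarg() for every
// argument, so each argument reaches the program as exactly one word.
// Caveat: escapeshellcmd() does not escape spaces, so a tool path containing a
// space still needs validating (for example against an allowlist of tools).
function buildCommand(string $tool, array $args): string
{
    $quoted = array_map('escapeshellarg', $args);
    return escapeshellcmd($tool) . ' ' . implode(' ', $quoted);
}

function lintEscaped(string $path): string
{
    return (string) shell_exec(buildCommand('php', ['-l', $path]));
}

// Strongest fix: hand argv to proc_open() as an array. No shell is involved,
// so there is nothing to escape and metacharacters in $path are inert.
function lintNoShell(string $path): string
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['php', '-l', $path], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

echo "--- concatenation (vulnerable) ---\n", lintUnsafe($file), "\n";
echo "--- escapeshellcmd + escapeshellarg ---\n", lintEscaped($file), "\n";
echo "--- proc_open(array) ---\n", lintNoShell($file), "\n";

unlink($file);
rmdir($dir);
```

Run it with `php demo.php`. The first section shows the injected second command running; the other two lint the oddly named file as a single path. The array form of proc_open() is the preferable fix wherever PHP 7.4+ can be required, because it removes the shell from the picture entirely; the escapeshell* pair is the portable fix for code that must keep building a command string, and is the approach the 2.8.1 commits describe ("escapes cmds and args").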