brave / security-action

Composite GitHub CI Action containing the minimal viable security lint for brave repositories
Mozilla Public License 2.0

chore(deps): update dependency brakeman to v6.2.1 #666

Closed renovate[bot] closed 3 months ago

renovate[bot] commented 3 months ago

Mend Renovate

This PR contains the following updates:

| Package | Change |
|---|---|
| brakeman (source, changelog) | `6.1.2` -> `6.2.1` |

Release Notes

presidentbeef/brakeman (brakeman)

### [v6.2.1](https://togithub.com/presidentbeef/brakeman/blob/HEAD/CHANGES.md#621---2024-08-22)

Just a packaging fix for brakeman.gem

### [v6.2.0](https://togithub.com/presidentbeef/brakeman/blob/HEAD/CHANGES.md#620---2024-08-22)

- Add `--show-ignored` option (Gabriel Zayas)
- Add optional support for Prism parser
- Warn about unscoped finds with `find_by!`
- Treat `::X` and `X` the same, for now (Jill Klang)
- Fix compatibility with default frozen string literals (Jean Boussier)
- Remediation advice for command injection (Nicholas Barone)
- Fix Ruby warnings in test suite (Jean Boussier)
- Support YAML aliases in secret configs (Chedli Bourguiba)
- Add initial Rails 8 support (Ron Shinall)
- Handle mass assignment with splats
- Add support for symbolic links (Lu Zhu)

Configuration

📅 Schedule: Branch creation - " 0-4 * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
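The release notes above list "Warn about unscoped finds with `find_by!`": Brakeman's unscoped-find check flags a lookup on a model class whose key comes from `params` (the classic direct-object-reference mistake) and stays quiet when the lookup is scoped through the current user. The block below is an added example, not Brakeman's code and not part of this repository; it reimplements that heuristic in miniature over Ruby's stdlib Ripper S-expressions, and both the finder list and the `AccountsController` source are constructed for it.

```ruby
require "ripper"
# Finders the check looks at; 6.2.0 added find_by! (list assumed, not Brakeman's).
UNSCOPED_FINDERS = %w[find find_by find_by!].freeze

# Constructed controller: show looks up by a user-supplied id on the class itself,
# edit scopes the same lookup through current_user.
CONTROLLER_SRC = <<~RUBY
  class AccountsController < ApplicationController
    def show
      @account = Account.find_by!(id: params[:id])
    end
    def edit
      @account = current_user.accounts.find_by!(id: params[:id])
    end
  end
RUBY

# Model-class receiver: bare or namespaced constant (Account, ::Account, A::B), not a :call chain.
def constant_receiver?(node)
  node.is_a?(Array) &&
    ((node[0] == :var_ref && node[1].is_a?(Array) && node[1][0] == :@const) ||
     %i[const_path_ref top_const_ref].include?(node[0]))
end

# True when the argument subtree contains the bare `params` call.
def references_params?(node)
  return false unless node.is_a?(Array)
  return true if node[0] == :vcall && node[1].is_a?(Array) &&
                 node[1][0] == :@ident && node[1][1] == "params"
  node.any? { |child| references_params?(child) }
end

# {method:, line:} per finder called on a model class with a params-derived argument.
# Model.find_by!(x) parses as [:method_add_arg, [:call, recv, dot, [:@ident, name, [line, col]]], args].
def unscoped_finds(source)
  tree = Ripper.sexp(source) or raise ArgumentError, "source does not parse"
  findings = []
  walk = lambda do |node|
    next unless node.is_a?(Array)
    if node[0] == :method_add_arg && node[1].is_a?(Array) && node[1][0] == :call
      _, recv, _dot, meth = node[1]
      if constant_receiver?(recv) && meth.is_a?(Array) && meth[0] == :@ident &&
         UNSCOPED_FINDERS.include?(meth[1]) && references_params?(node[2])
        findings << { method: meth[1], line: meth[2][0] }
      end
    end
    node.each { |child| walk.call(child) }
  end
  walk.call(tree)
  findings
end
```

Running `unscoped_finds(CONTROLLER_SRC)` reports only the `show` action's `find_by!` on line 3; the `edit` action's association-scoped call has a `:call` receiver and is not reported.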

github-actions[bot] commented 3 months ago

[puLL-Merge] - presidentbeef/brakeman@v6.1.2..v6.2.1

Here's my review of the pull request:

Description

This PR introduces several updates and new features to the Brakeman gem:

  1. Added support for Rails 8
  2. Implemented a new --show-ignored option
  3. Added support for the Prism parser
  4. Enhanced warning detection for unscoped finds with find_by!
  5. Improved handling of symbolic links
  6. Updated dependencies and compatibility fixes
Changes

  1. `.circleci/config.yml`:
     - Updated Ruby options for running tests
  2. `CHANGES.md`:
     - Added changelog entries for versions 6.2.0 and 6.2.1
  3. `Dockerfile`:
     - Updated base image to Ruby 3.3-alpine
  4. `OPTIONS.md` and `README.md`:
     - Added documentation for the new `--show-ignored` option
  5. `build.rb`:
     - Excluded 'strscan' from unshifted directories
  6. `gem_common.rb`:
     - Updated dependencies and added 'csv' as a development dependency
  7. `lib/brakeman.rb`:
     - Added `show_ignored` option to default options
  8. `lib/brakeman/app_tree.rb`:
     - Implemented support for symbolic links in file globbing
  9. `lib/brakeman/checks/check_session_settings.rb`:
     - Added support for YAML aliases in secrets config
  10. `lib/brakeman/checks/check_unscoped_find.rb`:
     - Added `find_by!` to the list of checked methods
  11. `lib/brakeman/file_parser.rb`:
     - Added optional support for the Prism parser
  12. `lib/brakeman/options.rb`:
     - Added options for Rails 8 and Prism parser support
  13. `lib/brakeman/parsers/erubis_patch.rb`:
     - Added patch for Erubis compatibility with frozen string literals
  14. Various test files:
     - Updated and added tests for new features and Rails 8 support

Possible Issues

Security Hotspots

None identified. The changes appear to enhance security by improving warning detection and adding support for newer Rails versions.