🚨 [security] Update rubocop-rspec 2.27.1 → 3.0.1 (major)

[depfu[bot]]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rubocop-rspec (2.27.1 → 3.0.1) · Repo · Changelog

Release Notes

3.0.1

• Bump RuboCop requirement to +1.61. (@ydah)

3.0.0

• Remove extracted cops in Capybara, FactoryBot and Rails departments. (@ydah)
• Remove RuboCop::RSpec::Language::NodePattern. (@ydah)
• Remove RSpec/FilePath cop. (@ydah)
• Remove RSpec/Capybara/FeatureMethods cop. If you are using this cop, change it to use RSpec/Dialect. (@ydah)
• Add new RSpec/MissingExpectationTargetMethod cop. (@krororo)
• Fix an error for RSpec/ScatteredSetup when one of the hooks is an empty block. (@earlopain)

These previously pending cops are now enabled by default: RSpec/BeEmpty, RSpec/BeEq, RSpec/BeNil, RSpec/ChangeByZero, RSpec/ClassCheck, RSpec/ContainExactly, RSpec/DuplicatedMetadata, RSpec/EmptyMetadata, RSpec/EmptyOutput, RSpec/Eq, RSpec/ExcessiveDocstringSpacing, RSpec/ExpectInLet, RSpec/IdenticalEqualityAssertion, RSpec/IndexedLet, RSpec/IsExpectedSpecify, RSpec/MatchArray, RSpec/MetadataStyle, RSpec/NoExpectationExample, RSpec/PendingWithoutReason, RSpec/ReceiveMessages, RSpec/RedundantAround, RSpec/RedundantPredicateMatcher, RSpec/RemoveConst, RSpec/RepeatedSubjectCall, RSpec/SkipBlockInsideExample, RSpec/SortMetadata, RSpec/SpecFilePathFormat, RSpec/SpecFilePathSuffix, RSpec/SubjectDeclaration, RSpec/UndescriptiveLiteralsDescription, and RSpec/VerifiedDoubleReference.

Read more about how to upgrade in https://docs.rubocop.org/rubocop-rspec/upgrade_to_version_3.html

2.31.0

• Support AutoCorrect: contextual option for LSP. (@ydah)

2.30.0

• Add new RSpec/ExpectInLet cop. (@yasu551)

2.29.2

• Fix beginless and endless range bug for RepeatedIncludeExample cop. (@hasghari)
• Fix a false positive for RSpec/RepeatedSubjectCall when subject is used as argument to function call. (@K-S-A)

2.29.1

• Fix an error in the default configuration. (@ydah)

2.29.0

• Fix an autocorrect error for RSpec/ExpectActual. (@bquorning)
• Add new RSpec/UndescriptiveLiteralsDescription cop. (@ydah)
• Add new RSpec/EmptyOutput cop. (@bquorning)

2.28.0

• Extract RSpec Rails cops to a separate repository, rubocop-rspec_rails. The rubocop-rspec_rails repository is a dependency of rubocop-rspec and the cops related to rspec-rails are aliased (RSpec/Rails/Foo == RSpecRails/Foo) until v3.0 is released, so the change will be invisible to users until then. (@ydah)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ rubocop (1.63.4 → 1.64.1) · Repo · Changelog

Release Notes

1.64.1

Bug fixes

• #12951: Fix an error for Style/Copyright when AutocorrectNotice is missing. (@koic)
• #12932: Fix end position of diagnostic for LSP. (@ksss)
• #12926: Fix a false positive for Style/SuperArguments when the methods block argument is reassigned before super. (@earlopain)
• #12931: Fix false positives for Style/RedundantLineContinuation when line continuations involve break, next, or yield with a return value. (@koic)
• #12924: Fix false positives for Style/SendWithLiteralMethodName when public_send argument is a method name that cannot be autocorrected. (@koic)

1.64.0

New features

• #12904: Add new either_consistent SupportedShorthandSyntax to Style/HashSyntax. (@pawelma)
• #12842: Add new Style/SendWithLiteralMethodName cop. (@koic)
• #12309: Add new Style/SuperArguments cop. (@earlopain)
• #12917: Suggest correct formatter name for --format command line option. (@koic)
• #12242: Support AllowModifiersOnAttrs option for Style/AccessModifierDeclarations. (@krororo)
• #11585: Support AllowedMethods for Style/DocumentationMethod. (@koic)

Bug fixes

• #7189: Fix a false positive for Style/Copyright when using multiline copyright notice. (@koic)
• #12914: Fix a false negative for Layout/EmptyComment when using an empty comment next to code after comment line. (@koic)
• #12919: Fix false negatives for Style/ArgumentsForwarding when forward target is super. (@koic)
• #12923: Fix false negatives for Style/ArgumentsForwarding when forward target is safe navigation method. (@koic)
• #12894: Fix false positives for Style/MapIntoArray when using each without receiver with << to build an array. (@koic)
• #12876: Fix an error for the lockfile parser if a gemfile exists but a lockfile doesn't. (@earlopain)
• #12888: Fix --no-exclude-limit generating a todo with Max config instead of listing everything out with Exclude. (@earlopain)
• #12898: Fix an error for TargetRailsVersion when parsing from the lockfile with prerelease rails. (@earlopain)

Changes

• #12908: Add rubocop-rspec back to suggested extensions when rspec-rails is in use. (@pirj)
• #12884: Align output from cop.documentation_url with --show-docs-url when passing a config as argument. (@earlopain)
• #12905: Support ActiveSupportExtensionsEnabled for Style/SymbolProc. (@koic)
• #12897: Respect user's intentions with workspace/executeCommand LSP method. (@koic)

1.63.5

Bug fixes

• #12877: Fix an infinite loop error for Layout/FirstArgumentIndentation when specifying EnforcedStyle: with_fixed_indentation of Layout/ArrayAlignment. (@koic)
• #12873: Fix an error for Metrics/BlockLength when the CountAsOne config is invalid. (@koic)
• #12881: Fix incorrect autocorrect when Style/NumericPredicate is used with negations. (@fatkodima)
• #12882: Fix Layout/CommentIndentation for comment-only pattern matching. (@nekketsuuu)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ parallel (indirect, 1.24.0 → 1.25.1) · Repo

Commits

See the full diff on Github. The new version differs by 19 commits:

• v1.25.1
• Merge pull request #347 from Earlopain/speedup-windows-cpu
• Improve speed for `Get-CimInstance`
• v1.25.0
• Merge pull request #346 from Earlopain/drop-win32ole
• Add Ruby 3.3 to CI
• Bump `sqlite3` to solve compilation failures with latest lib
• Bump `actions/checkout` to v4
• Remove dependency on `win32ole`
• Merge pull request #344 from grosser/grosser/read
• example for proc usage
• Merge pull request #343 from grosser/grosser/bump
• rubocop: fix assignment in condition
• update rubocop
• fix rubocop
• update ruby requirements
• Merge pull request #341 from MITSUBOSHI/remove-unneeded-travis-env
• Remove unneeded ENV['TRAVIS'] from spec
• thx for the pr

↗️ parser (indirect, 3.3.1.0 → 3.3.3.0) · Repo · Changelog

Release Notes

3.3.2.0 (from changelog)

API modifications:

• Bump 3.3 branch to 3.3.2 (Ilya Bylich)
• Bump 3.1 branch to 3.1.6 (#1014) (Koichi ITO)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 11 commits:

• Update changelog.
• Bump version.
• * Bump maintenance branches to 3.3.3 (#1023)
• * Bump Racc to 1.8.0 (#1018)
• Update changelog.
• Update changelog.
• Bump version.
• bump actions/checkout to v4
• * Bump 3.3 branch to 3.3.2
• * Bump 3.1 branch to 3.1.6 (#1014)
• Update changelog.

↗️ racc (indirect, 1.7.3 → 1.8.0) · Repo · Changelog

Release Notes

1.8.0

What's Changed

• Generate jar to build gem by @nobu in #255
• Fix trivial typos by @ydah in #257
• Try to fix test failure with Ruby 3.3 by @hsbt in #260
• Reformat the rdoc so it renders correctly both locally and on github. by @zenspider in #258
• Allow racc cmdline to read from stdin if no path specified. by @zenspider in #259
• Add more grammars by @nurse in #222
• Exclude 2.5 on macos-latest by @nobu in #263
• Drop code for Ruby 1.6 by @nobu in #264
• Refactor command line options by @nobu in #265
• Change encode EUC-JP to UTF-8 by @ydah in #267
• Organize README.ja.rdoc by @ydah in #266
• Support error_on_expect_mismatch declaration in Racc grammar file by @yui-knk in #262
• Bump up v1.8.0 by @yui-knk in #268

New Contributors

• @ydah made their first contribution in #257
• @nurse made their first contribution in #222

Full Changelog: v1.7.3...v1.8.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 29 commits:

• Merge pull request #268 from yui-knk/v1.8.0
• Bump up v1.8.0
• Merge pull request #262 from yui-knk/support_expect_bang
• Support `error_on_expect_mismatch` declaration in Racc grammar file
• Merge pull request #266 from ydah/fix-readme-ja
• Merge pull request #267 from ydah/change-encode
• Change encode EUC-JP to UTF-8
• Update Racc link in README.ja.rdoc
• Change Requirement to match README.rdoc
• Merge pull request #265 from nobu/options
• Simplify `--runtime-version` option
• Make `--help` success
• Omit the default exit value
• Abort instead of puts and exit
• Merge pull request #264 from nobu/drop-ruby1.6
• Merge pull request #263 from nobu/old-version-on-macos
• Exclude 2.5 on macos-latest
• Drop code for Ruby 1.6
• Merge pull request #222 from nurse/add-more-grammars
• Merge pull request #259 from zenspider/zenspider/stdin
• Reformat the rdoc so it renders correctly both locally and on github.
• Allow racc cmdline to read from stdin if no path specified.
• Merge pull request #260 from ruby/try-to-fix-3-3
• Don't use bundle exec to avoid warning of Ruby 3.3
• Ignore jar artifact
• Remove stale code
• Merge pull request #257 from ydah/fix-typos
• Fix trivial typos
• Merge pull request #255 from nobu/build-java

↗️ regexp_parser (indirect, 2.9.0 → 2.9.2) · Repo · Changelog

Release Notes

2.9.2 (from changelog)

Fixed

• made the MFA requirement for changes to this gem visible on rubygems
  • thanks to Geremia Taglialatela

2.9.1 (from changelog)

Fixed

• fixed unnecessary $LOAD_PATH searches at load time
  • thanks to Koichi ITO

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

• Release v2.9.2
• Merge pull request #91 from tagliala/security/opt-in-for-mfa
• Opt-in for MFA requirement explicitly
• Merge pull request #92 from tagliala/chore/fix-typos
• Fix typos
• Release v2.9.1
• Unify CHANGELOG formatting
• Simplify path slightly
• Merge pull request #90 from koic/use_require_relative
• Use `require_relative` in the Regexp::Parser codebase

↗️ rexml (indirect, 3.2.6 → 3.3.0) · Repo · Changelog

Security Advisories 🚨

🚨 REXML contains a denial of service vulnerability

Impact

The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many <s in an attribute value.

If you need to parse untrusted XMLs, you many be impacted to this vulnerability.

Patches

The REXML gem 3.2.7 or later include the patch to fix this vulnerability.

Workarounds

Don't parse untrusted XMLs.

References

• https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/

Release Notes

3.3.0

Improvements

• Added support for strscan 0.7.0 installed with Ruby 2.6.
  • GH-142
  • Reported by Fernando Trigoso.

Thanks

• Fernando Trigoso

3.2.9

Improvements

• Added support for old strscan.

  • GH-132
  • Reported by Adam

• Improved attribute value parse performance.

  • GH-135
  • Patch by NAITOH Jun.

• Improved REXML::Node#each_recursive performance.

  • GH-134
  • GH-139
  • Patch by Hiroya Fujinami.

• Improved text parse performance.

  • Reported by mprogrammer.

Thanks

• Adam
• NAITOH Jun
• Hiroya Fujinami
• mprogrammer

3.2.8

Fixes

• Suppressed a warning

3.2.7

Improvements

• Improve parse performance by using StringScanner.

  • GH-106

  • GH-107

  • GH-108

  • GH-109

  • GH-112

  • GH-113

  • GH-114

  • GH-115

  • GH-116

  • GH-117

  • GH-118

  • GH-119

  • GH-121

  • Patch by NAITOH Jun.

• Improved parse performance when an attribute has many <s.

  • GH-124

Fixes

• XPath: Fixed a bug of normalize_space(array).

  • GH-110

  • GH-111

  • Patch by flatisland.

• XPath: Fixed a bug that wrong position is used with nested path.

  • GH-110

  • GH-122

  • Reported by jcavalieri.

  • Patch by NAITOH Jun.

• Fixed a bug that an exception message can't be generated for
  invalid encoding XML.

  • GH-29

  • GH-123

  • Reported by DuKewu.

  • Patch by NAITOH Jun.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 52 commits:

• Add 3.3.0 entry
• ci: don't use Ruby 2.5 for gem test
• Add support for strscan 0.7.0 installed with Ruby 2.6
• ci document: use the latest Ruby
• news: fix a typo
• Bump version
• Add 3.2.9 entry
• Improve text parse performance
• Improve `Node#each_recursive` performance (#139)
• test: reduce the number of rehearsal executions
• test: improve name
• benchmark: Remove non-parsing operations from the DOM case (#136)
• Optimize Source#read_until method (#135)
• Source#read_until: Add missing position move on all read
• Add missing encode for custom term
• Fix the NEWS.md and change PR reference that fixes CVE-2024-35176 (#133)
• Use /#{Regexp.escape}/ instead of Regexp.union
• Add support for old strscan
• Bump version
• Add 3.2.8 entry
• Remove an unused variable (#128)
• Suppress a warning
• ci: install only gems required for running tests (#129)
• Add missing Thanks section
• Bump version
• Add 3.2.7 entry
• Read quoted attributes in chunks (#126)
• Exclude older than 2.6 on macos-14
• Move development dependencies to Gemfile (#124)
• Fix a problem that parse exception message can't be generated for invalid encoding XML (#123)
• xpath: Fix wrong position with nested path (#122)
• Change `attribute.has_key?(name)` to ` attributes[name]`. (#121)
• Optimize the parse_attributes method to use `Source#match` to parse XML. (#119)
• Make the test suite compatible with `--enable-frozen-string-literal` (#120)
• Separate `IOSource#ensure_buffer` from `IOSource#match`. (#118)
• Remove `Source#string=` method (#117)
• source: Remove unnecessary string length comparisons in the case of string comparisons (#116)
• Use more StringScanner based API to parse XML (#114)
• test: Fix invalid XML with spaces before the XML declaration (#115)
• Stop specifying the gem version of strscan in benchmarks. (#113)
• Remove unnecessary checks in baseparser (#112)
• xpath: Fix normalize_space(array) case (#111)
• Change loop in parse_attributes to `while true`. (#109)
• Reduce calls to StringScanner.new() (#108)
• Use `@scanner << readline` instead of `@scanner.string = @scanner.rest + readline` (#107)
• Reduce calls to `Source#buffer`(`StringScanner#rest`) (#106)
• Use string scanner with baseparser (#105)
• Add parse benchmark (#104)
• Use reusing workflow for Ruby versions (#103)
• CI: Add ruby-3.3 (#102)
• build(deps): bump actions/checkout from 3 to 4 (#101)
• Bump version

🆕 strscan (added, 3.1.0)

🗑️ rubocop-capybara (removed)

🗑️ rubocop-factory_bot (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu[bot]]

Closed in favor of #496.