
🚨 [security] Update rubocop-rails 2.27.0 → 2.30.1 (minor) #560

Closed

Conversation

depfu[bot] (Contributor) commented Feb 18, 2025


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rubocop-rails (2.27.0 → 2.30.1) · Repo · Changelog

Release Notes

2.30.1

Bug fixes

  • #1442: Fix an incorrect behavior when using AllCops: TargetRailsVersion. (@koic)
  • #1444: Fix an incorrect behavior when using AllCops: MigratedSchemaVersion. (@koic)

2.30.0

New features

Bug fixes

  • #1071: Fix Rails/FilePath cop to correctly handle File.join with variables and ignore leading and multiple slashes in string literal arguments for Rails.root.join and File.join. (@ydakuka)
  • #912: Enhance Rails/Delegate by adding delegation detection for self.class, constants, class variables, global variables, and instance variables. (@ydakuka)

2.29.1

Bug fixes

  • #1423: Fix an error for Rails/StrongParametersExpect when using permit with no arguments. (@koic)
  • #1417: Fix an incorrect autocorrect for Rails/StrongParametersExpect when using a leading dot multiline call to require with permit. (@koic)
  • #1356: Enhance Rails/DuplicateAssociation to handle alias. (@ydakuka)
  • #1389: Handle TypeError caused by passing array literals as arguments to File methods in Rails/FilePath cop. (@ydakuka)
  • #1389: Handle TypeError caused by passing array literals as arguments to File methods in Rails/RootPathnameMethods cop. (@ydakuka)
  • #1228: Enhance Rails/SaveBang to properly handle instance variables. (@ydakuka)

2.29.0

New features

  • #1407: Add new Rails/MultipleRoutePaths cop. (@koic)
  • #1358: Add new Rails/StrongParametersExpect cop. (@koic)

Bug fixes

  • #1409: Fix an error for Rails/ReversibleMigration when calling drop_table without any arguments. (@earlopain)
  • #1397: Fix an incorrect autocorrect for Rails/TimeZone when Time.new has a string argument. (@mterada1228)
  • #1406: Fix autocorrection for Rails/IndexBy and Rails/IndexWith when map { ... }.to_h is enclosed in another block. (@franzliedke, @eugeneius)
  • #1404: Update Rails/IndexBy and Rails/IndexWith to support numbered block parameters. (@eugeneius)
  • #1405: Fix autocorrection for Rails/IndexWith when the value is a hash literal without braces. (@koic, @eugeneius)
  • #1414: Fix Rails/HttpPositionalArguments cop false positives with arguments forwarding. (@viralpraxis)

Changes

  • #1410: Make registered cops aware of AllCops: MigratedSchemaVersion. (@koic)

2.28.0

New features

  • #1383: Introduce AllCops: MigratedSchemaVersion config. (@koic)

Bug fixes

  • #1390: Fix an incorrect autocorrect for Rails/SelectMap when select has no receiver and method chains are used. (@masato-bkn)
  • #1382: Fix false negatives for Rails/RedundantActiveRecordAllMethod when using all method in block. (@masato-bkn)
  • #1397: Fix Rails/FilePath cop error on join method with implicit receiver. (@viralpraxis)
  • #1398: Fix Rails/FilePath cop error in case of extra operations in Rails.root interpolation. (@viralpraxis)
  • #1392: Fix Rails/FilePath cop error with rescued Rails.root. (@viralpraxis)

Changes

  • #1388: Modify Rails/Pluck to ignore map/collect when used inside blocks to prevent potential N+1 queries. (@masato-bkn)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ rubocop (1.71.1 → 1.72.2) · Repo · Changelog

Release Notes

1.72.2

Bug fixes

  • #13853: Fix exclusion of relative paths in plugin's AllCops: Exclude as expected. (@koic)
  • #13844: Fix an error for Style/RedundantFormat when a template argument is used without keyword arguments. (@koic)
  • #13857: Fix an error for Style/RedundantFormat when numeric placeholders are used in the template argument. (@koic)
  • #13861: Fix ArgumentError related to two deprecated AllowedPattern APIs. (@koic)
  • #13849: Fix an error for Lint/UselessConstantScoping when assigning to multiple constants after a private access modifier. (@koic)
  • #13856: Fix false positives for Lint/UselessConstantScoping when a constant is used after private access modifier with arguments. (@koic)

Changes

  • #13846: Mark Style/RedundantFormat as unsafe autocorrect. (@koic)

1.72.1

Bug fixes

  • #13836: Fix an error for Style/RedundantParentheses when a different expression appears before a range literal. (@koic)
  • #13839: Fix false positives for Lint/RedundantTypeConversion when passing block arguments when generating a Hash or a Set. (@koic)

Changes

  • #13839: Extension plugin is loaded automatically with require 'rubocop/rspec/support'. (@koic)

1.72.0

New features

  • #13740: Add new Lint/CopDirectiveSyntax cop. (@kyanagi)
  • #13800: Add new Lint/SuppressedExceptionInNumberConversion cop. (@koic)
  • #13702: Add new Lint/RedundantTypeConversion cop. (@dvandersluis)
  • #13831: Add new Lint/UselessConstantScoping cop. (@koic)
  • #13793: Add new Style/RedundantFormat cop to check for uses of format or sprintf with only a single string argument. (@dvandersluis)
  • #13581: Add new InternalAffairs/LocationExists cop to check for code that can be replaced with Node#loc? or Node#loc_is?. (@dvandersluis)
  • #13661: Make server mode detect local paths in .rubocop.yml under inherit_from and require so that it restarts automatically. (@koic)
  • #13721: Naming/PredicateName: Optionally use Sorbet to detect predicate methods. (@issyl0)
  • #6012: Support RuboCop extension plugin. (@koic)

Bug fixes

  • #13807: Fix false negatives for Style/RedundantParentheses when chaining [] method calls. (@koic)
  • #13788: Fix false negatives for Style/RedundantParentheses when [] method is called with variable or constant receivers. (@koic)
  • #13811: Fix false negatives for Style/RedundantParentheses when handling range literals with redundant parentheses. (@koic)
  • #13796: Fix crash in Layout/EmptyLinesAroundMethodBody for endless methods. (@dvandersluis)
  • #13817: Fix false positive for format specifier with non-numeric precision. (@dvandersluis)
  • #12672: Fix false positives for Lint/FormatParameterMismatch when the width value is interpolated. (@dvandersluis)
  • #12795: Fix Layout/BlockAlignment for blocks that are the body of an endless method. (@dvandersluis)
  • #13822: Fix undefined method Logger when processing watched file notifications. (@vinistock)
  • #13805: Make the language_server-protocol dependency version stricter. (@koic)

1.71.2

Bug fixes

  • #13782: Fix an error for Layout/ElseAlignment when else is part of a numblock. (@earlopain)
  • #13395: Fix a false positive for Lint/UselessAssignment when assigning in branch and block. (@pCosta99)
  • #13783: Fix a false positive for Lint/Void when an each numblock with conditional expressions has multiple statements. (@earlopain)
  • #13787: Fix incorrect autocorrect for Style/ExplicitBlockArgument when using arguments of zsuper in method definition. (@koic)
  • #13785: Fix Style/EachWithObject cop error in case of single block argument. (@viralpraxis)
  • #13781: Fix a false positive for Lint/UnmodifiedReduceAccumulator when omitting the accumulator in a nested numblock. (@earlopain)

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ concurrent-ruby (indirect, 1.3.4 → 1.3.5) · Repo · Changelog

Release Notes

1.3.5

What's Changed

New Contributors

Full Changelog: v1.3.4...v1.3.5

Commits

See the full diff on Github. The new version differs by 6 commits:

↗️ i18n (indirect, 1.14.6 → 1.14.7) · Repo · Changelog

Release Notes

1.14.7

What's Changed

  • Ruby 3.4 Hash#inspect compatibility. by @voxik in #709
  • Removed (annoying) post-install message that was triggering on all Rubies, rather than the specified versions.

Full Changelog: v1.14.6...v1.14.7

Commits

See the full diff on Github. The new version differs by 8 commits:

↗️ json (indirect, 2.9.1 → 2.10.1) · Repo · Changelog

Release Notes

2.10.1 (from changelog)

  • Fix a compatibility issue with MultiJson.dump(obj, pretty: true): no implicit conversion of false into Proc (TypeError).

2.10.0

What's Changed

  • strict: true now accepts symbols as values. Previously they'd only be accepted as hash keys.
  • The C extension Parser has been entirely reimplemented from scratch.
  • Introduced JSON::Coder as a new API that allows customizing how non-native types are serialized in a non-global way.
  • Introduced JSON::Fragment to allow assembling cached fragments in a safe way.
  • The Java implementation of the generator received many optimizations.

Full Changelog: v2.9.1...v2.10.0

Commits

See the full diff on Github. The new version differs by 61 commits:

↗️ parser (indirect, 3.3.7.0 → 3.3.7.1) · Repo · Changelog

Release Notes

3.3.7.1 (from changelog)

API modifications:

  • parser/current: add -dev prefix to 3.4 branch (#1067) (Ilya Bylich)
  • parser/current: bump 3.2 branch to 3.2.7 (#1066) (Ilya Bylich)

Commits

See the full diff on Github. The new version differs by 5 commits:

↗️ rack (indirect, 2.2.10 → 2.2.11) · Repo · Changelog

Security Advisories 🚨

🚨 Possible Log Injection in Rack::CommonLogger

Summary

Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs.

Details

When a user provides authorization credentials via Rack::Auth::Basic and authentication succeeds, the username is put in env['REMOTE_USER'] and later used by Rack::CommonLogger for logging purposes.

The issue occurs when a server intentionally or unintentionally allows user creation with a username containing CRLF and whitespace characters, or when the server simply wants to log every login attempt. If an attacker enters a username with CRLF characters, the logger will write the malicious username, CRLF characters included, into the logfile.

Impact

Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files.

Mitigation

  • Update to the latest version of Rack.

Commits

See the full diff on Github. The new version differs by 2 commits:

🆕 lint_roller (added, 1.1.0)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu cancel merge: Cancels automatic merging of this PR
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)

depfu bot added the labels dependencies (Pull requests that update a dependency file) and Technical Debt on Feb 18, 2025

depfu bot commented Feb 25, 2025

Closed in favor of #564.

@depfu depfu bot closed this Feb 25, 2025
@depfu depfu bot deleted the depfu/update/rubocop-rails-2.30.1 branch February 25, 2025 19:56