🚨 [security] Update rubocop-rails 2.28.0 → 2.30.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rubocop-rails (2.28.0 → 2.30.0) · Repo · Changelog

Release Notes

2.30.0

New features

• #1434: Pluginfy RuboCop Rails. (@koic)

Bug fixes

• #1071: Fix Rails/FilePath cop to correctly handle File.join with variables and ignore leading and multiple slashes in string literal arguments for Rails.root.join and File.join. (@ydakuka)
• #912: Enhance Rails/Delegate by adding delegation detection for self.class, constants, class variables, global variables, and instance variables. (@ydakuka)

2.29.1

Bug fixes

• #1423: Fix an error for Rails/StrongParametersExpect when using permit with no arguments. (@koic)
• #1417: Fix an incorrect autocorrect for Rails/StrongParametersExpect when using a leading dot multiline call to require with permit. (@koic)
• #1356: Enhance Rails/DuplicateAssociation to handle alias. (@ydakuka)
• #1389: Handle TypeError caused by passing array literals as arguments to File methods in Rails/FilePath cop. (@ydakuka)
• #1389: Handle TypeError caused by passing array literals as arguments to File methods in Rails/RootPathnameMethods cop. (@ydakuka)
• #1228: Enhance Rails/SaveBang to properly handle instance variables. (@ydakuka)

2.29.0

New features

• #1407: Add new Rails/MultipleRoutePaths cop. (@koic)
• #1358: Add new Rails/StrongParametersExpect cop. (@koic)

Bug fixes

• #1409: Fix an error for Rails/ReversibleMigration when calling drop_table without any arguments. (@earlopain)
• #1397: Fix an incorrect autocorrect for Rails/TimeZone when Time.new has a string argument. (@mterada1228)
• #1406: Fix autocorrection for Rails/IndexBy and Rails/IndexWith when map { ... }.to_h is enclosed in another block. (@franzliedke, @eugeneius)
• #1404: Update Rails/IndexBy and Rails/IndexWith to support numbered block parameters. (@eugeneius)
• #1405: Fix autocorrection for Rails/IndexWith when the value is a hash literal without braces. (@koic, @eugeneius)
• #1414: Fix Rails/HttpPositionalArguments cop false positives with arguments forwarding. (@viralpraxis)

Changes

• #1410: Make registered cops aware of AllCops: MigratedSchemaVersion. (@koic)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 75 commits:

• Cut 2.30.0
• Update Changelog
• Use RuboCop Performance 1.24 for development
• Merge pull request #1434 from koic/pluginfy_with_lint_roller
• Pluginfy RuboCop Rails
• Merge pull request #1441 from koic/fix_an_error_for_rails_delegate_cop
• Fix an error for `Rails/Delegate`
• Merge pull request #1438 from ydakuka/912-add-more-delegation-targets-to-rails-delegate
• Suppress RuboCop's offense
• [Fix rubocop#912] Enhance `Rails/Delegate` by adding delegation detection for `self.class`, constants, instance variables, and class variables
• Merge pull request #1433 from ydakuka/1071-fix-an-error-occurring-in-the-rails-file-path-cop-when-file-join-is-used-with-a-variable
• [Fix rubocop#1071] Fix `Rails/FilePath` cop to correctly handle `File.join` with variables and ignore leading and multiple slashes in string literal arguments for `Rails.root.join` and `File.join`
• Suppress redundant configuration logging for rubocop-rails
• Avoid unnecessary `send`
• Suppress RuboCop's offenses
• Add `shared_context` for Rails 8.1
• Merge pull request #1432 from dvandersluis/use-node-groups
• Use node groups in node patterns to replace unions of types
• Use `Node#any_block_type?`
• Fix a build error
• Remove a redundant config in spec_helper.rb
• Switch back docs version to master
• Cut 2.29.1
• Update Changelog
• Apply `bundle exec rubocop --regenerate-todo`
• Merge pull request #1419 from ydakuka/fix/enhance-rails-duplicate-association-to-handle-alias
• [Fix rubocop#1356] Enhance Rails/DuplicateAssociation to handle alias
• Merge pull request #1415 from ydakuka/fix/typeerror_in_the_file_path_cop
• [Fix rubocop#1389] Handle TypeError caused by an array in Rails/FilePath cop
• Merge pull request #1424 from koic/fix_an_error_for_rails_strong_parameters_expect
• Merge pull request #1416 from ydakuka/fix/typeerror_in_the_root_pathname_methods_cop
• [Fix #1423] Fix an error for `Rails/StrongParametersExpect`
• [Fix rubocop#1389] Handle TypeError caused by an array in Rails/RootPathname cop
• Merge pull request #1421 from ydakuka/fix/enhance-rails-save-bang-to-properly-handle-instance-variables
• [Fix rubocop#1228] Enhance Rails/SaveBang to properly handle instance variables
• Merge pull request #1420 from koic/fix_an_incorrect_autocorrect_for_rails_strong_parameters_expect
• [Fix #1417] Fix an incorrect autocorrect for `Rails/StrongParametersExpect`
• Switch back docs version to master
• Cut 2.29.0
• Update Changelog
• Merge pull request #1414 from viralpraxis/fix-rails-http-positional-arguments-cop-false-positives-on-forwarded-args
• Merge pull request #1412 from koic/add_new_rails_strong_parameters_expect_cop
• Merge pull request #1411 from koic/make_registered_cops_aware_of_all_cops_migrated_schema_version
• Fix `Rails/HttpPositionalArguments` cop false positives with arguments forwarding
• Add new `Rails/StrongParametersExpect` cop
• Add missing `Include` paths for `Rails/MultipleRoutePaths`
• [Fix #1410] Make registered cops aware of `AllCops: MigratedSchemaVersion`
• Merge pull request #1407 from koic/add_new_rails_multiple_route_paths_cop
• Merge pull request #1409 from Earlopain/reversible-migration-error
• Fix an error for `Rails/ReversibleMigration` when calling `drop_table` without any arguments
• Remove a useless constant
• Add new `Rails/MultipleRoutePaths` cop
• Merge pull request #1406 from eugeneius/index_by_index_with_enclosing_block
• Merge pull request #1405 from eugeneius/index_with_hash_literal_without_braces
• Fix autocorrection for `Rails/IndexBy` and `Rails/IndexWith` when `map { ... }.to_h` is enclosed in another block
• Fix autocorrection for `Rails/IndexWith` when the value is a hash literal without braces
• Remove a useless gem file
• Merge pull request #1404 from eugeneius/index_by_index_with_numblock
• Use RuboCop RSpec 3.3 for development
• Bump license years to 2025
• Update `Rails/IndexBy` and `Rails/IndexWith` to support numbered block parameters
• Merge pull request #1403 from koic/ci_against_ruby_34
• CI against Ruby 3.4
• Merge pull request #1402 from Earlopain/ci-sync
• Merge pull request #1397 from mterada1228/fix-rails-timezone
• Fix an incorrect autocorrect for `Rails/TimeZone` when Time.new has a string argument
• Various other small workflow changes from rubocop
• Add options to the actions-codespell configuration to check hidden files and file name
• Improve the configuration options of the yamllint-github-action
• CI: Move internal_investigation to linting.yml
• CI: Consistent naming of steps
• Add GitHub token permissions for workflows
• Suppress RuboCop offenses
• Fix a typo
• Switch back docs version to master

✳️ rubocop (1.71.1 → 1.72.2) · Repo · Changelog

Release Notes

1.72.2

Bug fixes

• #13853: Fix exclusion of relative paths in plugin's AllCops: Exclude as expected. (@koic)
• #13844: Fix an error for Style/RedundantFormat when a template argument is used without keyword arguments. (@koic)
• #13857: Fix an error for Style/RedundantFormat when numeric placeholders is used in the template argument. (@koic)
• #13861: Fix ArgumentError related to two deprecated AllowedPattern APIs. (@koic)
• #13849: Fix an error for Lint/UselessConstantScoping when multiple assigning to constants after private access modifier. (@koic)
• #13856: Fix false positives for Lint/UselessConstantScoping when a constant is used after private access modifier with arguments. (@koic)

Changes

• #13846: Mark Style/RedundantFormat as unsafe autocorrect. (@koic)

1.72.1

Bug fixes

• #13836: Fix an error for Style/RedundantParentheses when a different expression appears before a range literal. (@koic)
• #13839: Fix false positives for Lint/RedundantTypeConversion when passing block arguments when generating a Hash or a Set. (@koic)

Changes

• #13839: Extension plugin is loaded automatically with require 'rubocop/rspec/support'. (@koic)

1.72.0

New features

• #13740: Add new Lint/CopDirectiveSyntax cop. (@kyanagi)
• #13800: Add new Lint/SuppressedExceptionInNumberConversion cop. (@koic)
• #13702: Add new Lint/RedundantTypeConversion cop. (@dvandersluis)
• #13831: Add new Lint/UselessConstantScoping cop. (@koic)
• #13793: Add new Style/RedundantFormat cop to check for uses of format or sprintf with only a single string argument. (@dvandersluis)
• #13581: Add new InternalAffairs/LocationExists cop to check for code that can be replaced with Node#loc? or Node#loc_is?. (@dvandersluis)
• #13661: Make server mode detect local paths in .rubocop.yml under inherit_from and require for automatically restart. (@koic)
• #13721: Naming/PredicateName: Optionally use Sorbet to detect predicate methods. (@issyl0)
• #6012: Support RuboCop extension plugin. (@koic)

Bug fixes

• #13807: Fix false negatives for Style/RedundantParentheses when chaining [] method calls. (@koic)
• #13788: Fix false negatives for Style/RedundantParentheses when [] method is called with variable or constant receivers. (@koic)
• #13811: Fix false negatives for Style/RedundantParentheses when handling range literals with redundant parentheses. (@koic)
• #13796: Fix crash in Layout/EmptyLinesAroundMethodBody for endless methods. (@dvandersluis)
• #13817: Fix false positive for format specifier with non-numeric precision. (@dvandersluis)
• #12672: Fix false positives for Lint/FormatParameterMismatch when the width value is interpolated. (@dvandersluis)
• #12795: Fix Layout/BlockAlignment for blocks that are the body of an endless method. (@dvandersluis)
• #13822: Fix undefined method Logger when processing watched file notifications. (@vinistock)
• #13805: Make the language_server-protocol dependency version stricter. (@koic)

1.71.2

Bug fixes

• #13782: Fix an error Layout/ElseAlignment when else is part of a numblock. (@earlopain)
• #13395: Fix a false positive for Lint/UselessAssignment when assigning in branch and block. (@pCosta99)
• #13783: Fix a false positive for Lint/Void when each numblock with conditional expressions that has multiple statements. (@earlopain)
• #13787: Fix incorrect autocorrect for Style/ExplicitBlockArgument when using arguments of zsuper in method definition. (@koic)
• #13785: Fix Style/EachWithObject cop error in case of single block argument. (@viralpraxis)
• #13781: Fix a false positive for Lint/UnmodifiedReduceAccumulator when omitting the accumulator in a nested numblock. (@earlopain)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ concurrent-ruby (indirect, 1.3.4 → 1.3.5) · Repo · Changelog

Release Notes

1.3.5

What's Changed

• Remove dependency on logger by @eregon in #1062
• Avoid error when member is present on ancestor class by @francesmcmullin in #1068
• Set rake-compiler source and target to Java 8 by @headius in #1071
• chore: fix typos by @chenrui333 in #1076

New Contributors

• @francesmcmullin made their first contribution in #1068
• @chenrui333 made their first contribution in #1076

Full Changelog: v1.3.4...v1.3.5

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 6 commits:

• Release concurrent-ruby 1.3.5 and concurrent-ruby-edge 0.7.2
• chore: fix typos (#1076)
• Set rake-compiler source and target to Java 8 (#1071)
• Improve ancestor classes spec
• Avoid error when member is present on ancestor class
• Remove dependency on logger

↗️ i18n (indirect, 1.14.6 → 1.14.7) · Repo · Changelog

Release Notes

1.14.7

What's Changed

• Ruby 3.4 Hash#inspect compatibility. by @voxik in #709
• Removed (annoying) post-install message that was triggering on all Rubies, rather than the specified versions.

Full Changelog: v1.14.6...v1.14.7

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 8 commits:

• Bump to 1.14.7
• remove post-install message
• Merge pull request #709 from voxik/ruby-3.4
• Add Rails 7.2 and 8.0 into test matrix.
• Adjust the test matrix for Rails 8.1
• Add `base64` / `mutex_m` dependencies for Rails 6.1
• Ruby 3.4 `Hash#inspect` compatibility.
• Add 'ruby-head' to test matrix

↗️ json (indirect, 2.9.1 → 2.10.1) · Repo · Changelog

Release Notes

2.10.1 (from changelog)

• Fix a compatibility issue with MultiJson.dump(obj, pretty: true): no implicit conversion of false into Proc (TypeError).

2.10.0

What's Changed

• strict: true now accept symbols as values. Previously they'd only be accepted as hash keys.
• The C extension Parser has been entirely reimplemented from scratch.
• Introduced JSON::Coder as a new API allowing to customize how non native types are serialized in a non-global way.
• Introduced JSON::Fragment to allow assembling cached fragments in a safe way.
• The Java implementation of the generator received many optimizations.

Full Changelog: v2.9.1...v2.10.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 61 commits:

• Release 2.10.1
• Merge pull request #749 from byroot/fix-state-roundtrip
• Fix a compatibility issue with `MultiJson.dump(obj, pretty: true)`
• Update changelog
• Release 2.10.0
• Apply recent C optimizations to Java encoder (#725)
• Skip installing ragel on CI
• Merge pull request #745 from etiennebarrie/optimize-symbol-generation
• Merge pull request #746 from etiennebarrie/fix-json-coder-NaN-Infinity
• Optimize Symbol generation in strict mode
• Fix JSON::Coder to call as_json proc for NaN and Infinity
• Merge pull request #744 from eregon/optimize-utf8_to_json
• Optimize and cleanup #utf8_to_json
• Refactor further to expose the simpler escape search possible
• Merge pull request #742 from byroot/refactor-convert-utf8
• Refactor convert_UTF8_to_JSON to split searching and escaping code
• Merge pull request #741 from nobu/ctype-plain-char
• Avoid plain char for ctype macros
• Merge pull request #740 from Edouard-chin/ec-minor-fixed
• Few doc tweaks:
• Make benchmarks JRuby compatible
• Update changelog
• Merge pull request #718 from etiennebarrie/json-coder
• Allow JSON::Fragment to be used even in strict mode
• Introduce JSON::Coder
• Update gemspec URIs
• Add some JSON::Fragment documentation
• Merge pull request #735 from tompng/fix_invalid_number
• Reject invalid number: `-` `-.1` `-e0`
• Merge pull request #734 from tompng/error_on_invalid_comments
• Merge pull request #733 from tompng/unicode_escape_fix
• Raise parse error on invalid comments
• Fix parsing incomplete unicode escape "\uaaa"
• Fix JSON::Fragment#to_json signature
• Merge pull request #732 from etiennebarrie/fragment
• Introduce JSON::Fragment
• Fix a regression in the parser with leading /
• Merge pull request #731 from byroot/arm64-ci
• Test on aarch64 Ubuntu
• json_string_unescape: use memchr to search for backslashes
• Cleanup json_decode_float
• parser.c: Pass the JSON_ParserConfig pointer
• Use RSTRING_END
• Replace fbuffer by stack buffers or RB_ALLOCV in parser.c
• Implement write barriers for ParserConfig objects
• Cleanup c ext Rakefile
• Merge pull request #729 from byroot/handrolled
• Finalize Kevin's handrolled parser.
• Initial handrolled parser
• Refactor JSONFixturesTest
• Removed unnecessary sections
• Fix a method redefinition warning in C parser
• Merge pull request #728 from byroot/refactor-parser
• Refactor JSON::Ext::Parser to split configuration and parsing state
• Merge pull request #727 from etiennebarrie/remove-State-_generate
• Remove Generator::State#_generate
• Merge pull request #726 from ruby/support-bundled-gems
• Refactor to omit JSON::GenericObject tests
• Require "date"
• Merge pull request #724 from byroot/lookup-3
• Improve lookup tables for string escaping.

↗️ parser (indirect, 3.3.7.0 → 3.3.7.1) · Repo · Changelog

Release Notes

3.3.7.1 (from changelog)

API modifications:

• parser/current: add -dev prefix to 3.4 branch (#1067) (Ilya Bylich)
• parser/current: bump 3.2 branch to 3.2.7 (#1066) (Ilya Bylich)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 5 commits:

• Update changelog.
• Bump version.
• * parser/current: add -dev prefix to 3.4 branch (#1067)
• * parser/current: bump 3.2 branch to 3.2.7 (#1066)
• Update changelog.

↗️ rack (indirect, 2.2.10 → 2.2.11) · Repo · Changelog

Security Advisories 🚨

🚨 Possible Log Injection in Rack::CommonLogger

Summary

Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs.

Details

When a user provides the authorization credentials via Rack::Auth::Basic, if success, the username will be put in env['REMOTE_USER'] and later be used by Rack::CommonLogger for logging purposes.

The issue occurs when a server intentionally or unintentionally allows a user creation with the username contain CRLF and white space characters, or the server just want to log every login attempts. If an attacker enters a username with CRLF character, the logger will log the malicious username with CRLF characters into the logfile.

Impact

Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files.

Mitigation

• Update to the latest version of Rack.

Commits

See the full diff on Github. The new version differs by 2 commits:

• Bump patch version.
• Escape non-printable characters when logging.

🆕 lint_roller (added, 1.1.0)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #735.