[Security] Bump brakeman from 4.7.0 to 4.7.1

[dependabot-preview]

Bumps brakeman from 4.7.0 to 4.7.1. This update includes a security fix.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

brakeman world writable files allow local privilege escalation
The ruby_parser-legacy (aka legacy) gem 1.0.0 for Ruby allows local
privilege escalation because of world-writable files. For example,
if the brakeman gem (which has a legacy dependency) 4.5.0 through 4.7.0 is used,
a local user can insert malicious code into the
ruby_parser-legacy-1.0.0/lib/ruby_parser/legacy/ruby_parser.rb file.

Patched versions: >= 4.7.1
Unaffected versions: <= 4.4.0

Release notes

Sourced from brakeman's releases.

4.7.1

• Sort text report by file and line (Jacob Evelyn)
• Catch reverse tabnabbing with :_blank symbol (Jacob Evelyn)
• Convert s(:lambda) to s(:call) in Sexp#block_call (#1410)
• Check string length against limit before joining
• Fix flaky rails4 test (Adam Kiczula)
• Fix errors from frozen Symbol#to_s in Ruby 2.7
• Add release dates to each version in CHANGES (TheSpartan1980)

Changelog

Sourced from brakeman's changelog.

4.7.1 - 2019-10-29

• Check string length against limit before joining
• Fix errors from frozen Symbol#to_s in Ruby 2.7
• Fix flaky rails4 test (Adam Kiczula)
• Added release dates to each version in CHANGES (TheSpartan1980)
• Catch reverse tabnabbing with :_blank symbol (Jacob Evelyn)
• Convert s(:lambda) to s(:call) in Sexp#block_call
• Sort text report by file and line (Jacob Evelyn)

Commits

• b2efd59 Bump to 4.7.1
• 46fcb34 Update CHANGES
• 23232f6 Merge pull request #1421 from presidentbeef/check_string_length_first
• 3f24340 Merge pull request #1420 from presidentbeef/symbol_to_s_2_7_0
• 23c017a Symbol#to_s returns frozen string in Ruby 2.7.0
• 25fad31 Merge pull request #1419 from adamkiczula/fix_flaky_test
• bfc6471 Fix flaky rails4 test
• 1cf56ca Merge pull request #1418 from TheSpartan1980/release-dates
• e0d1ff7 Update CHANGES.md
• da1cd50 Merge pull request #1411 from JacobEvelyn/master
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[coveralls]

Coverage remained the same at 96.998% when pulling 54fe25a on dependabot/bundler/brakeman-4.7.1 into f9c7c66 on develop.