Skip to content

Bump brakeman from 4.10.1 to 5.2.0#174

Closed
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/bundler/brakeman-5.2.0
Closed

Bump brakeman from 4.10.1 to 5.2.0#174
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/bundler/brakeman-5.2.0

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Dec 20, 2021

Bumps brakeman from 4.10.1 to 5.2.0.

Release notes

Sourced from brakeman's releases.

5.2.0

  • Initial Rails 7 support (#1653)
  • Require Ruby 2.5.0+ (#1649)
  • Fix issue with calls to foo.root in routes (#1640)
  • Ignore I18n.locale in SQL queries (#1597)
  • Do not treat sanitize_sql_like as safe
  • Add new checks for unsupported Ruby and Rails version
  • Bundled version of ruby_parser updated to 3.18.1

5.1.2

  • Updated ruby_parser (Ryan Davis)
  • Fix issue where the previous output is still visible (Jason Frey)
  • Handle cases where enums are not symbols (#1627)
  • Support newer Haml with ::Haml::AttributeBuilder.build
  • Fix sorting with nil line numbers

5.1.1

  • Unrefactor IgnoreConfig's use of Brakeman::FilePath

(Fixes bugs with -I and also relative paths for -i.)

5.1.0

  • Report Formats
  • Performance
    • Read and parse files in parallel
  • Ruby Interpretation
    • Initial support for ActiveRecord enums (#1492)
    • Interprocedural dataflow from very simple class methods
    • Support Array#fetch and Hash#fetch (#1571)
    • Support Array#push
    • Support Array#*
    • Better Array#join support
    • Support Hash#values and Hash#values_at
    • Support Hash#include?
  • SQL Injection
    • Update SQL injection check for Rails 6.0/6.1
    • Add --sql-safe-methods option (Esty Scheiner)
    • Ignore dates in SQL
    • Ignore sanitize_sql_like in SQL (#1571)
    • Ignore method calls on numbers in SQL (#1571)
  • Other Fixes
    • Ignore renderables in dynamic render path check (Brad Parker)
    • Fix false positive in command injection with Open3.capture (Richard Fitzgerald)
    • Fix infinite loop on mixin self-includes (Andrew Szczepanski)
    • Check for user-controlled evaluation even if it's a call target (#1590)
  • Refactoring

... (truncated)

Changelog

Sourced from brakeman's changelog.

5.2.0 - 2021-12-15

  • Initial Rails 7 support
  • Require Ruby 2.5.0+
  • Fix issue with calls to foo.root in routes
  • Ignore I18n.locale in SQL queries
  • Do not treat sanitize_sql_like as safe
  • Add new checks for unsupported Ruby and Rails versions

5.1.2 - 2021-10-28

  • Handle cases where enums are not symbols
  • Support newer Haml with ::Haml::AttributeBuilder.build
  • Fix issue where the previous output is still visible (Jason Frey)
  • Fix warning sorting with nil line numbers
  • Update for latest RubyParser (Ryan Davis)

5.1.1 - 2021-07-19

  • Unrefactor IgnoreConfig's use of Brakeman::FilePath

5.1.0 - 2021-07-19

  • Initial support for ActiveRecord enums
  • Support Hash#include?
  • Interprocedural dataflow from very simple class methods
  • Fix SARIF report when checks have no description (Eli Block)
  • Add ignored warnings to SARIF report (Eli Block)
  • Add --sql-safe-methods option (Esty Scheiner)
  • Update SQL injection check for Rails 6.0/6.1
  • Fix false positive in command injection with Open3.capture (Richard Fitzgerald)
  • Fix infinite loop on mixin self-includes (Andrew Szczepanski)
  • Ignore dates in SQL
  • Refactor cookie?/param? methods (Keenan Brock)
  • Ignore renderables in dynamic render path check (Brad Parker)
  • Support Array#push
  • Better Array#join support
  • Adjust copy of --interactive menu (Elia Schito)
  • Support Array#*
  • Better method definition tracking and lookup
  • Support Hash#values and Hash#values_at
  • Check for user-controlled evaluation even if it's a call target
  • Support Array#fetch and Hash#fetch
  • Ignore sanitize_sql_like in SQL
  • Ignore method calls on numbers in SQL
  • Add GitHub Actions format (Klaus Badelt)
  • Read and parse files in parallel

5.0.4 - 2021-06-08

... (truncated)

Commits
  • 8ccf86b Bump to 5.2.0
  • 264a744 Fix up tests from merges
  • 616a648 Add check for unsupported Rails/Ruby (#1660)
  • 413fd4b Merge pull request #1657 from presidentbeef/unignore_sanitize_sql_like
  • ae2c2b9 Merge pull request #1659 from presidentbeef/bump_ruby_version
  • 440ff75 Merge pull request #1658 from presidentbeef/ignore_locale_in_sql
  • c2abcbc Do not treat sanitize_sql_like as safe
  • e3981c1 Ignore I18N.locale in SQL
  • e05a6e8 Merge pull request #1655 from presidentbeef/root_in_routes
  • 743eebd Calls to root in routes might not be root to:...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump brakeman from 4.10.1 to 5.2.0
550eea8 
Bumps [brakeman](https://github.com/presidentbeef/brakeman) from 4.10.1 to 5.2.0.
- [Release notes](https://github.com/presidentbeef/brakeman/releases)
- [Changelog](https://github.com/presidentbeef/brakeman/blob/main/CHANGES.md)
- [Commits](presidentbeef/brakeman@v4.10.1...v5.2.0)

---
updated-dependencies:
- dependency-name: brakeman
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot mentioned this pull request Dec 20, 2021
Closed
@dependabot @github
Copy link
Author

dependabot bot commented on behalf of github Feb 2, 2022

Superseded by #190.

@dependabot dependabot bot closed this Feb 2, 2022
@dependabot dependabot bot deleted the dependabot/bundler/brakeman-5.2.0 branch February 2, 2022 04:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants