🚨 [security] Update rubocop 1.62.1 → 1.64.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rubocop (1.62.1 → 1.64.0) · Repo · Changelog

Release Notes

1.64.0

New features

• #12904: Add new either_consistent SupportedShorthandSyntax to Style/HashSyntax. (@pawelma)
• #12842: Add new Style/SendWithLiteralMethodName cop. (@koic)
• #12309: Add new Style/SuperArguments cop. (@earlopain)
• #12917: Suggest correct formatter name for --format command line option. (@koic)
• #12242: Support AllowModifiersOnAttrs option for Style/AccessModifierDeclarations. (@krororo)
• #11585: Support AllowedMethods for Style/DocumentationMethod. (@koic)

Bug fixes

• #7189: Fix a false positive for Style/Copyright when using multiline copyright notice. (@koic)
• #12914: Fix a false negative for Layout/EmptyComment when using an empty comment next to code after comment line. (@koic)
• #12919: Fix false negatives for Style/ArgumentsForwarding when forward target is super. (@koic)
• #12923: Fix false negatives for Style/ArgumentsForwarding when forward target is safe navigation method. (@koic)
• #12894: Fix false positives for Style/MapIntoArray when using each without receiver with << to build an array. (@koic)
• #12876: Fix an error for the lockfile parser if a gemfile exists but a lockfile doesn't. (@earlopain)
• #12888: Fix --no-exclude-limit generating a todo with Max config instead of listing everything out with Exclude. (@earlopain)
• #12898: Fix an error for TargetRailsVersion when parsing from the lockfile with prerelease rails. (@earlopain)

Changes

• #12908: Add rubocop-rspec back to suggested extensions when rspec-rails is in use. (@pirj)
• #12884: Align output from cop.documentation_url with --show-docs-url when passing a config as argument. (@earlopain)
• #12890: Support ActiveSupportExtensionsEnabled for Style/SymbolProc. (@koic)
• #12897: Respect user's intentions with workspace/executeCommand LSP method. (@koic)

1.63.5

Bug fixes

• #12877: Fix an infinite loop error for Layout/FirstArgumentIndentation when specifying EnforcedStyle: with_fixed_indentation of Layout/ArrayAlignment. (@koic)
• #12873: Fix an error for Metrics/BlockLength when the CountAsOne config is invalid. (@koic)
• #12881: Fix incorrect autocorrect when Style/NumericPredicate is used with negations. (@fatkodima)
• #12882: Fix Layout/CommentIndentation for comment-only pattern matching. (@nekketsuuu)

1.63.4

Bug fixes

• #12871: Fix an error for rubocop -V when .rubocop.yml contains ERB. (@earlopain)
• #12862: Fix a false positive for Style/RedundantLineContinuation when line continuations involve return with a return value. (@koic)
• #12664: Fix handling of textDocument/diagnostic. (@muxcmux)
• #12865: Fix Rails Cops, which weren't reporting any violations unless running with bundle exec. (@amomchilov)

1.63.3

Bug fixes

• #12857: Fix false negatives for Lint/UnreachableCode when using pattern matching. (@koic)
• #12852: Fix an error for Lint/EmptyFile in formatters when using cache. (@earlopain)
• #12848: Fix an error that occurs in RuboCop::Lockfile when the constant Bundler is uninitialized. (@koic)

Changes

• #12855: Set custom program name for the built-in LSP server. (@koic)

1.63.2

Bug fixes

• #12843: Fix an error for Lint/MixedCaseRange when a character between Z and a is used in the regexp range. (@koic)
• #12846: Fix an error for RuboCop::Lockfile when there is no Bundler environment. (@koic)
• #12832: Fix an error for Style/ArgumentsForwarding when using block arg in nested method definitions. (@koic)
• #12841: Fix false negatives for Lint/UnreachableLoop when using pattern matching. (@koic)
• #12835: Allow global offenses to be disabled by directive comments. (@earlopain)

Changes

• #12845: Exclude debug/open_nonstop from Lint/Debugger by default. (@koic)

1.63.1

Bug fixes

• #12828: Fix a false positive for Lint/AssignmentInCondition if assigning inside a method call. (@earlopain)
• #12823: Fixed "uninitialized constant RuboCop::Lockfile::Bundler", caused when running RuboCop without bundler exec on codebases that use rubocop-rails. (@amomchilov)

1.63.0

New features

• #11878: Add new Style/MapIntoArray cop. (@ymap)
• #12186: Add new requires_gem API for declaring which gems a Cop needs. (@amomchilov)

Bug fixes

• #12769: Fix a false positive for Lint/RedundantWithIndex when calling with_index with receiver and a block. (@koic)
• #12547: Added a comment recommending upgrading to the latest version of Rubocop in the error text when an Infinite loop detected error occurs. (@Hiroto-Iizuka)
• #12782: Fix an error for Style/Alias with EnforcedStyle: prefer_alias when calling alias_method with fewer than 2 arguments. (@earlopain)
• #12781: Fix an error for Style/ExactRegexpMatch when calling match without a receiver. (@earlopain)
• #12780: Fix an error for Style/RedundantEach when using reverse_each.each without a block. (@earlopain)
• #12731: Treat &. the same way as . for setter methods in Lint/AssignmentInCondition. (@jonas054)
• #12793: Fix false positives for Style/RedundantLineContinuation when using line continuation with modifier. (@koic)
• #12807: Fix false positives for Naming/BlockForwarding when using explicit block forwarding in block method and others. (@koic)
• #12796: Fix false positives for Style/EvalWithLocation when using eval with a line number from a method call or a variable. (@koic)
• #12794: Fix false positives for Style/RedundantArgument when when single-quoted strings for cntrl character. (@koic)
• #12797: Fix false positives for Style/RedundantLineContinuation when using line continuations with && or || operator in assignment. (@koic)
• #12793: Fix false positives for Style/RedundantLineContinuation when multi-line continuations with operators. (@koic)
• #12801: Fix incorrect autocorrect for Style/CollectionCompact when using delete_if. (@koic)
• #12789: Make Style/RedundantPercentQ safe on multiline strings. (@boardfish)
• #12802: Return global offenses for Naming/FileName and Naming/InclusiveLanguage for empty files. (@earlopain)
• #12804: Return global offenses for Style/Copyright when the file is empty. (@earlopain)

Changes

• #12813: Add rubocop-rspec_rails to suggested extensions and extension doc. (@ydah)
• #12820: Add support more Capybara debugger entry points for Lint/Debugger. (@ydah)
• #12676: Adjust offending range in LSP. (@koic)
• #12815: Ignore Rakefile.rb in Naming/FileName in the default config. (@artur-intech)
• #12800: Handle empty obsoletion config. (@sambostock)
• #12721: Make Lint/Debugger aware of ruby/debug requires. (@earlopain)
• #12817: Make rubocop -V display rubocop-rspec_rails version when using it. (@ydah)
• #12180: Replace regex with Bundler::LockfileParser. (@amomchilov)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ json (indirect, 2.7.1 → 2.7.2) · Repo · Changelog

Release Notes

2.7.2

What's Changed

• Use rb_sym2str instead of SYM2ID by @jhawthorn in #561
• Fix memory leak when exception is raised during JSON generation by @peterzhu2118 in #574
• Remove references to "19" methods in JRuby by @headius in #576
• Make OpenStruct support as optional by @hsbt in #565
• Autoload JSON::GenericObject to avoid require ostruct warning in Ruby 3.4 by @tompng in #577
• Warn to install ostruct if json couldn't load it by @hsbt in #578

New Contributors

• @mperham made their first contribution in #571
• @peterzhu2118 made their first contribution in #574

Full Changelog: v2.7.1...v2.7.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 21 commits:

• Bump up 2.7.2
• Merge pull request #578 from flori/warn-bundled-gems
• Warn to install ostruct if json couldn't load it
• Merge pull request #577 from tompng/autoload_generic_object
• Merge pull request #576 from headius/no_19_jruby_methods
• Autoload GenericObject to avoid require ostruct warning in Ruby 3.4
• Remove references to "19" methods in JRuby
• Merge pull request #575 from flori/refine-ci
• Exclude 2.3-2.5 on macos-14 iamge
• Added JRuby 9.4
• TruffleRuby 24 is broken
• Added latest stable versions of macOS
• macOS 11 is EOL today
• Merge pull request #574 from peterzhu2118/generator-mem-leak
• Fix memory leak when exception is raised during JSON generation
• Merge pull request #571 from mperham/patch-1
• Update README.md
• Merge pull request #565 from flori/optional-ostruct
• Make OpenStruct support as optional
• Merge pull request #561 from jhawthorn/rb_sym2str
• Use rb_sym2str instead of SYM2ID

↗️ parser (indirect, 3.3.0.5 → 3.3.1.0) · Repo · Changelog

Release Notes

3.3.1.0 (from changelog)

API modifications:

• Bump parser branches to 3.0.7, 3.1.5, 3.2.4, 3.3.1 (#1011) (Ilya Bylich)
• Use require_relative in the Parser codebase (#1003) (Koichi ITO)

Features implemented:

• ruby{33,34}.y: allow blocks inherit anonymous args. (#1010) (Ilya Bylich)
• Raise a more specific error when encountering an unknown magic comment encoding (#999) (Earlopain)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

• Update changelog.
• Bump version.
• * Bump parser branches to 3.0.7, 3.1.5, 3.2.4, 3.3.1 (#1011)
• + ruby{33,34}.y: allow blocks inherit anonymous args. (#1010)
• `action.rb` doc fixes (#1008)
• * Use `require_relative` in the Parser codebase (#1003)
• Use `AST::Processor::Mixin` instead of deprecated `AST::Processor` (#1000)
• + Raise a more specific error when encountering an unknown magic comment encoding (#999)
• Update changelog.

↗️ racc (indirect, 1.7.3 → 1.8.0) · Repo · Changelog

Release Notes

1.8.0

What's Changed

• Generate jar to build gem by @nobu in #255
• Fix trivial typos by @ydah in #257
• Try to fix test failure with Ruby 3.3 by @hsbt in #260
• Reformat the rdoc so it renders correctly both locally and on github. by @zenspider in #258
• Allow racc cmdline to read from stdin if no path specified. by @zenspider in #259
• Add more grammars by @nurse in #222
• Exclude 2.5 on macos-latest by @nobu in #263
• Drop code for Ruby 1.6 by @nobu in #264
• Refactor command line options by @nobu in #265
• Change encode EUC-JP to UTF-8 by @ydah in #267
• Organize README.ja.rdoc by @ydah in #266
• Support error_on_expect_mismatch declaration in Racc grammar file by @yui-knk in #262
• Bump up v1.8.0 by @yui-knk in #268

New Contributors

• @ydah made their first contribution in #257
• @nurse made their first contribution in #222

Full Changelog: v1.7.3...v1.8.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 29 commits:

• Merge pull request #268 from yui-knk/v1.8.0
• Bump up v1.8.0
• Merge pull request #262 from yui-knk/support_expect_bang
• Support `error_on_expect_mismatch` declaration in Racc grammar file
• Merge pull request #266 from ydah/fix-readme-ja
• Merge pull request #267 from ydah/change-encode
• Change encode EUC-JP to UTF-8
• Update Racc link in README.ja.rdoc
• Change Requirement to match README.rdoc
• Merge pull request #265 from nobu/options
• Simplify `--runtime-version` option
• Make `--help` success
• Omit the default exit value
• Abort instead of puts and exit
• Merge pull request #264 from nobu/drop-ruby1.6
• Merge pull request #263 from nobu/old-version-on-macos
• Exclude 2.5 on macos-latest
• Drop code for Ruby 1.6
• Merge pull request #222 from nurse/add-more-grammars
• Merge pull request #259 from zenspider/zenspider/stdin
• Reformat the rdoc so it renders correctly both locally and on github.
• Allow racc cmdline to read from stdin if no path specified.
• Merge pull request #260 from ruby/try-to-fix-3-3
• Don't use bundle exec to avoid warning of Ruby 3.3
• Ignore jar artifact
• Remove stale code
• Merge pull request #257 from ydah/fix-typos
• Fix trivial typos
• Merge pull request #255 from nobu/build-java

↗️ regexp_parser (indirect, 2.9.0 → 2.9.2) · Repo · Changelog

Release Notes

2.9.2 (from changelog)

Fixed

• made the MFA requirement for changes to this gem visible on rubygems
  • thanks to Geremia Taglialatela

2.9.1 (from changelog)

Fixed

• fixed unnecessary $LOAD_PATH searches at load time
  • thanks to Koichi ITO

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

• Release v2.9.2
• Merge pull request #91 from tagliala/security/opt-in-for-mfa
• Opt-in for MFA requirement explicitly
• Merge pull request #92 from tagliala/chore/fix-typos
• Fix typos
• Release v2.9.1
• Unify CHANGELOG formatting
• Simplify path slightly
• Merge pull request #90 from koic/use_require_relative
• Use `require_relative` in the Regexp::Parser codebase

↗️ rexml (indirect, 3.2.6 → 3.2.8) · Repo · Changelog

Security Advisories 🚨

🚨 REXML contains a denial of service vulnerability

Impact

The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many <s in an attribute value.

If you need to parse untrusted XMLs, you many be impacted to this vulnerability.

Patches

The REXML gem 3.2.7 or later include the patch to fix this vulnerability.

Workarounds

Don't parse untrusted XMLs.

References

• https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/

Release Notes

3.2.8

Fixes

• Suppressed a warning

3.2.7

Improvements

• Improve parse performance by using StringScanner.

  • GH-106

  • GH-107

  • GH-108

  • GH-109

  • GH-112

  • GH-113

  • GH-114

  • GH-115

  • GH-116

  • GH-117

  • GH-118

  • GH-119

  • GH-121

  • Patch by NAITOH Jun.

• Improved parse performance when an attribute has many <s.

  • GH-124

Fixes

• XPath: Fixed a bug of normalize_space(array).

  • GH-110

  • GH-111

  • Patch by flatisland.

• XPath: Fixed a bug that wrong position is used with nested path.

  • GH-110

  • GH-122

  • Reported by jcavalieri.

  • Patch by NAITOH Jun.

• Fixed a bug that an exception message can't be generated for
  invalid encoding XML.

  • GH-29

  • GH-123

  • Reported by DuKewu.

  • Patch by NAITOH Jun.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 33 commits:

• Add 3.2.8 entry
• Remove an unused variable (#128)
• Suppress a warning
• ci: install only gems required for running tests (#129)
• Add missing Thanks section
• Bump version
• Add 3.2.7 entry
• Read quoted attributes in chunks (#126)
• Exclude older than 2.6 on macos-14
• Move development dependencies to Gemfile (#124)
• Fix a problem that parse exception message can't be generated for invalid encoding XML (#123)
• xpath: Fix wrong position with nested path (#122)
• Change `attribute.has_key?(name)` to ` attributes[name]`. (#121)
• Optimize the parse_attributes method to use `Source#match` to parse XML. (#119)
• Make the test suite compatible with `--enable-frozen-string-literal` (#120)
• Separate `IOSource#ensure_buffer` from `IOSource#match`. (#118)
• Remove `Source#string=` method (#117)
• source: Remove unnecessary string length comparisons in the case of string comparisons (#116)
• Use more StringScanner based API to parse XML (#114)
• test: Fix invalid XML with spaces before the XML declaration (#115)
• Stop specifying the gem version of strscan in benchmarks. (#113)
• Remove unnecessary checks in baseparser (#112)
• xpath: Fix normalize_space(array) case (#111)
• Change loop in parse_attributes to `while true`. (#109)
• Reduce calls to StringScanner.new() (#108)
• Use `@scanner << readline` instead of `@scanner.string = @scanner.rest + readline` (#107)
• Reduce calls to `Source#buffer`(`StringScanner#rest`) (#106)
• Use string scanner with baseparser (#105)
• Add parse benchmark (#104)
• Use reusing workflow for Ruby versions (#103)
• CI: Add ruby-3.3 (#102)
• build(deps): bump actions/checkout from 3 to 4 (#101)
• Bump version

↗️ rubocop-ast (indirect, 1.31.2 → 1.31.3) · Repo · Changelog

Release Notes

1.31.3 (from changelog)

Bug fixes

• #289: Fix an error during parsing when encountering unknown encodings in the encoding magic comment. (@Earlopain)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 8 commits:

• Cut 1.31.3
• Update Changelog
• Handle encoding error from the parser gem
• Workaround for incompatibilities between Prism 0.24.0 and 0.25.0 (#290)
• Update org name from rubocop-hq to rubocop
• Suppress a RuboCop's offense
• Add CHANGELOG entry.
• Restore docs/antora.yml

🆕 strscan (added, 3.1.0)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[coveralls]

coverage: 99.216%. remained the same
when pulling e22994f on depfu/update/rubocop-1.64.0
into e1318ec on main.

[depfu]

Closed in favor of #1315.