chore(deps): update dependency brakeman to v7

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
brakeman (source, changelog)	'~> 5.2.3' -> '~> 7.0.2'

---

Release Notes

presidentbeef/brakeman (brakeman)

v7.0.2

Compare Source

• Fix error with empty BUNDLE_GEMFILE env variable

v7.0.1

Compare Source

• Avoid warning on evaluation of plain strings
• Enable use of custom/alternative Gemfiles
• Fix error on directory with rb extension (viralpraxis)
• Support terminal-table 4.0 (Chedli Bourguiba)
• Better support Prism 1.4.0
• Only output timing for each file when using --debug

v7.0.0

Compare Source

• Always warn about deserializing from Marshal
• Output originalBaseUriIds for SARIF format report
• Default to using Prism parser if available (disable with --no-prism)
• Update terminal-table version to use latest
• Update eval check to be a little noisier
• Fix array/hash unknown index handling
• Disable following symbolic links by default, re-enable with --follow-symlinks
• Add step (and timing) for finding files
• Add CSV library as explicit dependency for Ruby 3.4 support
• Major changes to how rescanning works
• Raise minimum Ruby version to 3.1
• Fix hardcoded globally excluded paths
• Remove updated entry in Brakeman ignore files (Toby Hsieh)
• Fix recursion when handling multiple assignment expressions

v6.2.2

Compare Source

• Ignore more native gems when building gem
• Revamp command injection in pipeline* calls
• New end-of-support dates for Rails

v6.2.1

Just a packaging fix for brakeman.gem

v6.2.0

• Add --show-ignored option (Gabriel Zayas)
• Add optional support for Prism parser
• Warn about unscoped finds with find_by!
• Treat ::X and X the same, for now (Jill Klang)
• Fix compatibility with default frozen string literals (Jean Boussier)
• Remediation advice for command injection (Nicholas Barone)
• Fix Ruby warnings in test suite (Jean Boussier)
• Support YAML aliases in secret configs (Chedli Bourguiba)
• Add initial Rails 8 support (Ron Shinall)
• Handle mass assignment with splats
• Add support for symbolic links (Lu Zhu)

v6.1.2

Compare Source

• Update Highline to 3.0
• Add EOL date for Ruby 3.3.0
• Avoid copying Sexps that are too large
• Avoid detecting ViewComponentContrib::Base as dynamic render paths (vividmuimui)
• Remove deprecated use of Kernel#open("|...")
• Remove safe_yaml gem dependency
• Avoid detecting Phlex components as dynamic render paths (Máximo Mussini)

v6.1.1

Compare Source

• Handle racc as a default gem in Ruby 3.3.0

v6.1.0

Compare Source

• Add --timing to add timing duration for scan steps
• Fix keyword splats in filter arguments
• Add check for unfiltered search with Ransack
• Fix class method lookup in parent classes
• Handle class << self
• Add PG::Connection.escape_string as a SQL sanitization method (Joévin Soulenq)

v6.0.1

Compare Source

• Accept strings for load_defaults version

v6.0.0

Compare Source

• Add obsolete fingerprints to comparison report
• Warn about missing CSRF protection when defaults are not loaded (Chris Kruger)
• Scan directories that include the word public
• Raise minimum Ruby version to 3.0
• Drop support for Ruby 1.8/1.9 syntax
• Fix end-of-life dates for Ruby
• Fix false positive with content_tag in newer Rails

v5.4.1

Compare Source

• Fix file/line location for EOL software warnings
• Revise checking for request.env to only consider request headers
• Add redirect_back and redirect_back_or_to to open redirect check
• Support Rails 7 redirect options
• Add Rails 6.1 and 7.0 default configuration values
• Prevent redirects using url_from being marked as unsafe (Lachlan Sylvester)
• Warn about unscoped find for find_by(id: ...)
• Support presence, presence_in and in?
• Fix issue with if expressions in when clauses

v5.4.0

Compare Source

• Use relative paths for CodeClimate report format (Mike Poage)
• Add check for weak RSA key sizes and padding modes
• Handle multiple values and splats in case/when
• Ignore more model methods in redirects
• Add check for absolute paths issue with Pathname
• Fix load_rails_defaults overwriting settings in the Rails application (James Gregory-Monk)

v5.3.1

Compare Source

• Fix version range for CVE-2022-32209

v5.3.0

Compare Source

• Include explicit engine or lib paths in vendor/ (Joe Rafaniello)
• Load rexml as a Brakeman dependency
• Fix "full call" information propagating unnecessarily
• Add check for CVE-2022-32209
• Add CWE information to warnings (Stephen Aghaulor)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 75.13%. Comparing base (17bff68) to head (b595be6).
Report is 5 commits behind head on staging.

Additional details and impacted files

@@           Coverage Diff            @@
##           staging    #1061   +/-   ##
========================================
  Coverage    75.13%   75.13%           
========================================
  Files           53       53           
  Lines         1102     1102           
========================================
  Hits           828      828           
  Misses         274      274           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.