
🚨 [security] Update rubocop: 0.83.0 → 0.85.1 (major) #811

Closed
wants to merge 1 commit into from

Conversation

depfu[bot]

@depfu depfu bot commented Jun 14, 2020

👉 This PR is queued up to get rebased by Depfu


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rubocop (0.83.0 → 0.85.1) · Repo · Changelog

Release Notes

0.85.1

Bug fixes

  • #8083: Fix an error for Lint/MixedRegexpCaptureTypes cop when using a regular expression that cannot be processed by regexp_parser gem. (@koic)
  • #8081: Fix a false positive for Lint/SuppressedException when empty rescue block in do block. (@koic)
  • #8096: Fix a false positive for Lint/SuppressedException when empty rescue block in defs. (@koic)
  • #8108: Fix infinite loop in Layout/HeredocIndentation auto-correct. (@jonas054)
  • #8042: Fix raising error in Lint::FormatParameterMismatch when it handles invalid format strings and add new offense. (@andrykonchin)

0.85.0

New features

  • #6289: Add new CheckDefinitionPathHierarchy option for Naming/FileName. (@jschneid)
  • #8055: Add new Style/RedundantRegexpCharacterClass cop. (@owst)
  • #8069: New option for expect_offense to help format offense templates. (@marcandre)
  • #7908: Add new Style/RedundantRegexpEscape cop. (@owst)
  • #7978: Add new option OnlyFor to the Bundler/GemComment cop. (@ric2b)
  • #8063: Add new AllowedNames option for Naming/ClassAndModuleCamelCase. (@tejasbubane)
  • #8050: New option --display-only-failed that can be used with --format junit. Speeds up test report processing for large codebases and helps address the sorts of concerns raised at mikian/rubocop-junit-formatter #18. (@burnettk)
  • #7746: Add new Lint/MixedRegexpCaptureTypes cop. (@pocke)

Bug fixes

  • #8008: Fix an error for Lint/SuppressedException when empty rescue block in def. (@koic)
  • #8012: Fix an incorrect autocorrect for Lint/DeprecatedOpenSSLConstant when deprecated OpenSSL constant is used in a block. (@koic)
  • #8017: Fix a false positive for Lint/SuppressedException when empty rescue with comment in def. (@koic)
  • #7990: Fix resolving inherit_gem in remote configs. (@CvX)
  • #8035: Fix a false positive for Lint/DeprecatedOpenSSLConstant when using double quoted string argument. (@koic)
  • #7971: Fix an issue where --disable-uncorrectable would not update uncorrected code with rubocop:todo. (@rrosenblum)
  • #8035: Fix a false positive for Lint/DeprecatedOpenSSLConstant when argument is a variable, method, or constant. (@koic)

Changes

  • #8056: (Breaking) Remove support for unindent/active_support/powerpack from Layout/HeredocIndentation, so it only recommends using squiggly heredoc. (@bquorning)

0.84.0

New features

  • #7735: NodePattern and AST classes have been moved to the rubocop-ast gem. (@marcandre)
  • #7950: Add new Lint/DeprecatedOpenSSLConstant cop. (@bdewater)
  • #7976: Add AllowAliasSyntax and AllowedMethods options for Layout/EmptyLinesAroundAttributeAccessor. (@koic)
  • #7984: New rake task "check_commit" will run rspec and rubocop on files touched by the last commit. (@marcandre)

Bug fixes

  • #7953: Fix an error for Lint/AmbiguousOperator when a method with no arguments is used in advance. (@koic)
  • #7962: Fix a false positive for Lint/ParenthesesAsGroupedExpression when heredoc has a space between the same string as the method name and (. (@koic)
  • #7967: Style/SlicingWithRange cop now supports any expression as its first index. (@zverok)
  • #7972: Fix an incorrect autocorrect for Style/HashSyntax when using a return value uses return. (@koic)
  • #7886: Fix a bug in AllowComments logic in Lint/SuppressedException. (@jonas054)
  • #7991: Fix an error for Layout/EmptyLinesAroundAttributeAccessor when attribute method is method chained. (@koic)
  • #7993: Fix a false positive for Migration/DepartmentName when a disable comment contains an unexpected character for department name. (@koic)

Changes

  • #7952: (Breaking) Change the max line length of Layout/LineLength to 120 by default. (@koic)
  • #7959: Change enforced style to conditionals for Style/AndOr. (@koic)
  • #7985: Add EnforcedStyle for Style/DoubleNegation cop and allow double negation in contexts that use boolean as a return value. (@koic)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ capybara (3.31.0 → 3.32.2) · Repo · Changelog

Release Notes

3.32.2 (from changelog)

Release date: 2020-05-16

Fixed

  • Don't use lazy enumerator with JRuby due to leaking threads
  • Ruby 2.7 deprecation warning when registering Webrick [Jon Zeppieri]
  • have_text description [Juan Pablo Rinaldi]

3.32.1 (from changelog)

Release date: 2020-04-05

Fixed

  • Rapid set now respects field maxlength (Issue #2332)
  • Only patch pause into legacy actions in Selenium < 4 (Issue #2334)

3.32.0 (from changelog)

Release date: 2020-03-29

Added

  • Support delay setting on click with Selenium
  • Implement rapid set for values longer than 30 characters in text fields with Selenium

Fixed

  • Result#[] and negative max on ranges (Issue #2302/2303) [Jeremy Evans]
  • RackTest form submission rewrites query string when using GET method
  • Ruby 2.7 deprecation warnings in RSpec matcher proxies

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ast (indirect, 2.4.0 → 2.4.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 7 commits:

↗️ parallel (indirect, 1.19.1 → 1.19.2) · Repo

Commits

See the full diff on Github. The new version differs by 6 commits:

↗️ parser (indirect, 2.7.1.2 → 2.7.1.3) · Repo · Changelog

Release Notes

2.7.1.3 (from changelog)

API modifications:

  • fixed all warnings. tests are running in verbose mode now. (#685) (Ilya Bylich)

Features implemented:

  • ruby-[parse, rewrite]: add legacy switches (#699) (Marc-André Lafortune)
  • Added Parser::Source::Range#to_range. (#697) (Ilya Bylich)
  • ruby28.y: support rescue modifier in endless method definition. (#696) (Ilya Bylich)
  • ruby28.y: unify kwrest and no-kwrest rules. (#694) (Ilya Bylich)
  • ruby28.y: add right hand assignment (#682) (Vladimir Dementyev)

Bugs fixed:

  • fix Comment.associate for postfix conditions/loops (#688) (Marc-André Lafortune)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 12 commits:

↗️ public_suffix (indirect, 4.0.3 → 4.0.5) · Repo · Changelog

Release Notes

4.0.5 (from changelog)

Changed

  • Updated definitions.

4.0.4 (from changelog)

Changed

  • Updated definitions.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 20 commits:

↗️ rack (indirect, 2.2.2 → 2.2.3) · Repo · Changelog

Security Advisories 🚨

🚨 Percent-encoded cookies can be used to overwrite existing prefixed cookie names

It is possible to forge a secure or host-only cookie prefix in Rack using an arbitrary cookie write by using URL encoding (percent-encoding) on the name of the cookie. This could result in an application that is dependent on this prefix to determine if a cookie is safe to process being manipulated into processing an insecure or cross-origin request.

This vulnerability has been assigned the CVE identifier CVE-2020-8184.

Versions Affected: rack < 2.2.3, rack < 2.1.4
Not affected: Applications which do not rely on __Host- and __Secure- prefixes to determine if a cookie is safe to process
Fixed Versions: rack >= 2.2.3, rack >= 2.1.4

Impact

An attacker may be able to trick a vulnerable application into processing an insecure (non-SSL) or cross-origin request if they can gain the ability to write arbitrary cookies that are sent to the application.

Workarounds

If your application is impacted but you cannot upgrade to the released versions or apply the provided patch, this issue can be temporarily addressed by adding the following workaround:

module Rack
  module Utils
    module_function def parse_cookies_header(header)
      return {} unless header
      header.split(/[;] */n).each_with_object({}) do |cookie, cookies|
        next if cookie.empty?
        key, value = cookie.split('=', 2)
        cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)
      end
    end
  end
end
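The property the workaround relies on is that the cookie name is never percent-decoded, so an encoded name can no longer collide with a real __Host- or __Secure- cookie. The following is an added example, not code from this PR or from the rack gem: it carries a stand-alone copy of the advisory's parse_cookies_header (with Rack::Utils.unescape reproduced via URI.decode_www_form_component, which is what rack 2.x uses) and a companion check, spoofed_prefix_names (a hypothetical helper), that an application could run on incoming Cookie headers to log names that would only acquire a protected prefix after decoding. The sample header is constructed.

```ruby
require 'uri'

PROTECTED_PREFIXES = ['__Host-', '__Secure-'].freeze

# Stand-in for Rack::Utils.unescape (assumption: rack 2.x delegates to this),
# so the example runs without the rack gem installed.
def unescape(s, encoding = Encoding::UTF_8)
  URI.decode_www_form_component(s, encoding)
end

# The advisory's workaround parser: the cookie name is stored verbatim, only
# the value is percent-decoded, and the first occurrence of a name wins.
def parse_cookies_header(header)
  return {} unless header
  header.split(/[;] */n).each_with_object({}) do |cookie, cookies|
    next if cookie.empty?
    key, value = cookie.split('=', 2)
    cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)
  end
end

# Hypothetical detection helper: returns the raw cookie names that do not
# start with a protected prefix but would after percent-decoding. These are
# exactly the names the pre-2.2.3 parser would have merged into the real
# prefixed cookie; worth logging or rejecting at the edge.
def spoofed_prefix_names(header)
  return [] unless header
  header.split(/[;] */n).each_with_object([]) do |cookie, names|
    next if cookie.empty?
    raw = cookie.split('=', 2).first
    decoded = (unescape(raw) rescue raw)
    protected_raw = PROTECTED_PREFIXES.any? { |p| raw.start_with?(p) }
    protected_decoded = PROTECTED_PREFIXES.any? { |p| decoded.start_with?(p) }
    names << raw if protected_decoded && !protected_raw
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed header: one genuine __Host- cookie and one name that only
  # becomes "__Host-id" once decoded.
  header = 'session=abc; __Host-id=real; %5F%5FHost-id=other'
  puts parse_cookies_header(header).inspect
  puts spoofed_prefix_names(header).inspect
end
```

With the workaround in place the two names stay separate keys in the parsed hash, and the check reports the encoded one for review.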

Commits

See the full diff on Github. The new version differs by 2 commits:

↗️ regexp_parser (indirect, 1.6.0 → 1.7.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 8 commits:

🆕 rubocop-ast (added, 0.0.3)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Jun 14, 2020
@lkocman

lkocman commented Jun 19, 2020

@depfu rebase

@depfu depfu bot force-pushed the depfu/update/rubocop-0.85.1 branch from aefb08c to 7a8df74 on June 19, 2020 12:01
@depfu depfu bot changed the title from "🚨 [security] Update rubocop: 0.80.1 → 0.85.1 (major)" to "🚨 [security] Update rubocop: 0.83.0 → 0.85.1 (major)" Jun 19, 2020
@lkocman

lkocman commented Jun 19, 2020

Failed on ruby 2.7 test run. See Issue #815

@depfu

depfu bot commented Jun 19, 2020

Closing because this update has already been applied

@depfu depfu bot closed this Jun 19, 2020
@depfu depfu bot deleted the depfu/update/rubocop-0.85.1 branch June 19, 2020 12:16
@lkocman

lkocman commented Jun 19, 2020

@depfu rebase
