dependabot-preview[bot]
Bumps squizlabs/php_codesniffer from 2.7.0 to 3.4.0. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Sonatype OSS Index.

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Affected versions: < 2.0.0, >= 1.0.0; < 2.8.1, >= 2.0.0

Sourced from The PHP Security Advisories Database.

Arbitrary shell execution

Affected versions: >=1.0.0, <2.0.0; >=2.0.0, <2.8.1

Release notes

Sourced from squizlabs/php_codesniffer's releases.

3.4.0

Deprecations

Generic.Formatting.NoSpaceAfterCast Sniff

The Generic.Formatting.NoSpaceAfterCast sniff has been deprecated and will be removed in version 4.

The functionality of this sniff is now available in the Generic.Formatting.SpaceAfterCast sniff. Include the Generic.Formatting.SpaceAfterCast sniff and set the spacing property to 0 to retain the existing functionality. As soon as possible, replace all instances of the old sniff code with the new sniff code and property setting in your ruleset.xml files. The existing sniff will continue to work until version 4 has been released.

Other Changes

  • Rule include patterns in a ruleset.xml file are now evaluated as OR instead of AND
    • Previously, a file had to match every include pattern and no exclude patterns to be included
    • Now, a file must match at least one include pattern and no exclude patterns to be included
    • This is a bug fix as include patterns are already documented to work this way
  • New token T_BITWISE_NOT added for the bitwise not operator
    • This token was previously tokenized as T_NONE
    • Any sniffs specifically looking for T_NONE tokens with a tilde as the contents must now also look for T_BITWISE_NOT
    • Sniffs can continue looking for T_NONE as well as T_BITWISE_NOT to support older PHP_CodeSniffer versions
  • All types of binary casting are now tokenized as T_BINARY_CAST
    • Previously, the b in b"some string with $var" would be a T_BINARY_CAST, but only when the string contained a var
    • This change ensures the b is always tokenized as T_BINARY_CAST
    • This change also converts (binary) from T_STRING_CAST to T_BINARY_CAST
    • Thanks to Juliette Reinders Folmer for the help with this patch
  • Array properties set inside a ruleset.xml file can now extend a previous value instead of always overwriting it
    • e.g., if you include a ruleset that defines forbidden functions, you can now add to that list instead of having to redefine it
    • To use this feature, add extend="true" to the property tag
      • e.g., <property name="forbiddenFunctionNames" type="array" extend="true">
    • Thanks to Michael Moravec for the patch
  • If $XDG_CACHE_HOME is set and points to a valid directory, it will be used for caching instead of the system temp directory
  • PHPCBF now disables parallel running if you are passing content on STDIN
    • Stops an error from being shown after the fixed output is printed
  • The progress report now shows files with tokenizer errors as skipped (S) instead of a warning (W)
    • The tokenizer error is still displayed in reports as normal
    • Thanks to Juliette Reinders Folmer for the patch
  • The Squiz standard now ensures there is no space between an increment/decrement operator and its variable
  • The File::getMethodParameters() method now includes a has_body array index in the return value
    • TRUE if the method has no body (as with abstract and interface methods) or FALSE otherwise
    • Thanks to Chris Wilkinson for the patch
  • The File::getTokensAsString() method now throws an exception if the $start param is invalid
    • If the $length param is invalid, an empty string will be returned
    • Stops an infinite loop when the function is passed invalid data
    • Thanks to Juliette Reinders Folmer for the patch
  • Added new Generic.CodeAnalysis.EmptyPHPStatement sniff
    • Warns when it finds empty PHP open/close tag combinations or superfluous semicolons
    • Thanks to Juliette Reinders Folmer for the contribution
  • Added new Generic.Formatting.SpaceBeforeCast sniff
    • Ensures there is exactly 1 space before a type cast, unless the cast statement is indented or multi-line
    • Thanks to Juliette Reinders Folmer for the contribution
  • Added new Generic.VersionControl.GitMergeConflict sniff
... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will not automatically merge this PR because it includes an out-of-range update to a development dependency.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

Bumps [squizlabs/php_codesniffer](https://github.com/squizlabs/PHP_CodeSniffer) from 2.7.0 to 3.4.0. **This update includes security fixes.**
- [Release notes](https://github.com/squizlabs/PHP_CodeSniffer/releases)
- [Commits](squizlabs/PHP_CodeSniffer@2.7.0...3.4.0)

Signed-off-by: dependabot[bot] <support@dependabot.com>
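To check whether a pinned version really falls inside the affected ranges quoted above (the PR reports 2.7.0 as affected and 3.4.0 as fixed), here is an added example that is not part of Dependabot's PR or of PHP_CodeSniffer: it parses the advisory range notation used on this page (';' separates alternative ranges, ',' separates constraints within one range) and scans a constructed composer.lock structure. The sample lock contents, the second package name and the scanning helper are assumptions made for the example.

```python
import re

# Affected ranges exactly as the two advisories on this page print them.
OSS_INDEX_RANGE = "< 2.0.0, >= 1.0.0; < 2.8.1, >= 2.0.0"
PHP_SEC_ADVISORIES_RANGE = ">=1.0.0, <2.0.0; >=2.0.0, <2.8.1"
_CONSTRAINT = re.compile(r"^\s*(<=|>=|<|>|=)\s*([0-9]+(?:\.[0-9]+)*)\s*$")

def parse_version(text):
    """'2.8.1' -> (2, 8, 1); a leading 'v' is dropped. Raises ValueError for 'dev-master' etc."""
    return tuple(int(p) for p in text.strip().lstrip("v").split("."))

def satisfies(version, constraint):
    """True if one constraint such as '< 2.8.1' holds; shorter tuples are zero-padded."""
    m = _CONSTRAINT.match(constraint)
    if not m:
        raise ValueError(f"unrecognised constraint: {constraint!r}")
    op, bound = m.group(1), parse_version(m.group(2))
    n = max(len(version), len(bound))
    v = version + (0,) * (n - len(version))
    b = bound + (0,) * (n - len(bound))
    return {"<": v < b, "<=": v <= b, ">": v > b, ">=": v >= b, "=": v == b}[op]

def is_affected(version_text, ranges_text):
    """';' separates alternative ranges (OR); ',' separates constraints in a range (AND)."""
    version = parse_version(version_text)
    for group in ranges_text.split(";"):
        if all(satisfies(version, c) for c in group.split(",") if c.strip()):
            return True
    return False

def affected_in_lock(lock, advisories):
    """Scan a parsed composer.lock dict against {package: ranges_text}; returns [(name, version)]."""
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            ranges = advisories.get(pkg["name"])
            if not ranges:
                continue
            try:
                if is_affected(pkg["version"], ranges):
                    hits.append((pkg["name"], pkg["version"]))
            except ValueError:
                continue  # branch aliases such as dev-master are not comparable; report nothing
    return hits

# Constructed sample lock (not the repository's real composer.lock): the pre-bump pin.
SAMPLE_LOCK = {"packages": [], "packages-dev": [
    {"name": "squizlabs/php_codesniffer", "version": "2.7.0"},
    {"name": "example/other-dev-tool", "version": "dev-master"}]}
ADVISORIES = {"squizlabs/php_codesniffer": OSS_INDEX_RANGE}
```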
@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Jan 1, 2019
@WyriHaximus WyriHaximus merged commit 0bf95c1 into master Jan 4, 2019
@dependabot-preview dependabot-preview bot deleted the dependabot/composer/squizlabs/php_codesniffer-3.4.0 branch January 4, 2019 20:26