🚨 [security] Update rubocop-rspec 3.0.2 → 3.6.0 (minor) #898


Open. Wants to merge 1 commit into base: master.

Conversation

depfu[bot]
Contributor

@depfu depfu bot commented Apr 19, 2025


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rubocop-rspec (3.0.2 → 3.6.0) · Repo · Changelog

Release Notes

3.6.0

  • Fix false positive in RSpec/Pending, where it would mark the default block it as an offense. (@bquorning)
  • Fix issue when Style/ContextWording is configured with a Prefix being interpreted as a boolean, like on. (@sakuro)
  • Add new RSpec/IncludeExamples cop to enforce using it_behaves_like over include_examples. (@dvandersluis)
  • Change RSpec/ScatteredSetup to allow around hooks to be scattered. (@ydah)
  • Fix an error in the RSpec/ChangeByZero cop when there is no expect block. (@lee266)
  • Fix a false positive for RSpec/DescribedClass when SkipBlocks is true and numblocks are used. (@earlopain)

3.5.0

  • Don't let RSpec/PredicateMatcher replace respond_to? with two arguments with the RSpec respond_to matcher. (@bquorning)
  • Fix RSpec/PredicateMatcher support for eql and equal matchers. (@bquorning)
  • Pluginfy RuboCop RSpec. (@koic)

3.4.0

  • Fix RSpec/SortMetadata cop to limit sorting to trailing metadata arguments. (@cbliard)
  • Replace RSpec/StringAsInstanceDoubleConstant with RSpec/VerifiedDoubleReference configured to only support constant class references. (@corsonknowles)
  • Fix RSpec/EmptyExampleGroup cop false positive when a simple conditional is used inside an iterator. (@lovro-bikic)

3.3.0

  • Deprecate top_level_group? method from TopLevelGroup mixin as all of its callers were intentionally removed from Rubocop/RSpec. (@corsonknowles)
  • Fix false positive for RSpec/EmptyMetadata for splat kwargs. (@pirj)

3.2.0

  • Fix RSpec/VoidExpect to only operate inside an example block. (@corsonknowles)
  • Change RSpec/ContextWording cop to always report an offense when both Prefixes and AllowedPatterns are empty. (@ydah)
  • Add support for and and or compound matchers to RSpec/ChangeByZero cop. (@ydah)

3.1.0

  • Add RSpec/StringAsInstanceDoubleConstant to check for and correct strings used as instance_doubles. (@corsonknowles)
  • Fix false-positive for RSpec/UnspecifiedException when a method is literally named raise_exception. (@aarestad)
  • Fix false-positive for RSpec/UnspecifiedException when not_to raise_error is used within a block. (@aarestad, @G-Rath)

3.0.5

  • Fix false-negative and error for RSpec/MetadataStyle when non-literal args are used in metadata in EnforceStyle: hash. (@cbliard)
  • Improve offense message for RSpec/IndexedLet. (@earlopain)

3.0.4

  • Fix false-negative for UnspecifiedException when matcher is chained. (@r7kamura)

3.0.3

  • Add support for Unicode RIGHT SINGLE QUOTATION MARK in RSpec/ExampleWording. (@jdufresne)
  • Suppress deprecation warning for RSpec/MultipleExpectations, RSpec/MultipleMemoizedHelpers, and RSpec/NestedGroups cops. (@koic)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ast (indirect, 2.4.2 → 2.4.3) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 10 commits:

↗️ json (indirect, 2.9.1 → 2.10.2) · Repo · Changelog

Security Advisories 🚨

🚨 Out-of-bounds Read in Ruby JSON Parser

Impact

A specially crafted document could cause an out of bound read, most likely resulting in a crash.

Versions 2.10.0 and 2.10.1 are impacted. Older versions are not.

Patches

Version 2.10.2 fixes the problem.

Workarounds

None.

Release Notes

2.10.2

What's Changed

  • Fix a potential crash in the C extension parser.
  • Raise a ParserError on all incomplete unicode escape sequences. This was the behavior until 2.10.0 inadvertently changed it.
  • Ensure document snippets that are included in parser errors don't include truncated multibyte characters.
  • Ensure parser error snippets are valid UTF-8.
  • Fix JSON::GeneratorError#detailed_message on Ruby < 3.2

Full Changelog: v2.10.1...v2.10.2

2.10.1 (from changelog)

  • Fix a compatibility issue with MultiJson.dump(obj, pretty: true): no implicit conversion of false into Proc (TypeError).

2.10.0

What's Changed

  • strict: true now accepts symbols as values. Previously they'd only be accepted as hash keys.
  • The C extension Parser has been entirely reimplemented from scratch.
  • Introduced JSON::Coder as a new API allowing customization of how non-native types are serialized in a non-global way.
  • Introduced JSON::Fragment to allow assembling cached fragments in a safe way.
  • The Java implementation of the generator received many optimizations.

Full Changelog: v2.9.1...v2.10.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 73 commits:

↗️ language_server-protocol (indirect, 3.17.0.3 → 3.17.0.4) · Repo · Changelog

Release Notes

3.17.0.4 (from changelog)

  • Add #close to Reader and Writer (#112)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ parallel (indirect, 1.26.3 → 1.27.0) · Repo

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ parser (indirect, 3.3.6.0 → 3.3.8.0) · Repo · Changelog

Release Notes

3.3.8.0 (from changelog)

API modifications:

  • Bump maintenance branches to 3.3.8 (#1077) (Koichi ITO)
  • YARD docs for Parser::CurrentRuby and Parser::Base#version (#1076) (Vince Broz)

3.3.7.4 (from changelog)

Bugs fixed:

  • lexer-strings.rb: Avoid an exception on utf8 surrogate pair codepoints (#1051) (Earlopain)
  • builder.rb: emit kwargs node for indexasgn when opted in (#1053) (Earlopain)
  • builder.rb: correctly handle ... forwarding to super with explicit block (#1049) (Earlopain)
  • numbered parameters are valid for pattern matching pinning (#1060) (Earlopain)

3.3.7.3 (from changelog)

API modifications:

  • Bump maintenance branches to 3.2.8 and 3.1.7 (#1074) (Koichi ITO)

3.3.7.2 (from changelog)

Features implemented:

  • add prism-specific node types (#1071) (Earlopain)

Bugs fixed:

  • builder.rb: fix hash value omission considering some local vars as constants (#1064) (Earlopain)

3.3.7.1 (from changelog)

API modifications:

  • parser/current: add -dev prefix to 3.4 branch (#1067) (Ilya Bylich)
  • parser/current: bump 3.2 branch to 3.2.7 (#1066) (Ilya Bylich)

3.3.7.0 (from changelog)

API modifications:

  • Bump maintenance branches to 3.3.7 (#1061) (Koichi ITO)
  • bump 3.4 branch, remove 3.0 from CI (EOL) (#1057) (Ilya Bylich)
  • assert that version-specific checks actually run against at least one version (#1050) (Earlopain)

Features implemented:

  • ruby34.y: reject return in singleton class (#1048) (Earlopain)

Bugs fixed:

  • Fix ruby-parse with a folder ending in .rb (#1047) (Earlopain)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 43 commits:

↗️ rubocop (indirect, 1.70.0 → 1.75.2) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rubocop-ast (indirect, 1.37.0 → 1.44.1) · Repo · Changelog

Release Notes

1.44.1

Bug fixes

1.44.0

New features

  • #377: Support RuboCop::AST::Node#any_def_type? method. (@koic)

1.43.0

Changes

  • #374: Use the prism translation layer to analyze Ruby 3.4 by default. (@Earlopain)
  • #373: Add prism as a runtime dependency. (@Earlopain)

1.42.0

New features

  • #370: Support Prism::Translation::Parser35 for Ruby 3.5 parser (experimental). (@earlopain, @koic)

1.41.0

New features

1.40.0

Changes

  • #354: Use Prism::Translation::Parser::Builder when parsing with prism. (@earlopain)

1.39.0 (from changelog)

New features

  • #359: Enable reusable Prism parse result. (@koic)

1.38.1 (from changelog)

Bug fixes

  • #360: Fix an error when the Array core class contains a writer method before rubocop-ast loaded. (@earlopain)

1.38.0 (from changelog)

New features

  • #346: Add Node#loc? to determine if a node has a given location. (@dvandersluis)
  • #356: Added :any_block as an alias for :block and :numblock, use it with Node#any_block_type?. Also available in node patterns: {block numblock} can become any_block. (@earlopain)

Bug fixes

  • #323: Fix node captures inside of ?, +, and * repetition. (@earlopain)

Changes

  • #357: Support node groups in Node#each_descendant and similar traversal methods. (@earlopain)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 72 commits:

🆕 lint_roller (added, 1.1.0)

🆕 prism (added, 1.4.0)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu cancel merge: Cancels automatic merging of this PR
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Apr 19, 2025

Code Coverage

Package Line Rate Health
dynamoid 92%
Summary 92% (3533 / 3846)

Minimum allowed line rate is 90%
