🚨 [security] Update rubocop-rspec 3.0.2 → 3.6.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rubocop-rspec (3.0.2 → 3.6.0) · Repo · Changelog

Release Notes

3.6.0

• Fix false positive in RSpec/Pending, where it would mark the default block it as an offense. (@bquorning)
• Fix issue when Style/ContextWording is configured with a Prefix being interpreted as a boolean, like on. (@sakuro)
• Add new RSpec/IncludeExamples cop to enforce using it_behaves_like over include_examples. (@dvandersluis)
• Change RSpec/ScatteredSetup to allow around hooks to be scattered. (@ydah)
• Fix an error RSpec/ChangeByZero cop when without expect block. (@lee266)
• Fix a false positive for RSpec/DescribedClass when SkipBlocks is true and numblocks are used. (@earlopain)

3.5.0

• Don't let RSpec/PredicateMatcher replace respond_to? with two arguments with the RSpec respond_to matcher. (@bquorning)
• Fix RSpec/PredicateMatcher support for eql and equal matchers. (@bquorning)
• Pluginfy RuboCop RSpec. (@koic)

3.4.0

• Fix RSpec/SortMetadata cop to limit sorting to trailing metadata arguments. (@cbliard)
• Replace RSpec/StringAsInstanceDoubleConstant with RSpec/VerifiedDoubleReference configured to only support constant class references. (@corsonknowles)
• Fix RSpec/EmptyExampleGroup cop false positive when a simple conditional is used inside an iterator. (@lovro-bikic)

3.3.0

• Deprecate top_level_group? method from TopLevelGroup mixin as all of its callers were intentionally removed from Rubocop/RSpec. (@corsonknowles)
• Fix false positive for RSpec/EmptyMetadata for splat kwargs. (@pirj)

3.2.0

• Fix RSpec/VoidExpect to only operate inside an example block. (@corsonknowles)
• Change RSpec/ContextWording cop to always report an offense when both Prefixes and AllowedPatterns are empty. (@ydah)
• Add support for and and or compound matchers to RSpec/ChangeByZero cop. (@ydah)

3.1.0

• Add RSpec/StringAsInstanceDoubleConstant to check for and correct strings used as instance_doubles. (@corsonknowles)
• Fix false-positive for RSpec/UnspecifiedException when a method is literally named raise_exception. (@aarestad)
• Fix false-positive for RSpec/UnspecifiedException when not_to raise_error is used within a block. (@aarestad, @G-Rath)

3.0.5

• Fix false-negative and error for RSpec/MetadataStyle when non-literal args are used in metadata in EnforceStyle: hash. (@cbliard)
• Improve offense message for RSpec/IndexedLet. (@earlopain)

3.0.4

• Fix false-negative for UnspecifiedException when matcher is chained. (@r7kamura)

3.0.3

• Add support for Unicode RIGHT SINGLE QUOTATION MARK in RSpec/ExampleWording. (@jdufresne)
• Suppress deprecation warning for RSpec/MultipleExpectations, RSpec/MultipleMemoizedHelpers, and RSpec/NestedGroups cops. (@koic)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ast (indirect, 2.4.2 → 2.4.3) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 10 commits:

• Bump version.
• Update CI matrix, remove redundant `context`s from specs (#42)
• Replace bacon with rspec (#41)
• Use latest ruby versions on test job (#39)
• Bump actions/checkout (#38)
• Use `require_relative` instead of `require` (#37)
• Update Rubies in CI (#35)
• Fix usage example for Sexp (#36)
• Fix broken link
• Fixnum is now spelled Integer (#33)

↗️ json (indirect, 2.9.1 → 2.10.2) · Repo · Changelog

Security Advisories 🚨

🚨 Out-of-bounds Read in Ruby JSON Parser

Impact

A specially crafted document could cause an out of bound read, most likely resulting in a crash.

Versions 2.10.0 and 2.10.1 are impacted. Older versions are not.

Patches

Version 2.10.2 fixes the problem.

Workarounds

None.

Release Notes

2.10.2

What's Changed

• Fix a potential crash in the C extension parser.
• Raise a ParserError on all incomplete unicode escape sequence. This was the behavior until 2.10.0 unadvertently changed it.
• Ensure document snippets that are included in parser errors don't include truncated multibyte characters.
• Ensure parser error snippets are valid UTF-8.
• Fix JSON::GeneratorError#detailed_message on Ruby < 3.2

Full Changelog: v2.10.1...v2.10.2

2.10.1 (from changelog)

• Fix a compatibility issue with MultiJson.dump(obj, pretty: true): no implicit conversion of false into Proc (TypeError).

2.10.0

What's Changed

• strict: true now accept symbols as values. Previously they'd only be accepted as hash keys.
• The C extension Parser has been entirely reimplemented from scratch.
• Introduced JSON::Coder as a new API allowing to customize how non native types are serialized in a non-global way.
• Introduced JSON::Fragment to allow assembling cached fragments in a safe way.
• The Java implementation of the generator received many optimizations.

Full Changelog: v2.9.1...v2.10.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 73 commits:

• Release 2.10.2
• Merge commit from fork
• Fix potential out of bound read in `json_string_unescape`.
• Merge pull request #762 from byroot/invalid-escape
• Raise a ParserError on all incomplete unicode escape sequence.
• Avoid fast-path IO writes when IO has ext enc
• Merge pull request #757 from rahim/fix-generator-error-no-method-error
• Fix JSON::GeneratorError#detailed_message with Ruby < 3.2
• Merge pull request #756 from byroot/utf8-snippets
• Ensure parser error snippets are valid UTF-8
• Merge pull request #753 from ioquatix/json-dump-options
• Pass through all options if present.
• Release 2.10.1
• Merge pull request #749 from byroot/fix-state-roundtrip
• Fix a compatibility issue with `MultiJson.dump(obj, pretty: true)`
• Update changelog
• Release 2.10.0
• Apply recent C optimizations to Java encoder (#725)
• Skip installing ragel on CI
• Merge pull request #745 from etiennebarrie/optimize-symbol-generation
• Merge pull request #746 from etiennebarrie/fix-json-coder-NaN-Infinity
• Optimize Symbol generation in strict mode
• Fix JSON::Coder to call as_json proc for NaN and Infinity
• Merge pull request #744 from eregon/optimize-utf8_to_json
• Optimize and cleanup #utf8_to_json
• Refactor further to expose the simpler escape search possible
• Merge pull request #742 from byroot/refactor-convert-utf8
• Refactor convert_UTF8_to_JSON to split searching and escaping code
• Merge pull request #741 from nobu/ctype-plain-char
• Avoid plain char for ctype macros
• Merge pull request #740 from Edouard-chin/ec-minor-fixed
• Few doc tweaks:
• Make benchmarks JRuby compatible
• Update changelog
• Merge pull request #718 from etiennebarrie/json-coder
• Allow JSON::Fragment to be used even in strict mode
• Introduce JSON::Coder
• Update gemspec URIs
• Add some JSON::Fragment documentation
• Merge pull request #735 from tompng/fix_invalid_number
• Reject invalid number: `-` `-.1` `-e0`
• Merge pull request #734 from tompng/error_on_invalid_comments
• Merge pull request #733 from tompng/unicode_escape_fix
• Raise parse error on invalid comments
• Fix parsing incomplete unicode escape "\uaaa"
• Fix JSON::Fragment#to_json signature
• Merge pull request #732 from etiennebarrie/fragment
• Introduce JSON::Fragment
• Fix a regression in the parser with leading /
• Merge pull request #731 from byroot/arm64-ci
• Test on aarch64 Ubuntu
• json_string_unescape: use memchr to search for backslashes
• Cleanup json_decode_float
• parser.c: Pass the JSON_ParserConfig pointer
• Use RSTRING_END
• Replace fbuffer by stack buffers or RB_ALLOCV in parser.c
• Implement write barriers for ParserConfig objects
• Cleanup c ext Rakefile
• Merge pull request #729 from byroot/handrolled
• Finalize Kevin's handrolled parser.
• Initial handrolled parser
• Refactor JSONFixturesTest
• Removed unnecessary sections
• Fix a method redefinition warning in C parser
• Merge pull request #728 from byroot/refactor-parser
• Refactor JSON::Ext::Parser to split configuration and parsing state
• Merge pull request #727 from etiennebarrie/remove-State-_generate
• Remove Generator::State#_generate
• Merge pull request #726 from ruby/support-bundled-gems
• Refactor to omit JSON::GenericObject tests
• Require "date"
• Merge pull request #724 from byroot/lookup-3
• Improve lookup tables for string escaping.

↗️ language_server-protocol (indirect, 3.17.0.3 → 3.17.0.4) · Repo · Changelog

Release Notes

3.17.0.4 (from changelog)

• Add #close to Reader and Writer (#112)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ parallel (indirect, 1.26.3 → 1.27.0) · Repo

Commits

See the full diff on Github. The new version differs by 4 commits:

• v1.27.0
• Merge pull request #355 from grosser/grosser/34
• skip
• ruby 3.4

↗️ parser (indirect, 3.3.6.0 → 3.3.8.0) · Repo · Changelog

Release Notes

3.3.8.0 (from changelog)

API modifications:

• Bump maintenance branches to 3.3.8 (#1077) (Koichi ITO)
• YARD docs for Parser::CurrentRuby and Parser::Base#version (#1076) (Vince Broz)

3.3.7.4 (from changelog)

Bugs fixed:

• lexer-strings.rb: Avoid an exception on utf8 surrogate pair codepoints (#1051) (Earlopain)
• builder.rb: emit kwargs node for indexasgn when opted in (#1053) (Earlopain)
• builder.rb: correctly handle ... forwarding to super with explicit block (#1049) (Earlopain)
• numbered parameters are valid for pattern matching pinning (#1060) (Earlopain)

3.3.7.3 (from changelog)

API modifications:

• Bump maintenance branches to 3.2.8 and 3.1.7 (#1074) (Koichi ITO)

3.3.7.2 (from changelog)

Features implemented:

• add prism-specific node types (#1071) (Earlopain)

Bugs fixed:

• builder.rb: fix hash value omission considering some local vars as constants (#1064) (Earlopain)

3.3.7.1 (from changelog)

API modifications:

• parser/current: add -dev prefix to 3.4 branch (#1067) (Ilya Bylich)
• parser/current: bump 3.2 branch to 3.2.7 (#1066) (Ilya Bylich)

3.3.7.0 (from changelog)

API modifications:

• Bump maintenance branches to 3.3.7 (#1061) (Koichi ITO)
• bump 3.4 branch, remove 3.0 from CI (EOL) (#1057) (Ilya Bylich)
• assert that version-specific checks actually run against at least one version (#1050) (Earlopain)

Features implemented:

• ruby34.y: reject return in singleton class (#1048) (Earlopain)

Bugs fixed:

• Fix ruby-parse with a folder ending in .rb (#1047) (Earlopain)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 43 commits:

• Bump version
• Update changelog.
• Update changelog.
• Bump version
• * Bump maintenance branches to 3.3.8 (#1077)
• * YARD docs for Parser::CurrentRuby and Parser::Base#version (#1076)
• Update README to specify Ruby version compatibility
• Update changelog.
• Update changelog.
• Bump version
• - lexer-strings.rb: Avoid an exception on utf8 surrogate pair codepoints (#1051)
• - builder.rb: emit `kwargs` node for `indexasgn` when opted in (#1053)
• - builder.rb: correctly handle `...` forwarding to super with explicit block (#1049)
• Supress warnings during parsing (#1013)
• - numbered parameters are valid for pattern matching pinning (#1060)
• Update changelog.
• Update changelog.
• Bump version
• * Bump maintenance branches to 3.2.8 and 3.1.7 (#1074)
• Tweak a terminology
• Document parser/prism migration path
• Update changelog.
• Update changelog.
• Bump version.
• + add prism-specific node types (#1071)
• Document the current state of the project in the readme (#1069)
• - builder.rb: fix hash value omission considering some local vars as constants (#1064)
• Update changelog.
• Update changelog.
• Bump version.
• * parser/current: add -dev prefix to 3.4 branch (#1067)
• * parser/current: bump 3.2 branch to 3.2.7 (#1066)
• Update changelog.
• Update changelog.
• Bump version.
• update CI config (bump JRuby version, drop MRI 3.0 branch) (#1062)
• * Bump maintenance branches to 3.3.7 (#1061)
• Revert "* bump 3.4 branch, remove 3.0 from CI (EOL) (#1057)" (#1058)
• * bump 3.4 branch, remove 3.0 from CI (EOL) (#1057)
• * assert that version-specific checks actually run against at least one version (#1050)
• + ruby34.y: reject `return` in singleton class (#1048)
• - Fix `ruby-parse` with a folder ending in `.rb` (#1047)
• Update changelog.

↗️ rubocop (indirect, 1.70.0 → 1.75.2) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rubocop-ast (indirect, 1.37.0 → 1.44.1) · Repo · Changelog

Release Notes

1.44.1

Bug fixes

• #378: Fix flip-flop operator possible children nodes count. (@viralpraxis)

1.44.0

New features

• #377: Support RuboCop::AST::Node#any_def_type? method. (@koic)

1.43.0

Changes

• #374: Use the prism translation layer to analyze Ruby 3.4 by default. ([@Earlopain])
• #373: Add prism as a runtime dependency. ([@Earlopain])

1.42.0

New features

• #370: Support Prism::Translation::Parser35 for Ruby 3.5 parser (experimental). (@earlopain, @koic)

1.41.0

New features

• #365: Add support for itblock node for Ruby 3.4. (@earlopain)

1.40.0

Changes

• #354: Use Prism::Translation::Parser::Builder when parsing with prism. (@earlopain)

1.39.0 (from changelog)

New features

• #359: Enable reusable Prism parse result. (@koic)

1.38.1 (from changelog)

Bug fixes

• #360: Fix an error when the Array core class contains a writer method before rubocop-ast loaded. (@earlopain)

1.38.0 (from changelog)

New features

• #346: Add Node#loc? to determine if a node has a given location. (@dvandersluis)
• #356: Added :any_block as an alias for :block and :numblock, use it with Node#any_block_type?. Also available in node patterns: {block numblock} can become any_block. (@earlopain)

Bug fixes

• #323: Fix node captures inside of ?, +, and * repetition. (@earlopain)

Changes

• #357: Support node groups in Node#each_descendant and similar traversal methods. (@earlopain)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 72 commits:

• Cut 1.44.1
• Update Changelog
• Fix `flip-flop` operator possible children nodes count
• Restore docs/antora.yml
• Cut 1.44.0
• Update Changelog
• Add support `RuboCop::AST::Node#any_def_type?` method (#377)
• Restore docs/antora.yml
• Add release notes
• Cut 1.43.0
• Update Changelog
• Use the `prism` translation layer to analyze Ruby 3.4 by default
• Add `prism` as a dependency
• Restore docs/antora.yml
• Cut 1.42.0
• Update Changelog
• Support `Prism::Translation::Parser35` for Ruby 3.5 parser
• Remove a bit of backwards compat code
• Remove prism skips in tests
• Stop using `Parser::CurrentRuby`
• Restore docs/antora.yml
• Cut 1.41.0
• Update Changelog
• Add support for `itblock` node for Ruby 3.4 (#365)
• Revert "Don't show a deprecation warning for `EnsureNode#branch` just yet"
• Restore docs/antora.yml
• Cut 1.40.0
• Update Changelog
• Enforce a minimum version for prism
• Use the custom builder provided by prism
• Add a release note of 1.39.0
• Restore docs/antora.yml
• Cut 1.39.0
• Update Changelog
• Modify `def_callback` code to be easier to understand
• Enable reusable Prism parse result (#359)
• [Fix #348] Automate the process of GitHub release creation
• Fix current Rubocop offenses (#362)
• Restore docs/antora.yml
• Cut 1.38.1
• Update Changelog
• [Fix #360] Fix an error when the `Array` core class contains a writer method
• Fix a build error
• Use RuboCop RSpec 3.5 for development
• Suppress RuboCop's warnings
• Fix a build error
• Suppress RuboCop's offenses
• Restore docs/antora.yml
• Cut 1.38.0
• Update Changelog
• Update to use `Node#loc?`
• Add `Node#loc?` to determine if a node has a given location
• Add `Node#any_block_type?` to determine if a node is either a block or numblock
• Disable `InternalAffairs/LocationExpression` cop
• Test main specs against prism as well
• [Fix #323] Fix node captures inside of `?`, `+`, and `*` repetition
• Support node groups in `Node#each_descendant` and similar traversal methods
• Remove windows-specific CI step
• Simplify `internal_investigation`
• Add newlines between different jobs
• Use `bundler-cache` for `ruby/setup-ruby`
• Remove `TEST_QUEUE_WORKERS`
• Consistent naming of steps
• Import RuboCop spellcheck workflow
• Doc
• CI against an older RuboCop version
• Fix typo
• Better handle `LoadError`s from prism
• CI against Ruby 3.4 (#351)
• Fix current RuboCop offenses (#350)
• Refactor `ArrayNode#percent_literal?`
• Restore docs/antora.yml

🆕 lint_roller (added, 1.1.0)

🆕 prism (added, 1.4.0)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[github-actions]

Package	Line Rate	Health
dynamoid	92%	➖
Summary	92% (3533 / 3846)	➖

Minimum allowed line rate is 90%