🚨 [security] Update rubocop 1.63.4 → 1.64.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rubocop (1.63.4 → 1.64.0) · Repo · Changelog

Release Notes

1.64.0

New features

• #12904: Add new either_consistent SupportedShorthandSyntax to Style/HashSyntax. (@pawelma)
• #12842: Add new Style/SendWithLiteralMethodName cop. (@koic)
• #12309: Add new Style/SuperArguments cop. (@earlopain)
• #12917: Suggest correct formatter name for --format command line option. (@koic)
• #12242: Support AllowModifiersOnAttrs option for Style/AccessModifierDeclarations. (@krororo)
• #11585: Support AllowedMethods for Style/DocumentationMethod. (@koic)

Bug fixes

• #7189: Fix a false positive for Style/Copyright when using multiline copyright notice. (@koic)
• #12914: Fix a false negative for Layout/EmptyComment when using an empty comment next to code after comment line. (@koic)
• #12919: Fix false negatives for Style/ArgumentsForwarding when forward target is super. (@koic)
• #12923: Fix false negatives for Style/ArgumentsForwarding when forward target is safe navigation method. (@koic)
• #12894: Fix false positives for Style/MapIntoArray when using each without receiver with << to build an array. (@koic)
• #12876: Fix an error for the lockfile parser if a gemfile exists but a lockfile doesn't. (@earlopain)
• #12888: Fix --no-exclude-limit generating a todo with Max config instead of listing everything out with Exclude. (@earlopain)
• #12898: Fix an error for TargetRailsVersion when parsing from the lockfile with prerelease rails. (@earlopain)

Changes

• #12908: Add rubocop-rspec back to suggested extensions when rspec-rails is in use. (@pirj)
• #12884: Align output from cop.documentation_url with --show-docs-url when passing a config as argument. (@earlopain)
• #12890: Support ActiveSupportExtensionsEnabled for Style/SymbolProc. (@koic)
• #12897: Respect user's intentions with workspace/executeCommand LSP method. (@koic)

1.63.5

Bug fixes

• #12877: Fix an infinite loop error for Layout/FirstArgumentIndentation when specifying EnforcedStyle: with_fixed_indentation of Layout/ArrayAlignment. (@koic)
• #12873: Fix an error for Metrics/BlockLength when the CountAsOne config is invalid. (@koic)
• #12881: Fix incorrect autocorrect when Style/NumericPredicate is used with negations. (@fatkodima)
• #12882: Fix Layout/CommentIndentation for comment-only pattern matching. (@nekketsuuu)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 59 commits:

• Cut 1.64
• Update Changelog
• [Fix #12309] Add new `Style/SuperArguments` cop
• Fix false negatives for `Style/ArgumentsForwarding`
• [Fix #12242] Support `AllowModifiersOnAttrs` option for `Style/AccessModifierDeclarations`
• [Fix #12919] Fix false negatives for `Style/ArgumentsForwarding`
• Rename new SupportedShorthandSyntax from consistent_either to either_consistent
• Fix non existing wording in HashShorthandSyntax method name
• Add changelog/new_add_new_consistent_either.md
• Add new `consistent_either` SupportedShorthandSyntax to Style/HashSyntax
• Remove warnings during tests when overwriting encoding
• Suggest correct formatter name
• Remove redundant method overwrite
• [Fix #11585] Support `AllowedMethods` for `Style/DocumentationMethod`
• Avoid some warnings "too many arguments for format string"
• [Fix #12884] Allow `cop_class.documentation_url` to take a config
• [Fix #12842] Add new `Style/SendWithLiteralMethodName` cop
• Fix a false negative for `Layout/EmptyComment`
• Merge pull request #12912 from koic/use_the_latest_prism_for_development
• Use the latest Prism for development
• Also suggest rubocop-rspec for those using rspec-rails (#12908)
• Merge pull request #12897 from koic/update_workspace_execute_command_lsp_method
• Support `AllCops:ActiveSupportExtensionsEnabled` for `Style/SymbolProc`
• LSP: Don't advertise support for Pull Diagnostics
• Merge pull request #12902 from Earlopain/max-with-no-exclude-limit
• Merge pull request #12901 from Earlopain/bundler-gemfile-error
• [Fix #12888] Fix `--no-exclude-limit` for cops with `Max` config option
• [Fix #12876] Fix lockfile parsing if only the gemfile exists
• Merge pull request #12899 from Earlopain/rails-prerelease-versions
• [Fix #12898] Fix parsing of `TargetRailsVersion` for prerelases
• Merge pull request #12896 from koic/fix_false_positives_for_style_map_into_array
• Respect user's intentions with `workspace/executeCommand` LSP method
• [Fix #12894] Fix false positives for `Style/MapIntoArray`
• Merge pull request #12895 from koic/fix_a_false_positive_for_style_copyright
• [Fix #7189] Fix a false positive for `Style/Copyright`
• Use `cop_config` instead of redundant `for_cop` with self cop name
• Reset the docs version
• Cut 1.63.5
• Update Changelog
• Merge pull request #12890 from koic/add_ostruct_to_gemfile
• Workaround for Ruby's warning in YARD
• Merge pull request #12886 from koic/suppress_interrupt_exception_for_lsp
• Fix a build error
• Fix docs for `Style/SpecialGlobalVars` `use_builtin_english_names`
• Suppress `Interrupt` exception for LSP
• Correct some example descriptions
• Merge pull request #12882 from nekketsuuu/nekketsuuu-case-in-comment
• Merge pull request #12881 from fatkodima/fix-numeric_predicate-autocorrect
• Fix `Layout/CommentIndentation` for comment-only pattern matching
• Fix incorrect autocorrect when `Style/NumericPredicate` is used with negations
• Add documentation and log information for enabling YJIT in LSP
• Add a forgotten period at the end of some offense message
• Merge pull request #12877 from koic/fix_an_error_for_layout_first_array_element_indentation
• Fix an infinite loop error for `Layout/FirstArgumentIndentation`
• Merge pull request #12874 from koic/fix_an_error_for_metrics_block_length
• [Fix #12873] Fix an error for `Metrics/BlockLength`
• [Docs] Tweak cops_layout_footer.adoc
• Use `require_relative`
• Reset the docs version

↗️ racc (indirect, 1.7.3 → 1.8.0) · Repo · Changelog

Release Notes

1.8.0

What's Changed

• Generate jar to build gem by @nobu in #255
• Fix trivial typos by @ydah in #257
• Try to fix test failure with Ruby 3.3 by @hsbt in #260
• Reformat the rdoc so it renders correctly both locally and on github. by @zenspider in #258
• Allow racc cmdline to read from stdin if no path specified. by @zenspider in #259
• Add more grammars by @nurse in #222
• Exclude 2.5 on macos-latest by @nobu in #263
• Drop code for Ruby 1.6 by @nobu in #264
• Refactor command line options by @nobu in #265
• Change encode EUC-JP to UTF-8 by @ydah in #267
• Organize README.ja.rdoc by @ydah in #266
• Support error_on_expect_mismatch declaration in Racc grammar file by @yui-knk in #262
• Bump up v1.8.0 by @yui-knk in #268

New Contributors

• @ydah made their first contribution in #257
• @nurse made their first contribution in #222

Full Changelog: v1.7.3...v1.8.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 29 commits:

• Merge pull request #268 from yui-knk/v1.8.0
• Bump up v1.8.0
• Merge pull request #262 from yui-knk/support_expect_bang
• Support `error_on_expect_mismatch` declaration in Racc grammar file
• Merge pull request #266 from ydah/fix-readme-ja
• Merge pull request #267 from ydah/change-encode
• Change encode EUC-JP to UTF-8
• Update Racc link in README.ja.rdoc
• Change Requirement to match README.rdoc
• Merge pull request #265 from nobu/options
• Simplify `--runtime-version` option
• Make `--help` success
• Omit the default exit value
• Abort instead of puts and exit
• Merge pull request #264 from nobu/drop-ruby1.6
• Merge pull request #263 from nobu/old-version-on-macos
• Exclude 2.5 on macos-latest
• Drop code for Ruby 1.6
• Merge pull request #222 from nurse/add-more-grammars
• Merge pull request #259 from zenspider/zenspider/stdin
• Reformat the rdoc so it renders correctly both locally and on github.
• Allow racc cmdline to read from stdin if no path specified.
• Merge pull request #260 from ruby/try-to-fix-3-3
• Don't use bundle exec to avoid warning of Ruby 3.3
• Ignore jar artifact
• Remove stale code
• Merge pull request #257 from ydah/fix-typos
• Fix trivial typos
• Merge pull request #255 from nobu/build-java

↗️ regexp_parser (indirect, 2.9.0 → 2.9.2) · Repo · Changelog

Release Notes

2.9.2 (from changelog)

Fixed

• made the MFA requirement for changes to this gem visible on rubygems
  • thanks to Geremia Taglialatela

2.9.1 (from changelog)

Fixed

• fixed unnecessary $LOAD_PATH searches at load time
  • thanks to Koichi ITO

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

• Release v2.9.2
• Merge pull request #91 from tagliala/security/opt-in-for-mfa
• Opt-in for MFA requirement explicitly
• Merge pull request #92 from tagliala/chore/fix-typos
• Fix typos
• Release v2.9.1
• Unify CHANGELOG formatting
• Simplify path slightly
• Merge pull request #90 from koic/use_require_relative
• Use `require_relative` in the Regexp::Parser codebase

↗️ rexml (indirect, 3.2.6 → 3.2.8) · Repo · Changelog

Security Advisories 🚨

🚨 REXML contains a denial of service vulnerability

Impact

The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many <s in an attribute value.

If you need to parse untrusted XMLs, you many be impacted to this vulnerability.

Patches

The REXML gem 3.2.7 or later include the patch to fix this vulnerability.

Workarounds

Don't parse untrusted XMLs.

References

• https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/

Release Notes

3.2.8

Fixes

• Suppressed a warning

3.2.7

Improvements

• Improve parse performance by using StringScanner.

  • GH-106

  • GH-107

  • GH-108

  • GH-109

  • GH-112

  • GH-113

  • GH-114

  • GH-115

  • GH-116

  • GH-117

  • GH-118

  • GH-119

  • GH-121

  • Patch by NAITOH Jun.

• Improved parse performance when an attribute has many <s.

  • GH-124

Fixes

• XPath: Fixed a bug of normalize_space(array).

  • GH-110

  • GH-111

  • Patch by flatisland.

• XPath: Fixed a bug that wrong position is used with nested path.

  • GH-110

  • GH-122

  • Reported by jcavalieri.

  • Patch by NAITOH Jun.

• Fixed a bug that an exception message can't be generated for
  invalid encoding XML.

  • GH-29

  • GH-123

  • Reported by DuKewu.

  • Patch by NAITOH Jun.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 33 commits:

• Add 3.2.8 entry
• Remove an unused variable (#128)
• Suppress a warning
• ci: install only gems required for running tests (#129)
• Add missing Thanks section
• Bump version
• Add 3.2.7 entry
• Read quoted attributes in chunks (#126)
• Exclude older than 2.6 on macos-14
• Move development dependencies to Gemfile (#124)
• Fix a problem that parse exception message can't be generated for invalid encoding XML (#123)
• xpath: Fix wrong position with nested path (#122)
• Change `attribute.has_key?(name)` to ` attributes[name]`. (#121)
• Optimize the parse_attributes method to use `Source#match` to parse XML. (#119)
• Make the test suite compatible with `--enable-frozen-string-literal` (#120)
• Separate `IOSource#ensure_buffer` from `IOSource#match`. (#118)
• Remove `Source#string=` method (#117)
• source: Remove unnecessary string length comparisons in the case of string comparisons (#116)
• Use more StringScanner based API to parse XML (#114)
• test: Fix invalid XML with spaces before the XML declaration (#115)
• Stop specifying the gem version of strscan in benchmarks. (#113)
• Remove unnecessary checks in baseparser (#112)
• xpath: Fix normalize_space(array) case (#111)
• Change loop in parse_attributes to `while true`. (#109)
• Reduce calls to StringScanner.new() (#108)
• Use `@scanner << readline` instead of `@scanner.string = @scanner.rest + readline` (#107)
• Reduce calls to `Source#buffer`(`StringScanner#rest`) (#106)
• Use string scanner with baseparser (#105)
• Add parse benchmark (#104)
• Use reusing workflow for Ruby versions (#103)
• CI: Add ruby-3.3 (#102)
• build(deps): bump actions/checkout from 3 to 4 (#101)
• Bump version

🆕 strscan (added, 3.1.0)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #402.