
🚨 [security] Update rubocop 1.65.1 → 1.68.0 (minor) #465

Open: wants to merge 1 commit into base: develop

Conversation

depfu[bot]

@depfu depfu bot commented Nov 1, 2024


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rubocop (1.65.1 → 1.68.0) · Repo · Changelog

Release Notes

1.68.0

New features

Bug fixes

  • #13401: Fix a false negative for Style/RedundantLineContinuation when there is a line continuation at the EOF. (@koic)
  • #13368: Fix an incorrect autocorrect for Naming/BlockForwarding with Style/ExplicitBlockArgument. (@koic)
  • #13391: Fix deserialization of unknown encoding offenses. (@earlopain)
  • #13348: Ensure Style/BlockDelimiters autocorrection does not move other code between the block and comment. (@dvandersluis)
  • #13382: Fix an error during error handling for custom ruby extractors when the extractor is a class. (@earlopain)
  • #13309: Fix a false negative for Lint/UselessAssignment cop when there is a useless assignment followed by a block. (@pCosta99)
  • #13255: Fix false negatives for Style/MapIntoArray when using non-splatted arguments. (@vlad-pisanov)
  • #13356: Fix a false positive for Layout/SpaceBeforeBrackets when there is a dot before []=. (@earlopain)
  • #13365: Fix false positives for Lint/SafeNavigationConsistency when using safe navigation on the LHS with operator method on the RHS of &&. (@koic)
  • #13390: Fix false positives for Style/GuardClause when using a local variable assigned in a conditional expression in a branch. (@koic)
  • #13337: Fix false positives for Style/RedundantLineContinuation when required line continuations for && is used with an assignment after a line break. (@koic)
  • #13387: Fix false positives in Style/RedundantParentheses when parentheses are used around method chain with do...end block in keyword argument. (@koic)
  • #13341: Fix false positives for Lint/SafeNavigationChain when a safe navigation operator is used with a method call as the RHS operand of && for the same receiver. (@koic)
  • #13324: Fix --disable-uncorrectable to not insert a comment inside a string continuation. (@dvandersluis)
  • #13364: Fix incorrect autocorrect with Lint/UselessAssignment when a multiple assignment or for contains an inner assignment. (@dvandersluis)
  • #13353: Fix an incorrect autocorrect for Style/BlockDelimiters when EnforcedStyle: semantic is set and used with Layout/SpaceInsideBlockBraces. (@koic)
  • #13361: Fix false positives for Style/RedundantInterpolationUnfreeze and Style/RedundantFreeze when strings contain interpolated global, instance, and class variables. (@vlad-pisanov)
  • #13343: Prevent Layout/LineLength from breaking up a method with arguments chained onto a heredoc delimiter. (@dvandersluis)
  • #13374: Return exit code 0 with --display-only-correctable and --display-only-safe-correctable when no offenses are displayed. (@dvandersluis)
  • #13193: Fix false positive in Style/MultipleComparison when ComparisonsThreshold exceeds 2. (@fatkodima,@vlad-pisanov)
  • #13325: Fix an incorrect autocorrect for Lint/NonAtomicFileOperation when using a postfix unless for file existence checks before creating a file, in cases with Dir.mkdir. (@kotaro0522)
  • #13397: Update PercentLiteralCorrector to be able to write pairs of delimiters without excessive escaping. (@dvandersluis)
  • #13336: Update Style/SafeNavigation to not autocorrect if the RHS of an and node is an or node. (@dvandersluis)
  • #13378: When removing parens in Style/TernaryParentheses with a send node condition, ensure its arguments are parenthesized. (@dvandersluis)

Changes

  • #13347: When running rubocop -V, show the analysis Ruby version of the current directory. (@earlopain)

1.67.0

New features

  • #13259: Add new Lint/DuplicateSetElement cop. (@koic)
  • #13223: Add AllowRBSInlineAnnotation config option to Layout/LeadingCommentSpace to support RBS::Inline style annotation comments. (@tk0miya)
  • #13310: Display analysis Ruby version in rubocop -V. (@koic)

Bug fixes

  • #13314: Fix a false negative for Style/Semicolon when using a semicolon between a closing parenthesis after a line break and a consequent expression. (@koic)
  • #13217: Fix a false positive in Lint/ParenthesesAsGroupedExpression with compound ranges. (@gsamokovarov)
  • #13268: Fix a false positive for Style/BlockDelimiters when a single-line do-end block has an inline rescue with a semicolon before rescue. (@koic)
  • #13298: Fix an error for Layout/AccessModifierIndentation when the access modifier is on the same line as the class definition. (@koic)
  • #13198: Fix an error for Style/OneLineConditional when using nested if/then/else/end. (@koic)
  • #13316: Fix an incorrect autocorrect for Lint/ImplicitStringConcatenation with Lint/TripleQuotes when string literals with triple quotes are used. (@koic)
  • #13220: Fix an incorrect autocorrect for Style/ArgumentsForwarding when using only forwarded arguments in brackets. (@koic)
  • #13202: Fix an incorrect autocorrect for Style/CombinableLoops when looping over the same data with different block variable names. (@koic)
  • #13291: Fix an incorrect autocorrect for Style/RescueModifier when using modifier rescue for method call with heredoc argument. (@koic)
  • #13226: Fix --auto-gen-config when passing an absolute config path. (@earlopain)
  • #13225: Avoid syntax error when correcting Style/OperatorMethodCall with / operations followed by a parenthesized argument. (@dvandersluis)
  • #13235: Fix an error for Style/IfUnlessModifier when a multiline if fits on one line and uses an implicit method call with hash value omission syntax. (@koic)
  • #13219: Fix a false positive for Style/ArgumentsForwarding with Ruby 3.0 and optional position arguments. (@earlopain)
  • #13271: Fix a false positive for Lint/AmbiguousRange when using rational literals. (@koic)
  • #13260: Fix a false positive for Lint/RedundantSafeNavigation with namespaced constants. (@earlopain)
  • #13224: Fix false positives for Style/OperatorMethodCall with named forwarding. (@earlopain)
  • #13213: Fix false positives for Style/AccessModifierDeclarations when AllowModifiersOnAttrs: true and using splat with a percent symbol array, or with a constant. (@koic)
  • #13145: Fix false positives for Style/RedundantLineContinuation when line continuations are used with a comparison operator and the LHS is wrapped in parentheses. (@koic)
  • #12875: Fix false positive for Style/ArgumentsForwarding when argument is used inside a block. (@dvandersluis)
  • #13239: Fix false positive for Style/CollectionCompact when using delete_if. (@masato-bkn)
  • #13210: Fix omit_parentheses style for pattern match with value omission in single-line branch. (@gsamokovarov)
  • #13149: Handle crashes in custom Ruby extractors more gracefully. (@earlopain)
  • #13319: Handle literal forward slashes inside a regexp in Lint/LiteralInInterpolation. (@dvandersluis)
  • #13208: Fix an incorrect autocorrect for Style/IfWithSemicolon when a single-line if/;/end has a then body containing a method call with [] or []=. (@koic)
  • #13318: Prevent modifying blocks with Style/HashEachMethods if the hash is modified within the block. (@dvandersluis)
  • #13293: Fix TargetRubyVersion from a gemspec when the gemspec is not named like the folder it is located in. (@earlopain)
  • #13211: Fix wrong autocorrect for Style/GuardClause when using heredoc without else branch. (@earlopain)
  • #13215: Fix wrong autocorrect for Lint/BigDecimalNew when using ::BigDecimal.new. (@earlopain)
  • #13215: Fix wrong autocorrect for Style/MethodCallWithArgsParentheses with EnforcedStyle: omit_parentheses and whitespace. (@earlopain)
  • #13302: Fix incompatible autocorrect between Style/RedundantBegin and Style/BlockDelimiters with EnforcedStyle: braces_for_chaining. (@earlopain)

Changes

  • #13221: Do not group accessors having RBS::Inline annotation comments in Style/AccessorGrouping. (@tk0miya)
  • #13286: Add AllowedMethods configuration to Layout/FirstMethodArgumentLineBreak. (@dvandersluis)
  • #13110: Add support in Style/ArgumentsForwarding for detecting forwarding of all anonymous arguments. (@dvandersluis)
  • #13222: Allow to write RBS::Inline annotation comments after method definition in Style/CommentedKeyword. (@tk0miya)
  • #13253: Emit a deprecation when custom cops inherit from RuboCop::Cop::Cop. (@earlopain)
  • #13300: Set EnforcedShorthandSyntax: either by default for Style/HashSyntax. (@koic)
  • #13254: Enhance the autocorrect for Naming/InclusiveLanguage when a sole suggestion is set. (@koic)
  • #13232: Make server mode aware of auto-restart for local config update. (@koic)
  • #13270: Make Style/SelectByRegexp aware of filter in Ruby version 2.6 or above. (@masato-bkn)
  • #9816: Refine Lint/SafeNavigationConsistency cop to check that the safe navigation operator is applied consistently and without excess or deficiency. (@koic)
  • #13256: Report and correct more Style/SafeNavigation offenses. (@dvandersluis)
  • #13245: Support filter/filter! in Style/CollectionCompact. (@masato-bkn)
  • #13281: Support Ruby 3.4 for Lint/UriRegexp to avoid obsolete API. (@koic)
  • #13229: Update Style/MapIntoArray to be able to handle arrays created using [].tap. (@dvandersluis)
  • #13305: Update Style/ReturnNilInPredicateMethodDefinition to detect implicit nil returns inside if. (@dvandersluis)
  • #13327: Make server mode aware of auto-restart for .rubocop_todo.yml update. (@koic)

1.66.1

Bug fixes

  • #13191: Fix an error for Style/IfWithSemicolon when using nested single-line if/;/end in block of if/else branches. (@koic)
  • #13178: Fix false positive for Style/EmptyLiteral with Hash.new([]). (@earlopain)
  • #13176: Fix crash in Style/EmptyElse when AllowComments: true and the else clause is missing. (@vlad-pisanov)
  • #13185: Fix false negatives in Style/MapIntoArray autocorrection when using ensure, def, defs and for. (@vlad-pisanov)

1.66.0

New features

  • #13077: Add new global StringLiteralsFrozenByDefault option for correct analysis with RUBYOPT=--enable=frozen-string-literal. (@earlopain)
  • #13080: Add new DocumentationExtension global option to serve documentation with extensions different than .html. (@earlopain)
  • #13074: Add new Lint/UselessNumericOperation cop to check for inconsequential numeric operations. (@zopolis4)
  • #13061: Add new Style/RedundantInterpolationUnfreeze cop to check for dup and @+ on interpolated strings in Ruby >= 3.0. (@earlopain)

Bug fixes

  • #13093: Fix an error for Lint/ImplicitStringConcatenation when implicitly concatenating a string literal with a line break and string interpolation. (@koic)
  • #13098: Fix an error for Style/IdenticalConditionalBranches when handling empty case branches. (@koic)
  • #13113: Fix an error for Style/IfWithSemicolon when a nested if with a semicolon is used. (@koic)
  • #13097: Fix an error for Style/InPatternThen when using alternative pattern matching deeply. (@koic)
  • #13159: Fix an error for Style/OneLineConditional when using if/then/else/end with multiple expressions in the then body. (@koic)
  • #13092: Fix an incorrect autocorrect for Layout/EmptyLineBetweenDefs when two method definitions are on the same line separated by a semicolon. (@koic)
  • #13116: Fix an incorrect autocorrect for Style/IfWithSemicolon when a single-line if/;/end has an argument in the then body expression. (@koic)
  • #13161: Fix incorrect autocorrect for Style/IfWithSemicolon when using multiple expressions in the else body. (@koic)
  • #13132: Fix incorrect autocorrect for Style/TrailingBodyOnMethodDefinition when an expression precedes a method definition on the same line with a semicolon. (@koic)
  • #13164: Fix incorrect autocorrect behavior for Layout/BlockAlignment when EnforcedStyleAlignWith: either (default). (@koic)
  • #13087: Fix an incorrect autocorrect for Style/MultipleComparison when expression with more comparisons precedes an expression with less comparisons. (@fatkodima)
  • #13172: Fix an error for Layout/EmptyLinesAroundExceptionHandlingKeywords when ensure or else and end are on the same line. (@koic)
  • #13107: Fix an error for Lint/ImplicitStringConcatenation when there are multiple adjacent string interpolation literals on the same line. (@koic)
  • #13111: Fix an error for Style/GuardClause when if clause is empty and correction would not fit on single line because of Layout/LineLength. (@earlopain)
  • #13137: Fix an error for Style/ParallelAssignment when using __FILE__. (@earlopain)
  • #13143: Fix an error during TargetRubyVersion detection if the gemspec is not valid syntax. (@earlopain)
  • #13131: Fix false negatives for Lint/Void when using ensure, defs and numblock. (@vlad-pisanov)
  • #13174: Fix false negatives for Style/MapIntoArray when initializing the destination using Array[], Array([]), or Array.new([]). (@vlad-pisanov)
  • #13173: Fix false negatives for Style/EmptyLiteral when using Array[], Hash[], Array.new([]) and Hash.new([]). (@vlad-pisanov)
  • #13126: Fix a false positive for Style/Alias when using multiple alias in def. (@koic)
  • #13085: Fix a false positive for Style/EmptyElse when a comment-only else is used after elsif and AllowComments: true is set. (@koic)
  • #13118: Fix a false positive for Style/MapIntoArray when splatting. (@earlopain)
  • #13105: Fix false positives for Style/ArgumentsForwarding when forwarding kwargs/block arg with non-matching additional args. (@koic)
  • #13139: Fix false positives for Style/RedundantCondition when using modifier if or unless. (@koic)
  • #13134: Fix false negative for Lint/Void when using frozen literals. (@vlad-pisanov)
  • #13148: Fix incorrect autocorrect for Lint/EmptyConditionalBody when missing elsif body with end on the same line. (@koic)
  • #13109: Fix an error for the Lockfile parser when it contains incompatible BUNDLED WITH versions. (@earlopain)
  • #13112: Fix detection of TargetRubyVersion through the gemfile if the gemfile ruby version is below 2.7. (@earlopain)
  • #13155: Fix an error when the server cache directory path is too long, causing rubocop to fail even with caching disabled. (@protocol7)

Changes

  • #13050: Allow get_!, set_!, get_?, set_?, get_=, and set_= in Naming/AccessorMethodName. (@koic)
  • #13103: Make Lint/UselessAssignment autocorrection safe. (@koic)
  • #13099: Make Style/RedundantRegexpArgument respect the EnforcedStyle of Style/StringLiterals. (@koic)
  • #13165: Remove dependency on the rexml gem. (@bquorning)
  • #13090: Require RuboCop AST 1.32.0+ to use RuboCop::AST::RationalNode. (@koic)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ json (indirect, 2.7.2 → 2.7.5) · Repo · Changelog

Release Notes

2.7.5

What's Changed

  • Fix a memory leak when #to_json methods raise an exception.
  • Gracefully handle formatting configs being set to nil instead of "".
  • Workaround another issue caused by conflicting versions of both json_pure and json being loaded.

Full Changelog: v2.7.4...v2.7.5

2.7.4

What's Changed

  • Workaround a bug in rubygems 3.4.8 and older (rubygems/rubygems#6490).
    This bug would cause some gems with native extensions to fail during compilation.
  • Workaround different versions of json and json_pure being loaded (not officially supported).
  • Make json_pure Ractor compatible.

Full Changelog: v2.7.3...v2.7.4

2.7.3

What's Changed

  • Numerous performance optimizations in JSON.generate and JSON.dump (up to 2 times faster).
  • Limit the size of ParserError exception messages, only include up to 32 bytes of the unparseable source.
  • Fix json-pure's Object#to_json to accept non-state arguments.
  • Fix multiline comment support in json-pure.
  • Fix JSON.parse to no longer mutate the argument encoding when passed an ASCII-8BIT string.
  • Fix String#to_json to raise on invalid encoding in json-pure.
  • Delete code that was based on CVTUTF.
  • Use the pure-Ruby generator on TruffleRuby.
  • Fix strict mode in json-pure to not break on Integer.

JSON.dump Performance

JSON.dump is now much faster, and on par or faster than alternative implementations:

== Encoding citm_catalog.json (500298 bytes)
ruby 3.4.0preview2 (2024-10-07 master 32c733f57b) +YJIT +PRISM [arm64-darwin23]
Warming up --------------------------------------
        json (2.7.3)   123.000 i/100ms
                  oj   124.000 i/100ms
Calculating -------------------------------------
        json (2.7.3)      1.312k (± 1.8%) i/s  (761.91 μs/i) -      6.642k in   5.062192s
                  oj      1.278k (± 2.0%) i/s  (782.35 μs/i) -      6.448k in   5.046587s

Comparison:
json (2.7.2): 884.0 i/s
json (2.7.3): 1312.5 i/s - 1.48x faster
oj: 1278.2 i/s - 1.45x faster

== Encoding twitter.json (466906 bytes)
ruby 3.4.0preview2 (2024-10-07 master 32c733f57b) +YJIT +PRISM [arm64-darwin23]
Warming up --------------------------------------
        json (2.7.3)   213.000 i/100ms
                  oj   222.000 i/100ms
Calculating -------------------------------------
        json (2.7.3)      2.140k (± 2.8%) i/s  (467.19 μs/i) -     10.863k in   5.079099s
                  oj      2.303k (± 3.2%) i/s  (434.27 μs/i) -     11.544k in   5.018239s

Comparison:
        json (2.7.2):     1250.5 i/s
                  oj:     2302.7 i/s - 1.84x  faster
        json (2.7.3):     2140.5 i/s - 1.71x  faster

Full Changelog: ruby/json@v2.7.2...v2.7.3


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ parser (indirect, 3.3.4.2 → 3.3.5.1) · Repo · Changelog

Release Notes

3.3.5.1 (from changelog)

API modifications:

  • Bump maintenance branches to 3.2.6 (#1044) (Koichi ITO)

3.3.5.0 (from changelog)

API modifications:

  • Bump maintenance branches to 3.3.5 (#1039) (Koichi ITO)


Commits

See the full diff on Github. The new version differs by 9 commits:

↗️ rexml (indirect, 3.3.6 → 3.3.9) · Repo · Changelog

Security Advisories 🚨

🚨 REXML ReDoS vulnerability

Impact

The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;).

This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.

Patches

The REXML gem 3.3.9 or later includes the patch that fixes the vulnerability.

Workarounds

Use Ruby 3.2 or later instead of Ruby 3.1.

References

Release Notes

3.3.9

Improvements

  • Improved performance.

Fixes

  • Fixed a parse bug for text only invalid XML.

  • Fixed a parse bug where &#0x...; was accepted as a character
    reference.

Thanks

  • NAITOH Jun

3.3.8

Improvements

  • SAX2: Improve parse performance.

Fixes

  • Fixed a bug where an unexpected attribute namespace conflict error
    was reported for the predefined "xml" namespace.
    • GH-208
    • Patch by KITAITI Makoto

Thanks

  • NAITOH Jun

  • KITAITI Makoto

3.3.7

Improvements

  • Added local entity expansion limit methods

    • GH-192
    • GH-202
    • Reported by takuya kodama.
    • Patch by NAITOH Jun.
  • Removed explicit strscan dependency

    • GH-204
    • Patch by Bo Anderson.

Thanks

  • takuya kodama

  • NAITOH Jun

  • Bo Anderson


Commits

See the full diff on Github. The new version differs by 17 commits:

↗️ rubocop-ast (indirect, 1.32.1 → 1.33.0) · Repo · Changelog

Release Notes

1.33.0 (from changelog)

New features

1.32.3 (from changelog)

Bug fixes

  • #310: Fix RuboCop::AST::DefNode#void_context? to handle class methods called initialize. ([@vlad-pisanov][])


Commits

See the full diff on Github. The new version differs by 22 commits:

↗️ unicode-display_width (indirect, 2.5.0 → 2.6.0) · Repo · Changelog

Release Notes

2.6.0 (from changelog)

  • Unicode 16


Commits

See the full diff on Github. The new version differs by 7 commits:

🗑️ strscan (removed)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.


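The REXML advisory above gives three facts a practitioner needs: the vulnerable input shape (a long digit run between &# and x...; in a numeric character reference), the first fixed gem version (3.3.9), and the workaround (Ruby 3.2 or later is not affected). The Ruby below is an added example, not code from depfu, this repository or the REXML project. It encodes the version conditions as a gate and adds a linear-time pre-parse check that rejects a document whose numeric character references carry an unreasonable digit run, so untrusted XML can be refused before it reaches any parser. The constant names, the digit limit of 8, the function names and the two sample documents are this example's own assumptions.

```ruby
# Added example (not part of the depfu PR or the REXML project). Version gate
# and pre-parse guard for the REXML ReDoS described in the advisory above.
# FIXED_REXML, UNAFFECTED_RUBY, MAX_CHARREF_DIGITS and all function names are
# this example's own choices, not REXML API.
require "rubygems"

FIXED_REXML        = Gem::Version.new("3.3.9")  # first patched rexml, per the advisory
UNAFFECTED_RUBY    = Gem::Version.new("3.2")    # advisory: Ruby 3.2+ is not affected
MAX_CHARREF_DIGITS = 8                          # assumption: no real reference needs more

# True when the given rexml version carries the fix.
def rexml_version_fixed?(version)
  Gem::Version.new(version) >= FIXED_REXML
end

# True when the interpreter/gem pair is exposed. Following the advisory,
# exposure needs both an unpatched rexml and a Ruby older than 3.2.
def redos_exposed?(ruby_version:, rexml_version:)
  Gem::Version.new(ruby_version) < UNAFFECTED_RUBY && !rexml_version_fixed?(rexml_version)
end

# Length of the longest digit run that directly follows "&#". The regexp has a
# single, unnested quantifier, so this check is itself linear in input size.
def longest_charref_digit_run(xml)
  xml.scan(/&#(\d+)/).flatten.map(&:length).max || 0
end

# Refuse a document before parsing if any numeric character reference has an
# absurd digit run. Returns [:ok, run] or [:rejected, run].
def precheck_charrefs(xml, limit: MAX_CHARREF_DIGITS)
  run = longest_charref_digit_run(xml)
  run > limit ? [:rejected, run] : [:ok, run]
end

# Constructed sample inputs (not taken from the advisory): a normal document,
# and one with a long digit run between "&#" and "x", the shape the advisory
# names. The guard rejects the second without attempting to parse it.
BENIGN_XML  = "<a>&#x41;&#65;</a>"
SUSPECT_XML = "<a>&#" + ("0" * 100_000) + "x41;</a>"

if $PROGRAM_NAME == __FILE__
  p precheck_charrefs(BENIGN_XML)   # [:ok, 2]
  p precheck_charrefs(SUSPECT_XML)  # [:rejected, 100000]
  p redos_exposed?(ruby_version: RUBY_VERSION, rexml_version: "3.3.6")
end
```

The guard is deliberately a crude length cap rather than a reimplementation of the reference grammar: its only job is to keep pathological input away from a backtracking regexp in an unpatched parser, and a limit like 8 digits is far above anything a valid code point needs. Upgrading rexml to 3.3.9 remains the actual fix; the gate just makes the exposure decision explicit on hosts still running Ruby 3.1.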
@depfu depfu bot added dependencies Pull requests that update a dependency file Technical Debt labels Nov 1, 2024