🚨 [security] Update rubocop 1.64.1 → 1.66.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rubocop (1.64.1 → 1.66.0) · Repo · Changelog

Release Notes

1.66.0

New features

• #13077: Add new global StringLiteralsFrozenByDefault option for correct analysis with RUBYOPT=--enable=frozen-string-literal. (@earlopain)
• #13080: Add new DocumentationExtension global option to serve documentation with extensions different than .html. (@earlopain)
• #13074: Add new Lint/UselessNumericOperation cop to check for inconsequential numeric operations. (@zopolis4)
• #13061: Add new Style/RedundantInterpolationUnfreeze cop to check for dup and @+ on interpolated strings in Ruby >= 3.0. (@earlopain)

Bug fixes

• #13093: Fix an error for Lint/ImplicitStringConcatenation when implicitly concatenating a string literal with a line break and string interpolation. (@koic)
• #13098: Fix an error for Style/IdenticalConditionalBranches when handling empty case branches. (@koic)
• #13113: Fix an error for Style/IfWithSemicolon when a nested if with a semicolon is used. (@koic)
• #13097: Fix an error for Style/InPatternThen when using alternative pattern matching deeply. (@koic)
• #13159: Fix an error for Style/OneLineConditional when using if/then/else/end with multiple expressions in the then body. (@koic)
• #13092: Fix an incorrect autocorrect for Layout/EmptyLineBetweenDefs when two method definitions are on the same line separated by a semicolon. (@koic)
• #13116: Fix an incorrect autocorrect for Style/IfWithSemicolon when a single-line if/;/end has an argument in the then body expression. (@koic)
• #13161: Fix incorrect autocorrect for Style/IfWithSemicolon when using multiple expressions in the else body. (@koic)
• #13132: Fix incorrect autocorrect for Style/TrailingBodyOnMethodDefinition when an expression precedes a method definition on the same line with a semicolon. (@koic)
• #13164: Fix incorrect autocorrect behavior for Layout/BlockAlignment when EnforcedStyleAlignWith: either (default). (@koic)
• #13087: Fix an incorrect autocorrect for Style/MultipleComparison when expression with more comparisons precedes an expression with less comparisons. (@fatkodima)
• #13172: Fix an error for Layout/EmptyLinesAroundExceptionHandlingKeywords when ensure or else and end are on the same line. (@koic)
• #13107: Fix an error for Lint/ImplicitStringConcatenation when there are multiple adjacent string interpolation literals on the same line. (@koic)
• #13111: Fix an error for Style/GuardClause when if clause is empty and correction would not fit on single line because of Layout/LineLength. (@earlopain)
• #13137: Fix an error for Style/ParallelAssignment when using __FILE__. (@earlopain)
• #13143: Fix an error during TargetRubyVersion detection if the gemspec is not valid syntax. (@earlopain)
• #13131: Fix false negatives for Lint/Void when using ensure, defs and numblock. (@vlad-pisanov)
• #13174: Fix false negatives for Style/MapIntoArray when initializing the destination using Array[], Array([]), or Array.new([]). (@vlad-pisanov)
• #13173: Fix false negatives for Style/EmptyLiteral when using Array[], Hash[], Array.new([]) and Hash.new([]). (@vlad-pisanov)
• #13126: Fix a false positive for Style/Alias when using multiple alias in def. (@koic)
• #13085: Fix a false positive for Style/EmptyElse when a comment-only else is used after elsif and AllowComments: true is set. (@koic)
• #13118: Fix a false positive for Style/MapIntoArray when splatting. (@earlopain)
• #13105: Fix false positives for Style/ArgumentsForwarding when forwarding kwargs/block arg with non-matching additional args. (@koic)
• #13139: Fix false positives for Style/RedundantCondition when using modifier if or unless. (@koic)
• #13134: Fix false negative for Lint/Void when using using frozen literals. (@vlad-pisanov)
• #13148: Fix incorrect autocorrect for Lint/EmptyConditionalBody when missing elsif body with end on the same line. (@koic)
• #13109: Fix an error for the Lockfile parser when it contains incompatible BUNDLED WITH versions. (@earlopain)
• #13112: Fix detection of TargetRubyVersion through the gemfile if the gemfile ruby version is below 2.7. (@earlopain)
• #13155: Fixes an error when the server cache directory has too long path, causing rubocop to fail even with caching disabled. (@protocol7)

Changes

• #13050: Allow get_!, set_!, get_?, set_?, get_=, and set_= in Naming/AccessorMethodName. (@koic)
• #13103: Make Lint/UselessAssignment autocorrection safe. (@koic)
• #13099: Make Style/RedundantRegexpArgument respect the EnforcedStyle of Style/StringLiterals. (@koic)
• #13165: Remove dependency on the rexml gem. (@bquorning)
• #13090: Require RuboCop AST 1.32.0+ to use RuboCop::AST::RationalNode. (@koic)

1.65.1

New features

• #13068: Add config validation to Naming/PredicateName to check that all ForbiddenPrefixes are being checked. (@maxjacobson)

Bug fixes

• #13051: Fix an error for Lint/FloatComparison when comparing with rational literal. (@koic)
• #13065: Fix an error for Lint/UselessAssignment when same name variables are assigned using chained assignment. (@koic)
• #13062: Fix an error for Style/InvertibleUnlessCondition when using empty parenthesis as condition. (@earlopain)
• #11438: Explicitly load fileutils before calculating before_us. (@r7kamura)
• #13044: Fix false negatives for Lint/ImplicitStringConcatenation when using adjacent string interpolation literals on the same line. (@koic)
• #13083: Fix a false positive for Style/GlobalStdStream when using namespaced constants like Foo::STDOUT. (@earlopain)
• #13081: Fix a false positive for Style/ZeroLengthPredicate when using safe navigation and non-zero comparison. (@fatkodima)
• #13041: Fix false positives for Lint/UselessAssignment when pattern match variable is assigned and used in a block. (@koic)
• #13076: Fix an incorrect autocorrect for Naming/RescuedExceptionsVariableName when using hash value omission. (@koic)

1.65.0

New features

• #13030: Add new Gemspec/AddRuntimeDependency cop. (@koic)

Bug fixes

• #12954: Fix a false negative for Style/ArgumentsForwarding when arguments forwarding in yield. (@koic)
• #13033: Fix a false positive for Layout/SpaceAroundOperators when using multiple spaces between an operator and a tailing comment. (@koic)
• #12885: Fix a false positive for Lint/ToEnumArguments when enumerator is created for another method. (@koic)
• #13018: Fix a false positive for Style/MethodCallWithArgsParentheses when EnforcedStyle: omit_parentheses is set and parenthesized method call is used before constant resolution. (@koic)
• #12986: Fix a false positive for Style/RedundantBegin when endless method definition with rescue. (@koic)
• #12985: Fix an error for Style/RedundantRegexpCharacterClass when using regexp_parser gem 2.3.1 or older. (@koic)
• #13010: Fix an error for Style/SuperArguments when the hash argument is or-assigned. (@koic)
• #13023: Fix an error for Style/SymbolProc when using lambda -> with one argument and multiline do...end block. (@koic)
• #12989: Fix an error for the inherit_gem config when the Gemfile contains an uninstalled git gem. (@earlopain)
• #12975: Fix an error for the inherit_gem config when running RuboCop without bundler and no Gemfile exists. (@earlopain)
• #12997: Fix an error for Lint/UnmodifiedReduceAccumulator when the block is empty. (@earlopain)
• #12979: Fix false negatives for Lint/Void when void expression with guard clause is not on last line. (@koic)
• #12716: Fix false negatives for Lint/Void when using parenthesized void operators. (@koic)
• #12471: Fix false negatives for Style/ZeroLengthPredicate when using safe navigation operator. (@koic)
• #12960: Fix false positives for Lint/NestedMethodDefinition when definition of method on variable. (@koic)
• #13012: Fix false positives for Style/HashExcept when using reject and calling include? method with bang. (@koic)
• #12983: Fix false positives for Style/SendWithLiteralMethodName using send with writer method name. (@koic)
• #12957: Fix false positives for Style/SuperArguments when calling super in a block. (@koic)

Changes

• #12970: Add CountModifierForms option to Metrics/BlockNesting and set it to false by default. (@koic)
• #13032: Display warning messages for deprecated APIs. (@koic)
• #13031: Enable YJIT by default in server mode. (@koic)
• #12557: Make server mode aware of auto-restart for bundle update. (@koic)
• #12616: Make Style/MapCompactWithConditionalBlock aware of filter_map. (@koic)
• #13035: Support autocorrect for Lint/ImplicitStringConcatenation. (@koic)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ parallel (indirect, 1.24.0 → 1.26.3) · Repo

Commits

See the full diff on Github. The new version differs by 29 commits:

• v1.26.3
• Merge pull request #351 from y-yagi/ensure_not_to_use_old_concurrent-ruby
• Ensure not to use old `concurrent-ruby`
• v1.26.2
• Revert "Revert "Merge pull request #348 from y-yagi/use_available_processor_count""
• v1.26.1
• Revert "Merge pull request #348 from y-yagi/use_available_processor_count"
• v1.26.0
• Merge pull request #348 from y-yagi/use_available_processor_count
• Use cgroups aware processor count by default
• v1.25.1
• Merge pull request #347 from Earlopain/speedup-windows-cpu
• Improve speed for `Get-CimInstance`
• v1.25.0
• Merge pull request #346 from Earlopain/drop-win32ole
• Add Ruby 3.3 to CI
• Bump `sqlite3` to solve compilation failures with latest lib
• Bump `actions/checkout` to v4
• Remove dependency on `win32ole`
• Merge pull request #344 from grosser/grosser/read
• example for proc usage
• Merge pull request #343 from grosser/grosser/bump
• rubocop: fix assignment in condition
• update rubocop
• fix rubocop
• update ruby requirements
• Merge pull request #341 from MITSUBOSHI/remove-unneeded-travis-env
• Remove unneeded ENV['TRAVIS'] from spec
• thx for the pr

↗️ parser (indirect, 3.3.2.0 → 3.3.4.2) · Repo · Changelog

Release Notes

3.3.4.1 (from changelog)

API modifications:

• Bump 3.2 branch to 3.2.5. (#1036) (Ilya Bylich)
• Bump Racc to 1.8.1 (#1031) (Koichi ITO)

Bugs fixed:

• builder.rb: catch encoding errors when parsing invalid encoding regexp (#1033) (Earlopain)

3.3.4.0 (from changelog)

API modifications:

• Bump maintenance branches to 3.3.4 (#1027) (Koichi ITO)

3.3.3.0 (from changelog)

API modifications:

• Bump maintenance branches to 3.3.3 (#1023) (Koichi ITO)
• Bump Racc to 1.8.0 (#1018) (Koichi ITO)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 20 commits:

• Update changelog.
• Bump version.
• - Fix errros in the ascii specs of RuboCop (#1037)
• Update changelog.
• Update changelog.
• Bump version.
• * Bump 3.2 branch to 3.2.5. (#1036)
• - builder.rb: catch encoding errors when parsing invalid encoding regexp (#1033)
• * Bump Racc to 1.8.1 (#1031)
• Suppress Ruby 3.4's warning (#1028)
• Update changelog.
• Update changelog.
• Bump version.
• * Bump maintenance branches to 3.3.4 (#1027)
• Update changelog.
• Update changelog.
• Bump version.
• * Bump maintenance branches to 3.3.3 (#1023)
• * Bump Racc to 1.8.0 (#1018)
• Update changelog.

↗️ racc (indirect, 1.8.0 → 1.8.1) · Repo · Changelog

Release Notes

1.8.1

What's Changed

• Use require_relative in the Racc codebase by @koic in #269
• Fix a typo by @koic in #270
• Provide a 'Changelog' link on rubygems.org/gems/racc by @mark-young-atg in #271
• Fix RDoc main file to "README.rdoc" by @ydah in #274
• Fix file path and line number errors when using +, * and () by @ydah in #273
• Bump up v1.8.1 by @yui-knk in #275

New Contributors

• @koic made their first contribution in #269
• @mark-young-atg made their first contribution in #271

Full Changelog: v1.8.0...v1.8.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 15 commits:

• Merge pull request #275 from yui-knk/v1.8.1
• Bump up v1.8.1
• Merge pull request #273 from ydah/fix-filepath-lineno
• Add test code for TestRaccCommand
• Fix file path and line number errors when using `+`, `*` and `()`
• Merge pull request #274 from ydah/rename-docs-main
• Fix RDoc main file to "README.rdoc"
• Merge pull request #271 from mark-young-atg/provide_changelog_link_on_rubygems
• Provide a 'Changelog' link on rubygems.org/gems/racc
• Merge pull request #270 from koic/fix_a_typo
• Fix a typo
• Added BSDL to gemspec
• Update license files same as ruby/ruby
• Merge pull request #269 from koic/use_require_relative
• Use `require_relative` in the Racc codebase

↗️ rexml (indirect, 3.3.4 → 3.3.6) · Repo · Changelog

Security Advisories 🚨

🚨 REXML denial of service vulnerability

Impact

The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes.

If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected.

Patches

The REXML gem 3.3.6 or later include the patch to fix the vulnerability.

Workarounds

Don't parse untrusted XMLs with tree parser API.

References

• https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ : An announce on www.ruby-lang.org

Release Notes

3.3.6

Improvements

• Removed duplicated entity expansions for performance.

  • GH-194
  • Patch by Viktor Ivarsson.

• Improved namespace conflicted attribute check performance. It was
  too slow for deep elements.

  • Reported by l33thaxor.

Fixes

• Fixed a bug that default entity expansions are counted for
  security check. Default entity expansions should not be counted
  because they don't have a security risk.

  • GH-198
  • GH-199
  • Patch Viktor Ivarsson

• Fixed a parser bug that parameter entity references in internal
  subsets are expanded. It's not allowed in the XML specification.

  • GH-191
  • Patch by NAITOH Jun.

• Fixed a stream parser bug that user-defined entity references in
  text aren't expanded.

  • GH-200
  • Patch by NAITOH Jun.

Thanks

• Viktor Ivarsson

• NAITOH Jun

• l33thaxor

3.3.5

Fixes

• Fixed a bug that REXML::Security.entity_expansion_text_limit
  check has wrong text size calculation in SAX and pull parsers.
  • GH-193
  • GH-195
  • Reported by Viktor Ivarsson.
  • Patch by NAITOH Jun.

Thanks

• Viktor Ivarsson

• NAITOH Jun

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 18 commits:

• Add 3.3.6 entry
• parser tree: improve namespace conflicted attribute check performance
• Fix a bug that Stream parser doesn't expand the user-defined entity references for "text" (#200)
• parser: keep the current namespaces instead of stack of Set
• parser: move duplicated end tag check to BaseParser
• test tree-parser: move common method to base class
• test: fix indent
• test: fix indent
• Use loop instead of recursive call for Element#namespace
• Use loop instead of recursive call for Element#root
• test: split duplicated attribute case and namespace conflict case
• Fix to not allow parameter entity references at internal subsets (#191)
• Fix RuntimeError in `REXML::Parsers::BaseParser` for valid feeds (#199)
• Improve `BaseParser#unnormalize` (#194)
• Bump version
• Add 3.3.5 entry
• Fix calculation of Security.entity_expansion_text_limit in SAX/pull parsers (#195)
• Bump version

↗️ rubocop-ast (indirect, 1.31.3 → 1.32.1) · Repo · Changelog

Release Notes

1.32.1 (from changelog)

Changes

• #309: Mark RuboCop::AST::EnsureNode as being in a void context. (@earlopain)

1.32.0 (from changelog)

New features

• #304: Add RuboCop::AST::RationalNode. (@koic)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 23 commits:

• Cut 1.32.1
• Update Changelog
• Mark `RuboCop::AST::EnsureNode` as being in a void context.
• Fix readme CI badge (#308)
• Move test `Node#used?` predicate method definition
• Restore docs/antora.yml
• Cut 1.32.0
• Update Changelog
• Add `RuboCop::AST::RationalNode`
• Remove `Range#minmax` refinement (#307)
• Link the node pattern debugger in docs
• [Docs] Update the doc of Node Types
• Suppress RuboCop offense
• Lift the deprecation from `ArrayNode#each_value`
• Move `rubocop:disable` comments out of documentation
• Define `recursive_*literal?` methods using macro
• Bump paambaati/codeclimate-action from 5.0.0 to 8.0.0 (#294)
• Fix a build error (#296)
• Fix an error when running RuboCop RSpec 3.0
• Suppress RuboCop offenses
• Use Prism 0.28+ for development (#292)
• This has been failing for ages, remove for now
• Restore docs/antora.yml

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)