🚨 [security] Update rubocop 1.65.0 → 1.65.1 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rubocop (1.65.0 → 1.65.1) · Repo · Changelog

Release Notes

1.65.1

New features

• #13068: Add config validation to Naming/PredicateName to check that all ForbiddenPrefixes are being checked. (@maxjacobson)

Bug fixes

• #13051: Fix an error for Lint/FloatComparison when comparing with rational literal. (@koic)
• #13065: Fix an error for Lint/UselessAssignment when same name variables are assigned using chained assignment. (@koic)
• #13062: Fix an error for Style/InvertibleUnlessCondition when using empty parenthesis as condition. (@earlopain)
• #11438: Explicitly load fileutils before calculating before_us. (@r7kamura)
• #13044: Fix false negatives for Lint/ImplicitStringConcatenation when using adjacent string interpolation literals on the same line. (@koic)
• #13083: Fix a false positive for Style/GlobalStdStream when using namespaced constants like Foo::STDOUT. (@earlopain)
• #13081: Fix a false positive for Style/ZeroLengthPredicate when using safe navigation and non-zero comparison. (@fatkodima)
• #13041: Fix false positives for Lint/UselessAssignment when pattern match variable is assigned and used in a block. (@koic)
• #13076: Fix an incorrect autocorrect for Naming/RescuedExceptionsVariableName when using hash value omission. (@koic)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 41 commits:

• Cut 1.65.1
• Update Changelog
• Merge pull request #13083 from Earlopain/false-positive-global-std-stream
• Fix false positive for `Style/GlobalStdStream` for namespaced constants
• Clarify docs in Naming/PredicateName
• Add a validate_config for Naming/PredicateName
• Merge pull request #13079 from koic/fix_incorrect_autocorrect_for_naming_rescued_exceptions_variable_name
• Merge pull request #13081 from fatkodima/zero_length_predicate-false-positive
• Fix a false positive for `Style/ZeroLengthPredicate` when using safe navigation and non-zero comparison
• [Fix #13076] Fix an incorrect autocorrect for `Naming/RescuedExceptionsVariableName`
• Merge pull request #13075 from koic/mark_broken_on_prism_for_broken_specs_for_ruby34_with_prism
• Mark `broken_on: :prism` for broken specs using Ruby 3.4.0dev with Prism
• Enable branch coverage
• [Fix #11438] Explicitly load `fileutils` before calculating `before_us`
• [Doc] Tweak the doc of `Layout/AssignmentIndentation`
• Merge pull request #13071 from Earlopain/bump-simplecov
• Bump `simplecov`
• Merge pull request #13069 from Earlopain/regexp_parser_cruft
• Drop `regexp_parser` < 2.0 compatibility code
• Merge pull request #13066 from koic/fix_an_error_for_lint_useless_assignment_cop
• [Fix #13065] Fix an error for `Lint/UselessAssignment`
• Merge pull request #13062 from Earlopain/invertible-unless-empty-braces
• Fix an error for `Style/InvertibleUnlessCondition` when using empty parenthesis as condition
• Remove an unused private method
• [Docs] Fix code example for `Lint/ShadowingOuterLocalVariable`
• [Docs] Consistent usage of `@example`
• Clarify how to specify the number of parallel processes
• Fix a typo
• [Docs] Tweak the v1 Upgrade Notes
• [Fix #13044] Fix false negatives for `Lint/ImplicitStringConcatenation`
• [Fix #13051] Fix an error for `Lint/FloatComparison`
• Merge pull request #13043 from koic/fix_false_positives_for_lint_useless_assignment
• Merge pull request #13047 from m11o/feature/fix-warning
• Use `support_autocorrect?` class method.
• [Fix #13041] Fix false positives for `Lint/UselessAssignment`
• Merge pull request #13040 from koic/tweak_autocorrect_for_style_sole_nested_conditional
• Tweak autocorrect for `Style/SoleNestedConditional`
• Use `RuboCop::AST::Node#equals_asgn?`
• [Docs] Tweak the doc of `Style/EvalWithLocation`
• Remove an unused private method
• Reset the docs version

↗️ racc (indirect, 1.8.0 → 1.8.1) · Repo · Changelog

Release Notes

1.8.1

What's Changed

• Use require_relative in the Racc codebase by @koic in #269
• Fix a typo by @koic in #270
• Provide a 'Changelog' link on rubygems.org/gems/racc by @mark-young-atg in #271
• Fix RDoc main file to "README.rdoc" by @ydah in #274
• Fix file path and line number errors when using +, * and () by @ydah in #273
• Bump up v1.8.1 by @yui-knk in #275

New Contributors

• @koic made their first contribution in #269
• @mark-young-atg made their first contribution in #271

Full Changelog: v1.8.0...v1.8.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 15 commits:

• Merge pull request #275 from yui-knk/v1.8.1
• Bump up v1.8.1
• Merge pull request #273 from ydah/fix-filepath-lineno
• Add test code for TestRaccCommand
• Fix file path and line number errors when using `+`, `*` and `()`
• Merge pull request #274 from ydah/rename-docs-main
• Fix RDoc main file to "README.rdoc"
• Merge pull request #271 from mark-young-atg/provide_changelog_link_on_rubygems
• Provide a 'Changelog' link on rubygems.org/gems/racc
• Merge pull request #270 from koic/fix_a_typo
• Fix a typo
• Added BSDL to gemspec
• Update license files same as ruby/ruby
• Merge pull request #269 from koic/use_require_relative
• Use `require_relative` in the Racc codebase

↗️ rexml (indirect, 3.3.2 → 3.3.4) · Repo · Changelog

Security Advisories 🚨

🚨 REXML DoS vulnerability

Impact

The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API.

If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability.

Patches

The REXML gem 3.3.3 or later include the patch to fix the vulnerability.

Workarounds

Don't parse untrusted XMLs with SAX2 or pull parser API.

References

• https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ : This is a similar vulnerability
• https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/: An announce on www.ruby-lang.org

🚨 REXML DoS vulnerability

Impact

The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, >] and ]>.

If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.

Patches

The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities.

Workarounds

Don't parse untrusted XMLs.

References

• GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability
• GHSA-4xqq-m2hx-25v8 : This is a similar vulnerability
• https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/: An announce on www.ruby-lang.org

Release Notes

3.3.4

Fixes

• Fixed a bug that REXML::Security isn't defined when
  REXML::Parsers::StreamParser is used and
  rexml/parsers/streamparser is only required.
  • GH-189
  • Patch by takuya kodama.

Thanks

• takuya kodama

3.3.3

Improvements

• Added support for detecting invalid XML that has unsupported
  content before root element

  • GH-184
  • Patch by NAITOH Jun.

• Added support for REXML::Security.entity_expansion_limit= and
  REXML::Security.entity_expansion_text_limit= in SAX2 and pull
  parsers

  • GH-187
  • Patch by NAITOH Jun.

• Added more tests for invalid XMLs.

  • GH-183
  • Patch by Watson.

• Added more performance tests.

  • Patch by Watson.

• Improved parse performance.

  • GH-186
  • Patch by tomoya ishida.

Thanks

• NAITOH Jun

• Watson

• tomoya ishida

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 24 commits:

• Add 3.3.4 entry
• Add missing rexml/security require in rexml/parsers/baseparser.rb (#189)
• Bump version
• Add 3.3.3 entry
• test: add a performance test for attribute list declaration
• test: fix wrong test name
• test: use double quote for string literal
• test: don't use abbreviated name
• test: add a performance test for PI with many tabs
• parse pi: improve invalid case detection
• test: fix a typo
• test: use double quote for string literal
• test: add performance tests for entity declaration
• test: use double quote for string literal
• test: add a performance test for %...; in document declaration
• test: use double quote for string literal
• test: fix location
• Fix source.match performance without specifying term string (#186)
• Add support for XML entity expansion limitation in SAX and pull parsers (#187)
• Add more invalid test cases for parsing entitly declaration (#183)
• Add support for detecting invalid XML that has unsupported content before root element (#184)
• Fix method scope in test in order to invoke the tests properly and fix exception message (#182)
• Add missing references in 3.3.2 entry
• Bump version

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #511.

[depfu]

Closed in favor of #511.