🚨 [security] Update rubocop-performance 1.19.1 → 1.22.1 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rubocop-performance (1.19.1 → 1.22.1) · Repo · Changelog

Release Notes

1.22.1

Bug fixes

• #468: Fix false positives for Performance/BigDecimalWithNumericArgument when using float argument for BigDecimal. (@koic)

1.22.0

Bug fixes

• #454: Fix false positives for Performance/BigDecimalWithNumericArgument when using BigDecimal 3.1+. (@koic)

Changes

• #385: Disable Performance/BlockGivenWithExplicitBlock by default. (@earlopain)
• #407: Make Performance/DoubleStartEndWith aware of safe navigation. (@earlopain)

1.21.1

Bug fixes

• #452: Fix an error for Performance/RedundantEqualityComparisonBlock when the block is empty. (@earlopain)

1.21.0

New features

• #446: Support Prism as a Ruby parser (experimental). (@koic)

Bug fixes

• #437: Fix a false positive for Performance/ChainArrayAllocation when using select with block argument after select. (@koic)
• #448: Fix a false positive for Performance/RedundantBlockCall when using block.call with block argument. (@koic)

Changes

• #240: Disable Performance/Casecmp cop by default. (@parkerfinch)

1.20.2 (from changelog)

Bug fixes

• #425: Fix a false positive for Performance/StringIdentifierArgument when using string interpolation with methods that don't support symbols with :: inside them. (@earlopain)

1.20.1

Bug fixes

• #428: Fix false negatives for Performance/StringIdentifierArgument when using multiple string arguments. (@koic)

1.20.0

New features

• #384: Support optimized String#dup for Performance/UnfreezeString when Ruby 3.3+. (@koic)

Bug fixes

• #374: Fix an error for Performance/MapMethodChain when using map method chain without receiver. (@koic)
• #386: Fix a false negative for Performance/StringIdentifierArgument when using string interpolation. (@earlopain)
• #419: Make Performance/Count, Performance/FixedSize, Performance/FlatMap, Performance/InefficientHashSearch, Performance/RangeInclude, Performance/RedundantSortBlock, Performance/ReverseFirst, Performance/SelectMap, Performance/Size, Performance/SortReverse, and Performance/TimesMap cops aware of safe navigation operator. (@koic)
• #390: Fix a false negative for Performance/ReverseEach when safe navigation is between reverse and each. (@fatkodima)
• #401: Make Performance/Sum aware of safe navigation operator. (@koic)

Changes

• #389: Improve Performance/MapCompact to handle more safe navigation calls. (@fatkodima)
• #395: Enhance Performance/StringInclude to handle === method. (@fatkodima)
• #388: Require RuboCop 1.30+ as runtime dependency. (@koic)
• #380: Require RuboCop AST 1.30.0+. (@koic)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ rubocop (1.64.1 → 1.66.1) · Repo · Changelog

Release Notes

1.66.1

Bug fixes

• #13191: Fix an error for Style/IfWithSemicolon when using nested single-line if/;/end in block of if/else branches. (@koic)
• #13178: Fix false positive for Style/EmptyLiteral with Hash.new([]). (@earlopain)
• #13176: Fix crash in Style/EmptyElse when AllowComments: true and the else clause is missing. (@vlad-pisanov)
• #13185: Fix false negatives in Style/MapIntoArray autocorrection when using ensure, def, defs and for. (@vlad-pisanov)

1.66.0

New features

• #13077: Add new global StringLiteralsFrozenByDefault option for correct analysis with RUBYOPT=--enable=frozen-string-literal. (@earlopain)
• #13080: Add new DocumentationExtension global option to serve documentation with extensions different than .html. (@earlopain)
• #13074: Add new Lint/UselessNumericOperation cop to check for inconsequential numeric operations. (@zopolis4)
• #13061: Add new Style/RedundantInterpolationUnfreeze cop to check for dup and @+ on interpolated strings in Ruby >= 3.0. (@earlopain)

Bug fixes

• #13093: Fix an error for Lint/ImplicitStringConcatenation when implicitly concatenating a string literal with a line break and string interpolation. (@koic)
• #13098: Fix an error for Style/IdenticalConditionalBranches when handling empty case branches. (@koic)
• #13113: Fix an error for Style/IfWithSemicolon when a nested if with a semicolon is used. (@koic)
• #13097: Fix an error for Style/InPatternThen when using alternative pattern matching deeply. (@koic)
• #13159: Fix an error for Style/OneLineConditional when using if/then/else/end with multiple expressions in the then body. (@koic)
• #13092: Fix an incorrect autocorrect for Layout/EmptyLineBetweenDefs when two method definitions are on the same line separated by a semicolon. (@koic)
• #13116: Fix an incorrect autocorrect for Style/IfWithSemicolon when a single-line if/;/end has an argument in the then body expression. (@koic)
• #13161: Fix incorrect autocorrect for Style/IfWithSemicolon when using multiple expressions in the else body. (@koic)
• #13132: Fix incorrect autocorrect for Style/TrailingBodyOnMethodDefinition when an expression precedes a method definition on the same line with a semicolon. (@koic)
• #13164: Fix incorrect autocorrect behavior for Layout/BlockAlignment when EnforcedStyleAlignWith: either (default). (@koic)
• #13087: Fix an incorrect autocorrect for Style/MultipleComparison when expression with more comparisons precedes an expression with less comparisons. (@fatkodima)
• #13172: Fix an error for Layout/EmptyLinesAroundExceptionHandlingKeywords when ensure or else and end are on the same line. (@koic)
• #13107: Fix an error for Lint/ImplicitStringConcatenation when there are multiple adjacent string interpolation literals on the same line. (@koic)
• #13111: Fix an error for Style/GuardClause when if clause is empty and correction would not fit on single line because of Layout/LineLength. (@earlopain)
• #13137: Fix an error for Style/ParallelAssignment when using __FILE__. (@earlopain)
• #13143: Fix an error during TargetRubyVersion detection if the gemspec is not valid syntax. (@earlopain)
• #13131: Fix false negatives for Lint/Void when using ensure, defs and numblock. (@vlad-pisanov)
• #13174: Fix false negatives for Style/MapIntoArray when initializing the destination using Array[], Array([]), or Array.new([]). (@vlad-pisanov)
• #13173: Fix false negatives for Style/EmptyLiteral when using Array[], Hash[], Array.new([]) and Hash.new([]). (@vlad-pisanov)
• #13126: Fix a false positive for Style/Alias when using multiple alias in def. (@koic)
• #13085: Fix a false positive for Style/EmptyElse when a comment-only else is used after elsif and AllowComments: true is set. (@koic)
• #13118: Fix a false positive for Style/MapIntoArray when splatting. (@earlopain)
• #13105: Fix false positives for Style/ArgumentsForwarding when forwarding kwargs/block arg with non-matching additional args. (@koic)
• #13139: Fix false positives for Style/RedundantCondition when using modifier if or unless. (@koic)
• #13134: Fix false negative for Lint/Void when using using frozen literals. (@vlad-pisanov)
• #13148: Fix incorrect autocorrect for Lint/EmptyConditionalBody when missing elsif body with end on the same line. (@koic)
• #13109: Fix an error for the Lockfile parser when it contains incompatible BUNDLED WITH versions. (@earlopain)
• #13112: Fix detection of TargetRubyVersion through the gemfile if the gemfile ruby version is below 2.7. (@earlopain)
• #13155: Fixes an error when the server cache directory has too long path, causing rubocop to fail even with caching disabled. (@protocol7)

Changes

• #13050: Allow get_!, set_!, get_?, set_?, get_=, and set_= in Naming/AccessorMethodName. (@koic)
• #13103: Make Lint/UselessAssignment autocorrection safe. (@koic)
• #13099: Make Style/RedundantRegexpArgument respect the EnforcedStyle of Style/StringLiterals. (@koic)
• #13165: Remove dependency on the rexml gem. (@bquorning)
• #13090: Require RuboCop AST 1.32.0+ to use RuboCop::AST::RationalNode. (@koic)

1.65.1

New features

• #13068: Add config validation to Naming/PredicateName to check that all ForbiddenPrefixes are being checked. (@maxjacobson)

Bug fixes

• #13051: Fix an error for Lint/FloatComparison when comparing with rational literal. (@koic)
• #13065: Fix an error for Lint/UselessAssignment when same name variables are assigned using chained assignment. (@koic)
• #13062: Fix an error for Style/InvertibleUnlessCondition when using empty parenthesis as condition. (@earlopain)
• #11438: Explicitly load fileutils before calculating before_us. (@r7kamura)
• #13044: Fix false negatives for Lint/ImplicitStringConcatenation when using adjacent string interpolation literals on the same line. (@koic)
• #13083: Fix a false positive for Style/GlobalStdStream when using namespaced constants like Foo::STDOUT. (@earlopain)
• #13081: Fix a false positive for Style/ZeroLengthPredicate when using safe navigation and non-zero comparison. (@fatkodima)
• #13041: Fix false positives for Lint/UselessAssignment when pattern match variable is assigned and used in a block. (@koic)
• #13076: Fix an incorrect autocorrect for Naming/RescuedExceptionsVariableName when using hash value omission. (@koic)

1.65.0

New features

• #13030: Add new Gemspec/AddRuntimeDependency cop. (@koic)

Bug fixes

• #12954: Fix a false negative for Style/ArgumentsForwarding when arguments forwarding in yield. (@koic)
• #13033: Fix a false positive for Layout/SpaceAroundOperators when using multiple spaces between an operator and a tailing comment. (@koic)
• #12885: Fix a false positive for Lint/ToEnumArguments when enumerator is created for another method. (@koic)
• #13018: Fix a false positive for Style/MethodCallWithArgsParentheses when EnforcedStyle: omit_parentheses is set and parenthesized method call is used before constant resolution. (@koic)
• #12986: Fix a false positive for Style/RedundantBegin when endless method definition with rescue. (@koic)
• #12985: Fix an error for Style/RedundantRegexpCharacterClass when using regexp_parser gem 2.3.1 or older. (@koic)
• #13010: Fix an error for Style/SuperArguments when the hash argument is or-assigned. (@koic)
• #13023: Fix an error for Style/SymbolProc when using lambda -> with one argument and multiline do...end block. (@koic)
• #12989: Fix an error for the inherit_gem config when the Gemfile contains an uninstalled git gem. (@earlopain)
• #12975: Fix an error for the inherit_gem config when running RuboCop without bundler and no Gemfile exists. (@earlopain)
• #12997: Fix an error for Lint/UnmodifiedReduceAccumulator when the block is empty. (@earlopain)
• #12979: Fix false negatives for Lint/Void when void expression with guard clause is not on last line. (@koic)
• #12716: Fix false negatives for Lint/Void when using parenthesized void operators. (@koic)
• #12471: Fix false negatives for Style/ZeroLengthPredicate when using safe navigation operator. (@koic)
• #12960: Fix false positives for Lint/NestedMethodDefinition when definition of method on variable. (@koic)
• #13012: Fix false positives for Style/HashExcept when using reject and calling include? method with bang. (@koic)
• #12983: Fix false positives for Style/SendWithLiteralMethodName using send with writer method name. (@koic)
• #12957: Fix false positives for Style/SuperArguments when calling super in a block. (@koic)

Changes

• #12970: Add CountModifierForms option to Metrics/BlockNesting and set it to false by default. (@koic)
• #13032: Display warning messages for deprecated APIs. (@koic)
• #13031: Enable YJIT by default in server mode. (@koic)
• #12557: Make server mode aware of auto-restart for bundle update. (@koic)
• #12616: Make Style/MapCompactWithConditionalBlock aware of filter_map. (@koic)
• #13035: Support autocorrect for Lint/ImplicitStringConcatenation. (@koic)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ parallel (indirect, 1.24.0 → 1.26.3) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ parser (indirect, 3.3.2.0 → 3.3.5.0) · Repo · Changelog

Release Notes

3.3.5.0 (from changelog)

API modifications:

• Bump maintenance branches to 3.3.5 (#1039) (Koichi ITO)

3.3.4.1 (from changelog)

API modifications:

• Bump 3.2 branch to 3.2.5. (#1036) (Ilya Bylich)
• Bump Racc to 1.8.1 (#1031) (Koichi ITO)

Bugs fixed:

• builder.rb: catch encoding errors when parsing invalid encoding regexp (#1033) (Earlopain)

3.3.4.0 (from changelog)

API modifications:

• Bump maintenance branches to 3.3.4 (#1027) (Koichi ITO)

3.3.3.0 (from changelog)

API modifications:

• Bump maintenance branches to 3.3.3 (#1023) (Koichi ITO)
• Bump Racc to 1.8.0 (#1018) (Koichi ITO)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ racc (indirect, 1.8.0 → 1.8.1) · Repo · Changelog

Release Notes

1.8.1

What's Changed

• Use require_relative in the Racc codebase by @koic in #269
• Fix a typo by @koic in #270
• Provide a 'Changelog' link on rubygems.org/gems/racc by @mark-young-atg in #271
• Fix RDoc main file to "README.rdoc" by @ydah in #274
• Fix file path and line number errors when using +, * and () by @ydah in #273
• Bump up v1.8.1 by @yui-knk in #275

New Contributors

• @koic made their first contribution in #269
• @mark-young-atg made their first contribution in #271

Full Changelog: v1.8.0...v1.8.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rexml (indirect, 3.2.8 → 3.3.7) · Repo · Changelog

Security Advisories 🚨

🚨 REXML denial of service vulnerability

Impact

The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes.

If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected.

Patches

The REXML gem 3.3.6 or later include the patch to fix the vulnerability.

Workarounds

Don't parse untrusted XMLs with tree parser API.

References

• https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ : An announce on www.ruby-lang.org

🚨 REXML DoS vulnerability

Impact

The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API.

If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability.

Patches

The REXML gem 3.3.3 or later include the patch to fix the vulnerability.

Workarounds

Don't parse untrusted XMLs with SAX2 or pull parser API.

References

• https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ : This is a similar vulnerability
• https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/: An announce on www.ruby-lang.org

🚨 REXML DoS vulnerability

Impact

The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, >] and ]>.

If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.

Patches

The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities.

Workarounds

Don't parse untrusted XMLs.

References

• GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability
• GHSA-4xqq-m2hx-25v8 : This is a similar vulnerability
• https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/: An announce on www.ruby-lang.org

🚨 REXML denial of service vulnerability

Impact

The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as <, 0 and %>.

If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.

Patches

The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities.

Workarounds

Don't parse untrusted XMLs.

References

• GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability
• https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/

Release Notes

3.3.7

Improvements

• Added local entity expansion limit methods

  • GH-192
  • GH-202
  • Reported by takuya kodama.
  • Patch by NAITOH Jun.

• Removed explicit strscan dependency

  • GH-204
  • Patch by Bo Anderson.

Thanks

• takuya kodama

• NAITOH Jun

• Bo Anderson

3.3.6

Improvements

• Removed duplicated entity expansions for performance.

  • GH-194
  • Patch by Viktor Ivarsson.

• Improved namespace conflicted attribute check performance. It was
  too slow for deep elements.

  • Reported by l33thaxor.

Fixes

• Fixed a bug that default entity expansions are counted for
  security check. Default entity expansions should not be counted
  because they don't have a security risk.

  • GH-198
  • GH-199
  • Patch Viktor Ivarsson

• Fixed a parser bug that parameter entity references in internal
  subsets are expanded. It's not allowed in the XML specification.

  • GH-191
  • Patch by NAITOH Jun.

• Fixed a stream parser bug that user-defined entity references in
  text aren't expanded.

  • GH-200
  • Patch by NAITOH Jun.

Thanks

• Viktor Ivarsson

• NAITOH Jun

• l33thaxor

3.3.5

Fixes

• Fixed a bug that REXML::Security.entity_expansion_text_limit
  check has wrong text size calculation in SAX and pull parsers.
  • GH-193
  • GH-195
  • Reported by Viktor Ivarsson.
  • Patch by NAITOH Jun.

Thanks

• Viktor Ivarsson

• NAITOH Jun

3.3.4

Fixes

• Fixed a bug that REXML::Security isn't defined when
  REXML::Parsers::StreamParser is used and
  rexml/parsers/streamparser is only required.
  • GH-189
  • Patch by takuya kodama.

Thanks

• takuya kodama

3.3.3

Improvements

• Added support for detecting invalid XML that has unsupported
  content before root element

  • GH-184
  • Patch by NAITOH Jun.

• Added support for REXML::Security.entity_expansion_limit= and
  REXML::Security.entity_expansion_text_limit= in SAX2 and pull
  parsers

  • GH-187
  • Patch by NAITOH Jun.

• Added more tests for invalid XMLs.

  • GH-183
  • Patch by Watson.

• Added more performance tests.

  • Patch by Watson.

• Improved parse performance.

  • GH-186
  • Patch by tomoya ishida.

Thanks

• NAITOH Jun

• Watson

• tomoya ishida

3.3.2

Improvements

• Improved parse performance.

  • GH-160
  • Patch by NAITOH Jun.

• Improved parse performance.

  • GH-169
  • GH-170
  • GH-171
  • GH-172
  • GH-173
  • GH-174
  • GH-175
  • GH-176
  • GH-177
  • Patch by Watson.

• Added support for raising a parse exception when an XML has extra
  content after the root element.

  • GH-161
  • Patch by NAITOH Jun.

• Added support for raising a parse exception when an XML
  declaration exists in wrong position.

  • GH-162
  • Patch by NAITOH Jun.

• Removed needless a space after XML declaration in pretty print mode.

  • GH-164
  • Patch by NAITOH Jun.

• Stopped to emit :text event after the root element.

  • GH-167
  • Patch by NAITOH Jun.

Fixes

• Fixed a bug that SAX2 parser doesn't expand predefined entities for
  characters callback.
  • GH-168
  • Patch by NAITOH Jun.

Thanks

• NAITOH Jun

• Watson

3.3.1

Improvements

• Added support for detecting malformed top-level comments.

  • GH-145
  • Patch by Hiroya Fujinami.

• Improved REXML::Element#attribute performance.

  • GH-146
  • Patch by Hiroya Fujinami.

• Added support for detecting malformed <!--> comments.

  • GH-147
  • Patch by Hiroya Fujinami.

• Added support for detecting unclosed DOCTYPE.

  • GH-152
  • Patch by Hiroya Fujinami.

• Added changlog_uri metadata to gemspec.

  • GH-156
  • Patch by fynsta.

• Improved parse performance.

  • GH-157
  • GH-158
  • Patch by NAITOH Jun.

Fixes

• Fixed a bug that large XML can't be parsed.

  • GH-154
  • Patch by NAITOH Jun.

• Fixed a bug that private constants are visible.

  • GH-155
  • Patch by NAITOH Jun.

Thanks

• Hiroya Fujinami

• NAITOH Jun

• fynsta

3.3.0

Improvements

• Added support for strscan 0.7.0 installed with Ruby 2.6.
  • GH-142
  • Reported by Fernando Trigoso.

Thanks

• Fernando Trigoso

3.2.9

Improvements

• Added support for old strscan.

  • GH-132
  • Reported by Adam

• Improved attribute value parse performance.

  • GH-135
  • Patch by NAITOH Jun.

• Improved REXML::Node#each_recursive performance.

  • GH-134
  • GH-139
  • Patch by Hiroya Fujinami.

• Improved text parse performance.

  • Reported by mprogrammer.

Thanks

• Adam
• NAITOH Jun
• Hiroya Fujinami
• mprogrammer

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rubocop-ast (indirect, 1.31.3 → 1.32.3) · Repo · Changelog

Release Notes

1.32.3 (from changelog)

Bug fixes

• #310: Fix RuboCop::AST::DefNode#void_context? to handle class methods called initialize. ([@vlad-pisanov][])

1.32.1 (from changelog)

Changes

• #309: Mark RuboCop::AST::EnsureNode as being in a void context. (@earlopain)

1.32.0 (from changelog)

New features

• #304: Add RuboCop::AST::RationalNode. (@koic)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ unicode-display_width (indirect, 2.5.0 → 2.6.0) · Repo · Changelog

Release Notes

2.6.0 (from changelog)

• Unicode 16

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🗑️ strscan (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #400.