
Bump brakeman from 4.1.1 to 4.3.0 #72

Open

wants to merge 1 commit into master
Conversation

dependabot-preview[bot]

Bumps brakeman from 4.1.1 to 4.3.0.

Release notes

Sourced from brakeman's releases.

4.2.1

4.2.0

  • Handle ERb use of String#<< method for Ruby 2.5 (Pocke)
  • Exclude template folders in lib/ (kru0096)
  • Warn about SQL injection with not
  • Avoid warning about symbol DoS on Model#attributes (#1096)
  • Avoid warning about open redirects with model methods ending with _path(#1117)
  • Avoid warning about command injection with Shellwords.escape (#1159)
  • Use ivars from initialize in libraries
  • Fix multiple assignment of globals (#1155)
  • Sexp#body= can accept :rlist from Sexp#body_list
  • Update RubyParser to 3.11.0

Changelog

Sourced from brakeman's changelog.

4.3.0

  • Check exec-type calls even if they are targets
  • Convert Array#join to string interpolation
  • BaseCheck#include_interp? should return first string interpolation
  • Add --parser-timeout option
  • Track parent calls in CallIndex
  • Warn about dangerous link_to href with sanitize()
  • Ignore params#to_h and params#to_hash in SQL checks
  • Change "".freeze to just ""
  • Ignore Process.pid in system calls
  • Index Kernel#` calls even if they are targets
  • Code Climate: omit leading dot from only_files (Todd Mazierski)
  • --color can be used to force color output
  • Fix reported line numbers for CVE-2018-3741 and CVE-2018-8048

4.2.1

4.2.0

  • Avoid warning about symbol DoS on Model#attributes
  • Avoid warning about open redirects with model methods ending with _path
  • Avoid warning about command injection with Shellwords.escape
  • Use ivars from initialize in libraries
  • Sexp#body= can accept :rlist from Sexp#body_list
  • Update RubyParser to 3.11.0
  • Fix multiple assignment of globals
  • Warn about SQL injection in not
  • Exclude template folders in lib/ (kru0096)
  • Handle ERb use of String#<< method for Ruby 2.5 (Pocke)

Commits
  • 7208177 Bump to 4.3.0
  • 12dd36d Merge pull request #1203 from presidentbeef/better_array_joining
  • 363ae3c Fix Array#join and consecutive interpolated values
  • fe17a90 Update CHANGES
  • b0c867e Merge pull request #1201 from presidentbeef/join_debug_cleanup
  • ec35d53 Cleanup debug stuff from Array#join
  • 9c705d3 Better test failure output on unexpected warnings
  • 7dd1516 Merge pull request #1200 from presidentbeef/check_exec_as_targets
  • fc1dd99 Check exec-type calls if they are targets
  • d06a37d Merge pull request #1198 from presidentbeef/join_to_interpolation
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use (this|these) label[s] will set the current labels as the default for future PRs for this repo and language
  • @dependabot use (this|these) reviewer[s] will set the current reviewers as the default to be assigned for future PRs for this repo and language
  • @dependabot use (this|these) assignee[s] will set the current assignees as the default for future PRs for this repo and language

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
