Skip to content

Bump brakeman from 4.7.2 to 5.0.4

NipaNipa requested to merge dependabot/bundler/brakeman-5.0.4 into master

Bumps brakeman from 4.7.2 to 5.0.4.

Release notes

Sourced from brakeman's releases.

5.0.2

  • Fix Loofah version check

5.0.1

  • Support loading slim/smart (#1570)
  • Set more line numbers on Sexps (#1579)
  • Detect ::Rails.application.configure too (#1584)
  • Always ignore slice/only calls for mass assignment
  • Don't fail if $HOME/$USER are not defined
  • Convert splat array arguments to arguments
  • Bundle unreleased RubyParser changes

5.0.0

  • Scan (almost) all Ruby files in project
  • Revamp CSV report to a CSV list of warnings
  • Add Sonarqube report format (Adam England)
  • Add check for (more) unsafe method reflection (#1488, #1507, and #1508)
  • Add check for potential HTTP verb confusion (#1432)
  • Add --[no-]skip-vendor option
  • Ignore uuid as a safe attribute
  • Ignore Tempfile#path in shell commands
  • Ignore development environment
  • Collapse __send__ calls
  • Set Rails configuration defaults based on load_defaults version
  • Update Ruby requirement to version 2.4.0
  • Suggest using --force if no Rails application is detected

5.0.0.pre1

  • Add check for (more) unsafe method reflection
  • Suggest using --force if no Rails application is detected
  • Add Sonarqube report format (Adam England)
  • Add check for potential HTTP verb confusion
  • Add --[no-]skip-vendor option
  • Scan (almost) all Ruby files in project
  • Add support for Haml 5.2.0

4.10.1

  • Declare REXML as a dependency (Ruby 3.0 compatibility)
  • Use Sexp#sexp_body instead of Sexp#[..] (Ruby 3.0 compatibility)
  • Prevent render loops when template names are absolute paths (#1536)
  • Ensure RubyParser is passed file path as a String (#1534)
  • Support new Haml 5.2.0 escaping method (#1517)

4.10.0

4.9.1

  • Use version from active_record for non-Rails apps (Ulysse Buonomo)
  • Check chomped strings for SQL injection (#1509)
  • Always set line number for joined arrays (#1499)
... (truncated)
Changelog

Sourced from brakeman's changelog.

5.0.4 - 2021-06-08

(brakeman gem release only)

  • Update bundled ruby_parser to include argument forwarding support

5.0.2 - 2021-06-07

  • Fix Loofah version check

5.0.1 - 2021-04-27

  • Detect ::Rails.application.configure too
  • Set more line numbers on Sexps
  • Support loading slim/smart
  • Don't fail if $HOME/$USER are not defined
  • Always ignore slice/only calls for mass assignment
  • Convert splat array arguments to arguments

5.0.0 - 2021-01-26

  • Ignore uuid as a safe attribute
  • Collapse __send__ calls
  • Ignore Tempfile#path in shell commands
  • Ignore development environment
  • Revamp CSV report to a CSV list of warnings
  • Set Rails configuration defaults based on load_defaults version
  • Add check for (more) unsafe method reflection
  • Suggest using --force if no Rails application is detected
  • Add Sonarqube report format (Adam England)
  • Add check for potential HTTP verb confusion
  • Add --[no-]skip-vendor option
  • Scan (almost) all Ruby files in project

4.10.1 - 2020-12-24

  • Declare REXML as a dependency (Ruby 3.0 compatibility)
  • Use Sexp#sexp_body instead of Sexp#[..] (Ruby 3.0 compatibility)
  • Prevent render loops when template names are absolute paths
  • Ensure RubyParser is passed file path as a String
  • Support new Haml 5.2.0 escaping method

5.0.0.pre1 - 2020-11-17

  • Add check for (more) unsafe method reflection
  • Suggest using --force if no Rails application is detected
  • Add Sonarqube report format (Adam England)
  • Add check for potential HTTP verb confusion
  • Add --[no-]skip-vendor option
  • Scan (almost) all Ruby files in project
... (truncated)
Commits

Merge request reports