Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump squizlabs/php_codesniffer from 1.5.6 to 2.8.1 #6

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

dependabot[bot]
Copy link

@dependabot dependabot bot commented on behalf of github Mar 26, 2022

Bumps squizlabs/php_codesniffer from 1.5.6 to 2.8.1.

Release notes

Sourced from squizlabs/php_codesniffer's releases.

2.8.1

Security Advisory

  • This release contains a fix for a security advisory related to the improper handling of shell commands
    • Uses of shell_exec() and exec() were not escaping filenames and configuration settings in most cases
    • A properly crafted filename or configuration option would allow for arbitrary code execution when using some features
    • All users are encouraged to upgrade to this version, especially if you are checking 3rd-party code
      • e.g., you run PHPCS over libraries that you did not write
      • e.g., you provide a web service that runs PHPCS over user-uploaded files or 3rd-party repositories
      • e.g., you allow external tool paths to be set by user-defined values
    • If you are unable to upgrade but you check 3rd-party code, ensure you are not using the following features:
      • The diff report
      • The notify-send report
      • The Generic.PHP.Syntax sniff
      • The Generic.Debug.CSSLint sniff
      • The Generic.Debug.ClosureLinter sniff
      • The Generic.Debug.JSHint sniff
      • The Squiz.Debug.JSLint sniff
      • The Squiz.Debug.JavaScriptLint sniff
      • The Zend.Debug.CodeAnalyzer sniff
    • Thanks to Klaus Purer for the report

Other Changes

  • The PHP-supplied T_COALESCE_EQUAL token has been replicated for PHP versions before 7.2
  • PEAR.Functions.FunctionDeclaration now reports an error for blank lines found inside a function declaration
  • PEAR.Functions.FunctionDeclaration no longer reports indent errors for blank lines in a function declaration
  • Squiz.Functions.MultiLineFunctionDeclaration no longer reports errors for blank lines in a function declaration
    • It would previously report that only one argument is allowed per line
  • Squiz.Commenting.FunctionComment now corrects multi-line param comment padding more accurately
  • Squiz.Commenting.FunctionComment now properly fixes pipe-separated param types
  • Squiz.Commenting.FunctionComment now works correctly when function return types also contain a comment
    • Thanks to Juliette Reinders Folmer for the patch
  • Squiz.ControlStructures.InlineIfDeclaration now supports the elvis operator
    • As this is not a real PHP operator, it enforces no spaces between ? and : when the THEN statement is empty
  • Squiz.ControlStructures.InlineIfDeclaration is now able to fix the spacing errors it reports
  • Fixed bug #1340 : STDIN file contents not being populated in some cases
    • Thanks to David Biňovec for the patch
  • Fixed bug #1344 : PEAR.Functions.FunctionCallSignatureSniff throws error for blank comment lines
  • Fixed bug #1347 : PSR2.Methods.FunctionCallSignature strips some comments during fixing
    • Thanks to Algirdas Gurevicius for the patch
  • Fixed bug #1349 : Squiz.Strings.DoubleQuoteUsage.NotRequired message is badly formatted when string contains a CR newline char
    • Thanks to Algirdas Gurevicius for the patch
  • Fixed bug #1350 : Invalid Squiz.Formatting.OperatorBracket error when using namespaces
  • Fixed bug #1369 : Empty line in multi-line function declaration cause infinite loop

2.8.0

  • The Internal.NoCodeFound error is no longer generated for content sourced from STDIN
    • This should stop some Git hooks generating errors because PHPCS is trying to process the refs passed on STDIN
  • Squiz.Commenting.DocCommentAlignment now checks comments on class properties defined using the VAR keyword
    • Thanks to Klaus Purer for the patch
  • The getMethodParameters() method now recognises "self" as a valid type hint

... (truncated)

Commits
  • d7cf0d8 Prepare for 2.8.1 release
  • 254ced6 Escape the notify-send path when getting the version number
  • 029305e Code that uses shell_exec() and exec() now escapes cmds and args in case PHPC...
  • b7c84a0 PEAR.Functions.FunctionDeclaration now reports an error for blank lines found...
  • 244d084 Squiz.Functions.MultiLineFunctionDeclaration no longer reports errors for bla...
  • b7fdd3e PEAR.Functions.FunctionDeclaration no longer reports indent errors for blank ...
  • ca8f28c Adding missing test file
  • 69d07ba Added new test file
  • 63f0957 Squiz.ControlStructures.InlineIfDeclaration is now able to fix the spacing er...
  • 7a99e69 Squiz.ControlStructures.InlineIfDeclaration now supports the elvis operator (...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [squizlabs/php_codesniffer](https://github.com/squizlabs/PHP_CodeSniffer) from 1.5.6 to 2.8.1.
- [Release notes](https://github.com/squizlabs/PHP_CodeSniffer/releases)
- [Commits](squizlabs/PHP_CodeSniffer@1.5.6...2.8.1)

---
updated-dependencies:
- dependency-name: squizlabs/php_codesniffer
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Mar 26, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants