Update bundler-audit: 0.8.0 → 0.9.0.1 (major)

[depfu]

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ bundler-audit (0.8.0 → 0.9.0.1) · Repo · Changelog

Release Notes

0.9.0.1 (from changelog)

• Add a workaround for Psych < 3.1.0 to support running on Ruby < 2.6. (issue #319)
  • Although, Ruby 2.5 and prior have all reached End-of-Life and are no longer receiving security updates. It is strongly advised that you should upgrade to a currently supported version of Ruby.

0.9.0 (from changelog)

• Load advisory metadata using YAML.safe_load. (issue #302)
  • Explicitly permit the Date class for Psych >= 4.0.0 and Ruby >= 3.1.0.
• Added {Bundler::Audit::Advisory#to_h}. (pull #310)
• Added {Bundler::Audit::Database#commit_id}.

CLI

• Added the --config option. (pull #306)
• Added the junit output format (ex: --format junit). (pull #314)
• Add missing output for CVSSv3 criticality information. (pull #302)
  • Include criticality information in the JSON output as well. (pull #310)
• bundle-audit stats now prints the commit ID of the ruby-advisory-db.
• Fixed a deprecation warning from Thor. (issue #317)

Rake Task

• Add the bundle:audit:update task for updating the ruby-advisory-db. (pull #296)
• Aliased bundle:audit to bundle:audit:check.
• Aliased bundler:audit:* to bundle:audit:*.
• Rake tasks now execute bundle-audit command as a subprocess to ensure isolation.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 52 commits:

• Updated the ChangeLog for 0.9.0.1.
• Version bump to 0.9.0.1.
• Re-enable Ruby 2.5 in the CI matrix to test against psych < 3.1.0.
• Support psych < 3.1.0 YAML.safe_load calling conventions for ruby < 2.6 (issue #319).
• Added a Gem Version badge (badge.fury.io).
• Mention that issue #302 will also affect ruby >= 3.1.0, if not fixed.
• Updated the ChangeLog for 0.9.0.
• Missed a spot.
• Do not require yard-spellcheck by default, as it's a CLI tool.
• Use https:// URLs in license text.
• Fix spelling mistakes in the documentation.
• Added yard-spellcheck.
• Re-did the Style/PercentLiteralDelimiters configuration.
• Whitespace--
• Add special rubocop configuration to allow %w[], but also %{} and %r{}.
• Be specific about which insecure URI schemes bundler-audit checks for.
• Use the permitted_classes: keyword with YAML.safe_load.
• Use rubocop's built-in rake task (@lopopolo).
• Disable a few more pedantic rubocop rules.
• Whitespace--.
• Represent each line as a String literal to preserve XML indentation.
• Added rubocop to the CI pipeline.
• Use less expect_any_instance_of.
• Style.
• Also print the commit ID along with other database stats for debugging purposes.
• Added Database#commit_id.
• Revert "Thor's exit_on_failure? is deprecated." (fixes #317)
• Comment out sections/text that are meant to be deleted/filled-in.
• Added a bug report Issue template
• Require CGI lib explicitly (#315)
• Version bump to 0.9.0.
• format: adding a Junit presenter format inspired by #206 (#314)
• Fix typo in readme (#313)
• Style fixes.
• Add criticality level in JSON format (#310)
• Support config path (#306)
• Add missing @param tag.
• Use more keyword arguments.
• Add the bundler:audit tasks to the Rakefile.
• Changed the rake tasks to execute bundler-audit as a subprocess.
• Bump the spec Gemfile.lock files
• Bump nokogiri from 1.11.1 to 1.11.5 in /spec/bundle/insecure_sources (#305)
• Merge pull request #301 from gonzoyumo/fix_criticality_with_text_format
• Bump nokogiri from 1.11.1 to 1.11.5 in /spec/bundle/secure (#304)
• Fix text format output
• Alias bundler:audit:* to bundle:audit:*.
• Aliased bundle:audit to bundle:audit:check.
• Renamed the bundler:audit_update task to bundler:audit:update.
• Merge pull request #298 from braingourmets/feature/rake-tasks
• Add a Rake task for updating the vulnerability database
• Use YAML.safe_load
• Docs: Fix README link reference (#295)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #19.