
Update brakeman requirement from ~> 6.1 to ~> 8.0 #5

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/bundler/brakeman-8.0.2

Conversation

@dependabot dependabot Bot commented on behalf of github Feb 9, 2026

Updates the requirements on brakeman to permit the latest version.

Release notes

Sourced from brakeman's releases.

8.0.2

  • Reline console control should use stderr
  • Fix logger cleanup based method (Imran Iqbal)

8.0.1

  • Fix for disappearing cursor when no warnings are reported

8.0.0

  • Complete revamp of scan progress output and logging
  • --skip-libs removed (#1839)
  • --index-libs removed
  • Fix qualified constant lookup to respect module/class context (Mike Dalessio)
  • Fix singleton method prefixes (viralpraxis)
  • Faster file globbing for templates (Mikael Henriksson)
  • No longer produce weak dynamic render path warnings
  • Replace Erubis with Erubi (#1970)

7.1.2

This was released on December 25, 2025

  • Update ruby_parser to remove max version restriction (Chedli Bourguiba)
  • Increase minimum Ruby version to 3.2.0
  • Reduce SQL injection false positives from count (and other) calls (#1936)
  • Remove more XSS false positives related to Haml attribute builder
  • Update Minitest version to 6.0

7.1.1

  • Exclude directories before searching for files (#1925)
  • Check for unsafe SQL when two arguments are passed to AR methods (Patrick Brinich-Langlois)
  • Fix SQL injection check for calculate method (Rohan Sharma)
  • Check each side of or SQL arguments (#1935)
  • Consider Tempfile.create.path as safe input (Ali Ismayilov)
  • Fix false positive when calling with_content on ViewComponents (Peer Allan)
  • Add FilePath#to_path for Ruby 3.5 compatibility (S.H.)
  • Ignore attribute builder in Haml 6 (#1952)
  • Word wrap text report output in pager

7.1.0

  • Add Haml 6.x support (#1914, #1841, etc.)
  • Support render model shortcut (#959, #1940, etc.)
  • Add --ensure-no-obsolete-config-entries option (viralpraxis)
  • Update JUnit report for CircleCI (Philippe Bernery)
  • Improve ignored warnings layout in HTML report (Sebastien Savater)
  • Only load escape functionality from cgi library (Earlopain)
  • Add EOL dates for Rails 8.0 and Ruby 3.4
  • Use lazy file lists for AppTree

7.0.2

  • Fix error with empty BUNDLE_GEMFILE env variable

... (truncated)

Changelog

Sourced from brakeman's changelog.

8.0.2 - 2026-02-03

  • Reline console control should use stderr
  • Fix logger cleanup based method (Imran Iqbal)

8.0.1 - 2026-01-29

  • Make sure to reset the cursor even when exit code is 0

8.0.0 - 2026-01-29

  • No longer produce weak dynamic render path warnings
  • --skip-libs removed
  • --index-libs removed
  • Revamp of scan progress output and logging
  • Faster file globbing for templates (Mikael Henriksson)
  • Fix singleton method prefixes (viralpraxis)
  • Fix qualified constant lookup to respect module/class context (Mike Dalessio)
  • Replace Erubis with Erubi

7.1.2 - 2025-12-25

  • Update ruby_parser to remove version restriction (Chedli Bourguiba)
  • Raise minimum required Ruby to 3.2.0
  • Use Minitest 6.0
  • Reduce SQL injection false positives from count calls
  • Ignore more Haml attribute builder methods

7.1.1 - 2025-11-03

  • Fix false positive when calling with_content on ViewComponents (Peer Allan)
  • Word wrap text output in pager
  • Consider Tempfile.create.path as safe input (Ali Ismayilov)
  • Exclude directories before searching for files
  • Check each side of or SQL arguments
  • Ignore attribute builder in Haml 6
  • Add FilePath#to_path for Ruby 3.5 compatibility (S-H-GAMELINKS)
  • Fix SQL injection check for calculate method (Rohan Sharma)
  • Fix missing td in HTML report (John Hawthorn)
  • Check for unsafe SQL when two arguments are passed to AR methods (Patrick Brinich-Langlois)

7.1.0 - 2025-07-18

  • Add EOL dates for Rails 8.0 and Ruby 3.4
  • Support render model shortcut
  • Use lazy file lists for AppTree
  • Add Haml 6.x support
  • Improve ignored warnings layout in HTML report (Sebastien Savater)
  • Update JUnit report for CircleCI (Philippe Bernery)
  • Only load escape functionality from cgi library (Earlopain)

... (truncated)

Commits
  • c072892 Bump to 8.0.2
  • b3ad4c8 Merge pull request #2007 from presidentbeef/add_ruby_4_0_to_tests
  • 0fb669a Add Ruby 4.0 to test matrix
  • c531af9 Merge pull request #2006 from presidentbeef/set_reline_to_use_stderr
  • 3028a07 Use correct output destination with Reline
  • a0cbbc9 Merge pull request #2004 from imran-iq/imran/push-rpwxzowkpovk
  • bfbc5c9 Fix argument error to logger.cleanup
  • 406e8f1 Bump to 8.0.1
  • 6d37b1c Merge pull request #2002 from presidentbeef/always_quit
  • 192fcb9 Make sure to quit after running
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Updates the requirements on [brakeman](https://github.com/presidentbeef/brakeman) to permit the latest version.
- [Release notes](https://github.com/presidentbeef/brakeman/releases)
- [Changelog](https://github.com/presidentbeef/brakeman/blob/main/CHANGES.md)
- [Commits](presidentbeef/brakeman@v6.2.2...v8.0.2)

---
updated-dependencies:
- dependency-name: brakeman
  dependency-version: 8.0.2
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies and ruby labels Feb 9, 2026
@thomaswitt (Owner)

Superseded by a single consolidated bundle update (local commit b654939, landing on main) that jumps the whole tree to current latest — past this PR's stale target — and clears all 21 bundler-audit advisories in one pass: async-http→0.95.1, aws-sdk-core→3.250.0, aws-sdk-dynamodb→1.168.0, aws-sdk-s3→1.224.0, plus the brakeman dev-dep widened to ~> 8.0. Closing as obsolete.

@thomaswitt thomaswitt closed this Jun 2, 2026
@dependabot dependabot Bot (Author) commented on behalf of github Jun 2, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/bundler/brakeman-8.0.2 branch June 2, 2026 15:20
thomaswitt added a commit that referenced this pull request Jun 2, 2026
…isories

Supersede 5 stale Dependabot PRs (#2,#4,#5,#6,#7) whose targets lagged
current releases by ~4 months, via one full bundle update. Clears all 21
bundler-audit advisories.

Runtime: async 2.35.3->2.39.0, async-http 0.94.0->0.95.1,
protocol-http 0.58.0->0.62.2, aws-sdk-core 3.241.4->3.250.0.
Security: rack 3.2.4->3.2.6, json 2.18.0->2.19.7, addressable 2.8.8->2.9.0,
activesupport 8.1.2->8.1.3 (dev/test-only except json via async->console).

Widen brakeman dev-dep ~> 6.1 -> ~> 8.0 (folds in Dependabot #5).
Group the socketry async stack, aws-sdk, and rubocop gems in dependabot.yml
(async-http pins its protocol-*/io-* stack, so they must move together);
this edit also re-wakes Dependabot, paused after ~113 days of inactivity.

bin/ci green: rufo, rubocop, rspec (84 unit + 17 docker integration),
bundler-audit clean.
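The grouping the commit message describes, written out as an added dependabot.yml fragment for illustration; this is not the repository's own file, and the group names and name patterns are assumptions about what "the socketry async stack, aws-sdk, and rubocop gems" expand to:

```yaml
# Added illustrative fragment; group names and patterns are assumptions.
version: 2
updates:
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      # async-http pins its protocol-*/io-* stack, so bumping them in
      # separate PRs leaves the bundle unresolvable; one group moves them together
      socketry-async:
        patterns:
          - "async"
          - "async-*"
          - "protocol-*"
          - "io-*"
      # aws-sdk-core and the service gems release in lockstep
      aws-sdk:
        patterns:
          - "aws-sdk-*"
      # rubocop plugins track the rubocop core version
      rubocop:
        patterns:
          - "rubocop"
          - "rubocop-*"
```

Each group yields a single Dependabot PR per interval instead of one per gem, which is what keeps a pinned stack from producing a set of individually unmergeable bumps.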