This is a small release, but may change some fingerprints of warnings in libraries. Also, the Slim dependency has been removed due to conflicts. See below for details.
- Remove Slim dependency (Casey West)
- Properly process libraries (Patrick Toomey)
--add-libs-pathfor additional libraries (Patrick Toomey)
- Allow for controllers/models/templates in directories under
- Properly format command interpolation (again)
Slim Gem Dependency Removed
Since Rails 4.2 requires Slim 3.0.1 and Slim 3.0 dropped support for Ruby 1.8.7, there is no way to satisfy dependencies for Slim, Rails 4.2, and retain support for Ruby 1.8.7 when Brakeman is added as a dependency in a
The only acceptable solution is to not include Slim as a dependency at all and let users sort it out for themselves. Sorry for the unfortunate situation, but there is no way to add Brakeman to a
Gemfile and avoid Bundler attempting to resolve Brakeman’s dependencies against the application’s dependencies, despite there being no relation.
Thanks to Casey West for working through solutions for this issue.
Libraries were added to the call index (which meant they were scanned during checks) in the 3.0.0 release, but there were still not being processed like most other code. This led to some checks not finding issues they should have. Patrick Toomey pointed this out and contributed a fix.
This change may affect existing warning fingerprints for warnings in libraries. Apologies for the inconvenience.
Allow Additional Library Paths
Patrick Toomey also added a new option
--add-libs-path to treat more paths as if they were in
Scan Application Subdirectories
Neal Harris contributed a change to support applications with multiple applications under
app/, such as
Avoid CSRF Warning for APIs
Brakeman will no longer warn about missing
ApplicationController does not inherit from
Command Interpolation Format Fix
Previous release had an incomplete fix for this. There should be no impact to warning fingerprints.
Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.
Also consider following @brakeman on Twitter and joining the mailing list.