Changes since 4.10.0:
This release fixes Ruby 3.0 compatibility (meaning Brakeman runs under Ruby 3.0; new Ruby 3.0 syntax is not supported yet).
REXML as an Explicit Dependency
In Ruby 3.0, REXML has become a ‘bundled’ gem. It is distributed with Ruby, but if Bundler is involved then it needs to be declared as an explicit dependency.
If you like minimal dependencies, you can always use the brakeman-min gem, which declares only strict dependencies.
(changes)
Avoid Slicing with Sexp#[]
Sexp subclasses from Array, and in Ruby 3.0 Array no longer returns subclass instances from methods that create new arrays.
Brakeman was unfortunately using Sexp#[] with ranges (e.g. s(:a, :b, :c)[1..-1]), which runs into this behavior.
Happily, the Sexp#sexp_body method already exists to properly slice and return a Sexp.
(changes)
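The behavior change described above, as an added example (not Brakeman's or ruby_parser's own code): a constructed stand-in Sexp class that subclasses Array, a range slice that silently becomes a plain Array on Ruby 3.0, and a sexp_body that rebuilds a Sexp regardless of Ruby version.

```ruby
# Constructed stand-in for ruby_parser's Sexp (an Array subclass); not the real class.
class Sexp < Array
  def initialize(*elems)
    super(elems)
  end

  # The pre-3.0 assumption: Array#[] with a range returns a Sexp.
  # On Ruby 3.0+ this returns a plain Array, so any later Sexp-specific
  # method call on the result raises NoMethodError.
  def body_via_slice
    self[1..-1]
  end

  # Version-independent: rebuild a Sexp from the sliced elements.
  # Array(...) turns a nil slice (empty Sexp) into [] instead of failing.
  def sexp_body(from = 1)
    Sexp.new(*Array(self[from..-1]))
  end
end

# Mirrors the s(...) constructor used in the text.
def s(*args)
  Sexp.new(*args)
end

# Returns [class of the plain range slice, class of sexp_body] for comparison.
def slice_classes(sexp)
  [sexp.body_via_slice.class, sexp.sexp_body.class]
end

# True on Ruby < 3.0, where Array#[] still returns the subclass.
def ruby_preserves_subclass_on_slice?
  s(:a, :b).body_via_slice.is_a?(Sexp)
end

if __FILE__ == $0
  node = s(:call, nil, :puts, s(:str, "hi"))
  slice_cls, body_cls = slice_classes(node)
  puts "Ruby #{RUBY_VERSION}: node[1..-1] is a #{slice_cls}, node.sexp_body is a #{body_cls}"
end
```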
Recursive Renders with Absolute Paths
Brakeman has long been able to detect recursive render loops, but that detection did not work if the partial name was an ‘absolute’ path.
This is now fixed!
(changes)
Ensure RubyParser Path is a String
In some cases, the parser was given a Brakeman::FilePath for the file name.
This only caused an issue in some weird corner cases, but it was wrong nonetheless.
Now Brakeman::FileParser will ensure the file name is passed as a string.
(changes)
Support Haml 5.2
Haml 5.2.0 introduced a new method for escaping output, which caused some false positives.
(Note this was avoided in Brakeman 4.10.0 by bundling an earlier version of Haml.)
(changes)
Checksums
The SHA256 sums for this release are:
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Hang out on GitHub for questions and discussion.