Bump Node.js (18.19.1 → 18.20.5), Ruby (3.2.5 → 3.3.6), Rubocop (1.42.0 → 1.70.0), sqlite3 (1.6.9 → 1.7.3), rails-html-sanitizer (1.6.0 → 1.6.2)

.bundler-audit.yml

@@ -4,3 +4,4 @@
 # - leave file with `ignore: []` if ignore list is empty
 ignore:
   - CVE-2024-6484 # ignore until a patch is available https://github.com/advisories/GHSA-9mvj-f7w8-pvh2
+  - CVE-2024-54133 # ignore until Rails is upgraded to >= 7.0

.node-version

@@ -1 +1 @@
-18.19.1
+18.20.5

.ruby-version

@@ -1 +1 @@
-3.2.5
+3.3.6

Dockerfile

@@ -1,4 +1,4 @@
-FROM ruby:3.2.5-slim
+FROM ruby:3.3.6-slim
 
 # Install dependencies
 RUN \

Gemfile.lock

@@ -395,7 +395,7 @@ GEM
       terminal-table (>= 1.4.0)
       thor (>= 0.16.0)
     jmespath (1.6.2)
-    json (2.7.1)
+    json (2.9.1)
     jsonpath (1.1.5)
       multi_json
     jwt (2.7.1)
@@ -404,6 +404,7 @@ GEM
       jsonpath (~> 1.0)
       recursive-open-struct (~> 1.1, >= 1.1.1)
       rest-client (~> 2.0)
+    language_server-protocol (3.17.0.3)
     large_object_store (1.7.0)
       zstd-ruby (~> 1.5.5)
     llhttp-ffi (0.5.0)
@@ -415,7 +416,7 @@ GEM
       railties (>= 4)
       request_store (~> 1.0)
     logstash-event (1.2.02)
-    loofah (2.22.0)
+    loofah (2.24.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     mail (2.7.1)
@@ -429,7 +430,7 @@ GEM
       mime-types-data (~> 3.2015)
     mime-types-data (3.2024.0206)
     mini_mime (1.1.5)
-    mini_portile2 (2.8.7)
+    mini_portile2 (2.8.8)
     minitest (5.14.4)
     mixlib-shellout (3.2.7)
       chef-utils
@@ -457,16 +458,16 @@ GEM
     netrc (0.11.0)
     newrelic_rpm (9.7.1)
     nio4r (2.7.3)
-    nokogiri (1.16.5)
+    nokogiri (1.18.1)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    nokogiri (1.16.5-aarch64-linux)
+    nokogiri (1.18.1-aarch64-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.16.5-arm64-darwin)
+    nokogiri (1.18.1-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.16.5-x86_64-darwin)
+    nokogiri (1.18.1-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.16.5-x86_64-linux)
+    nokogiri (1.18.1-x86_64-linux-gnu)
       racc (~> 1.4)
     oauth2 (2.0.9)
       faraday (>= 0.17.3, < 3.0)
@@ -499,10 +500,10 @@ GEM
       actionpack (>= 4.2)
       omniauth (~> 2.0)
     pagy (4.11.0)
-    parallel (1.24.0)
+    parallel (1.26.3)
     parallel_tests (2.32.0)
       parallel
-    parser (3.3.0.5)
+    parser (3.3.6.0)
       ast (~> 2.4.1)
       racc
     path_expander (1.1.1)
@@ -525,7 +526,7 @@ GEM
     puma (5.6.9)
       nio4r (~> 2.0)
     pyu-ruby-sasl (0.0.3.3)
-    racc (1.8.0)
+    racc (1.8.1)
     rack (2.2.9)
     rack-mini-profiler (3.3.0)
       rack (>= 1.2.0)
@@ -542,9 +543,9 @@ GEM
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.0)
+    rails-html-sanitizer (1.6.2)
       loofah (~> 2.21)
-      nokogiri (~> 1.14)
+      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
     railties (6.1.7.10)
       actionpack (= 6.1.7.10)
       activesupport (= 6.1.7.10)
@@ -555,7 +556,7 @@ GEM
     rake (13.2.1)
     rbtree3 (0.7.1)
     recursive-open-struct (1.1.3)
-    regexp_parser (2.9.0)
+    regexp_parser (2.10.0)
     request_store (1.5.1)
       rack (>= 1.4)
     rest-client (2.1.0)
@@ -567,23 +568,23 @@ GEM
     rollbar (2.27.1)
     rollbar-user_informer (0.1.0)
       rollbar (~> 2.15)
-    rubocop (1.42.0)
+    rubocop (1.70.0)
       json (~> 2.3)
+      language_server-protocol (>= 3.17.0)
       parallel (~> 1.10)
-      parser (>= 3.1.2.1)
+      parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8, < 3.0)
-      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.24.1, < 2.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.36.2, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.30.0)
-      parser (>= 3.2.1.0)
-    rubocop-rails (2.23.1)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.37.0)
+      parser (>= 3.3.1.0)
+    rubocop-rails (2.28.0)
       activesupport (>= 4.2.0)
       rack (>= 1.1)
-      rubocop (>= 1.33.0, < 2.0)
-      rubocop-ast (>= 1.30.0, < 2.0)
+      rubocop (>= 1.52.0, < 2.0)
+      rubocop-ast (>= 1.31.1, < 2.0)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
     ruby_parser (3.21.0)
@@ -627,23 +628,23 @@ GEM
       actionpack (>= 5.2)
       activesupport (>= 5.2)
       sprockets (>= 3.0.0)
-    sqlite3 (1.6.9)
+    sqlite3 (1.7.3)
       mini_portile2 (~> 2.8.0)
-    sqlite3 (1.6.9-aarch64-linux)
-    sqlite3 (1.6.9-arm64-darwin)
-    sqlite3 (1.6.9-x86_64-darwin)
-    sqlite3 (1.6.9-x86_64-linux)
+    sqlite3 (1.7.3-aarch64-linux)
+    sqlite3 (1.7.3-arm64-darwin)
+    sqlite3 (1.7.3-x86_64-darwin)
+    sqlite3 (1.7.3-x86_64-linux)
     stackprof (0.2.12)
-    terminal-table (1.8.0)
-      unicode-display_width (~> 1.1, >= 1.1.1)
+    terminal-table (3.0.2)
+      unicode-display_width (>= 1.1.1, < 3)
     thor (1.3.1)
     tilt (2.3.0)
     timeout (0.4.1)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     uglifier (3.2.0)
       execjs (>= 0.3.0, < 3)
-    unicode-display_width (1.8.0)
+    unicode-display_width (2.6.0)
     validates_lengths_from_database (0.8.0)
       activerecord (>= 4)
     version_gem (1.1.3)
@@ -794,7 +795,7 @@ DEPENDENCIES
   webmock
 
 RUBY VERSION
-   ruby 3.2.5p208
+   ruby 3.3.6p108
 
 BUNDLED WITH
-   2.5.17
+   2.6.2

app/controllers/builds_controller.rb

@@ -168,10 +168,9 @@ def enforce_disabled_docker_builds
 
   def registering_external_build?
     return @registering_external_build if defined?(@registering_external_build)
-    @registering_external_build = (
+    @registering_external_build =
       action_name == "create" &&
-      EXTERNAL_BUILD_ATTRIBUTES.any? { |e| params.dig(:build, e).present? }
-    )
+        EXTERNAL_BUILD_ATTRIBUTES.any? { |e| params.dig(:build, e).present? }
   end
 
   def scope

app/controllers/projects_controller.rb

@@ -80,7 +80,7 @@ def create_callback
   end
 
   def destroy_callback
-    if to = (ENV["PROJECT_DELETED_NOTIFY_ADDRESS"] || created_email)
+    if to = ENV["PROJECT_DELETED_NOTIFY_ADDRESS"] || created_email
       ProjectMailer.deleted_email(to, current_user, @project).deliver_now
     end
   end

app/helpers/user_project_roles_helper.rb

@@ -5,7 +5,7 @@ def user_project_role_radio(user, role_name, role_id, user_project_role_id)
     global_access = (user.role_id >= role_id.to_i)
     disabled = (user.role_id > role_id.to_i)
     project_access = (user_project_role_id.to_i >= role_id.to_i)
-    checked = (global_access || project_access)
+    checked = global_access || project_access
     title = "User is a global #{user.role.name.capitalize}" if global_access
 
     label_tag nil, class: ('disabled' if disabled), title: title do

app/models/changeset/pull_request.rb

@@ -7,7 +7,7 @@ class Changeset::PullRequest
   WEBHOOK_FILTER = /(^|\s)\[samson review\]($|\s)/i
 
   # Matches URLs to JIRA issues.
-  JIRA_ISSUE_URL = %r[https?://[\da-z.\-]+\.[a-z.]{2,6}/browse/#{CODE_ONLY}(?=#{PUNCT}|$)]
+  JIRA_ISSUE_URL = %r[https?://[\da-z.-]+\.[a-z.]{2,6}/browse/#{CODE_ONLY}(?=#{PUNCT}|$)]
 
   # Matches "VOICE-1234" or "[VOICE-1234]"
   JIRA_CODE_TITLE = /(\[)*(#{CODE_ONLY})(\])*/

app/models/concerns/attr_encrypted_support.rb

@@ -2,7 +2,7 @@
 require 'attr_encrypted'
 
 module AttrEncryptedSupport
-  encryption_key_raw = (ENV['ATTR_ENCRYPTED_KEY'] || Rails.application.secrets.secret_key_base)
+  encryption_key_raw = ENV['ATTR_ENCRYPTED_KEY'] || Rails.application.secrets.secret_key_base
   ENCRYPTION_KEY = encryption_key_raw[0...32]
   ENCRYPTION_KEY_SHA = Digest::SHA2.hexdigest(encryption_key_raw)
 

app/models/job_execution.rb

@@ -140,7 +140,7 @@ def execute(dir)
 
     cmds = commands(dir)
     payload = {
-      stage: (@stage&.name || "none"),
+      stage: @stage&.name || "none",
       project: @job.project.name,
       kubernetes: kubernetes?,
       production: @stage&.production?
@@ -201,7 +201,7 @@ def commands(dir)
       DEPLOYER_NAME: @job.user.name,
       REFERENCE: @reference,
       REVISION: @job.commit,
-      TAG: (@job.tag || @job.commit),
+      TAG: @job.tag || @job.commit,
 
       # for shared notification scripts
       PROJECT_NAME: @job.project.name,

app/models/webhook.rb

@@ -25,7 +25,7 @@ def self.for_source(service_type, service_name)
   end
 
   def self.source_matches?(release_source, service_type, service_name)
-    release_source == 'any' || release_source == "any_#{service_type}" || release_source == service_name
+    ['any', "any_#{service_type}", service_name].include?(release_source)
   end
 
   private

db/migrate/20191105170029_make_outbound_webhooks_global.rb

@@ -20,7 +20,7 @@ def change
     OutboundWebhook.find_each do |wh|
       OutboundWebhookStage.create!(stage_id: wh.stage_id, outbound_webhook_id: wh.id) do |o|
         o.created_at = wh.created_at
-        o.updated_at = o.updated_at
+        o.updated_at = wh.updated_at
       end
     end
 

lib/samson/boot_check.rb

@@ -18,8 +18,8 @@ def check
           bad = [
             ActiveRecord::Base.descendants.map(&:name) - ["Audited::Audit"],
             ActionController::Base.descendants.map(&:name) - ["RollbarTestController"],
-            (const_defined?(:Mocha) && "mocha"),
-            (extra_threads.any? && "Extra threads: #{extra_threads}")
+            const_defined?(:Mocha) && "mocha",
+            extra_threads.any? && "Extra threads: #{extra_threads}"
           ].flatten.select { |x| x }
           raise "#{bad.join(", ")} should not be loaded" if bad.any?
         end

lib/samson/build_finder.rb

@@ -44,7 +44,7 @@ def find_or_create_builds
         possible = possible_builds
         needed.delete_if do |dockerfile, image|
           found = self.class.detect_build_by_selector!(
-            possible, dockerfile, image, fail: (last_try && build_disabled), project: @job.project
+            possible, dockerfile, image, fail: last_try && build_disabled, project: @job.project
           )
           if found
             all << found

lib/samson/hooks.rb

@@ -213,7 +213,7 @@ def symlink_plugin_fixtures
           # rails test does not trigger after_run and rake does not work with at_exit
           # https://github.com/rails/rails/pull/26515
           callback = -> do
-            links.each { |_, to| File.delete(to) rescue false } # rubocop:disable Style/RescueModifier
+            links.each { |(_, to)| File.delete(to) rescue false } # rubocop:disable Style/RescueModifier
           end
           if Minitest.respond_to?(:run_with_rails_extension) && Minitest.run_with_rails_extension
             at_exit(&callback)

lib/samson/repo_provider_status.rb

@@ -5,10 +5,8 @@ class RepoProviderStatus
 
     class << self
       def errors
-        (
-          Rails.cache.read(CACHE_KEY) ||
+        Rails.cache.read(CACHE_KEY) ||
           ["To see repo provider status information, add repo_provider_status:60 to PERIODICAL environment variable."]
-        )
       end
 
       def refresh

lib/tasks/maintenance.rake

@@ -73,7 +73,7 @@ namespace :maintenance do
     puts "Confirm? y/n"
     abort unless $stdin.gets.strip == "y"
 
-    actions.each do |_, from_stage|
+    actions.each do |(_, from_stage)|
       from_stage.deploy_groups -= [delete_group]
       from_stage.destroy! if delete_empty && from_stage.deploy_groups.empty?
     end

plugins/datadog/app/models/datadog_monitor_query.rb

@@ -71,7 +71,7 @@ def validate_query_works
     # match_tag is not in monitors grouping so it will never alert
     if match_target?
       monitors.each do |m|
-        groups = (m.response[:query][/\.by\(([^)]*)\)/, 1] || m.response[:query][/ by {([^}]*)}/, 1])
+        groups = m.response[:query][/\.by\(([^)]*)\)/, 1] || m.response[:query][/ by {([^}]*)}/, 1]
         next if groups.to_s.tr('"\'', '').split(",").include?(match_target)
 
         errors.add(

plugins/kubernetes/app/models/kubernetes/deploy_executor.rb

@@ -264,7 +264,7 @@ def print_events(status)
       @output.puts "\n#{resource_identifier(status)} events:"
 
       groups = events.group_by { |e| [e[:type], e[:reason], (e[:message] || "").split("\n").sort] }
-      groups.each do |_, event_group|
+      groups.each_value do |event_group|
         count = sum_event_group(event_group)
         counter = " x#{count}" if count != 1
         e = event_group.first

plugins/kubernetes/app/models/kubernetes/namespace.rb

@@ -55,7 +55,7 @@ def parsed_template
     def validate_template
       return errors.add :template, "needs to be set" if template.blank?
       return errors.add :template, "needs to be a Hash" unless parsed_template.is_a?(Hash)
-      return errors.add :template, "needs metadata.labels.team" unless parsed_template.dig("metadata", "labels", "team")
+      errors.add :template, "needs metadata.labels.team" unless parsed_template.dig("metadata", "labels", "team")
     rescue Psych::Exception
       errors.add :template, "needs to be valid yaml"
     end

plugins/kubernetes/app/models/kubernetes/role_validator.rb

@@ -130,7 +130,7 @@ def validate_name_kinds_are_unique
 
       # group by kind+name and to sure we have no duplicates
       groups = elements.group_by do |e|
-        user_supplied = (ALLOWED_DUPLICATE_KINDS.include?(e.fetch(:kind)) || self.class.keep_name?(e))
+        user_supplied = ALLOWED_DUPLICATE_KINDS.include?(e.fetch(:kind)) || self.class.keep_name?(e)
         [e.fetch(:kind), e.dig(:metadata, :namespace), user_supplied ? e.dig(:metadata, :name) : "hardcoded"]
       end.values
       bad = groups.select { |group| group.size > 1 }

plugins/kubernetes/test/controllers/kubernetes/stages_controller_test.rb

@@ -32,20 +32,20 @@
       it 'fails if reference invalid' do
         GitRepository.any_instance.expects(:commit_from_ref)
         get :manifest_preview, params: {project_id: project.id, id: stage.id}
-        assert_response 400, '# Git reference not found'
+        assert_response :bad_request, '# Git reference not found'
       end
 
       it 'captures template validation errors' do
         Kubernetes::DeployExecutor.any_instance.stubs(:preview_release_docs).raises(Samson::Hooks::UserError, "foobar")
         get :manifest_preview, params: {project_id: project.id, id: stage.id}
-        assert_response 400, '# foobar'
+        assert_response :bad_request, '# foobar'
       end
 
       it 'builds kubernetes manifest' do
         GitRepository.any_instance.expects(:commit_from_ref).returns(git_sha)
 
         get :manifest_preview, params: {project_id: project.id, id: stage.id}
-        assert_response 200
+        assert_response :ok
         yaml = YAML.load_stream(response.body)
         yaml.dig(0, "metadata", "name").must_equal "test-app-server"
         yaml.dig(0, "metadata", "namespace").must_equal "pod1"