You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
#1418: Fix a false positive for Rails/StrongParametersExpect when require is given an array literal, such as params.require([:foo, :bar]).permit(:baz). (@koic)
#1574: Fix an invalid autocorrection for Rails/StrongParametersExpect when permit receives a single dynamic argument, such as params.require(:user).permit(permitted_attributes). (@koic)
#1635: Fix Rails/StrongParametersExpect to allow params[:foo].inspect. (@jdelStrother)
#1418: Fix a false positive for Rails/StrongParametersExpect when require is given an array literal, such as params.require([:foo, :bar]).permit(:baz). ([@koic][])
#1574: Fix an invalid autocorrection for Rails/StrongParametersExpect when permit receives a single dynamic argument, such as params.require(:user).permit(permitted_attributes). ([@koic][])
#1635: Fix Rails/StrongParametersExpect to allow params[:foo].inspect. ([@jdelStrother][])
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Verdict: safe to merge. Lockfile-only patch bump; rubocop-rails is a :development, :test gem and does not ship to production.
CI (run 27679038894):lint ✅ · test ✅ (91.72% coverage). Local Docker/Ruby unavailable here; verification via CI.
Safety of merging
No runtime impact. v2.35.4 is a bug-fix release for the Rails/StrongParametersExpect cop (false positives and unsafe autocorrect). Current codebase lint is clean under the new version.
Concerns unlikely to be caught by the RSpec suite:
Lint-only behaviour change — tests do not exercise RuboCop cops; only the CI lint job validates this. That job passed, so current code is fine.
Future lint deltas — code using params.require([...]), dynamic .permit(permitted_attributes), or params[:foo].inspect may now lint differently than on 2.35.3; this is a cop fix, not a runtime change.
Autocorrect safety — if someone runs rubocop -A on flagged strong-params code, autocorrect behaviour differs from 2.35.3 (previously could produce invalid Ruby in edge cases).
Proposed fixes
None required — CI is green and no application code changes are needed.
Sent by Cursor Automation: Editor-* - Tests Dependabot PRs
Lockfile-only bump of a dev/test linting gem — no runtime or application code changes.
Verification
CI (run 27679038894):lint ✅ (bundle exec rubocop — 507 files, no offenses), test ✅, coverage 91.72%.
Local: Docker/Ruby unavailable in this environment; relied on CI.
Safety of merging
Concerns unlikely to be caught by the test suite:
Lint-only dependency — no production behaviour change; risk is limited to RuboCop rule behaviour in CI and local dev.
Rails/StrongParametersExpect cop fixes — v2.35.4 only adjusts that cop (fewer false positives; safer autocorrect for dynamic permit args). This repo already uses params.expect widely; google_auth_controller.rb also uses require with an array literal, which this release specifically fixes.
Autocorrect semantics — Rails/StrongParametersExpect remains an unsafe cop; rubocop -A could still rewrite strong-params code in ways tests might not cover. CI does not run autocorrect.
Proposed fixes
None — no failing tests, new deprecations, or lint regressions observed.
Sent by Cursor Automation: Editor-* - Tests Dependabot PRs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cla-signeddependenciesPull requests that update a dependency filerubyPull requests that update ruby code
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
dependabot
Bot
added
dependencies
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
Bumps rubocop-rails from 2.35.3 to 2.35.4.
Release notes
Sourced from rubocop-rails's releases.
Changelog
Sourced from rubocop-rails's changelog.
Commits
a4d53a5Cut 2.35.4e9e592dUpdate Changelog84eb5fe[Doc] Update the doc forRails/StrongParametersExpect5490e3eMerge pull request #1636 from koic/fix_strong_parameters_expect_dynamic_permi...cfe75e9[Fix #1574] Fix an invalid autocorrection forRails/StrongParametersExpect4817d57Merge pull request #1633 from koic/doc_strong_parameters_expect_safetyd9824c6Merge pull request #1634 from koic/fix_strong_parameters_expect_array_requiree30a80bMerge pull request #1635 from jdelStrother/params-inspect70651a0Allowinspectin Rails/StrongParametersExpecta8f6e0c[Doc] Document additional unsafety ofRails/StrongParametersExpectDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)