[Security] Bump squizlabs/php_codesniffer from 2.6.2 to 3.5.8

[dependabot-preview]

Bumps squizlabs/php_codesniffer from 2.6.2 to 3.5.8. This update includes a security fix.

Vulnerabilities fixed

Sourced from The PHP Security Advisories Database.

Arbitrary shell execution

Affected versions: >=1.0.0, =2.0.0, <2.8.1

Release notes

Sourced from squizlabs/php_codesniffer's releases.

3.5.8

• Reverted a change to the way include/exclude patterns are processed for STDIN content
  • This change is not backwards compatible and will be re-introduced in version 3.6.0

3.5.7

• The PHP 8.0 T_NULLSAFE_OBJECT_OPERATOR token has been made available for older versions
  • Existing sniffs that check for T_OBJECT_OPERATOR have been modified to apply the same rules for the nullsafe object operator
  • Thanks to Juliette Reinders Folmer for the patch
• The new method of PHP 8.0 tokenizing for namespaced names has been revert to the pre 8.0 method
  • This maintains backwards compatible for existing sniffs on PHP 8.0
  • This change will be removed in PHPCS 4.0 as the PHP 8.0 tokenizing method will be backported for pre 8.0 versions
  • Thanks to Juliette Reinders Folmer for the patch
• Added support for changes to the way PHP 8.0 tokenizes hash comments
  • The existing PHP 5-7 behaviour has been replicated for version 8, so no sniff changes are required
  • Thanks to Juliette Reinders Folmer for the patch
• The autoloader has been changed to fix sniff class name detection issues that may occur when running on PHP 7.4+
  • Thanks to Eloy Lafuente for the patch
• Running the unit tests now includes warnings in the found and fixable error code counts
  • Thanks to Juliette Reinders Folmer for the patch
• PSR12.ControlStructures.BooleanOperatorPlacement.FoundMixed error message is now more accurate when using the allowOnly setting
  • Thanks to Vincent Langlet for the patch
• PSR12.Functions.NullableTypeDeclaration now supports the PHP8 static return type
  • Thanks to Juliette Reinders Folmer for the patch
• Fixed Squiz.Formatting.OperatorBracket false positive when exiting with a negative number
• Fixed Squiz.PHP.DisallowComparisonAssignment false positive for methods called on an object
• Fixed bug #2882 : Generic.Arrays.ArrayIndent can request close brace indent to be less than the statement indent level
• Fixed bug #2883 : Generic.WhiteSpace.ScopeIndent.Incorrect issue after NOWDOC
• Fixed bug #2975 : Undefined offset in PSR12.Functions.ReturnTypeDeclaration when checking function return type inside ternary
• Fixed bug #2988 : Undefined offset in Squiz.Strings.ConcatenationSpacing during live coding
  • Thanks to Thiemo Kreuz for the patch
• Fixed bug #2989 : Incorrect auto-fixing in Generic.ControlStructures.InlineControlStructure during live coding
  • Thanks to Thiemo Kreuz for the patch
• Fixed bug #3007 : Directory exclude pattern improperly excludes directories with names that start the same
  • Thanks to Steve Talbot for the patch
• Fixed bug #3043 : Squiz.WhiteSpace.OperatorSpacing false positive for negation in arrow function
  • Thanks to Juliette Reinders Folmer for the patch
• Fixed bug #3049 : Incorrect error with arrow function and parameter passed as reference
  • Thanks to Juliette Reinders Folmer for the patch
• Fixed bug #3053 : PSR2 incorrect fix when multiple use statements on same line do not have whitespace between them
• Fixed bug #3058 : Progress gets unaligned when 100% happens at the end of the available dots
• Fixed bug #3059 : Squiz.Arrays.ArrayDeclaration false positive when using type casting
  • Thanks to Sergei Morozov for the patch
• Fixed bug #3060 : Squiz.Arrays.ArrayDeclaration false positive for static functions
  • Thanks to Sergei Morozov for the patch
• Fixed bug #3065 : Should not fix Squiz.Arrays.ArrayDeclaration.SpaceBeforeComma if comment between element and comma
  • Thanks to Sergei Morozov for the patch
• Fixed bug #3066 : No support for namespace operator used in type declarations
  • Thanks to Juliette Reinders Folmer for the patch
• Fixed bug #3075 : PSR12.ControlStructures.BooleanOperatorPlacement false positive when operator is the only content on line
• Fixed bug #3099 : Squiz.WhiteSpace.OperatorSpacing false positive when exiting with negative number

Commits

• 9d58372 Prepare for 3.5.8 release
• 9dd6d64 Revert "File::addMessage(): don't apply include/exclude patterns to STDIN"
• a978246 Revert "File::process(): don't apply include/exclude patterns to STDIN"
• 4dbf1d5 Prepare for 3.5.7 release
• 8cbba26 Merge branch 'feature/3107-dont-check-stdin-against-ignore-include-paths' of ...
• d4ba5fc Changelog for #3043 (ref #3129)
• efcd173 Merge branch 'feature/3043/psr12-operatorspacing-bug-with-arrow-functions' of...
• 9bcc961 Merge branch 'docblocks1' of https://github.com/mayflower/PHP_CodeSniffer
• 224b3a2 Merge branch 'feature/minor-docs-fixes' of https://github.com/jrfnl/PHP_CodeS...
• 2ecd990 Changelog for #3135
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

Superseded by #290.