chore(deps): update dependency yard to '~> 0.9', '>= 0.9.35' (main) - autoclosed#10

Closed
mend-for-github-com[bot] wants to merge 1 commit into main from whitesource-remediate/main-yard-0.9.x

@mend-for-github-com

This PR contains the following updates:

| Package | Change |
|---|---|
| yard (source) | '~> 0.9' -> '~> 0.9', '>= 0.9.35' |

By merging this PR, the issue #7 will be automatically resolved and closed:

| Severity | CVSS Score | CVE | Reachability |
|---|---|---|---|
| Medium | 5.4 | CVE-2024-27285 | |

Release Notes

lsegal/yard (yard)

v0.9.35

  • Fix possible XSS on generated YARD frameset pages (thanks to @​RedYetiDev for finding and patching) (2069e2b).
  • Fix errors when using @option on non-method objects (#​1508)
  • Support Ruby 3.3 changes in Ripper parser (#​1510)

v0.9.34

  • Add changelog to yard.gemspec
  • Fix fork behavior in yard server --fork

v0.9.33

  • Ensure .yardopts is present in gem package (internal YARD documentation change)

v0.9.32

  • Fix issue with custom Rack::Request attributes in yard server

v0.9.31

  • Remove dependency on webrick in YARD::Server::Commands::StaticFileHelpers

v0.9.30

  • Hot release fix to correct issue with gem packaging missing templates (#​1490)

v0.9.29

v0.9.28

  • Safe load config YAML files (#​1385)
  • Handle empty string constants (#​1415)
  • Pre-emptively support removal of Object#taint in Ruby 3.2 (#​1419)
  • Fix Ruby 3.1 forward args Ripper change (#​1431)

v0.9.27

  • Add support for Ruby 3.0 endless method definitions. (#​1376, #​1381)
  • Add existence check for README file (#​1367)
  • Support module_function decorator (#​1365)
  • Add CommonMarker markup support (-m commonmarker) (#​1157, #​1388)
  • Fix nested array parsing (#​1389)
  • Add WEBrick as a runtime dependency for Ruby 3.0 support (#​1400)
  • Support fail_on_warning option in yard stats command (#​1392)
  • Better integration with Sorbet (#​1401)
  • Handle include mixins on complex paths (#​1386)
  • Fix @!scope maintaining state in lone comment blocks (#​1411)
  • Remove support for Travis CI

v0.9.26

  • Add support for Ruby 3.0 and fix tests
  • Fix support for frozen_string_literal: false magic comments (#​1363)

v0.9.25

v0.9.24

  • Add {YARD::CodeObjects::NamespaceMapper.on_invalidate} callback when separator
    cache is changed.
  • Fix issue where Registry fails to resolve first-time lookups on instance methods.

v0.9.23

  • Fix issues with double encoded code blocks when highlighted from an extra
    file.

v0.9.22

  • Revert jquery update in last release since it requires more changes. (#​1298)

v0.9.21

  • Updates to add support for Ruby 2.7.0 (#​1290, #​1296)
  • Fix parsing of multiline method signatures (#​1220)
  • Remove RubyGems post install message (#​1269)
  • Improve object deletion from RegistryStore (#​1284)
  • Improve memory usage performance (#​1260)
  • Handle include and extend calls with explicit receivers (#​1274)
  • Fix deep nesting of TOC items (#​1288)
  • Fix highlighting for Asciidoc markup code blocks (#​1276)
  • Fix HTML formatting of script tags (#​1263)
  • Update jquery to 3.4.1 (#​1294)
  • Test fixes (#​1244)

v0.9.20

  • Fix parsing of stringified Symbols in Ruby source (#​1256).
  • Fix path traversal vulnerability in yard server. This bug would allow
    unsanitized HTTP requests to access arbitrary files on the machine of a
    yard server host under certain conditions. Thanks to CuongMX from
    Viettel Cyber Security for discovering this vulnerability.

v0.9.19

  • Fixed bug in browser back button (#​1071, #​1228)
  • Fixed handling of ArgumentError in ExtraFileObject (#​1198)
  • Fixed double return tag displaying on boolean methods (#​1226)
  • Removed unused Module#namespace_name function (#​1229)
  • Fixed parsing order of README files. YARD will now prefer README over
    README.md over README.x.md or README-x.md (and the like). READMEs will now
    also be ordered by filename; the first README is still chosen unless
    --readme is provided.
  • Updated AsciiDoc markup support to use non-deprecated calls.

v0.9.18

v0.9.17

v0.9.16

v0.9.15

  • Fixed security issue in parsing of Ruby code that could allow for arbitrary
    execution. Credit to Nelson Elhage <nelhage@nelhage.com> for discovering this
    issue.

v0.9.14

  • Fixed a regression in symbol parsing (#​1170).

v0.9.13

  • Added support for grouped constants via @!group directive (#​1056).
  • Added support for quoted symbols (#​1168).
  • Added support for i18n in tag text (#​1169).
  • Fixed HTML rendering of inline code blocks (#​1152).
  • Fixed rendering of anchor URLs in rendered HTML (#​1154).

v0.9.12

  • Be more explicit about lack of support for absolute paths in extra files
    specified by yard doc command.

v0.9.11

  • Fixed security issue in --readme that allowed for arbitrary file reads on
    disk. Credit to ztz <ztz@ztz.me> for discovering this issue.
  • Improved styling for inline code blocks (#​1142).

v0.9.10

  • Added --fail-on-warning option for yard doc which exits with a non-zero
    code if there are any warnings (#​1093).
  • Added support for parsing inside Struct.new blocks (#​1099).
  • Added support new ripper AST tokens (#​1104, #​1124).
  • Fixed an issue where @see (obj) reference tags would fail (#​1111)
  • Fix sorting in yard stats (#​1123).

v0.9.9

  • Added gem uninstall hooks to remove YARD documentation files. (#​1083)
  • Added support for C++ namespaces. (#​809)
  • Fixed issue where loading a .html page via an anchor would not scroll to
    the anchor section. (#​1082)
  • Hide some Ruby warnings.
  • Improve progress indicator icons in terminal.

v0.9.8

  • Fixed installed gems not being correctly found in yard server and by plugins.
  • Fixed tokenization of %w(...) array syntax.

v0.9.7

  • Fixed resolution of absolute object paths with ambiguous names. (#​1029)

v0.9.6

  • Removed official support for Ruby 1.x (1.8/1.9). YARD can still be installed
    in these versions, but support is not guaranteed. Simple bug fixes may still
    be considered via pull request only. Issues without code will be automatically
    closed.
  • Added {YARD::Tags::Tag#explain_types} returning a plain English summary
    of the type specification of a given tag. Also adds {YARD::Tags::TypesExplainer}
    as an implementation class for the method.
  • Added support for automatic linking of constants and method calls of
    Ruby syntax highlighted source code in generated HTML. Also adds the
    {YARD::Parser::Ruby::TokenResolver} implementation class to iterate over
    tokenized code with extra resolved object information.
  • Added support for compound constant assignments (A::B::C = true).
  • Added LibraryVersion#yardoc_file_for_SOURCE callback method for sources with
    a pre-determined yardoc file location. Implement this method instead of
    manually setting library.yardoc_file = ... in your load method (you can
    still assign the attribute manually).
  • Use RubyGems 2.x+ API to query gems when available instead of using backport.
  • Various bug fixes

v0.9.5

  • yard doc will now generate .yardoc/processing and .yardoc/complete files
    to allow other tools to properly detect when YARD is in the middle of parsing
    source files, and when it has completed writing the database.
  • Added support for on-demand generation of LibraryVersion objects using the
    :disk source type. LibraryVersion objects pointing to a .yardoc database
    directory will now auto-generate if there is a source_path attached.
  • Added warning for macros attached to non-method objects.
  • Fixed a few more parsing errors.

v0.9.4

  • Minor Ruby file parsing and CSS bug fixes.

v0.9.3

  • Fix JavaScript errors in --one-file template (#​1426)
  • Fix heredoc parsing and add support for squiggly heredocs (#​1315, #​1495)
  • Accessibility improvements to the default template (#​1501)
  • Improved YARD documentation (#​1410, #​1512, #​1516, #​1544)
  • Fix error when parsing @option tags (#​1515)
  • Fix issue parsing UTF-8 filenames (#​1517)
  • Replace OpenStruct with optimized YARD::OpenStruct to avoid ostruct performance warnings (#​1545)
  • Add support for private attr_* syntax (#​1541)
  • Remove logger dependency (#​1546)

v0.9.2

v0.9.1

  • Fixed bug in browser back button (#​1071, #​1228)
  • Fixed handling of ArgumentError in ExtraFileObject (#​1198)
  • Fixed double return tag displaying on boolean methods (#​1226)
  • Removed unused Module#namespace_name function (#​1229)
  • Fixed parsing order of README files. YARD will now prefer README over
    README.md over README.x.md or README-x.md (and the like). READMEs will now
    also be ordered by filename; the first README is still chosen unless
    --readme is provided.
  • Updated AsciiDoc markup support to use non-deprecated calls.

@mend-for-github-com mend-for-github-com bot added the security fix Security fix generated by Mend label Feb 14, 2025
@mend-for-github-com mend-for-github-com bot changed the title chore(deps): update dependency yard to '~> 0.9', '>= 0.9.35' (main) chore(deps): update dependency yard to '~> 0.9', '>= 0.9.35' (main) - autoclosed Mar 9, 2025
@mend-for-github-com mend-for-github-com bot deleted the whitesource-remediate/main-yard-0.9.x branch March 9, 2025 03:48