[Security] Bump squizlabs/php_codesniffer from 2.6.0 to 2.9.2 #7

Merged

Conversation

dependabot-preview[bot]
Contributor

Bumps squizlabs/php_codesniffer from 2.6.0 to 2.9.2. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Sonatype OSS Index.

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Affected versions: < 2.0.0, >= 1.0.0; < 2.8.1, >= 2.0.0

Sourced from The PHP Security Advisories Database.

Arbitrary shell execution

Affected versions: >=1.0.0, <2.0.0; >=2.0.0, <2.8.1

Release notes

Sourced from squizlabs/php_codesniffer's releases.

2.9.2

Final 2.9 Release

Version 2.9.2 will be the final release of the PHP_CodeSniffer 2.9 branch, first released over 4 years ago. All developers still using version 2 are strongly encouraged to migrate to version 3.

Version 3 was first released as stable on the 4th of May 2017 and is a large refactoring of the code base that breaks backwards compatibility for all custom sniffs and custom reports. An upgrade guide for sniff and report developers is available here: https://github.com/squizlabs/PHP_CodeSniffer/wiki/Version-3.0-Upgrade-Guide

Note: If you only use the built-in coding standards (such as PEAR or PSR2), or you have a custom ruleset.xml file that only makes use of the sniffs and reports distributed with PHP_CodeSniffer, you do not need to make any changes to begin using PHP_CodeSniffer version 3.

Other Changes

  • PHPCS should now run under PHP 7.3 without deprecation warnings
    • Thanks to Nick Wilde for the patch
  • Fixed bug #1496 : Squiz.Strings.DoubleQuoteUsage not unescaping dollar sign when fixing
    • Thanks to Michał Bundyra for the patch
  • Fixed bug #1549 : Squiz.PHP.EmbeddedPhp fixer conflict with // comment before PHP close tag
    • Thanks to Juliette Reinders Folmer for the patch
  • Fixed bug #1890 : Incorrect Squiz.WhiteSpace.ControlStructureSpacing.NoLineAfterClose error between catch and finally statements

2.9.1

  • Fixed bug #1442 : T_NULLABLE detection not working for nullable parameters and return type hints in some cases
  • Fixed bug #1448 : Generic.Classes.OpeningBraceSameLine doesn't detect comment before opening brace
    • Thanks to Juliette Reinders Folmer for the patch

2.9.0

  • Added Generic.Debug.ESLint sniff to run ESLint over JS files and report errors
    • Set eslint path using: phpcs --config-set eslint_path /path/to/eslint
    • Thanks to Ryan McCue for the contribution
  • T_POW is now properly considered an arithmetic operator, and will be checked as such
    • Thanks to Juliette Reinders Folmer for the patch
  • T_SPACESHIP and T_COALESCE are now properly considered comparison operators, and will be checked as such
    • Thanks to Juliette Reinders Folmer for the patch
  • Generic.PHP.DisallowShortOpenTag now warns about possible short open tags even when short_open_tag is set to OFF
    • Thanks to Juliette Reinders Folmer for the patch
  • Generic.WhiteSpace.DisallowTabIndent now finds and fixes improper use of spaces anywhere inside the line indent
    • Previously, only the first part of the indent was used to determine the indent type
    • Thanks to Juliette Reinders Folmer for the patch
  • PEAR.Commenting.ClassComment now supports checking of traits as well as classes and interfaces
    • Thanks to Juliette Reinders Folmer for the patch
  • Squiz.Commenting.FunctionCommentThrowTag now supports re-throwing exceptions (request #946)
    • Thanks to Samuel Levy for the patch
  • Squiz.PHP.DisallowMultipleAssignments now ignores PHP4-style member var assignments
    • Thanks to Juliette Reinders Folmer for the patch
  • Squiz.WhiteSpace.FunctionSpacing now ignores spacing above functions when they are preceded by inline comments
    • Stops conflicts between this sniff and comment spacing sniffs
  • Squiz.WhiteSpace.OperatorSpacing no longer checks the equal sign in declare statements
    • Thanks to Juliette Reinders Folmer for the patch
  • Added missing error codes for a couple of sniffs so they can now be customised as normal
  • Fixed bug #1266 : PEAR.WhiteSpace.ScopeClosingBrace can throw an error while fixing mixed PHP/HTML
  • Fixed bug #1364 : Yield From values are not recognised as returned values in Squiz FunctionComment sniff
  • Fixed bug #1373 : Error in tab expansion results in white-space of incorrect size
    • Thanks to Mark Clements for the patch
... (truncated)
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

If all status checks pass Dependabot will automatically merge this pull request.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
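The CWE-78 entry quoted above describes the weakness class in general terms only; this PR does not show which php_codesniffer code path was affected or how it was fixed. As an added illustration, not code from php_codesniffer or from Dependabot, the PHP below shows a hypothetical helper that runs an external linter over a file in the vulnerable style, beside two hardened variants: quoting every externally influenced argument with `escapeshellarg()`, and avoiding the shell entirely with an array command to `proc_open()` (PHP 7.4 or later). The function names, the tool path `/usr/bin/eslint` and the sample file name are assumptions made for this example.

```php
<?php
// Added example illustrating CWE-78 (OS command injection) in PHP.
// Hypothetical helpers; NOT php_codesniffer's code and NOT its fix.
// In the scenario, $tool (a configured binary path) and $path (a file
// name) are externally influenced, exactly the situation CWE-78 describes.

declare(strict_types=1);

/**
 * VULNERABLE (CWE-78): the arguments are concatenated into a shell command
 * string without neutralising shell special elements. A $path containing
 * whitespace, quotes or metacharacters changes what the shell executes.
 */
function lintFileUnsafe(string $tool, string $path): string
{
    $cmd = $tool . ' ' . $path;
    return (string) shell_exec($cmd);
}

/**
 * HARDENED, still via the shell: each externally influenced argument is
 * wrapped in escapeshellarg(), so the shell receives it as one literal word.
 * The file is also checked to be a regular file before anything runs.
 */
function lintFileSafe(string $tool, string $path): string
{
    if (!is_file($path)) {
        throw new InvalidArgumentException('not a regular file: ' . $path);
    }
    $cmd = escapeshellarg($tool) . ' ' . escapeshellarg($path);
    return (string) shell_exec($cmd);
}

/**
 * HARDENED, no shell at all: proc_open() with an array command (PHP 7.4+)
 * executes the program directly, so there are no special elements to
 * neutralise. stdout is captured through a pipe; stderr is inherited
 * (unspecified descriptors are inherited from the parent). The exit code
 * is handed back through $exitCode.
 */
function lintFileNoShell(string $tool, string $path, int &$exitCode): string
{
    $spec  = [1 => ['pipe', 'w']];
    $pipes = [];
    $proc  = proc_open([$tool, $path], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ' . $tool);
    }
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $exitCode = proc_close($proc);
    return $stdout;
}

// Constructed demo input: a file name containing a space. Plain concatenation
// makes the shell see two separate arguments; escapeshellarg() keeps it one.
$tool = '/usr/bin/eslint';          // assumed tool path
$path = 'my report.js';             // constructed file name

echo 'unsafe command: ', $tool . ' ' . $path, PHP_EOL;
echo 'quoted command: ', escapeshellarg($tool) . ' ' . escapeshellarg($path), PHP_EOL;
```

The two hardened variants are not equivalent: `escapeshellarg()` keeps the shell in the loop and relies on correct quoting of every argument, whereas the array form of `proc_open()` removes the shell from the call path, which is the more robust mitigation for this weakness class when the tool does not itself need shell features.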

Bumps [squizlabs/php_codesniffer](https://github.com/squizlabs/PHP_CodeSniffer) from 2.6.0 to 2.9.2. **This update includes security fixes.**
- [Release notes](https://github.com/squizlabs/PHP_CodeSniffer/releases)
- [Commits](squizlabs/PHP_CodeSniffer@2.6.0...2.9.2)

Signed-off-by: dependabot[bot] <support@dependabot.com>
@WyriHaximus WyriHaximus merged commit 89a769d into master Nov 9, 2018
@dependabot-preview dependabot-preview bot deleted the dependabot/composer/squizlabs/php_codesniffer-2.9.2 branch November 9, 2018 19:14