Bump rubocop-rails from 2.35.3 to 2.35.4

[dependabot]

Bumps rubocop-rails from 2.35.3 to 2.35.4.

Release notes

Sourced from rubocop-rails's releases.

RuboCop Rails v2.35.4

Bug fixes

• #1418: Fix a false positive for Rails/StrongParametersExpect when require is given an array literal, such as params.require([:foo, :bar]).permit(:baz). (@​koic)
• #1574: Fix an invalid autocorrection for Rails/StrongParametersExpect when permit receives a single dynamic argument, such as params.require(:user).permit(permitted_attributes). (@​koic)
• #1635: Fix Rails/StrongParametersExpect to allow params[:foo].inspect. (@​jdelStrother)

Changelog

Sourced from rubocop-rails's changelog.

2.35.4 (2026-06-07)

Bug fixes

• #1418: Fix a false positive for Rails/StrongParametersExpect when require is given an array literal, such as params.require([:foo, :bar]).permit(:baz). ([@​koic][])
• #1574: Fix an invalid autocorrection for Rails/StrongParametersExpect when permit receives a single dynamic argument, such as params.require(:user).permit(permitted_attributes). ([@​koic][])
• #1635: Fix Rails/StrongParametersExpect to allow params[:foo].inspect. ([@​jdelStrother][])

Commits

• a4d53a5 Cut 2.35.4
• e9e592d Update Changelog
• 84eb5fe [Doc] Update the doc for Rails/StrongParametersExpect
• 5490e3e Merge pull request #1636 from koic/fix_strong_parameters_expect_dynamic_permi...
• cfe75e9 [Fix #1574] Fix an invalid autocorrection for Rails/StrongParametersExpect
• 4817d57 Merge pull request #1633 from koic/doc_strong_parameters_expect_safety
• d9824c6 Merge pull request #1634 from koic/fix_strong_parameters_expect_array_require
• e30a80b Merge pull request #1635 from jdelStrother/params-inspect
• 70651a0 Allow inspect in Rails/StrongParametersExpect
• a8f6e0c [Doc] Document additional unsafety of Rails/StrongParametersExpect
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[github-actions]

Test coverage

91.72% line coverage reported by SimpleCov.
Run: https://github.com/RaspberryPiFoundation/editor-api/actions/runs/27679038894

[cursor]

Stale comment

Dependabot assessment: rubocop-rails 2.35.3 → 2.35.4

Verdict: safe to merge. Lockfile-only patch bump; rubocop-rails is a :development, :test gem and does not ship to production.

CI (run 27679038894): lint ✅ · test ✅ (91.72% coverage). Local Docker/Ruby unavailable here; verification via CI.

Safety of merging

No runtime impact. v2.35.4 is a bug-fix release for the Rails/StrongParametersExpect cop (false positives and unsafe autocorrect). Current codebase lint is clean under the new version.

Concerns unlikely to be caught by the RSpec suite:

• Lint-only behaviour change — tests do not exercise RuboCop cops; only the CI lint job validates this. That job passed, so current code is fine.
• Future lint deltas — code using params.require([...]), dynamic .permit(permitted_attributes), or params[:foo].inspect may now lint differently than on 2.35.3; this is a cop fix, not a runtime change.
• Autocorrect safety — if someone runs rubocop -A on flagged strong-params code, autocorrect behaviour differs from 2.35.3 (previously could produce invalid Ruby in edge cases).

Proposed fixes

None required — CI is green and no application code changes are needed.

  

_{Sent by Cursor Automation: Editor-* - Tests Dependabot PRs}

[cursor]

Dependabot assessment: rubocop-rails 2.35.3 → 2.35.4

Verdict: safe to merge.

Lockfile-only bump of a dev/test linting gem — no runtime or application code changes.

Verification

• CI (run 27679038894): lint ✅ (bundle exec rubocop — 507 files, no offenses), test ✅, coverage 91.72%.
• Local: Docker/Ruby unavailable in this environment; relied on CI.

Safety of merging

Concerns unlikely to be caught by the test suite:

• Lint-only dependency — no production behaviour change; risk is limited to RuboCop rule behaviour in CI and local dev.
• Rails/StrongParametersExpect cop fixes — v2.35.4 only adjusts that cop (fewer false positives; safer autocorrect for dynamic permit args). This repo already uses params.expect widely; google_auth_controller.rb also uses require with an array literal, which this release specifically fixes.
• Autocorrect semantics — Rails/StrongParametersExpect remains an unsafe cop; rubocop -A could still rewrite strong-params code in ways tests might not cover. CI does not run autocorrect.

Proposed fixes

None — no failing tests, new deprecations, or lint regressions observed.

  

_{Sent by Cursor Automation: Editor-* - Tests Dependabot PRs}