7.1.1

• Exclude directories before searching for files (#1925)
• Check for unsafe SQL when two arguments are passed to AR methods (Patrick Brinich-Langlois)
• Fix SQL injection check for calculate method (Rohan Sharma)
• Check each side of or SQL arguments (#1935)
• Consider Tempfile.create.path as safe input (Ali Ismayilov)
• Fix false positive when calling with_content on ViewComponents (Peer Allan)
• Add FilePath#to_path for Ruby 3.5 compatibility (S.H.)
• Ignore attribute builder in Haml 6 (#1952)
• Word wrap text report output in pager

7.1.0

• Add Haml 6.x support (#1914, #1841, etc.)
• Support render model shortcut (#959, #1940, etc.)
• Add --ensure-no-obsolete-config-entries option (viralpraxis)
• Update JUnit report for CircleCI (Philippe Bernery)
• Improve ignored warnings layout in HTML report (Sebastien Savater)
• Only load escape functionality from cgi library (Earlopain)
• Add EOL dates for Rails 8.0 and Ruby 3.4
• Use lazy file lists for AppTree

7.0.2

• Fix error with empty BUNDLE_GEMFILE env variable

7.0.1

• Avoid warning on evaluation of plain strings (#1919)
• Enable use of custom/alternative Gemfiles (#1840, #1907)
• Fix error on directory with rb extension (viralpraxis)
• Support terminal-table 4.0 (Chedli Bourguiba)
• Better support Prism 1.4.0 (#1927)
• Only output timing for each file when using --debug

7.0.0

• Default to using Prism parser if available (disable with --no-prism)
• Disable following symbolic links by default (re-enable with --follow-symlinks)
• Remove updated entry in Brakeman ignore files (Toby Hsieh)
• Major changes to how rescanning works
• Fix hardcoded globally excluded paths (#1830)
• Always warn about deserializing from Marshal
• Update eval check to be a little noisier
• Output originalBaseUriIds for SARIF format report (#1889)
• Add step (and timing) for finding files
• Fix recursion when handling multiple assignment expressions (#1877)
• Fix array/hash unknown index handling
• Update terminal-table version
• Add CSV library as explicit dependency for Ruby 3.4 support
• Raise minimum Ruby version to 3.1

6.2.2

• New end-of-support dates for Rails
• Revamp command injection detection in pipeline* calls (#1862)
• Exclude more native gems from vendored gems in brakeman gem (#1869)

6.2.1

• Add optional support for Prism parser (use --prism)
• Handle parallel assignment with splats (#1833)
• Warn about unscoped finds with find_by! (#1786)
• Add initial Rails 8 support (Ron Shinall)
• Add support for symbolic links (Lu Zhu)
• Support YAML aliases in secret configs (Chedli Bourguiba)
• Add --show-ignored option (Gabriel Arcangel Zayas)
• Treat ::X and X the same, for now (Jill Klang)
• Remediation advice for command injection Nicholas Barone
• Fix compatibility with default frozen string literals (Jean Boussier)
• Fix Ruby warnings in test suite (Jean Boussier)

6.1.2

• Avoid detecting Phlex components as dynamic render paths (Máximo Mussini)
• Avoid detecting ViewComponentContrib::Base as dynamic render paths (vividmuimui)
• Avoid copying Sexps that are too large (#1818, #1546)
• Add EOL date for Ruby 3.3.0
• Remove deprecated use of Kernel#open("|...")
• Remove safe_yaml gem dependency
• Update Highline to 3.0 (#1812)

6.1.1

• Handle racc as a default gem in Ruby 3.3.0

6.1.0

• Add check for unfiltered search with Ransack
• Add --timing to add timing duration for scan steps
• Add PG::Connection.escape_string as a SQL sanitization method (Joévin Soulenq)
• Handle class << self
• Fix class method lookup in parent classes
• Fix keyword splats in filter arguments