
Conversation


@justin808 justin808 commented Nov 20, 2025

Summary

  • Updates all runtime and development dependencies to their latest compatible versions
  • Updates .rubocop.yml configuration to use modern plugin syntax

Runtime Dependencies Updated

  • dotenv: 2.8.1 → 3.1.8 (major version update)
  • jwt: 2.8.1 → 3.1.2 (major version update)
  • psych: 5.1.0 → 5.2.6 (minor version update)
  • thor: 1.2.1 → 1.4.0 (minor version update)

Development Dependencies Updated

  • overcommit: 0.60.0 → 0.68.0
  • rspec: 3.12.0 → 3.13.2
  • rubocop: 1.64.1 → 1.81.7
  • rubocop-rake: 0.6.0 → 0.7.1
  • rubocop-rspec: 3.0.1 → 3.8.0
  • timecop: 0.9.6 → 0.9.10
  • webmock: 3.18.1 → 3.26.1

Configuration Changes

Updated .rubocop.yml to use the new plugin configuration syntax required by rubocop 1.72+:

  • Changed from require: to plugins: for rubocop-rake and rubocop-rspec

Test Plan

  • Bundle update completed successfully
  • RuboCop runs without configuration errors (44 pre-existing style offenses found, unrelated to dependency updates)
  • Tests require CPLN_ORG environment variable (same as before update)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated multiple dependencies across development tools and core libraries to newer versions
    • Updated configuration mechanism for code quality tools


Runtime dependencies:
- dotenv: 2.8.1 -> 3.1.8
- jwt: 2.8.1 -> 3.1.2
- psych: 5.1.0 -> 5.2.6
- thor: 1.2.1 -> 1.4.0

Development dependencies:
- overcommit: 0.60.0 -> 0.68.0
- rspec: 3.12.0 -> 3.13.2
- rubocop: 1.64.1 -> 1.81.7
- rubocop-rake: 0.6.0 -> 0.7.1
- rubocop-rspec: 3.0.1 -> 3.8.0
- timecop: 0.9.6 -> 0.9.10
- webmock: 3.18.1 -> 3.26.1

Also updated .rubocop.yml to use the new plugins configuration
syntax (plugins: instead of require:) as required by newer versions
of rubocop-rake and rubocop-rspec.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

coderabbitai bot commented Nov 20, 2025

Walkthrough

The pull request updates configuration and dependency management across the project. RuboCop configuration transitions from a require-based to a plugin-based mechanism. Development and runtime gem dependencies are upgraded to newer versions, affecting multiple tools and libraries.

Changes

Cohort / File(s) and summary:

  • Configuration updates (.rubocop.yml): Changed top-level plugin declaration from require: to plugins: with entries rubocop-rake and rubocop-rspec
  • Development dependencies (Gemfile): Updated gem versions: overcommit (0.60.0 → 0.68.0), rspec (3.12.0 → 3.13), rubocop (1.64.1 → 1.81), rubocop-rake (0.6.0 → 0.7.1), rubocop-rspec (3.0.1 → 3.8), timecop (0.9.6 → 0.9.10), webmock (3.18.1 → 3.26)
  • Runtime dependencies (cpflow.gemspec): Updated dependency version constraints: dotenv (~> 2.8.1 → ~> 3.1), jwt (~> 2.8.1 → ~> 3.1), psych (~> 5.1.0 → ~> 5.2), thor (~> 1.2.1 → ~> 1.4)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Rationale: Changes are primarily routine dependency version bumps with straightforward impact. The RuboCop config key transition is a simple structural change. Most edits are repetitive (version updates) and low-risk.
  • Areas requiring attention:
    • Verify that plugins: syntax is compatible with the RuboCop version being used (1.81)
    • Confirm that the major version updates (dotenv, jwt) don't introduce breaking changes to the API usage in the codebase

Possibly related PRs

  • Update many dependencies #208: Modifies the same dependency declarations in Gemfile and cpflow.gemspec (rubocop, rubocop-rake, rubocop-rspec, timecop, webmock versions).

Poem

🐰 Dependencies dancing, versions on the rise,
Rubocop's plugins sparkle through the skies,
From require to plugins, a fresh new way,
Our gems all polished for a better day! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'Update all project dependencies' directly and accurately summarizes the main change: dependency versions are updated across runtime and development dependencies, plus RuboCop configuration syntax is modernized.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between edfc861 and 06cd950.

⛔ Files ignored due to path filters (1)
  • Gemfile.lock is excluded by !**/*.lock
📒 Files selected for processing (3)
  • .rubocop.yml (1 hunks)
  • Gemfile (1 hunks)
  • cpflow.gemspec (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: zzaakiirr
Repo: shakacode/control-plane-flow PR: 236
File: lib/core/terraform_config/policy.rb:4-4
Timestamp: 2024-10-16T09:35:47.327Z
Learning: Disabling Rubocop rules is acceptable when refactoring can be done later.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: RSpec (Fast) / rspec
🔇 Additional comments (2)
Gemfile (1)

8-8: Development dependencies updated appropriately.

The gem version constraints using pessimistic versioning (~>) are well-chosen for development dependencies. All updates are isolated to development tooling and won't affect runtime behavior.

Also applies to: 10-10, 12-12, 13-13, 14-14, 16-16, 17-17

.rubocop.yml (1)

1-3: Configuration correctly updated for RuboCop 1.72+ plugin syntax.

The change from require: to plugins: aligns with RuboCop 1.81 and is the modern, required syntax for plugin configuration.

Comment on lines +18 to +21
spec.add_dependency "dotenv", "~> 3.1"
spec.add_dependency "jwt", "~> 3.1"
spec.add_dependency "psych", "~> 5.2"
spec.add_dependency "thor", "~> 1.4"
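Review bot: the `~> 3.1` constraints on `"jwt"` and `"dotenv"` are major-version bumps in the gem's published runtime dependencies, yet the files changed in this PR are only .rubocop.yml, Gemfile and cpflow.gemspec, so no call site under lib/ is adapted in the same change, and the stated test plan covers bundle update and RuboCop only, with the spec suite noted as needing CPLN_ORG. Either adapt the jwt and dotenv call sites in this PR (and run the specs that cover them), or hold cpflow.gemspec at the 2.x constraints until that is done, so that consumers installing the gem do not pick up the 3.x behaviour change before the code does.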

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify JWT and dotenv 3.x API compatibility with application code.

Both jwt and dotenv have major version bumps (2→3) with breaking changes:

JWT 3.0 requires token signatures to be verified before accessing payload, dropped the HS512256 algorithm, and removed deprecated claim verification methods. Dotenv 3.0 introduced several updates and changed how Dotenv::Railtie is handled.

While the PR summary confirms tests pass, ensure the application code:

  • Calls JWT.decode with explicit algorithm verification (as per best practices)
  • Does not rely on removed or renamed dotenv methods (though Dotenv::Railtie still works as Dotenv::Rails)
  • Handles multiline environment variables correctly if applicable

Run the following to verify JWT and dotenv usage patterns:


🏁 Script executed:

#!/bin/bash
# Description: Check JWT and dotenv API usage in the codebase for compatibility issues

# Find JWT.decode calls to ensure explicit algorithm is specified
echo "=== JWT.decode calls (should have algorithm: parameter) ==="
rg -n 'JWT\.decode' -A 2 --type=rb -g '!spec/**' -g '!test/**'

# Find dotenv method calls
echo -e "\n=== Dotenv API usage ==="
rg -n 'Dotenv\.' --type=rb -g '!spec/**' -g '!test/**' | head -20

# Check for use of removed dotenv methods (overload, deprecated names)
echo -e "\n=== Potentially deprecated dotenv method names ==="
rg -n 'Dotenv\.overload' --type=rb

Length of output: 218


🏁 Script executed:

#!/bin/bash
# Description: Check JWT and dotenv API usage with corrected ripgrep syntax

# Find JWT.decode calls to ensure explicit algorithm is specified
echo "=== JWT.decode calls (should have algorithm: parameter) ==="
rg -n 'JWT\.decode' -A 2 -g '*.rb' -g '!spec/**' -g '!test/**'

# Find dotenv method calls
echo -e "\n=== Dotenv API usage ==="
rg -n 'Dotenv\.' -g '*.rb' -g '!spec/**' -g '!test/**' | head -30

# Check for use of removed dotenv methods (overload, deprecated names)
echo -e "\n=== Potentially deprecated dotenv method names ==="
rg -n 'Dotenv\.overload' -g '*.rb'

# Also check the gemspec file itself and main entry points
echo -e "\n=== Files in lib directory ==="
find lib -name '*.rb' 2>/dev/null | head -20

Length of output: 931


🌐 Web query:

JWT gem 3.0 breaking changes decode method signature

💡 Result:

Short answer: In ruby-jwt 3.0 the public decode signature is still

JWT.decode(jwt, key = nil, verify = true, options = {}, &keyfinder)

but behavior around the options and algorithm handling changed — decoding now uses the new JWT::Decode class and expects algorithm/algorithm objects via the options (see ALGORITHM_KEYS), and the gem restructured algorithms (custom algorithms must follow the JWT::JWA::SigningAlgorithm interface). See the 3.x docs/changelog for details. [1][2][3]

Sources

  • Gem release / versions (3.0.0, 3.1.x). [RubyGems]. [1]
  • JWT.decode method signature in 3.x docs (shows decode(jwt, key = nil, verify = true, options = {})). [2]
  • UPGRADING / CHANGELOG notes about algorithm restructuring and decode/claim verification changes. [3]

🌐 Web query:

ruby-jwt 3.0 upgrade guide verify false breaking changes

💡 Result:

Short answer: ruby-jwt 3.0 removed the old “skip verification by reading payload” behavior — the gem now requires the token signature to be verified before you can access the payload, and several deprecated claim/verify APIs were removed. That’s the breaking change behind “verify=false” style usage. [1][2]

What changed (essentials)

  • v3.0 requires signature verification before accessing payload — you can no longer rely on calling decode (or accessing EncodedToken#payload) without verifying the signature first. [2]
  • Deprecated claim verification helpers (old verify methods) and some Verify/algorithm APIs were removed; see the UPGRADING notes for API replacements. [1][2]

What to do when upgrading

  • Stop using patterns that relied on skipping verification (e.g. any code that decoded/inspected payload without verifying signature). Instead explicitly verify the signature when decoding or use the new EncodedToken API:
    • Use JWT::EncodedToken.new(token).verify!(signature: { algorithm: 'HS256', key: 'secret' }) then read payload. (EncodedToken#verify! bundles signature + claim validation.) [4]
    • Or call the library’s verify API that both checks signature and claims before reading payload. [1][4]
  • Update code that used deprecated JWT::Claims.verify! / Verify class methods to the new JWT::Claims.verify_payload! / EncodedToken flow. [1]
  • If you used an option like verify: false (or other ways to bypass verification), remove/replace it — those patterns are no longer supported. [1][2]

References

  • UPGRADING notes (ruby-jwt repository). [1]
  • CHANGELOG v3.0.0 (breaking changes: require verification before payload; removed deprecated claim verification; dropped HS512256). [2]
  • README / GitHub docs showing EncodedToken/verify! usage. [4]

If you want, tell me one example of how you currently call JWT.decode or read payload and I’ll show the exact replacement for v3.0.


🏁 Script executed:

#!/bin/bash
# Check if controlplane_api_direct.rb was modified and look for tests

echo "=== Searching for tests that cover JWT token decode ==="
rg -n 'JWT\.decode|api_token.*token|controlplane.*api' -g '*.rb' | grep -i test | head -20

echo -e "\n=== Full context of JWT.decode usage ==="
rg -n 'JWT\.decode' -B 5 -A 5 -g '*.rb' -g '!spec/**' -g '!test/**'

echo -e "\n=== Check if there are spec files testing controlplane_api_direct ==="
find . -name '*spec*.rb' -o -name '*test*.rb' | xargs grep -l 'controlplane_api_direct\|JWT.decode' 2>/dev/null | head -10

echo -e "\n=== Look at the full method containing JWT.decode ==="
# rg uses Rust regex syntax, where '|' is alternation and '\|' is a literal pipe
rg -n 'def.*payload|def.*decode' -B 2 -A 15 lib/core/controlplane_api_direct.rb | head -40

Length of output: 1014


Fix JWT.decode call to use JWT 3.x compatible API at lib/core/controlplane_api_direct.rb:92.

The current code uses the deprecated JWT 2.x API which is no longer supported in JWT 3.x. The line payload, = JWT.decode(api_token[:token], nil, false) will fail at runtime because JWT 3.0 removed the ability to decode/access payloads without signature verification and no longer accepts the verify=false parameter for skipping verification.

This method will throw a JWT::DecodeError when called with JWT 3.x (or later versions). Update this line to pass algorithms via options or use the new JWT::EncodedToken API to maintain compatibility.

🤖 Prompt for AI Agents
In cpflow.gemspec around lines 18 to 21, update the JWT.decode usage in
lib/core/controlplane_api_direct.rb line 92 to be compatible with JWT 3.x:
replace the deprecated JWT 2.x call that relied on verify=false with a call that
supplies the required options (pass an algorithms option when calling
JWT.decode, e.g. an empty array to indicate no algorithms) or switch to the new
JWT::EncodedToken API to extract the payload without signature verification;
ensure the new call follows the JWT 3.x method signature and returns the payload
as before.
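The two points above (the web query's "v3.0 requires signature verification before accessing payload" and the comment on the `JWT.decode(api_token[:token], nil, false)` call) both come down to the same distinction: a payload read without a signature check says nothing about who issued the token. The following is an added example, not code from this PR, from the cpflow project or from the ruby-jwt gem; it builds a minimal HS256 check on the Ruby standard library only, so it shows what "verify before reading" means without depending on either the 2.x or the 3.x gem API. The secret, subject, expiry and function names are constructed for the demonstration.

```ruby
# Added example, not code from the PR or the cpflow project: a minimal HS256
# JWT check on the Ruby standard library, contrasting an unverified payload
# read (what `JWT.decode(token, nil, false)` did under ruby-jwt 2.x) with a
# read that first pins the algorithm and checks the signature (what
# ruby-jwt 3.x insists on). All names and sample values are constructed.
require "json"
require "openssl"

# base64url without padding, as JWT segments are encoded.
def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str.tr("-_", "+/")
  padded += "=" * ((4 - padded.length % 4) % 4)
  padded.unpack1("m0") # strict decode; raises ArgumentError on bad input
end

# Demo issuer: produce an HS256-signed token for `payload` with `secret`.
def hs256_token(payload, secret)
  header_b64 = b64url_encode(JSON.generate({ "alg" => "HS256", "typ" => "JWT" }))
  payload_b64 = b64url_encode(JSON.generate(payload))
  sig = OpenSSL::HMAC.digest("SHA256", secret, "#{header_b64}.#{payload_b64}")
  "#{header_b64}.#{payload_b64}.#{b64url_encode(sig)}"
end

# Unverified read. It returns whatever the middle segment contains, no matter
# who produced the token, so its result must not drive an authorization
# decision (at most, a hint such as an expiry to prompt a re-login).
def unverified_payload(token)
  _header, payload_b64, _sig = token.split(".", 3)
  JSON.parse(b64url_decode(payload_b64))
end

# Verified read: pin the expected algorithm, recompute the HMAC over
# "header.payload", compare in constant time, then enforce `exp`.
def verified_payload(token, secret, algorithm: "HS256", now: Time.now.to_i)
  header_b64, payload_b64, sig_b64 = token.split(".", 3)
  raise ArgumentError, "malformed token" if sig_b64.nil? || sig_b64.empty?

  header = JSON.parse(b64url_decode(header_b64))
  raise ArgumentError, "unexpected alg #{header['alg'].inspect}" unless header["alg"] == algorithm

  expected = OpenSSL::HMAC.digest("SHA256", secret, "#{header_b64}.#{payload_b64}")
  actual = b64url_decode(sig_b64)
  unless actual.bytesize == expected.bytesize && OpenSSL.fixed_length_secure_compare(expected, actual)
    raise ArgumentError, "signature mismatch"
  end

  payload = JSON.parse(b64url_decode(payload_b64))
  raise ArgumentError, "token expired" if payload["exp"].is_a?(Integer) && payload["exp"] <= now
  payload
end

# Constructed demo inputs.
DEMO_SECRET = "constructed-demo-secret"
DEMO_EXP = 4_102_444_800 # 2100-01-01T00:00:00Z, so the demo does not expire
GENUINE_TOKEN = hs256_token({ "sub" => "cpln-user", "exp" => DEMO_EXP }, DEMO_SECRET)
# Same claims, but signed by a party that does not hold DEMO_SECRET.
FOREIGN_TOKEN = hs256_token({ "sub" => "cpln-user", "exp" => DEMO_EXP }, "some-other-secret")

# Summarise the three outcomes a reviewer cares about.
def demo
  foreign_rejected = begin
    verified_payload(FOREIGN_TOKEN, DEMO_SECRET)
    false
  rescue ArgumentError
    true
  end
  {
    genuine_sub: verified_payload(GENUINE_TOKEN, DEMO_SECRET)["sub"],
    foreign_unverified_sub: unverified_payload(FOREIGN_TOKEN)["sub"], # reads fine, proves nothing
    foreign_rejected: foreign_rejected
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Run it with `ruby jwt_verify_demo.rb` (assumed file name). The unverified read of the foreign token returns the same `sub` as the genuine one, which is exactly why ruby-jwt 3.x stopped treating that path as a normal decode; the verified read accepts only the token signed with the secret the verifier holds and refuses a header whose `alg` differs from the pinned one. In the cpflow code the review points at, the migration choices named on this page are to pass the expected algorithms to `JWT.decode` or to use the `JWT::EncodedToken` API; whichever is chosen, any claim read from the token before verification should be treated the way `unverified_payload` is here.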
