lunchmoney 1.4.0 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3bcd23a0d41ac030c6a7d3a99c6438d363cfe100d1c1349f8ff8ab07e9da5a1b
-  data.tar.gz: a1021db38ff1305b39733d80d69681b74c05190521e1c38fe6b47afce0fc7f6d
+  metadata.gz: 837338cb47e04506201212586e26c1b9c25a21eded600c3ddf34b9e20fae4395
+  data.tar.gz: ef26cf61532ecc48c74e7f15f6bf215a148578c6903dea90ad4a78d36f89dc8f
 SHA512:
-  metadata.gz: 1dd9b667746978ea1033cba76a0f23082f040da1de55122aa45a7114eb572fb0580140f7bac48c53fb3ad52e560babb8e13bbb2f6766f8ca61a8fcc99308b721
-  data.tar.gz: 4e84da79f6ae55f67c6f388c470346e541541553abf764a3365509990d2c6bce62ea96f66e9f0e960d4f1c394e1d67a969eecfefcc668942b954798eb278cdaf
+  metadata.gz: d5285b8d16caa4dd5d4f6897008db0d4ec0ac51efea529ac8174cd6fce0b1c3a2b5384a4a9c08f6ff667fb3b08cf3aaab52bb7e26b52220e116b7245dd052d16
+  data.tar.gz: a8775f582eee1fc9c8258ab8e89d7486dedd66be933f4fa7b3044eee6ce859edfcb3f218cb6c87e9eb4c98e381708fa1dcdd41b4e33019e1d4d445bfcd82b6ab

data/.github/dependabot.yml

@@ -11,6 +11,13 @@ updates:
     open-pull-requests-limit: 100
     schedule:
       interval: weekly
+    groups:
+      minor_updates:
+        update-types:
+          - "minor"
+      patch_updates:
+        update-types:
+          - "patch"
   - package-ecosystem: github-actions
     directory: "/"
     open-pull-requests-limit: 100

data/.github/workflows/build_and_publish_yard_docs.yml

@@ -20,12 +20,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1.165.1
+        uses: ruby/setup-ruby@v1.218.0
         with:
-          ruby-version: 3.3.0
+          ruby-version: head
           bundler-cache: true
 
       - name: Install YARD
@@ -38,7 +38,7 @@ jobs:
         uses: actions/configure-pages@v5
 
       - name: Upload Artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@v4
         with:
           path: "doc"
 

data/.github/workflows/ci.yml

@@ -14,19 +14,22 @@ jobs:
 
     strategy:
       matrix:
-        ruby-version: [3.1, 3.2, 3.3, head]
+        ruby-version: [3.2, 3.3, 3.4, head]
     continue-on-error: ${{ endsWith(matrix.ruby-version, 'head') }}
 
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Setup Ruby
         uses: ruby/setup-ruby@v1
         with:
           bundler-cache: true
           ruby-version: ${{ matrix.ruby-version }}
+      -
+        name: Check for newer VCR version
+        run: bin/toys check-vcr-version
       -
         name: RuboCop
         run: bin/rubocop
@@ -46,18 +49,14 @@ jobs:
         run: bin/toys mdl
       -
         name: Run Tests (Using Cassettes)
-        if: ${{ ! endsWith(matrix.ruby-version, '3.3') }}
+        if: ${{ ! endsWith(matrix.ruby-version, '3.4') }}
         run: bin/toys test
       -
         name: Run Tests (With Remote Calls & Coverage Report)
-        if: ${{ endsWith(matrix.ruby-version, '3.3') }}
-        uses: paambaati/codeclimate-action@v8.0.0
+        if: ${{ endsWith(matrix.ruby-version, '3.4') }}
+        continue-on-error: true
         env:
-          CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }}
           REMOTE_TESTS_ENABLED: ${{ vars.REMOTE_TESTS_ENABLED }}
           LUNCHMONEY_TOKEN: ${{ secrets.LUNCHMONEY_TOKEN }}
-        with:
-          coverageCommand: bin/toys test
-          coverageLocations: |
-            ${{ github.workspace }}/coverage/coverage.json:simplecov
+        run: bin/toys test
 

data/.github/workflows/rbi-updater.yml

@@ -9,7 +9,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           token: ${{ secrets.LUNCHMONEY_PAT_TOKEN }}

data/.github/workflows/release_pipeline.yml

@@ -24,7 +24,7 @@ jobs:
 
         steps:
             # Set up
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@v5
             - name: Set up Ruby
               uses: ruby/setup-ruby@v1
               with:

data/.rubocop.yml

@@ -1,7 +1,7 @@
 inherit_gem:
   rubocop-shopify: rubocop.yml
 
-require:
+plugins:
   - rubocop-sorbet
   - rubocop-minitest
   - rubocop-rails

data/.ruby-version

@@ -1 +1 @@
-3.3.0
+3.4.5

data/.simplecov

@@ -21,6 +21,7 @@ SimpleCov.start do
     "lib/lunchmoney.rb",
     "lib/lunchmoney/api.rb",
     "lib/lunchmoney/configuration.rb",
+    "lib/lunchmoney/deprecate.rb",
     "lib/lunchmoney/errors.rb",
     "lib/lunchmoney/exceptions.rb",
     "lib/lunchmoney/validators.rb",

data/.toys/.toys.rb

@@ -9,3 +9,11 @@ alias_tool :style, :rubocop
 alias_tool :tapioca, :rbi
 alias_tool :tc, :typecheck
 alias_tool :cov, :coverage
+
+tool "check-vcr-version" do
+  desc "Check if a newer version of VCR has been released"
+
+  def run
+    system("ruby", "bin/check_vcr_version") || exit(1)
+  end
+end

data/Gemfile

@@ -7,10 +7,10 @@ gemspec
 
 # Specify development dependencies here
 gem "toys"
-gem "minitest", "~> 5.24", require: false
-gem "mocha", "~> 2.4.0", require: false
+gem "minitest", "~> 5.25", require: false
+gem "mocha", "~> 2.7.1", require: false
 gem "webmock", require: false
-gem "vcr", require: false
+gem "vcr", git: "https://github.com/vcr/vcr.git", ref: "ce35c236fe48899f02ddf780973b44cdb756c0ee", require: false
 gem "rubocop-shopify", require: false
 gem "rubocop-sorbet", require: false
 gem "rubocop-minitest", require: false

data/Gemfile.lock

@@ -1,7 +1,14 @@
+GIT
+  remote: https://github.com/vcr/vcr.git
+  revision: ce35c236fe48899f02ddf780973b44cdb756c0ee
+  ref: ce35c236fe48899f02ddf780973b44cdb756c0ee
+  specs:
+    vcr (6.3.1)
+
 PATH
   remote: .
   specs:
-    lunchmoney (1.4.0)
+    lunchmoney (1.5.0)
       activesupport (>= 6.1)
       faraday (>= 1.0.0)
       sorbet-runtime (>= 0.5)
@@ -9,8 +16,9 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (7.2.1)
+    activesupport (8.0.2.1)
       base64
+      benchmark (>= 0.3)
       bigdecimal
       concurrent-ruby (~> 1.0, >= 1.3.1)
       connection_pool (>= 2.2.5)
@@ -20,147 +28,162 @@ GEM
       minitest (>= 5.1)
       securerandom (>= 0.3)
       tzinfo (~> 2.0, >= 2.0.5)
+      uri (>= 0.13.1)
     addressable (2.8.7)
       public_suffix (>= 2.0.2, < 7.0)
     appraisal (2.5.0)
       bundler
       rake
       thor (>= 0.14.0)
-    ast (2.4.2)
-    base64 (0.2.0)
-    bigdecimal (3.1.8)
+    ast (2.4.3)
+    base64 (0.3.0)
+    benchmark (0.4.1)
+    bigdecimal (3.2.2)
     chef-utils (18.5.0)
       concurrent-ruby
-    concurrent-ruby (1.3.4)
-    connection_pool (2.4.1)
+    concurrent-ruby (1.3.5)
+    connection_pool (2.5.3)
     crack (1.0.0)
       bigdecimal
       rexml
     docile (1.4.1)
-    dotenv (3.1.2)
-    drb (2.2.1)
-    erubi (1.13.0)
-    faraday (2.10.1)
-      faraday-net_http (>= 2.0, < 3.2)
+    dotenv (3.1.8)
+    drb (2.2.3)
+    erubi (1.13.1)
+    faraday (2.13.4)
+      faraday-net_http (>= 2.0, < 3.5)
+      json
       logger
-    faraday-net_http (3.1.1)
-      net-http
-    hashdiff (1.1.1)
-    i18n (1.14.5)
+    faraday-net_http (3.4.1)
+      net-http (>= 0.5.0)
+    hashdiff (1.2.0)
+    i18n (1.14.7)
       concurrent-ruby (~> 1.0)
-    json (2.7.2)
-    kramdown (2.4.0)
-      rexml
+    json (2.13.2)
+    kramdown (2.5.1)
+      rexml (>= 3.3.9)
     kramdown-parser-gfm (1.1.0)
       kramdown (~> 2.0)
-    language_server-protocol (3.17.0.3)
-    logger (1.6.0)
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
+    logger (1.7.0)
     mdl (0.13.0)
       kramdown (~> 2.3)
       kramdown-parser-gfm (~> 1.1)
       mixlib-cli (~> 2.1, >= 2.1.1)
       mixlib-config (>= 2.2.1, < 4)
       mixlib-shellout
-    minitest (5.25.1)
+    minitest (5.25.5)
     mixlib-cli (2.1.8)
     mixlib-config (3.0.27)
       tomlrb
     mixlib-shellout (3.2.8)
       chef-utils
-    mocha (2.4.5)
+    mocha (2.7.1)
       ruby2_keywords (>= 0.0.5)
-    net-http (0.4.1)
+    net-http (0.6.0)
       uri
     netrc (0.11.0)
-    parallel (1.26.3)
-    parser (3.3.4.2)
+    parallel (1.27.0)
+    parser (3.3.9.0)
       ast (~> 2.4.1)
       racc
-    prism (0.30.0)
+    prism (1.4.0)
     public_suffix (6.0.1)
     racc (1.8.1)
-    rack (3.1.7)
+    rack (3.2.1)
     rainbow (3.1.1)
-    rake (13.2.1)
-    rbi (0.1.14)
-      prism (>= 0.18.0, < 1.0.0)
-      sorbet-runtime (>= 0.5.9204)
-    regexp_parser (2.9.2)
-    rexml (3.3.6)
-      strscan
-    rubocop (1.65.1)
+    rake (13.3.0)
+    rbi (0.3.6)
+      prism (~> 1.0)
+      rbs (>= 3.4.4)
+    rbs (4.0.0.dev.4)
+      logger
+      prism (>= 1.3.0)
+    regexp_parser (2.11.2)
+    require-hooks (0.2.2)
+    rexml (3.4.2)
+    rubocop (1.80.1)
       json (~> 2.3)
-      language_server-protocol (>= 3.17.0)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
       parallel (~> 1.10)
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 2.4, < 3.0)
-      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.31.1, < 2.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.46.0, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.32.1)
-      parser (>= 3.3.1.0)
-    rubocop-minitest (0.35.1)
-      rubocop (>= 1.61, < 2.0)
-      rubocop-ast (>= 1.31.1, < 2.0)
-    rubocop-rails (2.26.0)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.46.0)
+      parser (>= 3.3.7.2)
+      prism (~> 1.4)
+    rubocop-minitest (0.38.2)
+      lint_roller (~> 1.1)
+      rubocop (>= 1.75.0, < 2.0)
+      rubocop-ast (>= 1.38.0, < 2.0)
+    rubocop-rails (2.33.3)
       activesupport (>= 4.2.0)
+      lint_roller (~> 1.1)
       rack (>= 1.1)
-      rubocop (>= 1.52.0, < 2.0)
-      rubocop-ast (>= 1.31.1, < 2.0)
-    rubocop-shopify (2.15.1)
-      rubocop (~> 1.51)
-    rubocop-sorbet (0.8.5)
-      rubocop (>= 1)
+      rubocop (>= 1.75.0, < 2.0)
+      rubocop-ast (>= 1.44.0, < 2.0)
+    rubocop-shopify (2.17.1)
+      rubocop (~> 1.62)
+    rubocop-sorbet (0.10.5)
+      lint_roller
+      rubocop (>= 1.75.2)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
-    securerandom (0.3.1)
+    securerandom (0.4.1)
     simplecov (0.22.0)
       docile (~> 1.1)
       simplecov-html (~> 0.11)
       simplecov_json_formatter (~> 0.1)
     simplecov-html (0.12.3)
     simplecov_json_formatter (0.1.4)
-    sorbet (0.5.11545)
-      sorbet-static (= 0.5.11545)
-    sorbet-runtime (0.5.11545)
-    sorbet-static (0.5.11545-universal-darwin)
-    sorbet-static (0.5.11545-x86_64-linux)
-    sorbet-static-and-runtime (0.5.11545)
-      sorbet (= 0.5.11545)
-      sorbet-runtime (= 0.5.11545)
-    spoom (1.4.2)
+    sorbet (0.6.12473)
+      sorbet-static (= 0.6.12473)
+    sorbet-runtime (0.6.12473)
+    sorbet-static (0.6.12473-universal-darwin)
+    sorbet-static (0.6.12473-x86_64-linux)
+    sorbet-static-and-runtime (0.6.12473)
+      sorbet (= 0.6.12473)
+      sorbet-runtime (= 0.6.12473)
+    spoom (1.7.6)
       erubi (>= 1.10.0)
       prism (>= 0.28.0)
+      rbi (>= 0.3.3)
+      rbs (>= 4.0.0.dev.4)
+      rexml (>= 3.2.6)
       sorbet-static-and-runtime (>= 0.5.10187)
       thor (>= 0.19.2)
-    strscan (3.1.0)
-    tapioca (0.16.1)
+    tapioca (0.17.7)
+      benchmark
       bundler (>= 2.2.25)
       netrc (>= 0.11.0)
       parallel (>= 1.21.0)
-      rbi (>= 0.1.14, < 0.2)
+      rbi (>= 0.3.1)
+      require-hooks (>= 0.2.2)
       sorbet-static-and-runtime (>= 0.5.11087)
-      spoom (>= 1.2.0)
+      spoom (>= 1.7.0)
       thor (>= 1.2.0)
       yard-sorbet
-    thor (1.3.1)
+    thor (1.4.0)
     tomlrb (2.0.3)
     toys (0.15.6)
       toys-core (= 0.15.6)
     toys-core (0.15.6)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (2.5.0)
-    uri (0.13.0)
-    vcr (6.3.1)
-      base64
-    webmock (3.23.1)
+    unicode-display_width (3.1.5)
+      unicode-emoji (~> 4.0, >= 4.0.4)
+    unicode-emoji (4.0.4)
+    uri (1.0.3)
+    webmock (3.25.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
-    yard (0.9.36)
+    yard (0.9.37)
     yard-sorbet (0.9.0)
       sorbet-runtime
       yard
@@ -168,6 +191,7 @@ GEM
 PLATFORMS
   arm64-darwin-22
   arm64-darwin-23
+  arm64-darwin-24
   x86_64-darwin-20
   x86_64-linux
 
@@ -176,8 +200,8 @@ DEPENDENCIES
   dotenv
   lunchmoney!
   mdl
-  minitest (~> 5.24)
-  mocha (~> 2.4.0)
+  minitest (~> 5.25)
+  mocha (~> 2.7.1)
   rubocop-minitest
   rubocop-rails
   rubocop-shopify
@@ -188,10 +212,10 @@ DEPENDENCIES
   spoom
   tapioca
   toys
-  vcr
+  vcr!
   webmock
   yard
   yard-sorbet
 
 BUNDLED WITH
-   2.5.3
+   2.7.0

data/README.md

@@ -3,8 +3,6 @@
 [![Gem Version](https://badge.fury.io/rb/lunchmoney.svg)](https://badge.fury.io/rb/lunchmoney)
 [![CI](https://github.com/mmenanno/lunchmoney/actions/workflows/ci.yml/badge.svg)](https://github.com/mmenanno/lunchmoney/actions/workflows/ci.yml)
 [![Yard Docs](https://github.com/mmenanno/lunchmoney/actions/workflows/build_and_publish_yard_docs.yml/badge.svg)](https://github.com/mmenanno/lunchmoney/actions/workflows/build_and_publish_yard_docs.yml)
-[![Maintainability](https://api.codeclimate.com/v1/badges/6e84458e8cf831e6a6fa/maintainability)](https://codeclimate.com/github/mmenanno/lunchmoney/maintainability)
-[![Test Coverage](https://api.codeclimate.com/v1/badges/6e84458e8cf831e6a6fa/test_coverage)](https://codeclimate.com/github/mmenanno/lunchmoney/test_coverage)
 
 <a href="https://www.buymeacoffee.com/mmenanno" target="_blank"><img src="https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png" alt="Buy Me A Coffee" style="height: 60px !important;width: 217px !important;" ></a>
 

data/SECURITY.md

@@ -0,0 +1,151 @@
+# Security Policy
+
+## Supported Versions
+
+We actively support the following versions of the `lunchmoney` gem with security updates:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.4.x   | :white_check_mark: |
+| 1.3.x   | :white_check_mark: |
+| < 1.3   | :x:                |
+
+## Reporting a Vulnerability
+
+We take the security of the `lunchmoney` gem seriously. If you discover a security vulnerability, please follow these steps:
+
+### How to Report
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report security vulnerabilities by emailing us directly at:
+
+- **Email**: [Create an email to the maintainer based on the GitHub profile]
+- **Subject Line**: "[SECURITY] Vulnerability Report for lunchmoney gem"
+
+### What to Include
+
+Please include the following information in your report:
+
+1. **Description**: A clear description of the vulnerability
+2. **Impact**: The potential impact and severity of the vulnerability
+3. **Reproduction Steps**: Step-by-step instructions to reproduce the issue
+4. **Affected Versions**: Which versions of the gem are affected
+5. **Suggested Fix**: If you have ideas for how to fix the issue (optional)
+6. **Your Contact Information**: So we can follow up with questions if needed
+
+### Response Timeline
+
+We are committed to addressing security vulnerabilities promptly:
+
+- **Acknowledgment**: We will acknowledge receipt of your vulnerability report within 48 hours
+- **Initial Assessment**: We will provide an initial assessment within 5 business days
+- **Status Updates**: We will provide regular updates on our progress
+- **Resolution**: We aim to resolve critical vulnerabilities within 30 days
+
+### Responsible Disclosure
+
+We kindly ask that you:
+
+- Give us reasonable time to investigate and fix the issue before public disclosure
+- Avoid accessing, modifying, or deleting data that doesn't belong to you
+- Don't perform actions that could harm the availability or integrity of our services
+- Don't social engineer our team members or contractors
+
+### Recognition
+
+We appreciate the security research community's efforts to improve the security of our project. If you report a valid security vulnerability, we will:
+
+- Acknowledge your contribution in our release notes (unless you prefer to remain anonymous)
+- Work with you on the disclosure timeline
+- Keep you informed throughout the remediation process
+
+## Security Best Practices for Users
+
+When using the `lunchmoney` gem in your applications:
+
+### API Key Security
+
+1. **Never commit API keys to version control**
+   - Use environment variables (`LUNCHMONEY_TOKEN`)
+   - Use secure credential management systems
+   - Add API keys to your `.gitignore` file
+
+2. **Rotate API keys regularly**
+   - Generate new API keys periodically
+   - Immediately revoke compromised keys
+
+3. **Use least privilege access**
+   - Only grant the minimum permissions necessary
+   - Monitor API key usage for unusual activity
+
+### Network Security
+
+1. **Use HTTPS only**
+   - The gem uses HTTPS by default for all API calls
+   - Never disable SSL verification in production
+
+2. **Network monitoring**
+   - Monitor outbound API calls to LunchMoney
+   - Set up alerts for unusual API usage patterns
+
+### Dependency Security
+
+1. **Keep dependencies updated**
+   - Regularly update the `lunchmoney` gem
+   - Monitor for security advisories affecting dependencies
+
+2. **Audit your dependencies**
+
+   ```bash
+   # Install bundler-audit gem first
+   gem install bundler-audit
+
+   # Then audit your dependencies
+   bundle audit
+   ```
+
+### Error Handling
+
+1. **Don't log sensitive data**
+   - API keys should never appear in logs
+   - Be careful with error messages that might expose sensitive information
+
+2. **Handle API errors gracefully**
+
+   ```ruby
+   api = LunchMoney::Api.new
+   response = api.categories
+
+   if response.is_a?(LunchMoney::Errors)
+     # Handle error without exposing sensitive details
+     logger.error "API call failed"
+   end
+   ```
+
+## Security Features
+
+This gem includes several security features:
+
+- **HTTPS-only communication** with the LunchMoney API
+- **Input validation** for API parameters
+- **Error handling** that doesn't expose sensitive information
+- **Dependency management** with regular updates
+
+## Vulnerability History
+
+We will maintain a record of resolved security vulnerabilities here:
+
+- No security vulnerabilities have been reported to date
+
+## Contact
+
+For security-related questions or concerns, please contact:
+
+- **Maintainer**: @mmenanno
+- **Repository**: <https://github.com/mmenanno/lunchmoney>
+- **Documentation**: <https://mmenanno.github.io/lunchmoney/>
+
+---
+
+Thank you for helping keep the `lunchmoney` gem and our community safe!