lunchmoney 1.4.1 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 50f3573ce7923a9282be65ac6fba693be82c2c51b8be11c268e23112fd06337c
-  data.tar.gz: 7be51f4d39ed969199ab04e36dda18acc8203b10c149cf3410d447bfc4794019
+  metadata.gz: 837338cb47e04506201212586e26c1b9c25a21eded600c3ddf34b9e20fae4395
+  data.tar.gz: ef26cf61532ecc48c74e7f15f6bf215a148578c6903dea90ad4a78d36f89dc8f
 SHA512:
-  metadata.gz: b3686c260fd902ca41f82f4ffc00064ed39b3828e86a648c9b5e5720ad87256778e96617447b7880aba7733e953a88341f7f9426f068f855afb7b62c35559dd8
-  data.tar.gz: bcbf7d9ff45a32f0339df95660de9c5911ba556ef77becb44b21cdced5492b67bc6c3f764829bec6f87850e87269ee50326a97b3dbb4d9bad90f90ae1f259e52
+  metadata.gz: d5285b8d16caa4dd5d4f6897008db0d4ec0ac51efea529ac8174cd6fce0b1c3a2b5384a4a9c08f6ff667fb3b08cf3aaab52bb7e26b52220e116b7245dd052d16
+  data.tar.gz: a8775f582eee1fc9c8258ab8e89d7486dedd66be933f4fa7b3044eee6ce859edfcb3f218cb6c87e9eb4c98e381708fa1dcdd41b4e33019e1d4d445bfcd82b6ab

data/.github/workflows/build_and_publish_yard_docs.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1.218.0
@@ -38,7 +38,7 @@ jobs:
         uses: actions/configure-pages@v5
 
       - name: Upload Artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@v4
         with:
           path: "doc"
 

data/.github/workflows/ci.yml

@@ -14,19 +14,22 @@ jobs:
 
     strategy:
       matrix:
-        ruby-version: [3.1, 3.2, 3.3, head]
+        ruby-version: [3.2, 3.3, 3.4, head]
     continue-on-error: ${{ endsWith(matrix.ruby-version, 'head') }}
 
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Setup Ruby
         uses: ruby/setup-ruby@v1
         with:
           bundler-cache: true
           ruby-version: ${{ matrix.ruby-version }}
+      -
+        name: Check for newer VCR version
+        run: bin/toys check-vcr-version
       -
         name: RuboCop
         run: bin/rubocop
@@ -46,18 +49,14 @@ jobs:
         run: bin/toys mdl
       -
         name: Run Tests (Using Cassettes)
-        if: ${{ ! endsWith(matrix.ruby-version, '3.3') }}
+        if: ${{ ! endsWith(matrix.ruby-version, '3.4') }}
         run: bin/toys test
       -
         name: Run Tests (With Remote Calls & Coverage Report)
-        if: ${{ endsWith(matrix.ruby-version, '3.3') }}
-        uses: paambaati/codeclimate-action@v9.0.0
+        if: ${{ endsWith(matrix.ruby-version, '3.4') }}
+        continue-on-error: true
         env:
-          CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }}
           REMOTE_TESTS_ENABLED: ${{ vars.REMOTE_TESTS_ENABLED }}
           LUNCHMONEY_TOKEN: ${{ secrets.LUNCHMONEY_TOKEN }}
-        with:
-          coverageCommand: bin/toys test
-          coverageLocations: |
-            ${{ github.workspace }}/coverage/coverage.json:simplecov
+        run: bin/toys test
 

data/.github/workflows/rbi-updater.yml

@@ -9,7 +9,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           token: ${{ secrets.LUNCHMONEY_PAT_TOKEN }}

data/.github/workflows/release_pipeline.yml

@@ -24,7 +24,7 @@ jobs:
 
         steps:
             # Set up
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@v5
             - name: Set up Ruby
               uses: ruby/setup-ruby@v1
               with:

data/.rubocop.yml

@@ -1,7 +1,7 @@
 inherit_gem:
   rubocop-shopify: rubocop.yml
 
-require:
+plugins:
   - rubocop-sorbet
   - rubocop-minitest
   - rubocop-rails

data/.ruby-version

@@ -1 +1 @@
-3.4.2
+3.4.5

data/.toys/.toys.rb

@@ -9,3 +9,11 @@ alias_tool :style, :rubocop
 alias_tool :tapioca, :rbi
 alias_tool :tc, :typecheck
 alias_tool :cov, :coverage
+
+tool "check-vcr-version" do
+  desc "Check if a newer version of VCR has been released"
+
+  def run
+    system("ruby", "bin/check_vcr_version") || exit(1)
+  end
+end

data/Gemfile

@@ -10,7 +10,7 @@ gem "toys"
 gem "minitest", "~> 5.25", require: false
 gem "mocha", "~> 2.7.1", require: false
 gem "webmock", require: false
-gem "vcr", require: false
+gem "vcr", git: "https://github.com/vcr/vcr.git", ref: "ce35c236fe48899f02ddf780973b44cdb756c0ee", require: false
 gem "rubocop-shopify", require: false
 gem "rubocop-sorbet", require: false
 gem "rubocop-minitest", require: false

data/Gemfile.lock

@@ -1,7 +1,14 @@
+GIT
+  remote: https://github.com/vcr/vcr.git
+  revision: ce35c236fe48899f02ddf780973b44cdb756c0ee
+  ref: ce35c236fe48899f02ddf780973b44cdb756c0ee
+  specs:
+    vcr (6.3.1)
+
 PATH
   remote: .
   specs:
-    lunchmoney (1.4.1)
+    lunchmoney (1.5.0)
       activesupport (>= 6.1)
       faraday (>= 1.0.0)
       sorbet-runtime (>= 0.5)
@@ -9,7 +16,7 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (7.2.2.1)
+    activesupport (8.0.2.1)
       base64
       benchmark (>= 0.3)
       bigdecimal
@@ -21,43 +28,45 @@ GEM
       minitest (>= 5.1)
       securerandom (>= 0.3)
       tzinfo (~> 2.0, >= 2.0.5)
+      uri (>= 0.13.1)
     addressable (2.8.7)
       public_suffix (>= 2.0.2, < 7.0)
     appraisal (2.5.0)
       bundler
       rake
       thor (>= 0.14.0)
-    ast (2.4.2)
-    base64 (0.2.0)
-    benchmark (0.4.0)
-    bigdecimal (3.1.9)
+    ast (2.4.3)
+    base64 (0.3.0)
+    benchmark (0.4.1)
+    bigdecimal (3.2.2)
     chef-utils (18.5.0)
       concurrent-ruby
     concurrent-ruby (1.3.5)
-    connection_pool (2.5.0)
+    connection_pool (2.5.3)
     crack (1.0.0)
       bigdecimal
       rexml
     docile (1.4.1)
-    dotenv (3.1.7)
-    drb (2.2.1)
+    dotenv (3.1.8)
+    drb (2.2.3)
     erubi (1.13.1)
-    faraday (2.12.2)
+    faraday (2.13.4)
       faraday-net_http (>= 2.0, < 3.5)
       json
       logger
-    faraday-net_http (3.4.0)
+    faraday-net_http (3.4.1)
       net-http (>= 0.5.0)
-    hashdiff (1.1.2)
+    hashdiff (1.2.0)
     i18n (1.14.7)
       concurrent-ruby (~> 1.0)
-    json (2.10.2)
-    kramdown (2.4.0)
-      rexml
+    json (2.13.2)
+    kramdown (2.5.1)
+      rexml (>= 3.3.9)
     kramdown-parser-gfm (1.1.0)
       kramdown (~> 2.0)
-    language_server-protocol (3.17.0.4)
-    logger (1.6.6)
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
+    logger (1.7.0)
     mdl (0.13.0)
       kramdown (~> 2.3)
       kramdown-parser-gfm (~> 1.1)
@@ -75,48 +84,54 @@ GEM
     net-http (0.6.0)
       uri
     netrc (0.11.0)
-    parallel (1.26.3)
-    parser (3.3.7.1)
+    parallel (1.27.0)
+    parser (3.3.9.0)
       ast (~> 2.4.1)
       racc
     prism (1.4.0)
     public_suffix (6.0.1)
     racc (1.8.1)
-    rack (3.1.9)
+    rack (3.2.1)
     rainbow (3.1.1)
-    rake (13.2.1)
-    rbi (0.3.1)
+    rake (13.3.0)
+    rbi (0.3.6)
       prism (~> 1.0)
       rbs (>= 3.4.4)
-      sorbet-runtime (>= 0.5.9204)
-    rbs (3.9.0)
+    rbs (4.0.0.dev.4)
       logger
-    regexp_parser (2.10.0)
-    rexml (3.4.1)
-    rubocop (1.71.2)
+      prism (>= 1.3.0)
+    regexp_parser (2.11.2)
+    require-hooks (0.2.2)
+    rexml (3.4.2)
+    rubocop (1.80.1)
       json (~> 2.3)
-      language_server-protocol (>= 3.17.0)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
       parallel (~> 1.10)
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 2.9.3, < 3.0)
-      rubocop-ast (>= 1.38.0, < 2.0)
+      rubocop-ast (>= 1.46.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.38.0)
-      parser (>= 3.3.1.0)
-    rubocop-minitest (0.36.0)
-      rubocop (>= 1.61, < 2.0)
-      rubocop-ast (>= 1.31.1, < 2.0)
-    rubocop-rails (2.29.1)
+    rubocop-ast (1.46.0)
+      parser (>= 3.3.7.2)
+      prism (~> 1.4)
+    rubocop-minitest (0.38.2)
+      lint_roller (~> 1.1)
+      rubocop (>= 1.75.0, < 2.0)
+      rubocop-ast (>= 1.38.0, < 2.0)
+    rubocop-rails (2.33.3)
       activesupport (>= 4.2.0)
+      lint_roller (~> 1.1)
       rack (>= 1.1)
-      rubocop (>= 1.52.0, < 2.0)
-      rubocop-ast (>= 1.31.1, < 2.0)
-    rubocop-shopify (2.15.1)
-      rubocop (~> 1.51)
-    rubocop-sorbet (0.8.7)
-      rubocop (>= 1)
+      rubocop (>= 1.75.0, < 2.0)
+      rubocop-ast (>= 1.44.0, < 2.0)
+    rubocop-shopify (2.17.1)
+      rubocop (~> 1.62)
+    rubocop-sorbet (0.10.5)
+      lint_roller
+      rubocop (>= 1.75.2)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
     securerandom (0.4.1)
@@ -126,43 +141,44 @@ GEM
       simplecov_json_formatter (~> 0.1)
     simplecov-html (0.12.3)
     simplecov_json_formatter (0.1.4)
-    sorbet (0.5.11953)
-      sorbet-static (= 0.5.11953)
-    sorbet-runtime (0.5.11953)
-    sorbet-static (0.5.11953-universal-darwin)
-    sorbet-static (0.5.11953-x86_64-linux)
-    sorbet-static-and-runtime (0.5.11953)
-      sorbet (= 0.5.11953)
-      sorbet-runtime (= 0.5.11953)
-    spoom (1.6.1)
+    sorbet (0.6.12473)
+      sorbet-static (= 0.6.12473)
+    sorbet-runtime (0.6.12473)
+    sorbet-static (0.6.12473-universal-darwin)
+    sorbet-static (0.6.12473-x86_64-linux)
+    sorbet-static-and-runtime (0.6.12473)
+      sorbet (= 0.6.12473)
+      sorbet-runtime (= 0.6.12473)
+    spoom (1.7.6)
       erubi (>= 1.10.0)
       prism (>= 0.28.0)
-      rbi (>= 0.2.3)
+      rbi (>= 0.3.3)
+      rbs (>= 4.0.0.dev.4)
+      rexml (>= 3.2.6)
       sorbet-static-and-runtime (>= 0.5.10187)
       thor (>= 0.19.2)
-    tapioca (0.16.11)
+    tapioca (0.17.7)
       benchmark
       bundler (>= 2.2.25)
       netrc (>= 0.11.0)
       parallel (>= 1.21.0)
-      rbi (~> 0.2)
+      rbi (>= 0.3.1)
+      require-hooks (>= 0.2.2)
       sorbet-static-and-runtime (>= 0.5.11087)
-      spoom (>= 1.2.0)
+      spoom (>= 1.7.0)
       thor (>= 1.2.0)
       yard-sorbet
-    thor (1.3.2)
+    thor (1.4.0)
     tomlrb (2.0.3)
     toys (0.15.6)
       toys-core (= 0.15.6)
     toys-core (0.15.6)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (3.1.4)
+    unicode-display_width (3.1.5)
       unicode-emoji (~> 4.0, >= 4.0.4)
     unicode-emoji (4.0.4)
     uri (1.0.3)
-    vcr (6.3.1)
-      base64
     webmock (3.25.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
@@ -196,10 +212,10 @@ DEPENDENCIES
   spoom
   tapioca
   toys
-  vcr
+  vcr!
   webmock
   yard
   yard-sorbet
 
 BUNDLED WITH
-   2.6.6
+   2.7.0

data/README.md

@@ -3,8 +3,6 @@
 [![Gem Version](https://badge.fury.io/rb/lunchmoney.svg)](https://badge.fury.io/rb/lunchmoney)
 [![CI](https://github.com/mmenanno/lunchmoney/actions/workflows/ci.yml/badge.svg)](https://github.com/mmenanno/lunchmoney/actions/workflows/ci.yml)
 [![Yard Docs](https://github.com/mmenanno/lunchmoney/actions/workflows/build_and_publish_yard_docs.yml/badge.svg)](https://github.com/mmenanno/lunchmoney/actions/workflows/build_and_publish_yard_docs.yml)
-[![Maintainability](https://api.codeclimate.com/v1/badges/6e84458e8cf831e6a6fa/maintainability)](https://codeclimate.com/github/mmenanno/lunchmoney/maintainability)
-[![Test Coverage](https://api.codeclimate.com/v1/badges/6e84458e8cf831e6a6fa/test_coverage)](https://codeclimate.com/github/mmenanno/lunchmoney/test_coverage)
 
 <a href="https://www.buymeacoffee.com/mmenanno" target="_blank"><img src="https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png" alt="Buy Me A Coffee" style="height: 60px !important;width: 217px !important;" ></a>
 

data/SECURITY.md

@@ -0,0 +1,151 @@
+# Security Policy
+
+## Supported Versions
+
+We actively support the following versions of the `lunchmoney` gem with security updates:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.4.x   | :white_check_mark: |
+| 1.3.x   | :white_check_mark: |
+| < 1.3   | :x:                |
+
+## Reporting a Vulnerability
+
+We take the security of the `lunchmoney` gem seriously. If you discover a security vulnerability, please follow these steps:
+
+### How to Report
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report security vulnerabilities by emailing us directly at:
+
+- **Email**: [Create an email to the maintainer based on the GitHub profile]
+- **Subject Line**: "[SECURITY] Vulnerability Report for lunchmoney gem"
+
+### What to Include
+
+Please include the following information in your report:
+
+1. **Description**: A clear description of the vulnerability
+2. **Impact**: The potential impact and severity of the vulnerability
+3. **Reproduction Steps**: Step-by-step instructions to reproduce the issue
+4. **Affected Versions**: Which versions of the gem are affected
+5. **Suggested Fix**: If you have ideas for how to fix the issue (optional)
+6. **Your Contact Information**: So we can follow up with questions if needed
+
+### Response Timeline
+
+We are committed to addressing security vulnerabilities promptly:
+
+- **Acknowledgment**: We will acknowledge receipt of your vulnerability report within 48 hours
+- **Initial Assessment**: We will provide an initial assessment within 5 business days
+- **Status Updates**: We will provide regular updates on our progress
+- **Resolution**: We aim to resolve critical vulnerabilities within 30 days
+
+### Responsible Disclosure
+
+We kindly ask that you:
+
+- Give us reasonable time to investigate and fix the issue before public disclosure
+- Avoid accessing, modifying, or deleting data that doesn't belong to you
+- Don't perform actions that could harm the availability or integrity of our services
+- Don't social engineer our team members or contractors
+
+### Recognition
+
+We appreciate the security research community's efforts to improve the security of our project. If you report a valid security vulnerability, we will:
+
+- Acknowledge your contribution in our release notes (unless you prefer to remain anonymous)
+- Work with you on the disclosure timeline
+- Keep you informed throughout the remediation process
+
+## Security Best Practices for Users
+
+When using the `lunchmoney` gem in your applications:
+
+### API Key Security
+
+1. **Never commit API keys to version control**
+   - Use environment variables (`LUNCHMONEY_TOKEN`)
+   - Use secure credential management systems
+   - Add API keys to your `.gitignore` file
+
+2. **Rotate API keys regularly**
+   - Generate new API keys periodically
+   - Immediately revoke compromised keys
+
+3. **Use least privilege access**
+   - Only grant the minimum permissions necessary
+   - Monitor API key usage for unusual activity
+
+### Network Security
+
+1. **Use HTTPS only**
+   - The gem uses HTTPS by default for all API calls
+   - Never disable SSL verification in production
+
+2. **Network monitoring**
+   - Monitor outbound API calls to LunchMoney
+   - Set up alerts for unusual API usage patterns
+
+### Dependency Security
+
+1. **Keep dependencies updated**
+   - Regularly update the `lunchmoney` gem
+   - Monitor for security advisories affecting dependencies
+
+2. **Audit your dependencies**
+
+   ```bash
+   # Install bundler-audit gem first
+   gem install bundler-audit
+
+   # Then audit your dependencies
+   bundle audit
+   ```
+
+### Error Handling
+
+1. **Don't log sensitive data**
+   - API keys should never appear in logs
+   - Be careful with error messages that might expose sensitive information
+
+2. **Handle API errors gracefully**
+
+   ```ruby
+   api = LunchMoney::Api.new
+   response = api.categories
+
+   if response.is_a?(LunchMoney::Errors)
+     # Handle error without exposing sensitive details
+     logger.error "API call failed"
+   end
+   ```
+
+## Security Features
+
+This gem includes several security features:
+
+- **HTTPS-only communication** with the LunchMoney API
+- **Input validation** for API parameters
+- **Error handling** that doesn't expose sensitive information
+- **Dependency management** with regular updates
+
+## Vulnerability History
+
+We will maintain a record of resolved security vulnerabilities here:
+
+- No security vulnerabilities have been reported to date
+
+## Contact
+
+For security-related questions or concerns, please contact:
+
+- **Maintainer**: @mmenanno
+- **Repository**: <https://github.com/mmenanno/lunchmoney>
+- **Documentation**: <https://mmenanno.github.io/lunchmoney/>
+
+---
+
+Thank you for helping keep the `lunchmoney` gem and our community safe!

data/bin/check_vcr_version

@@ -0,0 +1,94 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "net/http"
+require "json"
+require "uri"
+
+# This script checks if a newer version of VCR has been released beyond 6.3.1
+# If a newer version is found, it raises an error indicating that we should
+# switch back to using the released gem instead of the git commit.
+
+CURRENT_VCR_VERSION = "6.3.1"
+VCR_COMMIT_SHA = "ce35c236fe48899f02ddf780973b44cdb756c0ee"
+
+def fetch_latest_vcr_version
+  uri = URI("https://rubygems.org/api/v1/gems/vcr.json")
+  response = Net::HTTP.get_response(uri)
+
+  unless response.is_a?(Net::HTTPSuccess)
+    puts "Warning: Could not fetch VCR version information from RubyGems API"
+    puts "Response: #{response.code} #{response.message}"
+    return nil
+  end
+
+  gem_info = JSON.parse(response.body)
+  gem_info["version"]
+rescue StandardError => e
+  puts "Warning: Error fetching VCR version information: #{e.message}"
+  nil
+end
+
+def version_greater?(version1, version2)
+  # Simple version comparison - splits by dots and compares numerically
+  v1_parts = version1.split(".").map(&:to_i)
+  v2_parts = version2.split(".").map(&:to_i)
+
+  # Pad shorter version with zeros
+  max_length = [v1_parts.length, v2_parts.length].max
+  v1_parts += [0] * (max_length - v1_parts.length)
+  v2_parts += [0] * (max_length - v2_parts.length)
+
+  v1_parts.zip(v2_parts).each do |v1, v2|
+    return true if v1 > v2
+    return false if v1 < v2
+  end
+
+  false # versions are equal
+end
+
+def main
+  puts "Checking for newer VCR releases..."
+  puts "Current pinned version: #{CURRENT_VCR_VERSION}"
+  puts "Using commit: #{VCR_COMMIT_SHA}"
+  puts ""
+
+  latest_version = fetch_latest_vcr_version
+
+  if latest_version.nil?
+    puts "Could not determine latest VCR version. Skipping check."
+    exit 0
+  end
+
+  puts "Latest released version: #{latest_version}"
+
+  if version_greater?(latest_version, CURRENT_VCR_VERSION)
+    puts ""
+    puts "🚨 NEWER VCR VERSION AVAILABLE! 🚨"
+    puts ""
+    puts "A newer version of VCR (#{latest_version}) has been released!"
+    puts "This is likely to include the Ruby 3.5+ compatibility fix from commit #{VCR_COMMIT_SHA}."
+    puts ""
+    puts "ACTION REQUIRED:"
+    puts "1. Update Gemfile to use the released version:"
+    puts "   gem \"vcr\", \"~> #{latest_version}\", require: false"
+    puts ""
+    puts "2. Remove the git reference and commit SHA"
+    puts ""
+    puts "3. Run 'bundle update vcr' to update to the new version"
+    puts ""
+    puts "4. Test to ensure everything works with the released version"
+    puts ""
+    puts "5. Consider removing this version check script once updated"
+    puts ""
+
+    exit 1
+  else
+    puts "No newer version available. Continuing to use commit #{VCR_COMMIT_SHA}."
+    exit 0
+  end
+end
+
+if __FILE__ == $0
+  main
+end