Bump rubocop-rspec from 3.9.0 to 3.10.0 #870

Merged: zetter-rpf merged 2 commits into main from dependabot/bundler/rubocop-rspec-3.10.0 on Jun 15, 2026

dependabot Bot commented on behalf of github Jun 15, 2026

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependabot Bot added the dependencies and ruby labels Jun 15, 2026
Copilot AI review requested due to automatic review settings June 15, 2026 09:42

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

cla-bot Bot added the cla-signed label Jun 15, 2026

github-actions Bot commented Jun 15, 2026

Test coverage

91.6% line coverage reported by SimpleCov.
Run: https://github.com/RaspberryPiFoundation/editor-api/actions/runs/27554350304

cursor Bot left a comment

Stale comment

Dependabot review: rubocop-rspec 3.9.0 → 3.10.0

Security

No concerns identified.

  • rubocop-rspec is a development/test-only linting plugin (Gemfile :development, :test group). It is not loaded at application runtime and does not affect production deployments.
  • No CVEs or GitHub Security Advisories were found for rubocop-rspec 3.9.0 or 3.10.0.
  • This PR also transitively bumps rubocop 1.86.1 → 1.87.0 and adds regexp_parser as a runtime dependency of rubocop-rspec. No known vulnerabilities were found for these versions.
  • Supply-chain posture is unchanged: all gems are published on RubyGems with MFA-enabled releases.

Safety of merging

Low runtime risk; lint CI currently fails.

| Area | Result |
|---|---|
| Application runtime | No impact — dev-only dependency |
| RSpec test suite (CI) | Pass — 2460 examples, 0 failures (~3m 10s) |
| RuboCop lint (CI) | Fail — 41 new offenses |

What changed in 3.10.0

The release adds one notable new cop and several fixes to existing cops. No documented breaking API removals.

  • New cop RSpec/MatchWithSimpleRegex — flags expect(x).to match(/literal/) where a plain include('literal') is clearer. This is the cause of all 41 new offenses in this repo (all autocorrectable).
  • New cop RSpec/DiscardedMatcher — detects matchers accidentally left in void context (e.g. missing .and). No offenses detected here.
  • Tightened rubocop peer dependency to ~> 1.86, >= 1.86.2, which pulled in rubocop 1.87.0. Compatible with existing rubocop-rspec_rails 2.32.0 (rubocop-rspec ~> 3.5).
  • Other changes (bug fixes to RSpec/ExpectActual, RSpec/SpecFilePathFormat, RSpec/ContainExactly, etc.) did not surface new offenses in this codebase.

Affected spec files (27 files, 41 offenses)

All offenses are RSpec/MatchWithSimpleRegex in spec files under spec/concepts/, spec/features/, spec/graphql/mutations/, and spec/services/ — patterns like expect(...).to match(/not found/) that RuboCop now suggests rewriting to include('not found').

Regex-based matchers that use real pattern syntax (e.g. match(/\d\d-\d\d-\d\d/), match(JoinCodeGenerator::FORMAT_REGEX)) were not flagged.

Local testing

Could not run the suite in this automation environment (no Docker/Ruby toolchain available; Ruby 4.0.5 install failed due to network/SSL restrictions). Relied on GitHub Actions CI for the PR branch:

  • test job: passed
  • lint job: failed (41 RSpec/MatchWithSimpleRegex offenses)

Recommendation: Merge with caution

The version bump itself is safe and tests pass, but do not merge as-is — CI lint is red.

Before merging, choose one of:

  1. Preferred: Run autocorrect on the PR branch:

    bundle exec rubocop -A

    All 41 offenses are marked [Correctable]; this rewrites simple match(/literal/) calls to include('literal') with no behavioural change to test intent.

  2. Alternative: Disable RSpec/MatchWithSimpleRegex in the shared digital-engineering RuboCop config (or locally in .rubocop.yml) if the team prefers to adopt that style separately.

Once lint passes, this is a straightforward dev-dependency upgrade with no production impact.

Sent by Cursor Automation: Editor-* - Tests Dependabot PRs

cursor Bot left a comment

Dependabot review: rubocop-rspec 3.9.0 → 3.10.0

Recommendation: Hold — safe dependency bump, but CI lint is currently failing on this branch. Fix the new RuboCop offenses (all autocorrectable) before merging.


Security

  • No known CVEs or GitHub security advisories for rubocop-rspec 3.10.0 (or 3.9.0).
  • This is a dev-only linting plugin; it is not loaded at application runtime and does not affect production attack surface.
  • The lockfile also resolves rubocop 1.86.1 → 1.87.0 as a transitive dependency (required by rubocop-rspec ≥ 3.10.0). No published advisories were found for these versions either.
  • Supply chain: gem is MIT-licensed, published from the official rubocop/rubocop-rspec repo with MFA-required publishing. No supply-chain red flags identified.

Verdict: No security concerns introduced or resolved by this bump.


Safety of merging / behavioural impact

| Area | Impact |
|---|---|
| Runtime / tests | No production behaviour change. Full RSpec suite passes on CI (91.57% SimpleCov line coverage). |
| Lint (CI gate) | Fails — 41 new offenses, all [Correctable]. |
| Breaking API changes | None documented in the 3.10.0 changelog. |

What changed in 3.10.0 (relevant to this repo):

  1. New cop RSpec/MatchWithSimpleRegex — flags expect(x).to match(/literal/) and suggests include('literal'). This is the source of 40 offenses across spec/concepts/**, spec/features/**, spec/graphql/**, and spec/services/**.
  2. New cop RSpec/DiscardedMatcher — no offenses detected in this codebase.
  3. Bug fixes to existing cops (RSpec/ContainExactly, RSpec/ExpectActual, RSpec/SpecFilePathFormat, etc.) — should reduce false positives, no new failures observed.
  4. Transitive rubocop 1.87.0 introduces 1 offense: Style/RedundantSelf in app/models/project.rb:117 (unrelated to RSpec cops).

Repo configuration: .rubocop.yml inherits shared RSpec rules from digital-engineering/configs/rubocop-rspec.yml and does not disable the new cops. .rubocop_todo.yml has no entries for MatchWithSimpleRegex or DiscardedMatcher.

Note: RSpec/DiscardedMatcher was listed in both 3.9.0 and 3.10.0 changelogs; 3.10.0 appears to be the release where it is fully active under current RuboCop.


CI / test results

| Check | Result |
|---|---|
| test (RSpec) | ✅ Pass |
| lint (RuboCop) | ❌ Fail — 501 files inspected, 41 offenses (41 autocorrectable) |
| CLA | ✅ Pass |

Local environment: Docker and Ruby 4.0.5 were unavailable in the review agent environment; results above are from CI run 27537688810.


Recommendation: Hold

The bump itself is low-risk and tests are green, but merging as-is will leave main with a failing lint CI gate.

Before merge, either:

  1. Run bundle exec rubocop -A on this branch to auto-correct all 41 offenses (mostly match(/…/) → include('…') in specs, plus one self removal in project.rb), or
  2. Disable RSpec/MatchWithSimpleRegex in the shared digital-engineering RuboCop config (or locally in .rubocop.yml) if the team prefers to keep match for substring assertions.

After the lint fix, re-run CI and merge. Optionally consider bumping to 3.10.2 (latest patch) which includes fixes for RSpec/MatchWithSimpleRegex false positives with regex options/interpolations.


Review by Cursor automation

Sent by Cursor Automation: Editor-* - Tests Dependabot PRs

dependabot Bot and others added 2 commits June 15, 2026 15:43
Bumps [rubocop-rspec](https://github.com/rubocop/rubocop-rspec) from 3.9.0 to 3.10.0.
- [Release notes](https://github.com/rubocop/rubocop-rspec/releases)
- [Changelog](https://github.com/rubocop/rubocop-rspec/blob/master/CHANGELOG.md)
- [Commits](rubocop/rubocop-rspec@v3.9.0...v3.10.0)

---
updated-dependencies:
- dependency-name: rubocop-rspec
  dependency-version: 3.10.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

All these changes are from using regexes when include could be used
zetter-rpf force-pushed the dependabot/bundler/rubocop-rspec-3.10.0 branch from 6b1d751 to 5f2dd8f June 15, 2026 14:43
zetter-rpf merged commit 21c9d1b into main Jun 15, 2026
5 checks passed
zetter-rpf deleted the dependabot/bundler/rubocop-rspec-3.10.0 branch June 15, 2026 14:50