[Security] Bump yard from 0.9.9 to 0.9.11

[dependabot-preview]

Bumps yard from 0.9.9 to 0.9.11. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Potential arbitrary file read vulnerability in yard server
lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block
relative paths with an initial ../ sequence, which allows attackers to conduct
directory traversal attacks and read arbitrary files.

Patched versions: >= 0.9.11
Unaffected versions: none

Release notes

Sourced from yard's releases.

Release v0.9.11

• Mark C methods as explicit but also remove explicit check in stats. (#727)
• Report unresolved parent namespaces as undocumentable errors instead. (#753)
• No longer ignore overridden methods from documentation check in stats (#719)
• Fix JRuby throwing exception when remove_method called on non-existent method. (#732)
• Add basic support for private_class_method (#747)
• Ensure namespace is always set when parent module is not found. (#753)
• Set overflow as auto on table of contents.
• Report 100% documented if nothing is undocumented. (#754)
• Added support for RubyGems 2.0.0+. (#742)
• Allow users to enter their own YARD RakeTask name. (#705)
• Fixed a typo that was causing Windows detection to always fail. (#715)
• Add debug information when loading a plugin fails. (#711)

0.8.7.3 - November 1, 2013

• Handle Unicode method/class/file names in server URL encoding (Handle legal UTF-8 method names docmeta/rubydoc.info#69).
• Style keyword style hashes with same symbol color in code highlighting (#707).
• Fix broken JS when visiting docs in file:// scheme (#706).
• Add support for new AsciiDoc file extensions (#704).
• Fix issues where non-Ruby code blocks would not display in Ruby 2 (#702).
• Add support for extra Ruby 2 symbol types in Ripper (#701).
• Ensure config directory exists before saving config file (#700).

0.8.7.2 - September 18, 2013

• Disallow absolute URLs when using frame anchor support.
• Support casted functions in CRuby method declarations (#697)

0.8.7.1 - September 11, 2013

• Fix potential XSS issue with frame anchor support.
• Add support for gettext 3.x gem.

0.8.7 - July 26, 2013

• Added --hide-api API option to hide objects with a given @api tag (#685).
• Added "Returns ...." prefix to summary when a lone @​return tag is used.
• Fixed issue that caused ref tags to be added to a docstring twice (#678).
• Fixed formatting issue in docstring summaries (#686)

... (truncated)

Changelog

Sourced from yard's changelog.

0.9.11 - November 23rd, 2017

• Fixed security issue in --readme that allowed for arbitrary file reads on
  disk. Credit to ztz [email protected] for discovering this issue.
• Improved styling for inline code blocks (#1142).

0.9.10 - November 18th, 2017

• Added --fail-on-warning option for yard doc which exits with a non-zero
  code if there are any warnings (#1093).
• Added support for parsing inside Struct.new blocks (#1099).
• Added support new ripper AST tokens (#1104, #1124).
• Fixed an issue where @see (obj) reference tags would fail (#1111)
• Fix sorting in yard stats (#1123).

Commits

• 7748eda Tag release v0.9.11
• 3bcccf6 Fix broken tests
• 10e84bd Update changelog
• b0217b3 Disallow relative paths that start with ../
• bd56c5d Merge pull request #1142 from noraj1337/patch-1
• cb1ddd7 Merge pull request #1143 from noraj1337/patch-2
• 6aecb55 fix typo
• fd3dff0 fix typo and 80 char line
• bac35d8 add an easy way to find yard plugins
• cedc0a5 css fix for inline code
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

[dependabot-preview]

Superseded by #52.