[Security] Bump yard from 0.8.7.6 to 0.9.18

[dependabot-preview]

Bumps yard from 0.8.7.6 to 0.9.18. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Potential arbitrary file read vulnerability in yard server
lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block
relative paths with an initial ../ sequence, which allows attackers to conduct
directory traversal attacks and read arbitrary files.

Patched versions: >= 0.9.11
Unaffected versions: none

Release notes

Sourced from yard's releases.

v0.9.18

No release notes provided.

Release v0.9.17

No release notes provided.

Release v0.9.16

No release notes provided.

Release v0.9.15

0.9.15 - July 17th, 2018

• Fixed security issue in parsing of Ruby code that could allow for arbitrary
  execution. Credit to Nelson Elhage nelhage@nelhage.com for discovering this
  issue.

Release v0.9.14

• Fixed a regression in symbol parsing (#1170).

Release v0.9.13

• Added support for grouped constants via @!group directive (#1056).
• Added support for quoted symbols (#1168).
• Added support for i18n in tag text (#1169).
• Fixed HTML rendering of inline code blocks (#1152).
• Fixed rendering of anchor URLs in rendered HTML (#1154).

Release v0.9.11

• Mark C methods as explicit but also remove explicit check in stats. (#727)
• Report unresolved parent namespaces as undocumentable errors instead. (#753)
• No longer ignore overridden methods from documentation check in stats (#719)
• Fix JRuby throwing exception when remove_method called on non-existent method. (#732)
• Add basic support for private_class_method (#747)
• Ensure namespace is always set when parent module is not found. (#753)
• Set overflow as auto on table of contents.
• Report 100% documented if nothing is undocumented. (#754)
• Added support for RubyGems 2.0.0+. (#742)
• Allow users to enter their own YARD RakeTask name. (#705)
• Fixed a typo that was causing Windows detection to always fail. (#715)
• Add debug information when loading a plugin fails. (#711)

0.8.7.3 - November 1, 2013

... (truncated)

Changelog

Sourced from yard's changelog.

master

0.9.16 - August 11th, 2018

• Documentation fixes (#1175, #1178).
• Fixed stack overflow issue when parsing extremely large lists (#1176).

0.9.15 - July 17th, 2018

• Fixed security issue in parsing of Ruby code that could allow for arbitrary
  execution. Credit to Nelson Elhage nelhage@nelhage.com for discovering this
  issue.

0.9.14 - June 2nd, 2018

• Fixed a regression in symbol parsing (#1170).

0.9.13 - May 28th, 2018

• Added support for grouped constants via @!group directive (#1056).
• Added support for quoted symbols (#1168).
• Added support for i18n in tag text (#1169).
• Fixed HTML rendering of inline code blocks (#1152).
• Fixed rendering of anchor URLs in rendered HTML (#1154).

0.9.12 - November 26th, 2017

• Be more explicit about lack of support for absolute paths in extra files
  specified by yard doc command.

0.9.11 - November 23rd, 2017

• Fixed security issue in --readme that allowed for arbitrary file reads on
  disk. Credit to ztz ztz@ztz.me for discovering this issue.
• Improved styling for inline code blocks (#1142).

[0.9.10] - November 18th, 2017

... (truncated)

Commits

• 589f525 Bump version to 0.9.18
• 61d0ac2 Make test_doc Windows friendly
• 5a41289 Disable gems on Windows (fixes bundling for 64bit machines)
• 97e1346 Merge pull request #1210 from larskanis/add-svg-to-image-filenames
• 47b7e82 Merge pull request #1211 from dduugg/fix-pcm-warn
• ce80848 Merge pull request #1212 from castwide/file_singleton_methods
• 5699818 Fix frozen string modification in onefile template
• 6252ced Include .rb files as part of default ext/ glob
• 7e9aa9d Temporarily disable CI for Ruby 2.0/2.1 (Travis issues)
• e2a520b Fix rubocop formatting issues
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.