[Security] Bump yard from 0.8.7.6 to 0.9.12

[dependabot-preview]

Bumps yard from 0.8.7.6 to 0.9.12. This update includes security fixes.

Vulnerabilities fixed

Potential arbitrary file read vulnerability in yard server
lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block
relative paths with an initial ../ sequence, which allows attackers to conduct
directory traversal attacks and read arbitrary files.

Patched versions: [">= 0.9.11"]
Unaffected versions: []

Changelog

Sourced from yard's changelog.

0.9.12 - November 26th, 2017

• Be more explicit about lack of support for absolute paths in extra files
  specified by yard doc command.

0.9.11 - November 23rd, 2017

• Fixed security issue in --readme that allowed for arbitrary file reads on
  disk. Credit to ztz ztz@ztz.me for discovering this issue.
• Improved styling for inline code blocks (#1142).

0.9.10 - November 18th, 2017

• Added --fail-on-warning option for yard doc which exits with a non-zero
  code if there are any warnings (#1093).
• Added support for parsing inside Struct.new blocks (#1099).
• Added support new ripper AST tokens (#1104, #1124).
• Fixed an issue where [**see**](https://github.com/see) (obj) reference tags would fail (#1111)
• Fix sorting in yard stats (#1123).

0.9.9 - April 23rd, 2017

• Added gem uninstall hooks to remove YARD documentation files. (#1083)
• Added support for C++ namespaces. (#809)
• Fixed issue where loading a .html page via an anchor would not scroll to
  the anchor section. (#1082)
• Hide some Ruby warnings.
• Improve progress indicator icons in terminal.

0.9.8 - January 13th, 2017

• Fixed installed gems not being correctly found in yard server and by plugins.
• Fixed tokenization of %w(...) array syntax.

0.9.7 - January 9th, 2017

• Fixed resolution of absolute object paths with ambiguous names. (#1029)

... (truncated)

Commits

• 03515a8 Tag release v0.9.12
• de1a671 Update changelog
• 410b203 Disallow absolute paths in extra files and README
• 77af90b Removing IRC link
• 7748eda Tag release v0.9.11
• 3bcccf6 Fix broken tests
• 10e84bd Update changelog
• b0217b3 Disallow relative paths that start with ../
• bd56c5d Merge pull request #1142 from noraj1337/patch-1
• cb1ddd7 Merge pull request #1143 from noraj1337/patch-2
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot ignore this [minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use [this|these] label[s] will set the current labels as the default for future PRs for this repo and language

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Out-of-range updates (receive only lockfile updates, if desired)

Finally, you can contact us by mentioning @dependabot.

[dependabot-preview]

Superseded by #240.