Bump the composer group across 1 directory with 5 updates #222

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/composer/composer-12a16617f1

@dependabot dependabot Bot commented on behalf of github May 11, 2026

Bumps the composer group with 5 updates in the / directory:

Package From To
phpunit/phpunit 9.6.29 9.6.33
psy/psysh 0.12.7 0.12.22
symfony/process 6.4.26 6.4.33
composer/composer 2.9.3 2.9.7
google/protobuf 4.33.1 4.33.6

Updates phpunit/phpunit from 9.6.29 to 9.6.33

Release notes

Sourced from phpunit/phpunit's releases.

PHPUnit 9.6.33

Changed

  • To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs

Learn how to install or update PHPUnit 9.6 in the documentation.

Keep up to date with PHPUnit:

PHPUnit 9.6.32

Changed

  • PHPUnit\Framework\MockObject exceptions are now subtypes of PHPUnit\Exception

PHPUnit 9.6.31

  • No changes; phpunit.phar rebuilt with PHP 8.4 to work around PHP-Scoper issue #1139

PHPUnit 9.6.30

Changed

  • Updated list of deprecated PHP configuration settings for PHP 8.4, PHP 8.5, and PHP 8.6

... (truncated)

Changelog

Sourced from phpunit/phpunit's changelog.

[9.6.33] - 2026-01-27

Changed

  • To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs

[9.6.32] - 2026-01-24

Changed

  • PHPUnit\Framework\MockObject exceptions are now subtypes of PHPUnit\Exception

[9.6.31] - 2025-12-06

  • No changes; phpunit.phar rebuilt with PHP 8.4 to work around PHP-Scoper issue #1139

[9.6.30] - 2025-12-01

Changed

  • Updated list of deprecated PHP configuration settings for PHP 8.4, PHP 8.5, and PHP 8.6

Commits
  • fea0625 Prepare release
  • 1a677f6 Merge branch '8.5' into 9.6
  • 1015741 Prepare release
  • 1cce5f3 Merge branch '8.5' into 9.6
  • 3141742 Do not run PHPT test when its temporary file for code coverage information ex...
  • 0b3170a We do not need to unserialize() objects here
  • 261086a Extract method
  • fdd6b86 Fix CS/WS issue
  • 492ee10 Prepare release
  • 81edce2 Merge branch '8.5' into 9.6
  • Additional commits viewable in compare view

Updates psy/psysh from 0.12.7 to 0.12.22

Release notes

Sourced from psy/psysh's releases.

PsySH v0.12.22

Runtime config and clipboard support

PsySH has a new config command for inspecting and updating runtime-configurable settings during the current session. You can tweak things like pager, theme, verbosity, useSuggestions, useSyntaxHighlighting, clipboardCommand, and semicolonsSuppressReturn without restarting the shell. Fixes #361

There’s also a new copy command for copying the last result ($_) or any expression to your clipboard. Works with system clipboard commands, or via OSC 52 for SSH and remote terminals.

Configure with clipboardCommand or useOsc52Clipboard in your config.

Semicolon-based return suppression

Optionally suppress return values by ending a statement with ;, similar to MATLAB/Octave behavior. Supports a 'double' mode requiring ;; for suppression (if requireSemicolons is also enabled, both true and 'double' require ;;).

'semicolonsSuppressReturn' => true,
'semicolonsSuppressReturn' => 'double', // Always require ;; to suppress

Output and exception display improvements

Strings are now valid PHP!

  • PsySH now preserves backslashes and other characters it previously mangled in a few cases. Fixes #351, #568
  • Multiline strings are rendered using heredoc-style output rather than triple-quoted strings """. The old format is available via useDeprecatedMultilineStrings until the next major release.

Providing an exceptionDetails callback via config renders additional context about exceptions (e.g. validation errors) alongside the error message. Fixes #648

A few other improvements:

  • More consistent compact (and non-compact) output spacing.
  • Responsive help layout adapts to terminal width.

Better completion for everyone

Legacy readline now shares PsySH’s newer completion engine, which brings much better parity between ext-readline/libedit and experimental interactive readline. Command argument completion, better multiline buffering, and a handful of command-dispatch edge cases now work much more consistently outside experimental readline too.

Commands can now define their own argument completions via CommandArgumentCompletionAware.

Interactive readline polish

New in the experimental interactive readline:

  • Live syntax highlighting — code is highlighted as you type. Can be disabled via useSyntaxHighlighting if you don't like colors, I guess.
  • Allman-style indenting — opening brackets on a new line get proper indentation.
  • Improved auto-dedent — closing brackets automatically reduce indentation.

psy\info() and --info also report more detail about readline and autocomplete state.

Run psysh with --experimental-readline and try it out. It's getting kind of awesome!

... (truncated)

Commits
  • 3be75d5 Merge branch 'release/v0.12.22'
  • 8042a8f Bump to v0.12.22
  • fd4cb69 Fix phan warning
  • 2b350a4 Fix throw special casing in really old php-parser versions
  • 193e149 Fix a code cleaner bug with throw new Exception in PHP 7.4
  • f583f74 Restore VarDumper hard-ref handling, suppress link-only markers
  • 1e6a0d6 Prefer use statements over FQNs
  • 484e600 Simplify theme identity, no-op updates when unchanged
  • f01e492 Standardize test temp dir creation and cleanup
  • 6f33aea Add token-based fallback for incomplete member completion
  • Additional commits viewable in compare view

Updates symfony/process from 6.4.26 to 6.4.33

Release notes

Sourced from symfony/process's releases.

v6.4.33

Changelog (symfony/process@v6.4.32...v6.4.33)

v6.4.32

Changelog (symfony/process@v6.4.31...v6.4.32)

v6.4.31

Changelog (symfony/process@v6.4.30...v6.4.31)

Commits
  • c46e854 [Process] Fix escaping for MSYS on Windows
  • c593135 [Process] Adjust Process mustRun method phpdoc
  • e579464 [Process] Ignore invalid env var names
  • 8541b73 [Process] Fix dealing with broken stdin pipes
  • See full diff in compare view

Updates composer/composer from 2.9.3 to 2.9.7

Release notes

Sourced from composer/composer's releases.

2.9.7

  • Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

Full Changelog: composer/composer@2.9.6...2.9.7

2.9.6

  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

Full Changelog: composer/composer@2.9.5...2.9.6

2.9.5

  • Added support for new pie download-url-methods (#12727)
  • Fixed detection of 7z when installed as 7za on some linux systems (#12731)
  • Fixed warning because of the symfony/process CVE, 2.9.4 had a workaround already

Full Changelog: composer/composer@2.9.4...2.9.5

2.9.4

  • Added active plugins to the diagnose command output (#12706)
  • Fixed HTTP/3 causing issues with proxies (#12699)
  • Fixed show command regression with long descriptions containing unicode characters (#12704)
  • Fixed regression handling invalid unicode sequences in output (#12707)
  • Fixed git rev-list usages to support older pre-2.33 git versions (#12705)
  • Fixed issue handling paths with = in them on Windows (#12726)

Full Changelog: composer/composer@2.9.3...2.9.4

Changelog

Sourced from composer/composer's changelog.

[2.9.7] 2026-04-14

  • Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

[2.9.6] 2026-04-14

  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

[2.9.5] 2026-01-29

  • Added support for new pie download-url-methods (#12727)
  • Fixed detection of 7z when installed as 7za on some linux systems (#12731)
  • Fixed warning because of the symfony/process CVE, 2.9.4 had a workaround already

[2.9.4] 2026-01-22

  • Added active plugins to the diagnose command output (#12706)
  • Fixed HTTP/3 causing issues with proxies (#12699)
  • Fixed show command regression with long descriptions containing unicode characters (#12704)
  • Fixed regression handling invalid unicode sequences in output (#12707)
  • Fixed git rev-list usages to support older pre-2.33 git versions (#12705)
  • Fixed issue handling paths with = in them on Windows (#12726)

Commits
  • 82a2fbd Release 2.9.7
  • 02265b2 Update changelog
  • ca0612e Fixes custom script command aliases regression when a script is called a subs...
  • bd695ee Reverting release version changes
  • 9afc32c Release 2.9.6
  • e00073c Fix some perforce type issues
  • 4fcc13d Convert perforce util to use array process args to avoid injections
  • fd82721 Update changelog
  • 15f2541 Fix --no-plugins handling regression in #12758, fixes #12789
  • 4f02616 Merge commit from fork
  • Additional commits viewable in compare view

Updates google/protobuf from 4.33.1 to 4.33.6

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the composer group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [phpunit/phpunit](https://github.com/sebastianbergmann/phpunit) | `9.6.29` | `9.6.33` |
| [psy/psysh](https://github.com/bobthecow/psysh) | `0.12.7` | `0.12.22` |
| [symfony/process](https://github.com/symfony/process) | `6.4.26` | `6.4.33` |
| [composer/composer](https://github.com/composer/composer) | `2.9.3` | `2.9.7` |
| [google/protobuf](https://github.com/protocolbuffers/protobuf-php) | `4.33.1` | `4.33.6` |



Updates `phpunit/phpunit` from 9.6.29 to 9.6.33
- [Release notes](https://github.com/sebastianbergmann/phpunit/releases)
- [Changelog](https://github.com/sebastianbergmann/phpunit/blob/9.6.33/ChangeLog-9.6.md)
- [Commits](sebastianbergmann/phpunit@9.6.29...9.6.33)

Updates `psy/psysh` from 0.12.7 to 0.12.22
- [Release notes](https://github.com/bobthecow/psysh/releases)
- [Commits](bobthecow/psysh@v0.12.7...v0.12.22)

Updates `symfony/process` from 6.4.26 to 6.4.33
- [Release notes](https://github.com/symfony/process/releases)
- [Changelog](https://github.com/symfony/process/blob/8.1/CHANGELOG.md)
- [Commits](symfony/process@v6.4.26...v6.4.33)

Updates `composer/composer` from 2.9.3 to 2.9.7
- [Release notes](https://github.com/composer/composer/releases)
- [Changelog](https://github.com/composer/composer/blob/main/CHANGELOG.md)
- [Commits](composer/composer@2.9.3...2.9.7)

Updates `google/protobuf` from 4.33.1 to 4.33.6
- [Commits](protocolbuffers/protobuf-php@v4.33.1...v4.33.6)

---
updated-dependencies:
- dependency-name: phpunit/phpunit
  dependency-version: 9.6.33
  dependency-type: direct:development
  dependency-group: composer
- dependency-name: psy/psysh
  dependency-version: 0.12.22
  dependency-type: indirect
  dependency-group: composer
- dependency-name: symfony/process
  dependency-version: 6.4.33
  dependency-type: indirect
  dependency-group: composer
- dependency-name: composer/composer
  dependency-version: 2.9.7
  dependency-type: indirect
  dependency-group: composer
- dependency-name: google/protobuf
  dependency-version: 4.33.6
  dependency-type: indirect
  dependency-group: composer
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies (Pull requests that update a dependency file) and php (Pull requests that update php code) labels May 11, 2026
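
The Composer 2.9.6 entries above name two separate hardenings: process arguments passed as an array, and identifiers starting with `-` rejected. The sketch below is an added example, not Composer's code and not part of this pull request; `assertSafeRef()`, `runArgv()` and the sample references are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not Composer's code. assertSafeRef() and runArgv()
// are hypothetical names; the sample references are constructed.

/** Reject a VCS identifier that a command-line tool could read as an option. */
function assertSafeRef(string $ref): string
{
    // A leading "-" would be parsed as an option; whitespace and control bytes never belong in a ref.
    if ($ref === '' || $ref[0] === '-' || preg_match('/[\x00-\x20\x7f]/', $ref) === 1) {
        throw new InvalidArgumentException('unsafe reference: ' . json_encode($ref));
    }
    return $ref;
}

/** Run argv without a shell: proc_open() with an array command (PHP >= 7.4). */
function runArgv(array $argv): string
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ' . $argv[0]);
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0) {
        throw new RuntimeException("exit $status: $stderr");
    }
    return $stdout;
}

// Stand-in for a VCS client: a child PHP process that echoes the arguments it received.
$echoArgs = [PHP_BINARY, '-r', 'echo json_encode(array_slice($argv, 1));', '--'];

// Constructed inputs, as they might arrive from a repository definition or lock file.
$samples = ['release/2.9', 'main;date', '--verbose', "a\nb"];

foreach ($samples as $ref) {
    try {
        $seen = runArgv([...$echoArgs, assertSafeRef($ref)]);
        printf("%-14s passed as one argument: %s\n", json_encode($ref), $seen);
    } catch (InvalidArgumentException $e) {
        printf("%-14s rejected: %s\n", json_encode($ref), $e->getMessage());
    }
}
```

The `main;date` sample passes validation and stays inert only because no shell parses the command line. The `--verbose` sample is the case array arguments alone do not cover, which is what the leading-dash check is for.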

lehors commented May 11, 2026

@dependabot rebase

dependabot Bot commented on behalf of github May 11, 2026

Dependabot attempted to update this pull request, but because the branch dependabot/composer/composer-12a16617f1 is protected it was unable to do so.

dependabot Bot commented on behalf of github May 11, 2026

Oh no! Something went wrong on our end. Please try again later.

If the problem persists, please contact GitHub support for assistance 🙇

lehors commented May 11, 2026

These updates are not compatible with our setup:

lock file does not contain a compatible set of packages. Please run composer update.

Problem 1
- doctrine/instantiator is locked to version 2.1.0 and an update of this package was not requested.
- doctrine/instantiator 2.1.0 requires php ^8.4 -> your php version (8.3.31) does not satisfy that requirement.
Problem 2
- phpspec/prophecy is locked to version v1.23.1 and an update of this package was not requested.
- doctrine/instantiator 2.1.0 requires php ^8.4 -> your php version (8.3.31) does not satisfy that requirement.
- phpspec/prophecy v1.23.1 requires doctrine/instantiator ^1.2 || ^2.0 -> satisfiable by doctrine/instantiator[2.1.0].

After running composer update:

$ php ./web/core/scripts/run-tests.sh --sqlite /tmp/drupal.sqlite --url http://localhost Drupal
Drupal\Core\Test\Exception\MissingGroupException: Missing @group annotation in Drupal\Tests\devel\Unit\DevelClientSideFilterTableTest in /Users/lehors/LocalProjects/github.com/model_openness_tool/web/core/lib/Drupal/Core/Test/TestDiscovery.php:342
Stack trace:
#0 /Users/lehors/LocalProjects/github.com/model_openness_tool/web/core/lib/Drupal/Core/Test/TestDiscovery.php(169): Drupal\Core\Test\TestDiscovery::getTestInfo('Drupal\Tests\de...', '/**\n * Tests Cl...')
#1 /Users/lehors/LocalProjects/github.com/model_openness_tool/web/core/scripts/run-tests.sh(1004): Drupal\Core\Test\TestDiscovery->getTestClasses(NULL, Array)
#2 /Users/lehors/LocalProjects/github.com/model_openness_tool/web/core/scripts/run-tests.sh(172): simpletest_script_get_test_list()
#3 {main}

@lehors lehors closed this May 11, 2026

dependabot Bot commented on behalf of github May 11, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml
