Skip to content

Bump the composer group across 1 directory with 4 updates#227

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/composer/composer-b3633138ef
Open

Bump the composer group across 1 directory with 4 updates#227
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/composer/composer-b3633138ef

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 19, 2026

Bumps the composer group with 4 updates in the / directory: phpunit/phpunit, psy/psysh, composer/composer and google/protobuf.

Updates phpunit/phpunit from 9.6.29 to 9.6.33

Release notes

Sourced from phpunit/phpunit's releases.

PHPUnit 9.6.33

Changed

  • To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs

Learn how to install or update PHPUnit 9.6 in the documentation.

Keep up to date with PHPUnit:

PHPUnit 9.6.32

Changed

  • PHPUnit\Framework\MockObject exceptions are now subtypes of PHPUnit\Exception

Learn how to install or update PHPUnit 9.6 in the documentation.

Keep up to date with PHPUnit:

PHPUnit 9.6.31

  • No changes; phpunit.phar rebuilt with PHP 8.4 to work around PHP-Scoper issue #1139

Learn how to install or update PHPUnit 9.6 in the documentation.

Keep up to date with PHPUnit:

PHPUnit 9.6.30

Changed

  • Updated list of deprecated PHP configuration settings for PHP 8.4, PHP 8.5, and PHP 8.6

Learn how to install or update PHPUnit 9.6 in the documentation.

Keep up to date with PHPUnit:

... (truncated)

Changelog

Sourced from phpunit/phpunit's changelog.

[9.6.33] - 2026-01-27

Changed

  • To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs

[9.6.32] - 2026-01-24

Changed

  • PHPUnit\Framework\MockObject exceptions are now subtypes of PHPUnit\Exception

[9.6.31] - 2025-12-06

  • No changes; phpunit.phar rebuilt with PHP 8.4 to work around PHP-Scoper issue #1139

[9.6.30] - 2025-12-01

Changed

  • Updated list of deprecated PHP configuration settings for PHP 8.4, PHP 8.5, and PHP 8.6
Commits
  • fea0625 Prepare release
  • 1a677f6 Merge branch '8.5' into 9.6
  • 1015741 Prepare release
  • 1cce5f3 Merge branch '8.5' into 9.6
  • 3141742 Do not run PHPT test when its temporary file for code coverage information ex...
  • 0b3170a We do not need to unserialize() objects here
  • 261086a Extract method
  • fdd6b86 Fix CS/WS issue
  • 492ee10 Prepare release
  • 81edce2 Merge branch '8.5' into 9.6
  • Additional commits viewable in compare view

Updates psy/psysh from 0.12.7 to 0.12.22

Release notes

Sourced from psy/psysh's releases.

PsySH v0.12.22

Runtime config and clipboard support

PsySH has a new config command for inspecting and updating runtime-configurable settings during the current session. You can tweak things like pager, theme, verbosity, useSuggestions, useSyntaxHighlighting, clipboardCommand, and semicolonsSuppressReturn without restarting the shell. Fixes #361

There’s also a new copy command for copying the last result ($_) or any expression to your clipboard. Works with system clipboard commands, or via OSC 52 for SSH and remote terminals.

Configure with clipboardCommand or useOsc52Clipboard in your config.

Semicolon-based return suppression

Optionally suppress return values by ending a statement with ;, similar to MATLAB/Octave behavior. Supports a 'double' mode requiring ;; for suppression (if requireSemicolons is also enabled, both true and 'double' require ;;).

'semicolonsSuppressReturn' => true,
'semicolonsSuppressReturn' => 'double', // Always require ;; to suppress

Output and exception display improvements

Strings are now valid PHP!

  • PsySH now preserves backslashes and other characters it previously mangled in a few cases. Fixes #351, #568
  • Multiline strings are rendered using heredoc-style output rather than triple-quoted strings """. The old format is available via useDeprecatedMultilineStrings until the next major release.

Providing an exceptionDetails callback via config renders additional context about exceptions (e.g. validation errors) alongside the error message. Fixes #648

A few other improvements:

  • More consistent compact (and non-compact) output spacing.
  • Responsive help layout adapts to terminal width.

Better completion for everyone

Legacy readline now shares PsySH’s newer completion engine, which brings much better parity between ext-readline/libedit and experimental interactive readline. Command argument completion, better multiline buffering, and a handful of command-dispatch edge cases now work much more consistently outside experimental readline too.

Commands can now define their own argument completions via CommandArgumentCompletionAware.

Interactive readline polish

New in the experimental interactive readline:

  • Live syntax highlighting — code is highlighted as you type. Can be disabled via useSyntaxHighlighting if you don't like colors, I guess.
  • Allman-style indenting — opening brackets on a new line get proper indentation.
  • Improved auto-dedent — closing brackets automatically reduce indentation.

psy\info() and --info also report more detail about readline and autocomplete state.

Run psysh with --experimental-readline and try it out. It's getting kind of awesome!

... (truncated)

Commits
  • 3be75d5 Merge branch 'release/v0.12.22'
  • 8042a8f Bump to v0.12.22
  • fd4cb69 Fix phan warning
  • 2b350a4 Fix throw special casing in really old php-parser versions
  • 193e149 Fix a code cleaner bug with throw new Exception in PHP 7.4
  • f583f74 Restore VarDumper hard-ref handling, suppress link-only markers
  • 1e6a0d6 Prefer use statements over FQNs
  • 484e600 Simplify theme identity, no-op updates when unchanged
  • f01e492 Standardize test temp dir creation and cleanup
  • 6f33aea Add token-based fallback for incomplete member completion
  • Additional commits viewable in compare view

Updates composer/composer from 2.9.3 to 2.9.8

Release notes

Sourced from composer/composer's releases.

2.9.8

Full Changelog: composer/composer@2.9.7...2.9.8

2.9.7

  • Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

Full Changelog: composer/composer@2.9.6...2.9.7

2.9.6

  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

Full Changelog: composer/composer@2.9.5...2.9.6

2.9.5

  • Added support for new pie download-url-methods (#12727)
  • Fixed detection of 7z when installed as 7za on some linux systems (#12731)
  • Fixed warning because of the symfony/process CVE, 2.9.4 had a workaround already

Full Changelog: composer/composer@2.9.4...2.9.5

2.9.4

  • Added active plugins to the diagnose command output (#12706)
  • Fixed HTTP/3 causing issues with proxies (#12699)
  • Fixed show command regression with long descriptions containing unicode characters (#12704)
  • Fixed regression handling invalid unicode sequences in output (#12707)
  • Fixed git rev-list usages to support older pre-2.33 git versions (#12705)
  • Fixed issue handling paths with = in them on Windows (#12726)

Full Changelog: composer/composer@2.9.3...2.9.4

Changelog

Sourced from composer/composer's changelog.

[2.9.8] 2026-05-13

[2.9.7] 2026-04-14

  • Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

[2.9.6] 2026-04-14

  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

[2.9.5] 2026-01-29

  • Added support for new pie download-url-methods (#12727)
  • Fixed detection of 7z when installed as 7za on some linux systems (#12731)
  • Fixed warning because of the symfony/process CVE, 2.9.4 had a workaround already

[2.9.4] 2026-01-22

  • Added active plugins to the diagnose command output (#12706)
  • Fixed HTTP/3 causing issues with proxies (#12699)
  • Fixed show command regression with long descriptions containing unicode characters (#12704)
  • Fixed regression handling invalid unicode sequences in output (#12707)
  • Fixed git rev-list usages to support older pre-2.33 git versions (#12705)
  • Fixed issue handling paths with = in them on Windows (#12726)
Commits

Updates google/protobuf from 4.33.1 to 4.33.6

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the composer group across 1 directory with 4 updates
b81eb55 
Bumps the composer group with 4 updates in the / directory: [phpunit/phpunit](https://github.com/sebastianbergmann/phpunit), [psy/psysh](https://github.com/bobthecow/psysh), [composer/composer](https://github.com/composer/composer) and [google/protobuf](https://github.com/protocolbuffers/protobuf-php).


Updates `phpunit/phpunit` from 9.6.29 to 9.6.33
- [Release notes](https://github.com/sebastianbergmann/phpunit/releases)
- [Changelog](https://github.com/sebastianbergmann/phpunit/blob/9.6.33/ChangeLog-9.6.md)
- [Commits](sebastianbergmann/phpunit@9.6.29...9.6.33)

Updates `psy/psysh` from 0.12.7 to 0.12.22
- [Release notes](https://github.com/bobthecow/psysh/releases)
- [Commits](bobthecow/psysh@v0.12.7...v0.12.22)

Updates `composer/composer` from 2.9.3 to 2.9.8
- [Release notes](https://github.com/composer/composer/releases)
- [Changelog](https://github.com/composer/composer/blob/main/CHANGELOG.md)
- [Commits](composer/composer@2.9.3...2.9.8)

Updates `google/protobuf` from 4.33.1 to 4.33.6
- [Commits](protocolbuffers/protobuf-php@v4.33.1...v4.33.6)

---
updated-dependencies:
- dependency-name: phpunit/phpunit
  dependency-version: 9.6.33
  dependency-type: direct:development
  dependency-group: composer
- dependency-name: psy/psysh
  dependency-version: 0.12.22
  dependency-type: indirect
  dependency-group: composer
- dependency-name: composer/composer
  dependency-version: 2.9.8
  dependency-type: indirect
  dependency-group: composer
- dependency-name: google/protobuf
  dependency-version: 4.33.6
  dependency-type: indirect
  dependency-group: composer
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file php Pull requests that update php code labels May 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file php Pull requests that update php code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants