Bump the composer group across 1 directory with 3 updates

[dependabot]

Bumps the composer group with 3 updates in the / directory: phpunit/phpunit, psy/psysh and symfony/process.

Updates phpunit/phpunit from 10.5.46 to 10.5.62

Release notes

Sourced from phpunit/phpunit's releases.

PHPUnit 10.5.62

Changed

• To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs

---

Learn how to install or update PHPUnit 10.5 in the documentation.

Keep up to date with PHPUnit:

• You can follow @​phpunit@phpc.social to stay up to date with PHPUnit's development.
• You can subscribe to the PHPUnit Updates newsletter to receive updates about and tips for PHPUnit.

PHPUnit 10.5.61

Changed

• PHPUnit\Framework\MockObject exceptions are now subtypes of PHPUnit\Exception

---

Learn how to install or update PHPUnit 10.5 in the documentation.

Keep up to date with PHPUnit:

• You can follow @​phpunit@phpc.social to stay up to date with PHPUnit's development.
• You can subscribe to the PHPUnit Updates newsletter to receive updates about and tips for PHPUnit.

PHPUnit 10.5.60

• No changes; phpunit.phar rebuilt with PHP 8.4 to work around PHP-Scoper issue #1139

---

Learn how to install or update PHPUnit 10.5 in the documentation.

Keep up to date with PHPUnit:

• You can follow @​phpunit@phpc.social to stay up to date with PHPUnit's development.
• You can subscribe to the PHPUnit Updates newsletter to receive updates about and tips for PHPUnit.

PHPUnit 10.5.59

Changed

• #6338: Removed code from PHPUnit\Runner\TestSuiteSorter that was only used in the tests for this class
• Updated list of deprecated PHP configuration settings for PHP 8.4, PHP 8.5, and PHP 8.6

---

Learn how to install or update PHPUnit 10.5 in the documentation.

... (truncated)

Changelog

Sourced from phpunit/phpunit's changelog.

[10.5.62] - 2026-01-27

Changed

• To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs

[10.5.61] - 2026-01-24

Changed

• PHPUnit\Framework\MockObject exceptions are now subtypes of PHPUnit\Exception

[10.5.60] - 2025-12-06

• No changes; phpunit.phar rebuilt with PHP 8.4 to work around PHP-Scoper issue #1139

[10.5.59] - 2025-12-01

Changed

• #6338: Removed code from PHPUnit\Runner\TestSuiteSorter that was only used in the tests for this class
• Updated list of deprecated PHP configuration settings for PHP 8.4, PHP 8.5, and PHP 8.6

[10.5.58] - 2025-09-28

Fixed

• #6368: failOnPhpunitWarning="false" has no effect

[10.5.57] - 2025-09-24

• No changes; phpunit.phar rebuilt with updated dependencies

[10.5.56] - 2025-09-23

• No changes; phpunit.phar rebuilt with updated dependencies

[10.5.55] - 2025-09-14

Changed

• #6366: Exclude __sleep() and __wakeup() from test double code generation on PHP >= 8.5

[10.5.54] - 2025-09-11

Changed

• Do not use __sleep() method (which will be deprecated in PHP 8.5)

[10.5.53] - 2025-08-20

... (truncated)

Commits

• 3f7dd50 Prepare release
• 9c95cf0 Merge branch '9.6' into 10.5
• fea0625 Prepare release
• 1a677f6 Merge branch '8.5' into 9.6
• 1015741 Prepare release
• e5cda18 Fix bad merge
• a8b932b Merge branch '9.6' into 10.5
• 1cce5f3 Merge branch '8.5' into 9.6
• 3141742 Do not run PHPT test when its temporary file for code coverage information ex...
• 0b3170a We do not need to unserialize() objects here
• Additional commits viewable in compare view

Updates psy/psysh from 0.12.8 to 0.12.19

Release notes

Sourced from psy/psysh's releases.

PsySH v0.12.19

⚠️ Security fix

Fixed a CWD configuration poisoning vulnerability (CVE-2026-25129) where a malicious .psysh.php file in an attacker-writable directory could execute arbitrary code when a victim runs PsySH from that directory. This affects all versions prior to v0.12.19 and v0.11.23, including downstream consumers like Laravel Tinker, when invoked from an attacker-writable CWD.

Fixed in v0.12.19 and v0.11.23. Upgrade ASAP.

Restricted Mode

PsySH now requires explicit trust before loading project-local config (.psysh.php), local PsySH binaries, or Composer autoloads from untrusted projects. Trust decisions are persisted per-project in trusted_projects.json.

Configure with trustProject:

'trustProject' => 'prompt',  // default — ask interactively
'trustProject' => 'always',  // trust all projects
'trustProject' => 'never',   // always run restricted

Or use --trust-project / --no-trust-project CLI flags, or the PSYSH_TRUST_PROJECT env var.

Non-interactive sessions automatically skip untrusted features with a warning.

Magic method and property support 🪄

Tab completion, ls, doc, and show commands now recognize @method and @property docblock tags. Magic members display in magenta so you can tell them apart from real methods and properties.

Inheritance works as expected — magic members from parent classes, interfaces, and traits are included, with child declarations taking precedence.

Also fixes parsing of generic types (e.g., array<int, string>) in docblock tags, which previously broke on whitespace inside angle brackets.

See #905

Improvements

• Excluded a few unnecessary files and folders from release source zips (Thanks @​reedy!)
• Fixed --cwd to actually change the working directory. Previously it only affected discovery for autoload/config, so relative paths and other directory-dependent behavior didn’t work as expected inside the shell.
• Significantly improved memory usage with older php-parser versions (pre-v4.18.0)

PsySH v0.12.18

• Fix exit() not working when uopz extension is loaded
• Don't reopen pager if user closes it early
• Ensure stty state is restored before exiting PsySH (fixes an issue where Ctrl-C might be incorrectly handled after exiting)

PsySH v0.12.17

Hot code reloading!!?!?1?

... (truncated)

Commits

• a4f766e Merge branch 'release/v0.12.19'
• b59690d Bump to v0.12.19
• 5e93b5c Add Restricted Mode for untrusted projects
• 9bfc28d Revert "Add PAGER env var support."
• 07d8a16 Add magic method and property support
• d1438d6 Bump symfony/process from 5.4.47 to 5.4.51 in /vendor-bin/box
• 22fba81 Update phpstan ignore list
• 312b64a Fix OOM in CI, improve memory usage with php-parser older than v4.18.0
• 3283653 Year++, minor cleanup
• 95f8ef0 Lazy-boot Shell dependencies
• Additional commits viewable in compare view

Updates symfony/process from 6.4.20 to 6.4.33

Release notes

Sourced from symfony/process's releases.

v6.4.33

Changelog (symfony/process@v6.4.32...v6.4.33)

• security #cve-2026-24739 Fix escaping for MSYS on Windows (nicolas-grekas)
• bug #63164 Fix escaping for MSYS on Windows (@​nicolas-grekas)

v6.4.32

Changelog (symfony/process@v6.4.31...v6.4.32)

• bug #63004 Ignore invalid env var names (@​nicolas-grekas)

v6.4.31

Changelog (symfony/process@v6.4.30...v6.4.31)

• bug symfony/symfony#62775 [Process] Fix dealing with broken stdin pipes (@​nicolas-grekas)

v6.4.26

Changelog (symfony/process@v6.4.25...v6.4.26)

• bug symfony/symfony#61727 Replace __sleep/wakeup() by __(un)serialize() for throwing and internal usages (@​nicolas-grekas)

v6.4.25

Changelog (symfony/process@v6.4.24...v6.4.25)

• bug symfony/symfony#61401 [Process] Enhance hasSystemCallBeenInterrupted function for non-english locale (@​christianseel)

v6.4.24

Changelog (symfony/process@v6.4.23...v6.4.24)

• no significant changes

Commits

• c46e854 [Process] Fix escaping for MSYS on Windows
• c593135 [Process] Adjust Process mustRun method phpdoc
• e579464 [Process] Ignore invalid env var names
• 8541b73 [Process] Fix dealing with broken stdin pipes
• 48bad91 Replace __sleep/wakeup() by __(un)serialize() for throwing and internal usages
• 6be2f0c [Process] Enhance hasSystemCallBeenInterrupted function for non-english locale
• 6e0026e Fix wrong boolean values
• 8eb6dc5 CS fixes
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.