Update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
carthage-software/mago	^1.4.1 → ^1.8.0
ergebnis/composer-normalize	^2.49.0 → ^2.50.0
phpstan/phpstan	^2.1.38 → ^2.1.39
phpstan/phpstan-deprecation-rules	^2.0.3 → ^2.0.4
phpstan/phpstan-phpunit	^2.0.12 → ^2.0.16
phpstan/phpstan-strict-rules	^2.0.8 → ^2.0.10
phpstan/phpstan-symfony	^2.0.12 → ^2.0.14
phpunit/phpunit (source)	^11.5.50 → ^11.5.53

---

Release Notes

carthage-software/mago (carthage-software/mago)

v1.8.0: Mago 1.8.0

Compare Source

Mago 1.8.0

This release delivers major improvements to the incremental analysis engine for watch mode, new type narrowing capabilities, return type providers for filter_var() / filter_input(), and a large number of bug fixes across the analyzer, linter, formatter, and type system.

✨ Features

Analyzer

• is_a() and is_subclass_of() type narrowing: The analyzer now narrows types after calls to is_a() and is_subclass_of(), including support for class-string parameters (#​1102)
• Return type providers for filter_var() and filter_input(): These functions now return precise types based on the filter and flags arguments (e.g., FILTER_VALIDATE_INT returns int|false, FILTER_VALIDATE_EMAIL with FILTER_NULL_ON_FAILURE returns string|null) (#​1117)
• Discriminated union narrowing: When narrowing a union of keyed arrays (e.g., array{valid: true, result: string}|array{valid: false, errorCode: string}), the analyzer now correctly filters out incompatible variants based on the narrowed key type, instead of blindly overwriting all variants. This also works for object property narrowing on union types (#​1093)

Linter

• no-isset array access ignore option: The no-isset rule now supports an allow-array-access option, allowing you to flag isset($var) while still permitting isset($array['key']) for array offset checks (#​1097, #​1120) by @​dotdash

Semantics

• Enforce parentheses for immediately invoked closures: The semantics checker now flags function() { ... }() as error, requiring parentheses around the closure for immediate invocation (#​1118)

⚡ Performance

Incremental Analysis Engine

The watch mode (mago analyze --watch) received a complete overhaul of its incremental analysis pipeline:

• Signature-only fingerprinting: Body-only changes (e.g., changing a function implementation without modifying its signature) now skip cascade invalidation, resulting in significantly faster re-analysis cycles
• Targeted O(dirty) repopulation: Only changed symbols are re-populated, skipping safe symbols entirely
• Incremental codebase patching: New extend_ref and remove_entries operations allow fine-grained metadata updates without rebuilding the entire codebase
• Safe symbol restoration: The reference graph now supports restoring safe symbols and targeted cleanup, reducing unnecessary re-analysis
• Body-only docblock resolution: Fixed a bug where body-only changes left docblock type references unresolved, causing spurious non-existent-class-like errors in watch mode
• Improved file watcher stability: Better debounce handling, stability checks, and explicit path handling for the file watcher
• Watch mode is no longer experimental: The experimental warning has been removed

🐛 Bug Fixes

Analyzer

• require-extends/require-implements resolution: Members from @require-extends and @require-implements types are now correctly resolved (#​1064, #​1070)
• Unused property false positive with trait overrides: Properties that override trait properties via constructor promotion are no longer incorrectly flagged as unused (#​1119)
• FQN literal constants: Fully-qualified constant accesses \true, \false, and \null are now correctly recognized (#​1099, #​1100) by @​kzmshx
• Class-level template parameters for static calls: Template parameters defined at the class level are now properly resolved when making static method calls on generic types (#​1103)
• Abstract method compatibility checking: The get_substituted_method function is now correctly applied to the child method when checking method signature compatibility, fixing false positives with generic abstract method inheritance
• Mixin type parameters preservation: Type parameters on mixin types (e.g., IteratorIterator) are now preserved during method resolution, fixing incorrect return types (#​1106)
• Integer narrowing with non-variable expressions: Fixed incorrect narrowing when comparing integers against non-variable expressions like function calls (#​1088)
• For-loop condition narrowing: Integer literals in loop conditions (e.g., for ($i = 0; $i < 10; $i++)) are now properly extracted from the AST for type narrowing (#​1089)
• Redundant type comparison in OR conditions: Fixed false positive redundant-type-comparison when using count checks or string narrowing in || conditions (#​1112)
• List count with unknown size: HasAtLeastCount assertions no longer incorrectly set an exact known_count on lists with unknown count, preventing false unreachable-code reports (#​1104)
• Array spread with unknown count: Fixed false positive when spreading a list with unknown count into an array literal (#​1108)
• Class constant @var docblock type: The analyzer now prefers @var docblock types over inferred types for class constants, fixing cases where properly typed array values stayed as mixed (#​1090, #​1094)

Codex (Type System)

• never as bottom type: never is now correctly treated as a subtype of all types in extends_or_implements checks (#​1107, #​1109) by @​kzmshx
• Type alias forward references: All local @psalm-type / @phpstan-type alias names are now pre-registered before parsing, so aliases can reference each other regardless of declaration order (#​1116)
• String casing detection: Fixed incorrect impossible-condition false positives when comparing strtolower()/strtoupper() results with literals containing non-alphabetic characters (spaces, digits, etc.) (#​1086)
• Bidirectional TUnion equality: Type union equality checks are now bidirectional, preventing false positives when comparing types with different ordering (#​1087)

Linter

• no-redundant-use whole-word matching: Docblock reference checking now uses whole-word matching instead of substring matching, so use Config; is correctly flagged as unused even when ConfigUsage appears in a docblock (#​1078)
• inline-variable-return with by-reference assignment: The fixer no longer inlines assignments of by-reference expressions, which would produce invalid PHP (#​1114)
• prefer-early-continue with non-block body: Fixed the fixer for cases where the loop body is a single statement without braces (#​1085) by @​chrisopperwall-qz

Formatter

• First-class callable with argument unpacking: First-class callable expressions (e.g., $foo(...)) are no longer incorrectly treated as breaking expressions, fixing misformatted output (#​1091)
• Redundant grouping parentheses: The formatter now correctly removes redundant grouping parentheses in more cases (#​1121) by @​Michael4d45
• Heredoc span calculation: Fixed incorrect span calculation for heredoc/nowdoc strings, which could cause formatting issues (#​1092)

Prelude (Type Stubs)

• explode() return type: Corrected to properly return list<string> instead of non-empty-list<string> when the separator could be empty (#​1095)
• array_slice() return type: Now correctly preserves string keys in the return type (#​1096)
• ldap_sasl_bind() stubs: Updated all arguments except the first to be nullable (#​1098)
• bin2hex() stubs: Improved type definition (#​1101) by @​veewee

🏗️ Internal

• Removed experimental warning for analyzer watch mode
• New IncrementalAnalysisService encapsulating the full incremental analysis pipeline for watch mode and LSP
• CodebaseDiff::between() for metadata comparison and mark_safe_symbols() for incremental analysis
• Signature-only fingerprint mode for detecting body-only vs. signature changes
• Applied clippy fixes across codex and linter crates
• Re-generated linter documentation

🙏 Thank You

Contributors

A huge thank you to everyone who contributed code to this release:

• @​chrisopperwall-qz — #​1085
• @​dotdash — #​1120
• @​kzmshx — #​1100, #​1109
• @​Michael4d45 — #​1121
• @​veewee — #​1101

Issue Reporters

Thank you to everyone who reported issues and requested features that shaped this release:

• @​bendavies — #​1094
• @​ddanielou — #​1093
• @​Dima-369 — #​1086, #​1087
• @​dotdash — #​1097, #​1118
• @​dynasource — #​1090
• @​erik-perri — #​1078
• @​karoun — #​1103, #​1116
• @​KorvinSzanto — #​1117, #​1119
• @​kzmshx — #​1107
• @​marcovmun — #​1092, #​1114
• @​MartkCz — #​1091
• @​matsuo — #​1098
• @​mreidel-godaddy — #​1095, #​1096
• @​Nadyita — #​1104, #​1106, #​1108, #​1112

---

Full Changelog: carthage-software/mago@1.7.0...1.8.0

v1.7.0: Mago 1.7.0

Compare Source

Mago 1.7.0

This release introduces new type system features, improved type inference for built-in functions, a new linter rule, and numerous bug fixes for the analyzer, formatter, and type system. A significant internal effort also went into reducing dependencies and binary size.

✨ Features

Type System

• uppercase-string and non-empty-uppercase-string types: Full support for these PHPDoc types in type syntax, codex, and analyzer. This resolves cascading errors when these types were previously unrecognized (#​1057)

Analyzer

• Return type providers for min() and max(): These functions now return precise types based on their arguments (#​1074)

• array_filter() callback parameter type inference: The analyzer now respects the mode argument (ARRAY_FILTER_USE_KEY, ARRAY_FILTER_USE_BOTH) when inferring closure parameter types, fixing incorrect mixed inference for callback parameters (#​1031)

• Switch statement fallthrough analysis: The analyzer now correctly recognizes that non-terminating code paths in a case block fall through to the next case. A case with a conditional return followed by a case that always returns is no longer flagged as missing-return-statement (#​1081)

Linter

• no-redundant-isset rule: New rule that detects redundant arguments in isset() calls. For example, in isset($a, $a['key'], $a['key']['nested']), the first two checks are redundant because isset on a nested access implicitly checks all parent accesses (#​769)

CLI

• --ignore-baseline flag: New flag for lint and analyze commands that temporarily ignores the baseline file, useful for reviewing and fixing baselined issues (#​1076)

⚡ Performance

• Reduced AST size: Optimized AST node representation to reduce memory usage during parsing
• Leaner binary: Removed 7 third-party dependencies (reqwest, openssl, num_cpus, strum_macros, derivative, strsim, bitflags, async-walkdir), replacing them with standard library equivalents or manual implementations. reqwest/openssl were replaced with ureq/rustls for a significantly smaller and faster-compiling binary

🐛 Bug Fixes

Analyzer

• Unused method false positives: Methods referenced in literal arrays ([$this, 'method']) and string callbacks ('ClassName::method') are now correctly tracked as used (#​1069, #​1044)
• Property/constant access type expansion: Property access and constant access expressions now have their types properly expanded, fixing incorrect type inference (#​1071)
• Non-optional list items in array merge: Fixed an issue where non-optional list items were incorrectly skipped during array merging

Codex

• @psalm-require-extends support in traits: Methods, properties, and class constants inherited from required parent classes via @psalm-require-extends or @phpstan-require-extends are now properly resolved in traits, eliminating false non-existent-property, non-existent-class-constant, and unknown-ref errors (#​1064, #​1068, #​1070)
• Enum types in generic comparator: Fixed incorrect type comparison when enums implement generic interfaces, resolving false invalid-return-type errors (#​1061)
• Platform-aware constant types: Predefined constants like PHP_INT_SIZE, PHP_INT_MAX, and PHP_FLOAT_DIG now use platform-aware range/union types instead of host-specific literal values. PHP_INT_SIZE > 4 is no longer flagged as a redundant comparison (#​1084)

Formatter

• Assignment alignment leaking into nested arrays: When align-assignment-like is enabled, the alignment context from consecutive variable assignments no longer leaks into nested array key-value pairs (#​1082)

Linter

• prefer-first-class-callable with reference captures: Skip suggesting first-class callable syntax when the callee variable is captured by reference in a closure's use clause, as the two forms have different semantics (#​1067, #​1063) by @​kzmshx

Prelude (Type Stubs)

• array_walk generics: Fixed generic templates for array_walk to properly infer callback parameter types (#​1066, #​1045) by @​ddanielou
• array_splice type precision: Improved type definitions for array_splice to preserve list<T> types and correctly handle non-array replacement arguments (#​1072, #​1080)
• Sorting functions type precision: Enhanced type definitions for sorting functions (usort, uasort, uksort, etc.) to preserve non-empty array types (#​1083)

🏗️ Internal

• Replaced reqwest + openssl with ureq + rustls in self-update module
• Replaced num_cpus with std::thread::available_parallelism()
• Replaced bitflags with manual bit flag implementations
• Removed derivative, strum_macros, strsim, and async-walkdir dependencies
• Improved array inference logic in codex

🙏 Thank You

Contributors

A huge thank you to everyone who contributed code to this release:

• @​ddanielou — #​1066
• @​kzmshx — #​1067

Issue Reporters

Thank you to everyone who reported issues and requested features that shaped this release:

• @​aszenz — #​1031
• @​dotdash — #​769
• @​joshrai — #​1070
• @​karoun — #​1064
• @​klunejko — #​1082
• @​kzmshx — #​1063
• @​llaville — #​1044
• @​mathroc — #​1061
• @​Nadyita — #​1074, #​1080, #​1081, #​1083, #​1084
• @​Neila142 — #​1076
• @​rauanmayemir — #​1068, #​1069
• @​tm1000 — #​1057
• @​WalterWoshid — #​1071

---

Full Changelog: carthage-software/mago@1.6.0...1.7.0

v1.6.0: Mago 1.6.0

Compare Source

Mago 1.6.0

This release brings new analyzer checks for class design enforcement, new linter rules for file organization, path-scoped ignore/exclusion support, formatter fixes, and numerous bug fixes across the board.

✨ Features

Analyzer

• class-must-be-final check: New opt-in enforce-class-finality setting that reports classes not declared final, abstract, or annotated with @api/@psalm-api when they have no children (#​1054)

  [analyzer]
  enforce-class-finality = true

• missing-api-or-internal check: New opt-in require-api-or-internal setting that requires abstract classes, interfaces, and traits to have @api or @internal annotations, forcing projects to declare extensibility intent (#​1055)

  [analyzer]
  require-api-or-internal = true

• Path-scoped ignore entries: The ignore option now supports scoping ignored codes to specific paths (#​1037, #​1043)

  [analyzer]
  ignore = [
    "mixed-argument",
    { code = "missing-return-type", in = "tests/" },
    { code = "unused-parameter", in = ["tests/", "src/Generated/"] },
  ]

• Literal types for enum properties: Enum name and value properties now return literal types instead of generic string/int, enabling more precise type inference (#​1035, #​952) by @​veewee

• Severity level in code-count format: The code-count reporting format now includes the severity level for each issue code (#​987)

Linter

• file-name rule: New rule that enforces file names match the class/interface/enum/trait they contain (#​1049)

• single-class-per-file rule: New rule that enforces each file contains at most one class-like declaration

• Per-rule path exclusions: Linter rules now support path-based exclusions, allowing you to disable specific rules for specific directories (#​1037)

  [linter.rules]
  no-isset = { exclude = ["src/Legacy/"] }

• no-isset and readable-literal enabled by default: These rules are now enabled out of the box

• Removed deprecated rules: The deprecated constant-type, no-boolean-literal-comparison, parameter-type, property-type, and return-type linter rules have been removed — their functionality has been moved to the analyzer

Formatter

• PER-CS compatibility: inline-empty-function-braces and inline-empty-method-braces now default to true, matching the PER Coding Style specification (#​1053)

CLI

• Multiple --only rules: The --only flag now accepts multiple comma-separated rules (#​1046)

⚡ Performance

• foldhash replaces ahash: Switched to foldhash for faster hashing across the codebase
• Arc<T> replaces Box<T> in codex: Improves cloning performance for shared metadata

🐛 Bug Fixes

Analyzer

• Switch statement type narrowing: Non-exhaustive switch statements no longer incorrectly narrow variable types, preventing false redundant null-check warnings (#​1038)
• Type alias resolution in @var docblocks: Imported type aliases are now correctly expanded in @var docblock annotations (#​1029, #​1030)
• Type alias resolution in template extends: Imported type aliases are now resolved before being used as template arguments in extends/implements (#​1040)
• Template inference for non-generic objects: Non-generic named objects are no longer incorrectly included in template inference, preventing false positives (#​1036)
• FORCE_COLOR support: The FORCE_COLOR environment variable is now respected in reporting output (#​1042)
• CLI argument parser: Disabled enum variants are no longer shown in CLI argument parser output

Linter

• readable-literal false positive on floats: Fixed the rule triggering on float literals like 123.45 where neither side of the decimal benefits from separators, producing a no-op suggestion

Formatter

• Empty array line break: Fixed incorrect line break added at the end of empty arrays (#​1047, #​978) by @​Zuruuh
• Laravel Pint preset parity: Updated the Pint preset to match actual Laravel Pint formatting behavior (#​1052) by @​nikspyratos

Prelude (Type Stubs)

• array_walk generics: Added generic templates to array_walk for proper type inference (#​1045)
• curl_multi_exec signature: Corrected the signature of curl_multi_exec (#​1033)
• setcookie duplicate: Removed duplicate definition for setcookie that only accepted the old syntax (#​1032)

Documentation

• Fixed typo on homepage (#​1028)

🔒 Security & CI

• GitHub artifact attestations: Build artifacts now include provenance attestations for supply chain security (#​948)
• Explicit permissions: GitHub Actions workflows now use explicit permissions
• CD caching: Improved CI/CD pipeline with build caching
• Removed deprecated atty dependency

🏗️ Internal

• Bump time from 0.3.46 to 0.3.47 (#​1039) by @​dependabot
• Disable incremental build and add memory-debug profile
• Update sponsors list

🙏 Thank You

Contributors

A huge thank you to everyone who contributed code to this release:

• @​veewee
• @​nikspyratos
• @​Zuruuh

Issue Reporters

Thank you to everyone who reported issues and requested features that shaped this release:

• @​bendavies — #​1040
• @​ddanielou — #​1045
• @​JnsCas — #​1049
• @​KorvinSzanto — #​1053, #​1054, #​1055
• @​llaville — #​987, #​1028, #​1042, #​1043
• @​mytskine — #​1032, #​1033
• @​nikspyratos — #​1037, #​1046
• @​scop — #​948
• @​veewee — #​952
• @​WalterWoshid — #​1029, #​1030, #​1036, #​1038

---

Full Changelog: carthage-software/mago@1.5.0...1.6.0

v1.5.0: Mago 1.5.0

Compare Source

Mago 1.5.0

This release brings PSR-11 container support, custom help text for disallowed functions, and several important bug fixes for type narrowing and linter false positives.

✨ Features

Analyzer

• PSR-11 container support: New psr-container plugin that infers types from class-string arguments when calling ContainerInterface::get(). This eliminates mixed-method-access and mixed-argument errors when using PSR-11 service containers (#​1015) by @​Noojuno

  [analyzer]
  plugins = ["psr-container"]

Linter

• Custom help text for disallowed functions: The disallowed-functions rule now supports custom help messages per function or extension. Entries can be simple strings or objects with name and optional help fields (#​1024)

  [linter.rules]
  disallowed-functions = {
      functions = [
          "eval",
          { name = "error_log", help = "Use MyLogger instead." },
      ],
      extensions = [
          "curl",
          { name = "ffi", help = "FFI is disabled for security reasons." },
      ],
  }

🐛 Bug Fixes

Analyzer

• Nullsafe operator type narrowing: Fixed incorrect type narrowing in the false branch of if statements using nullsafe operators (?->). Previously, the variable was incorrectly narrowed to null in the else branch. Now if ($user?->isAuthorized()) correctly preserves the original type in the else branch, matching the semantics of $user !== null && $user->isAuthorized() (#​1025)

• Redundant instanceof detection: Fixed false positive for undefined variables when a variable is assigned in exhaustive if/elseif branches over a union type. The analyzer now correctly detects redundant instanceof checks and tracks variable assignments across all branches (#​1026)

Linter

• False positive in prefer-first-class-callable: Skip suggesting first-class callable syntax for runtime-dependent call targets where conversion would change evaluation semantics. This includes method chains (adminUrlGenerator()->generateUrl()), nullsafe calls ($obj?->method()), and dynamic method names ($obj->$method()) (#​1027, #​1020) by @​kzmshx

🏗️ Internal

• Bump bytes from 1.11.0 to 1.11.1 (#​1023) by @​dependabot
• Documentation updates and optimizations

🙏 Thank You

Contributors

A huge thank you to everyone who contributed code to this release:

• @​kzmshx
• @​Noojuno

Issue Reporters

Thank you to everyone who reported issues that were fixed in this release:

• @​bendavies — #​1026
• @​ddanielou — #​1025
• @​dragosprotung — #​1020
• @​joshrai — #​1024

---

Full Changelog: carthage-software/mago@1.4.1...1.5.0

ergebnis/composer-normalize (ergebnis/composer-normalize)

v2.50.0

Compare Source

For a full diff see [2.49.0...2.50.0][2.49.0...2.50.0].

Changed

• Updated schema.json ([#​1563]), by [@​ergebnis-bot]

phpstan/phpstan-phar-composer-source (phpstan/phpstan)

v2.1.39

Compare Source

phpstan/phpstan-deprecation-rules (phpstan/phpstan-deprecation-rules)

v2.0.4

Compare Source

• 6b55710 - Constants deprecation depends on Scope->getPhpVersion() (#​170)
• fc5fc52 - Add keywords for static analysis in composer.json
• 7188c0b - move analyse-paths into phpstan.neon
• 5f39876 - Fix mutation testing on dev branch (#​166)
• 68e0865 - Setup mutation testing
• 0b87f52 - Update actions/checkout action to v5
• 2476691 - Update Eomm/why-don-t-you-tweet action to v2

phpstan/phpstan-phpunit (phpstan/phpstan-phpunit)

v2.0.16

Compare Source

• 6ab598e - DataProviderDataRule: Optimize hot path

v2.0.15

Compare Source

• 0f6ba8e - DataProviderReturnTypeIgnoreExtension - ignore Iterator, Generator, IteratorAggregate too

v2.0.14

Compare Source

• f7553d6 - Add support for createMockForIntersectionOfInterfaces

v2.0.13

Compare Source

• 45bc1ad - Implement DynamicCallToAssertionIgnoreExtension
• 590b84d - chore(deps): update wyrihaximus/github-action-get-previous-tag action to v2
• 4d1d776 - Add keywords for static analysis in composer.json

phpstan/phpstan-strict-rules (phpstan/phpstan-strict-rules)

v2.0.10

Compare Source

• 1aba28b - Bleeding edge - set reportNonIntStringArrayKey to true

v2.0.9

Compare Source

• b94a0b1 - Bleeding edge - Add operand types to DisallowedLooseComparisonRule error message
• f6f5b3e - Update WyriHaximus/github-action-get-previous-tag action to v2
• f602823 - Add keywords for static analysis in composer.json

phpstan/phpstan-symfony (phpstan/phpstan-symfony)

v2.0.14

Compare Source

• 6781365 - Fix phpstan error about generics missingType (#​470)

v2.0.13

Compare Source

• 6feadf7 - Add BrowserKitAssertionTraitReturnTypeExtension (#​452)
• a968c36 - Add keywords for static analysis in composer.json

sebastianbergmann/phpunit (phpunit/phpunit)

v11.5.53: PHPUnit 11.5.53

Compare Source

Fixed

• #​6503: Temporary file used by SourceMapper may be deleted prematurely when multiple PHPUnit processes run in parallel

---

Learn how to install or update PHPUnit 11.5 in the documentation.

Keep up to date with PHPUnit:

• You can follow @​phpunit@phpc.social to stay up to date with PHPUnit's development.
• You can subscribe to the PHPUnit Updates newsletter to receive updates about and tips for PHPUnit.

v11.5.52: PHPUnit 11.5.52

Compare Source

Fixed

• #​6495: Source map for issue trigger identification is regenerated in process isolation child processes

---

Learn how to install or update PHPUnit 11.5 in the documentation.

Keep up to date with PHPUnit:

• You can follow @​phpunit@phpc.social to stay up to date with PHPUnit's development.
• You can subscribe to the PHPUnit Updates newsletter to receive updates about and tips for PHPUnit.

v11.5.51: PHPUnit 11.5.51

Compare Source

Added

• #​6488: Allow disabling issue trigger identification for improved performance

Fixed

• #​6486: Incorrect file name reported for errors for test methods declared in traits
• #​6490: Incorrect test count when tests are skipped in before-class method

---

Learn how to install or update PHPUnit 11.5 in the documentation.

Keep up to date with PHPUnit:

• You can follow @​phpunit@phpc.social to stay up to date with PHPUnit's development.
• You can subscribe to the PHPUnit Updates newsletter to receive updates about and tips for PHPUnit.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

Renovate Bot

[renovate]

automergeComment