Skip to content

Bump the composer group across 1 directory with 2 updates#94

Merged
ringostarr80 merged 1 commit intomainfrom
dependabot/composer/composer-5f8370c95d
Feb 21, 2026
Merged

Bump the composer group across 1 directory with 2 updates#94
ringostarr80 merged 1 commit intomainfrom
dependabot/composer/composer-5f8370c95d

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Feb 21, 2026

Bumps the composer group with 2 updates in the / directory: psy/psysh and symfony/process.

Updates psy/psysh from 0.12.18 to 0.12.20

Release notes

Sourced from psy/psysh's releases.

PsySH v0.12.20

Project trust edge case fixes

Fixed several edge cases with the Restricted Mode introduced in v0.12.19 where non-interactive contexts (piped input, execute() calls, Composer proxy scripts) could incorrectly trigger trust prompts or restrict trusted functionality.

Fixes #913

Commands work better outside the shell

Decoupled commands from ShellOutput via a new ShellOutputAdapter, so commands degrade gracefully when used in non-interactive contexts rather than failing on missing shell features.

Improvements

  • Added downstream compatibility tests for local and CI workflows
  • Moved internal helper scripts from bin/ to scripts/

PsySH v0.12.19

⚠️ Security fix

Fixed a CWD configuration poisoning vulnerability (CVE-2026-25129) where a malicious .psysh.php file in an attacker-writable directory could execute arbitrary code when a victim runs PsySH from that directory. This affects all versions prior to v0.12.19 and v0.11.23, including downstream consumers like Laravel Tinker, when invoked from an attacker-writable CWD.

Fixed in v0.12.19 and v0.11.23. Upgrade ASAP.

Restricted Mode

PsySH now requires explicit trust before loading project-local config (.psysh.php), local PsySH binaries, or Composer autoloads from untrusted projects. Trust decisions are persisted per-project in trusted_projects.json.

Configure with trustProject:

'trustProject' => 'prompt',  // default — ask interactively
'trustProject' => 'always',  // trust all projects
'trustProject' => 'never',   // always run restricted

Or use --trust-project / --no-trust-project CLI flags, or the PSYSH_TRUST_PROJECT env var.

Non-interactive sessions automatically skip untrusted features with a warning.

Magic method and property support 🪄

Tab completion, ls, doc, and show commands now recognize @method and @property docblock tags. Magic members display in magenta so you can tell them apart from real methods and properties.

Inheritance works as expected — magic members from parent classes, interfaces, and traits are included, with child declarations taking precedence.

Also fixes parsing of generic types (e.g., array<int, string>) in docblock tags, which previously broke on whitespace inside angle brackets.

See #905

... (truncated)

Commits
  • 19678eb Merge branch 'release/v0.12.20'
  • f09d6ba Bump to v0.12.20
  • abcfdf9 Decouple commands from ShellOutput via ShellOutputAdapter
  • 7ad4f00 Clearer Actions output
  • 7aa3cf9 Clearer Actions output
  • 0b40a63 Add downstream compatibility tests for local and CI workflows
  • 3f27b87 Move internal helper scripts from bin/ to scripts/
  • 21aa946 Merge branch 'fix/project-trust-edge-cases'
  • 81f6547 Harden stdin pipe detection heuristics
  • fc9d9d2 Avoid untrusted handoff for current Composer proxy
  • Additional commits viewable in compare view

Updates symfony/process from 7.4.3 to 7.4.5

Release notes

Sourced from symfony/process's releases.

v7.4.5

Changelog (symfony/process@v7.4.4...v7.4.5)

v7.4.4

Changelog (symfony/process@v7.4.3...v7.4.4)

Commits
  • 608476f Merge branch '7.3' into 7.4
  • 81fe4ea Merge branch '6.4' into 7.3
  • c46e854 [Process] Fix escaping for MSYS on Windows
  • 626f07a Merge branch '7.3' into 7.4
  • 4424bc1 Merge branch '6.4' into 7.3
  • c593135 [Process] Adjust Process mustRun method phpdoc
  • f532042 Merge branch '7.3' into 7.4
  • 6d13a93 Merge branch '6.4' into 7.3
  • e579464 [Process] Ignore invalid env var names
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the composer group across 1 directory with 2 updates
0124c20 
Bumps the composer group with 2 updates in the / directory: [psy/psysh](https://github.com/bobthecow/psysh) and [symfony/process](https://github.com/symfony/process).


Updates `psy/psysh` from 0.12.18 to 0.12.20
- [Release notes](https://github.com/bobthecow/psysh/releases)
- [Commits](bobthecow/psysh@v0.12.18...v0.12.20)

Updates `symfony/process` from 7.4.3 to 7.4.5
- [Release notes](https://github.com/symfony/process/releases)
- [Changelog](https://github.com/symfony/process/blob/8.1/CHANGELOG.md)
- [Commits](symfony/process@v7.4.3...v7.4.5)

---
updated-dependencies:
- dependency-name: psy/psysh
  dependency-version: 0.12.20
  dependency-type: indirect
  dependency-group: composer
- dependency-name: symfony/process
  dependency-version: 7.4.5
  dependency-type: indirect
  dependency-group: composer
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file php Pull requests that update php code labels Feb 21, 2026
@sonarqubecloud
Copy link

sonarqubecloud bot commented Feb 21, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@ringostarr80 ringostarr80 merged commit 8df5b8d into main Feb 21, 2026
9 checks passed
@dependabot dependabot bot deleted the dependabot/composer/composer-5f8370c95d branch February 21, 2026 17:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file php Pull requests that update php code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ringostarr80