Skip to content

Bump the composer-non-major group across 1 directory with 6 updates#1545

Open
dependabot[bot] wants to merge 1 commit into
1.8from
dependabot/composer/composer-non-major-9bd68cb36b
Open

Bump the composer-non-major group across 1 directory with 6 updates#1545
dependabot[bot] wants to merge 1 commit into
1.8from
dependabot/composer/composer-non-major-9bd68cb36b

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 17, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps the composer-non-major group with 6 updates in the / directory:

Package From To
api-platform/core 4.3.10 4.3.13
mtdowling/jmespath.php 2.8.0 2.9.1
friendsofphp/php-cs-fixer 3.95.5 3.95.8
justinrainbow/json-schema 6.9.0 6.10.0
phpunit/phpunit 13.2.0 13.2.1
rector/rector 2.4.5 2.4.6

Updates api-platform/core from 4.3.10 to 4.3.13

Release notes

Sourced from api-platform/core's releases.

v4.3.13

What's Changed

Full Changelog: api-platform/core@v4.3.12...v4.3.13

v4.3.12

🔒 Security

Fixes CVE-2026-54164 (GHSA-9rjg-x2p2-h68h) — type confusion: relation IRIs were not type-checked, so a writable relation could be assigned a resource of the wrong type.

  • fix(serializer): validate IRI target class on relation denormalization (6bcbeb2db)

What's Changed

Full Changelog: api-platform/core@v4.3.11...v4.3.12

v4.3.11

What's Changed

New Contributors

Full Changelog: api-platform/core@v4.3.10...v4.3.11

Changelog

Sourced from api-platform/core's changelog.

v4.3.13

Bug fixes

  • 098d52766 fix(elasticsearch): coerce document _id to declared int identifier type (#8296)
  • 20baa6180 fix(openapi): throw clear error for openapi parameter missing name in yaml config (#8297)
  • 9e18fe013 fix(jsonschema): embed relations of non-resource objects in output schema (#8294)

v4.3.12

Bug fixes

  • 6bcbeb2db fix(serializer): validate IRI target class on relation denormalization
  • 6b1fe1e47 fix(doctrine): guard unmapped relation links in ORM handleLinks (#8293)
  • cc021e4fa fix(graphql): honor custom mutation output class in payload type (#8300)

v4.3.11

Bug fixes

  • 2726085ae fix(metadata): keep explicitly set GraphQL mutation description (#8286)
  • 4819b5f9f fix(metadata): metadata mutators for resource & operations with lower priority (#8273)
  • 6b8bd0a3d fix(metadata): read ApiProperty from trait private properties inherited via parent class (#8275)
  • aced52dd0 fix(metadata): preserve nested array query parameters in IriHelper (#8278)
  • c37e27079 fix(metadata): preserve explicit class on ApiResource when propagating defaults (#8262)
  • c79045718 fix(jsonschema): embed genId:false relations in output schema (#8272)
  • ce4f6c210 fix(jsonschema): don't leak operation deprecation onto sub-schemas (#8289)
  • 134bb5cd7 fix(jsonld): replace already-populated nested relation from embedded @​id on patch (#8274)
  • 4b50a4edc fix(hydra): declare hydra:view links as nullable in json schema (#8277)
  • 78538aa90 fix(mcp): resolve $ref inside oneOf/anyOf when flattening tool outputSchema (#8268)
  • a8d4b00f5 fix(mcp): always serialize payload into TextContent when structuredContent is disabled (#8270)
  • 1ffe0ada8 fix(symfony): register http cache purgers independently of invalidation flag (#8260)
  • 81a1307fe fix(symfony): expose uri variables in security expression context (#8279)
  • d6fd5bfae fix(httpcache): allow custom http method on SouinPurger and SurrogateKeysPurger (#8259)
  • b3b376225 fix(openapi): ship oauth2-redirect.js with swagger-ui assets (#8261)
  • fb2062465 fix(swagger): improve dark mode button in swaggerUI (#8265)

Notes

  • JSON-LD PATCH: an embedded @id on a nested writable relation now replaces the currently-linked relation when it points to a different resource. A dangling embedded @id now returns a 400 instead of being silently ignored (it previously mutated the existing relation in place). See #8274.
Commits
  • 3e35293 doc: changelog 4.3.13
  • 6a1f0d3 Merge upstream 4.3 (concurrent fixes) into 4.3
  • 1510da4 doc: changelog 4.3.12
  • 105cc43 Merge 4.2 into 4.3
  • 2082421 doc: changelog 4.2.26
  • 9e18fe0 fix(jsonschema): embed relations of non-resource objects in output schema (#8...
  • 8923522 Merge 4.1 into 4.2
  • 20baa61 fix(openapi): throw clear error for openapi parameter missing name in yaml co...
  • 098d527 fix(elasticsearch): coerce document _id to declared int identifier type (#8296)
  • 0720d3b doc: changelog 4.1.30
  • Additional commits viewable in compare view

Updates mtdowling/jmespath.php from 2.8.0 to 2.9.1

Release notes

Sourced from mtdowling/jmespath.php's releases.

2.9.1

  • Fixed the compiled runtime to emit function names as string literals, preventing arbitrary code execution.
  • Fixed the parser to reject non-identifier function callees, such as literal and raw string callees.

2.9.0

  • Added PHP 8.5 support.
  • Fixed to_number() to parse number strings using the JSON number grammar.
  • Fixed reverse() and string slicing to operate on UTF-8 characters rather than bytes.
  • Fixed slicing of array-like (ArrayAccess + Countable) values.
  • Fixed equality and contains() to use JSON semantics, e.g. 1 == 1.0 is now true.
  • Fixed multi-select hashes to end projections, so following tokens apply to the projected list.
  • Fixed sort() and sort_by() to compare numbers numerically.
  • Changed sort(), sort_by(), max(), min(), max_by() and min_by() to order strings by code point.
  • Fixed max_by() and min_by() to error on mixed-type keys instead of returning arbitrary elements.
  • Fixed max() returning null or erroring when the first array element is falsy, e.g. max([0, 1]).
  • Fixed sum() and join() to return 0 and an empty string respectively for empty arrays.
  • Fixed 0.0 to be truthy in filters and logical operators, like every other number.
  • Fixed the compiled runtime to apply JMESPath truthiness to || and &&.
  • Fixed @(foo), foo[-] and oversized index literals to throw syntax errors.
  • Fixed PHP warnings emitted while parsing certain invalid expressions.
  • Fixed the caret position in syntax error messages for errors at the end of an expression.
  • Fixed map() to error on non-array second arguments instead of returning [].
  • Fixed Env::cleanCompileDir() when JP_PHP_COMPILE=on.
Changelog

Sourced from mtdowling/jmespath.php's changelog.

2.9.1 - 2026-06-11

  • Fixed the compiled runtime to emit function names as string literals, preventing arbitrary code execution.
  • Fixed the parser to reject non-identifier function callees, such as literal and raw string callees.

2.9.0 - 2026-06-10

  • Added PHP 8.5 support.
  • Fixed to_number() to parse number strings using the JSON number grammar.
  • Fixed reverse() and string slicing to operate on UTF-8 characters rather than bytes.
  • Fixed slicing of array-like (ArrayAccess + Countable) values.
  • Fixed equality and contains() to use JSON semantics, e.g. 1 == 1.0 is now true.
  • Fixed multi-select hashes to end projections, so following tokens apply to the projected list.
  • Fixed sort() and sort_by() to compare numbers numerically.
  • Changed sort(), sort_by(), max(), min(), max_by() and min_by() to order strings by code point.
  • Fixed max_by() and min_by() to error on mixed-type keys instead of returning arbitrary elements.
  • Fixed max() returning null or erroring when the first array element is falsy, e.g. max([0, 1]).
  • Fixed sum() and join() to return 0 and an empty string respectively for empty arrays.
  • Fixed 0.0 to be truthy in filters and logical operators, like every other number.
  • Fixed the compiled runtime to apply JMESPath truthiness to || and &&.
  • Fixed @(foo), foo[-] and oversized index literals to throw syntax errors.
  • Fixed PHP warnings emitted while parsing certain invalid expressions.
  • Fixed the caret position in syntax error messages for errors at the end of an expression.
  • Fixed map() to error on non-array second arguments instead of returning [].
  • Fixed Env::cleanCompileDir() when JP_PHP_COMPILE=on.
Commits
  • 9c208ba Release 2.9.1
  • 83a51c1 Add security policy and convert readme to markdown (#117)
  • 69aea5a Fix arbitrary code execution in the compiled runtime (#119)
  • 77105da Replace old links in the code (#118)
  • 9501100 Release 2.9.0
  • ca10035 Fixed sum() and join() to return 0 and an empty string respectively for empty...
  • eb36591 Fixed 0.0 to be truthy in filters and logical operators, like every other num...
  • eed8676 Fixed multi-select hashes to end projections, so following tokens apply to th...
  • e8aa189 Add PHP 8.5 CI (#113)
  • 01e9111 Fix cleanup backlog (#112)
  • Additional commits viewable in compare view

Updates friendsofphp/php-cs-fixer from 3.95.5 to 3.95.8

Release notes

Sourced from friendsofphp/php-cs-fixer's releases.

v3.95.8 Adalbertus

What's Changed

Full Changelog: PHP-CS-Fixer/PHP-CS-Fixer@v3.95.7...v3.95.8

v3.95.7 Adalbertus

What's Changed

Full Changelog: PHP-CS-Fixer/PHP-CS-Fixer@v3.95.6...v3.95.7

v3.95.6 Adalbertus

What's Changed

Full Changelog: PHP-CS-Fixer/PHP-CS-Fixer@v3.95.5...v3.95.6

Changelog

Sourced from friendsofphp/php-cs-fixer's changelog.

Changelog for v3.95.8

  • fix: SingleClassElementPerStatementFixer - do not drop modifiers when splitting final constants/properties (#9687)

Changelog for v3.95.7

  • fix: ClassReferenceNameCasingFixer - do not change case of typed class constant names (#9686)

Changelog for v3.95.6

  • chore: Docker - ignore root-user warning for pip (#9682)
  • chore: fix typo in comment about fixer configuration (#9675)
  • chore: narrow Preg::match/Preg::matchAll subject string type when match is truthy (#9668)
  • deps: bump alpine from 3.23 to 3.24 in the all group (#9679)
  • deps: bump codecov/codecov-action from 6 to 7 in /.github/workflows in the all group across 1 directory (#9681)
  • deps: bump shipmonk/dead-code-detector from 1.1.3 to 1.2.0 in /dev-tools in the shipmonk group across 1 directory (#9661)
  • deps: update dev-deps (#9683)
  • deps: upgrade deep-deps for dev-tools (#9677)
  • fix: PhpUnitAttributesFixer - correctly handle @requires PHPUnit with space-separated version constraint (#9684)
  • UX: Cache - explicit deprecation for usage of non-handled objects in rules configuration, as they silently fail now; add support for JsonSerializable config values (#9678)
Commits
  • 4140023 prepared the 3.95.8 release
  • 3210545 fix: SingleClassElementPerStatementFixer - do not drop modifiers when split...
  • 34ed5e8 bumped version
  • 4fa4102 prepared the 3.95.7 release
  • 8fc7d9b fix: ClassReferenceNameCasingFixer - do not change case of typed class cons...
  • cb89a76 bumped version
  • 804e6c9 prepared the 3.95.6 release
  • 5145f75 UX: Cache - explicit deprecation for usage of non-handled objects in rules co...
  • 744616a fix: PhpUnitAttributesFixer - correctly handle @requires PHPUnit with spa...
  • cfc6aa0 deps: bump codecov/codecov-action from 6 to 7 in /.github/workflows in the al...
  • Additional commits viewable in compare view

Updates justinrainbow/json-schema from 6.9.0 to 6.10.0

Release notes

Sourced from justinrainbow/json-schema's releases.

6.10.0

Added

  • feat: Add Draft-2019-09 (#885)
Changelog

Sourced from justinrainbow/json-schema's changelog.

[6.10.0] - 2026-06-16

Added

  • feat: Add Draft-2019-09 (#885)
Commits

Updates phpunit/phpunit from 13.2.0 to 13.2.1

Release notes

Sourced from phpunit/phpunit's releases.

PHPUnit 13.2.1

Fixed

  • #6741: Test is not run when --filter matches the name of a data set but not the name of the test method
  • #6743: Improve error message for invalid version constraint in attribute
  • #6744: Environment variable attributes reject empty-string values since PHPUnit 13.2.0

Learn how to install or update PHPUnit 13.2 in the documentation.

Keep up to date with PHPUnit:

Changelog

Sourced from phpunit/phpunit's changelog.

[13.2.1] - 2026-06-15

Fixed

  • #6741: Test is not run when --filter matches the name of a data set but not the name of the test method
  • #6743: Improve error message for invalid version constraint in attribute
  • #6744: Environment variable attributes reject empty-string values since PHPUnit 13.2.0
Commits

Updates rector/rector from 2.4.5 to 2.4.6

Release notes

Sourced from rector/rector's releases.

Released Rector 2.4.6

New Features 🥳

  • [deprecation] Add RenameDeprecatedMethodCallRector inferring rename from @​deprecated docblock (#8015)
  • [sets] kick of named args set (#8013)
# rector.php
return (RectorConfig::configure())
    ->withPreparedSets(namedArgs: true);

Bugfixes 🐛

  • [BetterPhpDocParser] Keep import referenced by @see/@​uses tag with a trailing description (#8039), Thanks @​ruudk!
  • [internals] skip and finalize beforeTraverse() and afterTraverse() as never used, use refactor() instead (#7765)
  • [DeadCode] Skip (void) cast with #[NoDiscard] on target method call on RemoveDeadStmtRector (#8038)
  • Bump composer/pcre to ^3.4.0 and phpstan/phpstan to ^2.2.2 (#8037)
  • [CodeQuality] Handle crash on custom exception not autoloaded on ThrowWithPreviousExceptionRector (#8036)
  • refactor: extract AutoloadFileParameterResolver from bin, add tests (#8035), Thanks @​SanderMuller!
  • Fix cached results surviving a change of --autoload-file (#8034), Thanks @​SanderMuller!
  • [CodingStyle] Remove AstResolver usage on ArrowFunctionAndClosureFirstClassCallableGuard (#8031)
  • [DeadCode] Remove AstResolver on RemoveParentCallWithoutParentRector (#8032)
  • [DeadCode] Skip with use of func_num_args() on RemoveNullArgOnNullDefaultParamRector (#8030)
  • [Php70] Skip rewriting to $this on static method or static closure on StaticCallOnNonStaticToInstanceCallRector (#8026)
  • [ci] add compat test (#8025)
  • Fix ReplaceArgumentDefaultValueRector generating invalid self:: constant in unrelated classes (#8023)
  • Fix RemoveDeadIfBlockRector dropping else block when merging empty if with elseif (#8022)
  • Fix RemoveParentCallWithoutParentRector removing valid call when ancestor hierarchy is unresolvable (#8018)
  • split of RemoveNullNamedArgOnNullDefaultParamRector to handle only named args (#8014)
  • Add failing tests (#8012), Thanks @​u01jmg3!
  • Update rector/swiss-knife version to ^2.4.1 (#8011)

rectorphp/rector-symfony 🎶

  • [Symfony81] Add new rule for deprecated validator test usages (#948), Thanks @​florianhofsaessC24!
  • fix: only convert Twig extensions fully reducible to AsTwig attributes (#947)
  • [Symfony73] Sort optional parameters last in InvokableCommandInputAttributeRector (#945)
  • Add PHPStan rule requiring nested set configs to be imported in parent set config (#943)
  • [Symfony81] Add new rule for Security component (#942), Thanks @​MrYamous!
  • Remove unused imports (#941), Thanks @​MrYamous!
  • [Symfony81] Add new rule for Filesystem (#940), Thanks @​MrYamous!

... (truncated)

Commits
  • 9b9e5c7 Rector 2.4.6
  • 2d9889c Updated Rector to commit 5dfb29c770aee27d3c8a432c3b5ac6bb4b4c3c36
  • f47ca16 Updated Rector to commit 21785b46e7e8a5eeb155030d81b10d54a0fd408a
  • 809e24d Updated Rector to commit 9704b6fdcce08d322181ac48485c35cdc28082ae
  • b4775d0 Updated Rector to commit 9e4dc598b59992584b4c9c13822cb409cde0d2e9
  • fc13aff Updated Rector to commit 9e4dc598b59992584b4c9c13822cb409cde0d2e9
  • dabec70 Updated Rector to commit a01724e1e63cdb4456f3d121cf7580d608bab603
  • 3d28220 Updated Rector to commit 5f6399efbb348a453bfc959c17885590155ae840
  • 1a40588 Updated Rector to commit 5c5fd4d142902a90ac8a19ee71c4e1a5430102a4
  • 19b2482 Updated Rector to commit 1f43c362108a4278bb2fc137cf3495d7a55a11d1
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Bump the composer-non-major group across 1 directory with 6 updates
26f34ff 
Bumps the composer-non-major group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [api-platform/core](https://github.com/api-platform/core) | `4.3.10` | `4.3.13` |
| [mtdowling/jmespath.php](https://github.com/jmespath/jmespath.php) | `2.8.0` | `2.9.1` |
| [friendsofphp/php-cs-fixer](https://github.com/PHP-CS-Fixer/PHP-CS-Fixer) | `3.95.5` | `3.95.8` |
| [justinrainbow/json-schema](https://github.com/jsonrainbow/json-schema) | `6.9.0` | `6.10.0` |
| [phpunit/phpunit](https://github.com/sebastianbergmann/phpunit) | `13.2.0` | `13.2.1` |
| [rector/rector](https://github.com/rectorphp/rector) | `2.4.5` | `2.4.6` |



Updates `api-platform/core` from 4.3.10 to 4.3.13
- [Release notes](https://github.com/api-platform/core/releases)
- [Changelog](https://github.com/api-platform/core/blob/main/CHANGELOG.md)
- [Commits](api-platform/core@v4.3.10...v4.3.13)

Updates `mtdowling/jmespath.php` from 2.8.0 to 2.9.1
- [Release notes](https://github.com/jmespath/jmespath.php/releases)
- [Changelog](https://github.com/jmespath/jmespath.php/blob/master/CHANGELOG.md)
- [Commits](jmespath/jmespath.php@2.8.0...2.9.1)

Updates `friendsofphp/php-cs-fixer` from 3.95.5 to 3.95.8
- [Release notes](https://github.com/PHP-CS-Fixer/PHP-CS-Fixer/releases)
- [Changelog](https://github.com/PHP-CS-Fixer/PHP-CS-Fixer/blob/master/CHANGELOG.md)
- [Commits](PHP-CS-Fixer/PHP-CS-Fixer@v3.95.5...v3.95.8)

Updates `justinrainbow/json-schema` from 6.9.0 to 6.10.0
- [Release notes](https://github.com/jsonrainbow/json-schema/releases)
- [Changelog](https://github.com/jsonrainbow/json-schema/blob/main/CHANGELOG.md)
- [Commits](jsonrainbow/json-schema@6.9.0...6.10.0)

Updates `phpunit/phpunit` from 13.2.0 to 13.2.1
- [Release notes](https://github.com/sebastianbergmann/phpunit/releases)
- [Changelog](https://github.com/sebastianbergmann/phpunit/blob/13.2.1/ChangeLog-13.2.md)
- [Commits](sebastianbergmann/phpunit@13.2.0...13.2.1)

Updates `rector/rector` from 2.4.5 to 2.4.6
- [Release notes](https://github.com/rectorphp/rector/releases)
- [Commits](rectorphp/rector@2.4.5...2.4.6)

---
updated-dependencies:
- dependency-name: api-platform/core
  dependency-version: 4.3.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: composer-non-major
- dependency-name: mtdowling/jmespath.php
  dependency-version: 2.9.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: composer-non-major
- dependency-name: friendsofphp/php-cs-fixer
  dependency-version: 3.95.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: composer-non-major
- dependency-name: justinrainbow/json-schema
  dependency-version: 6.10.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: composer-non-major
- dependency-name: phpunit/phpunit
  dependency-version: 13.2.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: composer-non-major
- dependency-name: rector/rector
  dependency-version: 2.4.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: composer-non-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file php Pull requests that update Php code labels Jun 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file php Pull requests that update Php code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants