Bump the composer-non-major group across 1 directory with 7 updates

[dependabot]

Bumps the composer-non-major group with 7 updates in the / directory:

Package	From	To
api-platform/core	4.3.10	4.3.14
mtdowling/jmespath.php	2.8.0	2.9.1
symfony/webpack-encore-bundle	2.4.0	2.4.1
friendsofphp/php-cs-fixer	3.95.5	3.95.10
justinrainbow/json-schema	6.9.0	6.10.0
phpunit/phpunit	13.2.0	13.2.1
rector/rector	2.4.5	2.5.2

Updates api-platform/core from 4.3.10 to 4.3.14

Release notes

Sourced from api-platform/core's releases.

v4.3.14

What's Changed

• fix(mcp): support mcp/sdk 0.6 ResourceDefinition in Loader by @​soyuka in api-platform/core#8302
• fix(openapi): serialize Reference objects with $ref in the generated document by @​soyuka in api-platform/core#8306
• fix(doctrine): filter parent link from uri variables in fetch_data=false reference by @​soyuka in api-platform/core#8295
• fix(doctrine): exclude self-reference relation links from GraphQL root item lookup by @​soyuka in api-platform/core#8314
• fix(mcp): support mcp/sdk 0.6 by @​soyuka in api-platform/core#8311
• fix(jsonapi): exclude relations from openapi attributes schema by @​soyuka in api-platform/core#8313
• chore: drop phpstan mcp/sdk class.notFound ignore by @​soyuka in api-platform/core#8320
• feat(laravel): boot without a database via dumped metadata by @​soyuka in api-platform/core#8290
• fix(jsonapi): correct relationship schemas in generated json schema by @​soyuka in api-platform/core#8321
• refactor(jsonapi): single source of truth for the attribute/relationship split by @​soyuka in api-platform/core#8325
• fix(serializer): fix union types denormalization fallback after security mismatch by @​jonnyeom in api-platform/core#8333
• chore: fix phpstan on 4.3 by @​soyuka in api-platform/core#8331

Full Changelog: api-platform/core@v4.3.13...v4.3.14

v4.3.13

What's Changed

• fix(elasticsearch): coerce document _id to declared int identifier type by @​soyuka in api-platform/core#8296
• fix(openapi): throw clear error for openapi parameter missing name in yaml config by @​soyuka in api-platform/core#8297
• fix(jsonschema): embed relations of non-resource objects in output schema by @​alexisLefebvre in api-platform/core#8294

Full Changelog: api-platform/core@v4.3.12...v4.3.13

v4.3.12

🔒 Security

Fixes CVE-2026-54164 (GHSA-9rjg-x2p2-h68h) — type confusion: relation IRIs were not type-checked, so a writable relation could be assigned a resource of the wrong type.

• fix(serializer): validate IRI target class on relation denormalization (6bcbeb2db)

What's Changed

• fix(doctrine): guard unmapped relation links in ORM handleLinks by @​soyuka in api-platform/core#8293
• fix(graphql): honor custom mutation output class in payload type by @​soyuka in api-platform/core#8300

Full Changelog: api-platform/core@v4.3.11...v4.3.12

v4.3.11

What's Changed

• fix(metadata): preserve explicit class on ApiResource when propagating defaults by @​soyuka in api-platform/core#8262
• fix(openapi): ship oauth2-redirect.js with swagger-ui assets by @​soyuka in api-platform/core#8261
• fix(httpcache): allow custom http method on SouinPurger and SurrogateKeysPurger by @​soyuka in api-platform/core#8259
• fix(swagger): improve dark mode button in swaggerUI by @​divine in api-platform/core#8265
• fix(metadata): read ApiProperty from trait private properties inherited via parent class by @​soyuka in api-platform/core#8275
• fix(hydra): declare hydra:view links as nullable in json schema by @​soyuka in api-platform/core#8277
• fix(jsonschema): embed genId:false relations in output schema by @​alexisLefebvre in api-platform/core#8272

... (truncated)

Changelog

Sourced from api-platform/core's changelog.

v4.3.14

Bug fixes

• 0d9bcde6b fix(doctrine): filter parent link from uri variables in fetch_data=false reference (#8295)
• 2abda532d fix(serializer): fix union types denormalization fallback after security mismatch (#8333)
• 553f6d3c0 fix(openapi): serialize Reference objects with $ref in the generated document (#8306)
• 75c275cd0 fix(jsonapi): exclude relations from openapi attributes schema (#8313)
• 8586a80e6 fix(mcp): support mcp/sdk 0.6 (#8311, #8302)
• 8999b60ca fix(jsonapi): correct relationship schemas in generated json schema (#8321)
• 977714184 fix(doctrine): exclude self-reference relation links from GraphQL root item lookup (#8314)

Features

• 84e7818d4 feat(laravel): boot without a database via dumped metadata (#8290)

v4.3.13

Bug fixes

• 098d52766 fix(elasticsearch): coerce document _id to declared int identifier type (#8296)
• 20baa6180 fix(openapi): throw clear error for openapi parameter missing name in yaml config (#8297)
• 9e18fe013 fix(jsonschema): embed relations of non-resource objects in output schema (#8294)

v4.3.12

Bug fixes

• 6bcbeb2db fix(serializer): validate IRI target class on relation denormalization
• 6b1fe1e47 fix(doctrine): guard unmapped relation links in ORM handleLinks (#8293)
• cc021e4fa fix(graphql): honor custom mutation output class in payload type (#8300)

v4.3.11

Bug fixes

• 2726085ae fix(metadata): keep explicitly set GraphQL mutation description (#8286)
• 4819b5f9f fix(metadata): metadata mutators for resource & operations with lower priority (#8273)
• 6b8bd0a3d fix(metadata): read ApiProperty from trait private properties inherited via parent class (#8275)
• aced52dd0 fix(metadata): preserve nested array query parameters in IriHelper (#8278)
• c37e27079 fix(metadata): preserve explicit class on ApiResource when propagating defaults (#8262)
• c79045718 fix(jsonschema): embed genId:false relations in output schema (#8272)
• ce4f6c210 fix(jsonschema): don't leak operation deprecation onto sub-schemas (#8289)
• 134bb5cd7 fix(jsonld): replace already-populated nested relation from embedded @​id on patch (#8274)
• 4b50a4edc fix(hydra): declare hydra:view links as nullable in json schema (#8277)
• 78538aa90 fix(mcp): resolve $ref inside oneOf/anyOf when flattening tool outputSchema (#8268)
• a8d4b00f5 fix(mcp): always serialize payload into TextContent when structuredContent is disabled (#8270)
• 1ffe0ada8 fix(symfony): register http cache purgers independently of invalidation flag (#8260)
• 81a1307fe fix(symfony): expose uri variables in security expression context (#8279)

... (truncated)

Commits

• bb5ac42 doc: changelog 4.3.14
• 989d1df chore: fix phpstan on 4.3 (#8331)
• 2abda53 fix(serializer): fix union types denormalization fallback after security mism...
• ea1ede5 refactor(jsonapi): single source of truth for the attribute/relationship spli...
• 8999b60 fix(jsonapi): correct relationship schemas in generated json schema (#8321)
• 84e7818 feat(laravel): boot without a database via dumped metadata (#8290)
• 3948362 chore: drop phpstan mcp/sdk class.notFound ignore (#8320)
• 75c275c fix(jsonapi): exclude relations from openapi attributes schema (#8313)
• 8586a80 fix(mcp): support mcp/sdk 0.6 (#8311)
• 9777141 fix(doctrine): exclude self-reference relation links from GraphQL root item l...
• Additional commits viewable in compare view

Updates mtdowling/jmespath.php from 2.8.0 to 2.9.1

Release notes

Sourced from mtdowling/jmespath.php's releases.

2.9.1

• Fixed the compiled runtime to emit function names as string literals, preventing arbitrary code execution.
• Fixed the parser to reject non-identifier function callees, such as literal and raw string callees.

2.9.0

• Added PHP 8.5 support.
• Fixed to_number() to parse number strings using the JSON number grammar.
• Fixed reverse() and string slicing to operate on UTF-8 characters rather than bytes.
• Fixed slicing of array-like (ArrayAccess + Countable) values.
• Fixed equality and contains() to use JSON semantics, e.g. 1 == 1.0 is now true.
• Fixed multi-select hashes to end projections, so following tokens apply to the projected list.
• Fixed sort() and sort_by() to compare numbers numerically.
• Changed sort(), sort_by(), max(), min(), max_by() and min_by() to order strings by code point.
• Fixed max_by() and min_by() to error on mixed-type keys instead of returning arbitrary elements.
• Fixed max() returning null or erroring when the first array element is falsy, e.g. max([0, 1]).
• Fixed sum() and join() to return 0 and an empty string respectively for empty arrays.
• Fixed 0.0 to be truthy in filters and logical operators, like every other number.
• Fixed the compiled runtime to apply JMESPath truthiness to || and &&.
• Fixed @(foo), foo[-] and oversized index literals to throw syntax errors.
• Fixed PHP warnings emitted while parsing certain invalid expressions.
• Fixed the caret position in syntax error messages for errors at the end of an expression.
• Fixed map() to error on non-array second arguments instead of returning [].
• Fixed Env::cleanCompileDir() when JP_PHP_COMPILE=on.

Changelog

Sourced from mtdowling/jmespath.php's changelog.

2.9.1 - 2026-06-11

• Fixed the compiled runtime to emit function names as string literals, preventing arbitrary code execution.
• Fixed the parser to reject non-identifier function callees, such as literal and raw string callees.

2.9.0 - 2026-06-10

• Added PHP 8.5 support.
• Fixed to_number() to parse number strings using the JSON number grammar.
• Fixed reverse() and string slicing to operate on UTF-8 characters rather than bytes.
• Fixed slicing of array-like (ArrayAccess + Countable) values.
• Fixed equality and contains() to use JSON semantics, e.g. 1 == 1.0 is now true.
• Fixed multi-select hashes to end projections, so following tokens apply to the projected list.
• Fixed sort() and sort_by() to compare numbers numerically.
• Changed sort(), sort_by(), max(), min(), max_by() and min_by() to order strings by code point.
• Fixed max_by() and min_by() to error on mixed-type keys instead of returning arbitrary elements.
• Fixed max() returning null or erroring when the first array element is falsy, e.g. max([0, 1]).
• Fixed sum() and join() to return 0 and an empty string respectively for empty arrays.
• Fixed 0.0 to be truthy in filters and logical operators, like every other number.
• Fixed the compiled runtime to apply JMESPath truthiness to || and &&.
• Fixed @(foo), foo[-] and oversized index literals to throw syntax errors.
• Fixed PHP warnings emitted while parsing certain invalid expressions.
• Fixed the caret position in syntax error messages for errors at the end of an expression.
• Fixed map() to error on non-array second arguments instead of returning [].
• Fixed Env::cleanCompileDir() when JP_PHP_COMPILE=on.

Commits

• 9c208ba Release 2.9.1
• 83a51c1 Add security policy and convert readme to markdown (#117)
• 69aea5a Fix arbitrary code execution in the compiled runtime (#119)
• 77105da Replace old links in the code (#118)
• 9501100 Release 2.9.0
• ca10035 Fixed sum() and join() to return 0 and an empty string respectively for empty...
• eb36591 Fixed 0.0 to be truthy in filters and logical operators, like every other num...
• eed8676 Fixed multi-select hashes to end projections, so following tokens apply to th...
• e8aa189 Add PHP 8.5 CI (#113)
• 01e9111 Fix cleanup backlog (#112)
• Additional commits viewable in compare view

Updates symfony/webpack-encore-bundle from 2.4.0 to 2.4.1

Release notes

Sourced from symfony/webpack-encore-bundle's releases.

v2.4.1

What's Changed

• Fix Symfony 8.1 DependencyInjection deprecation warning by @​30Sana in symfony/webpack-encore-bundle#258
• Update .gitattributes by @​gharlan in symfony/webpack-encore-bundle#256
• Add Zizmor, Dependabot, and upgrade+pin actions by @​Kocal in symfony/webpack-encore-bundle#259
• Don't let Composer advisory blocking break CI by @​Kocal in symfony/webpack-encore-bundle#261

New Contributors

• @​30Sana made their first contribution in symfony/webpack-encore-bundle#258
• @​gharlan made their first contribution in symfony/webpack-encore-bundle#256

Full Changelog: symfony/webpack-encore-bundle@v2.4.0...v2.4.1

Commits

• cac8d6c minor #261 Don't let Composer advisory blocking break CI (Kocal)
• cb3dd07 Don't let Composer advisory blocking break CI
• 9edab87 minor #259 Add Zizmor, Dependabot, and upgrade+pin actions (Kocal)
• 42e1d0c Add Zizmor, Dependabot, and upgrade+pin actions
• fee5542 minor #256 Update .gitattributes (gharlan)
• c1c96dd bug #258 Fix Symfony 8.1 DependencyInjection deprecation warning (30Sana)
• 2bee63b Fix Symfony 8.1 DependencyInjection deprecation warning
• 4286633 Update .gitattributes
• See full diff in compare view

Updates friendsofphp/php-cs-fixer from 3.95.5 to 3.95.10

Release notes

Sourced from friendsofphp/php-cs-fixer's releases.

v3.95.10 Adalbertus

What's Changed

• fix: TokensAnalyzer - handle T_PUBLIC_SET, T_PROTECTED_SET, T_PRIVATE_SET by @​keradus in PHP-CS-Fixer/PHP-CS-Fixer#9696

Full Changelog: PHP-CS-Fixer/PHP-CS-Fixer@v3.95.9...v3.95.10

v3.95.9 Adalbertus

What's Changed

• chore: apply class_keyword by @​keradus in PHP-CS-Fixer/PHP-CS-Fixer#9689
• refactor: change Fixers execution order to always-deterministic by @​keradus in PHP-CS-Fixer/PHP-CS-Fixer#9690

Full Changelog: PHP-CS-Fixer/PHP-CS-Fixer@v3.95.8...v3.95.9

v3.95.8 Adalbertus

What's Changed

• fix: SingleClassElementPerStatementFixer - do not drop modifiers when splitting final constants/properties by @​kubawerlos in PHP-CS-Fixer/PHP-CS-Fixer#9687

Full Changelog: PHP-CS-Fixer/PHP-CS-Fixer@v3.95.7...v3.95.8

v3.95.7 Adalbertus

What's Changed

• fix: ClassReferenceNameCasingFixer - do not change case of typed class constant names by @​kubawerlos in PHP-CS-Fixer/PHP-CS-Fixer#9686

Full Changelog: PHP-CS-Fixer/PHP-CS-Fixer@v3.95.6...v3.95.7

v3.95.6 Adalbertus

What's Changed

• chore: fix typo in comment about fixer configuration by @​live627 in PHP-CS-Fixer/PHP-CS-Fixer#9675
• deps: bump shipmonk/dead-code-detector from 1.1.3 to 1.2.0 in /dev-tools in the shipmonk group across 1 directory by @​dependabot[bot] in PHP-CS-Fixer/PHP-CS-Fixer#9661
• deps: upgrade deep-deps for dev-tools by @​keradus in PHP-CS-Fixer/PHP-CS-Fixer#9677
• chore: narrow Preg::match/Preg::matchAll subject string type when match is truthy by @​staabm in PHP-CS-Fixer/PHP-CS-Fixer#9668
• deps: bump alpine from 3.23 to 3.24 in the all group by @​dependabot[bot] in PHP-CS-Fixer/PHP-CS-Fixer#9679
• deps: update dev-deps by @​keradus in PHP-CS-Fixer/PHP-CS-Fixer#9683
• chore: Docker - ignore root-user warning for pip by @​keradus in PHP-CS-Fixer/PHP-CS-Fixer#9682
• deps: bump codecov/codecov-action from 6 to 7 in /.github/workflows in the all group across 1 directory by @​dependabot[bot] in PHP-CS-Fixer/PHP-CS-Fixer#9681
• fix: PhpUnitAttributesFixer - correctly handle @requires PHPUnit with space-separated version constraint by @​kubawerlos in PHP-CS-Fixer/PHP-CS-Fixer#9684
• UX: Cache - explicit deprecation for usage of non-handled objects in rules configuration, as they silently fail now; add support for JsonSerializable config values by @​keradus in PHP-CS-Fixer/PHP-CS-Fixer#9678

Full Changelog: PHP-CS-Fixer/PHP-CS-Fixer@v3.95.5...v3.95.6

Changelog

Sourced from friendsofphp/php-cs-fixer's changelog.

Changelog for v3.95.10

• fix: TokensAnalyzer - handle T_PUBLIC_SET, T_PROTECTED_SET, T_PRIVATE_SET (#9696)

Changelog for v3.95.9

• chore: apply class_keyword (#9689)
• refactor: change Fixers execution order to always-deterministic (#9690)

Changelog for v3.95.8

• fix: SingleClassElementPerStatementFixer - do not drop modifiers when splitting final constants/properties (#9687)

Changelog for v3.95.7

• fix: ClassReferenceNameCasingFixer - do not change case of typed class constant names (#9686)

Changelog for v3.95.6

• chore: Docker - ignore root-user warning for pip (#9682)
• chore: fix typo in comment about fixer configuration (#9675)
• chore: narrow Preg::match/Preg::matchAll subject string type when match is truthy (#9668)
• deps: bump alpine from 3.23 to 3.24 in the all group (#9679)
• deps: bump codecov/codecov-action from 6 to 7 in /.github/workflows in the all group across 1 directory (#9681)
• deps: bump shipmonk/dead-code-detector from 1.1.3 to 1.2.0 in /dev-tools in the shipmonk group across 1 directory (#9661)
• deps: update dev-deps (#9683)
• deps: upgrade deep-deps for dev-tools (#9677)
• fix: PhpUnitAttributesFixer - correctly handle @requires PHPUnit with space-separated version constraint (#9684)
• UX: Cache - explicit deprecation for usage of non-handled objects in rules configuration, as they silently fail now; add support for JsonSerializable config values (#9678)

Commits

• 93e1ab3 prepared the 3.95.10 release
• f5ef45e fix: TokensAnalyzer - handle T_PUBLIC_SET, T_PROTECTED_SET, `T_PRIVATE_...
• 204b56e bumped version
• 7a6a047 prepared the 3.95.9 release
• 75a0377 refactor: change Fixers execution order to always-deterministic (#9690)
• 502de71 chore: apply class_keyword (#9689)
• 4bc1ed2 bumped version
• 4140023 prepared the 3.95.8 release
• 3210545 fix: SingleClassElementPerStatementFixer - do not drop modifiers when split...
• 34ed5e8 bumped version
• Additional commits viewable in compare view

Updates justinrainbow/json-schema from 6.9.0 to 6.10.0

Release notes

Sourced from justinrainbow/json-schema's releases.

6.10.0

Added

• feat: Add Draft-2019-09 (#885)

Changelog

Sourced from justinrainbow/json-schema's changelog.

[6.10.0] - 2026-06-16

Added

• feat: Add Draft-2019-09 (#885)

Commits

• 8b1308a docs: Prepare release 6.10.0
• 30c8542 docs: Update CHANGELOG.md for PR #885
• bbe268a feat: Add Draft-2019-09 (#885)
• See full diff in compare view

Updates phpunit/phpunit from 13.2.0 to 13.2.1

Release notes

Sourced from phpunit/phpunit's releases.

PHPUnit 13.2.1

Fixed

• #6741: Test is not run when --filter matches the name of a data set but not the name of the test method
• #6743: Improve error message for invalid version constraint in attribute
• #6744: Environment variable attributes reject empty-string values since PHPUnit 13.2.0

---

Learn how to install or update PHPUnit 13.2 in the documentation.

Keep up to date with PHPUnit:

• You can follow @​phpunit@phpc.social to stay up to date with PHPUnit's development.
• You can subscribe to the PHPUnit Updates newsletter to receive updates about and tips for PHPUnit.

Changelog

Sourced from phpunit/phpunit's changelog.

[13.2.1] - 2026-06-15

Fixed

• #6741: Test is not run when --filter matches the name of a data set but not the name of the test method
• #6743: Improve error message for invalid version constraint in attribute
• #6744: Environment variable attributes reject empty-string values since PHPUnit 13.2.0

Commits

• 60da0ff Prepare release
• a625c2a Merge branch '12.5' into 13.2
• 900400a Prepare release
• 4b16590 Fix CS/WS issues
• 073298c Closes #6744
• 9147606 Merge branch '12.5' into 13.2
• cbabf21 Update ChangeLog
• d651dab Improve error message for invalid version constraint in attribute
• 059594d Add test showing current behaviour
• 8330ffa Closes #6741
• Additional commits viewable in compare view

Updates rector/rector from 2.4.5 to 2.5.2

Release notes

Sourced from rector/rector's releases.

Released Rector 2.5.2

Bugfixes 🐛

• Match class + path in unused-skip reporting — fix combined class => [paths] skips being wrongly flagged as unused (#8073)
• Mark skip used only when rule would change the file — a class/path skip counts as "used" only if the rule would actually touch that file, killing false "used" hits (#8076)
• Improve unused-skip resolver methods — cleaner resolution internals (#8072)
• Track used skips as class => [paths] map — richer per-path skip tracking backing the report (#8074)

Released Rector 2.5.1

Bugfixes 🐛

• Skip unused-skip reporting on narrowed runs - no more false "unused skip" noise when running Rector on a subset of paths (#8069)
• Display skips only on uncached run - skip report shows on real runs, not when results come from cache (#8071)
• RemoveAlwaysTrueIfConditionRector — avoid scanning whole new statements on dynamic variable checks; moved logic to ExprAnalyzer and bail early on defined variables (#8057)

Released Rector 2.5

New Features 🥳 🎉 🎉 🎉

This release has 3 interesting new features. Let's look at them:

[dx] Report skips that never matched (#8058)

• What? - like PHPStan's reportUnusedIgnores, but for Rector ->withSkip(). Flags skip entries that never matched anything during the run, so you can delete stale skips.

• Why? - skips rot. You skip a path/rule to dodge a problem, later the file moves or the rule stops firing there — the skip lingers forever, silently masking nothing. This surfaces dead skips so config stays honest.

// rector.php
return RectorConfig::configure()
    ->withSkip([
        SimplifyUselessVariableRector::class => [
            '*/src/Legacy/*',          // still matches — fine
            '*/NonexistentUnused/*',   // matches nothing — stale
        ],
    ])
    ->reportUnusedSkips();

Run output:

 [OK] Rector is done!
[WARNING] This skip is unused, it never matched any element.
You can remove it from "->withSkip()"

Rector\CodeQuality\Rector\FunctionLike\SimplifyUselessVariableRector => /NonexistentUnused/

... (truncated)

Commits

• 49ff633 Rector 2.5.2
• 56d179b Updated Rector to commit dd21759b1194fe28cd266337124fd3035c62ead9
• 228203d Updated Rector to commit 2328ea6338d2496c409aaf2d8a001052e323feda
• d7cb788 Updated Rector to commit 19dcdb7816f10cb502a1b2ef5a6628185f74e49d
• 76d81c5 Updated Rector to commit aea1570424613c9a0acbf80c3abeb41d7dd33dbe
• 34a9124 Rector 2.5.1
• 6502d60 Updated Rector to commit df98b3b4e5f024d2260edc233dc9cb4adfe6a3e0
• b74237c Updated Rector to commit 84ab911ef53267aa1c4a9466064def614e486eea
• e3c4ee7 Updated Rector to commit 3893ea422afa3fb801ae64fa546c8a2cb24b0f97
• bdd26a9 Updated Rector to commit 580b374ea3638fd50cf9b98b84445cd9fe53768e
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions