Bump the composer group across 1 directory with 6 updates

[dependabot]

Bumps the composer group with 6 updates in the / directory:

Package	From	To
enshrined/svg-sanitize	0.19.0	0.22.0
web-auth/webauthn-lib	4.9.2	5.2.4
yiisoft/yii2	2.0.51	2.0.54
yiisoft/yii2-redis	2.0.18	2.0.20
phpunit/phpunit	10.5.45	10.5.63
psy/psysh	0.12.7	0.12.21

Updates enshrined/svg-sanitize from 0.19.0 to 0.22.0

Release notes

Sourced from enshrined/svg-sanitize's releases.

0.22.0

Resolved an issue where attribute name case inconsistencies (e.g., xlink:Href instead of xlink:href) in XML processing could cause namespace lookups and sanitisation to fail. Attribute names in both namespaced and non-namespaced contexts are now normalised to their expected lowercase form before processing. This ensures consistent sanitisation of xlink:href and other targeted attributes regardless of their original case.

Full Changelog: darylldoyle/svg-sanitizer@0.21.0...0.22.0

Props @​ohader and @​realazizk

Commits

• 0afa95e Merge commit from fork
• 5a0a1ea [SECURITY] Prevent bypass via mixed-case SVG attributes
• 5e47746 Merge pull request #112 from Orgoth/patch-1
• b154c6e Update AllowedAttributes.php
• 068d9fc Merge pull request #110 from lolli42/lolli-1
• 7dd11e4 Use actions/checkout@v4, v3 is deprecated
• fd26ab8 Require PHP ^7.1
• c0b26c3 Add PHP 8.4 to test matrix
• 71b62a0 Support PHP 8.4
• bcd646a Merge pull request #108 from gawpertron/fix/recursive-php-sanitisation
• Additional commits viewable in compare view

Updates web-auth/webauthn-lib from 4.9.2 to 5.2.4

Commits

• c346c98 fix: add PHPStan type annotations for parse_url() return values in CheckAllow...
• 9d891cd Merge commit from fork
• 8782f57 fix: set trust anchor when validating certificate path to support intermediat...
• 49efc4a fix: use spomky-labs/pki-framework to replace native php openssl functions fo...
• ac89d35 Rector/ECS (#792)
• 8937c39 Add WebAuthn authentication extensions support
• b02a2e6 Refactor Symfony test configurations and add badge support
• 6450850 Replace secured_rp_ids with allowed_origins and allow_subdomains
• 7aa58ea Fix typo in docblock annotation for @​deprecated property (#696)
• 3630e05 Fix trust path denormalization for x5c data validation (#694)
• Additional commits viewable in compare view

Updates yiisoft/yii2 from 2.0.51 to 2.0.54

Changelog

Sourced from yiisoft/yii2's changelog.

2.0.54 January 09, 2026

• Bug #19506: Fix @property annotations in yii\console\widgets\Table, yii\di\Container and yii\web\Session (mspirkov)
• Bug #19655: Fix LinkPager::getPageRange when maxButtons is 2 (mspirkov)
• Bug #20432: Fix PHPStan/Psalm annotations for ActiveQuery::asArray (mspirkov)
• Bug #20437: Fix PHPStan/Psalm annotations for BaseArrayHelper::merge (mspirkov)
• Bug #20447: Fix behavior for yii\web\Controller::bindActionParams around mixed type (chriscpty)
• Bug #20453: Fix PHPStan/Psalm types in yii\web\View (mspirkov)
• Bug #20459: Fix return type in RequestParserInterface::parse (mspirkov)
• Bug #20475: Fix Formatter class asScientific() method for PHP 8.5 sprintf precision change (6 to 0) (terabytesoftw)
• Bug #20479: Fix issue with MSSQL related to char and nchar (craiglondon)
• Bug #20482: Fix deprecation of ReflectionMethod::setAccessible() in PHP 8.5 (terabytesoftw)
• Bug #20483: Fix CompositeAuth making bad assumptions on AuthInterface implementations (sammousa)
• Bug #20485: Fix error Cannot unset string offsets in yii\di\Instance:ensure(['__class' => ...], 'some\class\name') (mspirkov)
• Bug #20489: Replace deprecated strftime with date in YiiRequirementChecker (mspirkov)
• Bug #20492: Fix deprecation of finfo_close() in PHP 8.5 by conditionally closing the resource (terabytesoftw)
• Bug #20494: Fix PHPdoc, add PHPStan/Psalm annotations for authMethods property in CompositeAuth class (terabytesoftw)
• Bug #20495: Fix behavior when resetting sequence in QueryBuilder for MSSQL (achretien)
• Bug #20508: Fix PHPDoc, add PHPStan/Psalm annotations for yii\web\CookieCollection::getIterator. Add missing @property annotation in yii\base\Model (mspirkov)
• Bug #20513: Fix code examples in PHPDoc (mspirkov)
• Bug #20515: Fix @param annotations in BetweenColumnsCondition, InCondition and LikeCondition (mspirkov)
• Bug #20516: Fix @template annotations in ActiveRecord (mspirkov)
• Bug #20524: Fix PHPStan/Psalm annotations in Yii::createObject (mspirkov)
• Bug #20530: Fix notice "Object of class DateTimeImmutable could not be converted to int" in CookieCollection::has (mspirkov)
• Bug #20532: Add missing return statements in CacheController::actionFlushSchema, FixtureController::actionUnload, HelpController::actionIndex and ServeController::actionIndex (mspirkov)
• Bug #20541: Remove deprecated caching components: XCache and ZendDataCache, and update related tests and documentation (terabytesoftw)
• Bug #20542: Fix Formatter working with more complex ICU unit data structure (OndrejVasicek)
• Bug #20548: Fix PHP 8.5 null array offset deprecation warnings (terabytesoftw)
• Bug #20569: Fix @param annotation for $default in HeaderCollection::get (mspirkov)
• Bug #20570: Fix @var annotation for UrlManager::$cache (mspirkov)
• Bug #20571: Fix @var annotation for yii\web\Response::$stream (mspirkov)
• Bug #20576: Fix @var annotation for StringValidator::$length (mspirkov)
• Bug #20583: Fix return value in Request::getServerPort (mspirkov)
• Bug #20585: Fix @return annotation for CompositeUrlRule::createRules() (mspirkov)
• Bug #20587: Fix @var annotation for yii\rbac\Item::$ruleName (mspirkov)
• Bug #20589: Fix @var annotations for yii\rbac\DbManager properties (mspirkov)
• Bug #20594: Fix @return annotation for Instance::get() (mspirkov)
• Bug #20595: Fix @return annotation for BaseHtml::getAttributeValue() (mspirkov)
• Bug #20599: Fix @return annotation for ConditionInterface::fromArrayDefinition() (mspirkov)
• Bug #20600: Fix @var annotation for yii\test\FileFixtureTrait::$dataFile (mspirkov)
• Bug #20604: Fix @var annotation for yii\db\Command::$pdoStatement (mspirkov)
• Bug #20605: Fix return value in SerialColumn::renderDataCellContent() (mspirkov)
• Bug #20608: Fix @return annotations for yii\rest\Serializer methods (mspirkov)
• Bug #20610: Fix @var annotation for ActiveQueryTrait::$with (mspirkov)
• Bug #20611: Fix @return annotations for yii\i18n\GettextMoFile methods (mspirkov)
• Bug #20617: Fix @return annotation for DataColumn::getDataCellValue() (mspirkov)
• Bug #20618: Fix @var annotation for yii\web\Response::$acceptMimeType (mspirkov)
• Bug #20619: Fix @return annotation for yii\db\Query::prepare() (mspirkov)
• Bug #20620: Fix @var annotation for RateLimiter::$user (mspirkov)

... (truncated)

Commits

• 99daebf release version 2.0.54
• b905795 Reorganize static analysis documentation in UPGRADE.md (#20701)
• ae4179d Document Behavior template parameter requirements for static analysis tools (...
• a351d47 Fix #20689: Fix PHP 8.5 imagedestroy deprecation warning
• edaf376 Revert "release version 2.0.54"
• ce44881 Revert "prepare for next release"
• 23bbb65 prepare for next release
• 8ce2309 release version 2.0.54
• fe0481f Update framework/composer.json
• 61af031 Minor changelog fixes
• Additional commits viewable in compare view

Updates yiisoft/yii2-redis from 2.0.18 to 2.0.20

Changelog

Sourced from yiisoft/yii2-redis's changelog.

2.0.20 June 05, 2025

• Bug CVE-2025-48493: Prevent logging AUTH parameters when YII_DEBUG is off (samdark)
• Bug #270: Prevent null parameter on mb_strlen to avoid PHP 8.4 implicity nullable types deprecation (tehmaestro)

2.0.19 February 13, 2025

• Enh #264: Improve performance of mget() for big list of keys (alx-xc, rob006)

Commits

• d5b89cb release version 2.0.20
• 962252d Merge commit from fork
• bfec5b6 Fix #270: Prevent null parameter on mb_strlen to avoid PHP 8.4 implicity nu...
• c00e9fb prepare for next release
• 81a4a56 release version 2.0.19
• b083ad4 Fix Issue template typo in vesion (#268)
• d09895f Merge pull request #265 from rob006/patch-1
• 309af2c Update CHANGELOG.md
• 465b044 Improve performance of mget() for big list of keys
• 4629747 Merge pull request #263 from Arhell/upd
• Additional commits viewable in compare view

Updates phpunit/phpunit from 10.5.45 to 10.5.63

Release notes

Sourced from phpunit/phpunit's releases.

PHPUnit 10.5.63

Fixed

• Regression introduced in PHPUnit 9.6.33

---

Learn how to install or update PHPUnit 10.5 in the documentation.

Keep up to date with PHPUnit:

• You can follow @​phpunit@phpc.social to stay up to date with PHPUnit's development.
• You can subscribe to the PHPUnit Updates newsletter to receive updates about and tips for PHPUnit.

PHPUnit 10.5.62

Changed

• To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs

---

Learn how to install or update PHPUnit 10.5 in the documentation.

Keep up to date with PHPUnit:

• You can follow @​phpunit@phpc.social to stay up to date with PHPUnit's development.
• You can subscribe to the PHPUnit Updates newsletter to receive updates about and tips for PHPUnit.

PHPUnit 10.5.61

Changed

• PHPUnit\Framework\MockObject exceptions are now subtypes of PHPUnit\Exception

---

Learn how to install or update PHPUnit 10.5 in the documentation.

Keep up to date with PHPUnit:

• You can follow @​phpunit@phpc.social to stay up to date with PHPUnit's development.
• You can subscribe to the PHPUnit Updates newsletter to receive updates about and tips for PHPUnit.

PHPUnit 10.5.60

• No changes; phpunit.phar rebuilt with PHP 8.4 to work around PHP-Scoper issue #1139

---

Learn how to install or update PHPUnit 10.5 in the documentation.

Keep up to date with PHPUnit:

... (truncated)

Changelog

Sourced from phpunit/phpunit's changelog.

[10.5.63] - 2026-01-27

Fixed

• Regression introduced in PHPUnit 9.6.33

[10.5.62] - 2026-01-27

Changed

• To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs

[10.5.61] - 2026-01-24

Changed

• PHPUnit\Framework\MockObject exceptions are now subtypes of PHPUnit\Exception

[10.5.60] - 2025-12-06

• No changes; phpunit.phar rebuilt with PHP 8.4 to work around PHP-Scoper issue #1139

[10.5.59] - 2025-12-01

Changed

• #6338: Removed code from PHPUnit\Runner\TestSuiteSorter that was only used in the tests for this class
• Updated list of deprecated PHP configuration settings for PHP 8.4, PHP 8.5, and PHP 8.6

[10.5.58] - 2025-09-28

Fixed

• #6368: failOnPhpunitWarning="false" has no effect

[10.5.57] - 2025-09-24

• No changes; phpunit.phar rebuilt with updated dependencies

[10.5.56] - 2025-09-23

• No changes; phpunit.phar rebuilt with updated dependencies

[10.5.55] - 2025-09-14

Changed

• #6366: Exclude __sleep() and __wakeup() from test double code generation on PHP >= 8.5

[10.5.54] - 2025-09-11

... (truncated)

Commits

• 3319826 Prepare release
• b0d98a2 Merge branch '9.6' into 10.5
• b36f023 Fix regression introduced in PHPUnit 9.6.33
• 3f7dd50 Prepare release
• 9c95cf0 Merge branch '9.6' into 10.5
• fea0625 Prepare release
• 1a677f6 Merge branch '8.5' into 9.6
• 1015741 Prepare release
• e5cda18 Fix bad merge
• a8b932b Merge branch '9.6' into 10.5
• Additional commits viewable in compare view

Updates psy/psysh from 0.12.7 to 0.12.21

Release notes

Sourced from psy/psysh's releases.

PsySH v0.12.21

Added an experimental interactive readline: a from-scratch pure-PHP readline replacement built specifically for PsySH. Instead of delegating to ext-readline or ext-libedit, this gives PsySH full control over input, editing, completion, and rendering.

This is opt-in and experimental. Default behavior is completely unchanged. Enable it in your config or from the command line:

'useExperimentalReadline' => true,

psysh --experimental-readline

See the interactive readline wiki page for more!

Completions that actually understand your code

The new completion engine is syntax-aware, type-aware, and runtime-value-aware. It parses your input, resolves types from live objects in scope, and completes based on what your code actually is, not just string matching on symbol names.

Type $user-> and see that object's actual methods and properties. Chain through $repo->find(1)-> and get completions for the return type. Fuzzy matching means asum finds array_sum and stl finds strtolower. Completions show in a navigable multi-column menu.

Multi-line editing

Press Enter on an incomplete statement and the input continues on the next line with proper indentation. Closing brackets auto-dedent. Shift+Enter always inserts a newline. No more fighting the shell to write a multi-line closure.

History

• Reverse history search (Ctrl+R) with an overlay showing match highlighting, smart-case filtering, deduplication, and keyboard navigation.
• Filtered history navigation: type part of a previous command, then press Up/Down to cycle through matching history entries.

And more

• Fish-style inline autosuggestions from your history. This one's still a bit rough; enable it separately with 'useSuggestions' => true.
• Bracket and quote auto-pairing with smart backspace.
• Bracketed paste mode: pastes multi-line code verbatim without executing line-by-line.
• No ext-readline or ext-libedit required. Works with any terminal.
• Ctrl+L to clear the screen.

This addresses a bunch of long-standing issues: #234, #254, #309, #346, #506, #561, #668, #732, #769, #869.

We'd love your feedback! Give it a try, and let us know what works and what doesn't. The goal is to make this the default. Help us get it there. 🧪

PsySH v0.12.20

Project trust edge case fixes

Fixed several edge cases with the Restricted Mode introduced in v0.12.19 where non-interactive contexts (piped input, execute() calls, Composer proxy scripts) could incorrectly trigger trust prompts or restrict trusted functionality.

Fixes #913

Commands work better outside the shell

... (truncated)

Commits

• 4821fab Merge branch 'release/v0.12.21'
• d5ebbe4 Bump to v0.12.21
• 85b019a Give phar test a bit more memory.
• a097a1a Truncate reverse history search preview to prevent the input lines from
• 689401b Improve reverse history search UI.
• 7938716 Add filtered history navigation (up/down arrow keys with text in the buffer)
• 7d6ade6 Merge pull request #914 from bobthecow/feature/interactive-readline
• 4c0d732 Improve auto-indent/dedent behavior
• 59e9dfa Use a default <info> format that's more readable across modern terminal theme...
• c2b2408 Allow tab completion with interactive readline, regardless of ext-readline av...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.