Bump the composer group across 1 directory with 5 updates #528

Open: dependabot[bot] wants to merge 1 commit into master from dependabot/composer/composer-ea5aeb1451

dependabot[bot] commented on behalf of github on May 19, 2026

Bumps the composer group with 2 updates in the / directory: codeception/codeception and composer/composer.

Updates codeception/codeception from 4.1.20 to 4.1.22

Release notes

Sourced from codeception/codeception's releases.

Security fix

  • Security fix: Disable deserialization of RunProcess class (#6241) reported by @snoopysecurity
  • Reduce memory consumption of very large tests (#6230) by @esnelubov
  • Support guzzlehttp/psr7 v2 by @W0rma
  • Fix W3C warning in reports generated by Recorder extension (#6224) by RickR2H

4.1.21

  • Fix dry-run compatibility with symfony/console 5.3
  • Coverage: Don't attempt to set cookie domain when it is "localhost" #6210 by @marcovtwout
  • Coverage: Don't attempt to read cookies while an alert is open #6211 by @marcovtwout

Changelog

Sourced from codeception/codeception's changelog.

4.1.22

  • Security fix: Disable deserialization of RunProcess class (#6241)
  • Reduce memory consumption of very large tests (#6230) by @esnelubov
  • Support guzzlehttp/psr7 v2 by @W0rma
  • Fix W3C warning in reports generated by Recorder extension (#6224) by RickR2H

4.1.21

  • Fix dry-run compatibility with symfony/console 5.3
  • Coverage: Don't attempt to set cookie domain when it is "localhost" (#6210) by @marcovtwout
  • Coverage: Don't attempt to read cookies while an alert is open (#6211) by @marcovtwout

Commits
  • 9777ec3 4.1.22
  • cbce9ea Security: Disable deserialization of RunProcess class (#6241)
  • d69ab79 Merge pull request #6230 from esnelubov/4.1-free-memory
  • ad2d34e Add check for PHP version to make the code work on PHP 5.6
  • 2cc87fd Reduce the memory consumption of tests by forcing PHP to return the unused me...
  • 701b636 Merge pull request #6229 from W0rma/guzzle-psr7-v2
  • 405204b Allow installation of guzzlehttp/psr7 v2
  • 549160c Recorder extension: role="navigation" is unnecessary for element nav (#6224)
  • c25f20d Use 1.x versions of modules in 4.1 to fix CI
  • 818a8b3 4.1.21
  • Additional commits viewable in compare view

Updates composer/composer from 2.0.13 to 2.2.28

Release notes

Sourced from composer/composer's releases.

2.2.28

Full Changelog: composer/composer@2.2.27...2.2.28

2.2.27

  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (246f807b, 246f807b, 246f807b)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (246f807b)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (21ffece62)
  • Fixed issue handling paths with = in them on Windows (#11568)

Full Changelog: composer/composer@2.2.26...2.2.27

2.2.26

Full Changelog: composer/composer@2.2.25...2.2.26

2.2.25

  • Fixed deprecation notices appearing on this LTS version in case it is used on modern PHP. Modern PHP support is not guaranteed nor tested for though and the main purpose of LTS releases is legacy PHP versions support. (#12217)
  • Fixed issue on plugin upgrade when it defines multiple classes (#12226)
  • Fixed duplicate errors appearing in the output depending on php settings (#12214)
  • Fixed InstalledVersions returning duplicate data in some instances (#12225)

Full Changelog: composer/composer@2.2.24...2.2.25

2.2.24

This release includes fixes for issues found in a security audit by Cure53 funded by Alpha-Omega.

  • Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
  • Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
  • Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
  • Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)
  • Security: Fixed perforce argument escaping (3773f775)
  • Security: Fixed handling of zip bombs when extracting archives (de5f7e32)
  • Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a7455, 04a63b324)

2.2.23

2.2.22

  • Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
  • Fixed authentication issue when downloading several files from private Bitbucket in parallel (#11464)
  • Fixed handling of broken junctions on windows (#11550)
  • Fixed loading of root aliases on path repo packages when doing partial updates (#11632)
  • Fixed parsing of lib-curl-openssl version with OSX SecureTransport (#11534)
  • Fixed binary proxies not being transparent when included by another PHP process and returning a value (#11454)

... (truncated)

Changelog

Sourced from composer/composer's changelog.

[2.2.28] 2026-05-13

[2.2.27] 2026-04-14

  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (246f807b, 246f807b, 246f807b)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (246f807b)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (21ffece62)
  • Fixed issue handling paths with = in them on Windows (#11568)

[2.2.26] 2025-12-30

[2.2.25] 2024-12-11

  • Fixed deprecation notices appearing on this LTS version in case it is used on modern PHP. Modern PHP support is not guaranteed nor tested for though and the main purpose of LTS releases is legacy PHP versions support. (#12217)
  • Fixed issue on plugin upgrade when it defines multiple classes (#12226)
  • Fixed duplicate errors appearing in the output depending on php settings (#12214)
  • Fixed InstalledVersions returning duplicate data in some instances (#12225)

[2.2.24] 2024-06-10

  • Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
  • Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
  • Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
  • Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)
  • Security: Fixed perforce argument escaping (3773f775)
  • Security: Fixed handling of zip bombs when extracting archives (de5f7e32)
  • Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a7455, 04a63b324)

[2.2.23] 2024-02-08

[2.2.22] 2023-09-29

  • Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
  • Fixed authentication issue when downloading several files from private Bitbucket in parallel (#11464)
  • Fixed handling of broken junctions on windows (#11550)
  • Fixed loading of root aliases on path repo packages when doing partial updates (#11632)
  • Fixed parsing of lib-curl-openssl version with OSX SecureTransport (#11534)
  • Fixed binary proxies not being transparent when included by another PHP process and returning a value (#11454)
  • Fixed support for plugin classes being marked as readonly (#11404)
  • Fixed GitHub rate limit reporting (#11366)
  • Fixed issue displaying solver problems with branch names containing % signs (#11359)

... (truncated)

Updates guzzlehttp/psr7 from 1.8.2 to 2.9.1

Release notes

Sourced from guzzlehttp/psr7's releases.

2.9.1

  • Fix parsing of relative path references containing a colon in a non-initial path segment
  • Fix CachingStream::detach() returning an incomplete resource before the decorated stream has been fully read
  • Fix Message::bodySummary() returning null when truncating printable UTF-8 bodies inside a multibyte character

2.9.0

Added

  • Added nested array expansion support to MultipartStream
  • Added @return static to MessageTrait methods

Changed

  • Updated MIME type mappings

See also the change log for changes.

2.8.1

Fixed

  • Encode + signs in Uri::withQueryValue() and Uri::withQueryValues() to prevent them being interpreted as spaces

See also the change log for changes.

2.8.0

Added

  • Allow empty lists as header values

Changed

  • PHP 8.5 support

See also the change log for changes.

2.7.1

Fixed

  • Fixed uppercase IPv6 addresses in URI

Changed

  • Improve uploaded file error message

... (truncated)

Changelog

Sourced from guzzlehttp/psr7's changelog.

2.9.1 - 2026-05-19

Fixed

  • Fix parsing of relative path references containing a colon in a non-initial path segment
  • Fix CachingStream::detach() returning an incomplete resource before the decorated stream has been fully read
  • Fix Message::bodySummary() returning null when truncating printable UTF-8 bodies inside a multibyte character

2.9.0 - 2026-03-10

Added

  • Added nested array expansion support to MultipartStream
  • Added @return static to MessageTrait methods

Changed

  • Updated MIME type mappings

2.8.1 - 2026-03-10

Fixed

  • Encode + signs in Uri::withQueryValue() and Uri::withQueryValues() to prevent them being interpreted as spaces

2.8.0 - 2025-08-23

Added

  • Allow empty lists as header values

Changed

  • PHP 8.5 support

2.7.1 - 2025-03-27

Fixed

  • Fixed uppercase IPv6 addresses in URI

Changed

  • Improve uploaded file error message

2.7.0 - 2024-07-18

Added

  • Add Utils::redactUserInfo() method

... (truncated)

Updates phpunit/phpunit from 9.5.4 to 9.6.34

Release notes

Sourced from phpunit/phpunit's releases.

PHPUnit 9.6.34

Fixed

  • Regression introduced in PHPUnit 9.6.33

Learn how to install or update PHPUnit 9.6 in the documentation.

PHPUnit 9.6.33

Changed

  • To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs


PHPUnit 9.6.32

Changed

  • PHPUnit\Framework\MockObject exceptions are now subtypes of PHPUnit\Exception


PHPUnit 9.6.31

  • No changes; phpunit.phar rebuilt with PHP 8.4 to work around PHP-Scoper issue #1139


... (truncated)

Changelog

Sourced from phpunit/phpunit's changelog.

[9.6.34] - 2026-01-27

Fixed

  • Regression introduced in PHPUnit 9.6.33

[9.6.33] - 2026-01-27

Changed

  • To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs

[9.6.32] - 2026-01-24

Changed

  • PHPUnit\Framework\MockObject exceptions are now subtypes of PHPUnit\Exception

[9.6.31] - 2025-12-06

  • No changes; phpunit.phar rebuilt with PHP 8.4 to work around PHP-Scoper issue #1139

[9.6.30] - 2025-12-01

Changed

  • Updated list of deprecated PHP configuration settings for PHP 8.4, PHP 8.5, and PHP 8.6

[9.6.29] - 2025-09-24

  • No changes; phpunit.phar rebuilt with updated dependencies

[9.6.28] - 2025-09-23

  • No changes; phpunit.phar rebuilt with updated dependencies

[9.6.27] - 2025-09-14

Changed

  • #6366: Exclude __sleep() and __wakeup() from test double code generation on PHP >= 8.5

[9.6.26] - 2025-09-11

Changed

  • Implement __serialize() in addition to __sleep() (which will be deprecated in PHP 8.5)

[9.6.25] - 2025-08-20

... (truncated)

Commits
  • b36f023 Fix regression introduced in PHPUnit 9.6.33
  • fea0625 Prepare release
  • 1a677f6 Merge branch '8.5' into 9.6
  • 1015741 Prepare release
  • 1cce5f3 Merge branch '8.5' into 9.6
  • 3141742 Do not run PHPT test when its temporary file for code coverage information ex...
  • 0b3170a We do not need to unserialize() objects here
  • 261086a Extract method
  • fdd6b86 Fix CS/WS issue
  • 492ee10 Prepare release
  • Additional commits viewable in compare view

Updates symfony/process from 5.2.4 to 5.4.51

Release notes

Sourced from symfony/process's releases.

v5.4.51

Changelog (symfony/process@v5.4.50...v5.4.51)

v5.4.47

Changelog (symfony/process@v5.4.46...v5.4.47)

  • no significant changes

v5.4.46

Changelog (symfony/process@v5.4.45...v5.4.46)

v5.4.45

Changelog (symfony/process@v5.4.44...v5.4.45)

  • no significant changes

v5.4.44

Changelog (symfony/process@v5.4.43...v5.4.44)

v5.4.40

Changelog (symfony/process@v5.4.39...v5.4.40)

  • no significant changes

v5.4.39

Changelog (symfony/process@v5.4.38...v5.4.39)

  • no significant changes

v5.4.36

Changelog (symfony/process@v5.4.35...v5.4.36)

v5.4.35

Changelog (symfony/process@v5.4.34...v5.4.35)

v5.4.34

... (truncated)

Commits
  • 467bfc5 [Process] Fix escaping for MSYS on Windows
  • 5d1662f normalize paths to avoid failures if a path is referenced by different names
  • 0190687 [Process] Fix test
  • ee75984 security #cve-2024-51736 [Process] Use %PATH% before %CD% to load the shell o...
  • 05c2ccc [Process] Use %PATH% before %CD% to load the shell on Windows
  • d94dda5 [Process] Fix escaping /X arguments on Windows
  • 72baf6b fix the constant being used
  • 81e1a0c fix the path separator being used
  • d67303e minor #58747 [Process] fix the directory separator being used (xabbuh)
  • 5cdd400 minor #58746 [Process] Improve test cleanup by unlinking in a finally block...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Bumps the composer group with 2 updates in the / directory: [codeception/codeception](https://github.com/Codeception/Codeception) and [composer/composer](https://github.com/composer/composer).


Updates `codeception/codeception` from 4.1.20 to 4.1.22
- [Release notes](https://github.com/Codeception/Codeception/releases)
- [Changelog](https://github.com/Codeception/Codeception/blob/main/CHANGELOG-4.x.md)
- [Commits](Codeception/Codeception@4.1.20...4.1.22)

Updates `composer/composer` from 2.0.13 to 2.2.28
- [Release notes](https://github.com/composer/composer/releases)
- [Changelog](https://github.com/composer/composer/blob/2.2.28/CHANGELOG.md)
- [Commits](composer/composer@2.0.13...2.2.28)

Updates `guzzlehttp/psr7` from 1.8.2 to 2.9.1
- [Release notes](https://github.com/guzzle/psr7/releases)
- [Changelog](https://github.com/guzzle/psr7/blob/2.9/CHANGELOG.md)
- [Commits](guzzle/psr7@1.8.2...2.9.1)

Updates `phpunit/phpunit` from 9.5.4 to 9.6.34
- [Release notes](https://github.com/sebastianbergmann/phpunit/releases)
- [Changelog](https://github.com/sebastianbergmann/phpunit/blob/9.6.34/ChangeLog-9.6.md)
- [Commits](sebastianbergmann/phpunit@9.5.4...9.6.34)

Updates `symfony/process` from 5.2.4 to 5.4.51
- [Release notes](https://github.com/symfony/process/releases)
- [Changelog](https://github.com/symfony/process/blob/8.1/CHANGELOG.md)
- [Commits](symfony/process@v5.2.4...v5.4.51)

---
updated-dependencies:
- dependency-name: codeception/codeception
  dependency-version: 4.1.22
  dependency-type: direct:development
  dependency-group: composer
- dependency-name: composer/composer
  dependency-version: 2.2.28
  dependency-type: direct:development
  dependency-group: composer
- dependency-name: guzzlehttp/psr7
  dependency-version: 2.9.1
  dependency-type: indirect
  dependency-group: composer
- dependency-name: phpunit/phpunit
  dependency-version: 9.6.34
  dependency-type: indirect
  dependency-group: composer
- dependency-name: symfony/process
  dependency-version: 5.4.51
  dependency-type: indirect
  dependency-group: composer
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the "dependencies" (Pull requests that update a dependency file) and "php" (Pull requests that update php code) labels on May 19, 2026