Bump the "maintenance" group with 1 updates across multiple ecosystems

[dependabot]

Bumps the maintenance group with 3 updates: squizlabs/php_codesniffer, lion/test and infection/infection.

Updates squizlabs/php_codesniffer from 3.13.5 to 4.0.1

Release notes

Sourced from squizlabs/php_codesniffer's releases.

4.0.1 - 2025-11-10

This release includes all improvements and bugfixes from PHP_CodeSniffer 3.13.5.

Added

• Runtime support for PHP 8.5. All known PHP 8.5 deprecation notices have been fixed.
  • Syntax support for new PHP 8.5 features will follow in a future release.
  • If you find any PHP 8.5 deprecation notices which were missed, please report them.

Changed

• The Squiz.ControlStructures.SwitchDeclaration sniff will now flag a PHP close tag as a "wrong opener" and will auto-fix this by inserting a colon. #1316
• Various housekeeping, including improvements to the tests and documentation.

Fixed

• 4.x regression #1277: bring back whitespace tolerance in phpcs:ignore comma-separated rule reference lists.
  • Note: this bug did not affect phpcs:disable/phpcs:enable ignore annotations.
• Fixed bug #968: Generic.WhiteSpace.ScopeIndent was reporting false positives - and making incorrect fixes - for lines following a line containing an arrow function.
  • Thanks to Soichi Sato for the patch.
• Fixed bug #1216: Tokenizer/PHP: added more defensive coding to prevent PHP 8.5 "Using null as an array offset" deprecation notices.
  • Thanks to Andrew Lyons for the patch.
• Fixed bug #1279: Tokenizer/PHP: on PHP < 8.0, an unclosed attribute (parse error) could end up removing some tokens from the token stream.
  • This could lead to false positives and false negative from sniffs, but could also lead to incorrect fixes being made mangling the file under scan.
• Fixed bug #1315: Squiz.ControlStructures.SwitchDeclaration: a number of the fixers would get into fixer conflicts with each other if the code under scan contained multiple statements on a line within a switch.
  • The sniff will now forbid - and auto-fix - multiple statements on one line for case/default and "case breaking" statements.
• Fixed bug #1316: Tokenizer/PHP: a PHP close tag after a switch case condition or after a default keyword, was not regarded as a "scope_opener" for the case/default body.
• Fixed bug #1316: PSR2.ControlStructures.SwitchDeclaration: the WrongOpener error is now also auto-fixable if the wrong opener is a PHP close tag.
• Fixed bug #1316: Squiz.PHP.NonExecutableCode would throw false positives when code within a switch control structure would move in and out of PHP.

---

New Contributors

The PHP_CodeSniffer project is happy to welcome the following new contributors: @​andrewnicols, @​Soh1121

Statistics

Closed: 2 issues Merged: 8 pull requests

Follow @​phpcs on Mastodon or @​PHP_CodeSniffer on X to stay informed.

Please consider funding the PHP_CodeSniffer project. If you already do so: thank you!

4.0.0 - 2025-09-16

This release contains breaking changes.

Upgrade guides for both ruleset maintainers/end-users, as well as for sniff developers and integrators, have been published to the Wiki.

You are strongly encouraged to read the upgrade guide applicable to your situation before upgrading.

... (truncated)

Changelog

Sourced from squizlabs/php_codesniffer's changelog.

Changelog

The file documents changes to the PHP_CodeSniffer project for the 3.x series of releases.

Commits

• 0525c73 Merge pull request #1318 from PHPCSStandards/feature/changelog-4.0.1
• 4c09fb4 Changelog for the 4.0.1 release
• 7ed8ea2 Merge pull request #1316 from PHPCSStandards/feature/tokenizer-php-switch-cas...
• b80dc24 Various sniffs: update tests to safeguard handling of case/default with P...
• 6bd0af6 Squiz/NonExecutableCode: bug fix - false positive with PHP close tag after ca...
• 6d61496 Squiz/SwitchDeclaration: make implied semicolon via close tag auto-fixable
• 21c0e80 PSR2/SwitchDeclaration: make implied semicolon via close tag auto-fixable
• 6327f77 Tokenizer/PHP: PHP close tag should be regarded as scope opener for switch ca...
• 9397930 Squiz/SwitchDeclaration: bug fix - fixer conflict for single line code (#1315)
• 2c13a90 Merge pull request #1308 from Soh1121/issue-968/fix-wrong-indentation-with-ar...
• Additional commits viewable in compare view

Updates lion/test from 3.14.0 to 4.0.0

Release notes

Sourced from lion/test's releases.

v4.0.0

What's Changed

• Support for PHP 8.5 has been added. by @​Sleon4 in lion-packages/test#63
• Update Dependabot support by @​Sleon4 in lion-packages/test#64
• Update php.yml by @​Sleon4 in lion-packages/test#65
• Bump the "maintenance" group with 1 updates across multiple ecosystems by @​dependabot[bot] in lion-packages/test#66
• Update README.md by @​Sleon4 in lion-packages/test#67

Full Changelog: lion-packages/test@v3.14.0...v4.0.0

Commits

• 87bfdf9 Merge pull request #67 from lion-packages/Sleon4-patch-1
• 218731d Update README.md
• 68d2783 Merge pull request #66 from lion-packages/dependabot/maintenance-a799d7e6bf
• fe1bf15 build(deps-dev): bump the maintenance group with 2 updates
• 03f9c63 Merge pull request #65 from lion-packages/Sleon4-patch-1
• 1677b86 Update php.yml
• 7292e29 Merge pull request #64 from lion-packages/Sleon4-patch-1
• 7e821b3 Update dependabot.yml
• 7c1d68a Merge pull request #63 from lion-packages/php-support
• ed49450 build: The composer's information is being updated
• Additional commits viewable in compare view

Updates infection/infection from 0.29.14 to 0.32.0

Release notes

Sourced from infection/infection's releases.

Format-presering pretty printing; new GitHub loggers with collapsable sections; Symfony 8 support

Added:

• Support --exclude-source-from-xml-coverage fast path for PHPUnit 12.5+ by @​staabm in infection/infection#2604
• Implement GitHubActionsLogTextFileLogger to improve DX of text file logger with GA by @​staabm in infection/infection#2552
• Add support for Symfony 8 by @​Kocal in infection/infection#2551

Changed:

• Format-preserving pretty-printing for Mutants by @​maks-rafalko in infection/infection#2448

Internal:

• Replace deprecated SplObjectStorage methods with alternatives by @​romm in infection/infection#2447
• chore: Remove redundant RequiresOperatingSystem by @​sanmai in infection/infection#2466
• Support PHPStan dev-versions by @​staabm in infection/infection#2492
• refactor(ParallelProcessRunner): Refactor ParallelProcessRunner for clarity by @​sanmai in infection/infection#2560
• refactor(ParallelProcessRunner): extract a decorator of SplQueue by @​sanmai in infection/infection#2562
• refactor: Declare native property types by @​staabm in infection/infection#2571
• Update shipmonk/dead-code-detector to 0.14.0 by @​staabm in infection/infection#2670
• Bump to Rector ^2.2.4 by @​samsonasik in infection/infection#2479
• Prevent use of deprecated PHPUnit $this->isType('string') by @​staabm in infection/infection#2605
• Enable failOnDeprecation="true" in PHPUnit configuration by @​staabm in infection/infection#2606

and a huge work (around ~210 PRs) by @​theofidry, updating Infection architecture to bring more features in the future that were impossible to implement before. You can track them here:

• Rework the source & filtering API #2595 by @​theofidry
• Consolidate the Git API #2622 by @​theofidry
• RFC: Source Collection #2380 by @​theofidry
• RFC: Tracer #2751 by @​theofidry

New Contributors

• @​samsonasik made their first contribution in infection/infection#2479
• @​wickedOne made their first contribution in infection/infection#2587
• @​Kocal made their first contribution in infection/infection#2551
• @​VincentLanglet made their first contribution in infection/infection#2732

Full Changelog: infection/infection@0.31.9...0.32.0

Support PHPStan-dev version in PHPStanAdapter

Changed:

• Support PHPStan-dev version in PHPStanAdapter by @​staabm #2495

Full Changelog: infection/infection@0.31.8...0.31.9

0.31.8

Changed:

... (truncated)

Changelog

Sourced from infection/infection's changelog.

[0.32.0]

Fixed:

• [BC BREAK!] The relative paths of the sources (source.directories in the Infection configuration file) are no longer relative to the current working directory but instead to the location of the configuration file.

0.31.0 (2025-07-28)

Changed:

• [BR BREAK!] Remove --only-covered; Introduce --with-uncovered instead by @​staabm in infection/infection#2336
• Directly enqueue follow-up processes by @​sanmai in infection/infection#2322
• Use executionOrder="defects,random" for phpunit.xml by @​staabm in infection/infection#2328

Fixed:

• Fix CLI output rendering for diffs which contain symfony-style like text by @​staabm in infection/infection#2338

Internal:

• Update the pipeline library to version 7 by @​sanmai in infection/infection#2342
• Switch to sanmai/di-container by @​sanmai in infection/infection#2343

Backward Compatibility Break

This version introduces BC Break. Do the following:

1. If you used Infection for all the code, including uncovered, like bin/infection, now you need to add --with-uncovered, because by default, Infection doesn't mutate uncovered code anymore

- bin/infection
+ bin/infection --with-uncovered

2. If you used Infection for the only code covered by tests, like bin/infection --only-covered, you need to remove this option because now this is a default behavior and this options has been removed

- bin/infection --only-covered
+ bin/infection

3. If you used Infection for all the code, including uncovered, but now you want to mutated only covered code, do nothing (default behavior has been changed)

# continue using
bin/infection

Full Changelog: infection/infection@0.30.3...0.31.0

... (truncated)

Commits

• 71d4a12 test: Rework the PHPUnit end-to-end tests (#2624)
• a5bbdad test: Rename the PHPUnit tests (#2752)
• 35dfda6 feat(git): Add git commands (#2669)
• a955b1f refactor: Rename the console options to be more consistent (#2750)
• b4079bc docs(git): Update some pieces of documentation (#2749)
• 588133a [Conductor] Update phpunit/php-code-coverage to 11.0.12 (#2748)
• de1cf6b feat(SourceCollector): Add a command to list all the sources (#2706)
• c551eeb refactor: Move the parsing of the config file option into a single place (#2747)
• 2bfca87 refactor: Use the Symfony command constants (#2746)
• 96bc39b feat(SourceCollector): Fail earlier when no source file is found (#2703)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: php. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
composer/infection/infection	0.32.0	🟢 5.7	Details Check Score Reason Token-Permissions ⚠️ -1 No tokens found Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 2 Found 5/25 approved changesets -- score normalized to 2 Maintained 🟢 10 30 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow ⚠️ -1 no workflows found CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies ⚠️ -1 no dependencies found License 🟢 10 license file detected Binary-Artifacts 🟢 10 no binaries found in the repo Vulnerabilities 🟢 10 0 existing vulnerabilities detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
composer/lion/test	4.0.0	Unknown	Unknown
composer/psr/clock	1.0.0	Unknown	Unknown
composer/sanmai/di-container	0.1.5	Unknown	Unknown
composer/sanmai/duoclock	0.1.3	Unknown	Unknown
composer/sanmai/pipeline	7.6	Unknown	Unknown
composer/squizlabs/php_codesniffer	4.0.1	Unknown	Unknown
composer/symfony/console	8.0.1	🟢 5.1	Details Check Score Reason Dangerous-Workflow ⚠️ -1 no workflows found Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 24 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 Token-Permissions ⚠️ -1 No tokens found SAST ⚠️ 0 no SAST tool detected Pinned-Dependencies ⚠️ -1 no dependencies found Binary-Artifacts 🟢 9 binaries present in source code CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy 🟢 10 security policy file detected
composer/symfony/filesystem	8.0.1	🟢 4.2	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow ⚠️ -1 no workflows found Token-Permissions ⚠️ -1 No tokens found SAST ⚠️ 0 no SAST tool detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 Pinned-Dependencies ⚠️ -1 no dependencies found CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy 🟢 10 security policy file detected
composer/symfony/finder	8.0.0	🟢 4.3	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ -1 No tokens found Maintained 🟢 3 4 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3 Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 Pinned-Dependencies ⚠️ -1 no dependencies found SAST ⚠️ 0 no SAST tool detected Dangerous-Workflow ⚠️ -1 no workflows found CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches
composer/symfony/polyfill-php85	1.33.0	Unknown	Unknown
composer/symfony/process	8.0.0	🟢 4	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Maintained ⚠️ 1 2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1 Token-Permissions ⚠️ -1 No tokens found Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 Pinned-Dependencies ⚠️ -1 no dependencies found Dangerous-Workflow ⚠️ -1 no workflows found SAST ⚠️ 0 no SAST tool detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy 🟢 10 security policy file detected
composer/webmozart/assert	2.0.0	🟢 5.5	Details Check Score Reason Dangerous-Workflow ⚠️ -1 no workflows found Token-Permissions ⚠️ -1 No tokens found Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 3 Found 7/20 approved changesets -- score normalized to 3 Pinned-Dependencies ⚠️ -1 no dependencies found Maintained 🟢 10 30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• composer.lock