Update dev dependencies for PHP 8.5 #47

Merged: ChiragAgg5k merged 1 commit into main from fix/phpunit-cve-2026-24765 (May 19, 2026)
Conversation

@ChiragAgg5k
Member

Summary

  • Update PHPUnit from 12.4.x to 12.5.x, resolving GHSA-vvj3-c3rp-c85p / CVE-2026-24765 from Dependabot alert #1.
  • Refresh PHPUnit-related lockfile packages to patched compatible versions.
  • Update Laravel Pint from 1.25.x to 1.29.x to remove PHP 8.5 deprecation output during formatting checks.

Verification

  • composer audit
  • composer format:check
  • composer analyze -- --memory-limit=512M
  • composer test

@greptile-apps

greptile-apps Bot commented May 19, 2026

Greptile Summary

This PR updates two dev-only dependencies — phpunit/phpunit from 12.4.* to 12.5.* (patching CVE-2026-24765 / GHSA-vvj3-c3rp-c85p) and laravel/pint from 1.25.* to 1.29.* (eliminating PHP 8.5 deprecation noise) — with the lockfile regenerated accordingly.

  • phpunit/phpunit jumps to 12.5.25, pulling in updated transitive packages (php-code-coverage 12.5.6, php-file-iterator 6.0.1, several sebastian/* libraries) and one new transitive dependency sebastian/recursion-context ^7.0.1.
  • laravel/pint moves to v1.29.1, updating its own dev sub-tree (including a switch to Laravel Zero Framework v12, Pest v3, and a new shipfastlabs/agent-detector dev dependency). None of these affect the production package graph.

Confidence Score: 5/5

All changes are confined to require-dev; the production package graph is untouched.

Both bumped packages are dev-only tools. The lockfile is consistent with the version constraints declared in composer.json, and the CVE addressed by the PHPUnit upgrade is in the test runner itself, not in any code shipped to users.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| composer.json | Bumps phpunit/phpunit from 12.4.* to 12.5.* and laravel/pint from 1.25.* to 1.29.* — both are dev-only dependencies with no production impact. |
| composer.lock | Lockfile regenerated to reflect the new versions: PHPUnit 12.4.5→12.5.25, Pint v1.25.1→v1.29.1, and transitive updates to php-code-coverage, php-file-iterator, sebastian/* sub-packages. A new transitive dependency sebastian/recursion-context is introduced by PHPUnit 12.5.x. |

Reviews (1): Last reviewed commit: "Update dev dependencies for PHP 8.5"
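
Added example, not part of the PR or of either comment: a Python check of the review's claim that the changes are confined to require-dev, done by diffing two composer.lock files by section (`packages` vs `packages-dev`). The lock dictionaries are constructed; only the phpunit and pint versions come from this PR, and `example/runtime-lib` and all function names are hypothetical.

```python
import json
import sys

# Constructed sample data in composer.lock shape. Only the phpunit and pint
# versions are taken from the PR; "example/runtime-lib" is hypothetical.
OLD_LOCK = {
    "packages": [{"name": "example/runtime-lib", "version": "1.0.0"}],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "12.4.5"},
        {"name": "laravel/pint", "version": "v1.25.1"},
    ],
}
NEW_LOCK = {
    "packages": [{"name": "example/runtime-lib", "version": "1.0.0"}],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "12.5.25"},
        {"name": "laravel/pint", "version": "v1.29.1"},
    ],
}
# Constructed failure case: a dev tool ends up in the production section.
PROMOTED_LOCK = {
    "packages": NEW_LOCK["packages"] + [{"name": "phpunit/phpunit", "version": "12.5.25"}],
    "packages-dev": [{"name": "laravel/pint", "version": "v1.29.1"}],
}

def _index(lock):
    """Map package name -> (section, version) across both lockfile sections."""
    return {pkg["name"]: (section, pkg["version"])
            for section in ("packages", "packages-dev")
            for pkg in lock.get(section) or []}

def diff_locks(old_lock, new_lock):
    """List (name, before, after) for packages added, removed, moved or re-versioned."""
    old, new = _index(old_lock), _index(new_lock)
    return [(name, old.get(name), new.get(name))
            for name in sorted(old.keys() | new.keys())
            if old.get(name) != new.get(name)]

def production_changes(old_lock, new_lock):
    """Keep only changes where the old or new entry sits in the production section."""
    return [c for c in diff_locks(old_lock, new_lock)
            if any(side and side[0] == "packages" for side in c[1:])]

if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python lockdiff.py old/composer.lock new/composer.lock
    old, new = (json.load(open(path)) for path in sys.argv[1:3])
    hits = production_changes(old, new)
    print(hits or "no production package changes")
    sys.exit(1 if hits else 0)
```
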

@ChiragAgg5k ChiragAgg5k merged commit 28fe759 into main May 19, 2026
5 checks passed
@ChiragAgg5k ChiragAgg5k deleted the fix/phpunit-cve-2026-24765 branch May 19, 2026 14:44