Bump psy/psysh from 0.12.9 to 0.12.15 in /plib/library

[dependabot]

Bumps psy/psysh from 0.12.9 to 0.12.15.

Release notes

Sourced from psy/psysh's releases.

PsySH v0.12.15

Abbreviated output reverted

The abbreviated return value output introduced in v0.12.13 has been reverted. This feature attempted to show shorter output for statements that looked like they were trying to take an action (like assignments and method calls with side effects) while preserving full output for inspection-like statements. Unfortunately, this version of the feature just ... wasn't it.

Thanks to everyone who provided feedback. If you've got thoughts on approaches that could make this better, please share them in #512!

In-shell manual updates

You can now update the PHP manual directly from inside the shell! Run doc --update-manual to fetch the latest manual version.

More robust manual handling

• Log a warning (and continue) when trying to read from an invalid manual file
• Show invalid manual info in --info and \Psy\info()
• Prompt to clean up invalid manual files when running --update-manual
• Prompt to upgrade to v3 manual (preserving language selection!) when running --update-manual with an existing sqlite manual
• Preserve legacy manuals when updating to v3, supporting systems with multiple PsySH versions installed

Bug fixes

• Fix namespace and use statement edge cases where aliases weren't properly tracked across REPL inputs
• Fix history command filtering and --head/--tail interaction to apply filters first
• Fix E_STRICT warning in PHP 8.4
• Fix ParseCommand parsing (you had one job ಠ_ಠ)

Other improvements

• Add a hint about doc foo when help foo doesn't match a known command
• Don't call deprecated curl_close() on PHP >= 8.0.0 (thanks @​mpesari!)
• Lock phar build dependencies for reproducible builds
• Improve PHP 8.5 support
• Improve test coverage

PsySH v0.12.14

Logging support

Log user input, command invocations, and executed code to a PSR-3 logger or callback.

// Simple callback
$config->setLogging(function ($kind, $data) {
    file_put_contents('/tmp/psysh.log', "[$kind] $data\n", FILE_APPEND);
});
// PSR-3 logger with granular control
$config->setLogging([
'logger' => $psrLogger,
'level' => [
'input'   => 'info',
</tr></table>

... (truncated)

Commits

• 38953bc Merge branch 'release/0.12.15'
• fa6c7a7 Bump to v0.12.15
• f53e6dc Remove unused use
• 0d463ef Revert "Print shorter return values for actions than inspection."
• 9a5877e Add updater tests
• de82e60 Add tests for base command
• f29a2e0 Bump shivammathur/setup-php from 2.35.5 to 2.36.0
• cdd9599 Add tests for V2Manual.
• 6d97e20 Fix theme tests on --prefer-lowest tests
• 1307edd Add Theme test
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Note

Updates composer.lock to newer versions of psy/psysh, nikic/php-parser, and multiple Symfony components (Console 7.4, String 8.0, Var-Dumper 7.4), plus polyfills and contracts.

• Dependencies (composer.lock):
  • Upgrade psy/psysh v0.12.9 -> v0.12.15 (adds optional composer/class-map-generator).
  • Upgrade nikic/php-parser v5.5.0 -> v5.6.2.
  • Upgrade Symfony components:
    • symfony/console v7.3.0 -> v7.4.0 (widens deps to symfony/string ^7.2|^8.0).
    • symfony/string v7.3.0 -> v8.0.0 (requires PHP >= 8.4; updates polyfill constraints and dev deps).
    • symfony/var-dumper v7.3.0 -> v7.4.0 (updates dev constraints to include ^8.0 peers).
  • Upgrade Symfony polyfills: polyfill-ctype, polyfill-intl-grapheme, polyfill-intl-normalizer, polyfill-mbstring to v1.33.0.
  • Upgrade symfony/service-contracts v3.6.0 -> v3.6.1.
  • Misc metadata updates (sources, references, timestamps).

^{Written by Cursor Bugbot for commit a151082. This will update automatically on new commits. Configure here.}

[secure-code-warrior-for-github]

Micro-Learning Topic: SQL injection (Detected by phrase)

Matched on "sqli"

What is this? (2min video)

This is probably one of the two most exploited vulnerabilities in web applications and has led to a number of high profile company breaches. It occurs when an application fails to sanitize or validate input before using it to dynamically construct a statement. An attacker that exploits this vulnerability will be able to gain access to the underlying database and view or modify data without permission.

Try a challenge in Secure Code Warrior

Helpful references

• PHP SQL Injection Page - A detailed page on SQL injection in the online PHP manual.
• OWASP SQL Injection Prevention Cheat Sheet - This article is focused on providing clear, simple, actionable guidance for preventing SQL Injection flaws in your applications.
• OWASP SQL Injection - OWASP community page with comprehensive information about SQL injection, and links to various OWASP resources to help detect or prevent it.
• OWASP Query Parameterization Cheat Sheet - A derivative work of the OWASP SQL Injection Prevention Cheat Sheet focused on SQL query parameterization.
• Preventing SQL Injection Attacks With Python - A tutorial on crafting parameterized queries, SQL composition and safe query execution in Python.

[cursor]

Bug: Transitive dependency requires PHP 8.4 breaking compatibility

The psy/psysh update pulls in symfony/string v8.0.0 as a transitive dependency, which raises the minimum PHP version from 8.2 to 8.4. The project's main dependency guzzlehttp/guzzle supports PHP 7.2.5+, suggesting the project was designed for older PHP versions. This hidden major version bump could break deployments on PHP 8.2 or 8.3 environments that previously worked.

Additional Locations (1)

• plib/library/composer.lock#L3450-L3451

 

[dependabot]

Superseded by #161.