
Bump psy/psysh from 0.12.9 to 0.12.16 in /plib/library #161

Closed
dependabot[bot] wants to merge 1 commit into master from dependabot/composer/plib/library/psy/psysh-0.12.16


@dependabot dependabot bot commented on behalf of github Dec 8, 2025

Bumps psy/psysh from 0.12.9 to 0.12.16.

Release notes

Sourced from psy/psysh's releases.

PsySH v0.12.16

A quick release adding support for Symfony Console v7.4+ and v8.x.

PsySH v0.12.15

Abbreviated output reverted

The abbreviated return value output introduced in v0.12.13 has been reverted. This feature attempted to show shorter output for statements that looked like they were trying to take an action (like assignments and method calls with side effects) while preserving full output for inspection-like statements. Unfortunately, this version of the feature just ... wasn't it.

Thanks to everyone who provided feedback. If you've got thoughts on approaches that could make this better, please share them in #512!

In-shell manual updates

You can now update the PHP manual directly from inside the shell! Run doc --update-manual to fetch the latest manual version.

More robust manual handling

  • Log a warning (and continue) when trying to read from an invalid manual file
  • Show invalid manual info in --info and \Psy\info()
  • Prompt to clean up invalid manual files when running --update-manual
  • Prompt to upgrade to v3 manual (preserving language selection!) when running --update-manual with an existing sqlite manual
  • Preserve legacy manuals when updating to v3, supporting systems with multiple PsySH versions installed

Bug fixes

  • Fix namespace and use statement edge cases where aliases weren't properly tracked across REPL inputs
  • Fix history command filtering and --head/--tail interaction to apply filters first
  • Fix E_STRICT warning in PHP 8.4
  • Fix ParseCommand parsing (you had one job ಠ_ಠ)

Other improvements

  • Add a hint about doc foo when help foo doesn't match a known command
  • Don't call deprecated curl_close() on PHP >= 8.0.0 (thanks @mpesari!)
  • Lock phar build dependencies for reproducible builds
  • Improve PHP 8.5 support
  • Improve test coverage

PsySH v0.12.14

Logging support

Log user input, command invocations, and executed code to a PSR-3 logger or callback.

// Simple callback
$config->setLogging(function ($kind, $data) {
    file_put_contents('/tmp/psysh.log', "[$kind] $data\n", FILE_APPEND);
});
// PSR-3 logger with granular control
$config->setLogging([

... (truncated)

Commits
  • ee6d502 Merge branch 'release/0.12.16'
  • 13d4e37 Bump to v0.12.16
  • f17a026 Bump actions/checkout from 6.0.0 to 6.0.1
  • c2d6760 Maybe.
  • 6a2d8f0 Add support for Symfony Console 8.x
  • 2d86002 Bump box build deps.
  • 55a0ae9 Improve devex for bumping phar composer lockfile.
  • 2ce99b3 Ensure custom commands are correctly initialized in Symfony Console 7.4+
  • 38953bc Merge branch 'release/0.12.15'
  • fa6c7a7 Bump to v0.12.15
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Updates plib/library/composer.lock to upgrade psy/psysh and several transitive dependencies (Symfony components, PHP-Parser, polyfills), adding Symfony 8 compatibility and updated constraints.

  • Dependencies (plib/library/composer.lock):
    • psy/psysh v0.12.9 → v0.12.16 (adds Symfony Console v7.4+/v8 support).
    • Symfony:
      • symfony/console v7.3.0 → v7.4.1 (broadens compatibility to ^8.0).
      • symfony/var-dumper v7.3.0 → v7.4.0 (dev requirements include Symfony 8).
      • symfony/string v7.3.0 → v8.0.1 (requires PHP ≥8.4; updated polyfill constraints).
      • symfony/service-contracts v3.6.0 → v3.6.1.
    • nikic/php-parser v5.5.0 → v5.7.0.
    • Polyfills bumped to v1.33.0: symfony/polyfill-ctype, symfony/polyfill-intl-grapheme, symfony/polyfill-intl-normalizer, symfony/polyfill-mbstring.

Written by Cursor Bugbot for commit 3492bf1. This will update automatically on new commits.

Bumps [psy/psysh](https://github.com/bobthecow/psysh) from 0.12.9 to 0.12.16.
- [Release notes](https://github.com/bobthecow/psysh/releases)
- [Commits](bobthecow/psysh@v0.12.9...v0.12.16)

---
updated-dependencies:
- dependency-name: psy/psysh
  dependency-version: 0.12.16
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies and php labels Dec 8, 2025
@secure-code-warrior-for-github

Micro-Learning Topic: SQL injection (Detected by phrase)

Matched on "sqli"

This is probably one of the two most exploited vulnerabilities in web applications and has led to a number of high-profile company breaches. It occurs when an application fails to sanitize or validate input before using it to dynamically construct a statement. An attacker that exploits this vulnerability will be able to gain access to the underlying database and view or modify data without permission.

"symfony/polyfill-intl-grapheme": "~1.0",
"symfony/polyfill-intl-normalizer": "~1.0",
"symfony/polyfill-mbstring": "~1.0"
"php": ">=8.4",
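
Review bot: The "php": ">=8.4" requirement on the last line of this lock-file snippet ties installation to the PHP version of every environment that consumes this lock. If any of them runs an older PHP, set config.platform.php in composer.json to the lowest supported version and regenerate the lock, so Composer resolves a compatible release instead of this one.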

Bug: Dependency update breaks PHP 8.0-8.3 compatibility

The symfony/string package was updated to v8.0.1 which requires "php": ">=8.4". This creates an incompatibility because psy/psysh claims to support "php": "^8.0 || ^7.4" and other packages in the project support PHP 7.x and 8.0+. The lock file will fail to install on any system running PHP 8.3 or lower, breaking compatibility for the vast majority of PHP installations currently in use.
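
The incompatibility described in the comment above can be caught before merge by checking every locked package's `require.php` against the PHP versions the project targets. This is an added example, not code from this repository or from Composer; it handles only a subset of Composer's constraint syntax (`||`, comma or space AND, `^`, `~`, comparison operators), and the sample lock is constructed from the two constraints quoted on this page.

```python
import json
import re

OPS = r"(>=|<=|>|<|\^|~|=)"
TOP = (10**6, 0, 0)  # stand-in for "no upper bound"

def _ver(text):  # "8.4" -> (8, 4, 0); missing parts are padded with 0
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def _bounds(term):  # one constraint term -> (inclusive low, exclusive high)
    m = re.fullmatch(OPS + r"?v?(\d+(?:\.\d+){0,2})", term)
    if not m:
        raise ValueError(f"unsupported constraint term: {term!r}")
    op, num = m.groups()
    v = _ver(num)
    nxt = v[:2] + (v[2] + 1,)  # smallest version above v
    if op == "^":  # up to the next major (next minor when the major is 0)
        return v, ((v[0] + 1, 0, 0) if v[0] else (0, v[1] + 1, 0))
    if op == "~":  # ~8.1 -> <9.0.0, ~8.1.2 -> <8.2.0
        return v, ((v[0] + 1, 0, 0) if num.count(".") < 2 else (v[0], v[1] + 1, 0))
    if op in (">=", ">"):
        return (v if op == ">=" else nxt), TOP
    if op in ("<", "<="):
        return (0, 0, 0), (v if op == "<" else nxt)
    return v, nxt  # bare or "=" version: exact match

def satisfies(php, constraint):  # does PHP version `php` meet the constraint?
    v = _ver(php)
    for alt in re.split(r"\s*\|\|?\s*", constraint.strip()):  # OR branches
        alt = re.sub(OPS + r"\s+", r"\1", alt)  # ">= 8.4" -> ">=8.4"
        if all(lo <= v < hi for lo, hi in map(_bounds, re.split(r"[\s,]+", alt))):
            return True
    return False

def incompatible_packages(lock_text, php):  # locked packages that reject `php`
    lock = json.loads(lock_text)
    pkgs = lock.get("packages", []) + lock.get("packages-dev", [])
    return [(p["name"], p["version"], p["require"]["php"]) for p in pkgs
            if "php" in p.get("require", {}) and not satisfies(php, p["require"]["php"])]

# Constructed sample lock holding only the two constraints quoted on this page.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "psy/psysh", "version": "v0.12.16", "require": {"php": "^8.0 || ^7.4"}},
    {"name": "symfony/string", "version": "v8.0.1", "require": {"php": ">=8.4"}},
]})

if __name__ == "__main__":
    print(incompatible_packages(SAMPLE_LOCK, "8.3.0"))
```

Run against the real composer.lock once per PHP version in the CI matrix, and fail the job when the returned list is non-empty.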



dependabot bot commented on behalf of github Dec 15, 2025

Superseded by #169.

@dependabot dependabot bot closed this Dec 15, 2025
@dependabot dependabot bot deleted the dependabot/composer/plib/library/psy/psysh-0.12.16 branch December 15, 2025 16:02