chore(deps): Update Composer dependencies (security-patch) #448

Closed
nielsdrost7 wants to merge 1 commit into develop from automated/composer-update-36

Conversation

@nielsdrost7
Collaborator

@nielsdrost7 nielsdrost7 commented May 18, 2026

Composer Dependency Update

This PR updates Composer dependencies.

Update Type:
Triggered by: schedule

Updated Packages

## Direct Dependencies (from composer.json)

doctrine/dbal: 4.4.1 → 4.4.3
filament/actions: v5.0.0 → v5.6.3
filament/filament: v5.0.0 → v5.6.3
laravel/framework: v12.47.0 → v12.59.0
maatwebsite/excel: 3.1.67 → 3.1.69
nwidart/laravel-modules: v12.0.4 → v12.0.5
spatie/laravel-permission: 6.24.0 → 6.25.0
barryvdh/laravel-debugbar: v3.16.3 → v4.2.8
driftingly/rector-laravel: 2.1.9 → 2.3.0
larastan/larastan: v3.9.0 → v3.9.6
laravel/boost: v1.8.10 → v2.4.6
laravel/pail: v1.2.4 → v1.2.6
laravel/sail: v1.52.0 → v1.59.0
laravel/tinker: v2.11.0 → v3.0.2
nunomaduro/collision: v8.8.3 → v8.9.4
phpunit/phpunit: 11.5.48 → 11.5.55
rector/rector: 2.3.1 → 2.4.3

## Transient Dependencies (indirect)

blade-ui-kit/blade-heroicons: 2.6.0 → 2.7.0
blade-ui-kit/blade-icons: 1.8.0 → 1.10.0
brick/math: 0.14.1 → 0.14.8
chillerlan/php-settings-container: 3.2.1 → 3.3.0
danharrin/livewire-rate-limiting: v2.1.0 → v2.2.0
doctrine/deprecations: 1.1.5 → 1.1.6
filament/forms: v5.0.0 → v5.6.3
filament/infolists: v5.0.0 → v5.6.3
filament/notifications: v5.0.0 → v5.6.3
filament/query-builder: v5.0.0 → v5.6.3
filament/schemas: v5.0.0 → v5.6.3
filament/support: v5.0.0 → v5.6.3
filament/tables: v5.0.0 → v5.6.3
filament/widgets: v5.0.0 → v5.6.3
guzzlehttp/psr7: 2.8.0 → 2.9.0
kirschbaum-development/eloquent-power-joins: 4.2.11 → 4.3.1
laravel/prompts: v0.3.10 → v0.3.17
laravel/serializable-closure: v2.0.8 → v2.0.13
league/commonmark: 2.8.0 → 2.8.2
league/flysystem: 3.30.2 → 3.34.0
league/flysystem-local: 3.30.2 → 3.31.0
league/uri: 7.8.0 → 7.8.1
league/uri-components: 7.8.0 → 7.8.1
league/uri-interfaces: 7.8.0 → 7.8.1
livewire/livewire: v4.0.1 → v4.3.0
nesbot/carbon: 3.11.0 → 3.11.4
nette/php-generator: v4.2.0 → v4.2.2
nette/schema: v1.3.3 → v1.3.5
nette/utils: v4.1.1 → v4.1.4
nunomaduro/termwind: v2.3.3 → v2.4.0
phpoffice/phpspreadsheet: 1.30.2 → 1.30.4
ryangjchandler/blade-capture-directive: v1.1.0 → v1.1.1
spatie/laravel-package-tools: 1.92.7 → 1.93.0
spatie/shiki-php: 2.3.2 → 2.4.0
symfony/clock: v7.4.0 → v7.4.8
symfony/console: v7.4.3 → v7.4.11
symfony/css-selector: v7.4.0 → v7.4.9
symfony/deprecation-contracts: v3.6.0 → v3.7.0
symfony/error-handler: v7.4.0 → v7.4.8
symfony/event-dispatcher: v7.4.0 → v7.4.9
symfony/event-dispatcher-contracts: v3.6.0 → v3.7.0
symfony/finder: v7.4.3 → v7.4.8
symfony/html-sanitizer: v7.4.0 → v7.4.8
symfony/http-foundation: v7.4.3 → v7.4.8
symfony/http-kernel: v7.4.3 → v7.4.11
symfony/mailer: v7.4.3 → v7.4.8
symfony/mime: v7.4.0 → v7.4.9
symfony/polyfill-ctype: v1.33.0 → v1.37.0
symfony/polyfill-intl-grapheme: v1.33.0 → v1.37.0
symfony/polyfill-intl-idn: v1.33.0 → v1.37.0
symfony/polyfill-intl-normalizer: v1.33.0 → v1.37.0
symfony/polyfill-mbstring: v1.33.0 → v1.37.0
symfony/polyfill-php80: v1.33.0 → v1.37.0
symfony/polyfill-php83: v1.33.0 → v1.37.0
symfony/polyfill-php84: v1.33.0 → v1.37.0
symfony/polyfill-php85: v1.33.0 → v1.37.0
symfony/polyfill-uuid: v1.33.0 → v1.37.0
symfony/process: v7.4.3 → v7.4.11
symfony/routing: v7.4.3 → v7.4.9
symfony/service-contracts: v3.6.1 → v3.7.0
symfony/string: v7.4.0 → v7.4.11
symfony/translation: v7.4.3 → v7.4.10
symfony/translation-contracts: v3.6.1 → v3.7.0
symfony/uid: v7.4.0 → v7.4.9
symfony/var-dumper: v7.4.3 → v7.4.8
voku/portable-ascii: 2.0.3 → 2.1.1
iamcal/sql-parser: v0.6 → v0.7
laravel/mcp: v0.5.2 → v0.7.0
laravel/roster: v0.2.9 → v0.5.1
php-debugbar/php-debugbar: v2.2.6 → v3.7.6
php-debugbar/symfony-bridge: (new) → v1.1.0
phpstan/phpstan: 2.1.33 → 2.1.54
phpunit/php-file-iterator: 5.1.0 → 5.1.1
psy/psysh: v0.12.18 → v0.12.22
sebastian/comparator: 6.3.2 → 6.3.3
symfony/yaml: v7.4.1 → v7.4.11
webmozart/assert: 1.12.1 → 2.3.0
anourvalar/eloquent-serialize: 1.3.5 → (removed)

Checks Performed

  • Unit tests passed (commented out until further notice)
  • Static analysis completed (commented out until further notice)
  • Code formatting checked (commented out until further notice)

Security Audit

Security vulnerabilities detected. Please review audit-report.json.

Review Checklist

  • Review updated packages and their changelogs
  • Verify all tests pass
  • Check for breaking changes
  • Update documentation if needed
  • Test manually in development environment

This PR was automatically created by the Composer Update workflow.

Summary by CodeRabbit

  • Chores
    • Updated dependencies and development packages to latest versions
    • Refreshed security audit report with latest vulnerability assessments

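A reviewer reading this PR body learns only that the post-update audit still finds something, and composer.lock is filtered out of the bot's review, so the check that matters is whether each advisory's affected range still contains the version the PR now pins. The script below is an added example written for this review, not InvoicePlane code and not part of the Composer Update workflow: it parses a report in the shape `composer audit --format=json` emits (the field names advisoryId, cve, severity, affectedVersions and link are assumed from Composer's output rather than read from this PR's audit-report.json), matches it against the "pkg: old → new" lines of updated-packages.txt, and exits non-zero at a chosen severity. The sample advisories and package names are constructed and fictional.

```python
"""Gate an automated Composer bump on the post-update audit report.

Added example for this review, not InvoicePlane or Composer code. Report shape
assumed from `composer audit --format=json` (an "advisories" map keyed by
package; entries carry advisoryId, cve, severity, affectedVersions, link).
"""
import json
import re

_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    "=": lambda a, b: a == b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}
_CLAUSE = re.compile(r"^(>=|<=|==|!=|>|<|=)?\s*(\S+)$")
_UPDATE_LINE = re.compile(r"^\s*([\w.-]+/[\w.-]+):\s*(\S+)\s*(?:→|->)\s*(\S+)\s*$")
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_version(text):
    """'v5.6.3' -> (5, 6, 3, 0): drop a leading 'v' and any -stability or
    +build suffix, compare numeric components only."""
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0, 0])[:4])


def version_matches(version, constraint):
    """True if `version` is inside a range like '>=3.0.0,<3.5.0|>=4.0.0,<4.1.2'
    (clauses joined by ',' = AND and '|' or '||' = OR, which is what audit
    output uses). Caret, tilde and wildcard forms raise rather than mis-evaluate."""
    if not constraint.strip():
        raise ValueError("empty constraint")
    v = parse_version(version)
    for alternative in re.split(r"\|\|?", constraint):
        satisfied = True
        for clause in alternative.split(","):
            m = _CLAUSE.match(clause.strip())
            if not m or any(ch in clause for ch in "^~*"):
                raise ValueError(f"unsupported constraint clause: {clause!r}")
            if not _OPS[m.group(1) or "="](v, parse_version(m.group(2))):
                satisfied = False
                break
        if satisfied:
            return True
    return False


def parse_update_lines(text):
    """{package: (old, new)} from lines like 'league/commonmark: 2.8.0 → 2.8.2';
    the '(new)' and '(removed)' markers are kept verbatim."""
    updates = {}
    for line in text.splitlines():
        m = _UPDATE_LINE.match(line)
        if m:
            updates[m.group(1)] = (m.group(2), m.group(3))
    return updates


def gate_audit(audit_json, update_text, fail_at="high"):
    """Return (still_vulnerable, resolved, passes). Resolved only if the PR removes
    the package or pins it outside affectedVersions; untouched packages, missing
    ranges and unknown severities are conservatively treated as still open."""
    updates = parse_update_lines(update_text)
    still, resolved = [], []
    for package, entries in json.loads(audit_json).get("advisories", {}).items():
        pinned = updates.get(package, (None, None))[1]
        for adv in entries:
            affected = adv.get("affectedVersions") or ""
            finding = {"package": package, "pinned": pinned, "affected": affected,
                       "id": adv.get("advisoryId") or adv.get("cve") or "?",
                       "severity": (adv.get("severity") or "unknown").lower(),
                       "link": adv.get("link")}
            if pinned == "(removed)" or (pinned and affected and not version_matches(pinned, affected)):
                resolved.append(finding)
            else:
                still.append(finding)
    threshold = SEVERITY_RANK.get(fail_at, 3)
    passes = not any(SEVERITY_RANK.get(f["severity"], threshold) >= threshold for f in still)
    return still, resolved, passes


# Constructed sample input: fictional packages, not real advisories.
SAMPLE_AUDIT = json.dumps({"advisories": {
    "acme/markdown": [{"advisoryId": "EXAMPLE-1", "severity": "high",
                       "affectedVersions": ">=2.0.0,<2.8.1", "link": "https://example.invalid/1"}],
    "acme/spreadsheet": [{"advisoryId": "EXAMPLE-2", "severity": "critical",
                          "affectedVersions": ">=1.0.0,<1.31.0|>=2.0.0,<2.2.0",
                          "link": "https://example.invalid/2"}],
    "acme/legacy-helper": [{"advisoryId": "EXAMPLE-3", "severity": "medium",
                            "affectedVersions": "<1.0.0", "link": "https://example.invalid/3"}],
}})
SAMPLE_UPDATES = "acme/markdown: 2.8.0 → 2.8.2\nacme/spreadsheet: 1.30.2 → 1.30.4\nacme/other: v1.2.0 → v1.3.0\n"

if __name__ == "__main__":
    open_findings, fixed, passes = gate_audit(SAMPLE_AUDIT, SAMPLE_UPDATES)
    for f in open_findings:
        print(f"OPEN     {f['severity']:<8} {f['package']} pinned={f['pinned']} affected={f['affected']}")
    for f in fixed:
        print(f"resolved {f['severity']:<8} {f['package']} pinned={f['pinned']}")
    raise SystemExit(0 if passes else 1)
```

In a workflow step this would read the real audit-report.json and updated-packages.txt from the branch; the conservative defaults (untouched package, missing range, unknown severity all count as open) are deliberate, because a bump that leaves a critical advisory in range is exactly the case the PR template's "Security vulnerabilities detected" line hides.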

@coderabbitai

coderabbitai Bot commented May 18, 2026

📝 Walkthrough

This PR updates the Composer dependency manifest and security audit artifacts. A vulnerability audit report is populated with discovered advisories across multiple packages, and both direct and transient dependency versions are upgraded to newer releases.

Changes

Dependency Audit and Version Updates

Vulnerability audit discovery (audit-report.json):
Advisories field is populated with vulnerability entries per package, including severity levels, affected version ranges, CVE identifiers, and remediation links for Filament, League CommonMark, PHPOffice Spreadsheet, PHPUnit, Psy/PsySH, and Symfony Process.

Composer dependency version updates (updated-packages.txt):
Direct dependencies (Doctrine DBAL, Filament, Laravel, Excel, Modules, Permission, Debugbar, Rector, Larastan, PHPUnit, Collision) and transient dependencies (Blade UI kits, Livewire, Flysystem, Symfony subcomponents, PHPStan ecosystem) are upgraded; php-debugbar/symfony-bridge is added and anourvalar/eloquent-serialize is removed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Dependencies dance in perfect formation,
Advisories listed with precision,
Versions upgraded, vulnerabilities checked—
The composer conducts security's sweet selection!

🚥 Pre-merge checks: 5 passed
  • Description Check: Passed. Check skipped, CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title clearly and concisely describes the main change: updating Composer dependencies with a security-patch focus, which aligns with the primary content of the PR.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@updated-packages.txt`:
- Line 13: The dependency update from laravel/boost v1.8.10 to v2.4.6 is a major
upgrade with breaking changes: ensure the project meets the new minimums (PHP
8.2+, Laravel 11+), rename any references of the old CodeEnvironment symbol to
Agent (including classes, type hints and method names), update config/boost.php
by replacing the code_environment key with agents and adjust code that reads
that config (e.g., calls to config('boost.code_environment') ->
config('boost.agents')), and run php artisan boost:install to let the package
auto-migrate configuration and adopt the new opt-in command flags; consult
UPGRADE.md for any additional changes and update any uses of boost:install flags
to the new format.
- Line 10: The package upgrade from barryvdh/laravel-debugbar v3.16.3 to v4.2.8
is a package transfer with breaking changes; remove the old dev dependency and
install fruitcake/laravel-debugbar as instructed (run the equivalent of composer
remove for barryvdh/laravel-debugbar and composer require for
fruitcake/laravel-debugbar), then update all references and imports from
Barryvdh\Debugbar to Fruitcake\LaravelDebugbar, adjust configuration keys
(rename hiddens → masked and update query bindings handling), remove or replace
removed features/usages (socket storage, Lumen-specific code, PDO extension
usage, and any global helper calls), and follow the official upgrade guide to
update code paths and tests before deploying.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5d06e3f6-f30d-4858-93b3-edbc7adbeba2

📥 Commits

Reviewing files that changed from the base of the PR and between cc00605 and 0de18ef.

⛔ Files ignored due to path filters (1)
  • composer.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • audit-report.json
  • updated-packages.txt

Comment thread updated-packages.txt
maatwebsite/excel: 3.1.67 → 3.1.69
nwidart/laravel-modules: v12.0.4 → v12.0.5
spatie/laravel-permission: 6.24.0 → 6.25.0
barryvdh/laravel-debugbar: v3.16.3 → v4.2.8


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check for laravel-debugbar v4 breaking changes and changelog

echo "=== Checking for breaking changes in laravel-debugbar v4 ==="
rg -n "DebugBar|Barryvdh" --type php -C 2 -g '!vendor/**'

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 133


🌐 Web query:

barryvdh/laravel-debugbar version 4 breaking changes and migration guide

💡 Result:

Laravel Debugbar version 4.0.0 introduced significant changes, most notably the transfer of package ownership from barryvdh/laravel-debugbar to fruitcake/laravel-debugbar [1][2][3]. To migrate to version 4.x, you must perform a manual replacement of the package [2][3].

Migration Steps:
1. Remove the old package: composer remove barryvdh/laravel-debugbar --dev --no-scripts [1][2][3]
2. Install the new package: composer require fruitcake/laravel-debugbar --dev --with-dependencies [2][3]
3. Update Namespaces: All references to the old namespace (Barryvdh\Debugbar) must be updated to the new namespace: Fruitcake\LaravelDebugbar [2][3][4].

Key Breaking Changes:
  • Package Ownership: The package is now maintained under the fruitcake organization [1][2][3].
  • Removed Features: Support for Socket storage, Lumen framework, and PDO extension functionality has been removed [2][3][4].
  • Helper Methods: The helper methods start_measure, add_measure, stop_measure, and measure have been removed; you should use debugbar->startMeasure and related methods instead [4].
  • Configuration: Default configuration values have changed, and some options were removed [2][3]. It is recommended to publish the new configuration file and compare it with your existing settings [2][3].
  • Dependencies: The package now requires php-debugbar 3.x, which removes dependencies on jQuery and Font Awesome [4].
  • Internal Changes: The Query Collector now uses 'params' instead of 'bindings', and the 'hiddens' configuration option has been replaced by 'masked' [4].

For further details, consult the official upgrade guide at the fruitcake/laravel-debugbar repository [4][5].


Critical: Package transfer and breaking changes in laravel-debugbar v4 upgrade.

laravel-debugbar v3.16.3 → v4.2.8 is not a routine major version update—the package was transferred from barryvdh/laravel-debugbar to fruitcake/laravel-debugbar with extensive breaking changes:

  • All namespaces changed from Barryvdh\Debugbar to Fruitcake\LaravelDebugbar
  • Multiple features removed (Socket storage, Lumen support, PDO extension, global helper methods)
  • Configuration keys changed (hiddens → masked, query bindings handling changed)
  • Requires manual package replacement: composer remove barryvdh/laravel-debugbar --dev followed by composer require fruitcake/laravel-debugbar --dev

Review the official upgrade guide and test thoroughly before deploying.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@updated-packages.txt` at line 10, The package upgrade from
barryvdh/laravel-debugbar v3.16.3 to v4.2.8 is a package transfer with breaking
changes; remove the old dev dependency and install fruitcake/laravel-debugbar as
instructed (run the equivalent of composer remove for barryvdh/laravel-debugbar
and composer require for fruitcake/laravel-debugbar), then update all references
and imports from Barryvdh\Debugbar to Fruitcake\LaravelDebugbar, adjust
configuration keys (rename hiddens → masked and update query bindings handling),
remove or replace removed features/usages (socket storage, Lumen-specific code,
PDO extension usage, and any global helper calls), and follow the official
upgrade guide to update code paths and tests before deploying.

Comment thread updated-packages.txt
barryvdh/laravel-debugbar: v3.16.3 → v4.2.8
driftingly/rector-laravel: 2.1.9 → 2.3.0
larastan/larastan: v3.9.0 → v3.9.6
laravel/boost: v1.8.10 → v2.4.6


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

laravel/boost version 2.0 breaking changes and upgrade notes

💡 Result:

Laravel Boost v2.0 introduced significant architectural changes to support custom agents, improved configuration, and better extensibility. Below is a summary of the breaking changes and upgrade requirements.

Upgrading to 2.x: If you are not using custom agents or overriding Boost internals, the upgrade process is straightforward:
1. Update your dependencies.
2. Run php artisan boost:install to automatically handle the migration of your Boost configuration and resources [1][2].

Key Breaking Changes:
  • Minimum Requirements: Boost 2.x requires PHP 8.2+ and Laravel 11.x+ [1][2].
  • Terminology Refactor: The term CodeEnvironment has been replaced with Agent throughout the codebase [1][3]:
    CodeEnvironment → Agent
    CodeEnvironmentsDetector → AgentsDetector
    registerCodeEnvironment() → registerAgent()
    getCodeEnvironments() → getAgents()
  • Configuration Path: The configuration key in config/boost.php has been renamed from code_environment to agents [1][2].
  • Command Signature: The boost:install command flags have shifted from negative opt-out to positive opt-in [1][2]:
    Old: php artisan boost:install {--ignore-guidelines} {--ignore-mcp}
    New: php artisan boost:install {--guidelines} {--skills} {--mcp}
  • Contract Renames: Several internal contracts were renamed for clarity [1][3]:
    Laravel\Boost\Contracts\Agent → Laravel\Boost\Contracts\SupportsGuidelines
    Laravel\Boost\Contracts\McpClient → Laravel\Boost\Contracts\SupportsMcp
    Laravel\Boost\Contracts\SupportSkills → Laravel\Boost\Contracts\SupportsSkills

Additional Structural Changes (v2.2.0): While not part of the initial 2.0 release, version 2.2.0 introduced a minor breaking change regarding how Inertia guidelines are organized [4][5]. The generic .ai/inertia-laravel/core.blade.php file was removed in favor of version-specific files (e.g., .ai/inertia-laravel/2/core.blade.php) to allow for better maintenance by package authors [4][5][6]. If you have custom overrides for these guidelines, you must update your file paths to match this new structure [4][7].


Review Laravel Boost v2.x breaking changes before upgrading.

laravel/boost v1.8.10 → v2.4.6 crosses a major version boundary with significant breaking changes. Key compatibility issues:

  • Minimum Requirements: Requires PHP 8.2+ and Laravel 11.x+
  • Terminology Refactor: CodeEnvironment → Agent (affects configuration keys and method names)
  • Configuration Changes: config/boost.php key renamed from code_environment to agents
  • Command Changes: boost:install flags shifted from opt-out to opt-in format

Run php artisan boost:install during migration to auto-migrate configuration. Refer to the UPGRADE.md documentation for complete migration requirements.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@updated-packages.txt` at line 13, The dependency update from laravel/boost
v1.8.10 to v2.4.6 is a major upgrade with breaking changes: ensure the project
meets the new minimums (PHP 8.2+, Laravel 11+), rename any references of the old
CodeEnvironment symbol to Agent (including classes, type hints and method
names), update config/boost.php by replacing the code_environment key with
agents and adjust code that reads that config (e.g., calls to
config('boost.code_environment') -> config('boost.agents')), and run php artisan
boost:install to let the package auto-migrate configuration and adopt the new
opt-in command flags; consult UPGRADE.md for any additional changes and update
any uses of boost:install flags to the new format.
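Both review comments above list renames and removals that a plain version bump will not surface until runtime: the Barryvdh\Debugbar namespace, the start_measure family of helpers and the hiddens config key on the debugbar side; the code_environment config key, the CodeEnvironment symbols and the old boost:install opt-out flags on the boost side. The script below is an added example for this review, not InvoicePlane, laravel-debugbar or laravel/boost code. It turns those notes into a pre-merge scan of a project tree (vendor/ skipped, so the old package's own sources do not count as hits) and performs the one step that is a safe mechanical rewrite, the namespace swap. The pattern list is assembled from the upgrade notes quoted above and the sample PHP files are constructed here.

```python
"""Scan a project tree for symbols the debugbar v4 and boost v2 upgrade notes
say were renamed or removed, and rewrite the one purely mechanical change
(the Barryvdh\\Debugbar namespace).

Added example for this review, not InvoicePlane, laravel-debugbar or boost
code. Patterns follow the upgrade notes quoted in the review thread; the
sample files are constructed.
"""
import os
import re
import tempfile

SKIP_DIRS = {"vendor", "node_modules", ".git", "storage"}

# (label, pattern); each pattern is one rename or removal from the upgrade notes.
LEGACY_PATTERNS = [
    ("debugbar namespace", re.compile(r"Barryvdh\\Debugbar")),
    ("debugbar removed helper",  # global helpers, not ->measure() / ::measure() methods
     re.compile(r"(?<![\w>:$])(start_measure|stop_measure|add_measure|measure)\s*\(")),
    ("debugbar config key", re.compile(r"['\"]hiddens['\"]\s*=>")),
    ("boost config key", re.compile(r"boost\.code_environment|['\"]code_environment['\"]\s*=>")),
    ("boost renamed symbol",
     re.compile(r"\bCodeEnvironments?(Detector)?\b|\b(register|get)CodeEnvironments?\(")),
    ("boost:install opt-out flag", re.compile(r"boost:install.*--ignore-(guidelines|mcp)")),
]


def scan_tree(root):
    """Return [(relative path, line number, label, line)] for every hit in
    .php files under root, skipping SKIP_DIRS."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in sorted(filenames):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for label, pattern in LEGACY_PATTERNS:
                        if pattern.search(line):
                            hits.append((os.path.relpath(path, root), lineno, label, line.rstrip("\n")))
    return hits


def rewrite_debugbar_namespace(source):
    """The mechanical part of the debugbar migration: swap the old namespace in
    use statements, FQCN strings and docblocks. Returns (new_source, count).
    Config keys and removed helpers still need a human."""
    return re.subn(r"Barryvdh\\Debugbar", r"Fruitcake\\LaravelDebugbar", source)


# Constructed sample project (not InvoicePlane's files).
SAMPLE_FILES = {
    "app/Providers/DebugServiceProvider.php": "\n".join([
        "<?php",
        "namespace App\\Providers;",
        "use Barryvdh\\Debugbar\\Facades\\Debugbar;",
        "class DebugServiceProvider {",
        "    public function boot(): void {",
        "        start_measure('boot', 'Booting');",
        "        Debugbar::info(config('boost.code_environment'));",
        "    }",
        "}",
    ]),
    "config/debugbar.php": "<?php\nreturn [\n    'hiddens' => ['password'],\n];\n",
    # vendor/ must be skipped: it is the old package itself.
    "vendor/barryvdh/laravel-debugbar/src/Facade.php": "<?php\nnamespace Barryvdh\\Debugbar;\n",
}


def run_demo():
    """Write the sample tree to a temp dir, scan it and return the hits."""
    root = tempfile.mkdtemp(prefix="legacy-scan-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return scan_tree(root)


if __name__ == "__main__":
    for path, lineno, label, line in run_demo():
        print(f"{path}:{lineno}: [{label}] {line.strip()}")
```

Run against the real checkout as `scan_tree(".")`; a non-empty result is the evidence that the bump is not safe to merge as-is, and the hit labels map one-to-one onto the manual steps in the two review comments. Only the namespace is rewritten automatically because it is the sole change whose new spelling is fixed by the upgrade notes; the hiddens → masked and bindings → params changes alter semantics and are left for the human following the upgrade guide.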

@nielsdrost7 nielsdrost7 deleted the automated/composer-update-36 branch May 25, 2026 14:46