chore(deps): update dependency vimeo/psalm to v7 (main)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
vimeo/psalm	^6.16.1 → ^7.0.0-beta19

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

vimeo/psalm (vimeo/psalm)

v7.0.0-beta19

Compare Source

What's Changed

Fixes

• Final improvements for reduced scanning by @​danog in #​11809
• Allow enums to have impure methods by @​danog
• Switch void/never params to use ParadoxicalCondition issue by @​danog

Full Changelog: vimeo/psalm@7.0.0-beta18...7.0.0-beta19

v7.0.0-beta18

Compare Source

What's Changed

Features

• Introduce psalm plugin API by @​danog in #​11739
• Defer project/extra file list initialization, disable it for single-file scans by @​danog in #​11804
• [7.x] Allow plugin issues to specify custom documentation URLs by @​alies-dev in #​11735
• [7.x] Rename compact output format to table, add new truly compact format by @​alies-dev in #​11750
• [7.x] Add TaintedLlmPrompt issue type for prompt injection detection by @​alies-dev in #​11746

Fixes

• [7.x] Add missing ImpureGlobalVariable to error levels doc by @​alies-dev in #​11737
• Mutability inference fixes by @​danog in #​11734
• [7.x] Support parenthesized union types in @​method parameter annotations by @​alies-dev in #​11733
• [7.x] Respect ERROR_LEVEL for plugin-defined issues by @​alies-dev in #​11736
• Fix --show-snippet option silently consuming next CLI argument by @​alies-dev in #​11684
• Explicitly disable JIT by default by @​danog in #​11745
• [6.x] Fix InterfaceAnalyzer crash when storage is overwritten by reflection by @​alies-dev in #​11760
• [6.x] Use macOS bundle ID for PhpStorm (support JetBrains Tool installed apps), respect PHPSTORM env var on Darwin by @​alies-dev in #​11801

Docs

• [7.x] Improve error levels documentation presentation by @​alies-dev in #​11759

Internal changes

• Forward context by @​danog in #​11738
• Refactor methodexists by @​danog in #​11744

Other changes

• Fix repo link by @​maximal in #​11782

Full Changelog: vimeo/psalm@7.0.0-beta17...7.0.0-beta18

v7.0.0-beta17

Compare Source

What's Changed

Features

• Add stub for memcached by @​ADmad in #​11717

Fixes

• Fix duplicate error for abstract methods in traits if the issue is due to the implementer by @​kkmuffme in #​11695
• Report regular issue instead of throw/crash by @​kkmuffme in #​11693
• Add PHP 8.5 (and 8.4) handling where it wasn't added yet by @​kkmuffme in #​11697
• curl_share_init_persistent requires non-empty array otherwise throws by @​kkmuffme in #​11701
• Add max_depth option to unserialize() callmap type by @​eyupcanakman in #​11702
• Add TDate template parameter to DatePeriod stubs by @​alies-dev in #​11728
• Fix false InvalidArgument for sprintf precision placeholders by @​eyupcanakman in #​11729

Internal changes

• Disable JIT by default, make it opt-in via --force-jit by @​alies-dev in #​11682
• Regenerate callmaps to include new ext-mongodb 2.2 API by @​alcaeus in #​11720
• Bump docker/setup-buildx-action from 3 to 4 by @​dependabot[bot] in #​11719
• Pass a context wherever possible by @​danog in #​11725

New Contributors

• @​eyupcanakman made their first contribution in #​11702
• @​Copilot made their first contribution in #​11726

Full Changelog: vimeo/psalm@7.0.0-beta16...7.0.0-beta17

v7.0.0-beta16

Compare Source

This release allows using @psalm-pure on classes, which will mark all methods as pure, and ban property declarations.

What's Changed

Features

• Allow @​psalm-pure on classes by @​danog in #​11676

Fixes

• Improve class mutability inference by @​danog in #​11675

Full Changelog: vimeo/psalm@7.0.0-beta15...7.0.0-beta16

v7.0.0-beta15

Compare Source

This release features a major refactoring of Psalm's mutability inference system.

This release will likely be followed by a stable release.

The new automated mutability (pure, mutation free, externally mutation free, impure) attribute fixes that will be proposed by Psalm, when applied, will improve Psalm's type inference and especially security analysis, as pure functions are automatically specialized by Psalm, killing false positives during security analysis.

Now, Psalm will always analyze and emit MissingPureAnnotation and MissingImmutableAnnotation issues for all functions, methods and classes that can be marked with one of the following attributes (which can be automatically added by running Psalm with --alter --issues=MissingPureAnnotation,MissingImmutableAnnotation).

For functions and methods, MissingPureAnnotation will be emitted, automatically adding the following annotations:

• @psalm-pure » - Indicates that the function or method is pure, one whose output is just a function of its input (no mutations or even read property accesses allowed).
• @psalm-mutation-free » - Used to annotate a class method that does not mutate state, either internally or externally of the class's scope (only internal property reads on $this are allowed for methods)
• @psalm-external-mutation-free » - Used to annotate a class method that does not mutate state externally of the class's scope (internal property reads and writes on $this and self are allowed for methods)
• @psalm-impure » - A new annotation, equivalent to the default mutability level of functions and methods (all mutations allowed): Psalm will require the explicit annotation of only abstract methods with this or any of the above annotations through a separate, non-autofixable MissingAbstractPureAnnotation issue, to improve mutability inference for implementors of an interface (though it can be used on all functions and methods as well).

For classes, MissingImmutableAnnotation will be emitted, automatically adding the following annotations:

• @psalm-immutable » - Used to annotate a class where every property is treated by consumers as @psalm-readonly and every instance method is treated as @psalm-mutation-free.
• @psalm-external-mutation-free » - Used to annotate a class where every instance method is treated as @psalm-external-mutation-free.
• @psalm-mutable » - A new annotation, used to annotate a class where at least one property is mutable: this is the default behavior, but it can be explicitly marked for clarity: Psalm will require the explicit annotation of only interfaces with this or any of the above annotations through a separate, non-autofixable MissingInterfaceImmutableAnnotation issue, to improve mutability inference for implementors of an interface (though it can be used on all classes and interfaces as well).

New types

For situations where the callable or Closure needs to be pure, mutation-free or externally mutation-free, the following subtypes are available:

• Pure (no mutations or even read property accesses allowed), equivalent to marking functions or methods with @psalm-pure
  • pure-callable
  • pure-Closure
• Mutation-free (only internal property reads on $this are allowed for methods), equivalent to marking functions or methods with @psalm-mutation-free
  • self-accessing-callable
  • self-accessing-Closure
• Externally mutation-free (internal property reads and writes on $this and self are allowed for methods), equivalent to marking functions or methods with @psalm-external-mutation-free
  • self-mutating-callable
  • self-mutating-Closure
• Impure (the default behavior, all mutations allowed); functions or methods can also be explicitly marked as impure with @psalm-impure
  • impure-callable (an alias to callable)
  • impure-Closure (an alias to Closure)

This can be useful when the callable is used in a function marked with @psalm-pure or @psalm-mutation-free or @psalm-external-mutation-free.

What's Changed

Features

• Mutation refactoring, always emit MissingPureAnnotation and MissingImmutableAnnotation issues by @​danog in #​11630
• Global variables are impure like static variables by @​kkmuffme in #​11659

Fixes

• Skip virtual nodes during manipulation by @​danog in #​11632

Full Changelog: vimeo/psalm@6.15.1...7.0.0-beta15

v7.0.0-beta14

Compare Source

What's Changed

Features

• More detailed progress for taint graph resolution by @​danog in #​11349
• Huge performance improvements for taint analysis by @​danog in #​11342
• Show progress when merging thread results by @​danog in #​11374
• Combined analysis by @​danog in #​11384
• Always run taint analysis by default by @​danog in #​11399

Fixes

• Fix assertions with empty lists by @​danog in #​11312
• Allow concatenation between (string|int) and similar types by @​haas-dtv in #​11364
• Fix conditional taints by @​danog in #​11628

Docs

• Update configuration.md: Adding --config= cli parameter by @​ThomasLandauer in #​11332

Other changes

• Tweak concurrency by @​danog in #​11361
• Fix paratest runs with default PHP unlike all other scripts by @​kkmuffme in #​11441

Full Changelog: vimeo/psalm@6.14.3...7.0.0-beta14

v7.0.0-beta13

Compare Source

What's Changed

Features

• Do not ignore null array offsets within isset by @​danog in #​11608

Full Changelog: vimeo/psalm@7.0.0-beta12...7.0.0-beta13

v7.0.0-beta12

Compare Source

What's Changed

Features

• Add PHP 8.5 support by @​MarjovanLier in #​11604
• Add PHP 8.5 support by @​danog

Fixes

• Replace unix clear command with ANSI escape codes to clear the screen by @​HenkPoley in #​11528

Internal changes

• Improve performance by avoiding repeated scanning of files included/required only once by @​mmcev106 in #​11478

Other changes

• feat(language server): add --on-open-debounce-ms by @​kk-daniel in #​11550
• fix(language server): fix --on-change-debounce-ms by @​kk-daniel in #​11549
• Replace deprecated __sleep method with __serialize by @​theodorejb in #​11563
• Fix the opcache status retrieval if restricted paths are set. by @​dmvrtx in #​11556
• Bump actions/checkout from 4 to 5 by @​dependabot[bot] in #​11539
• fix: deprecations for PHP 8.5 by @​jorgsowa in #​11541
• ci: add nikic/php-parser deprecations to Psalm baseline by @​jorgsowa in #​11596
• fix: deprecated null offset by @​jorgsowa in #​11599
• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in #​11593

New Contributors

• @​dmvrtx made their first contribution in #​11556
• @​MarjovanLier made their first contribution in #​11604

Full Changelog: vimeo/psalm@7.0.0-beta11...7.0.0-beta12

v7.0.0-beta11

Compare Source

What's Changed

Features

• ✨ Full support for iterables for iterator_to_array by @​andrew-demb in #​11430
• Add an arrayCache configuration key that can be used to disable the newly introduced array cache: this will slightly slow down execution times while reducing RAM usage, avoiding OOM issues on bigger codebases by @​danog

Full Changelog: vimeo/psalm@7.0.0-beta10...7.0.0-beta11

v7.0.0-beta10

Compare Source

What's Changed

Fixes

• Fix false negatives with mixed in templated value-of/key-of by @​danog in #​11499
• Avoid tainting problems with first-class callables by @​danog

Full Changelog: vimeo/psalm@7.0.0-beta9...7.0.0-beta10

v7.0.0-beta9

Compare Source

Fixes:

• Normalize order of taint flow graph issues

Full Changelog: vimeo/psalm@7.0.0-beta8...7.0.0-beta9

v7.0.0-beta8

Compare Source

This release syncs up the 7.x branch with the 6.x branch.

What's Changed

Features

• Add plugin hook to polyfill custom autoloaders by @​danog in #​11422
• Implement cache consolidation with --consolidate-cache flag by @​danog in #​11450
• Add ignoreIncludeSideEffects configuration key by @​danog in #​11451

Fixes

• Fix #​11420 by @​danog in #​11421
• Cache refactoring by @​danog in #​11415
• Fix crash on numeric annotation by @​VincentLanglet in #​11445
• Disable diffing if not in diff run by @​danog in #​11447
• Update stubs for ext-mongodb 2.0 by @​alcaeus in #​11453
• Update stubs for ext-mongodb 2.1 by @​alcaeus in #​11454

Docs

• [Doc] Clarify union vs. intersection for numeric supertype by @​kylekatarnls in #​11444

Other changes

• Fix paratest runs with default PHP unlike all other scripts by @​kkmuffme in #​11441

New Contributors

• @​kylekatarnls made their first contribution in #​11444

Full Changelog: vimeo/psalm@7.0.0-beta7...7.0.0-beta8

v7.0.0-beta7

Compare Source

What's Changed

Fixes

• Deprecate reflection's setAccessible on 8.1 by @​danog in #​11401
• InvalidNamedArgument "objectOrClass" for ReflectionClass constructor due to incorrect stub by @​savinmikhail in #​11407
• DateTimeImmutable::setTimestamp rename argument to $timestamp by @​savinmikhail in #​11409
• fix: alter of ClassMustBeFinal inserts final before attributes by @​Tofandel in #​11390
• Add fix for PropertyHooks by @​craig-mcmahon in #​11411
• Disable diff mode by @​danog in #​11416

Other changes

• Better types for mb_substitute_character by @​danog in #​11400

New Contributors

• @​savinmikhail made their first contribution in #​11407
• @​craig-mcmahon made their first contribution in #​11411

Full Changelog: vimeo/psalm@7.0.0-beta6...7.0.0-beta7

v7.0.0-beta6

Compare Source

What's Changed

Features

• Enable taint analysis by default.

Fixes

• Deprecate reflection's setAccessible on 8.1 by @​danog in #​11401

Other changes

• Better types for mb_substitute_character by @​danog in #​11400

Full Changelog: vimeo/psalm@7.0.0-beta5...7.0.0-beta6

v7.0.0-beta5: Combined analysis!

Compare Source

This beta release adds a major new feature to Psalm v7: combined analysis!

Combined analysis allows running normal analysis, security analysis and dead code analysis all at the same time, within a single run, greatly reducing overall runtimes!

Future beta releases will also enable taint analysis by default, given that now it can be run alongside normal analysis.

What's Changed

Features

• Combined analysis by @​danog in #​11384

Full Changelog: vimeo/psalm@7.0.0-beta4...7.0.0-beta5

v7.0.0-beta4

Compare Source

Join the new official Psalm news channel and the Psalm community!

The news channel will be used to share inside exclusive news about upcoming Psalm features (including property hook support, coming within the next few releases!), and the community group can be used to discuss and share the way you use Psalm!

What's Changed

Features

• Add forceJit and noCache configuration keys by @​danog in #​11380
• Add rank to SARIF report by @​danog in #​11383

Full Changelog: vimeo/psalm@7.0.0-beta3...7.0.0-beta4

v7.0.0-beta3

Compare Source

Add git and composer to the docker image by @​danog.

Full Changelog: vimeo/psalm@7.0.0-beta2...7.0.0-beta3

v7.0.0-beta2

Compare Source

What's Changed

Features

• Show progress when merging thread results by @​danog in #​11374

Fixes

• Fix some possible JIT crashes in official docker image by @​danog
• Improve stub generation by @​danog
• Hotfix #​11363 by @​danog in #​11366
• Allow concatenation between (string|int) and similar types by @​haas-dtv in #​11364
• Backport #​11364 to 6.x by @​haas-dtv in #​11369
• Merge multiple docblocks for statements by @​robchett in #​11371

Internal changes

• Bump docker image to 8.4.5 by @​danog in #​11367

Full Changelog: vimeo/psalm@7.0.0-beta1...7.0.0-beta2

v7.0.0-beta1: First Psalm v7 beta!

Compare Source

Announcing the first public beta of Psalm v7!

Psalm v7 brings huge performance improvements to security analysis, up to 10x thanks to a full refactoring of both the internal representation of taints, and optimization of the graph resolution logic.

It also brings performance improvements to dead code analysis, and fixes for list types.

Even more performance improvements and new features will be released soon!

What's Changed

Breaking changes

See here for the full list of breaking changes between v6 and v7.

Features

• Huge performance improvements for taint analysis by @​danog in #​11342
• More detailed progress for taint graph resolution and JIT compilation by @​danog in #​11349

Fixes

• Fix assertions with empty lists by @​danog in #​11312

Other changes

• Tweak concurrency by @​danog in #​11361

Full Changelog: vimeo/psalm@6.9.0...7.0.0-beta1

---

Configuration

📅 Schedule: (in timezone Europe/Berlin)

• Branch creation
  • "before 5am on tuesday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!