chore(deps): update dependency vimeo/psalm to v3.18.2

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
vimeo/psalm	require-dev	minor	3.11.6 -> 3.18.2

---

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

---

Release Notes

vimeo/psalm

v3.18.2: Improve treatment of finally blocks

Compare Source

Last night's release added a regression in how variables set in try statements are treated, ticketed here: https://github.com/vimeo/psalm/issues/4368

v3.18.0: Bugfixes

Compare Source

Language server works again

This fixes an issue that prevented the language server from seeing recent changes to files (caused, almost inexplicably, by removing a @param docblock).

Other bugfixes

• Fix an issue with remapped template params (#​4326)
• Improve handling of try statements without catches (#​4333, #​4366)
• Deal with a few more combinatorial expansion issues gracefully (#​4347)
• Improve Psalter replacements (#​4350, #​4349)
• @​pascalheidmann fixed an error when creating a report in a non-existent directory (#​4353)
• Improve handling of assignments on the RHS of || if conditionals (#​4354)

v3.17.2: Fix two regressions

Compare Source

• Fix #​4327 - make sure loop always returns
• Fix #​4315 - prevent crash when setting unknown property in finally

v3.17.1: Fix preg_split

Compare Source

3.17.0 added a potentially-erroneous return type when a non-zero $flags param is passed to preg_split. This fixes things.

v3.17.0: A bunch of bugfixes

Compare Source

Features

• @​mr-feek added support for configurable universal objects (#​3948)
• Improved error messages and reporting for ParadoxicalCondition (example) – thanks to @​dkarlovi, @​jbafford and @​ro0NL for their input

Bugfixes

Fixed XML generation

3.16 broke XML output, this is now fixed (#​4252).

Other bugfixes

• @​DanielBadura added a stub for random_int, providing better inference (#​4199)
• Improved signatures for preg_match_all (#​4202) and @​orklah helped improve preg_split
• Treat func_num_args as pure (#​4215)
• Fix __invoke declaration crash (#​4210)
• Allow hinting arrow function return types (#​4209)
• Add checks for if ((bool) $foo) (#​4206)
• Fix crash with some class-string property assignments (#​4198)
• @​aheart fixed bugs with JUnit generation (#​4234)
• @​danog added a bunch of stubs for Spl* classes (#​4255)
• allowMissingFiles was fixed by @​ddeboer (#​4259)
• prevent crash after analysing file that defines a class twice (#​4264)
• prevent an infinite loop when analysing a closure unioned with invokable class (#​4266)
• @​marcosh added more stubs for array functions (#​4271)
• prevent crash when annotating the intersection of arrays (#​4287)
• Fix reported property id for multiple MissingConstructor issues on a single class (#​4297)
• Prevent crash when trying to negate a positive-numeric assertion (#​4306)
• Fix return types for a few callmap-provided functions (#​4309)
• Prevent a class name validation check on a string argument to a class-string|Foo union (#​4310)

Also thanks to @​orklah for many linting PRs, and to @​weirdan for very good triaging

v3.16: A smattering of things

Compare Source

Features

New PHPStorm-optimised output format

Added a phpstorm report format that displays errors in a manner that PHPStorm can parse more easily (#​4085) – thanks @​the-toster (with additional help from @​Rarst)

Detection of strpos issues

Psalm will now raise two separate issues for the following code:

function foo(string $s) : void {
  if (strpos(".", $s) !== -1) {}
}

The first, InvalidLiteralArgument, complains a string was passed where a variable was expected. The second complains that the output of strpos can never be negative.

Allow intersection of object-like arrays and regular arrays

Psalm now allows the docblock array{foo: string}&array<string, string>, understanding it to mean an array of strings with one explicit known key.

@​psalm-stub-override

Added support for @psalm-stub-override which only renders the stub valid if the given class already exists – thanks @​weirdan (#​4177)

@​psalm-suppress Issue1, Issue2

Added support for multiple suppressed issues on a given line – thanks @​weirdan (#​4179)

Bugfixes

Allow multiple issues of the same type at a single position

Psalm will now report multiple issues that map to the same code position (but whose message body is different). If you use the baseline, you might need to update it accordingly (#​4167)

Other bugfixes

• allow slashes in docblock tags (#​4112)
• ensure calling Closure::__invoke doesn't break when running Psalm in PHP 7.2.11 and below (#​4111)
• refine closure types more accurately according to a callable
• prevent crash when suppressing UndefinedTrait (#​4130)
• improve inference of preg_match_all $matches array value (#​4128)
• fix a crash when using a short closure without specifying the Closure type anywhere in the affected methods (#​4148)
• allow null checks on the output of Iterator::current (#​4146)
• Language Server @​matthijskooijman made a couple of improvements (#​4143)
• treat literal numeric strings as numeric always (#​4154)
• Taint analysis @​craigfrancis added additional mysql sinks (#​4155)
• Language Server @​ngyuki fixed a bug using the Phar (#​4174)
• Fix Psalm's assertion generation from count($arr) <= 1 (#​4169)
• @​ygottschalk improved Psalm's assertion generation from count calls further (#​4175)
• Improve error message (and location) for unused params once they've been written to (#​4127)
• prevent an empty docblock from suppressing missing property types (#​4178)
• properly detect yield expressions in function arguments (#​4122)
• improved Psalm's understanding of array_merge and array_filter functions

v3.15: Automatically add pure/immutable annotations

Compare Source

Features

This release brings a couple of features that are useful to fans of functional programming.

If you're unfamiliar with these concepts, or want to know how Psalm uses them, read this article first.

Automatic addition of @psalm-pure/@psalm-immutable annotations (#​4036):

Running vendor/bin/psalm --alter --issues=MissingPureAnnotation,MissingImmutableAnnotation will add those annotations to any function, method or class that deserves it.

So

function sayHello(string $s): string {
    return 'Hello ' . $s;
}

is transformed into

/**
 * @​psalm-pure
 */
function sayHello(string $s): string {
    return 'Hello ' . $s;
}

Note: running this command will not recursively add annotations, so if you have a chain of callers like

function one(string $s) { return two($s); }

function two(string $s) { return $s; }

running the command once will produce

function one(string $s) { return two($s); }

/**
 * @​psalm-pure
 */
function two(string $s) { return $s; }

and running it a second time will produce

/**
 * @​psalm-pure
 */
function one(string $s) { return two($s); }

/**
 * @​psalm-pure
 */
function two(string $s) { return $s; }

Pure callables and closures

Thanks to @​azjezz, Psalm now understands the annotation pure-callable, which allows you to guarantee the purity of a pure function that executes a callable.

Let's say we want to return the longest string in an array of strings ["a", "bbb", "cc"]. We could write that function pretty simply, but let's suppose we want to make it a bit more generic: given an array of items, and a callable that returns a score for the each entry, return the highest-scoring value.

We can define that function in PHP like

/**
 * @​psalm-param non-empty-array $values
 * @​psalm-pure
 */
function get_max(array $values, callable $score_func) {
    $max = reset($values);
    $max_num = null;
    foreach ($values as $value) {
        $value_num = $score_func($value);
        if (null === $max_num || $value_num >= $max_num) {
            $max = $value;
            $max_num = $value_num;
        }
    }

    return $max;
}

echo get_max(['a', 'bbb', 'cc'], 'strlen'); // outputs "bbb"

This function is only pure, though, if the callable that we're passing is pure.

With this latest version the full, pure type signature of the function can be written:

/**
 * @​template T
 * @&#8203;psalm-param non-empty-array<T> $values
 * @&#8203;psalm-param pure-callable(T):int $score_func
 * @&#8203;psalm-return T
 *
 * @&#8203;psalm-pure
 */
function get_max(array $values, callable $score_func) { ... }

Bugfixes

• preserve intersections when expanding templated types (#​4043)
• don't remove null types unnecessarily in mixed union, and refine iterable keys after is_array check (#​4038)
• assume most iterators are impure (#​4064)
• process indirect comparisons to null in assertions (#​4061)
• allow pure functions to return impure closures (#​4077)
• allow literal reconciliation against positive-int types (#​4081, #​4093)
• allow ParamNameMismatch to be suppressed locally (#​4012)
• fix parsing of union param types inside docblock @method annotations(#​4083)
• @​staabm added a slightly-improved return type for strpos that precludes negative numbers
• @​weirdan fixed #​3869 by creating a per-user cache directory
• MissingPropertyType can now be refined on a per-property basis (#​2200)
• @​lhchavez broadened the param type for strval to allow null

v3.14.2: Fix another regression

Compare Source

Bugfixes

• Fix exception when two mixins declare the same method (seen frequently on Laravel, thanks @​xyng) – #​4013
• Prevent mixed assignment in loop after positive check (#​4011)
• Allow @psalm-type to reference imported type right above (#​3999)
• Fixed some hash_* function signatures - thanks @​baukevdw (#​4014)
• Allow float defaults in namespaced class @method docblock annotations (#​4017)
• Taint analysis - added sinks for pgsql functions - thanks @​TysonAndre (#​4021)
• Resolve type aliases in foreach docblock annotations - thanks @​weirdan (#​4029)
• Don’t hang when pcntl_fork is disabled - thanks @​weirdan (#​3951)
• Add config option to discover unused @psalm-suppress on every run – thanks @​micheh (#​3011)

v3.14.1: Fix regression

Compare Source

Fixes a crash with this code:

/**
  * @&#8203;param array<int, int> $arr
 */
 function foo(array $arr) : void {
    for ($i = 20; $arr[$i] === 5 && $i > 0; $i--) {}
}

v3.14.0: Flag named argument discrepancies

Compare Source

Features

Named argument checks with ParamNameMismatch

For more information, see this article.

Preventing unsafe instantiation

Psalm now warns you when calling new $foo() where $foo() is a class that can be extended and where the constructor is not declared final, or new static where the constructor is not declared final (#​3934).

For more information, see the issue page

Other features

• @​mr-feek added support for supplying memory limit with a --memory-limit flag (#​3947)

Bugfixes

• fix a few false-positives around positive-int types (#​3914)
• expand scalar-class-constant types in a few more places (#​3913, #​3741)
• @​NicolasCARPi improved the signature for hash_file() (#​3920)
• honour arrays with class-string keys when appending literal classes (#​3923)
• @​SignpostMarv marked bscale as impure (ref #​3918)
• preserve list-ness when assigning to a tuple inside a loop (#​3928)
• fix regression with array_shift (#​3941)
• @​jarstelfox fixed the casing checker to ignore callStatic (#​3939)
• @​xyng added support for multiple mixins (#​3772)
• improved Psalm's recovery when it encounters complex boolean logic (#​3932, #​3954)
• @​ygottschalk improved reset's return type
• @​sasezaki fixed the treatment of generators when an explicit send type is provided (#​3966)
• Language Server @​ngyuki fixed file path handling on windows (#​3984)
• Use unused code config settings when running language server (#​3987)
• Prevent an incorrect intersection of union types with usort (#​3964)
• Prevent crash with bad imported type reference (#​3927)
• @​weirdan improved handling of @psalm-import-type errors (#​3997)
• comparisons between classes and interfaces are now allowed (#​3917)

v3.13.1: Minor bugfixes

Compare Source

• fixes a possible crash when recursing through template params (#​3912)
• improves the return type for fgetcsv (now more lenient)

v3.13.0: Allow MissingPropertyType to be fixed automatically

Compare Source

Features

MissingPropertyType fixer

Running vendor/bin/psalm --alter --issues=MissingPropertyType (when using PHP 7.4) on

<?php
class A {
    public $string_or_int;
    public $only_string;
    public $conditionally_set_string;

    public function __construct()
    {
        if (rand(0, 1)) {
            $this->string_or_int = 5;
        } else {
            $this->string_or_int = "hello";
            $this->conditionally_set_string = "goodbye";
        }

        $this->only_string = "bar";
    }
}

gives

<?php
class A {
    /**
     * @&#8203;var string|int
     */
    public $string_or_int;

    public string $only_string;

    /**
     * @&#8203;var null|string
     */
    public $conditionally_set_string;

    public function __construct()
    {
        if (rand(0, 1)) {
            $this->string_or_int = 5;
        } else {
            $this->string_or_int = "hello";
            $this->conditionally_set_string = "goodbye";
        }

        $this->only_string = "baz";
    }
}

This fix has full compatibility with previous versions of PHP, too.

=== true detection

@​greg0ire added support such that Psalm will warn you when comparing $some_bool === true where $some_bool would have sufficed.

This option is hidden behind the strictBinaryOperands config flag.

positive-int

Psalm has a new type, positive-int, for situations where you want the typechecker to guarantee that an integer is positive.

Other features

• @​TysonAndre added support for generating multiple reports from a single Psalm run (#​3776, #​3777)
• Language Server: @​joehoyle added jump-to-definition for use statements (#​3805)
• @​ntzm added support for disabling the analysis of phpStormMeta files (#​3833)
• @​bdsl improved the handling of @internal, hopefully clarifying its usage (#​3841)
• Psalm now detects impossible substr comparisons based on string length (#​3877)
• @var docblock annotations are now supported in many more places (#​1916)

Bugfixes

• fix resolution of @template T as self inside traits (#​3753)
• prevent a crash when a class being thrown is not found (#​3755)
• array_map should remember how an array was created (#​3764)
• @​joehoyle improved performance when scanning large stub files (#​3781)
• Language Server: @​joehoyle fixed the offset calculation in getReferenceAtPosition (#​3783)
• allow removing false and null from a templated var (#​3790)
• @​erunion added support for always running taint analysis via the config (#​3800)
• allow analysis of $i++ inside an isset check (#​3802)
• prevent a large number of chained assignments crashing Psalm (#​3797)
• Language Server: @​joehoyle fixed jump-to-definition for nullable function param types (#​3804)
• Language Server: @​joehoyle fixed jump-to-definition for return types where the docblock type is invalid (#​3806)
• @​weirdan improved Psalm's support for custom autoloader logic (#​3183)
• allow more complex negations from custom assertions (#​3811)
• allow detection of paradoxes when switching on the result of a function call (#​3808)
• @​EvgeniiR improved support for array_column such that it can understand emptiness (#​3813)
• @​TysonAndre added more impure function references (#​3814)
• improved a bunch of things around how getters are treated (#​3820, #​3825 and more)
• @​ntzm made the *getcsv return types more specific (#​3832)
• @​adrienlucas added taint tracking through strval and sprintf
• @​ygottschalk improved handling of key, array_key_first and array_key_last (#​3838)
• @​EvgeniiR fixed an erroneous UndefinedClass issue that could crop up with params of type array|callable (#​3842)
• @​gharlan added support for assignments to immutable classes in __unserialize (#​3845)
• improve support for falsy assertions (#​3858)
• allow magic properties to be reconciled just like regular properties (#​3857)
• detect mutations due to property assignments in mutation-free methods (#​3870)
• prevent a crash when comparing an object with properties to a missing class (#​3882)
• don't alter a class-string type when doing an empty check (#​3894)
• support turning methods final via trait aliasing (#​3897)
• allow templated types to be refined via instanceof (#​3907)

v3.12.2

Compare Source

Taint analysis bugfixes & features

• allow taints to flow when no return type is given (#​3652)
• taint encapsulated strings based on their contents (#​3655)
• @​TysonAndre added print, unserialize, create_function and more as sinks
• allow taints to flow through unpacked arguments and mixed foreach (#​3670)
• taint property types for magic getters/setters even in the absence of a @property annotation (#​3668)
• add taints to filter_var (#​3675)
• preserve taints after is_string checks (#​3680)
• taint the contents of exit just as echo is (#​3681)
• @​TysonAndre improved handling of preg_replace_callback
• allow taints to flow through implied __toString methods (#​3697)
• specialize constructor taints as nececssary
• allow any part of a taint path to be suppressed with @psalm-suppress TaintedInput

Other features

@​olleharstedt added support for @psalm-self-out, which allows some typestate-oriented programming in Psalm (#​3650)

Bugfixes

• allow comparison of get_class($foo) === static::class
• fix false-negative around missing property declarations (#​3642)
• improve treatment of comparisons after assignment in conditional (#​3631)
• @​villfa improved reflection info for Redis (#​3673)
• PDO::query now allows two arguments (#​3694)
• @​simPod improved reflection for RdKafka\ProducerTopic::producev (#​3700)
• @​bdsl added a change that propagates @internal annotations on classes to their methods (#​3698)
• prevent crash with a Foo|? return type (#​3716)
• prevent crash on empty @method (#​3721)
• @​jarstelfox fixed up the example TemplateChecker plugin
• prevent crash when clone-ing undefined class (#​3719)
• infer template params from a class-string where appropriate (#​3726)
• improve handling of if conditionals inside do {...} while(); (#​3685)
• @​lhchavez fixed a bug in docblock parsing where data was lost if a comment referred to a tag (#​3776)
• allow false to be removed from template params (#​3737)
• allow storing references to impure classes via the class names inside immutable classes (#​3738)

v3.12.1: Improve taint analysis a little

Compare Source

Taint analysis

• $_REQUEST is now treated as a source, and taints now flow through trim and similar funcs
• @psalm-taint-specialize now works in static methods

Also @​TysonAndre added a --debug-emitted-issues command line flag to help debug the route of a Psalm issue.

Bugfixes

• preg_replace_callback now supports arrays properly even when the closure is not well-documented (#​3639)

v3.12.0: Add --taint-analysis command

Compare Source

This will be the officially-supported taint analysis command going forward.

v3.11.7: Add more taint analysis features

Compare Source

Features

• various taint analysis improvements
• added an <extraFiles> tag to tell Psalm about directories it should scan, but not analyse (#​3618)

Bugfixes

• add better support for complex switch (true) case statements (#​3603)
• allow lists to have their types refined in @psalm-assert calls (#​3605)
• treat (Foo\Bar::class)::baz() as Foo\Bar::baz() (#​3609)
• @​andrei-petre improved error message casing for undefined methods (#​3615)
• @​iluuu1994 allowed strings with leading backslashes e.g. '\Foo\Bar::baz' to be treated as callables (#​3607)
• prevent a crash when analysing an assertion on a class constant where the class doesn’t exist (#​3607)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.