[codex] Fix E2E workflow crash and PHPUnit alerts #17

Merged: ediamin merged 4 commits into main from codex/fix-main-e2e-and-dependabot on Apr 18, 2026

@ediamin ediamin commented Apr 18, 2026

Summary

  • remove PHP CLI worker mode from the E2E built-in WordPress server so the post-merge main run stops crashing mid-suite
  • pin PHPUnit to a patched 9.6.x release and refresh the Composer lockfile without breaking the PHP 7.4 test matrix
  • document the remaining GHSA-qrr6-mg7r-m243 alert as a false positive for PHPUnit 9.x and dismiss that inaccurate Dependabot alert in GitHub

Root Cause

The failing main run after PR #16 died inside the PHP built-in server during Playwright execution. The workflow change in that PR introduced PHP_CLI_SERVER_WORKERS=4; the uploaded php-server.log showed four CLI server workers starting and then the server dropping out, which left the suite with socket hang up / ECONNREFUSED errors.

The two new Dependabot alerts were both on phpunit/phpunit from composer.lock. One was real and is fixed by moving from 9.6.25 to 9.6.34. The other used the advisory range <= 12.5.21, which incorrectly sweeps in PHPUnit 9.x, so I dismissed alert #88 as inaccurate.

Validation

  • inspected Actions run 24599705526 and downloaded the uploaded php-server.log
  • queried open Dependabot alerts via gh api
  • regenerated composer.lock in a PHP 7.4 container
  • verified the updated lockfile installs on PHP 7.4 with composer install --dry-run --no-interaction --no-security-blocking

Follow-up

  • merging this PR should clear Dependabot alert #87 automatically
  • the branch CI run should confirm the E2E workflow is stable again

@ediamin ediamin marked this pull request as ready for review April 18, 2026 09:12
@ediamin ediamin merged commit 6244cc3 into main Apr 18, 2026
5 checks passed
@ediamin ediamin deleted the codex/fix-main-e2e-and-dependabot branch April 18, 2026 09:12
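
Added example, not part of the PR or the project's code: a small triage check for the situation described under Root Cause, where an advisory range of `<= 12.5.21` matches a locked PHPUnit 9.x by plain version comparison. The `composer.lock` fragments are constructed from the two versions named in the PR, and the `review-range` label and the cross-major heuristic are assumptions of this sketch, not Dependabot behaviour.

```python
import json
import re

PKG = "phpunit/phpunit"
# Constructed composer.lock fragments; the versions are the two named in the PR.
LOCK_BEFORE = json.dumps({"packages": [], "packages-dev": [{"name": PKG, "version": "9.6.25"}]})
LOCK_AFTER = json.dumps({"packages": [], "packages-dev": [{"name": PKG, "version": "9.6.34"}]})

OPS = {
    "<=": lambda v, b: v <= b,
    "<": lambda v, b: v < b,
    ">=": lambda v, b: v >= b,
    ">": lambda v, b: v > b,
    "=": lambda v, b: v == b,
}


def parse_version(text):
    """'v9.6.34' -> (9, 6, 34); missing parts are padded with zeros."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def locked_version(lock_json, package):
    """Find a package in either section of composer.lock."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry["name"] == package:
                return parse_version(entry["version"])
    return None


def triage(lock_json, package, constraint):
    """Classify one single-bound advisory range against the locked version."""
    match = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*v?(\d+(?:\.\d+)*)\s*", constraint)
    if match is None:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op, bound = match.group(1), parse_version(match.group(2))
    version = locked_version(lock_json, package)
    if version is None:
        return "not-installed"
    if not OPS[op](version, bound):
        return "not-affected"
    # An upper bound on another major line matches every older release line
    # by plain comparison; a person has to confirm the locked line is affected.
    if op in ("<", "<=") and version[0] != bound[0]:
        return "review-range"
    return "affected"
```

Both lockfiles return `review-range` for `<= 12.5.21`, which shows why upgrading within 9.6.x cannot clear that alert and a manual decision is needed. A constructed same-line bound such as `< 9.6.34` (used only for contrast; the page does not give the other advisory's range) goes from `affected` to `not-affected` across the same upgrade.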