
[2.x] CI blocked by phpunit advisory GHSA-qrr6-mg7r-m243 (PKSA-5jz8-6tcw-pbk4) #4584

@imorland


Problem

As of 2026-04-18, composer install fails on any repository using flarum/testing ^2.0 (directly or transitively via flarum/phpstan).

Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires flarum/phpstan ^2.0.0 -> satisfiable by flarum/phpstan[v2.0.0-beta.1, ..., v2.0.0-beta.8].
    - flarum/phpstan[v2.0.0-beta.1, ..., v2.0.0-beta.8] require flarum/testing ^2.0 -> satisfiable by flarum/testing[v2.0.0-beta.1, ..., v2.0.0-beta.8].
    - flarum/testing[v2.0.0-beta.1, ..., v2.0.0-beta.8] require phpunit/phpunit ^11.0 -> found phpunit/phpunit[11.0.0, ..., 11.5.55] but these were not loaded, because they are affected by security advisories ("PKSA-5jz8-6tcw-pbk4", "PKSA-z3gr-8qht-p93v").

Cause

Two advisories apply to phpunit 11.x:

  • PKSA-z3gr-8qht-p93v (CVE-2026-24765): affects >=11.0.0,<11.5.50. Fixed in 11.5.50.
  • PKSA-5jz8-6tcw-pbk4 (GHSA-qrr6-mg7r-m243): affects <=12.5.21. Fixed in 12.5.22 / 13.1.6. No 11.x backport.

flarum/testing requires phpunit/phpunit: ^11.0. Because GHSA-qrr6-mg7r-m243 has no 11.x fix, every 11.x version fails Composer's resolver-level advisory check.

Proposal

Bump flarum/testing's phpunit/phpunit constraint to ^12.5.22.

PHPUnit 12 requires PHP 8.3+ (already the Flarum 2.x floor) and removes support for docblock annotations. Extension test suites using @test, @dataProvider, etc. will need to migrate to PHP 8 attributes (#[Test], #[DataProvider]). Flarum core's test suite already uses attributes exclusively.
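The annotations-to-attributes step described above, as an added example that is not code from the Flarum issue or from flarum/testing. The test class, the provider name and the slugify() helper are hypothetical; it shows the PHPUnit 11 docblock form an extension suite may still carry beside the attribute form PHPUnit 12 requires.

```php
<?php
// Added example, not code from the Flarum issue or the flarum/testing package.
// It shows the migration the proposal requires: PHPUnit 12 does not read
// docblock annotations, so @test / @dataProvider must become PHP 8 attributes.
// The class, method and provider names and the slugify() helper are hypothetical.

declare(strict_types=1);

use PHPUnit\Framework\Attributes\DataProvider;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;

// Hypothetical code under test.
function slugify(string $title): string
{
    return trim((string) preg_replace('/[^a-z0-9]+/', '-', strtolower($title)), '-');
}

final class SlugifyTest extends TestCase
{
    // BEFORE (PHPUnit 11): the docblock marked this method as a test and
    // attached its data provider. Under PHPUnit 12 the docblock is ignored;
    // because the method name lacks the "test" prefix it is never run, and
    // PHPUnit warns that the class contains no tests.
    //
    //   /**
    //    * @test
    //    * @dataProvider titleProvider
    //    */
    //   public function it_slugifies_titles(string $title, string $expected): void
    //
    // AFTER (PHPUnit 12): the same test declared with attributes.
    #[Test]
    #[DataProvider('titleProvider')]
    public function it_slugifies_titles(string $title, string $expected): void
    {
        $this->assertSame($expected, slugify($title));
    }

    // Data provider methods must be static in current PHPUnit releases.
    public static function titleProvider(): array
    {
        return [
            'simple'      => ['Hello World', 'hello-world'],
            'punctuation' => ['  Flarum: 2.x!  ', 'flarum-2-x'],
            'empty'       => ['', ''],
        ];
    }
}
```

Run it with `vendor/bin/phpunit SlugifyTest.php` after the phpunit/phpunit constraint has been bumped; the same file with only the docblock version present reports no tests under PHPUnit 12, which is the silent failure mode the migration guide addresses.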

Release notes for the next 2.x release should link to the PHPUnit annotations-to-attributes migration guide.
