Release 4.0.0 · grasmash/yaml-expander

Breaking changes

Requires PHP >= 8.1 (previously no PHP constraint).
symfony/yaml 4.x and 5.x (EOL) are no longer supported; allowed versions are ^6.4.40 || ^7.4.12 || ^8.0.12.
grasmash/expander 1.x and 2.x are no longer supported; requires ^3.0.1.
Native parameter and return types on the public API (parse(), expandArrayProperties()). Passing non-string YAML or a non-array reference array now throws TypeError.
parse() now returns [] for empty YAML and throws UnexpectedValueException when YAML parses to a non-array value (previously both surfaced as an opaque TypeError).

symfony/yaml constraint excludes versions vulnerable to CVE-2026-45304 (YAML parser "Billion Laughs" memory exhaustion).
PHPUnit dev constraint excludes versions vulnerable to CVE-2026-24765.
Dropped php-coveralls, which pulled in vulnerable guzzlehttp releases at lowest versions; coverage is now uploaded with coverallsapp/github-action.
All GitHub Actions are pinned to commit SHAs.
New README guidance: only parse YAML from trusted sources.

The constructor logger is now optional and defaults to NullLogger: new YamlExpander().
declare(strict_types=1) throughout.
100% test coverage; new tests for empty input, scalar input, invalid YAML, and unresolved-placeholder behavior.
Test suite modernized to PHPUnit 10–13 (attributes, static data providers).
CI now tests PHP 8.1–8.4, including a working lowest-dependencies job (the previous prefer-lowest job silently never ran), with Dependabot enabled for composer and GitHub Actions.
README examples rewritten to match the actual API; CONTRIBUTING.md and RELEASE.md now contain accurate instructions.
squizlabs/php_codesniffer 4.x allowed for development.

Full Changelog: 3.0.3...4.0.0

🤖 Generated with Claude Code