composer (5.x)(deps-dev): bump the development-dependencies group with 3 updates

[dependabot]

Updates the requirements on mimmi20/coding-standard, nikic/php-parser and phpstan/phpstan to permit the latest version.
Updates mimmi20/coding-standard to 6.1.6

Commits

• 6597833 Merge pull request #766 from mimmi20/dependabot/composer/master/slevomat/codi...
• a4e8d71 fix issue
• becbdf3 composer (master)(deps): update slevomat/coding-standard requirement
• 945c9d8 Merge pull request #765 from mimmi20/dependabot/composer/master/development-d...
• 5749bd1 composer (master)(deps-dev): bump the development-dependencies group with 2 u...
• 24be2f4 Merge pull request #764 from mimmi20/dependabot/composer/master/development-d...
• cc3d0dc composer (master)(deps-dev): update phpstan/phpstan requirement
• 00ff360 Merge pull request #762 from mimmi20/updates
• ee1416e activate update groups
• a16bafa Merge pull request #759 from mimmi20/dependabot/composer/master/phpstan/phpst...
• Additional commits viewable in compare view

Updates nikic/php-parser to 5.6.0

Release notes

Sourced from nikic/php-parser's releases.

PHP-Parser 5.6.0

Added

• [8.5] Added support for clone with arbitrary function arguments. This will be parsed as an Expr\FuncCall node, instead of the usual Expr\Clone_ node.
• [8.5] Permit declaration of function clone for use in stubs.
• [8.5] Added support for the pipe operator, represented by Expr\BinaryOp\Pipe.
• [8.5] Added support for the (void) cast, represented by Expr\Cast\Void_.
• [8.5] Added support for the final modifier on promoted properties.
• Added CallLike::getArg() to fetch an argument by position and name.

Changelog

Sourced from nikic/php-parser's changelog.

Version 5.6.0 (2025-07-27)

Added

• [8.5] Added support for clone with arbitrary function arguments. This will be parsed as an Expr\FuncCall node, instead of the usual Expr\Clone_ node.
• [8.5] Permit declaration of function clone for use in stubs.
• [8.5] Added support for the pipe operator, represented by Expr\BinaryOp\Pipe.
• [8.5] Added support for the (void) cast, represented by Expr\Cast\Void_.
• [8.5] Added support for the final modifier on promoted properties.
• Added CallLike::getArg() to fetch an argument by position and name.

Version 5.5.0 (2025-05-31)

Added

• [8.5] Added support for attributes on constants. Stmt\Const_ now has an attrGroups subnode.
• Added weakReferences option to NodeConnectingVisitor and ParentConnectingVisitor. This will create the parent/next/prev references as WeakReferences, to avoid making the AST cyclic and thus increasing GC pressure.

Changed

• Attributes on parameters are now printed on separate lines if the pretty printer target version is PHP 7.4 or older (which is the default). This allows them to be interpreted as comments, instead of causing a parse error. Specify a target version of PHP 8.0 or newer to restore the previous behavior.

Version 5.4.0 (2024-12-30)

Added

• Added Property::isAbstract() and Property::isFinal() methods.
• Added PropertyHook::isFinal() method.
• Emit an error if property hook is used on declaration with multiple properties.

Fixed

• Make legacy class aliases compatible with classmap-authoritative autoloader.
• Param::isPromoted() and Param::isPublic() now returns true for parameters that have property hooks but no explicit visibility modifier.
• PropertyHook::getStmts() now correctly desugars short set hooks. set => $value will be expanded to set { $this->propertyName = $value; }. This requires the propertyName attribute on the hook to be set, which is now also set by the parser. If the attribute is not set, getStmts() will throw an error for short set hooks, as it is not possible to produce a correct desugaring.

... (truncated)

Commits

• 221b0d0 Release PHP-Parser 5.6.0
• 3b8d8ab Add special case for clone in fuzzer
• c724dde Allow final on promoted properties
• 7c4f7ca Exclude one clone php-src test
• c5216ac Remove use of E_STRICT in test runner
• 507fa76 Add support for void cast
• 3e74153 Add emulation support for void cast
• b815a16 Add support for pipe operator
• c1f6c4c Add lexer emulation support for pipe operator
• 66d5018 feat: add CallLike::getArg() method (#1089)
• Additional commits viewable in compare view

Updates phpstan/phpstan to 2.1.21

Release notes

Sourced from phpstan/phpstan's releases.

2.1.21

Improvements 🔧

• Update nikic/PHP-Parser to 5.6.0 (phpstan/phpstan-src@90f8b11)

Bugfixes 🐛

• Fix unnecessary wrapping in TableErrorFormatter (#4170), #13317, thanks @​schlndh!
• Fix return value type inference of FuncCall on FuncCall (#4184), #13296, thanks @​VincentLanglet!
• Fix version_compare return type (#4178), #4457, thanks @​VincentLanglet!

Internals 🔍

• Put PHPUnit cache under tmp/ (#4169), thanks @​staabm!
• Add regression tests for already solved issues (#4174, #4173, #4172), thanks @​VincentLanglet!

Commits

• 1ccf445 PHPStan 2.1.21
• 90f8b11 Updated PHPStan to commit 90f8b11d423e18ff00fd4927907230b22edebcee
• 8ae740c Updated PHPStan to commit 8ae740c48df5a011f14634fe843fa274d77aac16
• a9ccfef PHPStan 2.1.20
• d81cb77 Updated PHPStan to commit d81cb77c90b5ca6aaf2d274ec6b012f9522b513e
• caef96e Shopware moved to Silver sponsors
• e85367b Shopware moved to Silver sponsors
• 80833f9 New gold sponsor
• 5cb41b9 Adjustment
• 98506a9 Revert "Always white"
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
composer/mimmi20/coding-standard	>= 6.1.6, < 7.0.0	Unknown	Unknown
composer/nikic/php-parser	>= 5.6.0, < 6.0.0	🟢 5.3	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 4 Found 12/29 approved changesets -- score normalized to 4 Dangerous-Workflow ⚠️ -1 no workflows found Maintained 🟢 10 14 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ -1 No tokens found Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ -1 no dependencies found Fuzzing ⚠️ 0 project is not fuzzed Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
composer/phpstan/phpstan	>= 2.1.21, < 3.0.0	🟢 5.5	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 0 Found 1/29 approved changesets -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow ⚠️ -1 no workflows found Token-Permissions ⚠️ -1 No tokens found Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ -1 no dependencies found Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• composer.json

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (33b6e1e) to head (4bd39f2).
⚠️ Report is 4 commits behind head on 5.x.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@             Coverage Diff             @@
##                 5.x      #406   +/-   ##
===========================================
  Coverage     100.00%   100.00%           
  Complexity        21        21           
===========================================
  Files              4         4           
  Lines            107       107           
===========================================
  Hits             107       107           

Flag	Coverage Δ
php-8.3	100.00% <ø> (ø)
phpunit	100.00% <ø> (ø)
ubuntu-latest	100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
src/ContainerParserFactory.php	100.00% <ø> (ø)