search

FriendsOfREDAXO / rexstan

redaxo phpstan addon
https://staabm.github.io/archive.html#rexstan
MIT License
35 stars 3 forks source link

Bump spaze/phpstan-disallowed-calls from 2.16.1 to 3.2.0 #697

Closed dependabot[bot] closed 3 months ago

dependabot[bot] commented 4 months ago

Bumps spaze/phpstan-disallowed-calls from 2.16.1 to 3.2.0.

Release notes

Sourced from spaze/phpstan-disallowed-calls's releases.

Add phpinfo() to dangerous calls config

Add phpinfo() to dangerous calls config (#255)

See

for reasons why (phpinfo() echoes cookie values like the session id, which may then be stolen with XSS for example, bypassing HttpOnly cookie flag), and use https://github.com/spaze/phpinfo instead of just calling phpinfo().

Internal changes

  • It's already a list, no need to call array_values() (#253, this is a new bleeding edge rule added in PHPStan 1.10.59)
  • Update dev dependencies (#254)

Dynamic class constant fetch, disallowedEnums

What's Changed

  • Support dynamic class constant fetch available in PHP 8.3 (#242, #248)
  • Added disallowedEnums, they use DisallowedConstant internally (#243, docs)

Internal changes:

  • The PHP 8.0 polyfill is not needed anymore (#237)
  • More tests for attributes (#240) and on more PHP versions (#244)
  • More strict/correct config schema, disallowedConstants' constant field is always present (#245)
  • Reuse the existing reflection variable (#246)

Note

The 3.1.0 release was the same minus #248.

Param values with PHPdoc typeString, attributes on properties and more reported, no "because reasons" in errors, more rules for the same call, few possible bw compat breaks

New major version because some major new features in this release, and some potential backwards compatibility breaks, if you use the extension in one way or another, all described below.

New features

  • Can specify params with a doctype in typeString config option (#234) You can now specify dis/allowed parameter values as PHPDoc string like typeString: 'foo'|'bar' or typeString: 'array{}' etc. instead of just value: scalar
  • Support more attribute targets: properties, class constants, params (#225) Disallowed attributes will now be also reported when used on/with those.

Changed

  • No "because reasons", because reasons (#221) (Possible backwards compatibility break, if you ignore error messages in your config) Previously, if there was no message key in the disallowed configuration, "because reasons" was added automatically. I thought it was funny back when this was an internal extension only, but maybe it's not anymore. So there's no "because reasons" anymore, and the error message will always end with a full stop ., unless it already ends with one, or unless it ends with ? or !.
  • Define extension parameters as a structure (#222, #231 and a follow-up in #229 thanks to @​francescolaffi) (Possible BC break, if you have a typo in your config, you may suddenly be alerted about it) Bye typos, at least some of them.
  • Can add more rules for the same call to have different messages for various params (#232) (Possible BC break if you for some reason relied on the order of the rules for the same function or method)
  • The allowExceptParamsInAllowed description in docs was flipped around (#235)

Internal test changes

  • Use the DI container in tests (#223, #228)
  • Merge test libs dir into src (#227)
  • Rename attribute tests and drop ClassWithAttributesAllow (#230)
Commits
  • 6d5ce7e Add phpinfo() to dangerous calls config (#255)
  • a28a1e6 Add phpinfo() to dangerous calls config
  • bcd693f Update dev dependencies (#254)
  • e3f6e67 Move the flag config type check to paramFactory()
  • 104dc95 Add attributes in addition to docblocks
  • 75d9f4c Allow nikic/php-parser 5
  • d363d00 It's already a list, no need to call array_values() (#253)
  • d0f8166 It's already a list, no need to call array_values()
  • d0b3d66 Run tests every day to assure compatibility (#251)
  • 179e952 Run tests every day to assure compatibility
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
dependabot[bot] commented 3 months ago

Superseded by #701.