FriendsOfREDAXO / rexstan

redaxo phpstan addon
https://staabm.github.io/archive.html#rexstan
MIT License
35 stars, 3 forks

Bump spaze/phpstan-disallowed-calls from 2.16.1 to 3.4.0 #707

Open dependabot[bot] opened 3 months ago

dependabot[bot] commented 3 months ago

Bumps spaze/phpstan-disallowed-calls from 2.16.1 to 3.4.0.

Release notes

Sourced from spaze/phpstan-disallowed-calls's releases.

Default error identifiers

  • Add default error identifiers, used if not specified/overridden in your custom config (#258)

PHPStan 1.11 added error identifiers and while they were supported by this extension for quite some time (since #97), they were not added by default, only when you've specified them.

This release adds error identifiers everywhere, and they'll be used if you don't specify custom identifiers in your custom config. The full list of identifiers is in the ErrorIdentifiers class here https://github.com/spaze/phpstan-disallowed-calls/blob/main/src/RuleErrors/ErrorIdentifiers.php and they have a disallowed.something format.

Disallow control structures like else, elseif, goto and others

  • Can disallow control structures like else, elseif, goto (#257)

Checking params inside ( ... ) doesn't work at the moment, so you can disallow all declare() constructs but can't re-allow e.g. declare(strict_types=1).

If you try to disallow else if with the space, an exception will be thrown, because else if is parsed as else followed by if, so disallowing else if with the space wouldn't have the desired effect and the result would be unexpected. Disallow elseif, or don't write else if in your code 😇

Add phpinfo() to dangerous calls config

Add phpinfo() to dangerous calls config (#255)

See

for reasons why (phpinfo() echoes cookie values like the session id, which may then be stolen with XSS for example, bypassing HttpOnly cookie flag), and use https://github.com/spaze/phpinfo instead of just calling phpinfo().

Internal changes

  • It's already a list, no need to call array_values() (#253, this is a new bleeding edge rule added in PHPStan 1.10.59)
  • Update dev dependencies (#254)

Dynamic class constant fetch, disallowedEnums

What's Changed

  • Support dynamic class constant fetch available in PHP 8.3 (#242, #248)
  • Added disallowedEnums, they use DisallowedConstant internally (#243, docs)

Internal changes:

  • The PHP 8.0 polyfill is not needed anymore (#237)
  • More tests for attributes (#240) and on more PHP versions (#244)
  • More strict/correct config schema, disallowedConstants' constant field is always present (#245)
  • Reuse the existing reflection variable (#246)

Note

The 3.1.0 release was the same minus #248.

Param values with PHPdoc typeString, attributes on properties and more reported, no "because reasons" in errors, more rules for the same call, few possible bw compat breaks

New major version because of some major new features in this release, and some potential backwards compatibility breaks if you use the extension in one way or another, all described below.

New features

  • Can specify params with a doctype in typeString config option (#234)
    You can now specify dis/allowed parameter values as a PHPDoc string like typeString: 'foo'|'bar' or typeString: 'array{}' etc. instead of just value: scalar
  • Support more attribute targets: properties, class constants, params (#225)
    Disallowed attributes will now also be reported when used on/with those.

... (truncated)

Commits
  • f7f1dc8 Add default error identifiers, used if not specified (#258)
  • f2e46bd Add default error identifiers, used if not specified
  • d58806c Can disallow control structures like else, elseif, goto (#257)
  • 5b5bef6 Can disallow control structures like else, elseif, goto
  • 6d5ce7e Add phpinfo() to dangerous calls config (#255)
  • a28a1e6 Add phpinfo() to dangerous calls config
  • bcd693f Update dev dependencies (#254)
  • e3f6e67 Move the flag config type check to paramFactory()
  • 104dc95 Add attributes in addition to docblocks
  • 75d9f4c Allow nikic/php-parser 5
  • Additional commits viewable in compare view


Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
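The release notes quoted above describe three things a consumer of the bumped extension may want to use: the bundled dangerous-calls config now covering phpinfo() (#255), custom error identifiers that override the new defaults (#258), and the new control-structure rules (#257). The phpstan.neon fragment below is an added example written for this page; it is not part of this PR, of rexstan, or of spaze/phpstan-disallowed-calls. Key names follow the extension's README at the time of writing; the `allowIn` path, the message texts and the identifier `disallowed.phpinfo` are constructed for illustration, and the `disallowedControlStructures`/`structure` keys are assumed from the README rather than from this page, so verify them against the 3.4.0 version you install.

```neon
# phpstan.neon (added example, not project code)
#
# 3.4.0 ships vendor/spaze/phpstan-disallowed-calls/disallowed-dangerous-calls.neon
# with phpinfo() already in it. Including that file is enough for most projects;
# this fragment instead declares its own phpinfo() rule so that the message,
# error identifier and allowed paths are under the project's control.
parameters:
    disallowedFunctionCalls:
        -
            function: 'phpinfo()'
            # Why it is disallowed (from the release notes): phpinfo() echoes
            # cookie values such as the session id, so an XSS on that page can
            # read them even though the cookie is HttpOnly.
            message: 'use spaze/phpinfo instead, phpinfo() exposes session cookies'
            # Overrides the default identifier 3.4.0 would otherwise assign
            # (defaults are listed in src/RuleErrors/ErrorIdentifiers.php).
            errorIdentifier: 'disallowed.phpinfo'
            # Constructed path: the one place a plain phpinfo() is tolerated.
            allowIn:
                - tools/diagnostics/*.php

    # New in 3.x (#257). Assumed key names, check the README.
    # Use 'elseif', never 'else if' with a space: the release notes say the
    # spaced form is parsed as else followed by if and throws an exception.
    disallowedControlStructures:
        -
            structure: 'goto'
            message: 'use loops or functions instead'
        -
            structure: 'elseif'
            message: 'prefer early returns or a match expression'
```

Because the identifier is explicit, a single justified call site can be suppressed with PHPStan 1.11's identifier-aware ignore comment (`// @phpstan-ignore disallowed.phpinfo`) rather than a blanket ignore, and the same identifier can be matched in an `ignoreErrors` entry. Note that upgrading across the 2.x to 3.x boundary is what introduces the default identifiers, so any existing baseline or `ignoreErrors` entries that matched on message text alone should be re-generated after the bump.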