Bump the composer group across 1 directory with 4 updates

[dependabot]

Bumps the composer group with 1 update in the / directory: codeception/codeception.

Updates codeception/codeception from 4.1.20 to 4.1.22

Release notes

Sourced from codeception/codeception's releases.

Security fix

• Security fix: Disable deserialization of RunProcess class (#6241) reported by @​snoopysecurity
• Reduce memory consumption of very large tests (#6230) by @​esnelubov
• Support guzzlehttp/psr7 v2 by @​W0rma
• Fix W3C warning in reports generated by Recorder extension (#6224) by RickR2H

4.1.21

• Fix dry-run compatibility with symfony/console 5.3
• Coverage: Don't attempt to set cookie domain when it is "localhost" #6210 by @​marcovtwout
• Coverage: Don't attempt to read cookies while an alert is open #6211 by @​marcovtwout

Changelog

Sourced from codeception/codeception's changelog.

4.1.22

• Security fix: Disable deserialization of RunProcess class (#6241)
• Reduce memory consumption of very large tests (#6230) by @​esnelubov
• Support guzzlehttp/psr7 v2 by @​W0rma
• Fix W3C warning in reports generated by Recorder extension (#6224) by RickR2H

4.1.21

• Fix dry-run compatibility with symfony/console 5.3
• Coverage: Don't attempt to set cookie domain when it is "localhost" (#6210) by @​marcovtwout
• Coverage: Don't attempt to read cookies while an alert is open (#6211) by @​marcovtwout

Commits

• 9777ec3 4.1.22
• cbce9ea Security: Disable deserialization of RunProcess class (#6241)
• d69ab79 Merge pull request #6230 from esnelubov/4.1-free-memory
• ad2d34e Add check for PHP version to make the code work on PHP 5.6
• 2cc87fd Reduce the memory consumption of tests by forcing PHP to return the unused me...
• 701b636 Merge pull request #6229 from W0rma/guzzle-psr7-v2
• 405204b Allow installation of guzzlehttp/psr7 v2
• 549160c Recorder extension: role="navigation" is unnecessary for element nav (#6224)
• c25f20d Use 1.x versions of modules in 4.1 to fix CI
• 818a8b3 4.1.21
• Additional commits viewable in compare view

Updates guzzlehttp/psr7 from 1.8.2 to 2.10.3

Release notes

Sourced from guzzlehttp/psr7's releases.

2.10.3

Fixed

• Fixed URI parsing for IPv6 literals containing embedded IPv4 addresses
• Fixed malformed UTF-8 URI strings being parsed as empty URIs

2.10.2

Security

• Reject control and whitespace characters in URI host components (GHSA-hq7v-mx3g-29hw)
• Reject malformed Host values when constructing request URIs (GHSA-34xg-wgjx-8xph)

Fixed

• Make ServerRequest::fromGlobals() robust against unexpected HTTP header value types in $_SERVER

2.10.1

Fixed

• Fix Utils::modifyRequest() with numeric header names

2.10.0

• Harden ServerRequest::fromGlobals() against malformed $_SERVER values
• Prevent custom stream metadata from affecting internal size handling
• Throw when StreamWrapper::getResource() cannot create a resource
• Preserve custom request implementations in Utils::modifyRequest()
• Preserve custom URI implementations in UriResolver::resolve()
• Make Uri::__toString() side-effect-free

2.9.1

• Fix parsing of relative path references containing a colon in a non-initial path segment
• Fix CachingStream::detach() returning an incomplete resource before the decorated stream has been fully read
• Fix Message::bodySummary() returning null when truncating printable UTF-8 bodies inside a multibyte character

2.9.0

Added

• Added nested array expansion support to MultipartStream
• Added @return static to MessageTrait methods

Changed

• Updated MIME type mappings

---

See also the change log for changes.

2.8.1

Fixed

... (truncated)

Changelog

Sourced from guzzlehttp/psr7's changelog.

2.10.3 - 2026-05-27

Fixed

• Fixed URI parsing for IPv6 literals containing embedded IPv4 addresses
• Fixed malformed UTF-8 URI strings being parsed as empty URIs

2.10.2 - 2026-05-25

Security

• Reject control and whitespace characters in URI host components (GHSA-hq7v-mx3g-29hw)
• Reject malformed Host values when constructing request URIs (GHSA-34xg-wgjx-8xph)

Fixed

• Make ServerRequest::fromGlobals() robust against unexpected HTTP header value types in $_SERVER

2.10.1 - 2026-05-20

Fixed

• Fix Utils::modifyRequest() with numeric header names

2.10.0 - 2026-05-19

Changed

• Harden ServerRequest::fromGlobals() against malformed $_SERVER values
• Prevent custom stream metadata from affecting internal size handling
• Throw when StreamWrapper::getResource() cannot create a resource
• Preserve custom request implementations in Utils::modifyRequest()
• Preserve custom URI implementations in UriResolver::resolve()
• Make Uri::__toString() side-effect-free

2.9.1 - 2026-05-19

Fixed

• Fix parsing of relative path references containing a colon in a non-initial path segment
• Fix CachingStream::detach() returning an incomplete resource before the decorated stream has been fully read
• Fix Message::bodySummary() returning null when truncating printable UTF-8 bodies inside a multibyte character

2.9.0 - 2026-03-10

Added

• Added nested array expansion support to MultipartStream
• Added @return static to MessageTrait methods

... (truncated)

Commits

• 7c14722 Release 2.10.3
• d18aa5d Parse IPv6 literals with embedded IPv4 addresses (#731)
• 1451aa3 Cover fromParts host control validation (#730)
• 8e00bb5 Reject malformed UTF-8 URIs (#729)
• a1bbdc1 Release 2.10.2
• c68fe44 Reject malformed Host authorities (#717)
• a0fda81 Normalize global header values (#718)
• 12caca7 Reject control characters in URI hosts (#715)
• 73ab136 Release 2.10.1
• 52ce6eb Fix modifyRequest with numeric header names (#667)
• Additional commits viewable in compare view

Updates phpunit/phpunit from 9.5.4 to 9.6.34

Release notes

Sourced from phpunit/phpunit's releases.

PHPUnit 9.6.34

Fixed

• Regression introduced in PHPUnit 9.6.33

---

Learn how to install or update PHPUnit 9.6 in the documentation.

Keep up to date with PHPUnit:

• You can follow @​phpunit@phpc.social to stay up to date with PHPUnit's development.
• You can subscribe to the PHPUnit Updates newsletter to receive updates about and tips for PHPUnit.

PHPUnit 9.6.33

Changed

• To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs

---

Learn how to install or update PHPUnit 9.6 in the documentation.

Keep up to date with PHPUnit:

• You can follow @​phpunit@phpc.social to stay up to date with PHPUnit's development.
• You can subscribe to the PHPUnit Updates newsletter to receive updates about and tips for PHPUnit.

PHPUnit 9.6.32

Changed

• PHPUnit\Framework\MockObject exceptions are now subtypes of PHPUnit\Exception

---

Learn how to install or update PHPUnit 9.6 in the documentation.

Keep up to date with PHPUnit:

• You can follow @​phpunit@phpc.social to stay up to date with PHPUnit's development.
• You can subscribe to the PHPUnit Updates newsletter to receive updates about and tips for PHPUnit.

PHPUnit 9.6.31

• No changes; phpunit.phar rebuilt with PHP 8.4 to work around PHP-Scoper issue #1139

---

Learn how to install or update PHPUnit 9.6 in the documentation.

Keep up to date with PHPUnit:

... (truncated)

Changelog

Sourced from phpunit/phpunit's changelog.

[9.6.34] - 2026-01-27

Fixed

• Regression introduced in PHPUnit 9.6.33

[9.6.33] - 2026-01-27

Changed

• To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs

[9.6.32] - 2026-01-24

Changed

• PHPUnit\Framework\MockObject exceptions are now subtypes of PHPUnit\Exception

[9.6.31] - 2025-12-06

• No changes; phpunit.phar rebuilt with PHP 8.4 to work around PHP-Scoper issue #1139

[9.6.30] - 2025-12-01

Changed

• Updated list of deprecated PHP configuration settings for PHP 8.4, PHP 8.5, and PHP 8.6

[9.6.29] - 2025-09-24

• No changes; phpunit.phar rebuilt with updated dependencies

[9.6.28] - 2025-09-23

• No changes; phpunit.phar rebuilt with updated dependencies

[9.6.27] - 2025-09-14

Changed

• #6366: Exclude __sleep() and __wakeup() from test double code generation on PHP >= 8.5

[9.6.26] - 2025-09-11

Changed

• Implement __serialize() in addition to __sleep() (which will be deprecated in PHP 8.5)

[9.6.25] - 2025-08-20

... (truncated)

Commits

• b36f023 Fix regression introduced in PHPUnit 9.6.33
• fea0625 Prepare release
• 1a677f6 Merge branch '8.5' into 9.6
• 1015741 Prepare release
• 1cce5f3 Merge branch '8.5' into 9.6
• 3141742 Do not run PHPT test when its temporary file for code coverage information ex...
• 0b3170a We do not need to unserialize() objects here
• 261086a Extract method
• fdd6b86 Fix CS/WS issue
• 492ee10 Prepare release
• Additional commits viewable in compare view

Updates symfony/yaml from 5.2.5 to 5.4.53

Release notes

Sourced from symfony/yaml's releases.

v5.4.53

Changelog (symfony/yaml@v5.4.52...v5.4.53)

• bug #64316 Allow trailing newlines after the end-of-document marker (@​nicolas-grekas)

v5.4.52

Changelog (symfony/yaml@v5.4.44...v5.4.52)

• security #cve-2026-45305 Harden the Parser::cleanup() regexes against catastrophic backtracking (@​nicolas-grekas)
• security #cve-2026-45304 Bound collection-alias resolution in the parser (@​nicolas-grekas)
• security #cve-2026-45133 Bound recursion depth in the parser (@​nicolas-grekas)

v5.4.45

Changelog (symfony/yaml@v5.4.44...v5.4.45)

• no significant changes

v5.4.44

Changelog (symfony/yaml@v5.4.43...v5.4.44)

• bug symfony/symfony#58279 [Yaml] parse empty sequence elements as null (@​xabbuh)

v5.4.43

Changelog (symfony/yaml@v5.4.42...v5.4.43)

• bug symfony/symfony#57968 [Yaml] 🐛 throw ParseException on invalid date (@​homersimpsons)

v5.4.40

Changelog (symfony/yaml@v5.4.39...v5.4.40)

• no significant changes

v5.4.39

Changelog (symfony/yaml@v5.4.38...v5.4.39)

• bug symfony/symfony#54706 [Yaml] call substr() with integer offsets (@​xabbuh)

v5.4.35

Changelog (symfony/yaml@v5.4.34...v5.4.35)

• no significant changes

v5.4.31

Changelog (symfony/yaml@v5.4.30...v5.4.31)

• bug symfony/symfony#52443 [Yaml] Fix uid binary parsing (@​mRoca)
• bug symfony/symfony#52408 [Yaml] Fix block scalar array parsing (@​NickSdot)

v5.4.30

Changelog (symfony/yaml@v5.4.29...v5.4.30)

... (truncated)

Changelog

Sourced from symfony/yaml's changelog.

CHANGELOG

8.0

• Remove support for parsing duplicate mapping keys whose value is null

7.3

• Add compact nested mapping support by using the Yaml::DUMP_COMPACT_NESTED_MAPPING flag
• Add the Yaml::DUMP_FORCE_DOUBLE_QUOTES_ON_VALUES flag to enforce double quotes around string values

7.2

• Deprecate parsing duplicate mapping keys whose value is null
• Add support for dumping null as an empty value by using the Yaml::DUMP_NULL_AS_EMPTY flag

7.1

• Add support for getting all the enum cases with !php/enum Foo

7.0

• Remove the !php/const: tag, use !php/const instead (without the colon)

6.3

• Add support to dump int keys as strings by using the Yaml::DUMP_NUMERIC_KEY_AS_STRING flag

6.2

• Add support for !php/enum and !php/enum *->value
• Deprecate the !php/const: tag in key which will be replaced by the !php/const tag (without the colon) since 3.4

6.1

• In cases where it will likely improve readability, strings containing single quotes will be double-quoted

5.4

• Add a $maxNestingLevel argument to Parser::__construct(), Yaml::parse() and Yaml::parseFile() to bound recursion depth (default 128)

... (truncated)

Commits

• ae0bbb4 [Yaml] Allow trailing newlines after the end-of-document marker
• b0b2705 [Yaml] Harden the Parser::cleanup() regexes against catastrophic backtracking
• 5a351ff [Yaml] Bound collection-alias resolution in the parser
• b02ba66 [Yaml] Bound recursion depth in the parser
• a454d47 Add PR template and auto-close PR on subtree split repositories
• 7025b96 parse empty sequence elements as null
• 62f96e1 🐛 throw ParseException on invalid date
• 81cad0c Revert "minor #54653 Auto-close PRs on subtree-splits (nicolas-grekas)"
• bc780e1 call substr() with integer offsets
• a38ba0b Auto-close PRs on subtree-splits
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.