Skip to content

Bump the composer group across 1 directory with 5 updates#4

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/composer/composer-a4b81ac465
Open

Bump the composer group across 1 directory with 5 updates#4
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/composer/composer-a4b81ac465

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 12, 2026

Copy link
Copy Markdown

Bumps the composer group with 4 updates in the / directory: guzzlehttp/guzzle, league/commonmark, nesbot/carbon and psy/psysh.

Updates guzzlehttp/guzzle from 7.7.0 to 7.12.1

Release notes

Sourced from guzzlehttp/guzzle's releases.

7.12.1

Changed

  • Adjusted guzzlehttp/psr7 version constraint to ^2.12.1

Fixed

  • Reject proxy URLs with a malformed scheme in the cURL handlers instead of letting libcurl mishandle them

Security

7.12.0

Added

  • Added RequestOptions constants for curl, retries, and stream_context

Changed

  • Adjusted guzzlehttp/psr7 version constraint to ^2.12
  • Constrain cURL transport sharing to safe libcurl DNS and SSL session support
  • Resolve proxy environment variables in the cURL handlers; libcurl no longer reads the environment itself
  • Ignore proxy environment variables when the proxy request option makes a decision
  • Disable proxy environment variables on Windows SAPIs other than CLI (httpoxy hardening)
  • Redact proxy credentials from cURL handler error messages, following Psr7\Utils::redactUserInfo()
  • Normalize no-proxy domain and IP literal matching across the cURL and stream handlers

Deprecated

  • Deprecated the request-level handler option, which will be ignored in 8.0
  • Deprecated raw cURL request options outside the built-in cURL handlers' allow-list
  • Deprecated the CURLOPT_PROXYTYPE cURL request option; set the proxy type via a scheme-prefixed proxy URL
  • Deprecated PHP stream context options outside the built-in stream handler allow-list
  • Deprecated passing ntlm as a built-in auth type
  • Deprecated Utils::describeType()
  • Deprecated non-finite floats in the query and form_params options; 8.0 rejects them
  • Deprecated non-string scalar values in the body option; 8.0 rejects them

Fixed

  • Fix cURL TLS and HTTP/2 capability detection using libcurl feature checks
  • Fix proxy no list matches being re-proxied through environment-configured proxies by libcurl
  • Fix no list and NO_PROXY matching to support IP CIDR ranges, matching libcurl
  • Fix the stream handler not applying scheme-less proxies and their credentials

7.11.2

Fixed

... (truncated)

Changelog

Sourced from guzzlehttp/guzzle's changelog.

7.12.1 - 2026-06-18

Changed

  • Adjusted guzzlehttp/psr7 version constraint to ^2.12.1

Fixed

  • Reject proxy URLs with a malformed scheme in the cURL handlers instead of letting libcurl mishandle them

Security

7.12.0 - 2026-06-16

Added

  • Added RequestOptions constants for curl, retries, and stream_context

Changed

  • Adjusted guzzlehttp/psr7 version constraint to ^2.12
  • Constrain cURL transport sharing to safe libcurl DNS and SSL session support
  • Resolve proxy environment variables in the cURL handlers; libcurl no longer reads the environment itself
  • Ignore proxy environment variables when the proxy request option makes a decision
  • Disable proxy environment variables on Windows SAPIs other than CLI (httpoxy hardening)
  • Redact proxy credentials from cURL handler error messages, following Psr7\Utils::redactUserInfo()
  • Normalize no-proxy domain and IP literal matching across the cURL and stream handlers

Deprecated

  • Deprecated the request-level handler option, which will be ignored in 8.0
  • Deprecated raw cURL request options outside the built-in cURL handlers' allow-list
  • Deprecated the CURLOPT_PROXYTYPE cURL request option; set the proxy type via a scheme-prefixed proxy URL
  • Deprecated PHP stream context options outside the built-in stream handler allow-list
  • Deprecated passing ntlm as a built-in auth type
  • Deprecated Utils::describeType()
  • Deprecated non-finite floats in the query and form_params options; 8.0 rejects them
  • Deprecated non-string scalar values in the body option; 8.0 rejects them

Fixed

  • Fix cURL TLS and HTTP/2 capability detection using libcurl feature checks
  • Fix proxy no list matches being re-proxied through environment-configured proxies by libcurl
  • Fix no list and NO_PROXY matching to support IP CIDR ranges, matching libcurl
  • Fix the stream handler not applying scheme-less proxies and their credentials

... (truncated)

Commits
  • d346274 Release 7.12.1
  • 7f537cd Reject dot-only cookie domains (#3653)
  • 29482f2 Adjust version constraints (#3651)
  • fc70174 Reject proxy URLs with a malformed scheme in the cURL handlers (#3637)
  • 0f4da82 Reject HTTPS proxies when libcurl lacks HTTPS-proxy support (#3626)
  • eaa8159 Release 7.12.0
  • e0d3349 Adjusted guzzlehttp/psr7 version constraint and corrected links (#3646)
  • 8ca9415 Normalize scalar body request options (#3644)
  • 1a8d3aa Translate scheme-less proxies and their credentials in the stream handler (#3...
  • 751f7a5 Revert too aggressive authenticated proxy tunnel reuse mitigation (#3641)
  • Additional commits viewable in compare view

Updates guzzlehttp/psr7 from 2.5.0 to 2.12.4

Release notes

Sourced from guzzlehttp/psr7's releases.

2.12.4

Changed

  • Pass explicit trim characters ahead of the PHP 8.6 trim default change

2.12.3

Security

2.12.2

Fixed

  • Report URI parsing, filtering, and normalization PCRE failures explicitly
  • Report HTTP message parser PCRE failures explicitly
  • Fail closed when PCRE validation fails for request targets and hosts

2.12.1

Security

2.12.0

Deprecated

  • Deprecated non-finite float values in Query::build() that guzzlehttp/psr7 3.0 rejects
  • Deprecated non-finite float multipart contents that guzzlehttp/psr7 3.0 rejects
  • Deprecated non-string scalar bodies in Utils::streamFor(); cast them to a string for 3.0
  • Deprecated non-string Uri::withQueryValues() values; cast them to a string for 3.0

2.11.1

Fixed

  • Fixed non-finite float values emitting coercion warnings on PHP 8.5

2.11.0

Changed

  • Changed Utils::modifyRequest() to reject conflicting URI and Host header changes in the same call
  • Changed Header::parse() to split semicolon-separated parameters without repeated regular expression lookaheads
  • Changed UriComparator::isCrossOrigin() so only HTTP and HTTPS missing ports receive implicit default ports

Deprecated

  • Deprecated invalid PSR-7 arguments that guzzlehttp/psr7 3.0 will require native types for
  • Deprecated non-string header values that guzzlehttp/psr7 3.0 will reject
  • Deprecated empty header value arrays that guzzlehttp/psr7 3.0 will reject
  • Deprecated URI schemes that do not match guzzlehttp/psr7 3.0 syntax requirements
  • Deprecated multipart boundary and custom part header metadata that guzzlehttp/psr7 3.0 will reject
  • Deprecated reliance on automatic uppercasing of request methods; guzzlehttp/psr7 3.0 preserves method casing

... (truncated)

Changelog

Sourced from guzzlehttp/psr7's changelog.

2.12.4 - 2026-07-08

Changed

  • Pass explicit trim characters ahead of the PHP 8.6 trim default change

Fixed

  • Anchor server port and response start-line patterns to the true end of input
  • Treat host-less origin-form request targets starting with // as paths in Message::parseRequest()
  • Reject raw DEL bytes in bracketed IP-literal hosts instead of parsing a mutated host
  • Reject invalid bytes after a bracketed IP-literal host instead of reparsing a different host

2.12.3 - 2026-06-23

Security

2.12.2 - 2026-06-23

Fixed

  • Report URI parsing, filtering, and normalization PCRE failures explicitly
  • Report HTTP message parser PCRE failures explicitly
  • Fail closed when PCRE validation fails for request targets and hosts

2.12.1 - 2026-06-18

Security

2.12.0 - 2026-06-16

Deprecated

  • Deprecated non-finite float values in Query::build() that guzzlehttp/psr7 3.0 rejects
  • Deprecated non-finite float multipart contents that guzzlehttp/psr7 3.0 rejects
  • Deprecated non-string scalar bodies in Utils::streamFor(); cast them to a string for 3.0
  • Deprecated non-string Uri::withQueryValues() values; cast them to a string for 3.0

2.11.1 - 2026-06-12

Fixed

  • Fixed non-finite float values emitting coercion warnings on PHP 8.5

2.11.0 - 2026-06-02

... (truncated)

Commits
  • 51e27f9 Release 2.12.4
  • 25bde3c Reject raw DEL and ambiguous suffixes in bracketed IP-literal parsing (#836)
  • 7a20ba3 Cover negative seek targets in CachingStreamTest (#823)
  • a8539ed Treat host-less origin-form // targets as paths (#820)
  • 7aee8d7 Add regression tests for multi-slash URI paths (#816)
  • e0faef6 Anchor validation patterns to the true end of input (#814)
  • c8edab2 Freeze trim characters ahead of PHP 8.6 (#812)
  • 7ec62dc Release 2.12.3
  • ddd64f1 Validate the URI host so getHost() matches the URI authority (#811)
  • 5ec8b15 Release 2.12.2
  • Additional commits viewable in compare view

Updates league/commonmark from 2.4.0 to 2.8.3

Release notes

Sourced from league/commonmark's releases.

2.8.3

What's Changed

Fixed

  • Fixed tab-indented fenced code blocks inside list items losing the first character of each line and having their info string mangled (#981, #1130)
  • Fixed the unsafe link filter incorrectly blocking safe URLs containing vbscript:, file:, or data: anywhere after the start (#1131)

Full Changelog: thephpleague/commonmark@2.8.2...2.8.3

2.8.2

This is a security release to address an issue where the allowed_domains setting for the Embed extension can be bypassed, resulting in a possible SSRF and XSS vulnerabilities.

Fixed

  • Fixed DomainFilteringAdapter hostname boundary bypass where domains like youtube.com.evil could match an allowlist entry for youtube.com (GHSA-hh8v-hgvp-g3f5)

Full Changelog: thephpleague/commonmark@2.8.1...2.8.2

2.8.1

What's Changed

This is a security release to address an issue where DisallowedRawHtml can be bypassed, resulting in a possible cross-site scripting (XSS) vulnerability.

Fixed

  • Fixed DisallowedRawHtmlRenderer not blocking raw HTML tags with trailing ASCII whitespace (GHSA-4v6x-c7xx-hw9f)
  • Fixed PHP 8.5 deprecation (#1107)

New Contributors

Full Changelog: thephpleague/commonmark@2.8.0...2.8.1

2.8.0

What's Changed

Added

  • Added a new HighlightExtension for marking important text using == syntax (#1100)

Fixed

  • Fixed AutolinkExtension incorrectly matching URLs after invalid www. prefix (#1095, #1103)

New Contributors

Full Changelog: thephpleague/commonmark@2.7.1...2.8.0

2.7.1

Notable Changes

... (truncated)

Changelog

Sourced from league/commonmark's changelog.

[2.8.3] - 2026-07-12

Fixed

  • Fixed tab-indented fenced code blocks inside list items losing the first character of each line and having their info string mangled (#981, #1130)
  • Fixed the unsafe link filter incorrectly blocking safe URLs containing vbscript:, file:, or data: anywhere after the start (#1131)

[2.8.2] - 2026-03-19

This is a security release to address an issue where the allowed_domains setting for the Embed extension can be bypassed, resulting in a possible SSRF and XSS vulnerabilities.

Fixed

  • Fixed DomainFilteringAdapter hostname boundary bypass where domains like youtube.com.evil could match an allowlist entry for youtube.com (GHSA-hh8v-hgvp-g3f5)

[2.8.1] - 2026-03-05

This is a security release to address an issue where DisallowedRawHtml can be bypassed, resulting in a possible cross-site scripting (XSS) vulnerability.

Fixed

  • Fixed DisallowedRawHtmlRenderer not blocking raw HTML tags with trailing ASCII whitespace (GHSA-4v6x-c7xx-hw9f)
  • Fixed PHP 8.5 deprecation (#1107)

[2.8.0] - 2025-11-26

Added

  • Added a new HighlightExtension for marking important text using == syntax (#1100)

Fixed

  • Fixed AutolinkExtension incorrectly matching URLs after invalid www. prefix (#1095, #1103)

[2.7.1] - 2025-07-20

Changed

  • Optimized several regular expressions in RegexHelper to improve performance (#674, #1086)

Fixed

  • EmbedProcessor no longer calls updateEmbeds() when there are no embeds to update (#1081)
  • Fixed missing benchmark.php CSV path validation for non-existent files (#1068, #1085)

[2.7.0] - 2025-05-05

This is a security release to address a potential cross-site scripting (XSS) vulnerability when using the AttributesExtension with untrusted user input.

Added

  • Added attributes/allow config option to specify which attributes users are allowed to set on elements (default allows virtually all attributes)

Changed

  • The AttributesExtension blocks all attributes starting with on unless explicitly allowed via the attributes/allow config option
  • The allow_unsafe_links option is now respected by the AttributesExtension when users specify href and src attributes

[2.6.2] - 2025-04-18

... (truncated)

Commits
  • 1902f60 Prepare for 2.8.3 release
  • 171f927 Update changelog
  • 51b529f Fix tab handling in fenced code blocks (#1130)
  • cfb11ec Fix over-blocking of safe URLs by the unsafe link filter (#1131)
  • fb59dbc Strengthen unsafe link and image renderer test assertions (#1129)
  • 4d0b5b1 Fix typos and broken formatting in the 2.x docs (#1128)
  • 73d4f1f Add Anthropic to the list of sponsors
  • 0faf9ee Merge pull request #1125 from thephpleague/fix/markdownlint-md060
  • a85b4ad Fetch full git history for the Markdownlint job
  • e6dc715 Fix Markdownlint CI job by not overriding DEFAULT_BRANCH
  • Additional commits viewable in compare view

Updates nesbot/carbon from 2.68.1 to 2.73.0

Release notes

Sourced from nesbot/carbon's releases.

2.73.0

Complete commits list: briannesbitt/Carbon@2.72.6...2.73.0

Summary:

2.72.6

Complete commits list: CarbonPHP/carbon@2.72.5...2.72.6

Summary:

  • Validate locale earlier
Commits
  • 9228ce9 Merge pull request #13 from thecaliskan/2.x
  • 142f0f5 changed CS rule
  • dc27804 changed CS rule
  • 8910c51 changed expected result for PHP 8.4
  • d1e695f Added PHP 8.3 and PHP 8.4 test for laravel and removed PHP 8.4 lowest test ma...
  • 5dca8dc Fixes for PHP 8.4
  • 8c3e607 Fixes for implicit nullability deprecation
  • 5f4c750 upgraded phpunit version on tests
  • a4932f3 Fixed CS
  • d6f5afb Added PHP 8.4 support
  • Additional commits viewable in compare view

Updates psy/psysh from 0.11.19 to 0.11.23

Release notes

Sourced from psy/psysh's releases.

PsySH v0.11.23

  • Fixed CWD configuration poisoning vulnerability (CVE-2026-25129). Backported Restricted Mode from v0.12. PsySH now requires explicit trust before loading local config (.psysh.php), local PsySH binaries, or Composer autoloads from untrusted projects. Configure with trustProject config option, --trust-project / --no-trust-project CLI flags, or PSYSH_TRUST_PROJECT env var.

PsySH v0.11.22

  • Fix Sudo static property manipulation in PHP 8.3.

PsySH v0.11.21

Made a bunch of behind the scenes fixes, that you probably won't even notice. Specifically:

  • Ensure that parse errors show the original message, not "unexpected EOF" (unless that was the original error).
  • Prettier output for Symfony Console exceptions.
  • Improve argument parsing for timeit command.
  • Remove very deprecated Symfony TableHelper fallback (it's been unsupported by our oldest supported Console version for years).
  • A bunch of static analysis improvements.

PsySH v0.11.20

  • Fix undefined array key (when argv doesn't exist) in userland readline implementation (Thanks @​BafS!)
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the composer group with 4 updates in the / directory: [guzzlehttp/guzzle](https://github.com/guzzle/guzzle), [league/commonmark](https://github.com/thephpleague/commonmark), [nesbot/carbon](https://github.com/CarbonPHP/carbon) and [psy/psysh](https://github.com/bobthecow/psysh).


Updates `guzzlehttp/guzzle` from 7.7.0 to 7.12.1
- [Release notes](https://github.com/guzzle/guzzle/releases)
- [Changelog](https://github.com/guzzle/guzzle/blob/7.14/CHANGELOG.md)
- [Commits](guzzle/guzzle@7.7.0...7.12.1)

Updates `guzzlehttp/psr7` from 2.5.0 to 2.12.4
- [Release notes](https://github.com/guzzle/psr7/releases)
- [Changelog](https://github.com/guzzle/psr7/blob/2.12/CHANGELOG.md)
- [Commits](guzzle/psr7@2.5.0...2.12.4)

Updates `league/commonmark` from 2.4.0 to 2.8.3
- [Release notes](https://github.com/thephpleague/commonmark/releases)
- [Changelog](https://github.com/thephpleague/commonmark/blob/2.8/CHANGELOG.md)
- [Commits](thephpleague/commonmark@2.4.0...2.8.3)

Updates `nesbot/carbon` from 2.68.1 to 2.73.0
- [Release notes](https://github.com/CarbonPHP/carbon/releases)
- [Commits](CarbonPHP/carbon@2.68.1...2.73.0)

Updates `psy/psysh` from 0.11.19 to 0.11.23
- [Release notes](https://github.com/bobthecow/psysh/releases)
- [Commits](bobthecow/psysh@v0.11.19...v0.11.23)

---
updated-dependencies:
- dependency-name: guzzlehttp/guzzle
  dependency-version: 7.12.1
  dependency-type: direct:production
  dependency-group: composer
- dependency-name: guzzlehttp/psr7
  dependency-version: 2.12.4
  dependency-type: indirect
  dependency-group: composer
- dependency-name: league/commonmark
  dependency-version: 2.8.3
  dependency-type: indirect
  dependency-group: composer
- dependency-name: nesbot/carbon
  dependency-version: 2.73.0
  dependency-type: indirect
  dependency-group: composer
- dependency-name: psy/psysh
  dependency-version: 0.11.23
  dependency-type: indirect
  dependency-group: composer
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file php Pull requests that update php code labels Jul 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file php Pull requests that update php code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants