Update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
carthage-software/mago	^1.4.1 → ^1.9.1
ergebnis/composer-normalize	^2.49.0 → ^2.50.0
phpstan/phpstan	^2.1.38 → ^2.1.39
phpstan/phpstan-deprecation-rules	^2.0.3 → ^2.0.4
phpstan/phpstan-phpunit	^2.0.12 → ^2.0.16
phpstan/phpstan-strict-rules	^2.0.8 → ^2.0.10
phpstan/phpstan-symfony	^2.0.12 → ^2.0.14
phpunit/phpunit (source)	^11.5.50 → ^11.5.55

---

Release Notes

carthage-software/mago (carthage-software/mago)

v1.9.1: Mago 1.9.1

Compare Source

Mago 1.9.1

Patch release with several analyzer and formatter bug fixes, plus support for @psalm-mutation-free annotations.

✨ Features

Codex (Type System)

• @psalm-mutation-free and @psalm-external-mutation-free annotations: The codex scanner now recognizes these Psalm annotations and maps them to Mago's internal mutation-free flags, improving interoperability with Psalm-annotated codebases (#​1157)

🐛 Bug Fixes

Analyzer

• Property narrowings preserved across pure and mutation-free function calls: Previously, all property type narrowings were cleared after any function call that received an object argument. The analyzer now preserves property narrowings when the called function is marked as @pure, @mutation-free, or @external-mutation-free, since these functions are guaranteed not to mutate the object's state (#​1157)
• Generic type parameters preserved during instanceof narrowing on sealed class hierarchies: When narrowing a generic type (e.g., Result<T>) with instanceof against a sealed inheritor (e.g., Success<T>), the type parameters from the parent type are now correctly carried over to the narrowed type, preventing unexpected never type results (#​1156)
• Non-existent classes detected in @var annotations and instanceof RHS: The analyzer now reports non-existent-class-like errors for undefined types used in @var docblock annotations and on the right-hand side of instanceof expressions, matching the existing behavior for parameter types, return types, and property types (#​1007)
• Possibly undefined keys in unions of sealed/unsealed arrays: Fixed incorrect undefined-string-array-index errors when accessing keys on union types containing both sealed and unsealed array variants (e.g., array{foo: int, ...}|array{foo: int}). The unsealed variant's generic parameters are now properly considered when determining whether a key might exist (#​1154)
• Deduplicated undefined key errors across union variants: When accessing a non-existent key on a union of multiple keyed arrays, the undefined-string-array-index error is now reported only once instead of once per union variant

Formatter

• Trailing comments preserved on opening parenthesis line in multiline parameter lists: Fixed a bug where end-of-line inline comments (e.g., // @​phpstan-ignore method.unused) on method signatures with multiline parameter lists were incorrectly moved to the next line (#​1153)

Prelude (Type Stubs)

• DateTimeImmutable and DateTimeZone methods annotated as mutation-free: Methods on DateTimeImmutable and DateTimeZone that do not modify state are now annotated with @mutation-free, preventing false positive property narrowing invalidations when calling these methods (#​1157)
• ReflectionClass::getReflectionConstants() return type: Added missing return type information (#​1152)

Documentation

• Removed undocumented space_after_colon_in_enum_backing_type setting: Removed a reference to a non-existent formatter setting from the configuration reference documentation (#​1151)

🙏 Thank You

Contributors

A huge thank you to everyone who contributed code to this release:

• @​BafS — #​1152
• @​dotdash — #​1154
• @​ptondereau — #​1151

Issue Reporters

Thank you to everyone who reported issues that shaped this release:

• @​Bleksak — #​1007
• @​MartkCz — #​1153
• @​Nadyita — #​1157
• @​wryk — #​1156

---

Full Changelog: carthage-software/mago@1.9.0...1.9.1

v1.9.0: Mago 1.9.0

Compare Source

Mago 1.9.0

This release brings PHP 8.5 deprecation detection, new return type providers for sprintf() and array_map(), generator type inference, several new formatter options, and a large number of bug fixes across the analyzer, formatter, linter, and type system.

✨ Features

Analyzer

• Return type provider for sprintf() and Psl\Str\format(): The analyzer now resolves return types for sprintf() calls with constant format strings, producing precise literal string types when all arguments are known at analysis time (#​1073)
• Return type provider for array_map() preserving array shapes: When calling array_map() with a typed callback on a keyed array, the analyzer now preserves the array shape in the return type instead of widening to array<key, value> (#​1144)
• Generator key and value type inference: Closures and arrow functions containing yield but no explicit return type annotation now have their Generator<K, V, S, R> type inferred from the yielded keys, values, and return statements (#​1150)

Linter

• PHP 8.5 deprecation rules: Three new rules to prepare your codebase for PHP 8.5:
  • deprecated-cast: Detects deprecated non-canonical type casts ((integer), (boolean), (double), and (binary)) and suggests their canonical replacements
  • deprecated-shell-execute-string: Detects usage of the backtick shell execute syntax (`ls -l`), which is deprecated in PHP 8.5, and suggests using shell_exec() instead
  • deprecated-switch-semicolon: Detects use of semicolons (;) as case separators in switch statements, deprecated in PHP 8.5, and suggests using colons (:) instead
• Improved mago-ignore / mago-expect diagnostics: When an ignore or expect pragma does not match any issue, the diagnostic now highlights the specific issue code that was not matched, making it easier to identify stale or incorrect pragmas (#​1123)

Formatter

• method-chain-semicolon-on-next-line setting: New option to place the semicolon on its own line when a method chain breaks across multiple lines, equivalent to PHP-CS-Fixer's multiline_whitespace_before_semicolons: new_line_for_chained_calls. Disabled by default, enabled in the Laravel/Pint preset (#​1105)
• null_pipe_last variant for null-type-hint setting: New option that converts ?T to T|null and reorders union types to place null last, providing PER-CS 3.0 compliance for null type positioning (#​1133, #​1134)
• Space after /**in single-line doc blocks: The formatter now ensures a space is present after the opening/**in single-line doc blocks (e.g.,/**@​var int _/becomes/\*\* @​var int _/) (#​1077)

CLI

• analyze --list-codes: New flag that outputs all analyzer issue codes as a JSON array of strings, useful for tooling integration (#​1146)
• lint --list-rules --json now includes severity: The JSON output of --list-rules now includes a level field (Error, Warning, Help, or Note) for each rule, matching the information shown in the human-readable table (#​1142)

🐛 Bug Fixes

Analyzer

• Property narrowing invalidation after method calls with object arguments: Property type narrowings and assertion clauses are now correctly invalidated when a method call receives an object as an argument, since the method could mutate the object's state
• Nullsafe operator false positives: Improved null compatibility checks prevent redundant-nullsafe-operator from producing code-breaking false positives when the nullsafe operator is legitimately needed (#​1131)
• Numeric type subtraction in reconciler: Fixed incorrect paradoxical-condition / impossible-condition errors when narrowing numeric types with is_numeric() checks on multiple variables (#​1130)
• Callable resolution with nullable/falsable types: The analyzer now correctly skips nullable and falsable variants when resolving callable targets, fixing false invalid-callable errors on functions like Closure::bind() (#​1127)
• Docblock nullability merging for expandable types: Fixed a bug where nullability from docblock types was not merged for expandable types (like conditional return types), causing false null-argument positives (#​1126)
• Variadic parameter type: Variadic parameters are now correctly typed as array<K, T> instead of list<T>, since named arguments can produce string keys (#​1138)
• Sealed/unsealed keyed array merging: The type combiner no longer incorrectly merges sealed and unsealed keyed arrays, preserving array shape precision in union types
• Unknown class handling in type identity comparison: Fixed a crash when comparing types involving unresolved class names (#​1145)

Formatter

• Trailing comments moving to opening brace: Fixed a bug where end-of-line inline comments (e.g., // @​phpstan-ignore method.unused) on method signatures were incorrectly moved to the opening brace line when using method-brace-style = "always-next-line" (#​1124)
• Echo tag indentation in inline HTML: Fixed incorrect indentation for inline PHP echo tags (<?= ?>) and single-expression echo statements within HTML templates (#​1149)
• Unary prefix comment oscillation: Fixed an idempotency bug where comments inside parenthesized unary prefix expressions (e.g., !(/* comment */ $x)) would oscillate between different positions on each format pass (#​1135)
• Print width with indentation: The formatter now correctly accounts for the current indentation level when calculating print width for breaking calls with zero-argument call arguments (#​993, #​1136)
• Method chain semicolon placement for nested chains: The method-chain-semicolon-on-next-line setting now correctly applies only when the method chain is the direct expression of the statement, not when a chain appears nested inside another expression (e.g., as a function argument)

Linter

• no-trailing-space fixer panic on CRLF files: Fixed a panic when the fixer encountered multibyte characters on lines with CRLF line endings (#​1137)

Lexer

• Namespaced identifiers in braced string interpolation: The lexer now correctly handles namespaced constant identifiers used as array keys inside braced string interpolation (e.g., "{$arr[Foo\BAR]}") (#​1128)

Prelude (Type Stubs)

• parse_str() @param-out type: Fixed the output parameter type annotation for parse_str() (#​1140)
• PHP 8.5 deprecation stubs: Updated type stubs to mark functions and features deprecated in PHP 8.5
• Closure::bind() stubs: Added proper stub definitions to prevent false invalid-callable errors (#​1127)

Composer

• Runtime function stubs: Added function stubs for Composer runtime compatibility, preventing errors when the Mago Composer plugin is loaded in a PHP context (#​1122)

🏗️ Internal

• Updated prelude stubs for PHP 8.5 deprecations
• Added IssueCode::all() method for listing all analyzer codes
• Added RuleEntry struct for serializing linter rules with metadata and severity level

🙏 Thank You

Contributors

A huge thank you to everyone who contributed code to this release:

• @​ddanielou — #​1140
• @​dotdash — #​1123, #​1138
• @​kzmshx — #​1134, #​1137, #​1145
• @​ptondereau — #​1136
• @​veewee — #​1122

Issue Reporters

Thank you to everyone who reported issues and requested features that shaped this release:

• @​bendavies — #​1126
• @​bfenton-smugmug — #​1128
• @​dotdash — #​1144
• @​HeySora — #​1131
• @​HugoHeneault — #​1105
• @​iparnamaa — #​1149
• @​karoun — #​1127
• @​kzmshx — #​1133
• @​klunejko — #​993
• @​lightla — #​1135
• @​MartkCz — #​1124
• @​Nadyita — #​1130
• @​seanjohnson08 — #​1142, #​1146
• @​WalterWoshid — #​1073, #​1077
• @​wryk — #​1150

---

Full Changelog: carthage-software/mago@1.8.0...1.9.0

v1.8.0: Mago 1.8.0

Compare Source

Mago 1.8.0

This release delivers major improvements to the incremental analysis engine for watch mode, new type narrowing capabilities, return type providers for filter_var() / filter_input(), and a large number of bug fixes across the analyzer, linter, formatter, and type system.

✨ Features

Analyzer

• is_a() and is_subclass_of() type narrowing: The analyzer now narrows types after calls to is_a() and is_subclass_of(), including support for class-string parameters (#​1102)
• Return type providers for filter_var() and filter_input(): These functions now return precise types based on the filter and flags arguments (e.g., FILTER_VALIDATE_INT returns int|false, FILTER_VALIDATE_EMAIL with FILTER_NULL_ON_FAILURE returns string|null) (#​1117)
• Discriminated union narrowing: When narrowing a union of keyed arrays (e.g., array{valid: true, result: string}|array{valid: false, errorCode: string}), the analyzer now correctly filters out incompatible variants based on the narrowed key type, instead of blindly overwriting all variants. This also works for object property narrowing on union types (#​1093)

Linter

• no-isset array access ignore option: The no-isset rule now supports an allow-array-access option, allowing you to flag isset($var) while still permitting isset($array['key']) for array offset checks (#​1097, #​1120) by @​dotdash

Semantics

• Enforce parentheses for immediately invoked closures: The semantics checker now flags function() { ... }() as error, requiring parentheses around the closure for immediate invocation (#​1118)

⚡ Performance

Incremental Analysis Engine

The watch mode (mago analyze --watch) received a complete overhaul of its incremental analysis pipeline:

• Signature-only fingerprinting: Body-only changes (e.g., changing a function implementation without modifying its signature) now skip cascade invalidation, resulting in significantly faster re-analysis cycles
• Targeted O(dirty) repopulation: Only changed symbols are re-populated, skipping safe symbols entirely
• Incremental codebase patching: New extend_ref and remove_entries operations allow fine-grained metadata updates without rebuilding the entire codebase
• Safe symbol restoration: The reference graph now supports restoring safe symbols and targeted cleanup, reducing unnecessary re-analysis
• Body-only docblock resolution: Fixed a bug where body-only changes left docblock type references unresolved, causing spurious non-existent-class-like errors in watch mode
• Improved file watcher stability: Better debounce handling, stability checks, and explicit path handling for the file watcher
• Watch mode is no longer experimental: The experimental warning has been removed

🐛 Bug Fixes

Analyzer

• require-extends/require-implements resolution: Members from @require-extends and @require-implements types are now correctly resolved (#​1064, #​1070)
• Unused property false positive with trait overrides: Properties that override trait properties via constructor promotion are no longer incorrectly flagged as unused (#​1119)
• FQN literal constants: Fully-qualified constant accesses \true, \false, and \null are now correctly recognized (#​1099, #​1100) by @​kzmshx
• Class-level template parameters for static calls: Template parameters defined at the class level are now properly resolved when making static method calls on generic types (#​1103)
• Abstract method compatibility checking: The get_substituted_method function is now correctly applied to the child method when checking method signature compatibility, fixing false positives with generic abstract method inheritance
• Mixin type parameters preservation: Type parameters on mixin types (e.g., IteratorIterator) are now preserved during method resolution, fixing incorrect return types (#​1106)
• Integer narrowing with non-variable expressions: Fixed incorrect narrowing when comparing integers against non-variable expressions like function calls (#​1088)
• For-loop condition narrowing: Integer literals in loop conditions (e.g., for ($i = 0; $i < 10; $i++)) are now properly extracted from the AST for type narrowing (#​1089)
• Redundant type comparison in OR conditions: Fixed false positive redundant-type-comparison when using count checks or string narrowing in || conditions (#​1112)
• List count with unknown size: HasAtLeastCount assertions no longer incorrectly set an exact known_count on lists with unknown count, preventing false unreachable-code reports (#​1104)
• Array spread with unknown count: Fixed false positive when spreading a list with unknown count into an array literal (#​1108)
• Class constant @var docblock type: The analyzer now prefers @var docblock types over inferred types for class constants, fixing cases where properly typed array values stayed as mixed (#​1090, #​1094)

Codex (Type System)

• never as bottom type: never is now correctly treated as a subtype of all types in extends_or_implements checks (#​1107, #​1109) by @​kzmshx
• Type alias forward references: All local @psalm-type / @phpstan-type alias names are now pre-registered before parsing, so aliases can reference each other regardless of declaration order (#​1116)
• String casing detection: Fixed incorrect impossible-condition false positives when comparing strtolower()/strtoupper() results with literals containing non-alphabetic characters (spaces, digits, etc.) (#​1086)
• Bidirectional TUnion equality: Type union equality checks are now bidirectional, preventing false positives when comparing types with different ordering (#​1087)

Linter

• no-redundant-use whole-word matching: Docblock reference checking now uses whole-word matching instead of substring matching, so use Config; is correctly flagged as unused even when ConfigUsage appears in a docblock (#​1078)
• inline-variable-return with by-reference assignment: The fixer no longer inlines assignments of by-reference expressions, which would produce invalid PHP (#​1114)
• prefer-early-continue with non-block body: Fixed the fixer for cases where the loop body is a single statement without braces (#​1085) by @​chrisopperwall-qz

Formatter

• First-class callable with argument unpacking: First-class callable expressions (e.g., $foo(...)) are no longer incorrectly treated as breaking expressions, fixing misformatted output (#​1091)
• Redundant grouping parentheses: The formatter now correctly removes redundant grouping parentheses in more cases (#​1121) by @​Michael4d45
• Heredoc span calculation: Fixed incorrect span calculation for heredoc/nowdoc strings, which could cause formatting issues (#​1092)

Prelude (Type Stubs)

• explode() return type: Corrected to properly return list<string> instead of non-empty-list<string> when the separator could be empty (#​1095)
• array_slice() return type: Now correctly preserves string keys in the return type (#​1096)
• ldap_sasl_bind() stubs: Updated all arguments except the first to be nullable (#​1098)
• bin2hex() stubs: Improved type definition (#​1101) by @​veewee

🏗️ Internal

• Removed experimental warning for analyzer watch mode
• New IncrementalAnalysisService encapsulating the full incremental analysis pipeline for watch mode and LSP
• CodebaseDiff::between() for metadata comparison and mark_safe_symbols() for incremental analysis
• Signature-only fingerprint mode for detecting body-only vs. signature changes
• Applied clippy fixes across codex and linter crates
• Re-generated linter documentation

🙏 Thank You

Contributors

A huge thank you to everyone who contributed code to this release:

• @​chrisopperwall-qz — #​1085
• @​dotdash — #​1120
• @​kzmshx — #​1100, #​1109
• @​Michael4d45 — #​1121
• @​veewee — #​1101

Issue Reporters

Thank you to everyone who reported issues and requested features that shaped this release:

• @​bendavies — #​1094
• @​ddanielou — #​1093
• @​Dima-369 — #​1086, #​1087
• @​dotdash — #​1097, #​1118
• @​dynasource — #​1090
• @​erik-perri — #​1078
• @​karoun — #​1103, #​1116
• @​KorvinSzanto — #​1117, #​1119
• @​kzmshx — #​1107
• @​marcovmun — #​1092, #​1114
• @​MartkCz — #​1091
• @​matsuo — #​1098
• @​mreidel-godaddy — #​1095, #​1096
• @​Nadyita — #​1104, #​1106, #​1108, #​1112

---

Full Changelog: carthage-software/mago@1.7.0...1.8.0

v1.7.0: Mago 1.7.0

Compare Source

Mago 1.7.0

This release introduces new type system features, improved type inference for built-in functions, a new linter rule, and numerous bug fixes for the analyzer, formatter, and type system. A significant internal effort also went into reducing dependencies and binary size.

✨ Features

Type System

• uppercase-string and non-empty-uppercase-string types: Full support for these PHPDoc types in type syntax, codex, and analyzer. This resolves cascading errors when these types were previously unrecognized (#​1057)

Analyzer

• Return type providers for min() and max(): These functions now return precise types based on their arguments (#​1074)

• array_filter() callback parameter type inference: The analyzer now respects the mode argument (ARRAY_FILTER_USE_KEY, ARRAY_FILTER_USE_BOTH) when inferring closure parameter types, fixing incorrect mixed inference for callback parameters (#​1031)

• Switch statement fallthrough analysis: The analyzer now correctly recognizes that non-terminating code paths in a case block fall through to the next case. A case with a conditional return followed by a case that always returns is no longer flagged as missing-return-statement (#​1081)

Linter

• no-redundant-isset rule: New rule that detects redundant arguments in isset() calls. For example, in isset($a, $a['key'], $a['key']['nested']), the first two checks are redundant because isset on a nested access implicitly checks all parent accesses (#​769)

CLI

• --ignore-baseline flag: New flag for lint and analyze commands that temporarily ignores the baseline file, useful for reviewing and fixing baselined issues (#​1076)

⚡ Performance

• Reduced AST size: Optimized AST node representation to reduce memory usage during parsing
• Leaner binary: Removed 7 third-party dependencies (reqwest, openssl, num_cpus, strum_macros, derivative, strsim, bitflags, async-walkdir), replacing them with standard library equivalents or manual implementations. reqwest/openssl were replaced with ureq/rustls for a significantly smaller and faster-compiling binary

🐛 Bug Fixes

Analyzer

• Unused method false positives: Methods referenced in literal arrays ([$this, 'method']) and string callbacks ('ClassName::method') are now correctly tracked as used (#​1069, #​1044)
• Property/constant access type expansion: Property access and constant access expressions now have their types properly expanded, fixing incorrect type inference (#​1071)
• Non-optional list items in array merge: Fixed an issue where non-optional list items were incorrectly skipped during array merging

Codex

• @psalm-require-extends support in traits: Methods, properties, and class constants inherited from required parent classes via @psalm-require-extends or @phpstan-require-extends are now properly resolved in traits, eliminating false non-existent-property, non-existent-class-constant, and unknown-ref errors (#​1064, #​1068, #​1070)
• Enum types in generic comparator: Fixed incorrect type comparison when enums implement generic interfaces, resolving false invalid-return-type errors (#​1061)
• Platform-aware constant types: Predefined constants like PHP_INT_SIZE, PHP_INT_MAX, and PHP_FLOAT_DIG now use platform-aware range/union types instead of host-specific literal values. PHP_INT_SIZE > 4 is no longer flagged as a redundant comparison (#​1084)

Formatter

• Assignment alignment leaking into nested arrays: When align-assignment-like is enabled, the alignment context from consecutive variable assignments no longer leaks into nested array key-value pairs (#​1082)

Linter

• prefer-first-class-callable with reference captures: Skip suggesting first-class callable syntax when the callee variable is captured by reference in a closure's use clause, as the two forms have different semantics (#​1067, #​1063) by @​kzmshx

Prelude (Type Stubs)

• array_walk generics: Fixed generic templates for array_walk to properly infer callback parameter types (#​1066, #​1045) by @​ddanielou
• array_splice type precision: Improved type definitions for array_splice to preserve list<T> types and correctly handle non-array replacement arguments (#​1072, #​1080)
• Sorting functions type precision: Enhanced type definitions for sorting functions (usort, uasort, uksort, etc.) to preserve non-empty array types (#​1083)

🏗️ Internal

• Replaced reqwest + openssl with ureq + rustls in self-update module
• Replaced num_cpus with std::thread::available_parallelism()
• Replaced bitflags with manual bit flag implementations
• Removed derivative, strum_macros, strsim, and async-walkdir dependencies
• Improved array inference logic in codex

🙏 Thank You

Contributors

A huge thank you to everyone who contributed code to this release:

• @​ddanielou — #​1066
• @​kzmshx — #​1067

Issue Reporters

Thank you to everyone who reported issues and requested features that shaped this release:

• @​aszenz — #​1031
• @​dotdash — #​769
• @​joshrai — #​1070
• @​karoun — #​1064
• @​klunejko — #​1082
• @​kzmshx — #​1063
• @​llaville — #​1044
• @​mathroc — #​1061
• @​Nadyita — #​1074, #​1080, #​1081, #​1083, #​1084
• @​Neila142 — #​1076
• @​rauanmayemir — #​1068, #​1069
• @​tm1000 — #​1057
• @​WalterWoshid — #​1071

---

Full Changelog: carthage-software/mago@1.6.0...1.7.0

v1.6.0: Mago 1.6.0

Compare Source

Mago 1.6.0

This release brings new analyzer checks for class design enforcement, new linter rules for file organization, path-scoped ignore/exclusion support, formatter fixes, and numerous bug fixes across the board.

✨ Features

Analyzer

• class-must-be-final check: New opt-in enforce-class-finality setting that reports classes not declared final, abstract, or annotated with @api/@psalm-api when they have no children (#​1054)

  [analyzer]
  enforce-class-finality = true

• missing-api-or-internal check: New opt-in require-api-or-internal setting that requires abstract classes, interfaces, and traits to have @api or @internal annotations, forcing projects to declare extensibility intent (#​1055)

  [analyzer]
  require-api-or-internal = true

• Path-scoped ignore entries: The ignore option now supports scoping ignored codes to specific paths (#​1037, #​1043)

  [analyzer]
  ignore = [
    "mixed-argument",
    { code = "missing-return-type", in = "tests/" },
    { code = "unused-parameter", in = ["tests/", "src/Generated/"] },
  ]

• Literal types for enum properties: Enum name and value properties now return literal types instead of generic string/int, enabling more precise type inference (#​1035, #​952) by @​veewee

• Severity level in code-count format: The code-count reporting format now includes the severity level for each issue code (#​987)

Linter

• file-name rule: New rule that enforces file names match the class/interface/enum/trait they contain (#​1049)

• single-class-per-file rule: New rule that enforces each file contains at most one class-like declaration

• Per-rule path exclusions: Linter rules now support path-based exclusions, allowing you to disable specific rules for specific directories (#​1037)

  [linter.rules]
  no-isset = { exclude = ["src/Legacy/"] }

• no-isset and readable-literal enabled by default: These rules are now enabled out of the box

• Removed deprecated rules: The deprecated constant-type, no-boolean-literal-comparison, parameter-type, property-type, and return-type linter rules have been removed — their functionality has been moved to the analyzer

Formatter

• PER-CS compatibility: inline-empty-function-braces and inline-empty-method-braces now default to true, matching the PER Coding Style specification (#​1053)

CLI

• Multiple --only rules: The --only flag now accepts multiple comma-separated rules (#​1046)

⚡ Performance

• foldhash replaces ahash: Switched to foldhash for faster hashing across the codebase
• Arc<T> replaces Box<T> in codex: Improves cloning performance for shared metadata

🐛 Bug Fixes

Analyzer

• Switch statement type narrowing: Non-exhaustive switch statements no longer incorrectly narrow variable types, preventing false redundant null-check warnings (#​1038)
• Type alias resolution in @var docblocks: Imported type aliases are now correctly expanded in @var docblock annotations (#​1029, #​1030)
• Type alias resolution in template extends: Imported type aliases are now resolved before being used as template arguments in extends/implements (#​1040)
• Template inference for non-generic objects: Non-generic named objects are no longer incorrectly included in template inference, preventing false positives (#​1036)
• FORCE_COLOR support: The FORCE_COLOR environment variable is now respected in reporting output (#​1042)
• CLI argument parser: Disabled enum variants are no longer shown in CLI argument parser output

Linter

• readable-literal false positive on floats: Fixed the rule triggering on float literals like 123.45 where neither side of the decimal benefits from separators, producing a no-op suggestion

Formatter

• Empty array line break: Fixed incorrect line break added at the end of empty arrays (#​1047, #​978) by @​Zuruuh
• Laravel Pint preset parity: Updated the Pint preset to match actual Laravel Pint formatting behavior (#​1052) by @​nikspyratos

Prelude (Type Stubs)

• array_walk generics: Added generic templates to array_walk for proper type inference (#​1045)
• curl_multi_exec signature: Corrected the signature of curl_multi_exec (#​1033)
• setcookie duplicate: Removed duplicate definition for setcookie that only accepted the old syntax (#​1032)

Documentation

• Fixed typo on homepage (#​1028)

🔒 Security & CI

• GitHub artifact attestations: Build artifacts now include provenance attestations for supply chain security (#​948)
• Explicit permissions: GitHub Actions workflows now use explicit permissions
• CD caching: Improved CI/CD pipeline with build caching
• Removed deprecated atty dependency

🏗️ Internal

• Bump time from 0.3.46 to 0.3.47 (#​1039) by @​dependabot
• Disable incremental build and add memory-debug profile
• Update sponsors list

🙏 Thank You

Contributors

A huge thank you to everyone who contributed code to this release:

• @​veewee
• @​nikspyratos
• @​Zuruuh

Issue Reporters

Thank you to everyone who reported issues and requested features that shaped this release:

• @​bendavies — #​1040
• @​ddanielou — #​1045
• @​JnsCas — #​1049
• @​KorvinSzanto — #​1053, #​1054, #​1055
• @​llaville — #​987, #​1028, #​1042, #​1043
• @​mytskine — #​1032, #​1033
• @​nikspyratos — #​1037, #​1046
• @​scop — #​948
• @​veewee — #​952
• @​WalterWoshid — #​1029, #​1030, [#​1036](https://redirect.github.com/

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

Renovate Bot

[renovate]

automergeComment