chore(deps): update api dev dependencies (major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
cakephp/cakephp-codesniffer (source)	^4.2 → ^5.0
mll-lab/laravel-graphiql	^3.0 → ^4.0
squizlabs/php_codesniffer	^3.5 → ^4.0

---

Release Notes

cakephp/cakephp-codesniffer (cakephp/cakephp-codesniffer)

v5.3.0: CakePHP CodeSniffer 5.3.0

Compare Source

What's Changed

Updated to use PHP_CodeSniffer 4.0.

Potentially breaking change: If you get an error about missing sniffs, you should remove the installed_paths config from your phpcs config file.

• update stan by @​LordSimal in #​417
• Update to phpcs v4 by @​ADmad in #​420
• 5.next by @​ADmad in #​421

Full Changelog: cakephp/cakephp-codesniffer@5.2.2...5.3.0

v5.2.2: CakePHP CodeSniffer 5.2.2

Compare Source

What's Changed

• fix error with change in slevomat/coding-standard 8.19.0 by @​LordSimal in #​416

Full Changelog: cakephp/cakephp-codesniffer@5.2.1...5.2.2

v5.2.1: CakePHP CodeSniffer 5.2.1

Compare Source

What's Changed

• Replace deprecated sniffs by @​ADmad in #​414

Full Changelog: cakephp/cakephp-codesniffer@5.2.0...5.2.1

v5.2.0: CakePHP CodeSniffer 5.2.0

Compare Source

What's Changed

• Add rule for trailing command in function call. by @​ADmad in #​398
• Update for PHP 8.1+ by @​dereuromark in #​369
• PHPStan Level 8 by @​dereuromark in #​399
• Remove unneded ClosureDeclarationSniff. by @​ADmad in #​400
• Add couple of new sniffs by @​ADmad in #​405
• adjust README by @​LordSimal in #​407
• Update readme by @​ADmad in #​406
• Update to Slevomat 8.16 and phpdoc-parser 2 by @​nicosp in #​412
• Prepare for v5.2 release by @​ADmad in #​413

New Contributors

• @​nicosp made their first contribution in #​412

Full Changelog: cakephp/cakephp-codesniffer@5.1.4...5.2.0

v5.1.4: CakePHP CodeSniffer 5.1.4

Compare Source

What's Changed

• fix error when phpdoc param has no type by @​LordSimal in #​403
• error on group use declarations by @​LordSimal in #​404

Full Changelog: cakephp/cakephp-codesniffer@5.1.3...5.1.4

v5.1.3: CakePHP CodeSniffer 5.1.3

Compare Source

What's Changed

• add attribute rules by @​LordSimal in #​396

Full Changelog: cakephp/cakephp-codesniffer@5.1.2...5.1.3

v5.1.2: CakePHP CodeSniffer 5.1.2

Compare Source

What's Changed

• 5.x dependencies update by @​ADmad in #​395
• Add sniff and formatter for arrow functions.

Full Changelog: cakephp/cakephp-codesniffer@5.1.1...5.1.2

v5.1.1: CakePHP CodeSniffer 5.1.1

Compare Source

What's Changed

• Update ruleset.xml by @​swiffer in #​381
• Removed phpunit.xml.dist by @​ADmad in #​384

Full Changelog: cakephp/cakephp-codesniffer@5.1.0...5.1.1

v5.1.0

Compare Source

What's Changed

• Add sniff for unused variables. by @​ADmad in #​371

Full Changelog: cakephp/cakephp-codesniffer@5.0.1...5.1.0

v5.0.1: CakePHP CodeSniffer 5.0.1

Compare Source

What's Changed

• Add spacing check for arrow function closures. by @​ADmad in #​366

Full Changelog: cakephp/cakephp-codesniffer@5.0.0...5.0.1

v5.0.0: CakePHP CodeSniffer 5.0.0

Compare Source

The 5.0 release will be used by cake 5 core and plugin packages. The primary changes involve type declarations and type hints for PHP 8.0+.

What's Changed

• cake 5: Switch to slevomat parameter typehint sniffs by @​othercorey in #​329
• cake 5: Switch to slevomat return typehint sniff by @​othercorey in #​331
• cake 5: Extend doc comment and attribute spacing checks by @​othercorey in #​332
• cake 5: Add function tag alignment check by @​othercorey in #​334
• cake 5: Sort param and return type hints by @​othercorey in #​335
• Convert array type to generic in non-unions by @​othercorey in #​338
• cake 5: Add slevomat property type hint sniffs by @​othercorey in #​339
• Add sniff to require use statements by @​othercorey in #​342
• Add support for scalar type by @​othercorey in #​345
• Don't sort unknown generics as arrays by @​othercorey in #​346
• 5.x: Enable missing native type hint sniffs by @​othercorey in #​349
• Remove parenthesis next to commas by @​othercorey in #​352
• Add missing docblock closer by @​othercorey in #​353
• Add $this and self to sort list by @​othercorey in #​354
• Simplify test case for TypeHintSniff by @​othercorey in #​355
• Add option to skip legacy generics by @​othercorey in #​359
• Add explicit dependency on phpstan/phpdoc-parser by @​othercorey in #​360
• Bump up slevomat coding standard. by @​ADmad in #​362
• Add test for intersections to type hint sniff by @​othercorey in #​364
• Bump up slevomat/coding-standard by @​ADmad in #​365

Full Changelog: cakephp/cakephp-codesniffer@4.6.0...5.0.0

mll-lab/laravel-graphiql (mll-lab/laravel-graphiql)

v4.0.2

Compare Source

Fixed

• Allow scrolling in GraphiQL Explorer plugin

v4.0.1

Compare Source

Fixed

• Fix Uncaught ReferenceError: fetcher is not defined error

v4.0.0

Compare Source

Changed

• Upgrade to GraphiQL 4
• Remove deprecated aliases for methods in GraphiQLAsset from DownloadAssetsCommand

PHPCSStandards/PHP_CodeSniffer (squizlabs/php_codesniffer)

v4.0.1: - 2025-11-10

Compare Source

This release includes all improvements and bugfixes from PHP_CodeSniffer 3.13.5.

Added

• Runtime support for PHP 8.5. All known PHP 8.5 deprecation notices have been fixed.
  • Syntax support for new PHP 8.5 features will follow in a future release.
  • If you find any PHP 8.5 deprecation notices which were missed, please report them.

Changed

• The Squiz.ControlStructures.SwitchDeclaration sniff will now flag a PHP close tag as a "wrong opener" and will auto-fix this by inserting a colon. #​1316
• Various housekeeping, including improvements to the tests and documentation.

Fixed

• 4.x regression #​1277: bring back whitespace tolerance in phpcs:ignore comma-separated rule reference lists.
  • Note: this bug did not affect phpcs:disable/phpcs:enable ignore annotations.
• Fixed bug #​968: Generic.WhiteSpace.ScopeIndent was reporting false positives - and making incorrect fixes - for lines following a line containing an arrow function.
  • Thanks to Soichi Sato for the patch.
• Fixed bug #​1216: Tokenizer/PHP: added more defensive coding to prevent PHP 8.5 "Using null as an array offset" deprecation notices.
  • Thanks to Andrew Lyons for the patch.
• Fixed bug #​1279: Tokenizer/PHP: on PHP < 8.0, an unclosed attribute (parse error) could end up removing some tokens from the token stream.
  • This could lead to false positives and false negative from sniffs, but could also lead to incorrect fixes being made mangling the file under scan.
• Fixed bug #​1315: Squiz.ControlStructures.SwitchDeclaration: a number of the fixers would get into fixer conflicts with each other if the code under scan contained multiple statements on a line within a switch.
  • The sniff will now forbid - and auto-fix - multiple statements on one line for case/default and "case breaking" statements.
• Fixed bug #​1316: Tokenizer/PHP: a PHP close tag after a switch case condition or after a default keyword, was not regarded as a "scope_opener" for the case/default body.
• Fixed bug #​1316: PSR2.ControlStructures.SwitchDeclaration: the WrongOpener error is now also auto-fixable if the wrong opener is a PHP close tag.
• Fixed bug #​1316: Squiz.PHP.NonExecutableCode would throw false positives when code within a switch control structure would move in and out of PHP.

---

New Contributors

The PHP_CodeSniffer project is happy to welcome the following new contributors:
@​andrewnicols, @​Soh1121

Statistics

Closed: 2 issues
Merged: 8 pull requests

Follow @​phpcs on Mastodon or @​PHP_CodeSniffer on X to stay informed.

Please consider funding the PHP_CodeSniffer project. If you already do so: thank you!

v4.0.0: - 2025-09-16

Compare Source

This release contains breaking changes.

Upgrade guides for both ruleset maintainers/end-users, as well as for sniff developers and integrators, have been published to the Wiki.

You are strongly encouraged to read the upgrade guide applicable to your situation before upgrading.

This release includes all improvements and bugfixes from PHP_CodeSniffer 4.0.0-beta1, 4.0.0-RC1, 3.13.3 and 3.13.4.

Changed

• Tokenizer/PHP: fully qualified exit/die/true/false/null will be tokenized as the keyword token and the token 'content' will include the leading backslash. #​1201
• Wherever possible based on the PHP 7.2 minimum version, parameter types have been added to all methods. #​1237
• The supported PHPUnit version constraints have been updated to ^8.4.0 || ^9.3.4 || ^10.5.32 || 11.3.3 - 11.5.28 || ^11.5.31. #​1247
  • External standards using the PHP_CodeSniffer native framework may need to update their own PHPUnit version constraints.
• Various housekeeping, including improvements to the tests and documentation.

Fixed

• Fixed bug #​1082: new exit codes weren't applied when running phpcbf on code provided via STDIN.
  • Thanks to Dan Wallis for the patch.
• Fixed bug #​1172: // phpcs:set for inline array properties did not handle a single item array with the value true, false or null correctly.
• Fixed bug #​1174: progress bar wasn't showing files as fixed when running phpcbf in parallel mode.
• Fixed bug #​1226: PHP 8.5 "Using null as an array offset" deprecation notice.

Other

• Please be aware that the master branch has been renamed to 3.x and the default branch has changed to the 4.x branch.
  • If you contribute to PHP_CodeSniffer, you will need to update your local git clone.
  • If you develop against PHP_CodeSniffer and run your tests against dev branches of PHPCS, you will need to update your workflows.

---

Statistics

Closed: 5 issues
Merged: 35 pull requests

Follow @​phpcs on Mastodon or @​PHP_CodeSniffer on X to stay informed.

Please consider funding the PHP_CodeSniffer project. If you already do so: thank you!

v3.13.5: - 2025-11-04

Compare Source

Added

• Runtime support for PHP 8.5. All known PHP 8.5 deprecation notices have been fixed.
  • Syntax support for new PHP 8.5 features will follow in a future release.
  • If you find any PHP 8.5 deprecation notices which were missed, please report them.

Changed

• Various housekeeping, including improvements to the tests and documentation.
  • Thanks to Rodrigo Primo and Juliette Reinders Folmer for their contributions.

Fixed

• Fixed bug #​1216: Tokenizer/PHP: added more defensive coding to prevent PHP 8.5 "Using null as an array offset" deprecation notices.
  • Thanks to Andrew Lyons for the patch.
• Fixed bug #​1279: Tokenizer/PHP: on PHP < 8.0, an unclosed attribute (parse error) could end up removing some tokens from the token stream.
  • This could lead to false positives and false negative from sniffs, but could also lead to incorrect fixes being made mangling the file under scan.
  • Thanks to Juliette Reinders Folmer for the patch.

Other

• Please be aware that the master branch has been renamed to 3.x and the default branch has changed to the 4.x branch.
  • If you contribute to PHP_CodeSniffer, you will need to update your local git clone.
  • If you develop against PHP_CodeSniffer and run your tests against dev branches of PHPCS, you will need to update your workflows.

---

New Contributors

The PHP_CodeSniffer project is happy to welcome the following new contributors:
@​andrewnicols

Statistics

Closed: 2 issues
Merged: 36 pull requests

Follow @​phpcs on Mastodon or @​PHP_CodeSniffer on X to stay informed.

Please consider funding the PHP_CodeSniffer project. If you already do so: thank you!

v3.13.4: - 2025-09-05

Compare Source

Fixed

• Fixed bug #​1213: ability to run tests for external standards using the PHPCS native test framework was broken.
  • Thanks to Juliette Reinders Folmer for the patch.
• Fixed bug #​1215: PHP 8.5 "Using null as an array offset" deprecation notices.
  • Thanks to Juliette Reinders Folmer for the patch.

Statistics

Closed: 0 issues
Merged: 3 pull requests

If you like to stay informed about releases and more, follow @​phpcs on Mastodon or @​PHP_CodeSniffer on X.

Please consider funding the PHP_CodeSniffer project. If you already do so: thank you!

v3.13.3: - 2025-09-04

Compare Source

Added

• Tokenizer support for PHP 8.4 dereferencing of new expressions without wrapping parentheses. #​1160
  • Thanks to Juliette Reinders Folmer for the patch.
• Tokenizer support for PHP 8.4 abstract properties. #​1183
  • The File::getMemberProperties() method now also supports abstract properties through a new is_abstract array index in the return value. #​1184
  • Additionally, the following sniffs have been updated to support abstract properties:
    • Generic.PHP.LowerCaseConstant #​1185
    • Generic.PHP.UpperCaseConstant #​1185
    • PSR2.Classes.PropertyDeclaration #​1188
    • Squiz.Commenting.VariableComment #​1186
    • Squiz.WhiteSpace.MemberVarSpacing #​1187
  • Thanks to Juliette Reinders Folmer for the patches
• Tokenizer support for the PHP 8.4 "exit as a function call" change. #​1201
  • When exit/die is used as a fully qualified "function call", it will now be tokenized as T_NS_SEPARATOR + T_EXIT.
  • Additionally, the following sniff has been updated to handle fully qualified exit/die correctly:
    • Squiz.PHP.NonExecutableCode
  • Thanks to Juliette Reinders Folmer for the patches

Changed

• Tokenizer/PHP: fully qualified true/false/null will now be tokenized as T_NS_SEPARATOR + T_TRUE/T_FALSE/T_NULL. #​1201
  • Previously, these were tokenized as T_NS_SEPARATOR + T_STRING.
  • Additionally, the following sniffs have been updated to handle fully qualified true/false/null correctly:
    • Generic.CodeAnalysis.UnconditionalIfStatement
    • Generic.ControlStructures.DisallowYodaConditions
    • PEAR.Functions.ValidDefaultValue
  • Thanks to Juliette Reinders Folmer for the patches.
• Generic.PHP.Syntax: the sniff is now able to scan input provided via STDIN on non-Windows OSes. #​915
  • Thanks to Rodrigo Primo for the patch.
• PSR2.ControlStructures.SwitchDeclaration: the WrongOpener* error code is now auto-fixable if the identified "wrong opener" is a semi-colon. #​1161
  • Thanks to Juliette Reinders Folmer for the patch.
• The PSR2.Classes.PropertyDeclaration will now check that the abstract modifier keyword is placed before a visibility keyword. #​1188
  • Errors will be reported via a new AbstractAfterVisibility error code.
  • Thanks to Juliette Reinders Folmer for the patch.
• Various housekeeping, including improvements to the tests and documentation.
  • Thanks to Bernhard Zwein, Rick Kerkhof, Rodrigo Primo and Juliette Reinders Folmer for their contributions.

Fixed

• Fixed bug #​1112 : --parallel option fails if PHP_CodeSniffer is invoked via bash and the invokation creates a non-PHPCS-managed process.
  • Thanks to Rick Kerkhof for the patch.
• Fixed bug #​1113 : fatal error when the specified "files to scan" would result in the same file being added multiple times to the queue.
  • This error only occured when --parallel scanning was enabled.
  • Thanks to Rodrigo Primo for the patch.
• Fixed bug #​1154 : PEAR.WhiteSpace.ObjectOperatorIndent: false positive when checking multiple chained method calls in a multidimensional array.
  • Thanks to Rodrigo Primo for the patch.
• Fixed bug #​1193 : edge case inconsistency in how empty string array keys for sniff properties are handled.
  • Thanks to Rodrigo Primo and Juliette Reinders Folmer for the patch.
• Fixed bug #​1197 : Squiz.Commenting.FunctionComment: return types containing a class name with underscores would be truncated leading to incorrect results.
  • Thanks to Juliette Reinders Folmer for the patch.

Other

• The Wiki documentation is now publicly editable. 🎉
  • Update proposals can be submittted by opening a pull request in the PHPCSStandards/PHP_CodeSniffer-documentation repository.
    Contributions welcome !
  • Thanks to Anna Filina, Dan Wallis and Juliette Reinders Folmer for their work on getting this set up.
• The Phar website has had a facelift. #​107
  • Thanks to Bernhard Zwein for making this happen!

---

New Contributors

The PHP_CodeSniffer project is happy to welcome the following new contributors:
@​benno5020, @​NanoSector

Statistics

Closed: 11 issues
Merged: 40 pull requests

Follow @​phpcs on Mastodon or @​PHP_CodeSniffer on X to stay informed.

Please consider funding the PHP_CodeSniffer project. If you already do so: thank you!

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: backend/composer.lock

Command failed: composer update cakephp/cakephp-codesniffer:5.3.0 mll-lab/laravel-graphiql:4.0.2 squizlabs/php_codesniffer:4.0.1 --with-dependencies --ignore-platform-req=ext-* --ignore-platform-req=lib-* --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins --minimal-changes
Loading composer repositories with package information
������������������������������������������������������                                                      ������������������������������������������������������Dependency dealerdirect/phpcodesniffer-composer-installer is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Dependency laravel/framework is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires squizlabs/php_codesniffer ^4.0, found squizlabs/php_codesniffer[4.0.0beta1, ..., 4.x-dev] but these were not loaded, likely because it conflicts with another require.
  Problem 2
    - ezyang/htmlpurifier is locked to version v4.18.0 and an update of this package was not requested.
    - ezyang/htmlpurifier v4.18.0 requires php ~5.6.0 || ~7.0.0 || ~7.1.0 || ~7.2.0 || ~7.3.0 || ~7.4.0 || ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0 || ~8.4.0 -> your php version (8.5.2) does not satisfy that requirement.
  Problem 3
    - Root composer.json requires cakephp/cakephp-codesniffer ^5.0 -> satisfiable by cakephp/cakephp-codesniffer[5.3.0].
    - cakephp/cakephp-codesniffer 5.3.0 requires dealerdirect/phpcodesniffer-composer-installer ^1.1.2 -> found dealerdirect/phpcodesniffer-composer-installer[v1.1.2, v1.2.0] but the package is fixed to v1.1.1 (lock file version) by a partial update and that version does not match. Make sure you list it as an argument for the update command.
  Problem 4
    - dealerdirect/phpcodesniffer-composer-installer is locked to version v1.1.1 and an update of this package was not requested.
    - dealerdirect/phpcodesniffer-composer-installer v1.1.1 requires squizlabs/php_codesniffer ^2.0 || ^3.1.0 || ^4.0 -> found squizlabs/php_codesniffer[2.0.0a1, ..., 2.9.x-dev, 3.1.0, ..., 3.x-dev, 4.0.0beta1, ..., 4.x-dev] but these were not loaded, likely because it conflicts with another require.
  Problem 5
    - sirbrillig/phpcs-variable-analysis is locked to version v2.12.0 and an update of this package was not requested.
    - sirbrillig/phpcs-variable-analysis v2.12.0 requires squizlabs/php_codesniffer ^3.5.6 -> found squizlabs/php_codesniffer[3.5.6, ..., 3.x-dev] but it conflicts with your root composer.json require (^4.0).
  Problem 6
    - mews/purifier is locked to version 3.4.3 and an update of this package was not requested.
    - ezyang/htmlpurifier v4.18.0 requires php ~5.6.0 || ~7.0.0 || ~7.1.0 || ~7.2.0 || ~7.3.0 || ~7.4.0 || ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0 || ~8.4.0 -> your php version (8.5.2) does not satisfy that requirement.
    - mews/purifier 3.4.3 requires ezyang/htmlpurifier ^4.16.0 -> satisfiable by ezyang/htmlpurifier[4.16.0 (alias of v4.18.0), v4.18.0].
    - ezyang/htmlpurifier 4.16.0 is an alias of ezyang/htmlpurifier v4.18.0 and thus requires it to be installed too.

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.