Fix composer audit vulnerabilities (phpunit, symfony/process)#259

Merged: CybotTM merged 1 commit into main from fix/composer-audit-vulnerabilities on Feb 9, 2026

Conversation

@CybotTM CybotTM commented Feb 9, 2026

Summary

  • Update phpunit/phpunit from 12.5.7 to 12.5.10 to fix CVE-2026-24765 (high severity: unsafe deserialization in PHPT code coverage handling)
  • Update symfony/process from v8.0.4 to v8.0.5 to fix CVE-2026-24739 (medium severity: incorrect argument escaping under MSYS2/Git Bash on Windows)
  • Includes sub-dependency updates: phpunit/php-code-coverage 12.5.2 -> 12.5.3, phpunit/php-file-iterator 6.0.0 -> 6.0.1

These two vulnerabilities are currently causing the composer audit step to fail in CI, blocking PR #258 and any other PRs that run the Lint & Static Analysis workflow.

Only composer.lock is changed; no changes to composer.json were needed since the existing version constraints already allow the fixed versions.

Test plan

  • CI composer audit step passes (no more security advisory failures)
  • Unit tests pass (phpunit upgrade is a patch version)
  • All other CI checks remain green

Update phpunit/phpunit 12.5.7 -> 12.5.10 to fix CVE-2026-24765
(high: unsafe deserialization in PHPT code coverage handling).

Update symfony/process v8.0.4 -> v8.0.5 to fix CVE-2026-24739
(medium: incorrect argument escaping under MSYS2/Git Bash on Windows).
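As an added check (not part of this PR or the project's code), the script below parses a composer.lock file and reports any package still below the fixed versions named above; the embedded lock content is a constructed minimal sample mirroring the pre-PR state, not the project's real lock file.

```python
"""Check a composer.lock against minimum fixed versions.

Added example, not part of PR #259. composer.lock is JSON; packages live in
the "packages" (runtime) and "packages-dev" (dev-only) arrays, and versions
may carry a leading "v" (symfony/process) or not (phpunit/phpunit).
"""
import json
import re

# Minimum versions from the PR: the releases that fix the two advisories.
MIN_FIXED = {
    "phpunit/phpunit": "12.5.10",  # CVE-2026-24765
    "symfony/process": "8.0.5",    # CVE-2026-24739
}

def parse_version(v: str) -> tuple:
    """Turn 'v8.0.5' or '12.5.10' into a comparable tuple of ints."""
    m = re.match(r"^[vV]?([0-9]+(?:\.[0-9]+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.group(1).split("."))

def locked_versions(lock: dict) -> dict:
    """Map package name -> locked version across runtime and dev sections."""
    out = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            out[pkg["name"]] = pkg["version"]
    return out

def outdated(lock: dict, minimums: dict = MIN_FIXED) -> dict:
    """Return {name: locked_version} for packages below their fixed version."""
    versions = locked_versions(lock)
    return {
        name: versions[name]
        for name, floor in minimums.items()
        if name in versions and parse_version(versions[name]) < parse_version(floor)
    }

# Constructed sample of the pre-PR state (phpunit is a dev dependency).
SAMPLE_LOCK = json.loads("""{
  "packages": [{"name": "symfony/process", "version": "v8.0.4"}],
  "packages-dev": [{"name": "phpunit/phpunit", "version": "12.5.7"}]
}""")

if __name__ == "__main__":
    for name, ver in outdated(SAMPLE_LOCK).items():
        print(f"{name} {ver} < {MIN_FIXED[name]}")
```

Run it against a real lock file by replacing SAMPLE_LOCK with json.load(open("composer.lock")); an empty result means both packages are at or above the fixed versions.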
Copilot AI left a comment

Copilot wasn't able to review any files in this pull request.

@gemini-code-assist gemini-code-assist bot commented

Summary of Changes

Hello @CybotTM, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on enhancing the project's security posture by addressing two critical vulnerabilities found in "phpunit/phpunit" and "symfony/process". By updating these key dependencies and their sub-dependencies, the PR ensures that the application is protected against known exploits, while also resolving CI failures related to "composer audit" checks, thereby unblocking further development.

Highlights

  • PHPUnit Vulnerability Fix: Updated "phpunit/phpunit" from 12.5.7 to 12.5.10 to resolve a high-severity unsafe deserialization vulnerability (CVE-2026-24765).
  • Symfony Process Vulnerability Fix: Updated "symfony/process" from v8.0.4 to v8.0.5 to address a medium-severity incorrect argument escaping vulnerability (CVE-2026-24739).
  • Sub-dependency Updates: Included updates for "phpunit/php-code-coverage" (12.5.2 to 12.5.3) and "phpunit/php-file-iterator" (6.0.0 to 6.0.1).
  • CI Unblock: These updates are crucial for passing the "composer audit" step in CI, which was blocking other pull requests.
  • Lock File Only: All changes are confined to "composer.lock", as existing "composer.json" constraints already allowed the updated versions.

Changelog
  • composer.lock
    • Updated "phpunit/php-code-coverage" from 12.5.2 to 12.5.3.
    • Updated "phpunit/php-file-iterator" from 6.0.0 to 6.0.1, including new funding URLs.
    • Updated "phpunit/phpunit" from 12.5.7 to 12.5.10.
    • Updated "symfony/process" from v8.0.4 to v8.0.5.
    • Updated "plugin-api-version" from 2.6.0 to 2.9.0.
    • Various "reference" hashes and "time" stamps were updated for the affected packages.
Activity
  • The pull request was initiated by CybotTM to resolve security vulnerabilities identified by "composer audit".
  • The author provided a clear summary of the vulnerabilities, the affected packages, and the versions being updated.
  • A test plan was outlined, emphasizing CI "composer audit" success, unit test stability, and overall CI health.
  • The changes are exclusively within "composer.lock", indicating a dependency resolution update rather than direct code modifications.
@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request effectively resolves two security vulnerabilities by updating phpunit/phpunit and symfony/process along with their dependencies. The changes are correctly isolated to the composer.lock file, which is the expected outcome of running composer update to apply security patches. The updated versions directly address the mentioned CVEs. The change is straightforward and necessary for the project's security. I approve of these changes.

codecov bot commented Feb 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.49%. Comparing base (133396d) to head (a987242).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##               main     #259   +/-   ##
=========================================
  Coverage     81.49%   81.49%           
  Complexity     2579     2579           
=========================================
  Files           172      172           
  Lines          7107     7107           
=========================================
  Hits           5792     5792           
  Misses         1315     1315           
Flag Coverage Δ
integration 47.47% <ø> (ø)
unit 50.56% <ø> (ø)

@CybotTM CybotTM merged commit 8f2dce6 into main Feb 9, 2026
20 checks passed
@CybotTM CybotTM deleted the fix/composer-audit-vulnerabilities branch February 9, 2026 09:09