[5.4] Update composer dependencies

[richard67]

Pull Request for Issues #42859 , #45681 .

Summary of Changes

This pull request (PR) updates composer dependencies for the upcoming 5.4.0-beta1 release with respect to version constraints in the composer.json file, i.e. the result is what you get when you simply run composer update without having modified the composer.json file before.

In addition, this PR updates the version constraints in the composer.json file to reflect the updated versions without changing the kind of constraint.

Finally, the PR updates the PHPstan baseline file to adapt to the updated PHPstan version.

Why it needs to change the PHPstan baseline file

The updates have been made in 3 steps with 3 separate commits:

1. First all dependencies except of PHPstan have been updated.
   As you can see in the commit history, the CI checks for that commit were successful.
2. Then PHPstan has been updated.
   As you can see in the commit history, the CI checks for that commit have failed.
   If you check the details (click on the red cross beside the commit ID) you can see that only PHPstan has failed.
3. Finally the baseline file "phpstan-baseline.neon" of PHPstan has been updated so PHPstan checks pass again.

If you do it the other way around, first update PHPstan, then update the baseline file and then all other dependencies you will get the same result: After the first step PHP stan checks fail with the same number of errors as after step 2 in the above procedure, and when that has been fixed with the baseline file change, the PHPstan checks pass again, and the update of the other dependencies does not change that.

This shows that the new PHPstan errors (mainly deprecation notices and not really errors) which require the change of the baseline file are caused by the update of PHPstan.

Their b/c policy says here https://phpstan.org/user-guide/backward-compatibility-promise :

Type inference capabilities

As bugs get fixed, PHPStan gets smarter, and figures out more precise information about existing code. This can lead to unavoidable changes in understanding analysed code, and to old errors stopped being reported, or new errors started being reported.

The nature of static analyser is that the output can change even in minor/patch version, because any single change leads to code being understood a bit differently, and therefore breaking someone’s build.

So this is obviously the case here.

To be done with another PR: webauthn-lib

The "web-auth/webauthn-lib" is currently hard-pinned to version 4.5.2.

The main reason for that is that with an update to the latest 4.x version, the indirect dependency "web-auth/metadata-service" would be removed, which would require refactoring of CMS code as that uses this dependency.

The latest version which still includes the "web-auth/metadata-service" is 4.8.7.

An update to that version seems to work, but it will contain lots of refactoring and so should be done with a separate PR, which will need careful testing.

Updated Joomla Framework dependencies

New 3.x releases have been created for all Joomla Framework packages, so all dependencies to framework packages are updated.

However, not all updates contain relevant code changes. Some only change development dependencies or remove development only files from packages (which are removed from the CMS by the build.php script anyway).

joomla/application

Bug fixes and improvements:

• fix cli scheduler:run breaks if --live-site does not end with / joomla-framework/application#123
  This fixes issue cli scheduler:run breaks if --live-site does not end with / #42859 .
• [4.0] Fixing phpstan error and adding baseline joomla-framework/application#139

All changes: joomla-framework/application@3.0.3...3.0.4

joomla/archive

Bug fixes: Fixed wrong parameter type of set_time_limit call and a PHPstan warning in src/Zip.php, see commit joomla-framework/archive@1d50685 .

All changes: joomla-framework/archive@3.0.2...3.0.4

joomla/authentication

Only development related changes.

All changes: joomla-framework/authentication@3.0.1...3.0.3

joomla/console

Fix some PHPstan warnings in src/Application.php, see commit joomla-framework/console@fd5824c .

All changes: joomla-framework/console@3.0.1...3.0.3

joomla/crypt

Bug fixes and improvements:

• Fix wrong parameter type in openssl function calls from phpstan scan, see commit joomla-framework/crypt@11761ea .
• Remove unneeded checks for libsodium as Sodium is part of PHP since 7.2, see remove unneeded checks joomla-framework/crypt#26 (back ported from 4.x to 3.x)

All changes: joomla-framework/crypt@3.0.1...3.0.3

joomla/data

Bug fixes and improvements:

• [PHP8.4] Deprecate implicitly nullable parameter types joomla-framework/data#20
• [3.x] Add ReturnTypeWillChange attribute to methods where return types will be fixed in 4.x-dev joomla-framework/data#29

All changes: joomla-framework/data@3.0.1...3.0.3

joomla/database

Only development related changes.

All changes: joomla-framework/database@3.4.2...3.4.3

joomla/di

New feature Lazy Objects Helper:

• Lazy Objects helper joomla-framework/di#64
• Lazy Objects helper v2 joomla-framework/di#67

Other changes are development related only.

All changes: joomla-framework/di@3.0.1...3.1.1

joomla/event

Fix unignorable PHPstan warnings in src/EventImmutable.php with commit joomla-framework/event@aabdac5 .

Other changes are development related only.

All changes: joomla-framework/event@3.0.1...3.0.2

joomla/filter

Only development related changes.

All changes: joomla-framework/filter@3.0.2...3.0.4

joomla/filesystem

Bug fixes and improvements:

• Meaningfull error for copy method joomla-framework/filesystem#71
• Invalidate file cache upon copying folders joomla-framework/filesystem#74
• [3.x] Port improvements for opcache invalidation from CMS - redo PR #38 joomla-framework/filesystem#75
  This fixes issue PHP Warning opcache.restrict_api='not-website-apth' #45681 .

Other changes are development related only.

All changes: joomla-framework/filesystem@3.1.0...3.1.2

joomla/http

Improvement:

• [2.x] Socket driver : default to 1.0 as protocol version joomla-framework/http#54 .

Other changes are development related only.

All changes: joomla-framework/http@3.1.0...3.1.2

joomla/input

Only development related changes.

All changes: joomla-framework/input@3.0.0...3.0.2

joomla/language

Only development related changes.

All changes: joomla-framework/language@3.0.0...3.0.2

joomla/oauth1

Fix PHP deprecation:

• [PHP8.4] Deprecate implicitly nullable parameter types joomla-framework/oauth1#11

Other changes are development related only.

All changes: joomla-framework/oauth1@3.0.0...3.0.1

joomla/oauth2

Bug fixes and improvements:

• Fix missing code param in authentication request joomla-framework/oauth2#21
• [PHP8.4] Deprecate implicitly nullable parameter types joomla-framework/oauth2#24

Other changes are development related only.

All changes: joomla-framework/oauth2@3.0.0...3.0.1

joomla/registry

Only development related changes.

All changes: joomla-framework/registry@3.0.0...3.0.2

joomla/router

Fix PHP deprecation:

• [PHP8.4] Deprecate implicitly nullable parameter types joomla-framework/router#19

Other changes are development related only.

All changes: joomla-framework/router@3.0.0...3.0.2

joomla/session

Bug fixes and improvements:

• [3.x] use database createQuery joomla-framework/session#64
• Fix wrong parameter types and names in doc blocks and resolve one assignment inside a boolean expression with commit joomla-framework/session@8876b26

Other changes are development related only.

All changes: joomla-framework/session@3.0.1...3.0.3

joomla/string

Bug fix: Fix parameter types in calls to setlocale and wrong data type for integer calculation with commit joomla-framework/string@cb2967f

Other changes are development related only.

All changes: joomla-framework/string@3.0.1...3.0.4

joomla/uri

Fix PHPstan warnings with commit joomla-framework/uri@ac18b41 .

Other changes are development related only.

All changes: joomla-framework/uri@3.0.0...3.0.2

joomla/utilities

Only development related changes.

All changes: joomla-framework/utilities@3.0.0...3.0.2

Updated other dependencies

google/recaptcha

Bug fixes and improvements:

• Update recaptcha-v2-checkbox.php google/recaptcha#482
• Fix PHPdoc param description for setChallengeTimeout google/recaptcha#547
• Fix compatibility with php 8.4 google/recaptcha#575

Other changes are development related only.

All changes: google/recaptcha@1.3.0...1.3.1

phpmailer/phpmailer

Add full support for Unicode characters in email addresses, see https://github.com/PHPMailer/PHPMailer/releases/tag/v6.10.0 .

All changes: PHPMailer/PHPMailer@v6.9.3...v6.10.0

symfony/console

Releases:

• https://github.com/symfony/console/releases/tag/v6.4.20
• https://github.com/symfony/console/releases/tag/v6.4.21
• https://github.com/symfony/console/releases/tag/v6.4.22
• https://github.com/symfony/console/releases/tag/v6.4.23

All changes: symfony/console@v6.4.17...v6.4.23

symfony/error-handler

Releases:

• https://github.com/symfony/error-handler/releases/tag/v6.4.20
• https://github.com/symfony/error-handler/releases/tag/v6.4.22
• https://github.com/symfony/error-handler/releases/tag/v6.4.23

All changes: symfony/error-handler@v6.4.19...v6.4.23

symfony/polyfill-mbstring

Bug fixes:

• mbstring: Fix mb_rtrim() for UTF-8 text with commit symfony/polyfill-mbstring@6c1cb6e .
• Require iconv for mbstring with commit symfony/polyfill-mbstring@01072b6 .

All changes: symfony/polyfill-mbstring@v1.31.0...v1.32.0

symfony/web-link

No significant changes, only a new deprecation comment.

All changes: symfony/web-link@v6.4.13...v6.4.22

symfony/yaml

Releases:

• https://github.com/symfony/yaml/releases/tag/v6.4.20
• https://github.com/symfony/yaml/releases/tag/v6.4.21
• https://github.com/symfony/yaml/releases/tag/v6.4.23

All changes: symfony/yaml@v6.4.18...v6.4.23

composer/ca-bundle

Update cacert.pem to 2025-05-20, see https://github.com/composer/ca-bundle/releases/tag/1.5.7 .

All changes: composer/ca-bundle@1.5.6...1.5.7

web-token/jwt-library

Allow psr/cache v2, see https://github.com/web-token/jwt-library/releases/tag/3.4.8 .

All changes: web-token/jwt-library@3.4.7...3.4.8

php-debugbar/php-debugbar

There are lots of bug fixes and improvement since v2.1.6, but they all seem to be b/c.

A new opt-in feature added with version 2 is to collect PHP warnings, notices and deprecations which don't stop the code from running, see php-debugbar/php-debugbar#748 .

Release notes:

• https://github.com/php-debugbar/php-debugbar/releases/tag/v2.2.0
• https://github.com/php-debugbar/php-debugbar/releases/tag/v2.2.1
• https://github.com/php-debugbar/php-debugbar/releases/tag/v2.2.2
• https://github.com/php-debugbar/php-debugbar/releases/tag/v2.2.3
• https://github.com/php-debugbar/php-debugbar/releases/tag/v2.2.4

All changes: php-debugbar/php-debugbar@v2.1.6...v2.2.4

Updated development only dependencies

joomla/mediawiki

Fix Users::unBlockUserByID() method to use POST request and data with commit joomla-framework/mediawiki-api@7df0684 .

Other changes are development related only.

All changes: joomla-framework/mediawiki-api@3.0.0...3.0.1

joomla/test

Remove unnecesary empty() checks in src/DatabaseManager.php with commit joomla-framework/test@2aa3102 .

Other changes are development related only.

All changes: joomla-framework/test@3.0.0...3.0.3

phpunit/phpunit

See https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.23 .

All changes: sebastianbergmann/phpunit@9.6.22...9.6.23

friendsofphp/php-cs-fixer

All changes: PHP-CS-Fixer/PHP-CS-Fixer@v3.72.0...v3.84.0

squizlabs/php_codesniffer

All changes: PHPCSStandards/PHP_CodeSniffer@3.12.0...3.13.2

phpstan/phpstan

All changes: phpstan/phpstan@2.1.8...2.1.19

phpstan/phpstan-deprecation-rules

All changes: phpstan/phpstan-deprecation-rules@2.0.1...2.0.3

Testing Instructions

Experienced Reviewers

Update 2025-07-27: This part is already done. The PR has already 2 successful reviews by experienced maintainers.

Reviewers please use the GitHub review functionality to approve the changes or request changes.

1. Review the changes listed above.
2. Check that GitHub actions of the CI checks are successful.
3. Check that the patched package for this PR has been successfully build with the Drone CI step.

End Users

The patched installation and update packages and custom update URL created by Drone for this PR can be found here:
https://artifacts.joomla.org/drone/joomla/joomla-cms/5.4-dev/45777/downloads/86405/

When having tested, please submit your test result in the issue tracker here https://issues.joomla.org/tracker/joomla-cms/45777 with the blue "Test this" button at the top left corner.

1. Make a new installation with the branch or patched package from this PR.
2. Switch error reporting to maximum and Debug System to On in global configuration.
3. Install Blog Sample Data.
4. Check that the debug bar works at least as well as before.
5. Do whatever else comes into your mind in backend and frontend.
6. Optional (only if you can easily reproduce):
   Check that issue cli scheduler:run breaks if --live-site does not end with / #42859 is fixed.
7. Optional (only if you can easily reproduce):
   Check that issue PHP Warning opcache.restrict_api='not-website-apth' #45681 is fixed.

Actual result BEFORE applying this Pull Request

Composer dependencies are outdated.

Expected result AFTER applying this Pull Request

Composer dependencies are up-to date, except of "web-auth/webauthn-lib" and "web-auth/metadata-service", which have to be checked separately, see section "To be done with another PR: webauthn-lib" above.

The CMS works as well as before, also the debug bar.

Issues #42859 and #45681 are fixed.

Link to documentations

Please select:

• Documentation link for docs.joomla.org:

• No documentation changes for docs.joomla.org needed

• Pull Request link for manual.joomla.org:

• No documentation changes for manual.joomla.org needed

[richard67]

As this PR has 2 successful reviews, the review part of the testing instructions is done, and it only needs 2 human tests for the end user tests, which mainly consist of checking that nothing is broken and having a closer look on the debug bar.

@brianteeman As you recently had to do with the debug bar: Could you test this PR? That would be a great help. Thanks in advance.

[brianteeman]

@richard67 to be honest the entire debug plugin needs to be reviewed. I'd just accept this update as is and then someone needs to look at all the debug plugin functionality and our implementation of it. Its a spaghetti code of custom changes and hacks which in many cases are old and no longer needed. I tried to look into it but its a mess and I couldnt work out why we had the current customisations etc. Would be better if a fresh pair of eyes created the plugin from scratch with a new integration and then seeing what needs to be added etc. Anything else is a waste of time.

[richard67]

I'd just accept this update as is

@brianteeman Then you would give this PR a successful test?

[brianteeman]

i dont know enough about the other parts of the pr to test it

[dautrich]

I have tested this item ✅ successfully on d4e6654

Tested including the CLI option; OPCache option not tested

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/45777.}

[ceford]

I have tested this item ✅ successfully on d4e6654

Except that did not test #45681 (opcache).

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/45777.}

[richard67]

RTC

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/45777.}

[muhme]

✅ Final test before merge

• JBT full installation from Joomla_5.4.0-alpha4-dev+pr.45777-Development-Full_Package.zip
  • Enabled Log Almost Everything and debug bar, installed Blog Sample Data, created article/category/user, installed and configured module zitat-service.de
• JBT update from Joomla_5.4.0-alpha3 with custom update server URL https://artifacts.joomla.org/drone/joomla/joomla-cms/5.4-dev/45777/downloads/86405/pr_list.xml
  • Enabled Log Almost Everything and debug bar, installed German language packet as extension, installed Multilingual Sample Data , created article and associated
• local installation from git clone plus gh pr checkout 45777
  • checked all required and dev-required packages in composer.json matching latest available version (without checking backports)
    • phpstan/phpstan 2.1.19 is a newer version 2.1.20 released two days ago 2025-07-26, but this will always happen
  • checked with composer outdated --minor-only, direct dependencies only the following and already commented with reason:
    • phpstan/phpstan
    • web-auth/webauthn-lib
  • Checked composer i, only one warning remains as already commented
    • Package web-auth/metadata-service is abandoned
  • Checked composer update --lock is creating the same composer.lock file
  • Checked composer audit -> only the already named web-auth/webauthn-lib is named with potential security vulnerability

[muhme]

Many thanks @richard67 for this enormous amount of work and the detailed description. Thank you @rdeutz and @laoneo for review. Thank you @brianteeman, @dautrich and @ceford for testing.