chore(deps): update dependency cyclonedx/cyclonedx-php-composer to v4

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
cyclonedx/cyclonedx-php-composer	require-dev	major	3.11.0 -> 4.0.0

---

Release Notes

CycloneDX/cyclonedx-php-composer

v4.0.0

Compare Source

Based on OWASP Software Component Verification Standard for Software Bill of Materials
(SCVS SBOM) criteria, this tool is now capable of producing SBOM documents almost passing Level-2 (only signing needs to be done externally).
Affective changes based on these SCVS SBOM criteria:

• 2.1 – Added Support for CycloneDX 1.4 (via #​250)
• 2.3 – SBOM has a unique identifier (#​279 via #​250, #​353)
• 2.7 – SBOM is timestamped (#​112 via #​250)
• 2.9 – Accuracy of Inventory was improved (#​102, #​122, #​261, #​313 via #​250)
• 2.10 – Accuracy of Inventory of all test components was improved (#​102, #​122, #​261, #​313 via #​250)
• 2.11 – SBOM metadata was enhanced (#​171 via #​250)
• 2.15 – SPDX license expression detection fixed (#​128 via #​250)

4.0.0 - Details

• BREAKING changes
• Removed support for PHP <8.1 (#​91, #​128 via #​250)
  • Removed support for Composer <2.3 (#​153 via #​250)
  • CLI
    • Removed deprecated composer command make-bom, call composer CycloneDX:make-sbom instead (#​293 via #​309)
    • Changed option output-file to default to - now, which causes to print to STDOUT (via #​250)
    • Removed option exclude-dev in favor of new option omit (via #​250)
    • Removed option exclude-plugins in favor of new option omit (via #​250)
    • Removed option no-version-normalization (#​102 via #​250)
  • SBOM results
    • Components' version is no longer artificially normalized (#​102 via #​250)
  • Dependencies
    • Requires cyclonedx/cyclonedx-library:^2.1, was :^1.4.2 (#​128 via #​250, #​353)
• Changed
  • Evidence analysis prefers actually installed packages over lock file (#​122 via #​250)
  • Root component's versions is unset, if version detection fails (#​154 via #​250)
  • Composer packages of type "composer-installer" are treated as composer plugins (via #​250)
• Added
  • Evidence collection knows actually installed packages (#​122 via #​250)
  • SBOM results
    • Support for CycloneDX Spec v1.4 (via #​250)
    • might have serialnumber populated (#​279 via #​250, #​353)
    • might have metadata.timestamp populated (#​112 via #​250)
    • might have metadata.tools[].tool.externalReferences populated (#​171 via #​250)
    • might have components[].component.author populated (#​261 via #​250)
    • might have components[].component.properties populated according to cdx:composer Namespace Taxonomy (#​313 via #​250)
  • CLI
    • New option omit (via #​250)
    • New switch validate to override no-validate (via #​250)
    • New switches output-reproducible and no-output-reproducible (via #​250)
• Misc
  • Added demo and reproducible continuous integration test "devReq" that is dedicated to composer's require-dev feature (via #​250)
  • Reworked demo setups to be more global-install like (via #​250)

---

Configuration

📅 Schedule: Branch creation - "on sunday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.