fix(security): bump PHPUnit for GHSA-qrr6-mg7r-m243 and related fixes

barbieswimcrew · barbieswimcrew · commit 17ee6f403bc5 · 2026-04-21T12:33:11.000+02:00
- Require patched dev versions: ^9.6.33, ^10.5.62, ^11.5.50, ^12.5.22, ^13.1.6
- Add composer.lock and track it (Dependabot needs a lockfile to resolve versions)
- Set config.platform.php to 8.0.30 so the lock matches the package minimum

Made-with: Cursor
diff --git a/.gitignore b/.gitignore
@@ -13,7 +13,6 @@ Thumbs.db
 
 #composer related
 composer.phar
-composer.lock
 vendor/
 
 .phpunit.result.cache
diff --git a/composer.json b/composer.json
@@ -10,12 +10,17 @@
     ],
     "minimum-stability": "dev",
     "prefer-stable": true,
+    "config": {
+        "platform": {
+            "php": "8.0.30"
+        }
+    },
     "require": {
         "php": ">=8.0",
         "symfony/validator": "^5.4.43 || ^6.4.11 || ^7.1.4 || ^8.0"
     },
     "require-dev": {
-        "phpunit/phpunit": "^9.6 || ^10.5 || ^11.0.3"
+        "phpunit/phpunit": "^9.6.33 || ^10.5.62 || ^11.5.50 || ^12.5.22 || ^13.1.6"
     },
     "autoload": {
         "psr-4": {
diff --git a/composer.lock b/composer.lock
