[#45777] - [5.4] Update composer dependencies
- Fixed in Code Base
- 28 Jul 2025
- Medium
- Build: 5.4-dev
- # 45777
- Diff
- richard67:5.4-dev-composer-update-2025-07-25
User tests: Successful: Unsuccessful:
Pull Request for Issues #42859 , #45681 .
Summary of Changes
This pull request (PR) updates composer dependencies for the upcoming 5.4.0-beta1 release with respect to version constraints in the composer.json file, i.e. the result is what you get when you simply run composer update without having modified the composer.json file before.
In addition, this PR updates the version constraints in the composer.json file to reflect the updated versions without changing the kind of constraint.
Finally, the PR updates the PHPstan baseline file to adapt to the updated PHPstan version.
Why it needs to change the PHPstan baseline file
The updates have been made in 3 steps with 3 separate commits:
- First all dependencies except of PHPstan have been updated.
As you can see in the commit history, the CI checks for that commit were successful. - Then PHPstan has been updated.
As you can see in the commit history, the CI checks for that commit have failed.
If you check the details (click on the red cross beside the commit ID) you can see that only PHPstan has failed. - Finally the baseline file "phpstan-baseline.neon" of PHPstan has been updated so PHPstan checks pass again.
If you do it the other way around, first update PHPstan, then update the baseline file and then all other dependencies you will get the same result: After the first step PHP stan checks fail with the same number of errors as after step 2 in the above procedure, and when that has been fixed with the baseline file change, the PHPstan checks pass again, and the update of the other dependencies does not change that.
This shows that the new PHPstan errors (mainly deprecation notices and not really errors) which require the change of the baseline file are caused by the update of PHPstan.
Their b/c policy says here https://phpstan.org/user-guide/backward-compatibility-promise :
Type inference capabilities
As bugs get fixed, PHPStan gets smarter, and figures out more precise information about existing code. This can lead to unavoidable changes in understanding analysed code, and to old errors stopped being reported, or new errors started being reported.
The nature of static analyser is that the output can change even in minor/patch version, because any single change leads to code being understood a bit differently, and therefore breaking someone’s build.
So this is obviously the case here.
To be done with another PR: webauthn-lib
The "web-auth/webauthn-lib" is currently hard-pinned to version 4.5.2.
The main reason for that is that with an update to the latest 4.x version, the indirect dependency "web-auth/metadata-service" would be removed, which would require refactoring of CMS code as that uses this dependency.
The latest version which still includes the "web-auth/metadata-service" is 4.8.7.
An update to that version seems to work, but it will contain lots of refactoring and so should be done with a separate PR, which will need careful testing.
Updated Joomla Framework dependencies
New 3.x releases have been created for all Joomla Framework packages, so all dependencies to framework packages are updated.
However, not all updates contain relevant code changes. Some only change development dependencies or remove development only files from packages (which are removed from the CMS by the build.php script anyway).
joomla/application
Bug fixes and improvements:
- joomla-framework/application#123
This fixes issue #42859 . - joomla-framework/application#139
All changes: joomla-framework/application@3.0.3...3.0.4
joomla/archive
Bug fixes: Fixed wrong parameter type of set_time_limit call and a PHPstan warning in src/Zip.php, see commit joomla-framework/archive@1d50685 .
All changes: joomla-framework/archive@3.0.2...3.0.4
joomla/authentication
Only development related changes.
All changes: joomla-framework/authentication@3.0.1...3.0.3
joomla/console
Fix some PHPstan warnings in src/Application.php, see commit joomla-framework/console@fd5824c .
All changes: joomla-framework/console@3.0.1...3.0.3
joomla/crypt
Bug fixes and improvements:
- Fix wrong parameter type in openssl function calls from phpstan scan, see commit joomla-framework/crypt@11761ea .
- Remove unneeded checks for libsodium as Sodium is part of PHP since 7.2, see joomla-framework/crypt#26 (back ported from 4.x to 3.x)
All changes: joomla-framework/crypt@3.0.1...3.0.3
joomla/data
Bug fixes and improvements:
All changes: joomla-framework/data@3.0.1...3.0.3
joomla/database
Only development related changes.
All changes: joomla-framework/database@3.4.2...3.4.3
joomla/di
New feature Lazy Objects Helper:
Other changes are development related only.
All changes: joomla-framework/di@3.0.1...3.1.1
joomla/event
Fix unignorable PHPstan warnings in src/EventImmutable.php with commit joomla-framework/event@aabdac5 .
Other changes are development related only.
All changes: joomla-framework/event@3.0.1...3.0.2
joomla/filter
Only development related changes.
All changes: joomla-framework/filter@3.0.2...3.0.4
joomla/filesystem
Bug fixes and improvements:
- joomla-framework/filesystem#71
- joomla-framework/filesystem#74
- joomla-framework/filesystem#75
This fixes issue #45681 .
Other changes are development related only.
All changes: joomla-framework/filesystem@3.1.0...3.1.2
joomla/http
Improvement:
Other changes are development related only.
All changes: joomla-framework/http@3.1.0...3.1.2
joomla/input
Only development related changes.
All changes: joomla-framework/input@3.0.0...3.0.2
joomla/language
Only development related changes.
All changes: joomla-framework/language@3.0.0...3.0.2
joomla/oauth1
Fix PHP deprecation:
Other changes are development related only.
All changes: joomla-framework/oauth1@3.0.0...3.0.1
joomla/oauth2
Bug fixes and improvements:
Other changes are development related only.
All changes: joomla-framework/oauth2@3.0.0...3.0.1
joomla/registry
Only development related changes.
All changes: joomla-framework/registry@3.0.0...3.0.2
joomla/router
Fix PHP deprecation:
Other changes are development related only.
All changes: joomla-framework/router@3.0.0...3.0.2
joomla/session
Bug fixes and improvements:
- joomla-framework/session#64
- Fix wrong parameter types and names in doc blocks and resolve one assignment inside a boolean expression with commit joomla-framework/session@8876b26
Other changes are development related only.
All changes: joomla-framework/session@3.0.1...3.0.3
joomla/string
Bug fix: Fix parameter types in calls to setlocale and wrong data type for integer calculation with commit joomla-framework/string@cb2967f
Other changes are development related only.
All changes: joomla-framework/string@3.0.1...3.0.4
joomla/uri
Fix PHPstan warnings with commit joomla-framework/uri@ac18b41 .
Other changes are development related only.
All changes: joomla-framework/uri@3.0.0...3.0.2
joomla/utilities
Only development related changes.
All changes: joomla-framework/utilities@3.0.0...3.0.2
Updated other dependencies
google/recaptcha
Bug fixes and improvements:
Other changes are development related only.
All changes: google/recaptcha@1.3.0...1.3.1
phpmailer/phpmailer
Add full support for Unicode characters in email addresses, see https://github.com/PHPMailer/PHPMailer/releases/tag/v6.10.0 .
All changes: PHPMailer/PHPMailer@v6.9.3...v6.10.0
symfony/console
Releases:
- https://github.com/symfony/console/releases/tag/v6.4.20
- https://github.com/symfony/console/releases/tag/v6.4.21
- https://github.com/symfony/console/releases/tag/v6.4.22
- https://github.com/symfony/console/releases/tag/v6.4.23
All changes: symfony/console@v6.4.17...v6.4.23
symfony/error-handler
Releases:
- https://github.com/symfony/error-handler/releases/tag/v6.4.20
- https://github.com/symfony/error-handler/releases/tag/v6.4.22
- https://github.com/symfony/error-handler/releases/tag/v6.4.23
All changes: symfony/error-handler@v6.4.19...v6.4.23
symfony/polyfill-mbstring
Bug fixes:
- mbstring: Fix mb_rtrim() for UTF-8 text with commit symfony/polyfill-mbstring@6c1cb6e .
- Require iconv for mbstring with commit symfony/polyfill-mbstring@01072b6 .
All changes: symfony/polyfill-mbstring@v1.31.0...v1.32.0
symfony/web-link
No significant changes, only a new deprecation comment.
All changes: symfony/web-link@v6.4.13...v6.4.22
symfony/yaml
Releases:
- https://github.com/symfony/yaml/releases/tag/v6.4.20
- https://github.com/symfony/yaml/releases/tag/v6.4.21
- https://github.com/symfony/yaml/releases/tag/v6.4.23
All changes: symfony/yaml@v6.4.18...v6.4.23
composer/ca-bundle
Update cacert.pem to 2025-05-20, see https://github.com/composer/ca-bundle/releases/tag/1.5.7 .
All changes: composer/ca-bundle@1.5.6...1.5.7
web-token/jwt-library
Allow psr/cache v2, see https://github.com/web-token/jwt-library/releases/tag/3.4.8 .
All changes: web-token/jwt-library@3.4.7...3.4.8
php-debugbar/php-debugbar
There are lots of bug fixes and improvement since v2.1.6, but they all seem to be b/c.
A new opt-in feature added with version 2 is to collect PHP warnings, notices and deprecations which don't stop the code from running, see php-debugbar/php-debugbar#748 .
Release notes:
- https://github.com/php-debugbar/php-debugbar/releases/tag/v2.2.0
- https://github.com/php-debugbar/php-debugbar/releases/tag/v2.2.1
- https://github.com/php-debugbar/php-debugbar/releases/tag/v2.2.2
- https://github.com/php-debugbar/php-debugbar/releases/tag/v2.2.3
- https://github.com/php-debugbar/php-debugbar/releases/tag/v2.2.4
All changes: php-debugbar/php-debugbar@v2.1.6...v2.2.4
Updated development only dependencies
joomla/mediawiki
Fix Users::unBlockUserByID() method to use POST request and data with commit joomla-framework/mediawiki-api@7df0684 .
Other changes are development related only.
All changes: joomla-framework/mediawiki-api@3.0.0...3.0.1
joomla/test
Remove unnecesary empty() checks in src/DatabaseManager.php with commit joomla-framework/test@2aa3102 .
Other changes are development related only.
All changes: joomla-framework/test@3.0.0...3.0.3
phpunit/phpunit
See https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.23 .
All changes: sebastianbergmann/phpunit@9.6.22...9.6.23
friendsofphp/php-cs-fixer
All changes: PHP-CS-Fixer/PHP-CS-Fixer@v3.72.0...v3.84.0
squizlabs/php_codesniffer
All changes: PHPCSStandards/PHP_CodeSniffer@3.12.0...3.13.2
phpstan/phpstan
All changes: phpstan/phpstan@2.1.8...2.1.19
phpstan/phpstan-deprecation-rules
All changes: phpstan/phpstan-deprecation-rules@2.0.1...2.0.3
Testing Instructions
Experienced Reviewers
Update 2025-07-27: This part is already done. The PR has already 2 successful reviews by experienced maintainers.
Reviewers please use the GitHub review functionality to approve the changes or request changes.
- Review the changes listed above.
- Check that GitHub actions of the CI checks are successful.
- Check that the patched package for this PR has been successfully build with the Drone CI step.
End Users
The patched installation and update packages and custom update URL created by Drone for this PR can be found here:
https://artifacts.joomla.org/drone/joomla/joomla-cms/5.4-dev/45777/downloads/86405/
When having tested, please submit your test result in the issue tracker here https://issues.joomla.org/tracker/joomla-cms/45777 with the blue "Test this" button at the top left corner.
- Make a new installation with the branch or patched package from this PR.
- Switch error reporting to maximum and Debug System to On in global configuration.
- Install Blog Sample Data.
- Check that the debug bar works at least as well as before.
- Do whatever else comes into your mind in backend and frontend.
- Optional (only if you can easily reproduce):
Check that issue #42859 is fixed. - Optional (only if you can easily reproduce):
Check that issue #45681 is fixed.
Actual result BEFORE applying this Pull Request
Composer dependencies are outdated.
Expected result AFTER applying this Pull Request
Composer dependencies are up-to date, except of "web-auth/webauthn-lib" and "web-auth/metadata-service", which have to be checked separately, see section "To be done with another PR: webauthn-lib" above.
The CMS works as well as before, also the debug bar.
Issues #42859 and #45681 are fixed.
Link to documentations
Please select:
-
Documentation link for docs.joomla.org:
-
No documentation changes for docs.joomla.org needed
-
Pull Request link for manual.joomla.org:
-
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | External Library Composer Change |
| Labels |
Added:
Composer Dependency Changed
PR-5.4-dev
|
||
| Title |
|
||||||
@richard67 to be honest the entire debug plugin needs to be reviewed. I'd just accept this update as is and then someone needs to look at all the debug plugin functionality and our implementation of it. Its a spaghetti code of custom changes and hacks which in many cases are old and no longer needed. I tried to look into it but its a mess and I couldnt work out why we had the current customisations etc. Would be better if a fresh pair of eyes created the plugin from scratch with a new integration and then seeing what needs to be added etc. Anything else is a waste of time.
I'd just accept this update as is
@brianteeman Then you would give this PR a successful test?
i dont know enough about the other parts of the pr to test it
I have tested this item ✅ successfully on d4e6654
Tested including the CLI option; OPCache option not tested
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/45777.
I have tested this item ✅ successfully on d4e6654
Except that did not test #45681 (opcache).
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/45777.
| Status | Pending | ⇒ | Ready to Commit |
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/45777.
✅ Final test before merge
- JBT full installation from Joomla_5.4.0-alpha4-dev+pr.45777-Development-Full_Package.zip
- Enabled Log Almost Everything and debug bar, installed Blog Sample Data, created article/category/user, installed and configured module zitat-service.de
- JBT update from Joomla_5.4.0-alpha3 with custom update server URL https://artifacts.joomla.org/drone/joomla/joomla-cms/5.4-dev/45777/downloads/86405/pr_list.xml
- Enabled Log Almost Everything and debug bar, installed German language packet as extension, installed Multilingual Sample Data , created article and associated
- local installation from git clone plus
gh pr checkout 45777- checked all required and dev-required packages in composer.json matching latest available version (without checking backports)
- phpstan/phpstan 2.1.19 is a newer version 2.1.20 released two days ago 2025-07-26, but this will always happen
- checked with
composer outdated --minor-only, direct dependencies only the following and already commented with reason:- phpstan/phpstan
- web-auth/webauthn-lib
- Checked
composer i, only one warning remains as already commented- Package web-auth/metadata-service is abandoned
- Checked
composer update --lockis creating the samecomposer.lockfile - Checked
composer audit-> only the already named web-auth/webauthn-lib is named with potential security vulnerability
- checked all required and dev-required packages in composer.json matching latest available version (without checking backports)
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2025-07-28 13:16:26 |
| Closed_By | ⇒ | muhme | |
| Labels |
Added:
RTC
|
||
Many thanks @richard67 for this enormous amount of work and the detailed description. Thank you @rdeutz and @laoneo for review. Thank you @brianteeman, @dautrich and @ceford for testing.
As this PR has 2 successful reviews, the review part of the testing instructions is done, and it only needs 2 human tests for the end user tests, which mainly consist of checking that nothing is broken and having a closer look on the debug bar.
@brianteeman As you recently had to do with the debug bar: Could you test this PR? That would be a great help. Thanks in advance.