
chore(deps): Update Composer dependencies (security-patch) #428

Open
nielsdrost7 wants to merge 1 commit into develop from automated/composer-update-27

Conversation

nielsdrost7 (Collaborator) commented Mar 16, 2026

Composer Dependency Update

This PR updates Composer dependencies.

Update Type:
Triggered by: schedule

Updated Packages

## Direct Dependencies (from composer.json)

doctrine/dbal: 4.4.1 → 4.4.2
filament/actions: v5.0.0 → v5.3.5
filament/filament: v5.0.0 → v5.3.5
laravel/framework: v12.47.0 → v12.54.1
spatie/laravel-permission: 6.24.0 → 6.24.1
barryvdh/laravel-debugbar: v3.16.3 → v4.1.3
driftingly/rector-laravel: 2.1.9 → 2.1.12
larastan/larastan: v3.9.0 → v3.9.3
laravel/boost: v1.8.10 → v2.3.1
laravel/pail: v1.2.4 → v1.2.6
laravel/sail: v1.52.0 → v1.53.0
laravel/tinker: v2.11.0 → v2.11.1
nunomaduro/collision: v8.8.3 → v8.9.1
phpunit/phpunit: 11.5.48 → 11.5.55
rector/rector: 2.3.1 → 2.3.8

## Transient Dependencies (indirect)

blade-ui-kit/blade-icons: 1.8.0 → 1.9.0
brick/math: 0.14.1 → 0.14.8
doctrine/deprecations: 1.1.5 → 1.1.6
filament/forms: v5.0.0 → v5.3.5
filament/infolists: v5.0.0 → v5.3.5
filament/notifications: v5.0.0 → v5.3.5
filament/query-builder: v5.0.0 → v5.3.5
filament/schemas: v5.0.0 → v5.3.5
filament/support: v5.0.0 → v5.3.5
filament/tables: v5.0.0 → v5.3.5
filament/widgets: v5.0.0 → v5.3.5
guzzlehttp/psr7: 2.8.0 → 2.9.0
laravel/prompts: v0.3.10 → v0.3.14
laravel/serializable-closure: v2.0.8 → v2.0.10
league/commonmark: 2.8.0 → 2.8.1
league/flysystem: 3.30.2 → 3.32.0
league/flysystem-local: 3.30.2 → 3.31.0
league/uri: 7.8.0 → 7.8.1
league/uri-components: 7.8.0 → 7.8.1
league/uri-interfaces: 7.8.0 → 7.8.1
livewire/livewire: v4.0.1 → v4.2.1
nesbot/carbon: 3.11.0 → 3.11.3
nette/php-generator: v4.2.0 → v4.2.2
nette/schema: v1.3.3 → v1.3.5
nette/utils: v4.1.1 → v4.1.3
nunomaduro/termwind: v2.3.3 → v2.4.0
spatie/laravel-package-tools: 1.92.7 → 1.93.0
spatie/shiki-php: 2.3.2 → 2.3.3
symfony/console: v7.4.3 → v7.4.7
symfony/css-selector: v7.4.0 → v7.4.6
symfony/error-handler: v7.4.0 → v7.4.4
symfony/event-dispatcher: v7.4.0 → v7.4.4
symfony/finder: v7.4.3 → v7.4.6
symfony/html-sanitizer: v7.4.0 → v7.4.7
symfony/http-foundation: v7.4.3 → v7.4.7
symfony/http-kernel: v7.4.3 → v7.4.7
symfony/mailer: v7.4.3 → v7.4.6
symfony/mime: v7.4.0 → v7.4.7
symfony/process: v7.4.3 → v7.4.5
symfony/routing: v7.4.3 → v7.4.6
symfony/string: v7.4.0 → v7.4.6
symfony/translation: v7.4.3 → v7.4.6
symfony/uid: v7.4.0 → v7.4.4
symfony/var-dumper: v7.4.3 → v7.4.6
iamcal/sql-parser: v0.6 → v0.7
laravel/mcp: v0.5.2 → v0.6.2
laravel/roster: v0.2.9 → v0.5.1
php-debugbar/php-debugbar: v2.2.6 → v3.5.1
php-debugbar/symfony-bridge: (new) → v1.1.0
phpstan/phpstan: 2.1.33 → 2.1.40
phpunit/php-file-iterator: 5.1.0 → 5.1.1
psy/psysh: v0.12.18 → v0.12.21
sebastian/comparator: 6.3.2 → 6.3.3
symfony/yaml: v7.4.1 → v7.4.6

Checks Performed

  • Unit tests passed (commented out until further notice)
  • Static analysis completed (commented out until further notice)
  • Code formatting checked (commented out until further notice)

Security Audit

Security vulnerabilities detected. Please review audit-report.json.

Review Checklist

  • Review updated packages and their changelogs
  • Verify all tests pass
  • Check for breaking changes
  • Update documentation if needed
  • Test manually in development environment

This PR was automatically created by the Composer Update workflow.

Summary by CodeRabbit

  • Chores
    • Updated framework and component dependencies to latest versions, including major version upgrades for Laravel Framework, Filament, and Symfony components.
    • Updated audit report with comprehensive advisory information for identified packages, including security severity levels and vulnerability details.
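The description above says the audit still reports vulnerabilities and points at audit-report.json, while the walkthrough describes that file as a per-package `advisories` object with `advisoryId`, `affectedVersions`, `severity` and CVE fields (the shape `composer audit --format=json` emits). A reviewer's first question on a "security-patch" PR is therefore which of those advisories the version bumps actually close. The script below is an added example, not code from this PR or the InvoicePlane project: it parses `package: old → new` lines in the format of updated-packages.txt, evaluates each advisory's `affectedVersions` range against the new version, and sorts advisories into fixed, still affected, and not updated. The package list, advisory ids and ranges it contains are constructed placeholders, not real advisories.

```python
"""Cross-check a composer JSON audit report against an updated-packages list.

Added example (not part of the PR or the InvoicePlane project). The sample
report and package list are constructed; advisory ids, ranges and the
'example/left-behind' package are placeholders, not real advisories.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of updated-packages.txt on this PR.
UPDATED_PACKAGES = """\
league/commonmark: 2.8.0 → 2.8.1
symfony/process: v7.4.3 → v7.4.5
php-debugbar/symfony-bridge: (new) → v1.1.0
example/left-behind: 1.2.0 → 1.2.1
"""

# Constructed sample in the shape of composer's JSON audit output
# (top-level "advisories" keyed by package). Placeholder ids and ranges.
AUDIT_REPORT = json.dumps({
    "advisories": {
        "league/commonmark": [{
            "advisoryId": "PLACEHOLDER-1", "packageName": "league/commonmark",
            "affectedVersions": ">=2.0.0,<2.8.1", "severity": "medium", "cve": None,
        }],
        "symfony/process": [{
            "advisoryId": "PLACEHOLDER-2", "packageName": "symfony/process",
            "affectedVersions": ">=7.4.0,<7.4.5", "severity": "high", "cve": None,
        }],
        "example/left-behind": [{
            "advisoryId": "PLACEHOLDER-3", "packageName": "example/left-behind",
            "affectedVersions": "<1.3.0", "severity": "high", "cve": None,
        }],
    }
})

LINE_RE = re.compile(r"^(?P<pkg>[\w.-]+/[\w.-]+):\s*(?P<old>\S+)\s*→\s*(?P<new>\S+)$")


def parse_updated_packages(text: str) -> Dict[str, Tuple[str, str]]:
    """Map package name -> (old, new); '(new)' marks a freshly added package."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m["pkg"]] = (m["old"], m["new"])
    return result


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric tuple for comparison; drops a leading 'v' and any suffix."""
    v = v.lstrip("vV").split("-")[0].split("+")[0]
    parts = [int(p) for p in v.split(".") if p.isdigit()]
    return tuple(parts + [0] * (4 - len(parts)))


def constraint_matches(constraint: str, version: str) -> bool:
    """True if `version` satisfies a composer range such as '>=2.0,<2.8.1' or
    '<1.0|>=2.0,<2.1' (',' is AND, '|' or '||' is OR, bare version is exact)."""
    vkey = version_key(version)
    for alternative in re.split(r"\|\|?", constraint):
        ok = True
        for term in alternative.split(","):
            term = term.strip()
            if not term:
                continue
            m = re.match(r"(>=|<=|!=|==|>|<|=)?\s*(.+)$", term)
            op, bkey = m.group(1) or "==", version_key(m.group(2))
            ok = ok and {
                ">=": vkey >= bkey, ">": vkey > bkey,
                "<=": vkey <= bkey, "<": vkey < bkey,
                "!=": vkey != bkey, "==": vkey == bkey, "=": vkey == bkey,
            }[op]
        if ok:
            return True
    return False


def check_advisories(updated: str, report: str) -> Dict[str, List[str]]:
    """Return {'fixed': [...], 'still_affected': [...], 'not_updated': [...]}."""
    bumps = parse_updated_packages(updated)
    advisories = json.loads(report).get("advisories", {})
    out: Dict[str, List[str]] = {"fixed": [], "still_affected": [], "not_updated": []}
    for pkg, entries in advisories.items():
        for adv in entries:
            label = f"{pkg} {adv['advisoryId']} ({adv.get('severity')})"
            if pkg not in bumps:
                out["not_updated"].append(label)       # audit entry, no bump at all
            elif constraint_matches(adv["affectedVersions"], bumps[pkg][1]):
                out["still_affected"].append(label)    # bumped, but still in range
            else:
                out["fixed"].append(label)             # new version is outside the range
    return out


if __name__ == "__main__":
    for bucket, items in check_advisories(UPDATED_PACKAGES, AUDIT_REPORT).items():
        print(bucket, items)
```

Run against the real files, the "still_affected" and "not_updated" buckets are the ones that justify the "Security vulnerabilities detected" line; an empty pair means the audit report simply predates the bump and should be regenerated before merge.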

coderabbitai bot (Contributor) commented Mar 16, 2026

Walkthrough

This pull request updates security advisories in the audit report with detailed per-package vulnerability information across multiple packages and bumps numerous dependencies to newer versions, including major version updates for key framework and utility packages.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Security Advisories<br>`audit-report.json` | Expanded advisories field from empty array to structured object with detailed per-package vulnerability entries (league/commonmark, phpunit/phpunit, psy/psysh, symfony/process), each containing advisoryId, affectedVersions, CVE, severity, and other metadata. |
| Dependency Updates<br>`updated-packages.txt` | Extensive version bumps across Direct and Transient dependencies; notable updates include laravel/framework 12.46.0→12.54.1, filament/* v4.5.x→v5.3.5, Symfony components 7.4.x→7.4.6/7.4.7, and introduction of new transitive dependency php-debugbar/symfony-bridge v1.1.0. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


🐰 Hop along to safety's call,
Advisories catalogued, one and all,
Dependencies leap to versions new,
Patches and bumps in every queue,
Security strengthens, package by package true! 🔐

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title 'chore(deps): Update Composer dependencies (security-patch)' accurately describes the main change, a dependency update focusing on security patches, matching the PR's objectives and file modifications. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


coderabbitai bot (Contributor) left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
updated-packages.txt (1)

3-17: Recommend enabling tests before merging this security patch.

The PR notes that unit tests, static analysis, and formatting checks are commented out. Given the scope of changes—including 3 major version bumps and multiple security fixes—these checks should be enabled to validate compatibility before merge.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@updated-packages.txt` around lines 3 - 17, The CI currently has "unit tests",
"static analysis", and "formatting checks" commented out; before merging the
dependency bumps, re-enable those CI jobs (unit tests / phpunit, static analysis
/ phpstan/larastan, and formatting/lint jobs) in your pipeline configuration,
restore any commented-out steps or job definitions, and run the pipeline locally
or in CI to ensure all tests and checks pass (fix any failures introduced by
package upgrades before merging).

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dc4a6165-f24b-4ffb-a409-ff1875b484c1

📥 Commits

Reviewing files that changed from the base of the PR and between ba54801 and bead9d3.

⛔ Files ignored due to path filters (1)
  • composer.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • audit-report.json
  • updated-packages.txt

filament/filament: v5.0.0 → v5.3.5
laravel/framework: v12.47.0 → v12.54.1
spatie/laravel-permission: 6.24.0 → 6.24.1
barryvdh/laravel-debugbar: v3.16.3 → v4.1.3
coderabbitai bot (Contributor) left a comment

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

barryvdh laravel-debugbar v4 breaking changes migration guide

💡 Result:

Laravel Debugbar v4 (barryvdh → fruitcake) breaking changes + migration steps

  1. Switch package name (required)
     composer remove barryvdh/laravel-debugbar --dev --no-scripts
     composer require fruitcake/laravel-debugbar --dev --with-dependencies
     [1][2]
  2. Namespace change (only if you reference classes/provider/facade directly)
     • Old: Barryvdh\Debugbar\...
     • New: Fruitcake\LaravelDebugbar\...
     [1][3]
  3. Upstream php-debugbar 3.x
     • jQuery + FontAwesome removed upstream; only likely to affect you if you have custom collectors/UI integrations.
     [3]
  4. Removed in v4
     • SocketStorage
     • Lumen support
     • FileCollector
     • Helper functions: start_measure(), add_measure(), stop_measure(), measure() → use debugbar()->startMeasure() etc.
     [3] (also summarized in release notes [1])
  5. Config / API changes you may need to update
     • QueryCollector: parameter bindings removed, use params instead.
     • Config: hiddens replaced by masked (uses keys, not array paths).
     • Inertia: now has its own collector + config, so update config/debugbar.php accordingly.
     [3]
  6. If you maintain a package that extends Debugbar
     • modifyResponse → handleResponse, implemented via a listener (not middleware).
     • HttpDriver is now session-less and uses cookies.
     • Octane: Debugbar keeps state and must reset collectors; you can remove Debugbar from Octane "flush" config (per guide).
     [3]

Primary migration reference: the project’s UPGRADE.md (3.x → 4.x). [3]

Sources: [1] [2] [3]


Critical: barryvdh/laravel-debugbar v4 has multiple breaking changes requiring code updates.

This major version includes significant breaking changes that must be addressed:

  • Package ownership changed: v4 moved from barryvdh to fruitcake; ensure composer dependency reflects this
  • Namespace changed: Barryvdh\Debugbar\... → Fruitcake\LaravelDebugbar\... (update all references)
  • Removed features: SocketStorage, FileCollector, and helper functions (start_measure(), add_measure(), etc.)
  • Config changes: hiddens → masked; QueryCollector bindings parameter → params
  • API changes: Middleware pattern changed (modifyResponse → handleResponse via listener)

With tests currently commented out, these changes will not be validated. Enable tests before merging to catch regressions.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@updated-packages.txt` at line 8, The upgrade to laravel-debugbar v4 is
breaking: update composer dependency from barryvdh/laravel-debugbar to
fruitcake/laravel-debugbar, rename all code references and imports from the old
namespace (Barryvdh\Debugbar\*) to the new Fruitcake\LaravelDebugbar\* names,
remove or replace removed features (SocketStorage, FileCollector and helper
functions like start_measure/add_measure) with supported alternatives, update
config keys (change hiddens → masked and in QueryCollector rename bindings →
params), and update middleware/listener usage by replacing modifyResponse hooks
with the new handleResponse listener pattern; enable and run the commented-out
tests to validate these changes.
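The comment above lists the constructs that break on the debugbar 3.x to 4.x move: the `Barryvdh\Debugbar` namespace, the `start_measure`/`add_measure`/`stop_measure`/`measure` helpers, the `SocketStorage` and `FileCollector` classes, the `hiddens` config key and the `modifyResponse` hook. With the test jobs commented out, nothing on the pipeline would catch a leftover reference, so a reviewer can at least scan for them. The script below is an added example, not code from this PR, the InvoicePlane project or the debugbar package: it runs those patterns over PHP sources line by line and prints each hit together with the replacement the migration notes in this thread give. The three PHP files it scans are constructed inputs embedded in the script.

```python
"""Scan PHP sources for laravel-debugbar 3.x constructs renamed or removed in 4.x.

Added example (not from the PR, InvoicePlane or the debugbar package). The
patterns and replacement hints follow the migration summary in this thread;
the PHP files below are constructed samples.
"""
import re
from typing import Dict, List, Tuple

# (pattern, what it is, replacement stated in the migration notes)
CHECKS: List[Tuple["re.Pattern[str]", str, str]] = [
    (re.compile(r"Barryvdh\\Debugbar\b"), "old namespace",
     "Fruitcake\\LaravelDebugbar\\..."),
    (re.compile(r"\b(start_measure|add_measure|stop_measure|measure)\s*\("),
     "removed helper function", "debugbar()->startMeasure() etc."),
    (re.compile(r"\bSocketStorage\b|\bFileCollector\b"), "removed class",
     "no v4 equivalent; drop or replace"),
    (re.compile(r"['\"]hiddens['\"]\s*=>"), "config key renamed",
     "'masked' => [...] (keys, not array paths)"),
    (re.compile(r"\bmodifyResponse\s*\("), "removed hook",
     "handleResponse via a listener"),
]

# Constructed sample files keyed by path (not the project's real files).
SAMPLE_FILES: Dict[str, str] = {
    "config/debugbar.php": """<?php
return [
    'enabled' => env('DEBUGBAR_ENABLED', null),
    'hiddens' => ['request.headers.authorization'],
];
""",
    "app/Providers/AppServiceProvider.php": """<?php
use Barryvdh\\Debugbar\\Facades\\Debugbar;

class AppServiceProvider
{
    public function boot(): void
    {
        start_measure('boot', 'Booting');
        Debugbar::info('booted');
        stop_measure('boot');
    }
}
""",
    "app/Http/Controllers/HomeController.php": """<?php
class HomeController
{
    public function index() { return view('home'); }
}
""",
}


def scan_source(path: str, source: str) -> List[Dict[str, str]]:
    """Return one finding per (line, check) hit: file, line number, kind, match, hint."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, kind, hint in CHECKS:
            if pattern.search(line):
                findings.append({"file": path, "line": str(lineno), "kind": kind,
                                 "match": line.strip(), "hint": hint})
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict[str, str]]:
    """Scan every file in the mapping, preserving file order."""
    out: List[Dict[str, str]] = []
    for path, source in files.items():
        out.extend(scan_source(path, source))
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} [{f['kind']}] {f['match']}  ->  {f['hint']}")
```

On a real checkout, feed it the contents of `app/`, `config/` and any custom collectors (excluding `vendor/`); an empty result is the evidence the second review comment in this thread is looking for when it says the codebase uses debugbar out of the box.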

Comment on lines +68 to +69
php-debugbar/php-debugbar: v2.2.6 → v3.5.1
php-debugbar/symfony-bridge: (new) → v1.1.0
coderabbitai bot (Contributor) left a comment

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for debugbar configuration files and custom collectors
fd -e php -E vendor . --exec grep -l -i 'debugbar' {} \;

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 54


🏁 Script executed:

cat updated-packages.txt | head -80 | tail -15

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 588


🏁 Script executed:

# Look for composer.json and composer.lock to understand dependencies
fd -name "composer.*" -type f

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 302


🏁 Script executed:

# Search for any debugbar-related configuration files (not just PHP)
fd -i "debugbar" -type f

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 242


🏁 Script executed:

# Look for Laravel debugbar configuration
fd -type f -name "*config*" | head -20

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 242


🏁 Script executed:

# Look for composer.json
cat composer.json 2>/dev/null | grep -A 5 -B 5 "php-debugbar" || echo "No php-debugbar in composer.json"

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 104


🏁 Script executed:

# Search for any config directory structure
find . -type d -name "config" 2>/dev/null | head -10

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 80


🏁 Script executed:

# Look for any Laravel debugbar config
find . -path "*/vendor" -prune -o -name "*debugbar*" -o -name "*debug*" -type f -print 2>/dev/null

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 54


🏁 Script executed:

# Check if laravel-debugbar was in the update list
grep -i "laravel-debugbar\|laravel/debugbar" updated-packages.txt

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 115


🏁 Script executed:

# List contents of config directory
ls -la config/ 2>/dev/null | head -20

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 1266


🏁 Script executed:

# Look for any debug or debugbar references in config files
find config -type f 2>/dev/null | xargs grep -l -i "debugbar\|debug" 2>/dev/null

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 105


🏁 Script executed:

# Check composer.lock to see the dependency chain
grep -A 2 -B 2 '"name": "barryvdh/laravel-debugbar"' composer.lock 2>/dev/null | head -20

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 209


🏁 Script executed:

# Check app.php for debugbar references
grep -n -i "debugbar" config/app.php

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 54


🏁 Script executed:

# Check logging.php for debugbar references
grep -n -i "debugbar" config/logging.php

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 54


🏁 Script executed:

# Look at the actual usage/registration of debugbar in app.php
grep -A 5 -B 5 -i "debugbar" config/app.php

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 54


Major version bumps in php-debugbar and related dependencies confirmed, but custom configuration risk is minimal.

The php-debugbar/php-debugbar upgrade from v2.2.6 to v3.5.1 is a confirmed major version bump, accompanied by the new php-debugbar/symfony-bridge v1.1.0 dependency. This is driven by the barryvdh/laravel-debugbar upgrade from v3.16.3 to v4.1.3, which is also a major version bump.

However, the codebase uses debugbar out-of-the-box with no custom configurations or collectors. No debugbar-specific configuration was found in config/app.php, config/logging.php, or elsewhere in the project. This significantly reduces compatibility risk since the upgrade is handled entirely by the Laravel debugbar package.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@updated-packages.txt` around lines 68 - 69, Update the dependency constraints
and lockfile to the new major versions for barryvdh/laravel-debugbar (v4.1.3),
php-debugbar/php-debugbar (v3.5.1) and add php-debugbar/symfony-bridge (v1.1.0);
run composer update to apply changes, then run the full test suite and smoke
tests to ensure no runtime regressions. Also search the codebase for any custom
DebugBar usage or collectors (references to DebugBar, Debugbar, DebugBar\*,
barryvdh\Debugbar) and remove/update any custom config if found, then clear
framework caches (config/cache, route/cache, view/cache) and verify local/dev
environments still load the debug toolbar. Ensure composer.lock is committed
after the update.
