chore(deps): Update Composer dependencies (security-patch)

[nielsdrost7]

Composer Dependency Update

This PR updates Composer dependencies.

Update Type:
Triggered by: schedule

Updated Packages

## Direct Dependencies (from composer.json)

doctrine/dbal: 4.4.1 → 4.4.3
filament/actions: v5.0.0 → v5.4.1
filament/filament: v5.0.0 → v5.4.1
laravel/framework: v12.47.0 → v12.55.1
maatwebsite/excel: 3.1.67 → 3.1.68
nwidart/laravel-modules: v12.0.4 → v12.0.5
spatie/laravel-permission: 6.24.0 → 6.25.0
barryvdh/laravel-debugbar: v3.16.3 → v4.1.3
driftingly/rector-laravel: 2.1.9 → 2.2.0
larastan/larastan: v3.9.0 → v3.9.3
laravel/boost: v1.8.10 → v2.3.4
laravel/pail: v1.2.4 → v1.2.6
laravel/sail: v1.52.0 → v1.54.0
laravel/tinker: v2.11.0 → v3.0.0
nunomaduro/collision: v8.8.3 → v8.9.1
phpunit/phpunit: 11.5.48 → 11.5.55
rector/rector: 2.3.1 → 2.3.9

## Transient Dependencies (indirect)

blade-ui-kit/blade-heroicons: 2.6.0 → 2.7.0
blade-ui-kit/blade-icons: 1.8.0 → 1.9.0
brick/math: 0.14.1 → 0.14.8
chillerlan/php-settings-container: 3.2.1 → 3.3.0
danharrin/livewire-rate-limiting: v2.1.0 → v2.2.0
doctrine/deprecations: 1.1.5 → 1.1.6
filament/forms: v5.0.0 → v5.4.1
filament/infolists: v5.0.0 → v5.4.1
filament/notifications: v5.0.0 → v5.4.1
filament/query-builder: v5.0.0 → v5.4.1
filament/schemas: v5.0.0 → v5.4.1
filament/support: v5.0.0 → v5.4.1
filament/tables: v5.0.0 → v5.4.1
filament/widgets: v5.0.0 → v5.4.1
guzzlehttp/psr7: 2.8.0 → 2.9.0
kirschbaum-development/eloquent-power-joins: 4.2.11 → 4.3.0
laravel/prompts: v0.3.10 → v0.3.15
laravel/serializable-closure: v2.0.8 → v2.0.10
league/commonmark: 2.8.0 → 2.8.2
league/flysystem: 3.30.2 → 3.32.0
league/flysystem-local: 3.30.2 → 3.31.0
league/uri: 7.8.0 → 7.8.1
league/uri-components: 7.8.0 → 7.8.1
league/uri-interfaces: 7.8.0 → 7.8.1
livewire/livewire: v4.0.1 → v4.2.1
nesbot/carbon: 3.11.0 → 3.11.3
nette/php-generator: v4.2.0 → v4.2.2
nette/schema: v1.3.3 → v1.3.5
nette/utils: v4.1.1 → v4.1.3
nunomaduro/termwind: v2.3.3 → v2.4.0
spatie/laravel-package-tools: 1.92.7 → 1.93.0
spatie/shiki-php: 2.3.2 → 2.3.3
symfony/console: v7.4.3 → v7.4.7
symfony/css-selector: v7.4.0 → v7.4.6
symfony/error-handler: v7.4.0 → v7.4.4
symfony/event-dispatcher: v7.4.0 → v7.4.4
symfony/finder: v7.4.3 → v7.4.6
symfony/html-sanitizer: v7.4.0 → v7.4.7
symfony/http-foundation: v7.4.3 → v7.4.7
symfony/http-kernel: v7.4.3 → v7.4.7
symfony/mailer: v7.4.3 → v7.4.6
symfony/mime: v7.4.0 → v7.4.7
symfony/process: v7.4.3 → v7.4.5
symfony/routing: v7.4.3 → v7.4.6
symfony/string: v7.4.0 → v7.4.6
symfony/translation: v7.4.3 → v7.4.6
symfony/uid: v7.4.0 → v7.4.4
symfony/var-dumper: v7.4.3 → v7.4.6
iamcal/sql-parser: v0.6 → v0.7
laravel/mcp: v0.5.2 → v0.6.3
laravel/roster: v0.2.9 → v0.5.1
php-debugbar/php-debugbar: v2.2.6 → v3.5.1
php-debugbar/symfony-bridge: (new) → v1.1.0
phpstan/phpstan: 2.1.33 → 2.1.42
phpunit/php-file-iterator: 5.1.0 → 5.1.1
psy/psysh: v0.12.18 → v0.12.22
sebastian/comparator: 6.3.2 → 6.3.3
symfony/yaml: v7.4.1 → v7.4.6
webmozart/assert: 1.12.1 → 2.1.6
anourvalar/eloquent-serialize: 1.3.5 → (removed)
ryangjchandler/blade-capture-directive: v1.1.0 → (removed)

Checks Performed

• Unit tests passed (commented out until further notice)
• Static analysis completed (commented out until further notice)
• Code formatting checked (commented out until further notice)

Security Audit

Security vulnerabilities detected. Please review audit-report.json.

Review Checklist

• Review updated packages and their changelogs
• Verify all tests pass
• Check for breaking changes
• Update documentation if needed
• Test manually in development environment

---

This PR was automatically created by the Composer Update workflow.

Summary by CodeRabbit

• Chores
  • Updated security advisories to document known vulnerabilities in project dependencies.
  • Upgraded core frameworks and libraries to their latest stable versions, including major updates across the technology stack.
  • Integrated new development tools and utility libraries to enhance project capabilities and developer experience.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates the project's security audit report with newly identified vulnerability advisories across six packages, and comprehensively upgrades Composer dependencies to newer versions across both direct and transitive package requirements.

Changes

Cohort / File(s)	Summary
Security Audit Updates audit-report.json	Converted advisories field from empty array to object containing structured vulnerability entries for filament/tables, league/commonmark (2 advisories), phpunit/phpunit, psy/psysh, and symfony/process, each with metadata including advisory IDs, affected versions, titles, CVEs, timestamps, and severity levels.
Dependency Upgrades updated-packages.txt	Upgraded multiple direct dependencies including Filament (v5.0.0 → v5.4.1), Laravel framework (v12.47.0 → v12.55.1), Laravel Boost (v1.8.10 → v2.3.4), PHPUnit (11.5.48 → 11.5.55), and Rector (2.3.1 → 2.3.9); added new direct packages (Doctrine DBAL, Maatwebsite Excel, Laravel Modules, Spatie Permissions, Laravel Debugbar, Laravel Pail/Sail/Tinker); updated transitive dependencies including Livewire (v4.0.1 → v4.2.1) and related ecosystem packages.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• InvoicePlane/InvoicePlane-v2#361: Introduced the initial audit-report.json file with empty advisories; this PR populates the advisories object with vulnerability data.

Poem

🐰 Dependencies dance in version streams so bright,
From five-point-oh to five-point-four in sight!
Security audits now paint the truth,
Vulnerabilities caught before they're loose! 🛡️
Package by package, we hop along,
Building safer software, bold and strong!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: updating Composer dependencies with a security-patch focus, which aligns with the PR's primary objective of dependency updates and the security audit vulnerabilities identified.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch automated/composer-update-28

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@audit-report.json`:
- Around line 2-109: The audit-report.json still contains obsolete entries under
the "advisories" section (e.g., "filament/tables", "league/commonmark",
"phpunit/phpunit", etc.); regenerate the report from the current composer.lock
so it reflects installed versions (run your project's Composer audit and
export/update audit-report.json), verify the "advisories" block no longer lists
fixed vulnerabilities, and commit the regenerated audit-report.json.

In `@updated-packages.txt`:
- Around line 10-19: This PR upgrades several packages across major versions
(e.g., barryvdh/laravel-debugbar v3→v4, laravel/boost v1→v2, laravel/tinker
v2→v3, php-debugbar v2→v3, webmozart/assert 1→2 and phpunit/phpunit bumped), but
the phpunit and phpstan CI workflows are configured only with workflow_dispatch
so they won't run automatically on PRs; update the CI to run the PHPUnit and
PHPStan workflows on pull_request (add or change the trigger from
workflow_dispatch to include pull_request) or manually trigger them for this PR,
then re-run all three quality gates (phpunit/phpunit tests, phpstan analysis,
and pint formatting) against this branch to validate compatibility with the
upgraded packages (focus checks around barryvdh/laravel-debugbar,
laravel/tinker, laravel/boost, php-debugbar, webmozart/assert).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 468da512-6f1f-4460-a06e-8926a09051f5

📥 Commits

Reviewing files that changed from the base of the PR and between ba54801 and 815f7fb.

⛔ Files ignored due to path filters (1)

• composer.lock is excluded by !**/*.lock

📒 Files selected for processing (2)

• audit-report.json
• updated-packages.txt

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify installed versions from composer.lock for packages listed in audit-report.json
python - <<'PY'
import json, pathlib

lock_path = pathlib.Path("composer.lock")
audit_path = pathlib.Path("audit-report.json")

lock = json.loads(lock_path.read_text())
audit = json.loads(audit_path.read_text())

pkgs = {}
for section in ("packages", "packages-dev"):
    for p in lock.get(section, []):
        pkgs[p["name"]] = p["version"]

targets = list(audit.get("advisories", {}).keys())
print("Package versions in composer.lock:")
for name in targets:
    print(f"- {name}: {pkgs.get(name, 'NOT INSTALLED')}")

print("\nAdvisory IDs:")
for name, items in audit.get("advisories", {}).items():
    ids = ", ".join(x.get("advisoryId","?") for x in items)
    print(f"- {name}: {ids}")
PY

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 461

---

Regenerate audit-report.json from composer.lock before merge

The security report contains advisories that no longer apply. All listed packages have been upgraded to versions that resolve their respective vulnerabilities according to the affected version ranges specified. Commit an updated report that reflects the current security status of the installed dependencies.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@audit-report.json` around lines 2 - 109, The audit-report.json still contains
obsolete entries under the "advisories" section (e.g., "filament/tables",
"league/commonmark", "phpunit/phpunit", etc.); regenerate the report from the
current composer.lock so it reflects installed versions (run your project's
Composer audit and export/update audit-report.json), verify the "advisories"
block no longer lists fixed vulnerabilities, and commit the regenerated
audit-report.json.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Detect major version jumps from updated-packages.txt =="
python - <<'PY'
import re, pathlib
txt = pathlib.Path("updated-packages.txt").read_text().splitlines()
pat = re.compile(r'^([a-z0-9_.-]+/[a-z0-9_.-]+):\s+([vV]?\d+(?:\.\d+){0,2}|[0-9]+(?:\.[0-9]+){0,2})\s+→\s+([vV]?\d+(?:\.\d+){0,2}|[0-9]+(?:\.[0-9]+){0,2})$')
def major(v):
    v=v.lower().lstrip('v')
    return int(v.split('.')[0])
for line in txt:
    m = pat.match(line.strip())
    if not m:
        continue
    name, old, new = m.groups()
    if major(old) != major(new):
        print(f"{name}: {old} -> {new}")
PY

echo
echo "== Check for commented-out quality gates in GitHub workflows =="
fd -e yml -e yaml .github/workflows | xargs -r rg -n -C2 '^\s*#\s*.*(phpunit|pint|phpstan|test|static|analysis|format)'

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 776

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Check lines 74-81 in updated-packages.txt =="
sed -n '74,81p' updated-packages.txt

echo
echo "== Check for commented-out quality gates in GitHub workflows =="
fd --full-path '.github/workflows' -e yml -e yaml | xargs -r rg -n -C2 '^\s*#\s*.*(phpunit|pint|phpstan|test|static|analysis|format)' || echo "No commented-out quality gates found"

echo
echo "== List all workflow files =="
find .github/workflows -type f -name '*.yml' -o -name '*.yaml' 2>/dev/null || echo "No workflow files found"

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 820

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Inspect phpunit.yml =="
cat .github/workflows/phpunit.yml

echo
echo "== Inspect phpstan.yml =="
cat .github/workflows/phpstan.yml

echo
echo "== Inspect pint.yml =="
cat .github/workflows/pint.yml

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 8714

---

Run quality gate workflows on all major version upgrades before merging

The PR includes 5 major version jumps across lines 10–19 and 74–81:

• barryvdh/laravel-debugbar: v3 → v4
• laravel/boost: v1 → v2
• laravel/tinker: v2 → v3
• php-debugbar/php-debugbar: v2 → v3
• webmozart/assert: 1 → 2

The PHPUnit and PHPStan workflows are configured to run manually only (workflow_dispatch), not automatically on PRs. Pint runs on PRs but may need validation with the updated versions. Re-run all three quality gates (phpunit, phpstan, pint) with these new versions before merging to ensure compatibility.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@updated-packages.txt` around lines 10 - 19, This PR upgrades several packages
across major versions (e.g., barryvdh/laravel-debugbar v3→v4, laravel/boost
v1→v2, laravel/tinker v2→v3, php-debugbar v2→v3, webmozart/assert 1→2 and
phpunit/phpunit bumped), but the phpunit and phpstan CI workflows are configured
only with workflow_dispatch so they won't run automatically on PRs; update the
CI to run the PHPUnit and PHPStan workflows on pull_request (add or change the
trigger from workflow_dispatch to include pull_request) or manually trigger them
for this PR, then re-run all three quality gates (phpunit/phpunit tests, phpstan
analysis, and pint formatting) against this branch to validate compatibility
with the upgraded packages (focus checks around barryvdh/laravel-debugbar,
laravel/tinker, laravel/boost, php-debugbar, webmozart/assert).