chore(deps): upgrade PHPUnit to ^13 to clear security advisories (#216)

* chore(deps): upgrade PHPUnit to ^13 to clear security advisories

Bump phpunit/phpunit from ^11.5 to ^13.0 since all reachable 11.5.x releases
are now blocked by Packagist advisories (PKSA-5jz8-6tcw-pbk4, PKSA-z3gr-8qht-p93v).

PHPUnit 13 requires PHP 8.4+, so the PHPUnit CI job narrows to 8.4 only. To
preserve declared runtime compatibility with PHP 8.2/8.3, PHPStan now analyses
against a phpVersion range (min: 80200, max: 80400) — catching both too-new
syntax and features removed before 8.4. PHPStan still runs in CI across
8.2/8.3/8.4 as the static replacement for the dropped PHPUnit coverage.

PHP-CS-Fixer matrix collapses to PHP 8.2 only (its output is deterministic
across runtimes; 8.2 is the lowest supported, matching the tool's own guidance).

Also removes redundant @coversDefaultClass doc-comments from three test files;
each already carries an equivalent #[CoversClass] attribute.

* fix(ci): unblock PHPUnit coverage run and narrow PHPStan matrix

PHPUnit 13 rejects #[CoversClass] targets outside the <source> coverage
include when --coverage-clover is active. DummyLoggerService and
DummyMeterService live in the test application (tests/Functional/Application/src),
so the attributes were already incorrect — drop them; these are functional
integration tests, not unit coverage tests. Locally masked by XDEBUG_MODE=off
in composer run test.

Narrow PHPStan CI matrix to PHP 8.4 only. Installing project vendor on 8.2/8.3
now fails because phpunit/phpunit ^13 requires PHP 8.4+. Cross-version static
analysis is driven by phpVersion: {min: 80200, max: 80400} in phpstan.neon and
is runtime-independent — running PHPStan on three PHP versions was redundant.

Author: gaelreyrol

.github/workflows/ci.yml

@@ -17,8 +17,6 @@ jobs:
       matrix:
         php:
           - '8.2'
-          - '8.3'
-          - '8.4'
       fail-fast: false
     steps:
       - name: Checkout
@@ -49,8 +47,6 @@ jobs:
     strategy:
       matrix:
         php:
-          - '8.2'
-          - '8.3'
           - '8.4'
       fail-fast: false
     steps:
@@ -95,21 +91,13 @@ jobs:
     strategy:
       matrix:
         php:
-          - '8.2'
-          - '8.3'
           - '8.4'
         dependencies:
           - 'highest'
         include:
           - php: '8.4'
             dependencies: 'highest'
             coverage: true
-          - php: '8.3'
-            dependencies: 'highest'
-            coverage: true
-          - php: '8.2'
-            dependencies: 'highest'
-            coverage: true
       fail-fast: false
     steps:
       - name: Checkout

composer.json

@@ -59,7 +59,7 @@
         "open-telemetry/exporter-otlp": "^1",
         "open-telemetry/exporter-zipkin": "^1",
         "open-telemetry/transport-grpc": "^1",
-        "phpunit/phpunit": "^11.5",
+        "phpunit/phpunit": "^13.0",
         "pyrech/composer-changelogs": "^2.2",
         "roave/security-advisories": "dev-master",
         "symfony/browser-kit": "^7.4",

phpstan.neon

@@ -2,7 +2,9 @@ includes:
 	- phpstan-baseline.neon
 
 parameters:
-	phpVersion: 80200
+	phpVersion:
+		min: 80200
+		max: 80400
 	level: 6
 	paths:
 		- src/

phpunit.xml.dist

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/11.5/phpunit.xsd"
+    xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/13.0/phpunit.xsd"
     bootstrap="vendor/autoload.php"
     executionOrder="depends,defects"
     beStrictAboutOutputDuringTests="true"

tests/Functional/DummyLoggerServiceTest.php

@@ -9,12 +9,10 @@
 use Monolog\Level;
 use OpenTelemetry\SDK\Logs\ReadableLogRecord;
 use OpenTelemetry\SDK\Trace\StatusData;
-use PHPUnit\Framework\Attributes\CoversClass;
 use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
 use Zalas\PHPUnit\Globals\Attribute\Env;
 
 #[Env('KERNEL_CLASS', Kernel::class)]
-#[CoversClass(DummyLoggerService::class)]
 class DummyLoggerServiceTest extends KernelTestCase
 {
     use LoggingTestCaseTrait;

tests/Functional/DummyMeterServiceTest.php

@@ -6,13 +6,11 @@
 use App\Service\DummyMeterService;
 use OpenTelemetry\SDK\Metrics\Data\HistogramDataPoint;
 use OpenTelemetry\SDK\Metrics\Data\NumberDataPoint;
-use PHPUnit\Framework\Attributes\CoversClass;
 use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
 use Symfony\Component\VarDumper\Test\VarDumperTestTrait;
 use Zalas\PHPUnit\Globals\Attribute\Env;
 
 #[Env('KERNEL_CLASS', Kernel::class)]
-#[CoversClass(DummyMeterService::class)]
 final class DummyMeterServiceTest extends KernelTestCase
 {
     use MeterTestCaseTrait;

tests/Unit/OpenTelemetry/Exporter/OtlpExporterOptionsTest.php

@@ -12,8 +12,6 @@
 use PHPUnit\Framework\TestCase;
 
 /**
- * @coversDefaultClass \FriendsOfOpenTelemetry\OpenTelemetryBundle\OpenTelemetry\Exporter\OtlpExporterOptions
- *
  * @phpstan-import-type ExporterOptions from ExporterOptionsInterface
  */
 #[CoversClass(OtlpExporterOptions::class)]

tests/Unit/OpenTelemetry/Trace/SpanProcessor/NoopSpanProcessorFactoryTest.php

@@ -6,9 +6,6 @@
 use PHPUnit\Framework\Attributes\CoversClass;
 use PHPUnit\Framework\TestCase;
 
-/**
- * @coversDefaultClass \FriendsOfOpenTelemetry\OpenTelemetryBundle\OpenTelemetry\Trace\SpanProcessor\NoopSpanProcessorFactory
- */
 #[CoversClass(NoopSpanProcessorFactory::class)]
 class NoopSpanProcessorFactoryTest extends TestCase
 {

tests/Unit/OpenTelemetry/Trace/SpanProcessor/SimpleSpanProcessorFactoryTest.php

@@ -10,9 +10,6 @@
 use PHPUnit\Framework\Attributes\CoversClass;
 use PHPUnit\Framework\TestCase;
 
-/**
- * @coversDefaultClass \FriendsOfOpenTelemetry\OpenTelemetryBundle\OpenTelemetry\Trace\SpanProcessor\SimpleSpanProcessorFactory
- */
 #[CoversClass(SimpleSpanProcessorFactory::class)]
 class SimpleSpanProcessorFactoryTest extends TestCase
 {