
chore(deps): upgrade PHPUnit to ^13 to clear security advisories#216

Merged
gaelreyrol merged 2 commits into FriendsOfOpenTelemetry:main from gaelreyrol:fix/phpunit-security-upgrade
Apr 18, 2026

Conversation

Contributor

@gaelreyrol gaelreyrol commented Apr 18, 2026

Summary

  • Bumps phpunit/phpunit from ^11.5 to ^13.0. All currently reachable 11.5.x releases are blocked by Packagist security advisories (PKSA-5jz8-6tcw-pbk4, PKSA-z3gr-8qht-p93v), so composer update fails as-is.
  • PHPUnit 13 requires PHP 8.4+. The PHPUnit CI job narrows to PHP 8.4 only. Runtime compat with PHP 8.2/8.3 stays declared in composer.json; PHPStan now analyses against a phpVersion range (min: 80200, max: 80400) across 8.2/8.3/8.4 in CI as the static replacement for the dropped PHPUnit coverage.
  • PHP-CS-Fixer matrix collapses to PHP 8.2 only — its output is deterministic across runtimes, and 8.2 (lowest supported) matches the tool's own recommendation.
  • Removes three redundant @coversDefaultClass doc-comments; each already carries an equivalent #[CoversClass] attribute (deprecated in 12+).

Test plan

  • composer update resolves with no security-advisory errors
  • composer run test — 411 tests pass (9 pre-existing skips) on PHPUnit 13.1.7
  • composer run phpstan — clean across the 80200–80400 range, no baseline changes needed
  • composer run php-cs-fixer:lint — clean
  • CI matrix renders as expected: PHPStan 3× (8.2/8.3/8.4), PHPUnit 1× (8.4), PHP-CS-Fixer 1× (8.2)

Bump phpunit/phpunit from ^11.5 to ^13.0 since all reachable 11.5.x releases
are now blocked by Packagist advisories (PKSA-5jz8-6tcw-pbk4, PKSA-z3gr-8qht-p93v).

PHPUnit 13 requires PHP 8.4+, so the PHPUnit CI job narrows to 8.4 only. To
preserve declared runtime compatibility with PHP 8.2/8.3, PHPStan now analyses
against a phpVersion range (min: 80200, max: 80400) — catching both too-new
syntax and features removed before 8.4. PHPStan still runs in CI across
8.2/8.3/8.4 as the static replacement for the dropped PHPUnit coverage.

PHP-CS-Fixer matrix collapses to PHP 8.2 only (its output is deterministic
across runtimes; 8.2 is the lowest supported, matching the tool's own guidance).

Also removes redundant @coversDefaultClass doc-comments from three test files;
each already carries an equivalent #[CoversClass] attribute.
@gaelreyrol gaelreyrol requested a review from a team as a code owner April 18, 2026 07:48
@gaelreyrol gaelreyrol self-assigned this Apr 18, 2026
@gaelreyrol gaelreyrol added labels Code: Tests, dependencies (Pull requests that update a dependency file) Apr 18, 2026
PHPUnit 13 rejects #[CoversClass] targets outside the <source> coverage
include when --coverage-clover is active. DummyLoggerService and
DummyMeterService live in the test application (tests/Functional/Application/src),
so the attributes were already incorrect — drop them; these are functional
integration tests, not unit coverage tests. Locally masked by XDEBUG_MODE=off
in composer run test.

Narrow PHPStan CI matrix to PHP 8.4 only. Installing project vendor on 8.2/8.3
now fails because phpunit/phpunit ^13 requires PHP 8.4+. Cross-version static
analysis is driven by phpVersion: {min: 80200, max: 80400} in phpstan.neon and
is runtime-independent — running PHPStan on three PHP versions was redundant.
@gaelreyrol gaelreyrol added this to the Beta milestone Apr 18, 2026

codecov Bot commented Apr 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.21%. Comparing base (6a48d3a) to head (b0dc572).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff              @@
##               main     #216      +/-   ##
============================================
- Coverage     91.25%   91.21%   -0.04%     
  Complexity      692      692              
============================================
  Files           116      116              
  Lines          2789     2789              
============================================
- Hits           2545     2544       -1     
- Misses          244      245       +1     
Flag      Coverage Δ
phpunit   91.21% <ø> (-0.04%) ⬇️


@gaelreyrol gaelreyrol merged commit b628f4d into FriendsOfOpenTelemetry:main Apr 18, 2026
5 of 6 checks passed
@gaelreyrol gaelreyrol deleted the fix/phpunit-security-upgrade branch April 18, 2026 07:57