chore(deps): Update Composer dependencies (security-patch) #440

Open
nielsdrost7 wants to merge 1 commit into develop from automated/composer-update-32

nielsdrost7 (Collaborator) commented Apr 20, 2026

Composer Dependency Update

This PR updates Composer dependencies.

Update Type:
Triggered by: schedule

Updated Packages

## Direct Dependencies (from composer.json)

doctrine/dbal: 4.4.1 → 4.4.3
filament/actions: v5.0.0 → v5.5.2
filament/filament: v5.0.0 → v5.5.2
laravel/framework: v12.47.0 → v12.56.0
maatwebsite/excel: 3.1.67 → 3.1.68
nwidart/laravel-modules: v12.0.4 → v12.0.5
spatie/laravel-permission: 6.24.0 → 6.25.0
barryvdh/laravel-debugbar: v3.16.3 → v4.2.7
driftingly/rector-laravel: 2.1.9 → 2.3.0
larastan/larastan: v3.9.0 → v3.9.6
laravel/boost: v1.8.10 → v2.4.4
laravel/pail: v1.2.4 → v1.2.6
laravel/sail: v1.52.0 → v1.57.0
laravel/tinker: v2.11.0 → v3.0.2
nunomaduro/collision: v8.8.3 → v8.9.3
phpunit/phpunit: 11.5.48 → 11.5.55
rector/rector: 2.3.1 → 2.4.2

## Transient Dependencies (indirect)

blade-ui-kit/blade-heroicons: 2.6.0 → 2.7.0
blade-ui-kit/blade-icons: 1.8.0 → 1.9.1
brick/math: 0.14.1 → 0.14.8
chillerlan/php-settings-container: 3.2.1 → 3.3.0
danharrin/livewire-rate-limiting: v2.1.0 → v2.2.0
doctrine/deprecations: 1.1.5 → 1.1.6
filament/forms: v5.0.0 → v5.5.2
filament/infolists: v5.0.0 → v5.5.2
filament/notifications: v5.0.0 → v5.5.2
filament/query-builder: v5.0.0 → v5.5.2
filament/schemas: v5.0.0 → v5.5.2
filament/support: v5.0.0 → v5.5.2
filament/tables: v5.0.0 → v5.5.2
filament/widgets: v5.0.0 → v5.5.2
guzzlehttp/psr7: 2.8.0 → 2.9.0
kirschbaum-development/eloquent-power-joins: 4.2.11 → 4.3.1
laravel/prompts: v0.3.10 → v0.3.16
laravel/serializable-closure: v2.0.8 → v2.0.12
league/commonmark: 2.8.0 → 2.8.2
league/flysystem: 3.30.2 → 3.33.0
league/flysystem-local: 3.30.2 → 3.31.0
league/uri: 7.8.0 → 7.8.1
league/uri-components: 7.8.0 → 7.8.1
league/uri-interfaces: 7.8.0 → 7.8.1
livewire/livewire: v4.0.1 → v4.2.4
nesbot/carbon: 3.11.0 → 3.11.4
nette/php-generator: v4.2.0 → v4.2.2
nette/schema: v1.3.3 → v1.3.5
nette/utils: v4.1.1 → v4.1.3
nunomaduro/termwind: v2.3.3 → v2.4.0
phpoffice/phpspreadsheet: 1.30.2 → 1.30.4
ryangjchandler/blade-capture-directive: v1.1.0 → v1.1.1
spatie/laravel-package-tools: 1.92.7 → 1.93.0
spatie/shiki-php: 2.3.2 → 2.3.3
symfony/clock: v7.4.0 → v7.4.8
symfony/console: v7.4.3 → v7.4.8
symfony/css-selector: v7.4.0 → v7.4.8
symfony/error-handler: v7.4.0 → v7.4.8
symfony/event-dispatcher: v7.4.0 → v7.4.8
symfony/finder: v7.4.3 → v7.4.8
symfony/html-sanitizer: v7.4.0 → v7.4.8
symfony/http-foundation: v7.4.3 → v7.4.8
symfony/http-kernel: v7.4.3 → v7.4.8
symfony/mailer: v7.4.3 → v7.4.8
symfony/mime: v7.4.0 → v7.4.8
symfony/polyfill-ctype: v1.33.0 → v1.36.0
symfony/polyfill-intl-grapheme: v1.33.0 → v1.36.0
symfony/polyfill-intl-idn: v1.33.0 → v1.36.0
symfony/polyfill-intl-normalizer: v1.33.0 → v1.36.0
symfony/polyfill-mbstring: v1.33.0 → v1.36.0
symfony/polyfill-php80: v1.33.0 → v1.36.0
symfony/polyfill-php83: v1.33.0 → v1.36.0
symfony/polyfill-php84: v1.33.0 → v1.36.0
symfony/polyfill-php85: v1.33.0 → v1.36.0
symfony/polyfill-uuid: v1.33.0 → v1.36.0
symfony/process: v7.4.3 → v7.4.8
symfony/routing: v7.4.3 → v7.4.8
symfony/string: v7.4.0 → v7.4.8
symfony/translation: v7.4.3 → v7.4.8
symfony/uid: v7.4.0 → v7.4.8
symfony/var-dumper: v7.4.3 → v7.4.8
voku/portable-ascii: 2.0.3 → 2.1.0
iamcal/sql-parser: v0.6 → v0.7
laravel/mcp: v0.5.2 → v0.6.7
laravel/roster: v0.2.9 → v0.5.1
php-debugbar/php-debugbar: v2.2.6 → v3.7.5
php-debugbar/symfony-bridge: (new) → v1.1.0
phpstan/phpstan: 2.1.33 → 2.1.50
phpunit/php-file-iterator: 5.1.0 → 5.1.1
psy/psysh: v0.12.18 → v0.12.22
sebastian/comparator: 6.3.2 → 6.3.3
symfony/yaml: v7.4.1 → v7.4.8
webmozart/assert: 1.12.1 → 2.3.0
anourvalar/eloquent-serialize: 1.3.5 → (removed)

Checks Performed

  • Unit tests passed (commented out until further notice)
  • Static analysis completed (commented out until further notice)
  • Code formatting checked (commented out until further notice)

Security Audit

Security vulnerabilities detected. Please review audit-report.json.

Review Checklist

  • Review updated packages and their changelogs
  • Verify all tests pass
  • Check for breaking changes
  • Update documentation if needed
  • Test manually in development environment

This PR was automatically created by the Composer Update workflow.

Summary by CodeRabbit

  • Chores
    • Updated core project dependencies and development tools to newer versions
    • Added comprehensive security advisory records documenting known vulnerabilities in dependencies, including affected versions and severity information

coderabbitai Bot (Contributor) commented Apr 20, 2026

📝 Walkthrough

Updated audit-report.json by populating security advisories for six packages (filament/tables, league/commonmark, phpunit/phpunit, psy/psysh, symfony/process) with detailed advisory metadata. Also updated updated-packages.txt to reflect newer versions of existing dependencies and introduce additional direct dependencies including doctrine/dbal, maatwebsite/excel, spatie/laravel-permission, and others.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Audit Advisories: audit-report.json | Converted empty advisories array into a keyed object containing 8 advisory entries across 6 packages, each with fields: advisoryId, affectedVersions, title, cve, link, reportedAt, sources, and severity. |
| Dependency Updates: updated-packages.txt | Upgraded versions for filament/*, laravel/*, phpunit/*, and symfony/* packages; added new direct dependencies (doctrine/dbal, maatwebsite/excel, spatie/laravel-permission, laravel-modules, laravel-debugbar, and others); removed anourvalar/eloquent-serialize; updated transitive dependencies across Filament, Livewire, and supporting tooling ecosystems. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Security checks hop along the way,
Packages pruned and updated today,
No advisories left in the dark,
Each dependency branded with care and a mark.
Fresh versions leap forward with grace!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the main change: a security-focused update to Composer dependencies, as evidenced by the audit-report.json additions and version bumps across packages. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 4

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6e3e1bbf-f19e-4a93-acec-45d6e4eab7fb

📥 Commits

Reviewing files that changed from the base of the PR and between cc00605 and 6eb9843.

⛔ Files ignored due to path filters (1)
  • composer.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • audit-report.json
  • updated-packages.txt

Comment thread updated-packages.txt
Comment on lines +3 to +19
doctrine/dbal: 4.4.1 → 4.4.3
filament/actions: v5.0.0 → v5.5.2
filament/filament: v5.0.0 → v5.5.2
laravel/framework: v12.47.0 → v12.56.0
maatwebsite/excel: 3.1.67 → 3.1.68
nwidart/laravel-modules: v12.0.4 → v12.0.5
spatie/laravel-permission: 6.24.0 → 6.25.0
barryvdh/laravel-debugbar: v3.16.3 → v4.2.7
driftingly/rector-laravel: 2.1.9 → 2.3.0
larastan/larastan: v3.9.0 → v3.9.6
laravel/boost: v1.8.10 → v2.4.4
laravel/pail: v1.2.4 → v1.2.6
laravel/sail: v1.52.0 → v1.57.0
laravel/tinker: v2.11.0 → v3.0.2
nunomaduro/collision: v8.8.3 → v8.9.3
phpunit/phpunit: 11.5.48 → 11.5.55
rector/rector: 2.3.1 → 2.4.2
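
Review bot: the PR is titled as a security-patch update, yet this hunk carries three major-version jumps (barryvdh/laravel-debugbar v3.16.3 → v4.2.7, laravel/boost v1.8.10 → v2.4.4, laravel/tinker v2.11.0 → v3.0.2) next to patch-level bumps such as doctrine/dbal 4.4.1 → 4.4.3. Suggest moving the major bumps into their own PRs so the patch-level security fixes can merge without waiting on breaking-change review, and noting in the file which lines correspond to an entry in audit-report.json.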
⚠️ Potential issue | 🟠 Major

Recommend running the full test suite despite being commented out.

The PR objectives mention that "checks for unit tests, static analysis, and code formatting are present but commented out." Given the security-critical nature of this PR with multiple major version bumps (laravel-debugbar v3→v4, laravel/boost v1→v2, laravel/tinker v2→v3), it's essential to run the full test suite, static analysis, and ensure code formatting compliance before merging.

Consider:

  1. Uncommenting and running unit tests to catch breaking changes
  2. Running static analysis (PHPStan/Larastan) to detect type compatibility issues
  3. Performing manual testing in a development environment as noted in the review checklist
  4. Checking application logs after deployment for deprecation warnings
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@updated-packages.txt` around lines 3 - 19, Uncomment and re-enable the CI
steps that run the unit tests, static analysis, and code-formatting checks (the
"unit tests", "static analysis"/PHPStan(Larastan) and "code style"/php-cs-fixer
jobs), then run composer update and execute the full test suite locally/CI to
catch breakages introduced by major bumps (notably laravel-debugbar,
laravel/boost, laravel/tinker); if tests or Larastan report failures, fix
incompatibilities or pin versions as needed, re-run php-cs-fixer to enforce
formatting, perform manual dev environment verification, and after deployment
monitor application logs for deprecation/warning messages to ensure nothing
breaks in production.

Comment thread updated-packages.txt
maatwebsite/excel: 3.1.67 → 3.1.68
nwidart/laravel-modules: v12.0.4 → v12.0.5
spatie/laravel-permission: 6.24.0 → 6.25.0
barryvdh/laravel-debugbar: v3.16.3 → v4.2.7
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Fetch the laravel-debugbar v4 changelog to identify breaking changes

echo "Fetching laravel-debugbar changelog for v4.x..."
gh api repos/barryvdh/laravel-debugbar/releases --jq '.[] | select(.tag_name | startswith("v4.")) | {tag: .tag_name, published: .published_at, body: .body}' | head -50

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 29560


🌐 Web query:

barryvdh laravel-debugbar v4 upgrade guide breaking changes

💡 Result:

The Laravel Debugbar v4 upgrade guide and breaking changes from v3 to v4 are detailed in the official UPGRADE.md file. Key points:

## Installation/Upgrade Steps

  1. Remove the old package: composer remove barryvdh/laravel-debugbar --dev --no-scripts
  2. Install the new package: composer require fruitcake/laravel-debugbar --dev --with-dependencies

## Major Breaking Changes

  • Package and Namespace Change: Moved from barryvdh/laravel-debugbar to fruitcake/laravel-debugbar. Namespace changed to Fruitcake\LaravelDebugbar (update manual service provider/facade registrations if any).
  • php-debugbar Updated to 3.x: Removes jQuery and Font Awesome dependencies. Minimal impact unless using custom collectors.
  • Removed Features:
    • SocketStorage (no longer maintained)
    • Lumen support (no longer maintained)
    • FileCollector (no longer useful)
    • Helper methods: start_measure, add_measure, stop_measure, measure (use debugbar->startMeasure etc. instead)
  • Query Collector Changes: Now extends php-debugbar widget. bindings parameter removed in favor of params.
  • Config Changes: 'hiddens' option replaced with 'masked' (uses keys, not array paths). Inertia has its own collector/config – update config/debugbar.php accordingly.
  • Extending Packages: modifyResponse changed to handleResponse (now a listener, not middleware). HttpDriver is now session-less (uses cookies). Octane resets collectors (remove from flush config).

## Other Notes

  • Publish and review new config/debugbar.php for updated defaults and removed deprecations.
  • Compatible with Laravel 9-12.x.
  • v4.0.0 released Jan 23, 2026; latest versions (e.g., v4.2.4 as of Apr 2026) include minor fixes but no additional breaking changes noted.

Full details in official UPGRADE.md: https://github.com/fruitcake/laravel-debugbar/blob/master/UPGRADE.md


Review the UPGRADE.md for breaking changes before deploying v4.2.7.

barryvdh/laravel-debugbar v3.16.3 → v4.2.7 includes breaking changes: package renamed to fruitcake/laravel-debugbar with namespace change to Fruitcake\LaravelDebugbar, php-debugbar upgraded to 3.x, config structure changes ('hiddens' → 'masked'), removed helper methods, Query Collector API changes (bindings parameter removed), and other modifications. Review https://github.com/fruitcake/laravel-debugbar/blob/master/UPGRADE.md and run commented-out tests to validate the upgrade.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@updated-packages.txt` at line 10, Upgrade to fruitcake/laravel-debugbar
requires code/config changes: update composer/package reference to
fruitcake/laravel-debugbar and replace any PHP namespaces/usages from
Barryvdh\Debugbar to Fruitcake\LaravelDebugbar (search for uses of Debugbar
facade/class names), update config/debugbar.php keys from 'hiddens' → 'masked'
and adapt any config shape changes, remove/replace calls to removed helper
methods and adjust Query Collector usages to the new API (stop passing the
removed bindings parameter to QueryCollector methods), and run the commented-out
upgrade tests and full test suite per UPGRADE.md to validate behavior.

Comment thread updated-packages.txt
barryvdh/laravel-debugbar: v3.16.3 → v4.2.7
driftingly/rector-laravel: 2.1.9 → 2.3.0
larastan/larastan: v3.9.0 → v3.9.6
laravel/boost: v1.8.10 → v2.4.4
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Fetch laravel/boost v2 releases to identify breaking changes

echo "Fetching laravel/boost v2.x releases..."
gh api repos/laravel/boost/releases --jq '.[] | select(.tag_name | startswith("v2.")) | {tag: .tag_name, published: .published_at, body: .body}' | head -50

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 23934


🌐 Web query:

Laravel Boost v2 upgrade guide breaking changes from v1

💡 Result:

The official Laravel Boost v2.x upgrade guide from v1.x is available in the GitHub repository at UPGRADE.md. Key breaking changes and migration steps include:

Minimum Requirements:

  • PHP 8.2+
  • Laravel 11.x+

General Upgrade Process: If not using custom agents or overrides, minimal issues expected. Run composer require laravel/boost:^2.0 then php artisan boost:install to automatically handle migration.

Custom Agent Changes (Low Impact):

  • CodeEnvironment renamed to Agent.
  • Namespace changes: Extend Laravel\Boost\Install\Agents\Agent instead of CodeEnvironment.
  • Implement SupportsGuidelines, and optionally SupportsMcp, SupportsSkills. Example migration code provided in docs.

Configuration File Changes (Low Impact):

  • Paths changed from code_environment to agents in config/boost.php, e.g., config('boost.agents.junie.guidelines_path').

Installation Command Signature (Low Impact):

  • Flags changed from opt-out (--ignore-guidelines, --ignore-mcp) to opt-in (--guidelines, --skills, --mcp).

Later minor releases (e.g., v2.2.0) introduced additional small breaking changes like Inertia guidelines path restructuring (.ai/inertia-laravel/core.blade.php to versioned paths like .ai/inertia-laravel/2/core.blade.php), but core v1 to v2 changes are as above.

Full details: https://github.com/laravel/boost/blob/main/UPGRADE.md


Review breaking changes in laravel/boost v1→v2 upgrade.

laravel/boost v2.4.4 introduces breaking changes from v1.8.10, including minimum PHP 8.2+ requirement, Laravel 11.x+ dependency, namespace changes (CodeEnvironment → Agent), and configuration updates (code_environment → agents paths). Verify the project meets these requirements and review the official upgrade guide at https://github.com/laravel/boost/blob/main/UPGRADE.md for migration steps, particularly configuration and custom agent updates if applicable.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@updated-packages.txt` at line 13, You bumped laravel/boost from v1.8.10 to
v2.4.4 which contains breaking changes; audit and update the project to meet PHP
8.2+ and Laravel 11.x+ requirements, rename any CodeEnvironment references to
Agent (classes, type hints, imports), and update configuration keys and paths
from code_environment to the new agents structure (including any custom agent
implementations). Follow the upgrade guide at the package repo to migrate
configuration files, service bindings, and provider registrations, run tests and
static analysis, and fix any type/signature changes in functions or classes that
reference laravel/boost APIs.

Comment thread updated-packages.txt
psy/psysh: v0.12.18 → v0.12.22
sebastian/comparator: 6.3.2 → 6.3.3
symfony/yaml: v7.4.1 → v7.4.8
webmozart/assert: 1.12.1 → 2.3.0
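
Review bot: webmozart/assert 1.12.1 → 2.3.0 on the last line is listed in the PR description under indirect dependencies, so the major jump was pulled in by some other package in this update rather than requested directly. Suggest recording which parent package now requires the 2.x line (composer why webmozart/assert reports it), since compatibility with the new major version is that parent's responsibility and the review should start there.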
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check webmozart/assert v2 changelog for breaking changes

echo "Fetching webmozart/assert v2.x releases..."
gh api repos/webmozarts/assert/releases --jq '.[] | select(.tag_name | startswith("2.")) | {tag: .tag_name, published: .published_at, body: .body}' | head -30

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 1274


🌐 Web query:

webmozart assert version 2 breaking changes upgrade guide from v1

💡 Result:

The webmozart/assert library (also referenced as webmozarts/assert on GitHub) has version 2.x released, with the latest being 2.1.6 as of February 2026. Version 2.0.0 was released on December 21 (year not specified in results, but post-1.11.0). There is no explicit "upgrade guide from v1 to v2" found in the searched sources.

Breaking changes and upgrade considerations are detailed in the CHANGELOG.md, primarily from older v1 versions, but v2 likely includes cumulative changes plus new ones not fully detailed in snippets:

  • Removed symfony/polyfill-ctype dependency; now requires ext-ctype PHP extension (1.11.0). Provide the polyfill if needed.
  • Trait methods now check assertions directly instead of using callStatic.
  • isList now correctly handles lists with NaN.
  • reportInvalidArgument return type changed to never.
  • Multibyte fixes in string methods like endsWith, length (may break if relying on old multibyte-incorrect behavior).
  • Deprecated isTraversable in favor of isIterable.
  • Support for PHP <7.2 removed (1.10.0).
  • Other additions/fixes in v1 like new methods (positiveInteger, notFalse, etc.), Psalm/PHPStan improvements.

Release notes for v2.x (e.g., 2.0.0, 2.1.x) direct to "see change log for changes," but specific v2 breaking changes are not explicitly listed in available snippets. Check the full CHANGELOG.md on the GitHub repo (https://github.com/webmozarts/assert/blob/master/CHANGELOG.md) for complete details, as it covers UNRELEASED and all versions up to current.

To upgrade:

  1. Update via Composer: composer require webmozart/assert:^2.0.
  2. Ensure PHP meets requirements (likely PHP 8+ based on recent activity).
  3. Install ext-ctype if missing.
  4. Replace deprecated methods (e.g., isTraversable -> isIterable).
  5. Test multibyte string assertions.
  6. Update static analysis tools (PHPStan plugin updated to 2.0 for v2 support).
  7. Review trait usage and assertion behaviors.

The repo is active (last push Feb 2026), official docs at GitHub README.


Major version bump in transient dependency requires verification of breaking changes.

webmozart/assert updated from 1.12.1 to 2.3.0. Known breaking changes in v2 include:

  • PHP version requirement increased (likely PHP 8+; support for PHP <7.2 removed in v1)
  • ext-ctype PHP extension now required (removed symfony/polyfill-ctype dependency)
  • isTraversable() deprecated; use isIterable() instead
  • reportInvalidArgument() return type changed to never
  • Multibyte string handling fixed in methods like endsWith() and length()
  • Trait assertion behavior changed

Review CHANGELOG.md for complete details and verify compatibility with InvoicePlane's codebase.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@updated-packages.txt` at line 95, The webmozart/assert dependency was bumped
from 1.12.1 to 2.3.0 which contains breaking changes; verify and update the
codebase by: confirm PHP runtime requirement and add ext-ctype to composer.json
if needed, scan the code for usage of webmozart/assert API (look for calls to
isTraversable(), reportInvalidArgument(), endsWith(), length() and any
trait-based assertions) and replace deprecated isTraversable() with
isIterable(), update any call sites expecting reportInvalidArgument() to return
(or never) accordingly, review multibyte-sensitive calls to endsWith()/length()
for changed behavior, and run the test suite and static analysis to catch trait
assertion/regression issues—adjust code or pin the package if incompatibilities
are found.
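
The review comments above single out the major-version bumps in updated-packages.txt by hand. As an added example (not part of this PR or of the project's workflow), the script below classifies every line in the "name: old → new" format and returns the entries that need a changelog review before merge. The category names and the rule that a pre-1.0 minor bump counts as breaking are this example's own assumptions; the sample lines are copied from the package list in this PR.

```python
"""Classify lines of an update list written as "vendor/package: old → new"."""
import re

LINE_RE = re.compile(
    r"^(?P<name>[\w.-]+/[\w.-]+):\s*(?P<old>\S+)\s*(?:→|->)\s*(?P<new>\S+)\s*$"
)
VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")

# Categories (names chosen for this example) that need a human to read the changelog.
NEEDS_REVIEW = {"major", "breaking-0.x", "new", "removed", "downgrade", "unknown"}

# Sample input: lines copied from the package list in this PR.
SAMPLE = """\
## Direct Dependencies (from composer.json)
doctrine/dbal: 4.4.1 → 4.4.3
barryvdh/laravel-debugbar: v3.16.3 → v4.2.7
laravel/boost: v1.8.10 → v2.4.4
laravel/tinker: v2.11.0 → v3.0.2
brick/math: 0.14.1 → 0.14.8
iamcal/sql-parser: v0.6 → v0.7
laravel/roster: v0.2.9 → v0.5.1
webmozart/assert: 1.12.1 → 2.3.0
php-debugbar/symfony-bridge: (new) → v1.1.0
anourvalar/eloquent-serialize: 1.3.5 → (removed)
"""


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if text is not a version."""
    match = VERSION_RE.match(text)
    if not match:
        return None
    return tuple(int(part or 0) for part in match.groups())


def classify(old, new):
    """Name the kind of change between two version strings."""
    if old == "(new)":
        return "new"
    if new == "(removed)":
        return "removed"
    a, b = parse_version(old), parse_version(new)
    if a is None or b is None:
        return "unknown"  # unparseable versions go to a human, never pass silently
    if b < a:
        return "downgrade"
    if a[0] != b[0]:
        return "major"
    if a[1] != b[1]:
        # Before 1.0 a minor bump may break callers; Composer's caret
        # operator likewise treats ^0.3 as >=0.3.0 <0.4.0.
        return "breaking-0.x" if a[0] == 0 else "minor"
    return "patch" if a[2] != b[2] else "unchanged"


def parse_updates(text):
    """Yield (name, old, new, kind) for every update line; headings are skipped."""
    rows = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            old, new = match["old"], match["new"]
            rows.append((match["name"], old, new, classify(old, new)))
    return rows


def review_queue(text):
    """Return (name, kind) for entries that should block an unattended merge."""
    return [(n, k) for n, _, _, k in parse_updates(text) if k in NEEDS_REVIEW]


if __name__ == "__main__":
    for name, kind in review_queue(SAMPLE):
        print(f"{kind:13} {name}")
```
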
