fix(security+psalm): update phpunit to 12.5.9 and suppress ForbiddenCode

walmir-silva · walmir-silva · commit 62320425488d · 2026-03-02T10:26:24.000-03:00
Security: - phpunit/phpunit updated from ^12.0 to ^12.5.8 (resolves CVE-2026-24765: unsafe deserialisation in PHPT code coverage handling, severity HIGH) - 'composer audit' now reports no vulnerabilities Psalm ForbiddenCode: - Add @psalm-suppress ForbiddenCode on shell_exec() calls in: - src/Core/ProcessExecutor: tier-3 binary resolution via 'command -v' - src/Runner/ComposerAuditRunner: composer binary resolution Both uses are safe: input is sanitised with escapeshellarg() Local CI simulation results: dependencies PASSED (composer validate + check-platform-reqs) security PASSED (no advisories) phpstan PASSED (PHPStan level 9: 0 errors; Psalm: 0 errors) cs-fixer PASSED (code style OK) tests OK (41 tests, 81 assertions)
diff --git a/composer.json b/composer.json
@@ -27,9 +27,9 @@
         "php": ">=8.4"
     },
     "require-dev": {
-        "phpunit/phpunit": "^12.0",
-        "phpstan/phpstan": "^2.0",
         "friendsofphp/php-cs-fixer": "^3.64",
+        "phpstan/phpstan": "^2.0",
+        "phpunit/phpunit": "^12.5.8",
         "rector/rector": "^2.0",
         "vimeo/psalm": "^6.0"
     },
diff --git a/src/Core/ProcessExecutor.php b/src/Core/ProcessExecutor.php
@@ -99,6 +99,7 @@ public function resolveBinary(string $vendorBin): ?string
 
         // Tier 3: Global PATH
         $basename = basename($vendorBin);
+        /** @psalm-suppress ForbiddenCode — shell_exec is intentional for binary resolution; input is escaped */
         $globalBin = trim((string) shell_exec('command -v ' . escapeshellarg($basename) . ' 2>/dev/null'));
         if ('' !== $globalBin && is_executable($globalBin)) {
             return $globalBin;
diff --git a/src/Runner/ComposerAuditRunner.php b/src/Runner/ComposerAuditRunner.php
@@ -39,6 +39,7 @@ protected function defaultArguments(): array
     #[\Override]
     protected function binary(): ?string
     {
+        /** @psalm-suppress ForbiddenCode — shell_exec is intentional for binary resolution; input is escaped */
         $global = trim((string) shell_exec('command -v ' . escapeshellarg('composer') . ' 2>/dev/null'));
 
         if ('' !== $global && is_executable($global)) {

Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,7 @@ protected function defaultArguments(): array`
`39`	`39`	`#[\Override]`
`40`	`40`	`protected function binary(): ?string`
`41`	`41`	`{`
	`42`	`+ /** @psalm-suppress ForbiddenCode — shell_exec is intentional for binary resolution; input is escaped */`
`42`	`43`	`$global = trim((string) shell_exec('command -v ' . escapeshellarg('composer') . ' 2>/dev/null'));`
`43`	`44`
`44`	`45`	`if ('' !== $global && is_executable($global)) {`