Update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Type	Update
infection/infection	0.32.7 → 0.33.2					require	minor
laminas/laminas-ci-matrix-action	1.32.0 → v1.33					action	minor
psalm/plugin-phpunit	^0.19.7 → ^0.20.1					require-dev	minor
shivammathur/setup-php	2.36.0 → 2.37.1					action	minor

---

Release Notes

infection/infection (infection/infection)

v0.33.2

Compare Source

Changed:

• Use N processes by default instead of 1 by @​maks-rafalko in #​3157

Internal:

• ci: Introduce zizmor GitHub Actions security analysis by @​theofidry in #​3158

Full Changelog: infection/infection@0.33.1...0.33.2

v0.33.1

Compare Source

Changed:

• Update symfony packages to unblock #​3152 by @​maks-rafalko in #​3153
• Allow infection/include-interceptor:^1.0.0 by @​maks-rafalko in #​3152
• fix(phpunit): Parse PHPUnit extra options as console input tokens by @​theofidry in #​3147

Full Changelog: infection/infection@0.33.0...0.33.1

v0.33.0

Compare Source

Added:

• feat: New testing framework Testo support by @​roxblnfk in #​3107
• feat(logger): Make dots-per-row configurable in the dot progress formatter by @​paulbalandan in #​3129

Changed:

• feat!: BC break: Improve the project directory resolution to the ConfigurationFactory by @​theofidry in #​3009

Fixed:

• fix(git): Fix the project directory resolution when git is not available by @​theofidry in #​3113

Internal:

• feat(reporter): Introduce the Reporter framework by @​theofidry in #​3095

Full Changelog: infection/infection@0.32.7...0.33.0

laminas/laminas-ci-matrix-action (laminas/laminas-ci-matrix-action)

v1.33

Compare Source

v1.33.0

Compare Source

Release Notes for 1.33.0

1.33.0

• Total issues resolved: 0
• Total pull requests resolved: 4
• Total contributors: 2

Enhancement

• 368: Add support for Twig CS Fixer code checks thanks to @​guillaume-sainthillier

Documentation,Enhancement

• 367: docs: improve supported tools documentation with tables thanks to @​guillaume-sainthillier

Dependencies

• 365: Update actions/upload-artifact action to v6 thanks to @​renovate[bot]
• 364: Update actions/download-artifact action to v7 thanks to @​renovate[bot]

psalm/psalm-plugin-phpunit (psalm/plugin-phpunit)

v0.20.1

Compare Source

v0.20.0

Compare Source

What's Changed

• Switch to psalm/psalm-plugin-api 0.1.0 (targeting Psalm v7 beta)
• Bump actions/cache from 3 to 4 by @​dependabot[bot] in #​153
• Bump actions/checkout from 3 to 4 by @​dependabot[bot] in #​152
• Bump actions/cache from 4 to 5 by @​dependabot[bot] in #​157
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in #​156

Full Changelog: psalm/psalm-plugin-phpunit@0.19.5...0.20.0

shivammathur/setup-php (shivammathur/setup-php)

v2.37.1

Compare Source

Changelog

Security Updates

• Fixed shell command escaping and PHP version input validation. (GHSA-pqwm-q9pv-ph8r / CVE-2026-46420)

[!NOTE]
This can affect workflows that pass values from users or pull requests to setup-php, for example from comments, dispatch inputs, PR titles/branches, generated matrices, or files such as .php-version and composer.json.
Be especially careful with pull_request_target workflows that use any value from the pull request. Workflows that only use fixed trusted values are not expected to be affected, but updating to 2.37.1 is recommended.

• Fixed GitHub auth handling for Composer versions affected by GHSA-f9f8-rm49-7jv2. It should now skip configuring GitHub OAuth if affected Composer versions are installed and show a warning to upgrade. (GHSA-5wxr-w449-57cm / CVE-2026-45793)

[!NOTE]
This only affects workflows where the composer version is pinned like composer:2.9.7, workflows that do not pin the version or use composer:v2 are not affected as those get automatic updates. In case you pin the version, it is highly recommended to upgrade and have automation to do such timely upgrades in your workflows.

Fixes and Improvements

• Fixed support for phalcon on Windows.

• Fixed restoring tools when using cached using previous runs.

• Improved enabling gearman extension on Linux.

• Fixed fallback when installing PhpManager and VcRedist modules on Windows.

• Fixed parsing extension inputs with backslash line continuation.

• Improved workflow examples

  • Added workflow examples for Drupal 11 composer-managed projects and WordPress plugins.
  • Added workflow examples for Yii3 web applications and replaced Yii2 Starter Kit examples.
  • Updated workflow examples to use currently supported PHP versions.

• Updated OS release mappings for newer Ubuntu releases.

• Updated internal workflows for Codecov v6 and NPM trusted publishing.

• Updated Node.js dependencies.

• Fixed composer version in README. (#​1081)

Thanks @​Pyker for the contribution

For the complete list of changes, please refer to the Full Changelog

Follow for updates

v2.37.0

Compare Source

Changelog

• Updated the action to use Node.js 24. (#​1049)

• Added support for master in the php-version input. It should now set up a nightly build from the master branch of php-src.

• Added support to install ioncube and zephir_parser extensions on PHP 8.5.

• Expanded support for installing extensions using Homebrew on macOS from the shivammathur/homebrew-extensions tap. This includes pdo_firebird, sqlsrv, pdo_sqlsrv, pecl_http, swow, xhprof, and several other supported extensions.

• Improved switching PHP versions on Linux. Missing alternatives should now be registered automatically before switching versions. #​1067

• Improved support for Homebrew on macOS. It should now retry stuck brew commands with an inactivity watchdog.

• Improved support for adding tools. It should now correctly use the latest release download URL when a version is not specified. (#​1064)

• Improved tool setup and caching on self-hosted runners.

• Improved support for sqlsrv and pdo_sqlsrv on PHP 8.1 and 8.2.

• Fixed installing pecl_http on Windows. Switched to downloads.php.net for fixing ICU version post install.

• Fixed cached couchbase installs on macOS using the shivammathur/cache-extensions action.

• Replaced @actions/core with local functions to reduce bundle size.

• Refactored to use ES2024+ features for Node 24.

• Updated actions used in examples to their latest versions.

• Updated Node.js dependencies.

Thanks @​theluckystrike for the contribution 🎉

Thanks @​code-kudu, @​ssddanbrown, @​RoundingWell, and @​ntzrbtr for the sponsorship ❤️

For the complete list of changes, please refer to the Full Changelog

Follow for updates

---

Configuration

📅 Schedule: (in timezone UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

Read more about the use of Renovate Bot within ocramius/* projects.

[renovate]

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

---

• Branch has one or more failed status checks

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: composer.lock

Command failed: composer update infection/infection:0.33.2 psalm/plugin-phpunit:0.20.1 --with-dependencies --ignore-platform-req=ext-* --ignore-platform-req=lib-* --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins --minimal-changes
Loading composer repositories with package information
Dependency sanmai/later is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires psalm/plugin-phpunit ^0.20.1 -> satisfiable by psalm/plugin-phpunit[0.20.1].
    - vimeo/psalm is locked to version 6.16.1 and an update of this package was not requested.
    - psalm/plugin-phpunit 0.20.1 requires psalm/psalm-plugin-api ^0.1 -> satisfiable by psalm/psalm-plugin-api[0.1.0].
    - psalm/psalm-plugin-api 0.1.0 conflicts with vimeo/psalm <7.0.0.

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.