
chore(deps): Update Composer dependencies (security-patch)#421

Closed
nielsdrost7 wants to merge 1 commit intodevelopfrom
automated/composer-update-24

Conversation

nielsdrost7 (Collaborator) commented Feb 23, 2026

Composer Dependency Update

This PR updates Composer dependencies.

Update Type:
Triggered by: schedule

Updated Packages

## Direct Dependencies (from composer.json)

filament/actions: v5.0.0 → v5.2.2
filament/filament: v5.0.0 → v5.2.2
laravel/framework: v12.47.0 → v12.52.0
spatie/laravel-permission: 6.24.0 → 6.24.1
barryvdh/laravel-debugbar: v3.16.3 → v4.0.9
larastan/larastan: v3.9.0 → v3.9.2
laravel/boost: v1.8.10 → v2.2.0
laravel/pail: v1.2.4 → v1.2.6
laravel/sail: v1.52.0 → v1.53.0
laravel/tinker: v2.11.0 → v2.11.1
nunomaduro/collision: v8.8.3 → v8.9.1
phpunit/phpunit: 11.5.48 → 11.5.55
rector/rector: 2.3.1 → 2.3.8

## Transient Dependencies (indirect)

blade-ui-kit/blade-icons: 1.8.0 → 1.8.1
brick/math: 0.14.1 → 0.14.8
doctrine/deprecations: 1.1.5 → 1.1.6
filament/forms: v5.0.0 → v5.2.2
filament/infolists: v5.0.0 → v5.2.2
filament/notifications: v5.0.0 → v5.2.2
filament/query-builder: v5.0.0 → v5.2.2
filament/schemas: v5.0.0 → v5.2.2
filament/support: v5.0.0 → v5.2.2
filament/tables: v5.0.0 → v5.2.2
filament/widgets: v5.0.0 → v5.2.2
laravel/prompts: v0.3.10 → v0.3.13
laravel/serializable-closure: v2.0.8 → v2.0.9
league/flysystem: 3.30.2 → 3.31.0
league/flysystem-local: 3.30.2 → 3.31.0
livewire/livewire: v4.0.1 → v4.1.4
nesbot/carbon: 3.11.0 → 3.11.1
nette/php-generator: v4.2.0 → v4.2.1
nette/schema: v1.3.3 → v1.3.5
nette/utils: v4.1.1 → v4.1.3
nunomaduro/termwind: v2.3.3 → v2.4.0
spatie/laravel-package-tools: 1.92.7 → 1.93.0
spatie/shiki-php: 2.3.2 → 2.3.3
symfony/console: v7.4.3 → v7.4.4
symfony/error-handler: v7.4.0 → v7.4.4
symfony/event-dispatcher: v7.4.0 → v7.4.4
symfony/finder: v7.4.3 → v7.4.5
symfony/http-foundation: v7.4.3 → v7.4.5
symfony/http-kernel: v7.4.3 → v7.4.5
symfony/mailer: v7.4.3 → v7.4.4
symfony/mime: v7.4.0 → v7.4.5
symfony/process: v7.4.3 → v7.4.5
symfony/routing: v7.4.3 → v7.4.4
symfony/string: v7.4.0 → v7.4.4
symfony/translation: v7.4.3 → v7.4.4
symfony/uid: v7.4.0 → v7.4.4
symfony/var-dumper: v7.4.3 → v7.4.4
iamcal/sql-parser: v0.6 → v0.7
laravel/mcp: v0.5.2 → v0.5.9
laravel/roster: v0.2.9 → v0.5.0
php-debugbar/php-debugbar: v2.2.6 → v3.4.0
php-debugbar/symfony-bridge: (new) → v1.1.0
phpstan/phpstan: 2.1.33 → 2.1.39
phpunit/php-file-iterator: 5.1.0 → 5.1.1
psy/psysh: v0.12.18 → v0.12.20
sebastian/comparator: 6.3.2 → 6.3.3

Checks Performed

  • Unit tests passed (commented out until further notice)
  • Static analysis completed (commented out until further notice)
  • Code formatting checked (commented out until further notice)

Security Audit

Security vulnerabilities detected. Please review audit-report.json.

Review Checklist

  • Review updated packages and their changelogs
  • Verify all tests pass
  • Check for breaking changes
  • Update documentation if needed
  • Test manually in development environment

This PR was automatically created by the Composer Update workflow.

Summary by CodeRabbit

Release Notes

Chores

  • Updated multiple project dependencies to latest versions, including Laravel framework, testing tools, and utility packages.
  • Documented security advisories for project dependencies.

coderabbitai bot (Contributor) commented Feb 23, 2026

📝 Walkthrough

The PR updates the audit report to document three security advisories for phpunit/phpunit, psy/psysh, and symfony/process packages, converting the advisories field from an empty array into a structured package-to-advisories mapping. It also upgrades multiple project dependencies including Laravel framework to version 12.52.0 and Filament components to 5.2.2.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Security Advisories: audit-report.json | Transformed "advisories" from an empty array to a package-keyed object. Added three security advisories for phpunit/phpunit, psy/psysh, and symfony/process, each with advisory details including CVE, severity, and source information. |
| Dependency Updates: updated-packages.txt | Upgraded direct dependencies including Laravel framework (12.52.0), phpunit (11.5.55), Filament packages (5.2.2), and Rector. Added new packages such as spatie/laravel-permission, barryvdh/laravel-debugbar, and laravel/pail. Updated numerous transient dependencies across Filament, Symfony, and utility packages. |

Poem

🐰 Hop, skip, and a bound—our audits are sound!
Three advisories caught, security sought,
Packages upgraded, vulnerabilities abated,
Laravel leaps forward, dependencies restored!

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 3 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the primary change: updating Composer dependencies with a security patch focus, which aligns with the actual changeset of dependency version bumps and security audit findings. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
audit-report.json (1)

3-19: phpunit CVE-2026-24765 is rated High (CVSS 7.8) — verify your CI/CD pipeline is using the patched version immediately after merge.

The vulnerability exists in the cleanupForCoverage() method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious .coverage files are present prior to PHPT test execution. An attacker with write access could inject malicious .coverage files that execute during test execution — posing a significant risk to development pipelines and automated testing systems.

The vulnerability affects versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52. The upgrade to 11.5.55 lands outside the vulnerable range.

If your CI runners share workspace volumes or allow artifact injection between jobs, consider auditing those permissions as a defence-in-depth measure even after this patch lands.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@audit-report.json` around lines 3 - 19, Audit found phpunit/phpunit is
vulnerable (CVE-2026-24765) due to unsafe deserialization in
cleanupForCoverage(); update your dependency constraints to a patched release
(e.g., bump phpunit/phpunit to >=11.5.55 for the 11.x branch or >=12.5.8 for
12.x, or otherwise to the minimum patched version for the branch you use),
regenerate composer.lock, rebuild any CI images, and ensure your CI runners use
the updated lockfile; additionally verify CI workspace/volume permissions to
prevent artifact injection between jobs as a defense-in-depth measure.
updated-packages.txt (1)

9-9: laravel/boost v1→v2 is a major version bump — verify PHP 8.2+ and Laravel 11.x+ compatibility before merging.

Boost 2.0 introduced a major architectural shift with its new "Skills" system, moving guidelines into modular, syncable skills and reworking how package-specific knowledge is loaded. Additionally, v2.2.0 (the target version) restructures Inertia guidelines into versioned paths (e.g., .ai/inertia-laravel/1/ and .ai/inertia-laravel/2/).

Breaking prerequisites:

  • PHP 8.2+ (PHP 8.1 support dropped)
  • Laravel 11.x+ (Laravel 10 support dropped)
  • If the project uses third-party packages that integrate with Boost, ensure they declare support for Boost 2.x

No custom Boost agent implementations were found in the codebase, so focus on verifying the PHP and Laravel version requirements.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@updated-packages.txt` at line 9, The dependency bump to laravel/boost v2.2.0
is a major change requiring PHP 8.2+ and Laravel 11.x+ compatibility; update our
project constraints (composer.json require for "php" and "laravel/framework"/app
composer constraints) to ensure PHP >=8.2 and Laravel >=11, run CI matrix/local
PHP/Laravel tests, and fix or reject the upgrade if tests fail. Also search for
any code/config that expects Boost v1 behavior (references to "boost"
integration or custom Boost agents) and update usages to the new Skills system
and versioned guideline paths (e.g., `.ai/inertia-laravel/1/` →
`.ai/inertia-laravel/2/`), and verify third‑party packages that claim Boost
integration declare support for Boost 2.x. Ensure changelog/developer docs note
the requirement changes before merging.

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ba54801 and 66865b7.

⛔ Files ignored due to path filters (1)
  • composer.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • audit-report.json
  • updated-packages.txt

filament/filament: v5.0.0 → v5.2.2
laravel/framework: v12.47.0 → v12.52.0
spatie/laravel-permission: 6.24.0 → 6.24.1
barryvdh/laravel-debugbar: v3.16.3 → v4.0.9

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# 1. Check if composer.json or composer.lock still references the old package name
fd -e json -e lock --max-depth=1 | xargs grep -l "barryvdh/laravel-debugbar" 2>/dev/null | head -20

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 99


🏁 Script executed:

# 2. Check if the deprecated debugbar:publish command is used anywhere
rg -rn "debugbar:publish" --type=php --type=sh

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 54


🏁 Script executed:

# 3. List the composer.json and composer.lock files to understand the project structure
git ls-files | grep -E "(composer\.json|composer\.lock)" | head -10

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 340


🌐 Web query:

barryvdh/laravel-debugbar v4 package rename fruitcake migration

💡 Result:

Laravel Debugbar v4 includes a package ownership/name change: it moved from barryvdh/laravel-debugbar → fruitcake/laravel-debugbar, and upgrading is treated as a remove + install migration (not an in-place update). [1][4]

Composer migration (recommended)

composer remove barryvdh/laravel-debugbar --dev --no-scripts
composer require fruitcake/laravel-debugbar --dev --with-dependencies

[1][2][4]

What you may need to change in your app

  • If you referenced classes directly, update namespaces to Fruitcake\LaravelDebugbar (v4 moved away from the old structure). [1]
  • Review/republish and compare config/debugbar.php because v4 updates/removes some config options. [1]
  • Be aware of removals in v4 (notably socket storage and Lumen support). [1][2]

Notes about “replace” / compatibility

  • The new package explicitly says you can “safely replace” the old name, and it declares it replaces barryvdh/laravel-debugbar on Packagist (helpful for dependency resolution). [3][4]

Sources: Laravel News (v4 announcement + migration commands) [1], v4 release notes referencing the rename/migration + upgrade guide [2], Packagist metadata (“replaces”) [3], Fruitcake release post (“safely replace”) [4].


🏁 Script executed:

# Check the root composer.json for package references
cat -n composer.json | grep -A 5 -B 5 "barryvdh\|fruitcake\|debugbar" || echo "No debugbar-related packages found in composer.json"

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 550


🏁 Script executed:

# Check if composer.lock contains the old package name
grep -E "barryvdh/laravel-debugbar|fruitcake/laravel-debugbar" composer.lock || echo "No debugbar packages found in composer.lock"

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 495


🏁 Script executed:

# Search for any references to publish commands in PHP or shell files (deployment scripts, setup files)
rg -rn "publish" --type=php --type=sh | grep -i "debugbar\|artisan" | head -20

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 54


🏁 Script executed:

# Check for any configuration or setup files that might reference the deprecated command
fd -e php -e sh -e yaml | xargs grep -l "publish" 2>/dev/null | head -10

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 624


barryvdh/laravel-debugbar has been renamed to fruitcake/laravel-debugbar in v4 — update composer.json.

The composer.json currently declares "barryvdh/laravel-debugbar": ">=3.16", but the package was officially renamed. Although composer.lock shows v4.0.9 pulling from the new fruitcake/laravel-debugbar repository, composer.json must be updated to reference the new package name.

Run: composer remove barryvdh/laravel-debugbar --dev --no-scripts && composer require fruitcake/laravel-debugbar --dev --with-dependencies

After upgrading:

  • Update namespaces to Fruitcake\LaravelDebugbar if you reference classes directly
  • Review config/debugbar.php — v4 updates config options
  • Socket storage and Lumen support have been removed in v4

Also applies to: 59-60 (php-debugbar v2 → v3 and new symfony-bridge transient dependency)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@updated-packages.txt` at line 7, Update composer.json to replace the old
package name "barryvdh/laravel-debugbar" with the new
"fruitcake/laravel-debugbar" and run the migration commands: remove the old dev
package and require the new one as described (use composer remove
barryvdh/laravel-debugbar --dev --no-scripts && composer require
fruitcake/laravel-debugbar --dev --with-dependencies). After installing, search
your codebase for any direct references to the old namespace/class names and
update them to Fruitcake\LaravelDebugbar, and review config/debugbar.php for v4
changes (socket storage and Lumen support removed) to adjust any deprecated
options; also be aware php-debugbar and symfony-bridge version shifts mentioned
in the note and adjust dependency references if needed.
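The review above asserts that the phpunit bump to 11.5.55 "lands outside the vulnerable range". A practitioner merging a security-patch PR would want to confirm that mechanically rather than by reading version numbers. The following is an added example, not code from this PR or from the InvoicePlane project: a Python check that reads lines in the `package: old → new` format of updated-packages.txt and evaluates each advisory's Composer-style `affectedVersions` constraint against both the old and the new version, so a bump that stays inside an advisory range is flagged. The phpunit range is assembled from the fixed versions the review quotes (8.5.52, 9.6.33, 10.5.62, 11.5.50, 12.5.8); its lower bounds, and the psy/psysh and symfony/process entries, are assumed placeholders, since the page names those packages but not their ranges. The advisory map shape follows what `composer audit --format=json` emits; the version comparator is a deliberate simplification that ignores pre-release suffixes.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the `package: old → new` format of the PR's
# updated-packages.txt; only the packages relevant to the audit are listed.
UPDATED_PACKAGES = """\
phpunit/phpunit: 11.5.48 → 11.5.55
psy/psysh: v0.12.18 → v0.12.20
symfony/process: v7.4.3 → v7.4.5
laravel/framework: v12.47.0 → v12.52.0
"""

# Constructed advisory map in the package-keyed shape that
# `composer audit --format=json` emits. The phpunit range is assembled from
# the fixed versions quoted in the review (8.5.52, 9.6.33, 10.5.62, 11.5.50,
# 12.5.8); its lower bounds are assumed. The psy/psysh and symfony/process
# entries are placeholders: the page names the packages, not their ranges.
ADVISORIES: Dict[str, List[dict]] = {
    "phpunit/phpunit": [{
        "cve": "CVE-2026-24765",
        "severity": "high",
        "affectedVersions": (">=8.5.0,<8.5.52|>=9.6.0,<9.6.33|>=10.5.0,<10.5.62"
                             "|>=11.5.0,<11.5.50|>=12.5.0,<12.5.8"),
    }],
    "psy/psysh": [{"cve": "CVE-PLACEHOLDER-PSYSH", "severity": "medium",
                   "affectedVersions": "<0.12.19"}],
    "symfony/process": [{"cve": "CVE-PLACEHOLDER-PROCESS", "severity": "medium",
                         "affectedVersions": ">=7.4.0,<7.4.5"}],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'v11.5.55' into a comparable tuple padded to four components.
    Pre-release suffixes such as '-beta1' are ignored (simplification)."""
    nums: List[int] = []
    for part in re.split(r"[.\-+]", v.strip().lstrip("v")):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums + [0] * (4 - len(nums)))


_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b, "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
}
_TERM = re.compile(r"^(>=|<=|!=|==|>|<|=)?v?([0-9][0-9A-Za-z.\-+]*)$")


def satisfies(version: str, constraint: str) -> bool:
    """True if `version` lies inside the Composer-style `constraint`: OR groups
    are separated by '|' or '||', AND terms inside a group by ',' or space."""
    ver = parse_version(version)
    for group in re.split(r"\|\|?", constraint):
        terms = [t for t in re.split(r"[,\s]+", group.strip()) if t]
        if not terms:
            continue
        for term in terms:
            m = _TERM.match(term)
            if not m:
                raise ValueError(f"unsupported constraint term: {term!r}")
            if not _OPS[m.group(1) or "=="](ver, parse_version(m.group(2))):
                break  # this AND group fails; try the next OR group
        else:
            return True  # every term in the group held
    return False


_LINE = re.compile(r"^\s*([\w.\-]+/[\w.\-]+):\s*(\S+)\s*→\s*(\S+)\s*$")


def parse_updates(text: str) -> Dict[str, Tuple[str, str]]:
    """Map package name -> (old, new) from updated-packages.txt style lines."""
    updates: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            updates[m.group(1)] = (m.group(2), m.group(3))
    return updates


def check_updates(text: str, advisories: Dict[str, List[dict]]) -> List[dict]:
    """One finding per advisory: was the old version affected, and is the new
    one still? Advisories for packages absent from the update list are
    reported as well, because an unpatched package is the case to catch."""
    updates = parse_updates(text)
    findings = []
    for pkg, advs in advisories.items():
        for adv in advs:
            finding = {"package": pkg, "cve": adv["cve"], "severity": adv["severity"]}
            if pkg not in updates:
                finding["status"] = "not-in-update-list"
            else:
                old, new = updates[pkg]
                new_hit = satisfies(new, adv["affectedVersions"])
                finding.update(
                    old_version=old, new_version=new,
                    old_affected=None if old == "(new)" else satisfies(old, adv["affectedVersions"]),
                    new_affected=new_hit,
                    status="still-affected" if new_hit else "patched",
                )
            findings.append(finding)
    return findings


def still_affected(text: str, advisories: Dict[str, List[dict]]) -> List[str]:
    """Packages whose new version is still inside an advisory range."""
    return sorted({f["package"] for f in check_updates(text, advisories)
                   if f.get("status") == "still-affected"})


if __name__ == "__main__":
    for finding in check_updates(UPDATED_PACKAGES, ADVISORIES):
        print(finding)
    print("still affected:", still_affected(UPDATED_PACKAGES, ADVISORIES))
```

Running it against the constructed sample reports every advisory as `patched`; feeding it a hypothetical bump to 11.5.49 instead returns phpunit/phpunit as still affected, which is the outcome a merge gate should block on. The same check works on the real audit-report.json once its `advisories` object is loaded in place of the constructed map.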
