Skip to content

Update dependency phpunit/phpunit to v13 [SECURITY]#29

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/packagist-phpunit-phpunit-vulnerability
Open

Update dependency phpunit/phpunit to v13 [SECURITY]#29
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/packagist-phpunit-phpunit-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Jan 28, 2026
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
phpunit/phpunit (source) ^6 || ^7^6 || ^7 || ^13 age confidence

PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling

CVE-2026-24765 / GHSA-vvj3-c3rp-c85p

More information

Details

Overview

A vulnerability has been discovered involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the cleanupForCoverage() method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious .coverage files are present prior to the execution of the PHPT test.

Technical Details

Affected Component: PHPT test runner, method cleanupForCoverage()
Affected Versions: <= 8.5.51, <= 9.6.32, <= 10.5.61, <= 11.5.49, <= 12.5.7

Vulnerable Code Pattern
if ($buffer !== false) {
    // Unsafe call without restrictions
    $coverage = @&#8203;unserialize($buffer);
}

The vulnerability occurs when a .coverage file, which should not exist before test execution, is deserialized without the allowed_classes parameter restriction. An attacker with local file write access can place a malicious serialized object with a __wakeup() method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled.

Attack Prerequisites and Constraints

This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through:

  • CI/CD Pipeline Attacks: A malicious pull request that places a .coverage file alongside test files, executed when the CI system runs tests using PHPUnit and collects code coverage information
  • Local Development Environment: An attacker with shell access or ability to write files to the project directory
  • Compromised Dependencies: A supply chain attack inserting malicious files into a package or monorepo

Critical Context: Running test suites from unreviewed pull requests without isolated execution is inherently a code execution risk, independent of this specific vulnerability. This represents a broader class of Poisoned Pipeline Execution (PPE) attacks affecting CI/CD systems.

Proposed Remediation Approach

Rather than just silently sanitizing the input via ['allowed_classes' => false], the maintainer has chosen to make the anomalous state explicit by treating pre-existing .coverage files for PHPT tests as an error condition.

Rationale for Error-Based Approach:
  1. Visibility Over Silence: When an invariant is violated (a .coverage file existing before test execution), the error must be visible in CI/CD output, alerting operators to investigate the root cause rather than proceeding with sanitized input
  2. Operational Security: A .coverage file should never exist before tests run, coverage data is generated by executing tests, not sourced from artifacts. Its presence indicates:
    • A malicious actor placed it intentionally
    • Build artifacts from a previous run contaminated the environment
    • An unexpected filesystem state requiring investigation
  3. Defense-in-Depth Principle: Protecting a single deserialization call does not address the fundamental attack surface. Proper mitigations for PPE attacks lie outside PHPUnit's scope:
    • Isolate CI/CD runners (ephemeral, containerized environments)
    • Restrict code execution on protected branches
    • Scan pull requests and artifacts for tampering
    • Use branch protection rules to prevent unreviewed code execution
Severity Classification
  • Attack Vector (AV): Local (L) — requires write access to the file system where tests execute
  • Attack Complexity (AC): Low (L) — exploitation is straightforward once the malicious file is placed
  • Privileges Required (PR): Low (L) — PR submitter status or contributor role provides sufficient access
  • User Interaction (UI): None (N) — automatic execution during standard test execution
  • Scope (S): Unchanged (U) — impact remains within the affected test execution context
  • Confidentiality Impact (C): High (H) — full remote code execution enables complete system compromise
  • Integrity Impact (I): High (H) — arbitrary code execution allows malicious modifications
  • Availability Impact (A): High (H) — full code execution permits denial-of-service actions
Mitigating Factors (Environmental Context)

Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration:

  • Ephemeral Runners: Use containerized, single-use CI/CD runners that discard filesystem state between runs
  • Code Review Enforcement: Require human review and approval before executing code from pull requests
  • Branch Protection: Enforce branch protection rules that block unreviewed code execution
  • Artifact Isolation: Separate build artifacts from source; never reuse artifacts across independent builds
  • Access Control: Limit file write permissions in CI environments to authenticated, trusted actors
Fixed Behaviour

When a .coverage file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. This ensures:

  • Visibility: The error appears prominently in CI/CD output and test logs
  • Investigation: Operations teams can investigate the root cause (potential tampering, environment contamination)
  • Fail-Fast Semantics: Test execution stops rather than proceeding with an unexpected state
Recommendation

Update to the patched version immediately if a project runs PHPT tests using PHPUnit with coverage instrumentation in any CI/CD environment that executes code from external contributors. Additionally, audit the project's CI/CD configuration to ensure:

  • Pull requests from forks or untrusted sources execute in isolated environments
  • Branch protection rules require human review before code execution
  • CI/CD runners are ephemeral and discarded after each build
  • Build artifacts are not reused across independent runs without validation

Severity

  • CVSS Score: 7.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

sebastianbergmann/phpunit (phpunit/phpunit)

v13.1.7: PHPUnit 13.1.7

Compare Source

Changed
  • Pass LIBXML_NONET when parsing/validating XML configuration files to make explicit that no network I/O is performed
  • Verify the result file written by an isolated child process with a random nonce before deserializing it

Learn how to install or update PHPUnit 13.1 in the documentation.

Keep up to date with PHPUnit:

v13.1.6: PHPUnit 13.1.6

Compare Source

Fixed
  • #​6590: Silent failure when configuration file is invalid
  • #​6592: INI metacharacters ; and " are not preserved when forwarding settings to child processes

Learn how to install or update PHPUnit 13.1 in the documentation.

Keep up to date with PHPUnit:

v13.1.5: PHPUnit 13.1.5

Compare Source

Fixed
  • #​5860: PHP CLI -d settings are not forwarded to child processes for process isolation
  • #​6451: Incomplete version in RequiresPhp (e.g. <=8.5) is compared against full PHP version, causing unexpected skips
  • #​6589: dataSetAsStringWithData() raises "float is not representable as int" warning for large floats in data sets

Learn how to install or update PHPUnit 13.1 in the documentation.

Keep up to date with PHPUnit:

v13.1.4: PHPUnit 13.1.4

Compare Source

Fixed
  • #​5993: DefaultJobRunner deadlocks on child processes that write large amounts of stderr output
  • #​6465: SAPI-populated $_SERVER entries leak from parent into child process
  • #​6587: failOnEmptyTestSuite="false" in phpunit.xml is ignored when --group/--filter/--testsuite matches no tests
  • #​6588: Order of issue baseline entries is not canonicalized

Learn how to install or update PHPUnit 13.1 in the documentation.

Keep up to date with PHPUnit:

v13.1.3: PHPUnit 13.1.3

Compare Source

Fixed
  • Regression in XML configuration migration introduced in PHPUnit 12.5.8

Learn how to install or update PHPUnit 13.1 in the documentation.

Keep up to date with PHPUnit:

v13.1.2: PHPUnit 13.1.2

Compare Source

Fixed
  • #​4571: No warning when --random-order-seed is used when test execution order is not random
  • #​4975: --filter does not work when filter string starts with #
  • #​5354: JUnit XML logger does not handle TestSuiteSkipped event
  • #​6276: Exit with non-zero exit code when explicit test selection (--filter, --group, --testsuite) yields no tests
  • #​6583: Failing output expectation skips tearDown() and handler restoration, causing subsequent tests to be marked as risky

Learn how to install or update PHPUnit 13.1 in the documentation.

Keep up to date with PHPUnit:

v13.1.1: PHPUnit 13.1.1

Compare Source

Changed
  • #​3676: Include class/interface name in mock object expectation failure messages
  • #​4793: Exit with non-zero exit code when exit was called from some test
Fixed
  • #​5881: colors="true" in XML configuration file does not unconditionally enable colored output
  • #​6019: --migrate-configuration does not update schema location when XML content already validates against current schema
  • #​6372: Assertion failure inside willReturnCallback() is silently swallowed when code under test catches exceptions
  • #​6464: Process isolation template unconditionally calls set_include_path()
  • #​6571: Static analysis errors for TestDoubleBuilder method chaining

Learn how to install or update PHPUnit 13.1 in the documentation.

Keep up to date with PHPUnit:

v13.1.0: PHPUnit 13.1.0

Compare Source

Added
  • #​6501: Include unexpected output in Open Test Reporting (OTR) XML logfile
  • #​6517: includeInCodeCoverage attribute for <directory> and <file> children of <source>
  • #​6523: Include #[Group] information in Open Test Reporting (OTR) XML logfile
  • #​6524: Report issues in Open Test Reporting (OTR) XML logfile
  • #​6526: Introduce #[DataProviderClosure] for static closures
  • #​6530: Support for custom issue trigger resolvers that can be configured using <issueTriggerResolvers> in the XML configuration file
  • #​6547: Support for %r...%r in EXPECTF section
  • Support for configuring HTML code coverage report options (colors, thresholds, custom CSS) in XML configuration file without requiring an outputDirectory attribute, allowing the output directory to be specified later with the --coverage-html CLI option
  • Support for configuring dark mode colors, progress bar colors, and breadcrumb colors for HTML code coverage reports in the XML configuration file
Changed
  • #​6557: Improve failure description for StringMatchesFormatDescription constraint which is used by assertFileMatchesFormat(), assertFileMatchesFormatFile(), assertStringMatchesFormat(), assertStringMatchesFormatFile(), and EXPECTF sections of PHPT test files
  • The HTML code coverage report now uses a more colorblind-friendly blue/amber/orange palette by default
  • Extracted PHPUnit\Runner\Extension\Facade from a concrete class to an interface and introduced an internal ExtensionFacade implementation, so that extensions only depend on the Facade interface while PHPUnit internally uses the ExtensionFacade class that also provides query methods
Deprecated
  • #​6515: Deprecate the --log-events-verbose-text <file> CLI option
  • #​6537: Soft-deprecate id() and after() for mock object expectations
Fixed
  • #​6025: FILE_EXTERNAL breaks __DIR__
  • #​6351: No warning when the same test runner extension is configured more than once
  • #​6433: Logic in TestSuiteLoader is brittle and causes "Class FooTest not found" even for valid tests in valid filenames
  • #​6463: Process Isolation fails on non-serializable globals and quietly ignore closures

Learn how to install or update PHPUnit 13.1 in the documentation.

Keep up to date with PHPUnit:

v13.0.6: PHPUnit 13.0.6

Compare Source

Changed
  • #​4440: Improve error when configured code coverage file list is empty
  • #​6549: Allow to stub both hooks of non-virtual properties
Fixed
  • #​6529: Git "detached HEAD state" in Open Test Reporting (OTR) XML logger not handled properly
  • #​6545: Stubbing a class with set property hook leaves property uninitialized by default
  • The RegularExpression and StringMatchesFormatDescription did not handle preg_match() errors such as Compilation failed: regular expression is too large

Learn how to install or update PHPUnit 13.0 in the documentation.

Keep up to date with PHPUnit:

v13.0.5: PHPUnit 13.0.5

Compare Source

Fixed
  • #​6521: Performance regression in PHPUnit 11.5.54, PHPUnit 12.5.13, and PHPUnit 13.0.4

Learn how to install or update PHPUnit 13.0 in the documentation.

Keep up to date with PHPUnit:

v13.0.4: PHPUnit 13.0.4

Compare Source

Fixed
  • #​6489: Classification of self/direct/indirect deprecation triggers is not aligned with Symfony's bridge for PHPUnit

Learn how to install or update PHPUnit 13.0 in the documentation.

Keep up to date with PHPUnit:

v13.0.3: PHPUnit 13.0.3

Compare Source

Fixed
  • #​6511: TestDox variables out of order with named arguments
  • #​6514: <ini /> can silently fail

Learn how to install or update PHPUnit 13.0 in the documentation.

Keep up to date with PHPUnit:

v13.0.2: PHPUnit 13.0.2

Compare Source

Deprecated
  • #​6505: Calling atLeast() with an argument that is not positive
  • #​6507: Support for using with*() without expects()
Fixed
  • #​6503: Temporary file used by SourceMapper may be deleted prematurely when multiple PHPUnit processes run in parallel
  • #​6509: "No expectations were configured for the mock object ..." notice is emitted when with() is used without expects()

Learn how to install or update PHPUnit 13.0 in the documentation.

Keep up to date with PHPUnit:

v13.0.1: PHPUnit 13.0.1

Compare Source

Fixed
  • #​6495: Source map for issue trigger identification is regenerated in process isolation child processes
  • #​6497: method() returns InvocationMocker instead of InvocationStubber for test stubs

Learn how to install or update PHPUnit 13.0 in the documentation.

Keep up to date with PHPUnit:

v13.0.0: PHPUnit 13.0.0

Compare Source

Added
  • #​6450: TestCase::invokeTestMethod() method for customizing test method invocation
  • #​6455: withParameterSetsInOrder() and withParameterSetsInAnyOrder() for expecting calls to the same method of a mock object but with different arguments
  • #​6466: Sealed test doubles
  • #​6468: Configuration option to require sealed mock objects
  • #​6477: assertArraysAreIdentical(), assertArraysAreIdenticalIgnoringOrder(), assertArraysHaveIdenticalValues(), assertArraysHaveIdenticalValuesIgnoringOrder(), assertArraysAreEqual(), assertArraysAreEqualIgnoringOrder(), assertArraysHaveEqualValues(), and assertArraysHaveEqualValuesIgnoringOrder() assertions
  • --test-files-file <file> CLI option to configure a file that contains the paths to the test files to be loaded (one file per line); use this when using CLI arguments is not an option due to argument length limitations
Deprecated
  • #​6461: any() matcher (hard deprecation)
Removed
  • #​6054: Assert::isType()
  • #​6057: assertContainsOnly() and assertNotContainsOnly()
  • #​6061: containsOnly()
  • #​6076: Support for PHP 8.3
  • #​6141: testClassName() method on event value objects for hook methods called for test methods
  • #​6230: Configuration::includeTestSuite() and Configuration::excludeTestSuite()
  • #​6241: --dont-report-useless-tests CLI option
  • #​6247: Support for using #[CoversNothing] on a test method
  • #​6285: #[RunClassInSeparateProcess] attribute
  • #​6356: Support for version constraint string argument without explicit version comparison operator

Learn how to install or update PHPUnit 13.0 in the documentation.

Keep up to date with PHPUnit:

v12.5.23: PHPUnit 12.5.23

Compare Source

Changed
  • Pass LIBXML_NONET when parsing/validating XML configuration files to make explicit that no network I/O is performed
  • Verify the result file written by an isolated child process with a random nonce before deserializing it

Learn how to install or update PHPUnit 12.5 in the documentation.

Keep up to date with PHPUnit:

v12.5.22

Compare Source

v12.5.21

Compare Source

v12.5.20

Compare Source

v12.5.19: PHPUnit 12.5.19

Compare Source

Fixed
  • Regression in XML configuration migration introduced in PHPUnit 12.5.8

Learn how to install or update PHPUnit 12.5 in the documentation.

Keep up to date with PHPUnit:

v12.5.18: PHPUnit 12.5.18

Compare Source

Fixed
  • #​4571: No warning when --random-order-seed is used when test execution order is not random
  • #​4975: --filter does not work when filter string starts with #
  • #​5354: JUnit XML logger does not handle TestSuiteSkipped event
  • #​6276: Exit with non-zero exit code when explicit test selection (--filter, --group, --testsuite) yields no tests
  • #​6583: Failing output expectation skips tearDown() and handler restoration, causing subsequent tests to be marked as risky

Learn how to install or update PHPUnit 12.5 in the documentation.

Keep up to date with PHPUnit:

v12.5.17: PHPUnit 12.5.17

Compare Source

Changed
  • #​4793: Exit with non-zero exit code when exit was called from some test
Fixed
  • #​5881: colors="true" in XML configuration file does not unconditionally enable colored output
  • #​6019: --migrate-configuration does not update schema location when XML content already validates against current schema
  • #​6372: Assertion failure inside willReturnCallback() is silently swallowed when code under test catches exceptions
  • #​6464: Process isolation template unconditionally calls set_include_path()
  • #​6571: Static analysis errors for TestDoubleBuilder method chaining

Learn how to install or update PHPUnit 12.5 in the documentation.

Keep up to date with PHPUnit:

v12.5.16: PHPUnit 12.5.16

Compare Source

Added
  • #​6547: Support for %r...%r in EXPECTF section
Fixed
  • #​6025: FILE_EXTERNAL breaks __DIR__
  • #​6351: No warning when the same test runner extension is configured more than once
  • #​6433: Logic in TestSuiteLoader is brittle and causes "Class FooTest not found" even for valid tests in valid filenames
  • #​6463: Process Isolation fails on non-serializable globals and quietly ignore closures

Learn how to install or update PHPUnit 12.5 in the documentation.

Keep up to date with PHPUnit:

v12.5.15: PHPUnit 12.5.15

Compare Source

Changed
  • #​4440: Improve error when configured code coverage file list is empty
  • #​6549: Allow to stub both hooks of non-virtual properties
Fixed
  • #​6529: Git "detached HEAD state" in Open Test Reporting (OTR) XML logger not handled properly
  • #​6545: Stubbing a class with set property hook leaves property uninitialized by default
  • The RegularExpression and StringMatchesFormatDescription did not handle preg_match() errors such as Compilation failed: regular expression is too large

Learn how to install or update PHPUnit 12.5 in the documentation.

Keep up to date with PHPUnit:

v12.5.14: PHPUnit 12.5.14

Compare Source

Fixed
  • #​6521: Performance regression in PHPUnit 11.5.54, PHPUnit 12.5.13, and PHPUnit 13.0.4

Learn how to install or update PHPUnit 12.5 in the documentation.

Keep up to date with PHPUnit:

v12.5.13: PHPUnit 12.5.13

Compare Source

Fixed
  • #​6489: Classification of self/direct/indirect deprecation triggers is not aligned with Symfony's bridge for PHPUnit

Learn how to install or update PHPUnit 12.5 in the documentation.

Keep up to date with PHPUnit:

v12.5.12: PHPUnit 12.5.12

Compare Source

Fixed
  • #​6511: TestDox variables out of order with named arguments
  • #​6514: <ini /> can silently fail

Learn how to install or update PHPUnit 12.5 in the documentation.

Keep up to date with PHPUnit:

v12.5.11: PHPUnit 12.5.11

Compare Source

Deprecated
  • #​6510: Deprecate using with*() on test stubs
Fixed
  • #​6503: Temporary file used by SourceMapper may be deleted prematurely when multiple PHPUnit processes run in parallel
  • #​6509: "No expectations were configured for the mock object ..." notice is emitted when with() is used without expects()

Learn how to install or update PHPUnit 12.5 in the documentation.

Keep up to date with PHPUnit:

v12.5.10: PHPUnit 12.5.10

Compare Source

Fixed
  • #​6495: Source map for issue trigger identification is regenerated in process isolation child processes

Learn how to install or update PHPUnit 12.5 in the documentation.

Keep up to date with PHPUnit:

v12.5.9: PHPUnit 12.5.9

Compare Source

Added
  • #​6488: Allow disabling issue trigger identification for improved performance
Fixed
  • #​6486: Incorrect file name reported for errors for test methods declared in traits
  • #​6490: Incorrect test count when tests are skipped in before-class method

Learn how to install or update PHPUnit 12.5 in the documentation.

Keep up to date with PHPUnit:

v12.5.8: PHPUnit 12.5.8

Compare Source

Changed
  • To prevent Poisoned Pipeline Execution (PPE) attacks using prepared .coverage files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs

Learn how to install or update PHPUnit 12.5 in the documentation.

Keep up to date with PHPUnit:

v12.5.7: PHPUnit 12.5.7

Compare Source

Fixed
  • #​6362: Manually instantiated test doubles are broken since PHPUnit 11.2
  • #​6470: Infinite recursion in Count::getCountOf() for unusal implementations of Iterator or IteratorAggregate

Learn how to install or update PHPUnit 12.5 in the documentation.

Keep up to date with PHPUnit:

v12.5.6: PHPUnit 12.5.6

Compare Source

Changed

Learn how to install or update PHPUnit 12.5 in the documentation.

Keep up to date with PHPUnit:

v12.5.5: PHPUnit 12.5.5

Compare Source

Deprecated
  • #​6461: any() matcher (soft deprecation)
Fixed
  • #​6470: Mocking a class with a property hook setter accepting more types than the property results in a fatal error

Learn how to install or update PHPUnit 12.5 in the documentation.

Keep up to date with PHPUnit:

v12.5.4: PHPUnit 12.5.4

Compare Source

Changed
  • The #[AllowMockObjectsWithoutExpectations] attribute can now be used on the method level
Fixed
  • #​6446: Test runner crashes with Timer::start() has to be called before Timer::stop()

Learn how to install or update PHPUnit 12.5 in the documentation.

Keep up to date with PHPUnit:

v12.5.3: PHPUnit 12.5.3

Compare Source

Changed
  • The message emitted when a test method creates a mock object but does not configure any expectations for it has been improved

Learn how to install or update PHPUnit 12.5 in the documentation.

Keep up to date with PHPUnit:

v12.5.2: PHPUnit 12.5.2

Compare Source

Added
  • Attribute #[AllowMockObjectsWithoutExpectations] for excluding tests from the check that emits the notice for test methods that create a mock object but do not configure an expectation for it

Learn how to install or update PHPUnit 12.5 in the documentation.

Keep up to date with PHPUnit:

v12.5.1: PHPUnit 12.5.1

Compare Source

Added
  • TestCase::getStubBuilder() (analogous to TestCase::getMockBuilder()) for creating (partial) test stubs using a fluent API

Learn how to install or update PHPUnit 12.5 in the documentation.

Keep up to date with PHPUnit:

v12.5.0: PHPUnit 12.5.0

Compare Source

Added
  • #​6376: --all CLI option to ignore test selection configured in XML configuration file
  • #​6422: Make <source> element in XML code coverage report optional
Changed
  • #​6380: Allow Throwable in expectExceptionObject()
  • A PHPUnit notice is now emitted for test methods that create a mock object but do not configure an expectation for it

Learn how to install or update PHPUnit 12.5 in the documentation.

Keep up to date with PHPUnit:

v12.4.5: PHPUnit 12.4.5

Compare Source

Changed
  • Updated list of deprecated PHP configuration settings for PHP 8.4, PHP 8.5, and PHP 8.6
Fixed
  • #​6426: Fix migration of configuration without schema location

Learn how to install or update PHPUnit 12.4 in the documentation.

Keep up to date with PHPUnit:

v12.4.4: PHPUnit 12.4.4

Compare Source

Fixed
  • #​6408: Exception in a data provider method leads to internal PHPUnit error
  • #​6410: Test runner's shutdown handler is called in system-under-test's child process

Learn how to install or update PHPUnit 12.4 in the documentation.

Keep up to date with PHPUnit:

v12.4.3: PHPUnit 12.4.3

Compare Source

Fixed
  • #​6402: Avoid reading from STDOUT when rewind() fails

Learn how to install or update PHPUnit 12.4 in the documentation.

Keep up to date with PHPUnit:

v12.4.2: PHPUnit 12.4.2

Compare Source

Changed
  • Skipped tests alone no longer lead to a yellow background for the test result summary
Fixed
  • #​6391: Errors during backup of global variables and static properties are not reported

Learn how to install or update PHPUnit 12.4 in the documentation.

Keep up to date with PHPUnit:

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from b160c76 to 1c656f2 Compare February 2, 2026 15:02
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v8 [SECURITY] Update dependency phpunit/phpunit to v12 [SECURITY] Feb 2, 2026
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 1c656f2 to d376760 Compare February 2, 2026 20:38
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v12 [SECURITY] Update dependency phpunit/phpunit to v8 [SECURITY] Feb 2, 2026
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from d376760 to dbc1fde Compare February 12, 2026 15:53
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v8 [SECURITY] Update dependency phpunit/phpunit to v13 [SECURITY] Feb 12, 2026
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from dbc1fde to 7e90f28 Compare February 12, 2026 19:03
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v13 [SECURITY] Update dependency phpunit/phpunit to v8 [SECURITY] Feb 12, 2026
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 7e90f28 to 9bdf501 Compare February 16, 2026 14:02
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v8 [SECURITY] Update dependency phpunit/phpunit to v13 [SECURITY] Feb 16, 2026
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 9bdf501 to 8b4a24f Compare February 16, 2026 17:11
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v13 [SECURITY] Update dependency phpunit/phpunit to v8 [SECURITY] Feb 16, 2026
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 8b4a24f to fe59998 Compare March 5, 2026 09:25
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v8 [SECURITY] Update dependency phpunit/phpunit to v13 [SECURITY] Mar 5, 2026
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from fe59998 to 9cb0aca Compare March 5, 2026 14:50
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v13 [SECURITY] Update dependency phpunit/phpunit to v8 [SECURITY] Mar 5, 2026
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 9cb0aca to 5843da3 Compare March 13, 2026 15:13
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v8 [SECURITY] Update dependency phpunit/phpunit to v13 [SECURITY] Mar 13, 2026
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 5843da3 to d77461f Compare March 13, 2026 20:13
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v13 [SECURITY] Update dependency phpunit/phpunit to v8 [SECURITY] Mar 13, 2026
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from d77461f to 38f77c1 Compare March 26, 2026 17:54
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v8 [SECURITY] Update dependency phpunit/phpunit to v13 [SECURITY] Mar 26, 2026
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 38f77c1 to cf35586 Compare March 26, 2026 21:56
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v13 [SECURITY] Update dependency phpunit/phpunit to v8 [SECURITY] Mar 26, 2026
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v8 [SECURITY] Update dependency phpunit/phpunit to v8 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/packagist-phpunit-phpunit-vulnerability branch March 27, 2026 01:49
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v8 [SECURITY] - autoclosed Update dependency phpunit/phpunit to v8 [SECURITY] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from d3000d0 to cf35586 Compare March 30, 2026 21:17
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from cf35586 to d3000d0 Compare March 30, 2026 21:17
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from d3000d0 to ce0d591 Compare April 8, 2026 21:40
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v8 [SECURITY] Update dependency phpunit/phpunit to v13 [SECURITY] Apr 8, 2026
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from ce0d591 to 0976d08 Compare April 9, 2026 01:59
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v13 [SECURITY] Update dependency phpunit/phpunit to v8 [SECURITY] Apr 9, 2026
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 0976d08 to aacaec1 Compare April 15, 2026 09:38
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v8 [SECURITY] Update dependency phpunit/phpunit to v13 [SECURITY] Apr 15, 2026
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from aacaec1 to 85c77ef Compare April 16, 2026 09:03
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v13 [SECURITY] Update dependency phpunit/phpunit to v8 [SECURITY] Apr 16, 2026
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 85c77ef to 37b961e Compare April 16, 2026 15:11
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v8 [SECURITY] Update dependency phpunit/phpunit to v13 [SECURITY] Apr 16, 2026
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 37b961e to 66709a6 Compare April 17, 2026 00:08
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v13 [SECURITY] Update dependency phpunit/phpunit to v8 [SECURITY] Apr 17, 2026
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 66709a6 to 694c082 Compare April 19, 2026 10:36
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v8 [SECURITY] Update dependency phpunit/phpunit to v13 [SECURITY] Apr 19, 2026
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 694c082 to 81742d5 Compare April 19, 2026 17:09
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v13 [SECURITY] Update dependency phpunit/phpunit to v12 [SECURITY] Apr 19, 2026
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 81742d5 to 44ee6cd Compare April 20, 2026 20:48
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v12 [SECURITY] Update dependency phpunit/phpunit to v8 [SECURITY] Apr 20, 2026
@renovate renovate Bot force-pushed the renovate/packagist-phpunit-phpunit-vulnerability branch from 44ee6cd to eacdcab Compare April 21, 2026 20:07
@renovate renovate Bot changed the title Update dependency phpunit/phpunit to v8 [SECURITY] Update dependency phpunit/phpunit to v13 [SECURITY] Apr 21, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants