🚨 [security] [server] Update kalnoy/nestedset: 4.3.3 → 4.3.5 (patch)

[depfu]

---

Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

---

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ kalnoy/nestedset (4.3.3 → 4.3.5) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ laravel/framework (5.7.20 → 5.7.29) · Repo

Sorry, we couldn't find anything useful about this release.

✳️ laravel/passport (7.0.5 → 7.5.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ spatie/laravel-medialibrary (7.5.5 → 7.18.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ defuse/php-encryption (indirect, 2.2.1 → 2.3.1) · Repo

Release Notes

2.3.1

Misc. minor improvements

2.3.0

Miscellaneous minor bugfixes. Note that the signing public key has changed, see the README on GitHub for the new public key fingerprint, and for the location of the new key signed by the old key.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ doctrine/inflector (indirect, 1.3.0 → 1.4.4) · Repo

Release Notes

1.4.4

Release Notes for 1.4.4

1.4.4

• Total issues resolved: 0

• Total pull requests resolved: 1

• Total contributors: 1

• 186: Reintroduce PHP 7.1 to old 1.4 compatibilty branch thanks to @beberlei

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ doctrine/lexer (indirect, 1.0.1 → 1.2.1) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ dragonmantank/cron-expression (indirect, 2.2.0 → 2.3.1) · Repo · Changelog

Release Notes

2.3.1

[2.3.1] - 2020-10-12

Added

• Added support for PHP 8 (#92)

Changed

• N/A

Fixed

• N/A

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ egulias/email-validator (indirect, 2.1.7 → 3.1.1) · Repo · Changelog

Release Notes

3.1.1

Fixed by #297

3.0.0

EmailValidator v3 Changelog

New Features

• Access to local part and domain part from EmailParser
• Validations outside of the scope of the RFC will be considered "extra" validations, thus opening the door for adding new; will live in their own folder "extra" (as requested in #248, #195, #183).

Breacking changes

• PHP version upgraded to match Symfony's (as of 12/2020).
• DNSCheckValidation now fails for missing MX records. While the RFC argues that the existence of only A records to be valid, starting in v3 they will be considered invalid.
• Emails domain part are now intenteded to be RFC 1030 compliant, rendering previous valid emails (e.g example@examp&) invalid.

PHP versions upgrade policy

PHP version upgrade requirement will happen via MINOR (3.x) version upgrades of the library, following the adoption level by major frameworks.

Changes

• #235
• #215
• #130
• #258
• #188
• #181
• #217
• #214
• #249
• #236
• #257
• #210

Thanks

To contributors, be it with PRs, reporting issues or supporting otherwise.

2.1.23

Fixes #215

2.1.22

Fixes

• #217
• #214

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ erusev/parsedown (indirect, 1.7.1 → 1.7.4) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ firebase/php-jwt (indirect, 5.0.0 → 5.3.0) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ guzzlehttp/guzzle (indirect, 6.3.3 → 6.5.5) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ guzzlehttp/promises (indirect, 1.3.1 → 1.4.1) · Repo · Changelog

Release Notes

1.4.1

See change log for changes.

1.4.0

See change log for changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ guzzlehttp/psr7 (indirect, 1.5.2 → 1.8.2) · Repo · Changelog

Release Notes

1.8.2

See change log for changes.

1.8.0

See change log for changes.

1.7.0

See change log for changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ intervention/image (indirect, 2.4.2 → 2.5.1) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ lcobucci/jwt (indirect, 3.2.5 → 3.4.5) · Repo

Release Notes

3.4.5

Release Notes for 3.4.5

This release fixes an issue with the compatibility layer that disallowed us to use composer's classmap-authoritative autoload.

3.4.5

• Total issues resolved: 1
• Total pull requests resolved: 1
• Total contributors: 1

Bug

• 667: Support composer classmap-authoritative option thanks to @fyrye

3.4.4

Release Notes for 3.4.4

This release fixes a gap on our forward compatibility layer with v4 for multiple audience support, improving the documentation to state how users can migrate their code.

3.4.4

• Total issues resolved: 0
• Total pull requests resolved: 2
• Total contributors: 2

Bug

• 656: Fix forward compatibility layer gap for audience claim thanks to @lcobucci

Documentation,Improvement

• 630: Improve deprecation for aud claims thanks to @SvenRtbg

3.4.3

• Total issues resolved: 0
• Total pull requests resolved: 2
• Total contributors: 2

Bug

• 635: Token must expire the exact time of "exp" claim thanks to @Slamdunk

Documentation

• 634: Fix argument name in @param annotation of OpenSSL#doVerify() thanks to @chalasr

3.4.1

This release fixes a bug and a BC-break introduced in v3.4.0.

• Total issues resolved: 1
• Total pull requests resolved: 2
• Total contributors: 2

Bug

• 562: Fix validation of the audience claim on the new API thanks to @b-water

BC-break

• 561: Remove RegisteredClaimGiven exception in favour of deprecation message for withClaim thanks to @Spomky

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ league/flysystem (indirect, 1.0.49 → 1.1.3) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ league/glide (indirect, 1.4.0 → 1.7.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ league/oauth2-server (indirect, 7.3.2 → 7.4.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ maennchen/zipstream-php (indirect, 0.5.2 → 1.2.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ monolog/monolog (indirect, 1.24.0 → 1.26.1) · Repo · Changelog

Release Notes

1.26.1

• Fixed PHP 8.1 deprecation warning

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nesbot/carbon (indirect, 1.36.2 → 1.39.1) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ nexmo/client (indirect, 1.6.0 → 1.9.1) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nikic/php-parser (indirect, 4.2.0 → 4.10.5) · Repo · Changelog

Release Notes

4.10.5

Added

• [PHP 8.1] Added support for enums. These are represented using the Stmt\Enum_ and Stmt\EnumCase nodes.
• [PHP 8.1] Added support for never type. This type will now be returned as an Identifier rather than Name.
• Added ClassConst builder.

Changed

• Non-UTF-8 code units in strings will now be hex-encoded.

Fixed

• Fixed precedence of arrow functions.

4.10.4

Fixed

• Fixed position information for variable-variables (#741).
• Fixed position information for traits/interfaces preceded by if statement (#738).

4.10.3

Fixed

• Fixed formatting-preserving pretty printing for "{$x}".
• Ternary expressions are now treated as non-associative in the pretty printer, in order to generate code that is compatible with the parentheses requirement introduced in PHP 8.
• Removed no longer necessary error_clear_last() call in lexer, which may interfere with fatal error handlers if invoked during shutdown.

4.10.2

Fixed

• Fixed check for token emulation conflicts with other libraries.

4.10.1

Added

• Added support for recovering from a missing semicolon after a property or class constant declaration.

Fixed

• Fix spurious whitespace in formatting-preserving pretty printer when both removing and adding elements at the start of a list.
• Fix incorrect case-sensitivity in keyword token emulation.

4.10.0

Added

• [PHP 8.0] Added support for attributes. These are represented using a new AttributeGroup node containing Attribute nodes. A new attrGroups subnode is available on all node types that support attributes, i.e. Stmt\Class_, Stmt\Trait_, Stmt\Interface_, Stmt\Function_, Stmt\ClassMethod, Stmt\ClassConst, Stmt\Property, Expr\Closure, Expr\ArrowFunction and Param.
• [PHP 8.0] Added support for nullsafe properties inside interpolated strings, in line with an upstream change.

Fixed

• Improved compatibility with other libraries that use forward compatibility defines for PHP tokens.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ opis/closure (indirect, 3.1.3 → 3.6.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ php-http/promise (indirect, 1.0.0 → 1.1.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ phpdocumentor/reflection-common (indirect, 1.0.1 → 2.2.0) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ phpdocumentor/reflection-docblock (indirect, 4.3.0 → 4.3.4) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ phpdocumentor/type-resolver (indirect, 0.4.0 → 1.4.0) · Repo

Release Notes

1.4.0

Added

• Improved Pseudo type support #113, thanks to @mvriel

Deprecated

• phpDocumentor\Reflection\Types\False_ is replaced by \phpDocumentor\Reflection\PseudoTypes\False_ will be removed in v2
• phpDocumentor\Reflection\Types\True_ is replaced by \phpDocumentor\Reflection\PseudoTypes\True_ will be removed in v2

Fixed

• fix parsing tokens #114, thanks to @xabbuh

Removed

• Nothing

Security

• Nothing

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ phpseclib/phpseclib (indirect, 2.0.13 → 2.0.32) · Repo · Changelog

Security Advisories 🚨

🚨 Improper Certificate Validation in phpseclib

phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification.

Release Notes

2.0.32

• SSH2: add getAuthMethodsToContinue() method (#1648)
• SSH2: timeout would occasionally infinitely loop
• SSH2: fix PHP7.4 errors about accessing bool as string (#1656)
• SSH2: fix issue with key re-exchange (#1644)
• SFTP: reopen channel on channel closure (#1654)
• X509: extra characters before cert weren't being removed (#1659)
• ASN1: fix timezone issue when non-utc time is given (#1562)
• RSA: OAEP decryption didn't check labels correctly (#1669)

2.0.31

• X509: always parse the first cert of a bundle (#1568)
• SSH2: behave like putty with broken publickey auth (#1572)
• SSH2: don't close channel on unexpected response to channel request (#1631)
• RSA: support keys with PSS algorithm identifier (#1584)
• RSA: cleanup RSA PKCS#1 v1.5 signature verification (CVE-2021-30130)
• SFTP/Stream: make it so you can write past the end of a file (#1618)
• SFTP: fix undefined index notice in stream touch() (#1615)
• SFTP: digit only filenames were converted to integers by php (#1623)
• BigInteger: fix issue with toBits on 32-bit PHP 8 installs
• Crypt: use a custom error handler for mcrypt to avoid deprecation errors

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ psr/container (indirect, 1.0.0 → 1.1.1) · Repo

Release Notes

1.1.1

Removed

• This release removes the extension of Throwable by Psr\Container\ContainerInterface, as it leads to inheritance issues when child classes implement the Throwable interface in addition to ContainerInterface under PHP versions prior to 7.4.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ psr/log (indirect, 1.1.0 → 1.1.4) · Repo

Release Notes

1.1.4

• Fixed type annotations on AbstractLogger and LoggerAwareTrait

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ralouphie/getallheaders (indirect, 2.0.5 → 3.0.3) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ramsey/uuid (indirect, 3.8.0 → 3.9.3) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sebastian/diff (indirect, 3.0.1 → 3.0.3) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ spatie/image (indirect, 1.5.2 → 1.10.5) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ spatie/image-optimizer (indirect, 1.1.3 → 1.4.0) · Repo · Changelog

Release Notes

1.4.0

• use --skip-if-larger pngquant option by default (#140)

1.3.2

• improve gifsicle (#131)

1.3.1

• fix empty string setBinaryPath() (#129)

1.3.0

• support PHP 8.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ spatie/pdf-to-image (indirect, 1.8.1 → 1.2.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ spatie/temporary-directory (indirect, 1.1.4 → 1.3.0) · Repo · Changelog

Release Notes

1.3.0

• add support for PHP 8.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ swiftmailer/swiftmailer (indirect, 6.1.3 → 6.2.7) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ symfony/console (indirect, 4.2.2 → 4.4.25) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ symfony/css-selector (indirect, 4.2.2 → 5.3.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ symfony/debug (indirect, 4.2.2 → 4.4.25) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ symfony/event-dispatcher (indirect, 4.2.2 → 4.4.25) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ symfony/finder (indirect, 4.2.2 → 4.4.25) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ symfony/http-foundation (indirect, 4.2.2 → 4.4.25) · Repo · Changelog

Security Advisories 🚨

🚨 Exceptions displayed in non-debug configurations in Symfony

Description

When ErrorHandler renders an exception HTML page, it uses un-escaped properties from the related Exception class to render the stacktrace. The security issue comes from the fact that the stacktraces were also displayed in non-debug environments.

Resolution

The ErrorHandler class now escapes all properties coming from the related Exception, and the stacktrace is not displayed anymore in non-debug environments.

The patches for this issue are available here and here for branch 4.4.

Credits

I would like to thank Luka Sikic for reporting & Yonel Ceruto and Jérémy Derussé for fixing the issue.

🚨 Prevent cache poisoning via a Response Content-Type header in Symfony

Description

When a Response does not contain a Content-Type header, Symfony falls back to the format defined in the Accept header of the request, leading to a possible mismatch between the response's content and Content-Type header. When the response is cached, this can lead to a corrupted cache where the cached format is not the right one.

Resolution

Symfony does not use the Accept header anymore to guess the Content-Type.

The patch for this issue is available here for the 4.4 branch.

Credits

I would like to thank Xavier Lacot from JoliCode for reporting & Yonel Ceruto and Tobias Schultze for fixing the issue.

🚨 Argument injection in a MimeTypeGuesser in Symfony

An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).

🚨 Argument injection in a MimeTypeGuesser in Symfony

An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).

🚨 Invalid HTTP method overrides allow possible XSS or other attacks in Symfony

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation.

Release Notes

4.4.25

Changelog (v4.4.24...v4.4.25)

• no significant changes

4.4.15

Changelog (v4.4.14...v4.4.15)

• no changes

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ symfony/http-kernel (indirect, 4.2.2 → 4.4.25) · Repo · Changelog

Security Advisories 🚨

🚨 RCE in Symfony

Description

The CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible.

Resolution

HTTP headers designed for internal use in HttpCache are now stripped from remote responses before being passed to HttpCache.

The patch for this issue is available here for the 4.4 branch.

Credits

I would like to thank Matthias Pigulla (webfactory GmbH) for reporting and fixing the issue.

Release Notes

4.4.25

Changelog (v4.4.24...v4.4.25)

• no significant changes

4.4.23

Changelog (v4.4.22...v4.4.23)

• no significant changes

4.4.22

Changelog (v4.4.21...v4.4.22)

• no significant changes

4.4.21

Changelog (v4.4.20...v4.4.21)

• bug #40535 ConfigDataCollector to return known data without the need of a Kernel (topikito)

4.4.20

Changelog (v4.4.19...v4.4.20)

• bug #40231 Configure session.cookie_secure earlier (tamcy)
• bug #40104 Silence failed deprecations logs writes (fancyweb)

4.4.19

Changelog (v4.4.18...v4.4.19)

• bug #39944 Configure the ErrorHandler even when it is overriden (nicolas-grekas)
• bug #39797 Dont allow unserializing classes with a destructor (jderusse)

4.4.18

Changelog (v4.4.17...v4.4.18)

• bug #39220 Fix bug with whitespace in Kernel::stripComments() (ausi)

4.4.17

Changelog (v4.4.16...v4.4.17)

• bug #38910 Fix session initialized several times (jderusse)
• bug #38894 Remove Symfony 3 compatibility code (derrabus)

4.4.16

Changelog (v4.4.15...v4.4.16)

• no changes

4.4.15

Changelog (v4.4.14...v4.4.15)

• no changes

4.4.14

Changelog (v4.4.13...v4.4.14)

• bug #38212 Do not override max_redirects option in HttpClientKernel (dmolineus)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ symfony/polyfill-ctype (indirect, 1.10.0 → 1.23.0) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ symfony/polyfill-mbstring (indirect, 1.10.0 → 1.23.0) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ symfony/polyfill-php72 (indirect, 1.10.0 → 1.23.0) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ symfony/process (indirect, 4.2.2 → 4.4.25) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ symfony/psr-http-message-bridge (indirect, 1.1.0 → 1.3.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ symfony/routing (indirect, 4.2.2 → 4.4.25) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ symfony/translation (indirect, 4.2.2 → 4.4.25) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ symfony/var-dumper (indirect, 4.2.2 → 4.4.25) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tijsverkoyen/css-to-inline-styles (indirect, 2.2.1 → 2.2.3) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ vlucas/phpdotenv (indirect, 2.5.2 → 2.6.7) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ webmozart/assert (indirect, 1.4.0 → 1.10.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ zendframework/zend-diactoros (indirect, 1.8.6 → 2.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 kylekatarnls/update-helper (added, 1.2.1)

🆕 league/mime-type-detection (added, 1.7.0)

🆕 myclabs/php-enum (added, 1.8.0)

🆕 nexmo/client-core (added, 1.8.1)

🆕 psr/http-factory (added, 1.0.1)

🆕 symfony/deprecation-contracts (added, 2.4.0)

🆕 symfony/error-handler (added, 4.4.25)

🆕 symfony/event-dispatcher-contracts (added, 1.1.9)

🆕 symfony/http-client-contracts (added, 2.4.0)

🆕 symfony/mime (added, 5.3.2)

🆕 symfony/polyfill-iconv (added, 1.23.0)

🆕 symfony/polyfill-intl-idn (added, 1.23.0)

🆕 symfony/polyfill-intl-normalizer (added, 1.23.0)

🆕 symfony/polyfill-php73 (added, 1.23.0)

🆕 symfony/polyfill-php80 (added, 1.23.0)

🆕 symfony/service-contracts (added, 2.4.0)

🆕 symfony/translation-contracts (added, 2.4.0)

🗑️ symfony/contracts (removed)

🗑️ laravel/envoy (removed)

🗑️ nategood/httpful (removed)

---

👉 No CI detected

You don't seem to have any Continuous Integration service set up!

Without a service that will test the Depfu branches and pull requests, we can't inform you if incoming updates actually work with your app. We think that this degrades the service we're trying to provide down to a point where it is more or less meaningless.

This is fine if you just want to give Depfu a quick try. If you want to really let Depfu help you keep your app up-to-date, we recommend setting up a CI system:

• Circle CI, Semaphore and Travis-CI are all excellent options.
• If you use something like Jenkins, make sure that you're using the Github integration correctly so that it reports status data back to Github.
• If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you don’t want it to run on every branch, you can whitelist branches starting with depfu/.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)