Bump spaze/phpstan-disallowed-calls from 2.16.1 to 4.0.1 #779

Open
wants to merge 1 commit into
base: main

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Nov 14, 2024

Bumps spaze/phpstan-disallowed-calls from 2.16.1 to 4.0.1.

Release notes

Sourced from spaze/phpstan-disallowed-calls's releases.

Support both PHPStan 1.12 & 2.0

The 4.0 release removed support for PHPStan 1.x, and this release brings it back. Both PHPStan 1.12 and PHPStan 2.0 are supported (#273).

You can learn more about PHPStan 2.0 in the release notes or in the blog post and don't forget to get yourself an elephpant and a t-shirt!

Support & require PHPStan 2.0

This major release supports and requires PHPStan 2.0 (#267)

As mentioned in the UPGRADING.md guide:

It's not feasible to try to support both PHPStan 1.x and PHPStan 2.x with the same extension code.

You can learn more about PHPStan 2.0 in the release notes or in the blog post and don't forget to get yourself an elephpant and a t-shirt!

Support PHP 8.4

  • Support PHP 8.4 (#270)

That's it. That's the release.

Default error identifiers

  • Add default error identifiers, used if not specified/overridden in your custom config (#258)

PHPStan 1.11 added error identifiers and while they were supported by this extension for quite some time (since #97), they were not added by default, only when you've specified them.

This release adds error identifiers everywhere, and they'll be used if you don't specify custom identifiers in your custom config. The full list of identifiers is in the ErrorIdentifiers class here https://github.com/spaze/phpstan-disallowed-calls/blob/main/src/RuleErrors/ErrorIdentifiers.php and they have a disallowed.something format.

Disallow control structures like else, elseif, goto and others

  • Can disallow control structures like else, elseif, goto (#257)

Checking params inside ( ... ) doesn't work at the moment, so you can disallow all declare() constructs but can't re-allow e.g. declare(strict-types = 1).

If you try to disallow else if with the space, an exception will be thrown, because else if is parsed as else followed by if, so disallowing else if with the space wouldn't have the desired effect and the result would be unexpected. Disallow elseif, or don't write else if in your code 😇

Add phpinfo() to dangerous calls config

Add phpinfo() to dangerous calls config (#255)

See

for reasons why (phpinfo() echoes cookie values like the session id, which may then be stolen with XSS for example, bypassing HttpOnly cookie flag), and use https://github.com/spaze/phpinfo instead of just calling phpinfo().

Internal changes

  • It's already a list, no need to call array_values() (#253, this is a new bleeding edge rule added in PHPStan 1.10.59)
  • Update dev dependencies (#254)

Dynamic class constant fetch, disallowedEnums

What's Changed

  • Support dynamic class constant fetch available in PHP 8.3 (#242, #248)

... (truncated)

Commits
  • 0f030fd Support PHPStan 1.12 (#273)
  • b84ea26 Test with the lowest dependencies, mainly test with PHPStan 1
  • 2854dfe Bump the lowest nette/neon to bring in the linter
  • 729e474 Bump the lowest PHPUnit to one which supports PHP 8
  • a206c46 Seems it's possible to support both PHPStan 1.12 & 2.0 with this extension
  • 7c3c422 Support PHPStan 2.0 (#267)
  • 55e4124 Add native type declarations
  • 8981c20 PHPStan 2 requires PHP 7.4+, no need to test with older versions
  • ad496c7 Remove @throws exceptions that are not thrown in the method
  • 030337c Update types for CallLike::getArgs() calls
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
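
The release notes quoted above add phpinfo() to the extension's dangerous-calls config and introduce default error identifiers. The following is an added example, not part of the pull request or the project's own files, of what a consuming project's phpstan.neon could look like; the message text and the custom identifier value are constructed for illustration.

```neon
# phpstan.neon in the consuming project (added example, not from the PR)
includes:
    # Not needed when phpstan/extension-installer loads the extension for you
    - vendor/spaze/phpstan-disallowed-calls/extension.neon
    # Alternative to the custom entry below: the bundled list that now
    # contains phpinfo(), per the release notes (#255)
    # - vendor/spaze/phpstan-disallowed-calls/disallowed-dangerous-calls.neon

parameters:
    disallowedFunctionCalls:
        -
            function: 'phpinfo()'
            # Constructed message; states the risk described in the release notes
            message: 'output echoes cookie values such as the session id, use spaze/phpinfo instead'
            # Optional: without this key the default disallowed.* identifier
            # added in #258 is used. The value here is a constructed example.
            errorIdentifier: 'disallowed.phpinfo'
```

A stable identifier lets any remaining, reviewed call be ignored by identifier in the PHPStan config rather than by matching the message text.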

Bumps [spaze/phpstan-disallowed-calls](https://github.com/spaze/phpstan-disallowed-calls) from 2.16.1 to 4.0.1.
- [Release notes](https://github.com/spaze/phpstan-disallowed-calls/releases)
- [Commits](spaze/phpstan-disallowed-calls@v2.16.1...v4.0.1)

---
updated-dependencies:
- dependency-name: spaze/phpstan-disallowed-calls
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Nov 14, 2024