PHPStan is a static PHP code analyzer that's aimed at finding actual
bugs in the code. Where PHP Code Sniffer is about coding standards,
PHPStan is about correctness of code.
The provided configuration file (`phpstan.neon.dist`) is configured to
use the _lowest_ level of checks that PHPStan will report on. See
https://phpstan.org/user-guide/rule-levels for information about the
various rule levels.
Run an analysis of the code base like this:
% ./vendor/bin/phpstan
It will output any found issues to stdout.
You can also run it like this:
% ./vendor/bin/phpstan --error-format=raw > phpstan.log
This will give you an output file in a format that's suitable for use
with typical editors for mapping errors to source locations.
Note that we upgrade to the 2.x branch of the dependency, as the 3.x
branch requires PHP version 8.2 or later. There's no reason for us to
move our minimum supported version of PHP just yet.
This eliminates a potential vulnerability where a template author could
inject arbitrary PHP files to be run via the 'extends' tag.
See:
- https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w
- 0be92bc8a6
Impact assessment:
In our case I would consider this a low severity issue as we don't
allow users to dynamically add or edit smarty templates. Templates have
to be updated via merge requests, or by installing a theme. In both
cases a malicious attacker already has easier ways to inject whatever
code they want.
Further, the 'extends' tag is not in use in any of our core templates.
Introduces a bootstrap file that ensures that the base test case classes
are loaded and available instead.
This reduces the number of warnings when running composer install.
As the Symfony\Yaml stuff disappeared with behat, we need another way
to read the yaml files with database fixtures for the integration
tests.
As the php yaml extension is not distributed with PHP by default, this
creates it as another dev dependency!
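Added example (not the project's own code) of reading a database fixture with the php yaml extension mentioned above, failing loudly when the extension is absent or the file is not a mapping of table name to rows. The fixture layout and the temp-file path are assumptions made for the illustration:

```php
<?php
// Added example, not the project's own code: load a YAML database fixture
// with the PECL yaml extension and fail loudly when it is missing.
// The fixture layout (top-level map of table name => list of rows) is an assumption.

declare(strict_types=1);

/**
 * Return the fixture rows keyed by table name, or throw on any problem.
 *
 * @return array<string, array<int, array<string, mixed>>>
 */
function loadYamlFixture(string $path): array
{
    if (!extension_loaded('yaml')) {
        throw new RuntimeException('The php yaml extension is required to load fixtures');
    }
    if (!is_readable($path)) {
        throw new RuntimeException("Fixture file not readable: $path");
    }
    // yaml_parse_file() returns false (and emits a warning) on a parse error.
    $data = yaml_parse_file($path);
    if ($data === false || !is_array($data)) {
        throw new RuntimeException("Fixture file is not a YAML mapping: $path");
    }
    foreach ($data as $table => $rows) {
        if (!is_string($table) || !is_array($rows)) {
            throw new RuntimeException("Fixture for '$table' must be a list of rows");
        }
        foreach ($rows as $i => $row) {
            if (!is_array($row)) {
                throw new RuntimeException("Row $i of table '$table' is not a mapping");
            }
        }
    }
    return $data;
}

// Constructed sample fixture, written to a temp file so the example runs stand-alone.
$sample = <<<YAML
users:
  - id: 1
    login: alice
  - id: 2
    login: bob
YAML;
$tmp = tempnam(sys_get_temp_dir(), 'fixture');
file_put_contents($tmp, $sample);
$fixture = loadYamlFixture($tmp);
unlink($tmp);
printf("%d rows in table users\n", count($fixture['users']));
```

Checking `extension_loaded('yaml')` up front gives a clear error on a developer machine that lacks the dev dependency instead of a fatal "undefined function yaml_parse_file" halfway into the test run.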