Bump the composer group across 1 directory with 9 updates #1124

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/composer/composer-389ee2d36b

dependabot[bot] commented on behalf of github on Jun 19, 2026

Bumps the composer group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| guzzlehttp/guzzle | 7.10.3 | 7.12.1 |
| laravel/framework | 12.60.2 | 12.61.1 |
| phpoffice/phpspreadsheet | 1.30.4 | 1.30.5 |
| phpseclib/phpseclib | 3.0.52 | 3.0.55 |
| symfony/html-sanitizer | 7.4.12 | 7.4.13 |

Updates guzzlehttp/guzzle from 7.10.3 to 7.12.1

Release notes

Sourced from guzzlehttp/guzzle's releases.

7.12.1

Changed

  • Adjusted guzzlehttp/psr7 version constraint to ^2.12.1

Fixed

  • Reject proxy URLs with a malformed scheme in the cURL handlers instead of letting libcurl mishandle them

Security

7.12.0

Added

  • Added RequestOptions constants for curl, retries, and stream_context

Changed

  • Adjusted guzzlehttp/psr7 version constraint to ^2.12
  • Constrain cURL transport sharing to safe libcurl DNS and SSL session support
  • Resolve proxy environment variables in the cURL handlers; libcurl no longer reads the environment itself
  • Ignore proxy environment variables when the proxy request option makes a decision
  • Disable proxy environment variables on Windows SAPIs other than CLI (httpoxy hardening)
  • Redact proxy credentials from cURL handler error messages, following Psr7\Utils::redactUserInfo()
  • Normalize no-proxy domain and IP literal matching across the cURL and stream handlers

Deprecated

  • Deprecated the request-level handler option, which will be ignored in 8.0
  • Deprecated raw cURL request options outside the built-in cURL handlers' allow-list
  • Deprecated the CURLOPT_PROXYTYPE cURL request option; set the proxy type via a scheme-prefixed proxy URL
  • Deprecated PHP stream context options outside the built-in stream handler allow-list
  • Deprecated passing ntlm as a built-in auth type
  • Deprecated Utils::describeType()
  • Deprecated non-finite floats in the query and form_params options; 8.0 rejects them
  • Deprecated non-string scalar values in the body option; 8.0 rejects them

Fixed

  • Fix cURL TLS and HTTP/2 capability detection using libcurl feature checks
  • Fix proxy no list matches being re-proxied through environment-configured proxies by libcurl
  • Fix no list and NO_PROXY matching to support IP CIDR ranges, matching libcurl
  • Fix the stream handler not applying scheme-less proxies and their credentials

7.11.2

Fixed

... (truncated)

Changelog

Sourced from guzzlehttp/guzzle's changelog.

7.12.1 - 2026-06-18

Changed

  • Adjusted guzzlehttp/psr7 version constraint to ^2.12.1

Fixed

  • Reject proxy URLs with a malformed scheme in the cURL handlers instead of letting libcurl mishandle them

Security

7.12.0 - 2026-06-16

Added

  • Added RequestOptions constants for curl, retries, and stream_context

Changed

  • Adjusted guzzlehttp/psr7 version constraint to ^2.12
  • Constrain cURL transport sharing to safe libcurl DNS and SSL session support
  • Resolve proxy environment variables in the cURL handlers; libcurl no longer reads the environment itself
  • Ignore proxy environment variables when the proxy request option makes a decision
  • Disable proxy environment variables on Windows SAPIs other than CLI (httpoxy hardening)
  • Redact proxy credentials from cURL handler error messages, following Psr7\Utils::redactUserInfo()
  • Normalize no-proxy domain and IP literal matching across the cURL and stream handlers

Deprecated

  • Deprecated the request-level handler option, which will be ignored in 8.0
  • Deprecated raw cURL request options outside the built-in cURL handlers' allow-list
  • Deprecated the CURLOPT_PROXYTYPE cURL request option; set the proxy type via a scheme-prefixed proxy URL
  • Deprecated PHP stream context options outside the built-in stream handler allow-list
  • Deprecated passing ntlm as a built-in auth type
  • Deprecated Utils::describeType()
  • Deprecated non-finite floats in the query and form_params options; 8.0 rejects them
  • Deprecated non-string scalar values in the body option; 8.0 rejects them

Fixed

  • Fix cURL TLS and HTTP/2 capability detection using libcurl feature checks
  • Fix proxy no list matches being re-proxied through environment-configured proxies by libcurl
  • Fix no list and NO_PROXY matching to support IP CIDR ranges, matching libcurl
  • Fix the stream handler not applying scheme-less proxies and their credentials

... (truncated)

Commits
  • d346274 Release 7.12.1
  • 7f537cd Reject dot-only cookie domains (#3653)
  • 29482f2 Adjust version constraints (#3651)
  • fc70174 Reject proxy URLs with a malformed scheme in the cURL handlers (#3637)
  • 0f4da82 Reject HTTPS proxies when libcurl lacks HTTPS-proxy support (#3626)
  • eaa8159 Release 7.12.0
  • e0d3349 Adjusted guzzlehttp/psr7 version constraint and corrected links (#3646)
  • 8ca9415 Normalize scalar body request options (#3644)
  • 1a8d3aa Translate scheme-less proxies and their credentials in the stream handler (#3...
  • 751f7a5 Revert too aggressive authenticated proxy tunnel reuse mitigation (#3641)
  • Additional commits viewable in compare view

Updates laravel/framework from 12.60.2 to 12.61.1

Release notes

Sourced from laravel/framework's releases.

v12.61.1

v12.61.0

Commits
  • e8472ca Update version to v12.61.1
  • 61d5557 [12.x] Ensure config is bound before trying to log deprecation notice (#60376)
  • 12df688 [12.x] Ensure path separators aren't encoded in LocalFilesystemAdapter (#60350)
  • 33afd1e [12.x] Fix Number::pairs() infinite loop when $by is zero or negative (#60324)
  • e854b8c Fix FIFO queue name normalization in Cloud managed queues (#60316)
  • 55d9fb8 fix(Number): return INF/NAN as-is in trim() (#60322)
  • c76283c Fix regex typo in Env::addVariableToEnvContents that prevented quoting values...
  • 6730281 Fix @params typo in Fluent and MessageBag toPrettyJson() docblocks (#60313)
  • b8f2341 Preserve empty HTTP attach contents (#60291)
  • 3438371 Update CHANGELOG
  • Additional commits viewable in compare view

Updates guzzlehttp/psr7 from 2.10.1 to 2.12.1

Release notes

Sourced from guzzlehttp/psr7's releases.

2.12.1

Security

2.12.0

Deprecated

  • Deprecated non-finite float values in Query::build() that guzzlehttp/psr7 3.0 rejects
  • Deprecated non-finite float multipart contents that guzzlehttp/psr7 3.0 rejects
  • Deprecated non-string scalar bodies in Utils::streamFor(); cast them to a string for 3.0
  • Deprecated non-string Uri::withQueryValues() values; cast them to a string for 3.0

2.11.1

Fixed

  • Fixed non-finite float values emitting coercion warnings on PHP 8.5

2.11.0

Changed

  • Changed Utils::modifyRequest() to reject conflicting URI and Host header changes in the same call
  • Changed Header::parse() to split semicolon-separated parameters without repeated regular expression lookaheads
  • Changed UriComparator::isCrossOrigin() so only HTTP and HTTPS missing ports receive implicit default ports

Deprecated

  • Deprecated invalid PSR-7 arguments that guzzlehttp/psr7 3.0 will require native types for
  • Deprecated non-string header values that guzzlehttp/psr7 3.0 will reject
  • Deprecated empty header value arrays that guzzlehttp/psr7 3.0 will reject
  • Deprecated URI schemes that do not match guzzlehttp/psr7 3.0 syntax requirements
  • Deprecated multipart boundary and custom part header metadata that guzzlehttp/psr7 3.0 will reject
  • Deprecated reliance on automatic uppercasing of request methods; guzzlehttp/psr7 3.0 preserves method casing
  • Deprecated invalid Utils::modifyRequest() change values that guzzlehttp/psr7 3.0 will reject

Fixed

  • Fixed Utils::copyToStream() to retry short destination writes instead of dropping the unwritten remainder
  • Fixed Header::parse() splitting of semicolon-separated parameters with escaped quotes

2.10.4

Fixed

  • Apply UriNormalizer percent-encoding normalizations to URI fragments
  • Make LimitStream::getSize() return 0 for slices past the underlying stream end
  • Make AppendStream::read() return an empty string when no streams are attached
  • Make CachingStream::read() throw on an incomplete cache-target write instead of silently corrupting replays
  • Prevent CachingStream::seek() from looping indefinitely when the remote stream makes no progress

2.10.3

... (truncated)

Changelog

Sourced from guzzlehttp/psr7's changelog.

2.12.1 - 2026-06-18

Security

2.12.0 - 2026-06-16

Deprecated

  • Deprecated non-finite float values in Query::build() that guzzlehttp/psr7 3.0 rejects
  • Deprecated non-finite float multipart contents that guzzlehttp/psr7 3.0 rejects
  • Deprecated non-string scalar bodies in Utils::streamFor(); cast them to a string for 3.0
  • Deprecated non-string Uri::withQueryValues() values; cast them to a string for 3.0

2.11.1 - 2026-06-12

Fixed

  • Fixed non-finite float values emitting coercion warnings on PHP 8.5

2.11.0 - 2026-06-02

Changed

  • Changed Utils::modifyRequest() to reject conflicting URI and Host header changes in the same call
  • Changed Header::parse() to split semicolon-separated parameters without repeated regular expression lookaheads
  • Changed UriComparator::isCrossOrigin() so only HTTP and HTTPS missing ports receive implicit default ports

Deprecated

  • Deprecated invalid PSR-7 arguments that guzzlehttp/psr7 3.0 will require native types for
  • Deprecated non-string header values that guzzlehttp/psr7 3.0 will reject
  • Deprecated empty header value arrays that guzzlehttp/psr7 3.0 will reject
  • Deprecated URI schemes that do not match guzzlehttp/psr7 3.0 syntax requirements
  • Deprecated multipart boundary and custom part header metadata that guzzlehttp/psr7 3.0 will reject
  • Deprecated reliance on automatic uppercasing of request methods; guzzlehttp/psr7 3.0 preserves method casing
  • Deprecated invalid Utils::modifyRequest() change values that guzzlehttp/psr7 3.0 will reject

Fixed

  • Fixed Utils::copyToStream() to retry short destination writes instead of dropping the unwritten remainder
  • Fixed Header::parse() splitting of semicolon-separated parameters with escaped quotes

2.10.4 - 2026-05-29

Fixed

  • Apply UriNormalizer percent-encoding normalizations to URI fragments
  • Make LimitStream::getSize() return 0 for slices past the underlying stream end

... (truncated)

Commits

Updates phpoffice/phpspreadsheet from 1.30.4 to 1.30.5

Release notes

Sourced from phpoffice/phpspreadsheet's releases.

1.30.5

Security Note

  • File::prohibitWrappers and Drawing::setPath now reject phar paths with extra leading slashes (e.g. phar:///…) that escaped the prior parse_url-based filter.

Fixed

  • Third-party security patches.

Changelog

Sourced from phpoffice/phpspreadsheet's changelog.

2026-05-30 - 1.30.5

Security Note

  • File::prohibitWrappers and Drawing::setPath now reject phar paths with extra leading slashes (e.g. phar:///…) that escaped the prior parse_url-based filter.

Fixed

  • Third-party security patches.

Commits

Updates phpseclib/phpseclib from 3.0.52 to 3.0.55

Release notes

Sourced from phpseclib/phpseclib's releases.

3.0.55

  • RSA: signature verification with PKCS1 with failed when the parameters field was absent

3.0.54

  • X509: add setURLFetchCallback() method

3.0.53

  • RSA: decryption with password protected keys didn't work with OpenSSL engine (#2140)
  • ASN1: speed up OID calculations
  • SFTP: add hardlink() method (#2142)
  • DES: fix PHP deprecations (#2145)

Changelog

Sourced from phpseclib/phpseclib's changelog.

3.0.55 - 2026-06-14

  • RSA: signature verification with PKCS1 with failed when the parameters field was absent

3.0.54 - 2026-06-14

  • X509: add setURLFetchCallback() method

3.0.53 - 2026-06-09

  • RSA: decryption with password protected keys didn't work with OpenSSL engine (#2140)
  • ASN1: speed up OID calculations
  • SFTP: add hardlink() method (#2142)
  • DES: fix PHP deprecations (#2145)

Commits
  • db9744e Merge branch '3.0' of github.com:phpseclib/phpseclib into 3.0
  • 1f0c555 RSA: types in the comment
  • 4f5414f CHANGELOG: new release
  • d7b53f6 RSA: PKCS1 signature verification didn't always work with OpenSSL
  • 89a3dae Merge branch '2.0' into 3.0
  • efbc42c Merge branch '1.0' into 2.0
  • b732ef5 README: update 1.0 download link
  • 5418963 Merge branch '2.0' into 3.0
  • d73c9e0 Merge branch '1.0' into 2.0
  • fa867e5 CHANGELOG: add new release
  • Additional commits viewable in compare view

Updates symfony/html-sanitizer from 7.4.12 to 7.4.13

Release notes

Sourced from symfony/html-sanitizer's releases.

v7.4.13

Changelog (symfony/html-sanitizer@v7.4.12...v7.4.13)

Commits
  • 761f6c4 Merge branch '6.4' into 7.4
  • fba29d9 security #cve-2026-48761 [HtmlSanitizer] Sanitize URL attributes on <object>,...
  • a326fa2 security #cve-2026-48760 [HtmlSanitizer] Reject percent-encoded BiDi marks an...
  • a33ec9e Merge branch '6.4' into 7.4
  • b8617a0 [HtmlSanitizer] Honor universal attribute sanitizers, apply maxInputLength to...
  • cc08b9c [HtmlSanitizer] Sanitize URL attributes on <object>, <applet>, <iframe>, <img...
  • 2e05019 [HtmlSanitizer] Reject percent-encoded BiDi marks and Unicode whitespace in URLs
  • See full diff in compare view

Updates symfony/http-foundation from 7.4.8 to 7.4.13

Release notes

Sourced from symfony/http-foundation's releases.

v7.4.13

Changelog (symfony/http-foundation@v7.4.7...v7.4.13)

Commits
  • bc354f4 Merge branch '6.4' into 7.4
  • 48d76c2 security #cve-2026-48736 [HttpFoundation] Block IPv6 transition forms in IpUt...
  • fda5ebe Merge branch '6.4' into 7.4
  • 5979ae8 Ignore Doctrine DBAL deprecations that can't be worked around
  • 10d5daa [HttpFoundation] Fix tests for PHP 8.6: session.cookie_samesite=Lax
  • 3ebc78a [HttpFoundation] Block IPv6 transition forms in IpUtils::PRIVATE_SUBNETS
  • 051a962 Merge branch '6.4' into 7.4
  • 5402ad1 Remove wrong documentation
  • c38f205 [7.4] Remove usages of named arguments in tests
  • a762b60 Update XSD references in phpunit.xml.dist files
  • Additional commits viewable in compare view

Updates symfony/polyfill-intl-idn from 1.37.0 to 1.38.1

Release notes

Sourced from symfony/polyfill-intl-idn's releases.

v1.38.1

Changelog (symfony/polyfill-intl-idn@v1.31.0...v1.38.1)

Commits
  • dc21118 [Intl][Idn] Reject xn-- labels whose Punycode payload decodes to ASCII-only
  • See full diff in compare view

Updates symfony/routing from 7.4.12 to 7.4.13

Release notes

Sourced from symfony/routing's releases.

v7.4.13

Changelog (symfony/routing@v7.4.12...v7.4.13)

Commits
  • 3a16217 Merge branch '6.4' into 7.4
  • af04c79 Merge branch '5.4' into 6.4
  • e6f3f03 Fix tests and merge resolution after merging 6.4 into 7.4
  • 5156fe8 Merge branch '6.4' into 7.4
  • be4ce34 [Routing][RateLimiter][Mime][Security] Harden __unserialize against __toStrin...
  • f4ca0c5 [Routing] Fix dot-segment encoding for chained "../" and "./" in generated URLs
  • See full diff in compare view

Bumps the composer group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [guzzlehttp/guzzle](https://github.com/guzzle/guzzle) | `7.10.3` | `7.12.1` |
| [laravel/framework](https://github.com/laravel/framework) | `12.60.2` | `12.61.1` |
| [phpoffice/phpspreadsheet](https://github.com/PHPOffice/PhpSpreadsheet) | `1.30.4` | `1.30.5` |
| [phpseclib/phpseclib](https://github.com/phpseclib/phpseclib) | `3.0.52` | `3.0.55` |
| [symfony/html-sanitizer](https://github.com/symfony/html-sanitizer) | `7.4.12` | `7.4.13` |



Updates `guzzlehttp/guzzle` from 7.10.3 to 7.12.1
- [Release notes](https://github.com/guzzle/guzzle/releases)
- [Changelog](https://github.com/guzzle/guzzle/blob/7.12/CHANGELOG.md)
- [Commits](guzzle/guzzle@7.10.3...7.12.1)

Updates `laravel/framework` from 12.60.2 to 12.61.1
- [Release notes](https://github.com/laravel/framework/releases)
- [Changelog](https://github.com/laravel/framework/blob/13.x/CHANGELOG.md)
- [Commits](laravel/framework@v12.60.2...v12.61.1)

Updates `guzzlehttp/psr7` from 2.10.1 to 2.12.1
- [Release notes](https://github.com/guzzle/psr7/releases)
- [Changelog](https://github.com/guzzle/psr7/blob/2.12/CHANGELOG.md)
- [Commits](guzzle/psr7@2.10.1...2.12.1)

Updates `phpoffice/phpspreadsheet` from 1.30.4 to 1.30.5
- [Release notes](https://github.com/PHPOffice/PhpSpreadsheet/releases)
- [Changelog](https://github.com/PHPOffice/PhpSpreadsheet/blob/1.30.5/CHANGELOG.md)
- [Commits](PHPOffice/PhpSpreadsheet@1.30.4...1.30.5)

Updates `phpseclib/phpseclib` from 3.0.52 to 3.0.55
- [Release notes](https://github.com/phpseclib/phpseclib/releases)
- [Changelog](https://github.com/phpseclib/phpseclib/blob/master/CHANGELOG.md)
- [Commits](phpseclib/phpseclib@3.0.52...3.0.55)

Updates `symfony/html-sanitizer` from 7.4.12 to 7.4.13
- [Release notes](https://github.com/symfony/html-sanitizer/releases)
- [Changelog](https://github.com/symfony/html-sanitizer/blob/8.2/CHANGELOG.md)
- [Commits](symfony/html-sanitizer@v7.4.12...v7.4.13)

Updates `symfony/http-foundation` from 7.4.8 to 7.4.13
- [Release notes](https://github.com/symfony/http-foundation/releases)
- [Changelog](https://github.com/symfony/http-foundation/blob/8.2/CHANGELOG.md)
- [Commits](symfony/http-foundation@v7.4.8...v7.4.13)

Updates `symfony/polyfill-intl-idn` from 1.37.0 to 1.38.1
- [Release notes](https://github.com/symfony/polyfill-intl-idn/releases)
- [Commits](symfony/polyfill-intl-idn@v1.37.0...v1.38.1)

Updates `symfony/routing` from 7.4.12 to 7.4.13
- [Release notes](https://github.com/symfony/routing/releases)
- [Changelog](https://github.com/symfony/routing/blob/8.2/CHANGELOG.md)
- [Commits](symfony/routing@v7.4.12...v7.4.13)

---
updated-dependencies:
- dependency-name: guzzlehttp/guzzle
  dependency-version: 7.12.1
  dependency-type: direct:production
  dependency-group: composer
- dependency-name: laravel/framework
  dependency-version: 12.61.1
  dependency-type: direct:production
  dependency-group: composer
- dependency-name: guzzlehttp/psr7
  dependency-version: 2.12.1
  dependency-type: indirect
  dependency-group: composer
- dependency-name: phpoffice/phpspreadsheet
  dependency-version: 1.30.5
  dependency-type: indirect
  dependency-group: composer
- dependency-name: phpseclib/phpseclib
  dependency-version: 3.0.55
  dependency-type: indirect
  dependency-group: composer
- dependency-name: symfony/html-sanitizer
  dependency-version: 7.4.13
  dependency-type: indirect
  dependency-group: composer
- dependency-name: symfony/http-foundation
  dependency-version: 7.4.13
  dependency-type: indirect
  dependency-group: composer
- dependency-name: symfony/polyfill-intl-idn
  dependency-version: 1.38.1
  dependency-type: indirect
  dependency-group: composer
- dependency-name: symfony/routing
  dependency-version: 7.4.13
  dependency-type: indirect
  dependency-group: composer
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] added the dependencies (Pull requests that update a dependency file) and php (Pull requests that update Php code) labels on Jun 19, 2026