Brings PHP 8.2 fixes.

> composer u mikey179/vfsstream
> composer req --dev typo3/testing-framework:^6.16.6

Change-Id: I4761948bd8827ab4638f280d5b69403d300afcb1
Resolves: #98026
Releases: main, 11.5, 10.4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75293


Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

These raises fix the bulk of PHP 8.2 unit test
fails.

We need to make webmozart/assert:^1.11.0 explicit
to pin it as minimum version for PHP 8.2
composer update --prefer-lowest in nightlies.

We don't strictly need the phpunit raise, but
pick it as casual dev update along the way.

$ composer require --dev phpunit/phpunit:^9.5.21
$ composer require --dev webmozart/assert:^1.11.0

Resolves: #97967
Releases: master, 11.5
Change-Id: I5c79a8577c5eb836566cb5c00bb6b63aa1b7ea1f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75242


Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Klee <typo3-coding@oliverklee.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

PHPStan 1.8.1 removes some warnings.

Used commands:

> composer req --dev phpstan/phpstan:^1.8.1
> ./Build/Scripts/runTests.sh -s phpstanGenerateBaseline

Resolves: #97959
Releases: main, 11.5
Change-Id: Ifaaf37add767f98d16b3e847447a2882c3c77ee8
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75209


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Patch level raise of a monorepo --dev dependency
as yet another raise to unblock psr/container:^2.

$ composer req --dev bnf/phpstan-psr-container:^1.0.1

Change-Id: I73da5737bfbad6dfb739f5f56732d5d283e3e372
Resolves: #97958
Releases: main, 11.5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75207


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Klee <typo3-coding@oliverklee.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

This patch raises egulias/email-validator to min version of
3.2.1, which incorporates latest changes. This also contains
a fix to avoid the usage of PHP8.2 deprecated methods, namely
`utf8_encode()` and `utf8_decode()`.

Used commands:

> composer req egulias/email-validator:"^3.2.1"
> composer req egulias/email-validator:"^3.2.1" \
    -d typo3/sysext/core --no-update

Resolves: #97879
Releases: main, 11.5
Change-Id: Ia985dd3171ec988201022052d036b00e765c2654
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75078


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

Used commands:
> composer req --dev phpstan/phpstan:^1.8.0
> ./Build/Scripts/runTests.sh -s phpstanGenerateBaseline

Resolves: #97823
Releases: main, 11.5
Change-Id: Ia124e34cf81c55915c2815cdff71bdde6aabe972
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75018


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

The maintainers of the package guzzlehttp/guzzle released a new version
7.4.5 that fixes two security issues:

* CURLOPT_HTTPAUTH option not cleared on change of origin [1]
* Change in port should be considered a change in origin [2]

Executed commands:

    composer require \
        guzzlehttp/guzzle:^7.4.5 \
        -W
    composer require \
        -d typo3/sysext/core \
        guzzlehttp/guzzle:^7.4.5 \
        --no-update

[1] https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r
[2] https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699

Resolves: #97802
Releases: main, 11.5, 10.4
Change-Id: Ia49f75f8ed078beb43ba42f89efdd8e68ee146c5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74972


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

The package guzzlehttp/guzzle has been updated to version 7.4.4
and 6.5.7 which both fix the security issues [1] and [2]. Since
TYPO3 is not affected by the issues by default, this is handled
as a public bugfix.

3rd party extensions may however be affected by the vulnerabilities
if `Authorization` or `Cookie` headers are used.

Executed commands:

    composer require \
        guzzlehttp/guzzle:^7.4.4 \
        -W
    composer require \
        -d typo3/sysext/core \
        guzzlehttp/guzzle:^7.4.4 \
        --no-update

[1] https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q
[2] https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9

Resolves: #97759
Releases: main, 11.5, 10.4
Change-Id: I6ed48f2b03e5e0ca82a9aa493499a5eaf65b184c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74878


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

composer req --dev composer/composer:^2.2.12

Resolves: #97722
Releases: main, 11.5
Change-Id: I526de4c62b5f9bc03230a8794cd42082e9f00560
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74801


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Klee <typo3-coding@oliverklee.de>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Used commands:

> composer req --dev phpstan/phpstan:^1.7.3
> ./Build/Scripts/runTests.sh -s clean
> ./Build/Scripts/runTests.sh -s phpstanGenerateBaseline

Resolves: #97706
Releases: main, 11.5
Change-Id: Ida82935064ad4ff5c2858d9a5a6696befd52e512
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74789


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

The package guzzlehttp/guzzle has been updated to 7.4.3 and 6.5.6
respectively, both fixing a security vulnerability related to
cross-domain cookie leakage [1]. Since TYPO3 is not affected by
this issue by default, this is handled as a public bugfix.

However, 3rd party code (e.g. thru extensions) may be affected by this
issue, as long `'cookies' => true` is used in requests done by Guzzle.

Executed commands:

    composer require \
        guzzlehttp/guzzle:^7.4.3 \
        -W
    composer require \
        -d typo3/sysext/core \
        guzzlehttp/guzzle:^7.4.3 \
        --no-update

[1] https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3

Resolves: #97694
Releases: main, 11.5, 10.4
Change-Id: I39071c917c7ed26392f66b0ea2f774ecbceead9f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74751


Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

Update testing-framework to incorporate latest changes.

Some phpstan-baseline ignore-patterns are added and will
be addressed with dedicated patches.

This change is a manual backport of #97677.

Used commands:

> composer req typo3/testing-framework:^6.16.5 --dev
> Build/Scripts/runTests.sh -s phpstanGenerateBaseline

Resolves: #97679
Related: #97677
Releases: 11.5
Change-Id: I4decfc4ceb9bacc59e81669443dd4a06ed1b0a72
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74724


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Klee <typo3-coding@oliverklee.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

The new version finds some new possible bugs and
removes some incorrect ones.

Used commands:

> composer req --dev phpstan/phpstan:^1.7.0
> Build/Scripts/runTests.sh -s phpstanGenerateBaseline

Resolves: #97678
Releases: main, 11.5
Change-Id: I0359ab80b0a6afc907f76bee328fb32c1e0655b7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74723


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Klee <typo3-coding@oliverklee.de>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

Raise phpstan to include latest phpstan bugfixes.
See: https://github.com/phpstan/phpstan/releases/tag/1.6.9

Used commands:

> composer req phpstan/phpstan:^1.6.9 --dev
> Build/Scripts/runTests.sh -s clean ; \
  Build/Scripts/runTests.sh -s phpstanGenerateBaseline

Resolves: #97668
Releases: main, 11.5
Change-Id: I61298c1696b14a6e89ddc98043de13acb127c6a0
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74720


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

Brings a multibyte fix when dealing with word-based
diffs, which is our default usage.

composer req lolli42/finediff:^1.0.1

Resolves: #97611
Releases: main, 11.5, 10.4
Change-Id: I601842ed75917f9a6d438191273e602238d3edda
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74606


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

A series of minor TF fixes, nothing fancy.

composer req --dev typo3/testing-framework:^6.16.4

Change-Id: I3b8fcec5d16398ba0b1b88379c3dc54b129252d3
Resolves: #97600
Releases: 11.5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74592


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Raise phpstan to newest release, which find more
things in a proper way. This includes some opcache
and autoloading fixes which may hopefully help with
lately occurrence of long-running phpstan ci runs.

Used commands:

> composer req --dev phpstan/phpstan:^1.6.7
> Build/Scripts/runTests.sh -s clean
> Build/Scripts/runTests.sh -s phpstanGenerateBaseline

Resolves: #97551
Releases: main, 11.5
Change-Id: If7493bc4138e99ff173047cba358d3be43cf2357
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74525


Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>

symfony/rate-limiter:5.4.8 has been released, so the failing
tests commented out with #97298 can be included again.

Raised symfony/rate-limiter:^5.4.8 to ensure that broken
version is not used.

Used commands:

> composer req "symfony/rate-limiter":"^5.4.8"
> composer req "symfony/rate-limiter":"^5.4.8" \
    -d typo3/sysext/core --no-update

Resolves: #97494
Related: #97298
Releases: main, 11.5
Change-Id: Idaa17f130a56f3e23c56243f24ecdccc14ac4b46
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74486


Tested-by: core-ci <typo3@b13.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

The new version finds some new possible bugs.

Used commands:

> composer require --dev phpstan/phpstan:^1.6.3
> Build/Scripts/runTests.sh -s phpstanGenerateBaseline

Resolves: #97508
Releases: main, 11.5
Change-Id: I7a813c4f12258aad96b99cec3feb93ee10d55bcf
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74482


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

The new version finds some new possible bugs and
removes some incorrect ones.

Used commands:

> composer require --dev phpstan/phpstan:^1.6.0
> composer require --dev phpstan/phpstan-phpunit:^1.1.1
> Build/Scripts/runTests.sh -s phpstanGenerateBaseline

Resolves: #97476
Releases: main, 11.5
Change-Id: Idaa2b920eacf0c36de8b5d97ae96549ad56a9e52
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74436


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

Used commands:
> composer req --dev -W phpunit/phpunit:^9.5.20
> composer req --dev -W phpspec/prophecy:^1.15.0
> composer req --dev -W phpspec/prophecy-phpunit:^2.0.1

Resolves: #97402
Releases: main, 11.5
Change-Id: I1d4ed2470cb22b97578ee7b5749dfc3439558f9c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74333


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Oliver Klee <typo3-coding@oliverklee.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Benni Mack <benni@typo3.org>

The new version finds some new possible bugs and
removes some incorrect ones.

Also update phpstan/phpstan-phpunit.

Used commands:
> composer req --dev phpstan/phpstan:^1.5.6
> composer req --dev phpstan/phpstan-phpunit:^1.1.0
> Build/Scripts/runTests.sh -s phpstanGenerateBaseline

Resolves: #97397
Releases: main, 11.5
Change-Id: I052ba01b33582f3f18f49c0ee2375f63d1048f4b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74329


Tested-by: Oliver Klee <typo3-coding@oliverklee.de>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Benni Mack <benni@typo3.org>

Recent guzzlehttp/psr7 versions address vulnerability CVE-2022-24775.
Mentioned known vulnerability is not considered relevant for the
TYPO3 core. That's why this issue is handled as regular bugfix.

Commands executed:
  composer req guzzlehttp/psr7:"^1.8.5 || ^2.1.2"
  composer req guzzlehttp/psr7:"^1.8.5 || ^2.1.2" \
    -d typo3/sysext/core --no-update

Resolves: #97240
Releases: main, 11.5, 10.4
Change-Id: I915b5620140912ecf1e0dc5bc887f4cc25ffb85a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74060


Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Used command:

> composer req --dev -W \
    "composer/composer":"^2.2.7" \
    "friendsofphp/php-cs-fixer":"^3.8.0"

> Build/Scripts/runTests.sh -s phpstanGenerateBaseline

Resolves: #97227
Releases: main, 11.5
Change-Id: Iad07abbef89a4b69c9d0ab2ea76cc3645bdb5476
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74023


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Oliver Bartsch <bo@cedev.de>

This patch raises doctrine/dbal to 2.13.8 as minimum version,
which contains a bugfix to avoid a native php error is emitted,
stating "mysqli::real_connect(): Passing null to parameter #7".

See: https://github.com/doctrine/dbal/pull/5296

One phpstan ignore pattern slightly changed because of a
changed return type declarion of doctrine/dbal. Tackling
the corresponding error should be done in a dedicated test
after proper investigation.

Used commands:

> composer req doctrine/dbal:^2.13.8
> composer req doctrine/dbal:^2.13.8 \
  -d typo3/sysext/core --no-update
> composer req doctrine/dbal:^2.13.8 \
  -d typo3/sysext/install --no-update
> composer req doctrine/dbal:^2.13.8 \
  -d typo3/sysext/redirects --no-update
> composer req doctrine/dbal:^2.13.8 \
  -d typo3/sysext/core --no-update
> Build/Scripts/runTests.sh -s phpstanGenerateBaseline

Resolves: #97222
Releases: 11.5
Change-Id: I6c1712a792780bd2966b3977d43f767e59304bd5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74013


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

The new release allows versions 1, 2, or 3 of psr/log,
so unblocks core using psr/log 3.

Commands run:
> composer req typo3/html-sanitizer ^2.0.14
> composer req typo3/html-sanitizer ^2.0.14 \
  -d typo3/sysext/core --no-update

Resolves: #97183
Releases: main, 11.5
Change-Id: Id0369aefb034ce477d4aa863f58e04518485ee47
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73997


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

This update gets rid of a false positive:

https://github.com/phpstan/phpstan-phpunit/issues/120

Resolves: #97163
Releases: main, 11.5
Change-Id: I6f7ecd909a127b5940b928d81c94ab7b3404cd49
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73896


Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>

The testing-framework with FE requests using sub requests
is now able to handle DELETE,PATCH,PUT and POST requests.

The situation in testing-framework is not the final solution,
though. The patch adds a test to verify if testing-framework
request details are properly received in the FE application.

This not only adds a use case to the core for these kind
of requests, but also ensures that we don't break this
detail again when testing-framework internal handling is
further refactored.

Also needs a testing-framework bugfix in v11:
> composer req --dev typo3/testing-framework:^6.16.2

Resolves: #97084
Releases: main, 11.5
Change-Id: I8268625d4b439f1657168d6b9c9a3878b36477bd
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73768


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

The new version finds some new possible bugs and
removes some incorrect ones. Combined with a TF
raise.

Used commands:
> composer req --dev phpstan/phpstan:^1.4.8
> composer req --dev typo3/testing-framework:^6.16.1
> Build/Scripts/runTests.sh -s phpstanGenerateBaseline

Resolves: #97097
Releases: main, 11.5
Change-Id: I97cec4c07f70b6d451ba55f9aaec7df109c36f71
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73811


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

doctrine/lexer has released a new minor version with
fixed method docblocks, thus phpstan ignore pattern
can now be removed again.

See: https://github.com/doctrine/lexer/issues/62

> composer req doctrine/lexer:"^1.2.3"
> composer req doctrine/lexer:"^1.2.3 \
  --no-update -d typo3/sysext/core
> Build/Scripts/runTests.sh \
  -s phpstanGenerateBaseline

Resolves: #97063
Related: #97055
Releases: main, 11.5
Change-Id: I5e729543c4721e7f9a17511c113139bf7908b208
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73754


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

doctrine/lexer has released a new minor version with changed
method docblocks, which now emits phpstan errors because of
incompatible types.

This patch raises the minor version for development and core
usage and adding phpstan ignore pattern to the baseline file
until doctrine/lexer has fixed the incompatible state. This
is a dedicated preparation to raise other dev dependencies.

Issue has been reported to the corresponding github repository:
https://github.com/doctrine/lexer/issues/62

used commands:

> composer req doctrine/lexer:"^1.2.2"
> composer req doctrine/lexer:"^1.2.2" \
  --no-update -d typo3/sysext/core
> Build/Scripts/runTests.sh \
  -s phpstanGenerateBaseline

Resolves: #97055
Releases: main, 11.5
Change-Id: Ib5c04202bdc6a4b5787a191e4bf1e175982fb217
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73736


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

The private container now provides access to non-public
services that have been at least once injected (and thus
be considered as service during DI compilation phase).

This may be used to provide dependencies to functional
test setups where some dependencies needs to be mocked
while other should receive the vanilla dependency
the container would normally inject.

A functional test case does implement the ContainerInterface
now, allowing tests to access both public and private
services.

$this->getContainer() may still be used if the default
container (delivering public services only) needs to
be injected into a service.

Related testing-framework pull request:
https://github.com/TYPO3/testing-framework/pull/331

Commands executed:
  composer req --dev typo3/testing-framework:^6.16.0
  git grep -l "this->getContainer()->get("  | xargs sed -i 's/this->getContainer()->get(/this->get(/g'

Resolves: #97032
Releases: main, 11.5
Change-Id: I5987d5244270a3e190c8721f6a8971c7fd1309ef
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73732


Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

This patch raises styleguide to the recently
released version to test against a more actual
codebase, including backports and the one or
other bugfix (postgres install etc).

used command:

> composer req typo3/cms-styleguide:"~11.5.4" --dev
> cd Build/composer ; \
    rm -rf composer.json ; \
    mv composer.dist.json composer.json ; \
    composer req typo3/cms-styleguide:"~11.5.4" \
      --dev --no-update ; \
    mv composer.json composer.dist.json ; \
    cd ../../

Resolves: #97012
Releases: 11.5
Change-Id: Ic03b13ac3737d29a8d90e4957806a2f6dd173ab5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73674


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Recent release of enshrined/svg-sanitize addressed a XSS vulnerability.

The main purpose of having this library in TYPO3 is to protect against
user submitted images that contains markup - which is possible with
SVG files. In most TYPO3 scenarios these files would be stored in
https://example.org/fileadmin/evil.svg and can be fetched directly.

However, recent update for CVE-2022-23638 of the svg-sanitizer library
seems to address the usage of inline SVG, used in an embedded HTML
context, see https://github.com/darylldoyle/svg-sanitizer/issues/71

Resolves: #96901
Releases: main, 11.5, 10.4
Change-Id: Iacbaf4b9c9725dee9c12df3646fc1131b7ed93ed
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73627


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Raise development dependency "php-webdriver/webdriver" to a
version which includes officially PHP8.1 fixes and opens for
up for "Symfony 6 components" installation on main.

used command:

> composer req php-webdriver/webdriver:"^1.12.0" --dev

Resolves: #96979
Releases: main, 11.5
Change-Id: I1ca15e0473e179c89c39fa2aa46073f3d09a2687
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73621


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

see https://github.com/TYPO3/testing-framework/pull/328

composer req --dev typo3/testing-framework:^6.15.3

Besides that, corresponding test cases for shortcut redirects
were extended to make the actual behavior more explicit there.

Resolves: #96818
Releases: 11.5
Change-Id: Ia0ffaaf0a6c93a05513f73bec5a5e5fb75b9eac7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73387


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

This brings a couple of fixes for false positives
that shrink the baseline by around 90 errors.

> composer req --dev phpstan/phpstan:^1.4.5
> Build/Scripts/runTests.sh -s phpstanGenerateBaseline

Change-Id: I47ba88117866a59f2b7760539f1be217d1bcde34
Resolves: #96747
Releases: main, 11.5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73295


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

The plugins adds a dynamic return type resolver for the
ContainerInterface::get() method and is especially useful
in core ServiceProviders once we enable phpstan level 5
as invalid parameter usage will then be detected.

The plugin already revealed wrong interface usage in
functional MFA tests which are fixed as a drive by.

Commands executed:

  composer req --dev bnf/phpstan-psr-container:^1.0
  Build/Scripts/runTests.sh -s phpstanGenerateBaseline

Releases: main, 11.5
Resolves: #96691
Change-Id: I4149a75e9a94ba61218e18c0639c03a06a7c53c1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73222


Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

Adding phpstan/phpstan-phpunit makes phpstan
"understand" mocking and a couple of related things.

Loading the extension in phpstan.neon reduces removes
a bunch of PHPStan warnings, makes others more specific,
and adds new warnings for some PHPUnit-specific issues.

> composer require --dev phpstan/phpstan-phpunit:^1.0

Resolves: #96690
Releases: main, 11.5
Change-Id: Ib77f18f9492c3891b46d213b4f3981be1ac21c1a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73221


Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

Having jangregor/phpstan-prophecy and including it
in the phpstan config cuts the baseline by ~half.
Details can now be sorted out with single patches.

> composer req --dev jangregor/phpstan-prophecy:^1.0
> Build/Scripts/runTests.sh -s phpstanGenerateBaseline

Resolves: #96684
Releases: main, 11.5
Change-Id: I7a2a8fd4a40a1a791d7622b506680a53e73187f9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73212


Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>