Composer: update to PHPCSDevCS 1.2.0 #1983
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
PHPCSDevCS now allows for PHPCS 4.0 and includes PHPCompatibility 10.0.0-alpha1 and a range of sniffs from PHPCSExtra. This also means that we can now scan files without a file extension (if explicitly requested), so the `bin` script can now be scanned. Includes minor documentation update in the ruleset. Includes adding one selective exclusion to the ruleset. Includes various small CS fixes. Refs: * https://github.com/PHPCSStandards/PHPCSDevCS/releases/tag/1.2.0 * squizlabs/PHP_CodeSniffer 2916 * PHPCSStandards/PHP_CodeSniffer 1022
Dependabot has basically _never_ submitted any useful PRs updating the dependencies managed via Composer. In most cases, it wouldn't be able to anyway as the "widen" strategy only really causes update PRs when a new major of a dependency is released and with a new major of a dependency, we'll generally need to do a managed update, so wouldn't be able to use the Dependabot PR anyhow. On top of that, it appears to be completely impossible to set any environment variables for the running of Dependabot via GH Actions. This is problematic as we have a circular dependency via the `phpcsstandards/phpcsdevcs` package since the update to PHPCSDevCS 1.2.0 and the only way to get round that is to set a `COMPOSER_ROOT_VERSION` environment variable. In practice, this means that since the update to PHPCSDevCS 1.2.0, the action runs for Dependabot are failing, which is not useful. All in all, I see no upside to continue to have Dependabot enabled for the Composer packages.
This was referenced Nov 13, 2025
wimg
approved these changes
Nov 24, 2025
This was referenced Nov 25, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Composer: update to PHPCSDevCS 1.2.0
PHPCSDevCS now allows for PHPCS 4.0 and includes PHPCompatibility 10.0.0-alpha1 and a range of sniffs from PHPCSExtra.
This also means that we can now scan files without a file extension (if explicitly requested), so the
binscript can now be scanned.Includes minor documentation update in the ruleset.
Includes adding one selective exclusion to the ruleset.
Includes various small CS fixes.
Refs:
GH Actions: run CS check against PHPCS 4.x dev
Dependabot: remove
composerecosystemDependabot has basically never submitted any useful PRs updating the dependencies managed via Composer.
In most cases, it wouldn't be able to anyway as the "widen" strategy only really causes update PRs when a new major of a dependency is released and with a new major of a dependency, we'll generally need to do a managed update, so wouldn't be able to use the Dependabot PR anyhow.
On top of that, it appears to be completely impossible to set any environment variables for the running of Dependabot via GH Actions.
This is problematic as we will have a circular dependency via the
phpcsstandards/phpcsdevcspackage once this update to PHPCSDevCS 1.2.0 would be merged and the only way to get round that is to set aCOMPOSER_ROOT_VERSIONenvironment variable.In practice, this means that updating to PHPCSDevCS 1.2.0 will cause the action runs for Dependabot to fail, which is not useful.
All in all, I see no upside to continue to have Dependabot enabled for the Composer packages.