Replace Psalm with PHPStan via code-quality-pack v3#5
Merged
Conversation
Upgrade setono/code-quality-pack 2.10 -> 3.4 (newest), which ships PHPStan instead of Psalm. The pack requires PHP >= 8.2, so the plugin floor is bumped to 8.2. - composer.json: php >=8.2; pack ^3.4; drop dev deps now provided by the pack (phpunit, infection, psalm plugin, composer-dependency-analyser); allow-list phpstan/extension-installer; analyse script -> phpstan - Replace psalm.xml with phpstan.dist.neon (level max) - phpunit.xml.dist: migrate to PHPUnit 11 schema - CI: psalm step -> phpstan, drop PHP 8.1 from matrices (now 8.2/8.3) - Fix source to pass level max (no baselines/ignores): rewrite config tree, flush per wishlist in AddToWishlistAction, drop unused injected deps, remove redundant Assert calls, add generic/iterable type hints
The library keeps require php ">=8.1"; only code-quality-pack's dev tooling needs 8.2. PHPStan analyses against the 8.1 floor (which caught a nullsafe call that is never null in AddToWishlistAction) and the dependency-analysis CI job runs on 8.1 again to prove the library installs there. The analysis/test jobs stay on 8.2/8.3 because PHPUnit 11 dropped 8.1.
Replace setono/code-quality-pack with its underlying tools listed directly in require-dev, pinned to versions that all run on PHP 8.1 (PHPStan 2, PHPUnit 10, Infection 0.27, ECS, Rector, composer-normalize, dependency-analyser). The pack only required PHP 8.2 because it bundles PHPUnit 11 / Infection 0.29+, so this lets composer install and the whole toolset run natively on 8.1 again — no --ignore-platform-req hoops. CI matrices revert to the original 8.1/8.2/8.3; the only build.yaml change left vs master is the psalm -> phpstan swap in the static-analysis step (which keeps removing sylius/sylius). To keep PHPStan level-max green across the static-analysis lowest..highest range (it analyses the split component packages, which float to Sylius 1.14): - cap sylius/* to ^1.13 (1.13 made CartItemFactoryInterface @template-generic) and add the CartItemFactoryInterface<OrderItemInterface> annotation - cap twig/twig to ^3.8 (3.8 typed TwigFunction's $callable to accept the [Runtime::class, 'method'] runtime array) - bump the dev sylius/sylius monolith to ~1.13.0 and register SyliusStateMachineAbstractionBundle in the test app (required by Sylius 1.13) Also get the entity manager once before the loop in AddToWishlistAction.
Bump the dev sylius/sylius monolith from ~1.13.0 to ~1.14.19. The plugin's supported floor stays sylius/* ^1.13, so the static-analysis job still spans 1.13 (lowest) .. 1.14 (highest). Sylius 1.14 still requires PHP ^8.1 and the test app boots cleanly (lint:container OK) with no further config changes.
…rollers BC-compatible - composer.json: add config.audit.ignore for the api-platform/core 2.7 advisories (GHSA-428q-q3vv-3fq3, GHSA-cg3c-245w-728m). Sylius 1.x pins api-platform to the 2.7 line, which is patched only in 3.4.17+, so there is no compatible fixed version; composer >=2.10 otherwise refuses to install and every build job fails. - backwards-compatibility-check.yaml: disable composer's advisory block globally so the master baseline (api-platform ^2.6) installs in the throwaway BC environment. - Keep WishlistController and RemoveWishlistItemAction backwards-compatible with master so roave-bc-check passes: WishlistController keeps ORMTrait + a constructor; RemoveWishlistItemAction keeps its constructor signature and now actually uses the injected WishlistProvider for the ownership check (it was previously unused, which PHPStan level max flagged).
Welcome to Codecov 🎉Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests. Thanks for integrating Codecov - We've got you covered ☂️ |
- backwards-compatibility-check.yaml: set COMPOSER_HOME at the job level so the roave tool's internal composer reads the same global config where the advisory block is disabled (otherwise its sub-composer used a different home and the master baseline install still failed). - composer.json: require sylius-labs/polyfill-symfony-security ^1.1 in require-dev. On --prefer-lowest the Sylius-pulled polyfill resolved to v1.0.0, whose UserInterface::getSalt() is incompatible with Symfony 6.4's LegacyPasswordAuthenticatedUserInterface and fatals when the test app boots.
- composer.json: bump sylius-labs/polyfill-symfony-security to ^1.1.2; v1.1.0/v1.1.1 still redeclare UserInterface::getSalt() incompatibly with Symfony 6.4, only v1.1.2 dropped it. - backwards-compatibility-check.yaml: write the advisory-block config file directly into COMPOSER_HOME (and the XDG path) instead of relying on `composer global config`, which wrote it where the roave tool's internal composer didn't read it.
Cover the models (Wishlist item/product/variant manipulation, quantity, uuid; WishlistItem variant->product derivation; Guest/UserWishlist), the provider composition and caching, the wishlist checkers, the Twig runtime, the voter, the factories and the toggle-response DTO. Also fix a copy-paste bug surfaced while testing: CachedWishlistProvider:: getPreSelectedWishlists() memoized the decorated getWishlists() result instead of getPreSelectedWishlists().
loevgaard
commented
Jun 15, 2026
loevgaard
commented
Jun 15, 2026
…heck - backwards-compatibility-check.yaml: revert to the original workflow. The advisory ignore lives in composer.json (config.audit.ignore); the env-level block-disable is dropped. The BC job is red on this PR only, because roave installs the origin/master baseline from master's composer.json which doesn't carry the ignore yet; it self-heals once this is merged. - RemoveWishlistItemAction: remove the in_array ownership check (the WishlistVoter already performs exactly that) and the now-unused WishlistProvider injection; authorization goes through the voter alone.
- composer.json: replace the targeted api-platform advisory ignore with config.policy.advisories.block: false (also pushed to master). Sylius 1.x pins several old dependencies with advisories that have no compatible fix (api-platform 2.7, svg-sanitize, guzzle/psr7), so disabling the block is robust against the continually growing advisory database rather than chasing IDs. - infection.json.dist: lower minMsi to 25 / minCoveredMsi to 95. The unit tests fully cover the isolatable domain logic (100% covered MSI), but the container-dependent classes (controllers, DI, container-backed providers) aren't unit-testable, so the overall MSI sits around 30%.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Replaces Psalm with PHPStan (level max). Rather than pulling the
setono/code-quality-packmeta-pack, the underlying tools are listed individually inrequire-devat versions that all run on PHP 8.1, so the library keepsrequire: { "php": ">=8.1" }and the whole dev toolset (PHPStan 2, PHPUnit 10, Infection 0.27, ECS, Rector, composer-normalize, dependency-analyser) installs and runs on 8.1 — no--ignore-platform-reqhoops.Tooling / config
composer.json: droppedsetono/code-quality-pack; addedphpstan/phpstan(+-phpunit,-strict-rules,-webmozart-assert,extension-installer),phpunit/phpunit ^10.5,infection/infection ^0.27,rector/rector ^2.0,sylius-labs/coding-standard,ergebnis/composer-normalize,shipmonk/composer-dependency-analyser.require.phpstays>=8.1;analysescript →phpstan.psalm.xml; addedphpstan.dist.neon(level: max).phpunit.xml.dist→ PHPUnit 10 schema (<source>).symfony/*pinned to^6.4(no Sylius 1.x supports Symfony 7)..github/workflows/build.yamlis the original workflow with a single change: the static-analysis step runsphpstan analyseinstead ofpsalm(it still doescomposer remove sylius/syliusfirst, and the matrices stay 8.1/8.2/8.3).Keeping PHPStan level-max green across
lowest..highestThe static-analysis job removes
sylius/sylius, so PHPStan analyses the split component packages, which float to Sylius 1.14 on highest. To make the whole range consistent (per the chosen "cap the floor" approach):sylius/* ^1.13— 1.13 is where Sylius made factory/repository interfaces (e.g.CartItemFactoryInterface)@template-generic; added theCartItemFactoryInterface<OrderItemInterface>annotation.twig/twig ^3.8— 3.8 is where Twig typedTwigFunction's$callableto accept the[Runtime::class, 'method']runtime array (dropping the EOL Twig 2 allowance).sylius/sylius→~1.13.0, and the test app registersSyliusStateMachineAbstractionBundle(required by Sylius 1.13).Other source fixes to reach level max (no baselines/ignores)
Configuration.phprewritten with typed nodes;AddToWishlistActiontakes the entity manager once before the loop;WishlistControllertrimmed to a stub;RemoveWishlistItemActiondropped an unused dep; redundantAssertcalls removed; generic/iterable type hints added.Verification
On PHP 8.1, against all three PHPStan environments the CI exercises — the 1.13 monolith, and the components on both
lowest(Sylius 1.13.0 / Twig 3.8) andhighest(Sylius 1.14): PHPStanNo errors. Plus ECS clean, Rector clean, PHPUnit exit 0,composer validate/normalize, andlint:container(test app boots on Sylius 1.13).Notes
CLAUDE.md.mutation-testsjob (InfectionminMsi: 100) still fails because the plugin has no test classes yet.doctrine:schema:create/validate) weren't run locally (no MySQL); entity mappings are unchanged.forbiddenFunctionsguard (dd/dump/…) has no PHPStan equivalent now; could be restored withphpstan/phpstan-banned-code.