Bump psy/psysh from 0.12.9 to 0.12.19 in /plib/library

[dependabot]

Bumps psy/psysh from 0.12.9 to 0.12.19.

Release notes

Sourced from psy/psysh's releases.

PsySH v0.12.19

⚠️ Security fix

Fixed a CWD configuration poisoning vulnerability (CVE-2026-25129) where a malicious .psysh.php file in an attacker-writable directory could execute arbitrary code when a victim runs PsySH from that directory. This affects all versions prior to v0.12.19 and v0.11.23, including downstream consumers like Laravel Tinker, when invoked from an attacker-writable CWD.

Fixed in v0.12.19 and v0.11.23. Upgrade ASAP.

Restricted Mode

PsySH now requires explicit trust before loading project-local config (.psysh.php), local PsySH binaries, or Composer autoloads from untrusted projects. Trust decisions are persisted per-project in trusted_projects.json.

Configure with trustProject:

'trustProject' => 'prompt',  // default — ask interactively
'trustProject' => 'always',  // trust all projects
'trustProject' => 'never',   // always run restricted

Or use --trust-project / --no-trust-project CLI flags, or the PSYSH_TRUST_PROJECT env var.

Non-interactive sessions automatically skip untrusted features with a warning.

Magic method and property support 🪄

Tab completion, ls, doc, and show commands now recognize @method and @property docblock tags. Magic members display in magenta so you can tell them apart from real methods and properties.

Inheritance works as expected — magic members from parent classes, interfaces, and traits are included, with child declarations taking precedence.

Also fixes parsing of generic types (e.g., array<int, string>) in docblock tags, which previously broke on whitespace inside angle brackets.

See #905

Improvements

• Excluded a few unnecessary files and folders from release source zips (Thanks @​reedy!)
• Fixed --cwd to actually change the working directory. Previously it only affected discovery for autoload/config, so relative paths and other directory-dependent behavior didn’t work as expected inside the shell.
• Significantly improved memory usage with older php-parser versions (pre-v4.18.0)

PsySH v0.12.18

• Fix exit() not working when uopz extension is loaded
• Don't reopen pager if user closes it early
• Ensure stty state is restored before exiting PsySH (fixes an issue where Ctrl-C might be incorrectly handled after exiting)

PsySH v0.12.17

Hot code reloading!!?!?1?

... (truncated)

Commits

• a4f766e Merge branch 'release/v0.12.19'
• b59690d Bump to v0.12.19
• 5e93b5c Add Restricted Mode for untrusted projects
• 9bfc28d Revert "Add PAGER env var support."
• 07d8a16 Add magic method and property support
• d1438d6 Bump symfony/process from 5.4.47 to 5.4.51 in /vendor-bin/box
• 22fba81 Update phpstan ignore list
• 312b64a Fix OOM in CI, improve memory usage with php-parser older than v4.18.0
• 3283653 Year++, minor cleanup
• 95f8ef0 Lazy-boot Shell dependencies
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Note

Medium Risk
Primarily a dependency lockfile update, but it pulls in a major symfony/string version with a higher PHP requirement and updated Symfony compatibility constraints, which could break installs or runtime behavior if the environment isn’t aligned.

Overview
Updates plib/library/composer.lock to bump psy/psysh from v0.12.9 to v0.12.19 (includes upstream restricted-mode / security hardening) and refreshes its dependency graph.

This also upgrades related packages, notably nikic/php-parser (v5.5.0→v5.7.0) and several Symfony components/polyfills (console/var-dumper to v7.4.4, string to v8.0.4, polyfills to v1.33.0, service-contracts to v3.6.1), adjusting their declared compatibility ranges in the lockfile.

^{Written by Cursor Bugbot for commit 8405173. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

[cursor]

Dependency requires PHP 8.4 breaking older PHP support

High Severity

The symfony/string package was upgraded from v7.3.0 to v8.0.4, which changes the minimum PHP version requirement from >=8.2 to >=8.4. This creates a conflict because psy/psysh claims to support PHP 7.4+ and the project may run on PHP 8.2 or 8.3. The lock file was likely generated on PHP 8.4+, so composer install will fail on any PHP version below 8.4.

Additional Locations (1)

• plib/library/composer.lock#L1693-L1694