Releases: spaze/phpstan-disallowed-calls
Support both PHPStan 1.12 & 2.0
The 4.0 release removed support for PHPStan 1.x, and this release brings it back. Both PHPStan 1.12 and PHPStan 2.0 are supported (#273).
You can learn more about PHPStan 2.0 in the release notes or in the blog post and don't forget to get yourself an elephpant and a t-shirt!
Support & require PHPStan 2.0
This major release supports and requires PHPStan 2.0 (#267)
As mentioned in the UPGRADING.md
guide:
It's not feasible to try to support both PHPStan 1.x and PHPStan 2.x with the same extension code.
You can learn more about PHPStan 2.0 in the release notes or in the blog post and don't forget to get yourself an elephpant and a t-shirt!
Support PHP 8.4
- Support PHP 8.4 (#270)
That's it. That's the release.
Disallow create_function and support PHPStan 1.12.6, getting ready for 2.0
- Add
create_function
as a disallowed function call (#261, thanks @BackEndTea) - Process
ClassConstFetch
where$class
isName
only for enums to correctly support PHPStan 1.12.6 (#266)
Internal changes:
- Add phpstan/phpstan-deprecation-rules in expectation of PHPStan 2.0 (#263)
- Fix test class name (#260, spotted by @szepeviktor, thanks)
Default error identifiers
- Add default error identifiers, used if not specified/overridden in your custom config (#258)
PHPStan 1.11 added error identifiers and while they were supported by this extension for quite some time (since #97), they were not added by default, only when you've specified them.
This release adds error identifiers everywhere, and they'll be used if you don't specify custom identifiers in your custom config.
The full list of identifiers is in the ErrorIdentifiers
class here https://github.com/spaze/phpstan-disallowed-calls/blob/main/src/RuleErrors/ErrorIdentifiers.php and they have a disallowed.something
format.
Disallow control structures like else, elseif, goto and others
- Can disallow control structures like
else
,elseif
,goto
(#257)
Checking params inside ( ... )
doesn't work at the moment, so you can disallow all declare()
constructs but can't re-allow e.g. declare(strict-types = 1)
.
If you try to disallow else if
with the space, an exception will be thrown, because else if
is parsed as else
followed by if
, so disallowing else if
with the space wouldn't have the desired effect and the result would be unexpected. Disallow elseif
, or don't write else if
in your code 😇
Add phpinfo() to dangerous calls config
Add phpinfo()
to dangerous calls config (#255)
See
- https://www.michalspacek.com/stealing-session-ids-with-phpinfo-and-how-to-stop-it
- or https://www.michalspacek.cz/kradeni-session-id-pomoci-phpinfo-a-jak-tomu-zabranit (in Czech)
for reasons why (phpinfo()
echoes cookie values like the session id, which may then be stolen with XSS for example, bypassing HttpOnly
cookie flag), and use https://github.com/spaze/phpinfo instead of just calling phpinfo()
.
Internal changes
Support PHPStan 1.10.58 in disallowed-loose-calls.neon config
Dynamic class constant fetch, disallowedEnums
What's Changed
- Support dynamic class constant fetch available in PHP 8.3 (#242, #248)
- Added
disallowedEnums
, they useDisallowedConstant
internally (#243, docs)
Internal changes:
- The PHP 8.0 polyfill is not needed anymore (#237)
- More tests for attributes (#240) and on more PHP versions (#244)
- More strict/correct config schema,
disallowedConstants
'constant
field is always present (#245) - Reuse the existing reflection variable (#246)
Note
The 3.1.0 release was the same minus #248.
Param values with PHPdoc `typeString`, attributes on properties and more reported, no "because reasons" in errors, more rules for the same call, few possible bw compat breaks
New major version because some major new features in this release, and some potential backwards compatibility breaks, if you use the extension in one way or another, all described below.
New features
- Can specify params with a doctype in
typeString
config option (#234)
You can now specify dis/allowed parameter values as PHPDoc string liketypeString: 'foo'|'bar'
ortypeString: 'array{}'
etc. instead of justvalue: scalar
- Support more attribute targets: properties, class constants, params (#225)
Disallowed attributes will now be also reported when used on/with those.
Changed
- No "because reasons", because reasons (#221) (Possible backwards compatibility break, if you ignore error messages in your config)
Previously, if there was nomessage
key in the disallowed configuration, "because reasons" was added automatically. I thought it was funny back when this was an internal extension only, but maybe it's not anymore. So there's no "because reasons" anymore, and the error message will always end with a full stop.
, unless it already ends with one, or unless it ends with?
or!
. - Define extension parameters as a structure (#222, #231 and a follow-up in #229 thanks to @francescolaffi) (Possible BC break, if you have a typo in your config, you may suddenly be alerted about it)
Bye typos, at least some of them. - Can add more rules for the same call to have different messages for various params (#232) (Possible BC break if you for some reason relied on the order of the rules for the same function or method)
- The
allowExceptParamsInAllowed
description in docs was flipped around (#235)