5.26.1

What's Changed

Fixes

• Fix JSON formatter crashes with invalid UTF in error messages by @weirdan in #11092

Full Changelog: 5.26.0...5.26.1

5.26.0

What's Changed

Features

• Add mysqli.execute-query as sink for TaintedSql by @cgocast in #11021
• Add TaintedCallable sinks for 4 core generic functions by @cgocast in #11090
• Improve mysql fetch_field* return type by @MoonE in #11009
• Check for psalm.dist.xml as well by @HypeMC in #11031

Fixes

• Change ReflectionParameter::getName() result type to non-empty-string by @vjik in #11037
• Fix mysqli_real_escape_string stub by @kamil-tekiela in #11078
• Fix mysqli_get_client_version by @kamil-tekiela in #11074
• Up the minimum required version of nikic/php-parser to 4.17 by @chesn0k in #10968
• Fix callable/lowercase strings coercion by @weirdan in #11091
• Consistently emit issues for properties on classes with unknown mixins by @issidorov in #11081

New Contributors

• @chesn0k made their first contribution in #10968

Full Changelog: 5.25.0...5.26.0

5.25.0

What's Changed

Features

• Casting int-range should keep literals by @kkmuffme in #10941
• Update help panel by @llaville in #11000
• Add support for phpstan-pure by @VincentLanglet in #10975
• Precise preg_match_all return type by @VincentLanglet in #10969

Fixes

• Fix-GH-10933-And-GH-10951 by @jack-worman in #10953
• redis: add possible types for Redis#auth method by @boesing in #10934
• Avoid false positive about array which are non-callable by @VincentLanglet in #10935
• Fix literal-string|non-empty-literal-string by @VincentLanglet in #10930
• Fix signature of Locale::canonicalize. by @ADmad in #11010

New Contributors

• @llaville made their first contribution in #11000

Full Changelog: 5.24.0...5.25.0

5.24.0

What's Changed

Features

• Allow specifying flags to Codebase::isTypeContainedByType by @danog in #10829
• Allow more callable types as subtypes of callable by @weirdan in #10805
• Report parent being used in callable context when the class does not extend anything by @kkmuffme in #10838
• Report error for additional deprecated arg types in PHP 8.1/8.3 by @kkmuffme in #10824
• Add MissingClassConstType Issue by @jack-worman in #10828
• Enforce parameter names for consistent constructors by @kkmuffme in #10821
• Add misc missing errors for invalid callable methods by @kkmuffme in #10839

Fixes

• Forbid named arguments for ArrayAcccess methods by @weirdan in #10804
• Don't crash on invalid templates by @weirdan in #10806
• report error for single param name mismatch too since named args can even be used then by @kkmuffme in #10822
• add support for named arguments for filter_var and filter_input by @pilif in #10815
• When inside isset, make array fetch result nullable by @edsrzf in #10756
• Promoted properties missing in extended __construct should report PropertyNotSetInConstructor by @kkmuffme in #10817
• Updating signature of getmxrr() by @ThomasLandauer in #10847
• Improve string-int juggle consistency in array keys and display for int-like strings in type by @kkmuffme in #10814
• Fix storage not available in thread for intersection doc types by @simonberger in #10856
• Don't emit MissingOverrideAttribute for implicit Stringable implementations by @edsrzf in #10858
• Specify array return type of session_get_cookie_params by @jorgsowa in #10859
• Unknown @psalm annotation should not make whole docblock invalid by @kkmuffme in #10885
• Add mail to impure functions list by @smaddock in #10923
• Update PHP 8.2 Call map delta with refined types for string comparison functions by @gsteel in #10883

Docs

• document that @psalm-internal works for namespace + class too by @kkmuffme in #10866

Internal changes

• fix tests running with other than called PHP binary if called with a non-default PHP binary by @kkmuffme in #10842
• Explicitly set value in config to fix warning in tests by @kkmuffme in #10843
• [PHP 8.4] Fixes for implicit nullability deprecation by @Ayesh in #10832
• Throw exception instead of silently logging issues occurred during scan by @danog in #10902

Other changes

• Fix conditional on non empty literal string by @VincentLanglet in #10912
• Ignore jsonSerialize for implementors of JsonSerializable by @josephwynn-sc in #10891
• Add XML functions to ImpureFunctionsList #10882 by @DKhalil in #10887

New Contributors

• @Ayesh made their first contribution in #10832
• @smaddock made their first contribution in #10923
• @josephwynn-sc made their first contribution in #10891
• @DKhalil made their first contribution in #10887

Full Changelog: 5.23.1...5.24.0

5.23.1

What's Changed

Fixes

• Fixed analysis of existing static methods if the __callStatic() method exists by @issidorov in #10812

Full Changelog: 5.23.0...5.23.1

5.23.0

What's Changed

Features

• Update PHP 8.2 stubs to include SensitiveParameterValue by @gsteel in #10726
• Add list of statements to BeforeFileAnalysisEvent by @ohader in #10728
• Forbid iterating over generators with non-nullable send() by @weirdan in #10697
• Initial support for named parameters for callables by @weirdan in #10772

Fixes

• Improve randomizer stubs by @danog in #10709
• Fix detecting magic static methods by @issidorov in #10704
• Fix non-empty-lowercase-string handling with literal non-lowercase strings by @kkmuffme in #10722
• Fix RiskyTruthyFalsyComparison irrelevant errors when there is no explicit truthy/falsy type by @kkmuffme in #10733
• Allow Override attribute to be used in pure contexts by @weirdan in #10734
• Revert "Allow tainted numerics except for 'html' and 'has_quotes'" by @ohader in #10729
• Fix loading stubs from phar file on Windows by @weirdan in #10748
• Fix a false flag issue with InvalidConstantAssignmentValue by @MelechMizrachi in #10738
• Set inside_isset false when analyzing ArrayDimFetch index by @edsrzf in #10752
• Set inside_isset = false when analyzing arguments by @edsrzf in #10753
• Fix PHP notice - crash on invalid taint-escape by @kkmuffme in #10760
• Fix version comparison for @since by @weirdan in #10764
• Since annotations outside phpstub should not infer php version by @kkmuffme in #10769
• Backport WeakMap iterator fix from master by @weirdan in #10778
• Namespace anonymous classes by @weirdan in #10779
• Update CallMap for sqlsrv_connect and sqlsrv_errors to match reflection by @theodorejb in #10781
• $resource parameter of mkdir() is nullable since PHP 7.3 by @weirdan in #10802
• Use wider class-string when combining class strings with intersections by @weirdan in #10800

Internal changes

• Use TaintKind/TaintKindGroup constants instead of string values by @ohader in #10746
• Skip symlink test on Windows by @weirdan in #10749
• Avoid duplicating code for RiskyTruthyFalsyComparison by @theodorejb in #10765
• fix PHP 8 tests running with wrong --php-version=/phpVersion= if not explicitly specified by @kkmuffme in #10776
• CS fix by @weirdan in #10801

New Contributors

• @MelechMizrachi made their first contribution in #10738

Full Changelog: 5.22.2...5.23.0

5.22.2

What's Changed

Fixes

• Catch missing classlike exceptions during scanning by @weirdan and @ohader in #10720

Full Changelog: 5.22.1...5.22.2

5.22.1

What's Changed

Fixes

• Improve parsing of @psalm-type by @weirdan in #10713

Full Changelog: 5.22.0...5.22.1

5.22.0

What's Changed

Features

• Allow inline comments in typedef shapes by @weirdan in #10623
• allow typedef imports from any kind of classlike by @weirdan in #10625
• Allow enum cases to be global constants by @weirdan in #10634
• New InvalidOverride issue for Override attribute by @edsrzf in #10644
• Analyze dynamic names for static property and const fetches by @edsrzf in #10629
• New MissingOverrideAttribute issue by @edsrzf in #10651
• Flag stdClass::__construct() calls that have arguments by @weirdan in #10661
• Improve Reflection stubs by @vudaltsov in #10091
• Forbid constructors from returning any values by @weirdan in #10686
• Report first class callables generated for unknown static methods by @weirdan in #10691
• Process @psalm-this-out on __construct() as well by @weirdan in #10690
• Report invalid number of arguments for psalm-taint-* by @staabm in #10699

Fixes

• Fix ownerDocument type in dom-ext classes by @fluffycondor in #10619
• Fix numeric scalar validate filter var input return type wrong by @kkmuffme in #10621
• Stable baseline by @weirdan in #10633
• Allow sebastian/diff v6 by @simPod in #10639
• CallMap: Adjust return type for inotify_add_watch() to int|false by @UlrichEckhardt in #10637
• Fix check-type when using builtin types from within a namespace by @robchett in #10648
• Do not add callable as a native property type by @weirdan in #10654
• Fix additional places where base_dir was broken due to missing separator by @kkmuffme in #10630
• Late binding of enum cases by @weirdan in #10655
• Suppress UndefinedClass in whatever_exists() by @weirdan in #10659
• Fix parsing magic method annotations by @issidorov in #10665
• Strip callmap prefixes from parameter names by @weirdan in #10666
• Narrow ord() return type to int<0,255> by @weirdan in #10676
• Template union object incorrect assertions by @robchett in #10677
• Don't show backtrace in InvalidDocblock issue message by @weirdan in #10679
• Class consts in array shapes by @weirdan in #10678
• Prevent mixed|null by @robchett in #10675

Internal changes

• Drop unused local composer repo by @weirdan in #10647
• Clarify that Pull request labels failure is to be resolved by maintainers by @weirdan in #10649
• Fix unstable hasFullyQualified(Interface|Enum)() by @weirdan in #10603
• Revert partial mistakenly pushed fix by @danog in #10671

Full Changelog: 5.21.1...5.22.0

5.21.1

What's Changed

Fixes

• Fix baseline loading for path specified on the command line by @weirdan in #10628

Full Changelog: 5.21.0...5.21.1