@renovate renovate bot commented Mar 24, 2024

This PR contains the following updates:

| Package | Change | Type | Update |
| ------- | ------ | ---- | ------ |
| composer/composer (source) | ^2.7.2 -> ^2.8.11 | require-dev | minor |
| infection/infection | ^0.27.11 -> ^0.31.2 | require-dev | minor |
| laminas/automatic-releases | 1.24.0 -> 1.25.0 | action | minor |
| ocramius/package-versions | ^2.8.0 -> ^2.10.0 | require | minor |
| php | ~8.1.0 \|\| ~8.2.0 \|\| ~8.3.0 -> ~8.1.0 \|\| ~8.2.0 \|\| ~8.3.0 \|\| ~8.4.0 | require | minor |
| phpunit/phpunit (source) | ^10.5.15 -> ^10.5.55 | require-dev | patch |
| psalm/plugin-phpunit | ^0.19.0 -> ^0.19.5 | require | patch |
| shivammathur/setup-php | 2.30.0 -> 2.35.4 | action | minor |
| vimeo/psalm | ^5.23.1 -> ^5.26.1 | require | minor |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

composer/composer (composer/composer)

v2.8.11

Compare Source

  • Fixed PHP 8.5 deprecation warnings (#12504, #12493, #12505)
  • Fixed bump command handling of 0.x versions (#12468)
  • Fixed psr-4 warnings being shown in some cases when using symlinked directories (#12480)
  • Fixed audit command failing hard if any advisory constraint was invalid (#12507)

v2.8.10

Compare Source

  • Fixed plugins appearing loaded despite not being loaded yet in some edge cases (#12442)
  • Fixed forward compatibility with Symfony 7.4 (#12445)
  • Fixed deprecation warning on PHP 8.4 when platform check fails (#12453)
  • Fixed support for new planner role in GitLab (#12426)
  • Fixed Bitbucket regression introduced in 2.8.0 (#12462)
  • Fixed json schema issues with version validation (#12438)
  • Fixed git prompt breaking some systems (#12437)
  • Fixed warning on PHP 8.5 when curl is not loaded (#12472)

v2.8.9

Compare Source

  • Fixed json schema issues with version validation (#12376)
  • Fixed bump-after-update triggering after an update --lock, which makes no sense (#12371)
  • Fixed zip bomb false positives when unpacking using ZipArchive (#12409)
  • Fixed creation of empty archives (#12408)
  • Removed output of script being run when running via composer <script-name> (#12383)

v2.8.8

Compare Source

  • Fixed json schema issues with version validation (#12367)
  • Fixed issues running on 32bit machines (#12365)

v2.8.7

Compare Source

  • Bumped justinrainbow/json-schema dependency to 6.x (#12348)
  • Added COMPOSER_MAX_PARALLEL_PROCESS env var to control max amount of parallel processes Composer will start (#12356)
  • Added zstd/brotli presence in diagnose command output
  • Fixed error handler to avoid spamming deprecation notices (#12360)
  • Fixed InstalledVersions returning duplicate data at Composer runtime (#12225)
  • Fixed handling of --with ... constraints to make them apply to packages replaced a package with a different name (#12353)
  • Fixed deprecation warnings showing up in IDE code inspections within the vendor dir (#12331)
  • Fixed a few json schema completeness issues (#12332, #12321)
  • Fixed issue autoloading files with a .phar inside the path (#12326)

v2.8.6

Compare Source

  • Added COMPOSER_WITH_DEPENDENCIES and COMPOSER_WITH_ALL_DEPENDENCIES env vars to enable the --with[-all]-dependencies flags (#12289)
  • Added COMPOSER_SKIP_SCRIPTS env var to tell Composer to skip certain script handlers by script names (comma separated) (#12290)
  • Added error hint when Avast is detected together with curl certificate errors (#9894)
  • Fixed handling of backslash in folder names when creating archives (#12327)
  • Fixed detection of containerd for containers to avoid warning about root usage (#12299)

v2.8.5

Compare Source

  • Added build provenance attestation so you can also now download and verify phar files from GitHub releases:

      gh release --repo composer/composer download --pattern composer.phar
      gh attestation verify --repo composer/composer composer.phar

  • Fixed unsupported funding values causing parse errors in packages (#12247)
  • Fixed support for a few newer funding formats (#12257)
  • Fixed InstalledVersions regression from 2.8.4 when reload() is used (#12269)
  • Fixed psr-0/psr-4 rules having unstable order in vendor/composer/autoload*.php (#12263)
  • Fixed a few warnings happening incorrectly in edge cases (#12284, #12268, #12283)

v2.8.4

Compare Source

  • Fixed exit code of the audit command not being meaningful (now 1 for vulnerabilities and 2 for abandoned, 3 for both) (#12203)
  • Fixed issue on plugin upgrade when it defines multiple classes (#12226)
  • Fixed duplicate errors appearing in the output depending on php settings (#12214)
  • Fixed InstalledVersions returning duplicate data in some instances (#12225)
  • Fixed installed.php sorting to be deterministic (#12197)
  • Fixed bump-after-update failing when using inline constraints (#12223)
  • Fixed create-project command to now disable symlinking when used with a path repo as argument (#12222)
  • Fixed validate --no-check-publish to hide publish errors entirely as they are irrelevant (#12196)
  • Fixed audit command returning a failing code when composer audit fails as this should not trigger build failures, but running audit as standard part of your build is probably a terrible idea anyway (#12196)
  • Fixed curl usage to disable multiplexing on broken versions when proxies are in use (#12207)

v2.8.3

Compare Source

  • Fixed windows handling of process discovery (#12180)
  • Fixed react/promise requirement to allow 2.x installs again (#12188)
  • Fixed some issues when lock:false is set in require and bump commands

v2.8.2

Compare Source

  • Fixed crash while suggesting providers if they have no description (#12152)
  • Fixed issues creating lock files violating the schema in some circumstances (#12149)
  • Fixed create-project regression in 2.8.1 when using path repos with relative paths (#12150)
  • Fixed ctrl-C aborts not working inside text prompts (#12106)
  • Fixed git failing silently when git cannot read a repo due to ownership violations (#12178)
  • Fixed handling of signals in non-PHP binaries run via proxies (#12176)

v2.8.1

Compare Source

  • Fixed PHP 8.5 deprecation warnings (#12504, #12493, #12505)
  • Fixed bump command handling of 0.x versions (#12468)
  • Fixed psr-4 warnings being shown in some cases when using symlinked directories (#12480)
  • Fixed audit command failing hard if any advisory constraint was invalid (#12507)

v2.8.0

Compare Source

  • BC Warning: Fixed https_proxy env var falling back to http_proxy's value. The fallback and warning have now been removed per the 2.7.3 release notes (#11938, #11915)
  • Added --patch-only flag to the update command to restrict updates to patch versions and make an update of all deps safer (#12122)
  • Added --abandoned flag to the audit command to configure how abandoned packages should be treated, overriding the audit.abandoned config setting (#12091)
  • Added --ignore-severity flag to the audit command to ignore one or more advisory severities (#12132)
  • Added --bump-after-update flag to the update command to run bump after the update is done (#11942)
  • Added a way to control which scripts receive additional CLI arguments and where they appear in the command, see the docs (#12086)
  • Added allow-missing-requirements config setting to skip the error when the lock file is not fulfilling the composer.json's dependencies (#11966)
  • Added a JSON schema for the composer.lock file (#12123)
  • Added better support for Bitbucket app passwords when cloning repos / installing from source (#12103)
  • Added --type flag to filter packages by type(s) in the reinstall command (#12114)
  • Added --strict-ambiguous flag to the dump-autoload command to make it return with an error code if duplicate classes are found (#12119)
  • Added warning in dump-autoload when vendor files have been deleted (#12139)
  • Added warnings for each missing platform package when running create-project to avoid having to run it again and again (#12120)
  • Added sorting of packages in allow-plugins when sort-packages is enabled (#11348)
  • Added suggestion of provider packages / polyfills when an ext or lib package is missing (#12113)
  • Improved interactive package update selection by first outputting all packages and their possible updates (#11990)
  • Improved dependency resolution failure output by sorting the output in a deterministic and (often) more logical way (#12111)
  • Fixed PHP 8.4 deprecation warnings about E_STRICT (#12116)
  • Fixed init command to validate the given license identifier (#12115)
  • Fixed version guessing to be more deterministic on feature branches if it appears that it could come from either of two mainline branches (#12129)
  • Fixed COMPOSER_ROOT_VERSION env var handling to treat 1.2 the same as 1.2.x-dev and not 1.2.0 (#12109)
  • Fixed require command skipping new stability flags from the lock file, causing invalid lock file diffs (#12112)
  • Fixed php://stdin potentially being open several times when running Composer programmatically (#12107)
  • Fixed handling of platform packages in why-not command and partial updates (#12110)
  • Reverted "Fixed transport-options.ssl for local cert authorization being stored in lock file making them less portable (#12019)" from 2.7.8 as it was broken

v2.7.9

Compare Source

  • Fixed Docker detection breaking on constrained environments (#12095)
  • Fixed upstream issue in bash completion script, it is recommended to update it using the completion command (#12015)

v2.7.8

Compare Source

  • Added release-age, release-date and latest-release-date in the JSON output of outdated (#12053)
  • Fixed PHP 8.4 deprecation warnings
  • Fixed addressability of branches containing # signs (#12042)
  • Fixed bump command not handling some ~ constraints correctly (#12038)
  • Fixed COMPOSER_AUTH not taking precedence over ./auth.json (#12084)
  • Fixed relative: true sometimes not being respected in path repo symlinks (#12092)
  • Fixed copy from cache sometimes failing on VirtualBox shared folders (#12057)
  • Fixed PSR-4 autoloading order regression in some edge case (#12063)
  • Fixed duplicate lib-* packages causing issues when having pecl + core versions of the same PHP extension (#12093)
  • Fixed transport-options.ssl for local cert authorization being stored in lock file making them less portable (#12019)
  • Fixed memory issues when installing large binaries (#12032)
  • Fixed archive command crashing when a path cannot be realpath'd on windows (#11544)
  • API: Deprecated BasePackage::$stabilities in favor of BasePackage::STABILITIES (685add7)
  • Improved Docker detection (#12062)

infection/infection (infection/infection)

v0.31.2: --static-analysis-tool-options and no MSI shown by default for non-covered code

Compare Source

Added:

  • Remove Mutation Score Indicator (MSI) from default output, show only with --with-uncovered by @Copilot in #2378

Changed:

  • Add --static-analysis-tool-options CLI option with proper multiple options support by @Copilot in #2374

Internal:

New Contributors

Full Changelog: infection/infection@0.31.1...0.31.2

v0.31.1: Cleanup old PHPUnit cache files in Infection tmp directory

Compare Source

Added:

Internal:

Full Changelog: infection/infection@0.31.0...0.31.1

v0.31.0

Compare Source

Changed:

Fixed:

  • Fix CLI output rendering for diffs which contain symfony-style like text by @staabm in #2338

Internal:

Backward Compatibility Break

This version introduces a BC break. Do the following:

  1. If you used Infection for all the code, including uncovered, like bin/infection, now you need to add --with-uncovered, because by default, Infection doesn't mutate uncovered code anymore
- bin/infection
+ bin/infection --with-uncovered
  2. If you used Infection only for the code covered by tests, like bin/infection --only-covered, you need to remove this option because now this is the default behavior and this option has been removed
- bin/infection --only-covered
+ bin/infection
  3. If you used Infection for all the code, including uncovered, but now you want to mutate only covered code, do nothing (default behavior has been changed)

v0.30.3

Compare Source

Added:

Changed:

Fixed:

Internal:

Full Changelog: infection/infection@0.30.2...0.30.3

v0.30.2

Compare Source

Added:

Changed:

Fixed:

Internal:

Full Changelog: infection/infection@0.30.2...0.30.3

v0.30.1

Compare Source

Changed:

Internal:

Full Changelog: infection/infection@0.30.1...0.30.2

v0.30.0

Compare Source

Changed:

Fixed:

Internal:

Full Changelog

v0.29.14

Compare Source

Full Changelog

Added:

Changed:

  • [performance] Support narrowing a union type containing false with a non-falsy value by @staabm in #2121
  • [performance] Don't mutate method in final class ProtectedVisibility: by @staabm in #2112
  • [performance] Don't mutate true/false in conditions by @staabm in #2143
  • [performance] Don't mutate cast in return of typed function by @staabm in #2145
  • [performance] Don't mutate int-cast in return of int-typed function by @staabm in #2148
  • [performance] Don't mutate string-cast in return of string-typed function by @staabm in #2149
  • [performance] Don't mutate float-cast in return of float-typed function by @staabm in #2150
  • [performance] Don't mutate array-cast in return of array-typed function by @staabm in #2151
  • [performance] Don't mutate object-cast in return of object-typed function by @staabm in #2152
  • [performance] Don't mutate cast in arguments when strict_types=1 by @staabm in #2154
  • [performance] Don't mutate instanceof into pre-existing case by @staabm in #2176
  • [performance] Don't produce mutations for identical type comparisons in EqualIdentical by @staabm in #2119
  • [performance] Don't produce mutations for equal type comparisons in IdenticalEqual by @staabm in #2117
  • [performance] Don't produce mutations for empty-array type comparisons by @staabm in #2130
  • [performance] Don't produce mutations for same type comparisons of static method calls by @staabm in #2132
  • [performance] Don't produce mutations for same type comparisons of class constants by @staabm in #2134
  • [performance] Don't produce mutations for same type comparisons of known global constants by @staabm in #2135
  • [performance] Don't mutate equal/not-equal in ternary by @staabm in #2139
  • [performance] Don't mutate false/true in ternary by @staabm in #2138
  • [performance] Don't mutate identical/not-identical in ternary by @staabm in #2140
  • [performance] Don't mutate greater/smaller-than in ternary by @staabm in #2141
  • [performance] Update MutationTestingRunner to stream-filter mutations in buffered mode by @sanmai in #2207
  • [performance] Smarter DecrementInteger mutator by @staabm in #2204
  • [performance] Smarter IncrementInteger mutator by @staabm in #2208
  • [performance] Smarter DecrementInteger mutator by @staabm in #2238
  • [performance] Smarter LogicalAndAllSubExprNegation with instanceof by @staabm in #2241
  • [performance] Smarter LogicalOr Mutator by @staabm in #2243
  • [performance] Prevent overlap of ArrayItemRemoval with IfNegation by @staabm in #2199
  • [performance] Prevent endless loop in Decrement/Increment-mutator by @staabm in #2231
  • [performance] ArrayItemRemoval: Do not remove item from array assignment as it produces PHP warning by @staabm in #2236
  • DotFormatter: break legend into 2 lines by @staabm in #2200
  • Support null-safe method calls in MethodCallRemoval mutator by @staabm in #2106
  • Fix missing mutation for bool returning functions by @staabm in #2120

Fixed:

  • Set ignore config when --mutants is used and config has global-ignoreSourceCodeByRegex by @maks-rafalko in #2172

Internal:

@renovate renovate bot added the renovate label Mar 24, 2024

renovate bot commented Mar 24, 2024

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: composer.lock
Command failed: composer update composer/composer:2.7.6 infection/infection:0.28.1 phpunit/phpunit:10.5.20 symfony/process:7.0.7 vimeo/psalm:5.24.0 --with-dependencies --ignore-platform-req='ext-*' --ignore-platform-req='lib-*' --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires vimeo/psalm ^5.24.0 -> satisfiable by vimeo/psalm[5.24.0].
    - vimeo/psalm 5.24.0 requires nikic/php-parser ^4.16 -> satisfiable by nikic/php-parser[v4.16.0, ..., v4.19.1].
    - You can only install one version of a package, so only one of these can be installed: nikic/php-parser[v4.10.0, ..., v4.19.1, v5.0.0, v5.0.1, v5.0.2].
    - infection/infection 0.28.1 requires nikic/php-parser ^5.0 -> satisfiable by nikic/php-parser[v5.0.0, v5.0.1, v5.0.2].
    - vimeo/psalm 5.24.0 conflicts with nikic/php-parser v4.17.0.
    - Root composer.json requires infection/infection ^0.28.1 -> satisfiable by infection/infection[0.28.1].

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.

@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 2c7f1ae to b7e37c4 Compare March 25, 2024 13:50
@renovate renovate bot changed the title Update dependency infection/infection to ^0.28.0 Update all non-major dependencies Mar 25, 2024
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 5 times, most recently from e7a739a to a10623d Compare April 1, 2024 03:24
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 7d97dcc to 76d0acb Compare April 6, 2024 05:35
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 6 times, most recently from 1f7910d to 12e9d75 Compare April 18, 2024 03:17
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 9 times, most recently from 9f648af to 358cf79 Compare April 26, 2024 04:16
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from d20e07e to 77fc249 Compare April 30, 2024 04:24
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 1f69321 to 8ceb18c Compare April 4, 2025 17:31
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 8ceb18c to 11293c2 Compare April 15, 2025 11:14
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 11293c2 to c11daae Compare May 2, 2025 07:19
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from c11daae to 9696b46 Compare May 13, 2025 12:29
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from e8b4b46 to 536ea7f Compare June 12, 2025 22:49
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 536ea7f to c69d8e9 Compare June 20, 2025 16:00
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 805e4ee to 35b69b6 Compare July 3, 2025 22:40
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from 83a6f8a to e34583e Compare July 11, 2025 23:13
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 51bc0ac to c186de3 Compare July 29, 2025 15:57
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from 95b157a to e0a978e Compare August 10, 2025 13:23
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 6578743 to cce32f7 Compare August 16, 2025 10:12
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from be547b1 to 4a7aafd Compare August 25, 2025 10:51
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 4a7aafd to 712fb53 Compare September 11, 2025 06:40

| datasource  | package                    | from    | to      |
| ----------- | -------------------------- | ------- | ------- |
| packagist   | composer/composer          | 2.7.7   | 2.8.11  |
| packagist   | infection/infection        | 0.27.11 | 0.31.2  |
| github-tags | laminas/automatic-releases | 1.24.0  | 1.25.0  |
| packagist   | ocramius/package-versions  | 2.8.0   | 2.10.0  |
| github-tags | containerbase/php-prebuild | 8.3.25  | 8.4.12  |
| packagist   | phpunit/phpunit            | 10.5.26 | 10.5.55 |
| packagist   | psalm/plugin-phpunit       | 0.19.0  | 0.19.5  |
| github-tags | shivammathur/setup-php     | 2.30.0  | 2.35.4  |
| packagist   | vimeo/psalm                | 5.25.0  | 5.26.1  |

@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 712fb53 to 3cc09c1 Compare September 14, 2025 08:32