Skip to content

Releases: spaze/phpstan-disallowed-calls

Support both PHPStan 1.12 & 2.0

13 Nov 17:21
0f030fd
Compare
Choose a tag to compare

The 4.0 release removed support for PHPStan 1.x, and this release brings it back. Both PHPStan 1.12 and PHPStan 2.0 are supported (#273).

You can learn more about PHPStan 2.0 in the release notes or in the blog post and don't forget to get yourself an elephpant and a t-shirt!

Support & require PHPStan 2.0

11 Nov 13:47
7c3c422
Compare
Choose a tag to compare

This major release supports and requires PHPStan 2.0 (#267) (update: the 4.0.1 release adds back support for PHPStan 1.12)

As mentioned in the UPGRADING.md guide:

It's not feasible to try to support both PHPStan 1.x and PHPStan 2.x with the same extension code.

You can learn more about PHPStan 2.0 in the release notes or in the blog post and don't forget to get yourself an elephpant and a t-shirt!

Support PHP 8.4

26 Oct 01:04
ed12b33
Compare
Choose a tag to compare
  • Support PHP 8.4 (#270)

That's it. That's the release.

Disallow create_function and support PHPStan 1.12.6, getting ready for 2.0

11 Oct 01:45
ad538e6
Compare
Choose a tag to compare
  • Add create_function as a disallowed function call (#261, thanks @BackEndTea)
  • Process ClassConstFetch where $class is Name only for enums to correctly support PHPStan 1.12.6 (#266)

Internal changes:

  • Add phpstan/phpstan-deprecation-rules in expectation of PHPStan 2.0 (#263)
  • Fix test class name (#260, spotted by @szepeviktor, thanks)

Default error identifiers

14 May 16:30
f7f1dc8
Compare
Choose a tag to compare
  • Add default error identifiers, used if not specified/overridden in your custom config (#258)

PHPStan 1.11 added error identifiers and while they were supported by this extension for quite some time (since #97), they were not added by default, only when you've specified them.

This release adds error identifiers everywhere, and they'll be used if you don't specify custom identifiers in your custom config.
The full list of identifiers is in the ErrorIdentifiers class here https://github.com/spaze/phpstan-disallowed-calls/blob/main/src/RuleErrors/ErrorIdentifiers.php and they have a disallowed.something format.

Disallow control structures like else, elseif, goto and others

04 May 17:02
d58806c
Compare
Choose a tag to compare
  • Can disallow control structures like else, elseif, goto (#257)

Checking params inside ( ... ) doesn't work at the moment, so you can disallow all declare() constructs but can't re-allow e.g. declare(strict-types = 1).

If you try to disallow else if with the space, an exception will be thrown, because else if is parsed as else followed by if, so disallowing else if with the space wouldn't have the desired effect and the result would be unexpected. Disallow elseif, or don't write else if in your code 😇

Add phpinfo() to dangerous calls config

21 Apr 17:08
6d5ce7e
Compare
Choose a tag to compare

Add phpinfo() to dangerous calls config (#255)

See

for reasons why (phpinfo() echoes cookie values like the session id, which may then be stolen with XSS for example, bypassing HttpOnly cookie flag), and use https://github.com/spaze/phpinfo instead of just calling phpinfo().

Internal changes

  • It's already a list, no need to call array_values() (#253, this is a new bleeding edge rule added in PHPStan 1.10.59)
  • Update dev dependencies (#254)

Support PHPStan 1.10.58 in disallowed-loose-calls.neon config

13 Feb 18:29
d0b3d66
Compare
Choose a tag to compare
  • Hardcode ENT_QUOTES as int 3 in disallowed-loose-calls.neon config (#250)
  • Run tests every day to assure compatibility (#251)

Dynamic class constant fetch, disallowedEnums

22 Jan 18:46
fe56632
Compare
Choose a tag to compare

What's Changed

  • Support dynamic class constant fetch available in PHP 8.3 (#242, #248)
  • Added disallowedEnums, they use DisallowedConstant internally (#243, docs)

Internal changes:

  • The PHP 8.0 polyfill is not needed anymore (#237)
  • More tests for attributes (#240) and on more PHP versions (#244)
  • More strict/correct config schema, disallowedConstants' constant field is always present (#245)
  • Reuse the existing reflection variable (#246)

Note

The 3.1.0 release was the same minus #248.

Param values with PHPdoc `typeString`, attributes on properties and more reported, no "because reasons" in errors, more rules for the same call, few possible bw compat breaks

22 Dec 18:35
69935c9
Compare
Choose a tag to compare

New major version because some major new features in this release, and some potential backwards compatibility breaks, if you use the extension in one way or another, all described below.

New features

  • Can specify params with a doctype in typeString config option (#234)
    You can now specify dis/allowed parameter values as PHPDoc string like typeString: 'foo'|'bar' or typeString: 'array{}' etc. instead of just value: scalar
  • Support more attribute targets: properties, class constants, params (#225)
    Disallowed attributes will now be also reported when used on/with those.

Changed

  • No "because reasons", because reasons (#221) (Possible backwards compatibility break, if you ignore error messages in your config)
    Previously, if there was no message key in the disallowed configuration, "because reasons" was added automatically. I thought it was funny back when this was an internal extension only, but maybe it's not anymore. So there's no "because reasons" anymore, and the error message will always end with a full stop ., unless it already ends with one, or unless it ends with ? or !.
  • Define extension parameters as a structure (#222, #231 and a follow-up in #229 thanks to @francescolaffi) (Possible BC break, if you have a typo in your config, you may suddenly be alerted about it)
    Bye typos, at least some of them.
  • Can add more rules for the same call to have different messages for various params (#232) (Possible BC break if you for some reason relied on the order of the rules for the same function or method)
  • The allowExceptParamsInAllowed description in docs was flipped around (#235)

Internal test changes

  • Use the DI container in tests (#223, #228)
  • Merge test libs dir into src (#227)
  • Rename attribute tests and drop ClassWithAttributesAllow (#230)