build(deps): bump the composer group across 1 directory with 2 updates

[dependabot]

Bumps the composer group with 2 updates in the / directory: league/commonmark and psy/psysh.

Updates league/commonmark from 2.8.0 to 2.8.1

Release notes

Sourced from league/commonmark's releases.

2.8.1

What's Changed

This is a security release to address an issue where DisallowedRawHtml can be bypassed, resulting in a possible cross-site scripting (XSS) vulnerability.

Fixed

• Fixed DisallowedRawHtmlRenderer not blocking raw HTML tags with trailing ASCII whitespace (GHSA-4v6x-c7xx-hw9f)
• Fixed PHP 8.5 deprecation (#1107)

New Contributors

• @​Kocal made their first contribution in thephpleague/commonmark#1106
• @​freost made their first contribution in thephpleague/commonmark#1107

Full Changelog: thephpleague/commonmark@2.8.0...2.8.1

Changelog

Sourced from league/commonmark's changelog.

[2.8.1] - 2026-03-05

This is a security release to address an issue where DisallowedRawHtml can be bypassed, resulting in a possible cross-site scripting (XSS) vulnerability.

Fixed

• Fixed DisallowedRawHtmlRenderer not blocking raw HTML tags with trailing ASCII whitespace (GHSA-4v6x-c7xx-hw9f)
• Fixed PHP 8.5 deprecation (#1107)

Commits

• 84b1ca4 Almost forgot this entry
• bcf54f5 Merge commit from fork
• 7a68ed1 Prepare to release 2.8.1
• 5c0c4c8 Fix DisallowedRawHtml bypass via newline/tab in tag names
• f6e7443 Add regression test
• 0719b67 Merge pull request #1107 from freost/fix-php85-deprecation-error
• 63ff2e0 Fix PHP 8.5 deprecation
• 8608e9c Merge pull request #1106 from Kocal/patch-1
• 10f246a [Docs] Fix "rendering" page rendering
• 24b0774 Merge pull request #1104 from thephpleague/renovate/major-symfony
• Additional commits viewable in compare view

Updates psy/psysh from 0.12.18 to 0.12.21

Release notes

Sourced from psy/psysh's releases.

PsySH v0.12.21

Added an experimental interactive readline: a from-scratch pure-PHP readline replacement built specifically for PsySH. Instead of delegating to ext-readline or ext-libedit, this gives PsySH full control over input, editing, completion, and rendering.

This is opt-in and experimental. Default behavior is completely unchanged. Enable it in your config or from the command line:

'useExperimentalReadline' => true,

psysh --experimental-readline

See the interactive readline wiki page for more!

Completions that actually understand your code

The new completion engine is syntax-aware, type-aware, and runtime-value-aware. It parses your input, resolves types from live objects in scope, and completes based on what your code actually is, not just string matching on symbol names.

Type $user-> and see that object's actual methods and properties. Chain through $repo->find(1)-> and get completions for the return type. Fuzzy matching means asum finds array_sum and stl finds strtolower. Completions show in a navigable multi-column menu.

Multi-line editing

Press Enter on an incomplete statement and the input continues on the next line with proper indentation. Closing brackets auto-dedent. Shift+Enter always inserts a newline. No more fighting the shell to write a multi-line closure.

History

• Reverse history search (Ctrl+R) with an overlay showing match highlighting, smart-case filtering, deduplication, and keyboard navigation.
• Filtered history navigation: type part of a previous command, then press Up/Down to cycle through matching history entries.

And more

• Fish-style inline autosuggestions from your history. This one's still a bit rough; enable it separately with 'useSuggestions' => true.
• Bracket and quote auto-pairing with smart backspace.
• Bracketed paste mode: pastes multi-line code verbatim without executing line-by-line.
• No ext-readline or ext-libedit required. Works with any terminal.
• Ctrl+L to clear the screen.

This addresses a bunch of long-standing issues: #234, #254, #309, #346, #506, #561, #668, #732, #769, #869.

We'd love your feedback! Give it a try, and let us know what works and what doesn't. The goal is to make this the default. Help us get it there. 🧪

PsySH v0.12.20

Project trust edge case fixes

Fixed several edge cases with the Restricted Mode introduced in v0.12.19 where non-interactive contexts (piped input, execute() calls, Composer proxy scripts) could incorrectly trigger trust prompts or restrict trusted functionality.

Fixes #913

Commands work better outside the shell

... (truncated)

Commits

• 4821fab Merge branch 'release/v0.12.21'
• d5ebbe4 Bump to v0.12.21
• 85b019a Give phar test a bit more memory.
• a097a1a Truncate reverse history search preview to prevent the input lines from
• 689401b Improve reverse history search UI.
• 7938716 Add filtered history navigation (up/down arrow keys with text in the buffer)
• 7d6ade6 Merge pull request #914 from bobthecow/feature/interactive-readline
• 4c0d732 Improve auto-indent/dedent behavior
• 59e9dfa Use a default <info> format that's more readable across modern terminal theme...
• c2b2408 Allow tab completion with interactive readline, regardless of ext-readline av...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.