chore(deps): update dependency squizlabs/php_codesniffer to v4

[alma-renovate-bot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
squizlabs/php_codesniffer	^3.3 → ^4.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

PHPCSStandards/PHP_CodeSniffer (squizlabs/php_codesniffer)

v4.0.1: - 2025-11-10

Compare Source

This release includes all improvements and bugfixes from PHP_CodeSniffer 3.13.5.

Added

• Runtime support for PHP 8.5. All known PHP 8.5 deprecation notices have been fixed.
  • Syntax support for new PHP 8.5 features will follow in a future release.
  • If you find any PHP 8.5 deprecation notices which were missed, please report them.

Changed

• The Squiz.ControlStructures.SwitchDeclaration sniff will now flag a PHP close tag as a "wrong opener" and will auto-fix this by inserting a colon. #​1316
• Various housekeeping, including improvements to the tests and documentation.

Fixed

• 4.x regression #​1277: bring back whitespace tolerance in phpcs:ignore comma-separated rule reference lists.
  • Note: this bug did not affect phpcs:disable/phpcs:enable ignore annotations.
• Fixed bug #​968: Generic.WhiteSpace.ScopeIndent was reporting false positives - and making incorrect fixes - for lines following a line containing an arrow function.
  • Thanks to Soichi Sato for the patch.
• Fixed bug #​1216: Tokenizer/PHP: added more defensive coding to prevent PHP 8.5 "Using null as an array offset" deprecation notices.
  • Thanks to Andrew Lyons for the patch.
• Fixed bug #​1279: Tokenizer/PHP: on PHP < 8.0, an unclosed attribute (parse error) could end up removing some tokens from the token stream.
  • This could lead to false positives and false negative from sniffs, but could also lead to incorrect fixes being made mangling the file under scan.
• Fixed bug #​1315: Squiz.ControlStructures.SwitchDeclaration: a number of the fixers would get into fixer conflicts with each other if the code under scan contained multiple statements on a line within a switch.
  • The sniff will now forbid - and auto-fix - multiple statements on one line for case/default and "case breaking" statements.
• Fixed bug #​1316: Tokenizer/PHP: a PHP close tag after a switch case condition or after a default keyword, was not regarded as a "scope_opener" for the case/default body.
• Fixed bug #​1316: PSR2.ControlStructures.SwitchDeclaration: the WrongOpener error is now also auto-fixable if the wrong opener is a PHP close tag.
• Fixed bug #​1316: Squiz.PHP.NonExecutableCode would throw false positives when code within a switch control structure would move in and out of PHP.

---

New Contributors

The PHP_CodeSniffer project is happy to welcome the following new contributors:
@​andrewnicols, @​Soh1121

Statistics

Closed: 2 issues
Merged: 8 pull requests

Follow @​phpcs on Mastodon or @​PHP_CodeSniffer on X to stay informed.

Please consider funding the PHP_CodeSniffer project. If you already do so: thank you!

v4.0.0: - 2025-09-16

Compare Source

This release contains breaking changes.

Upgrade guides for both ruleset maintainers/end-users, as well as for sniff developers and integrators, have been published to the Wiki.

You are strongly encouraged to read the upgrade guide applicable to your situation before upgrading.

This release includes all improvements and bugfixes from PHP_CodeSniffer 4.0.0-beta1, 4.0.0-RC1, 3.13.3 and 3.13.4.

Changed

• Tokenizer/PHP: fully qualified exit/die/true/false/null will be tokenized as the keyword token and the token 'content' will include the leading backslash. #​1201
• Wherever possible based on the PHP 7.2 minimum version, parameter types have been added to all methods. #​1237
• The supported PHPUnit version constraints have been updated to ^8.4.0 || ^9.3.4 || ^10.5.32 || 11.3.3 - 11.5.28 || ^11.5.31. #​1247
  • External standards using the PHP_CodeSniffer native framework may need to update their own PHPUnit version constraints.
• Various housekeeping, including improvements to the tests and documentation.

Fixed

• Fixed bug #​1082: new exit codes weren't applied when running phpcbf on code provided via STDIN.
  • Thanks to Dan Wallis for the patch.
• Fixed bug #​1172: // phpcs:set for inline array properties did not handle a single item array with the value true, false or null correctly.
• Fixed bug #​1174: progress bar wasn't showing files as fixed when running phpcbf in parallel mode.
• Fixed bug #​1226: PHP 8.5 "Using null as an array offset" deprecation notice.

Other

• Please be aware that the master branch has been renamed to 3.x and the default branch has changed to the 4.x branch.
  • If you contribute to PHP_CodeSniffer, you will need to update your local git clone.
  • If you develop against PHP_CodeSniffer and run your tests against dev branches of PHPCS, you will need to update your workflows.

---

Statistics

Closed: 5 issues
Merged: 35 pull requests

Follow @​phpcs on Mastodon or @​PHP_CodeSniffer on X to stay informed.

Please consider funding the PHP_CodeSniffer project. If you already do so: thank you!

---

Configuration

📅 Schedule: Branch creation - Only on Sunday and Saturday ( * * * * 0,6 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud