chore(deps): update dependency bamarni/composer-bin-plugin to v1.9.1

[renovate-bot-cbcoutinho]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
bamarni/composer-bin-plugin	1.8.3 → 1.9.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

bamarni/composer-bin-plugin (bamarni/composer-bin-plugin)

v1.9.1

Compare Source

Fixes

• Revert incorrect requirement bump (#​183)

v1.9.0

Compare Source

Features

• Bump the minimum required Composer version to 2.6 (#​177)

Fixes

• Fix endless recursion when --working-dir option precedes the sub-command (#​181)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[claude]

Code Review: Dependency Update - bamarni/composer-bin-plugin v1.9.0

Summary

This PR updates bamarni/composer-bin-plugin from v1.8.3 to v1.9.0 in the Astrolabe Nextcloud app. This is an automated Renovate Bot update affecting only the composer.lock file.

Review Findings

✅ Code Quality

• Clean update: Only composer.lock modified, no code changes required
• Proper lockfile format: All hash references and metadata correctly updated
• Version constraint satisfied: Existing composer.json requires ^1.8, and v1.9.0 satisfies this constraint

✅ Compatibility

Based on the release notes from the PR description:

• Composer requirement bump: Minimum Composer version is now 2.6 (from 2.0)
  • ⚠️ Action needed: Verify your CI/CD and deployment environments have Composer 2.6+
  • Check: composer --version in all relevant environments
• Bug fix included: Fixes endless recursion when --working-dir option precedes sub-command (chore(deps): replace mariadb docker tag with docker.io/library/mariadb lts #181)
  • This is a stability improvement with no breaking changes

✅ Test Coverage

• CI shows appropriate test coverage:
  • ✓ Linting passed
  • ✓ Astrolabe CI checks completed
  • ⏳ Integration tests in progress (expected behavior)
• No Astrolabe-specific tests need modification since this is a dev dependency

⚠️ Recommendations

1. Verify Composer version in environments:

   • Development: Check local Composer version
   • CI/CD: Verify GitHub Actions use Composer 2.6+
   • Production: Verify deployment pipeline uses Composer 2.6+
   • Docker images: Ensure Nextcloud container has Composer 2.6+ if running composer install

2. Consider testing the specific fix: If your workflow uses composer bin <namespace> --working-dir=<path> <command>, test that the recursion fix (chore(deps): replace mariadb docker tag with docker.io/library/mariadb lts #181) works correctly

3. Review dev dependencies alignment: The update bumps dev requirements for PHPStan (^1.8 → ^1.8 || ^2.0), which is forward-compatible

🔒 Security

• No security advisories associated with this update
• The roave/security-advisories package in require-dev would have flagged any known vulnerabilities
• Update improves stability, reducing potential for unexpected behavior

📊 Performance

• No performance implications expected
• Plugin only runs during composer install/update operations

Verdict

✅ APPROVE - This is a safe, non-breaking dependency update that:

• Fixes a bug (endless recursion)
• Maintains backward compatibility with existing code
• Follows semantic versioning correctly
• Improves tooling stability

Before merging: Confirm Composer 2.6+ is available in all environments where composer install runs.

---

Review generated by Claude Code. CI checks: Linting ✓, Astrolabe CI ✓, Integration tests ⏳

[claude]

Code Review: Dependency Update - bamarni/composer-bin-plugin v1.9.1

Summary

This PR updates bamarni/composer-bin-plugin from v1.8.3 to v1.9.1 in the Astrolabe third-party dependency (Nextcloud app management UI).

Analysis

✅ Code Quality & Best Practices

• Automated dependency update: Generated by Renovate Bot, following standard dependency management practices
• Lock file only: Only composer.lock is modified, which is expected for a dependency update
• Version constraint compliance: The update (1.9.1) satisfies the existing constraint ^1.8 in composer.json:38

✅ Functionality & Compatibility

According to the release notes:

• v1.9.0: Bumps minimum Composer version to 2.6, fixes endless recursion with --working-dir option
• v1.9.1: Reverts an incorrect requirement bump from v1.9.0

No breaking changes for this codebase since:

• The astrolabe component likely uses Composer 2.6+ (standard for modern PHP projects)
• The recursion fix improves stability
• v1.9.1 fixes a regression from v1.9.0

✅ Security Considerations

• No security advisories found for this plugin
• The update includes only bug fixes and minor improvements
• Dependency is used for development/build tooling (not runtime)

✅ Testing & CI

CI checks show:

• ✅ Linting: PASSED
• ⏳ Integration tests: IN_PROGRESS (expected)
• ⏭️ Astrolabe-specific checks: SKIPPED (changes detector correctly identified no PHP code changes)

The skipped checks are appropriate since this is a lock file update for a dev dependency.

⚠️ Minor Observations

1. Dev dependency updates: The lock file shows updates to composer/composer, phpstan/phpstan, and phpstan/phpstan-phpunit version constraints in the require-dev section. These are indirect changes from the plugin update.
2. Composer version requirement: If the project's Composer version is below 2.6, this update will enforce an upgrade. This is likely not an issue for modern CI/CD environments.

Recommendation

✅ APPROVE & MERGE once integration tests pass.

This is a low-risk dependency update that:

• Fixes a bug (endless recursion issue)
• Maintains backward compatibility within the ^1.8 semver range
• Includes only dev tooling (no production runtime impact)
• Follows proper semantic versioning

Suggested Actions

• Wait for integration tests to complete
• Merge when all CI checks pass
• No manual testing required (dev dependency only)

---

Review generated by Claude Code based on repository conventions in CLAUDE.md