Skip to content

chore(deps): update dependency carthage-software/mago to v1.8.0#2408

Merged
g5bot merged 1 commit intodevfrom
renovate/carthage-software-mago-1.x-lockfile
Feb 16, 2026
Merged

chore(deps): update dependency carthage-software/mago to v1.8.0#2408
g5bot merged 1 commit intodevfrom
renovate/carthage-software-mago-1.x-lockfile

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Feb 16, 2026

This PR contains the following updates:

Package Change Age Confidence
carthage-software/mago 1.5.01.8.0 age confidence

Release Notes

carthage-software/mago (carthage-software/mago)

v1.8.0: Mago 1.8.0

Compare Source

Mago 1.8.0

This release delivers major improvements to the incremental analysis engine for watch mode, new type narrowing capabilities, return type providers for filter_var() / filter_input(), and a large number of bug fixes across the analyzer, linter, formatter, and type system.

✨ Features

Analyzer
  • is_a() and is_subclass_of() type narrowing: The analyzer now narrows types after calls to is_a() and is_subclass_of(), including support for class-string parameters (#​1102)
  • Return type providers for filter_var() and filter_input(): These functions now return precise types based on the filter and flags arguments (e.g., FILTER_VALIDATE_INT returns int|false, FILTER_VALIDATE_EMAIL with FILTER_NULL_ON_FAILURE returns string|null) (#​1117)
  • Discriminated union narrowing: When narrowing a union of keyed arrays (e.g., array{valid: true, result: string}|array{valid: false, errorCode: string}), the analyzer now correctly filters out incompatible variants based on the narrowed key type, instead of blindly overwriting all variants. This also works for object property narrowing on union types (#​1093)
Linter
  • no-isset array access ignore option: The no-isset rule now supports an allow-array-access option, allowing you to flag isset($var) while still permitting isset($array['key']) for array offset checks (#​1097, #​1120) by @​dotdash
Semantics
  • Enforce parentheses for immediately invoked closures: The semantics checker now flags function() { ... }() as error, requiring parentheses around the closure for immediate invocation (#​1118)

⚡ Performance

Incremental Analysis Engine

The watch mode (mago analyze --watch) received a complete overhaul of its incremental analysis pipeline:

  • Signature-only fingerprinting: Body-only changes (e.g., changing a function implementation without modifying its signature) now skip cascade invalidation, resulting in significantly faster re-analysis cycles
  • Targeted O(dirty) repopulation: Only changed symbols are re-populated, skipping safe symbols entirely
  • Incremental codebase patching: New extend_ref and remove_entries operations allow fine-grained metadata updates without rebuilding the entire codebase
  • Safe symbol restoration: The reference graph now supports restoring safe symbols and targeted cleanup, reducing unnecessary re-analysis
  • Body-only docblock resolution: Fixed a bug where body-only changes left docblock type references unresolved, causing spurious non-existent-class-like errors in watch mode
  • Improved file watcher stability: Better debounce handling, stability checks, and explicit path handling for the file watcher
  • Watch mode is no longer experimental: The experimental warning has been removed

🐛 Bug Fixes

Analyzer
  • require-extends/require-implements resolution: Members from @require-extends and @require-implements types are now correctly resolved (#​1064, #​1070)
  • Unused property false positive with trait overrides: Properties that override trait properties via constructor promotion are no longer incorrectly flagged as unused (#​1119)
  • FQN literal constants: Fully-qualified constant accesses \true, \false, and \null are now correctly recognized (#​1099, #​1100) by @​kzmshx
  • Class-level template parameters for static calls: Template parameters defined at the class level are now properly resolved when making static method calls on generic types (#​1103)
  • Abstract method compatibility checking: The get_substituted_method function is now correctly applied to the child method when checking method signature compatibility, fixing false positives with generic abstract method inheritance
  • Mixin type parameters preservation: Type parameters on mixin types (e.g., IteratorIterator) are now preserved during method resolution, fixing incorrect return types (#​1106)
  • Integer narrowing with non-variable expressions: Fixed incorrect narrowing when comparing integers against non-variable expressions like function calls (#​1088)
  • For-loop condition narrowing: Integer literals in loop conditions (e.g., for ($i = 0; $i < 10; $i++)) are now properly extracted from the AST for type narrowing (#​1089)
  • Redundant type comparison in OR conditions: Fixed false positive redundant-type-comparison when using count checks or string narrowing in || conditions (#​1112)
  • List count with unknown size: HasAtLeastCount assertions no longer incorrectly set an exact known_count on lists with unknown count, preventing false unreachable-code reports (#​1104)
  • Array spread with unknown count: Fixed false positive when spreading a list with unknown count into an array literal (#​1108)
  • Class constant @var docblock type: The analyzer now prefers @var docblock types over inferred types for class constants, fixing cases where properly typed array values stayed as mixed (#​1090, #​1094)
Codex (Type System)
  • never as bottom type: never is now correctly treated as a subtype of all types in extends_or_implements checks (#​1107, #​1109) by @​kzmshx
  • Type alias forward references: All local @psalm-type / @phpstan-type alias names are now pre-registered before parsing, so aliases can reference each other regardless of declaration order (#​1116)
  • String casing detection: Fixed incorrect impossible-condition false positives when comparing strtolower()/strtoupper() results with literals containing non-alphabetic characters (spaces, digits, etc.) (#​1086)
  • Bidirectional TUnion equality: Type union equality checks are now bidirectional, preventing false positives when comparing types with different ordering (#​1087)
Linter
  • no-redundant-use whole-word matching: Docblock reference checking now uses whole-word matching instead of substring matching, so use Config; is correctly flagged as unused even when ConfigUsage appears in a docblock (#​1078)
  • inline-variable-return with by-reference assignment: The fixer no longer inlines assignments of by-reference expressions, which would produce invalid PHP (#​1114)
  • prefer-early-continue with non-block body: Fixed the fixer for cases where the loop body is a single statement without braces (#​1085) by @​chrisopperwall-qz
Formatter
  • First-class callable with argument unpacking: First-class callable expressions (e.g., $foo(...)) are no longer incorrectly treated as breaking expressions, fixing misformatted output (#​1091)
  • Redundant grouping parentheses: The formatter now correctly removes redundant grouping parentheses in more cases (#​1121) by @​Michael4d45
  • Heredoc span calculation: Fixed incorrect span calculation for heredoc/nowdoc strings, which could cause formatting issues (#​1092)
Prelude (Type Stubs)
  • explode() return type: Corrected to properly return list<string> instead of non-empty-list<string> when the separator could be empty (#​1095)
  • array_slice() return type: Now correctly preserves string keys in the return type (#​1096)
  • ldap_sasl_bind() stubs: Updated all arguments except the first to be nullable (#​1098)
  • bin2hex() stubs: Improved type definition (#​1101) by @​veewee

🏗️ Internal

  • Removed experimental warning for analyzer watch mode
  • New IncrementalAnalysisService encapsulating the full incremental analysis pipeline for watch mode and LSP
  • CodebaseDiff::between() for metadata comparison and mark_safe_symbols() for incremental analysis
  • Signature-only fingerprint mode for detecting body-only vs. signature changes
  • Applied clippy fixes across codex and linter crates
  • Re-generated linter documentation

🙏 Thank You

Contributors

A huge thank you to everyone who contributed code to this release:

Issue Reporters

Thank you to everyone who reported issues and requested features that shaped this release:

Full Changelog: carthage-software/mago@1.7.0...1.8.0

v1.7.0: Mago 1.7.0

Compare Source

Mago 1.7.0

This release introduces new type system features, improved type inference for built-in functions, a new linter rule, and numerous bug fixes for the analyzer, formatter, and type system. A significant internal effort also went into reducing dependencies and binary size.

✨ Features

Type System
  • uppercase-string and non-empty-uppercase-string types: Full support for these PHPDoc types in type syntax, codex, and analyzer. This resolves cascading errors when these types were previously unrecognized (#​1057)
Analyzer

  • Return type providers for min() and max(): These functions now return precise types based on their arguments (#​1074)

  • array_filter() callback parameter type inference: The analyzer now respects the mode argument (ARRAY_FILTER_USE_KEY, ARRAY_FILTER_USE_BOTH) when inferring closure parameter types, fixing incorrect mixed inference for callback parameters (#​1031)

  • Switch statement fallthrough analysis: The analyzer now correctly recognizes that non-terminating code paths in a case block fall through to the next case. A case with a conditional return followed by a case that always returns is no longer flagged as missing-return-statement (#​1081)

Linter
  • no-redundant-isset rule: New rule that detects redundant arguments in isset() calls. For example, in isset($a, $a['key'], $a['key']['nested']), the first two checks are redundant because isset on a nested access implicitly checks all parent accesses (#​769)
CLI
  • --ignore-baseline flag: New flag for lint and analyze commands that temporarily ignores the baseline file, useful for reviewing and fixing baselined issues (#​1076)

⚡ Performance

  • Reduced AST size: Optimized AST node representation to reduce memory usage during parsing
  • Leaner binary: Removed 7 third-party dependencies (reqwest, openssl, num_cpus, strum_macros, derivative, strsim, bitflags, async-walkdir), replacing them with standard library equivalents or manual implementations. reqwest/openssl were replaced with ureq/rustls for a significantly smaller and faster-compiling binary

🐛 Bug Fixes

Analyzer
  • Unused method false positives: Methods referenced in literal arrays ([$this, 'method']) and string callbacks ('ClassName::method') are now correctly tracked as used (#​1069, #​1044)
  • Property/constant access type expansion: Property access and constant access expressions now have their types properly expanded, fixing incorrect type inference (#​1071)
  • Non-optional list items in array merge: Fixed an issue where non-optional list items were incorrectly skipped during array merging
Codex
  • @psalm-require-extends support in traits: Methods, properties, and class constants inherited from required parent classes via @psalm-require-extends or @phpstan-require-extends are now properly resolved in traits, eliminating false non-existent-property, non-existent-class-constant, and unknown-ref errors (#​1064, #​1068, #​1070)
  • Enum types in generic comparator: Fixed incorrect type comparison when enums implement generic interfaces, resolving false invalid-return-type errors (#​1061)
  • Platform-aware constant types: Predefined constants like PHP_INT_SIZE, PHP_INT_MAX, and PHP_FLOAT_DIG now use platform-aware range/union types instead of host-specific literal values. PHP_INT_SIZE > 4 is no longer flagged as a redundant comparison (#​1084)
Formatter
  • Assignment alignment leaking into nested arrays: When align-assignment-like is enabled, the alignment context from consecutive variable assignments no longer leaks into nested array key-value pairs (#​1082)
Linter
  • prefer-first-class-callable with reference captures: Skip suggesting first-class callable syntax when the callee variable is captured by reference in a closure's use clause, as the two forms have different semantics (#​1067, #​1063) by @​kzmshx
Prelude (Type Stubs)
  • array_walk generics: Fixed generic templates for array_walk to properly infer callback parameter types (#​1066, #​1045) by @​ddanielou
  • array_splice type precision: Improved type definitions for array_splice to preserve list<T> types and correctly handle non-array replacement arguments (#​1072, #​1080)
  • Sorting functions type precision: Enhanced type definitions for sorting functions (usort, uasort, uksort, etc.) to preserve non-empty array types (#​1083)

🏗️ Internal

  • Replaced reqwest + openssl with ureq + rustls in self-update module
  • Replaced num_cpus with std::thread::available_parallelism()
  • Replaced bitflags with manual bit flag implementations
  • Removed derivative, strum_macros, strsim, and async-walkdir dependencies
  • Improved array inference logic in codex

🙏 Thank You

Contributors

A huge thank you to everyone who contributed code to this release:

Issue Reporters

Thank you to everyone who reported issues and requested features that shaped this release:

Full Changelog: carthage-software/mago@1.6.0...1.7.0

v1.6.0: Mago 1.6.0

Compare Source

Mago 1.6.0

This release brings new analyzer checks for class design enforcement, new linter rules for file organization, path-scoped ignore/exclusion support, formatter fixes, and numerous bug fixes across the board.

✨ Features

Analyzer

  • class-must-be-final check: New opt-in enforce-class-finality setting that reports classes not declared final, abstract, or annotated with @api/@psalm-api when they have no children (#​1054)

    [analyzer]
enforce-class-finality = true

  • missing-api-or-internal check: New opt-in require-api-or-internal setting that requires abstract classes, interfaces, and traits to have @api or @internal annotations, forcing projects to declare extensibility intent (#​1055)

    [analyzer]
require-api-or-internal = true

  • Path-scoped ignore entries: The ignore option now supports scoping ignored codes to specific paths (#​1037, #​1043)

    [analyzer]
ignore = [
  "mixed-argument",
  { code = "missing-return-type", in = "tests/" },
  { code = "unused-parameter", in = ["tests/", "src/Generated/"] },
]

  • Literal types for enum properties: Enum name and value properties now return literal types instead of generic string/int, enabling more precise type inference (#​1035, #​952) by @​veewee

  • Severity level in code-count format: The code-count reporting format now includes the severity level for each issue code (#​987)

Linter

  • file-name rule: New rule that enforces file names match the class/interface/enum/trait they contain (#​1049)

  • single-class-per-file rule: New rule that enforces each file contains at most one class-like declaration

  • Per-rule path exclusions: Linter rules now support path-based exclusions, allowing you to disable specific rules for specific directories (#​1037)

    [linter.rules]
no-isset = { exclude = ["src/Legacy/"] }

  • no-isset and readable-literal enabled by default: These rules are now enabled out of the box

  • Removed deprecated rules: The deprecated constant-type, no-boolean-literal-comparison, parameter-type, property-type, and return-type linter rules have been removed — their functionality has been moved to the analyzer

Formatter
  • PER-CS compatibility: inline-empty-function-braces and inline-empty-method-braces now default to true, matching the PER Coding Style specification (#​1053)
CLI
  • Multiple --only rules: The --only flag now accepts multiple comma-separated rules (#​1046)

⚡ Performance

  • foldhash replaces ahash: Switched to foldhash for faster hashing across the codebase
  • Arc<T> replaces Box<T> in codex: Improves cloning performance for shared metadata

🐛 Bug Fixes

Analyzer
  • Switch statement type narrowing: Non-exhaustive switch statements no longer incorrectly narrow variable types, preventing false redundant null-check warnings (#​1038)
  • Type alias resolution in @var docblocks: Imported type aliases are now correctly expanded in @var docblock annotations (#​1029, #​1030)
  • Type alias resolution in template extends: Imported type aliases are now resolved before being used as template arguments in extends/implements (#​1040)
  • Template inference for non-generic objects: Non-generic named objects are no longer incorrectly included in template inference, preventing false positives (#​1036)
  • FORCE_COLOR support: The FORCE_COLOR environment variable is now respected in reporting output (#​1042)
  • CLI argument parser: Disabled enum variants are no longer shown in CLI argument parser output
Linter
  • readable-literal false positive on floats: Fixed the rule triggering on float literals like 123.45 where neither side of the decimal benefits from separators, producing a no-op suggestion
Formatter
  • Empty array line break: Fixed incorrect line break added at the end of empty arrays (#​1047, #​978) by @​Zuruuh
  • Laravel Pint preset parity: Updated the Pint preset to match actual Laravel Pint formatting behavior (#​1052) by @​nikspyratos
Prelude (Type Stubs)
  • array_walk generics: Added generic templates to array_walk for proper type inference (#​1045)
  • curl_multi_exec signature: Corrected the signature of curl_multi_exec (#​1033)
  • setcookie duplicate: Removed duplicate definition for setcookie that only accepted the old syntax (#​1032)
Documentation

🔒 Security & CI

  • GitHub artifact attestations: Build artifacts now include provenance attestations for supply chain security (#​948)
  • Explicit permissions: GitHub Actions workflows now use explicit permissions
  • CD caching: Improved CI/CD pipeline with build caching
  • Removed deprecated atty dependency

🏗️ Internal

  • Bump time from 0.3.46 to 0.3.47 (#​1039) by @​dependabot
  • Disable incremental build and add memory-debug profile
  • Update sponsors list

🙏 Thank You

Contributors

A huge thank you to everyone who contributed code to this release:

Issue Reporters

Thank you to everyone who reported issues and requested features that shaped this release:

Full Changelog: carthage-software/mago@1.5.0...1.6.0

Configuration

📅 Schedule: Branch creation - Between 03:00 AM and 05:59 AM ( * 3-5 * * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@sonarqubecloud
Copy link

sonarqubecloud bot commented Feb 16, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@g5bot g5bot merged commit 2b6bbf0 into dev Feb 16, 2026
3 of 4 checks passed
@g5bot g5bot deleted the renovate/carthage-software-mago-1.x-lockfile branch February 16, 2026 08:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@g5bot