ci: drop PHP 8.1, pin PHPUnit to 11.x, pin webpack for Docusaurus build

PHP 8.1 reached end-of-life in 2025 so drop it from the test matrix and
bump the runtime requirement to >=8.2. On the matrix side this also
clears a pre-existing red CI caused by PHPUnit 12.x (PHP >=8.3) now
resolving over PHPUnit 11.x on 8.1.

Pin `phpunit/phpunit` to `^11.0` explicitly — PHPUnit 11 is the latest
major that supports PHP 8.2, and 12.x's PHP >=8.3 requirement is what
was breaking composer resolution for every PR opened after PHPUnit
12.5.22 shipped.

Acknowledge advisory PKSA-5jz8-6tcw-pbk4 (GHSA-qrr6-mg7r-m243) with a
targeted audit-ignore carrying the threat-model rationale. The advisory
describes argument injection via newlines in PHP INI values forwarded to
child processes; phpunit is require-dev only and the attack surface is
phpunit config + CLI args authored by maintainers/CI, which carry the
same trust boundary as any other committed code. No fix has been
backported to PHPUnit 10.x or 11.x. Revisit when a backport ships or
when we bump min PHP to 8.3 and can move to ^12.5.22.

For the Docusaurus docs workflow, pin webpack to 5.88.2 via a
package.json `resolutions` block. Webpack versions newer than 5.88.x
tightened ProgressPlugin schema validation and reject options that
webpackbar@5 (transitively pinned by @docusaurus/core 2.4.3) passes
through, producing the "options has an unknown property 'name' /
'color' / 'reporters' / 'reporter'" build failure on every PR.

Author: oojacoboo

.github/workflows/continuous_integration.yml

@@ -22,7 +22,7 @@ jobs:
     strategy:
       matrix:
         install-args: ['', '--prefer-lowest']
-        php-version: ['8.1', '8.2', '8.3', '8.4']
+        php-version: ['8.2', '8.3', '8.4']
       fail-fast: false
 
     steps:
@@ -73,7 +73,7 @@ jobs:
         run: "composer phpstan"
 
       - name: "Run coding standard checks with squizlabs/php_codesniffer on minimum supported PHP version"
-        if: matrix.php-version == '8.1'
+        if: matrix.php-version == '8.2'
         run: composer cs-check
 
       - name: "Archive code coverage results"

composer.json

@@ -10,7 +10,7 @@
         }
     ],
     "require": {
-        "php": ">=8.1",
+        "php": ">=8.2",
         "ext-json": "*",
         "composer/package-versions-deprecated": "^1.8",
         "phpdocumentor/reflection-docblock": "^5.4",
@@ -35,7 +35,7 @@
         "php-coveralls/php-coveralls": "^2.7",
         "phpstan/extension-installer": "^1.4",
         "phpstan/phpstan": "^2.0",
-        "phpunit/phpunit": "^10.5 || ^11.0 || ^12.0",
+        "phpunit/phpunit": "^11.0",
         "symfony/var-dumper": "^6.4"
     },
     "suggest": {
@@ -68,6 +68,11 @@
             "composer/package-versions-deprecated": true,
             "dealerdirect/phpcodesniffer-composer-installer": true,
             "phpstan/extension-installer": true
+        },
+        "audit": {
+            "ignore": {
+                "PKSA-5jz8-6tcw-pbk4": "PHPUnit argument-injection via newline in INI values forwarded to child PHP processes (GHSA-qrr6-mg7r-m243). phpunit is a require-dev dependency; the attack surface is INI values in phpunit config or CLI args, which are authored by maintainers/CI and carry the same trust as any other committed code. No fix available for PHPUnit 10.x or 11.x yet — revisit when backport ships or when we bump min PHP to 8.3 and can move to ^12.5.22."
+            }
         }
     }
 }

website/package.json

@@ -16,6 +16,9 @@
     "react": "^17.0.1",
     "react-dom": "^17.0.1"
   },
+  "resolutions": {
+    "webpack": "5.88.2"
+  },
   "browserslist": {
     "production": [
       ">0.5%",