(chore): bump psy/psysh from 0.12.18 to 0.12.20

[dependabot]

Bumps psy/psysh from 0.12.18 to 0.12.20.

Release notes

Sourced from psy/psysh's releases.

PsySH v0.12.20

Project trust edge case fixes

Fixed several edge cases with the Restricted Mode introduced in v0.12.19 where non-interactive contexts (piped input, execute() calls, Composer proxy scripts) could incorrectly trigger trust prompts or restrict trusted functionality.

Fixes #913

Commands work better outside the shell

Decoupled commands from ShellOutput via a new ShellOutputAdapter, so commands degrade gracefully when used in non-interactive contexts rather than failing on missing shell features.

Improvements

• Added downstream compatibility tests for local and CI workflows
• Moved internal helper scripts from bin/ to scripts/

PsySH v0.12.19

⚠️ Security fix

Fixed a CWD configuration poisoning vulnerability (CVE-2026-25129) where a malicious .psysh.php file in an attacker-writable directory could execute arbitrary code when a victim runs PsySH from that directory. This affects all versions prior to v0.12.19 and v0.11.23, including downstream consumers like Laravel Tinker, when invoked from an attacker-writable CWD.

Fixed in v0.12.19 and v0.11.23. Upgrade ASAP.

Restricted Mode

PsySH now requires explicit trust before loading project-local config (.psysh.php), local PsySH binaries, or Composer autoloads from untrusted projects. Trust decisions are persisted per-project in trusted_projects.json.

Configure with trustProject:

'trustProject' => 'prompt',  // default — ask interactively
'trustProject' => 'always',  // trust all projects
'trustProject' => 'never',   // always run restricted

Or use --trust-project / --no-trust-project CLI flags, or the PSYSH_TRUST_PROJECT env var.

Non-interactive sessions automatically skip untrusted features with a warning.

Magic method and property support 🪄

Tab completion, ls, doc, and show commands now recognize @method and @property docblock tags. Magic members display in magenta so you can tell them apart from real methods and properties.

Inheritance works as expected — magic members from parent classes, interfaces, and traits are included, with child declarations taking precedence.

Also fixes parsing of generic types (e.g., array<int, string>) in docblock tags, which previously broke on whitespace inside angle brackets.

See #905

... (truncated)

Commits

• 19678eb Merge branch 'release/v0.12.20'
• f09d6ba Bump to v0.12.20
• abcfdf9 Decouple commands from ShellOutput via ShellOutputAdapter
• 7ad4f00 Clearer Actions output
• 7aa3cf9 Clearer Actions output
• 0b40a63 Add downstream compatibility tests for local and CI workflows
• 3f27b87 Move internal helper scripts from bin/ to scripts/
• 21aa946 Merge branch 'fix/project-trust-edge-cases'
• 81f6547 Harden stdin pipe detection heuristics
• fc9d9d2 Avoid untrusted handoff for current Composer proxy
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

Composer package changes

Dev Packages	Operation	Base	Target	Link	License
psy/psysh	Upgraded	v0.12.18	v0.12.20	Compare	MIT

[github-actions]

Coverage report for commit: 23fb172
File: coverage.xml

Cover ┌─────────────────────────┐ Freq.
   0% │ ███████████████████████ │ 100.0%
  10% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  20% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  30% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  40% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  50% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  60% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  70% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  80% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  90% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
 100% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
      └─────────────────────────┘
 *Legend:* █ = Current Distribution 

Summary - Lines: - | Methods: -

Files	Lines	Methods	Branches
src
DatabaseServiceProvider.php	-	-	100.00%
src/Model
Post.php	-	-	100.00%
src/Traits
Related.php	-	-	100.00%

_{🤖 comment via lucassabreu/comment-coverage-clover}