Update PHPUnit requirement - and therefore supported PHP version#22

Open
timoschinkel wants to merge 1 commit into coolblue:main from timoschinkel:phpunit

Conversation


@timoschinkel timoschinkel commented Apr 20, 2026

A vulnerability has been reported in PHPUnit, and this vulnerability has been solved in 12.5.22: sebastianbergmann/phpunit#6592

Edit: The CVE for this is GHSA-qrr6-mg7r-m243, and seems to only be applicable to versions 12 and 13.

The challenge is that this version of PHPUnit supports PHP 8.3 and higher. Since I don't expect any functional changes in the short term, this change proposes updating the PHPUnit version to 12 and, by extension, updating the required PHP version to 8.3. No functionality has changed, so anyone still on an older PHP version can still use the 1.2.0 version of this package. I'm using PHPUnit 12, and not 13, because version 13 requires PHP 8.4, and I would like to support a wide range of PHP versions.

  • Update PHPUnit to ^12.5.22
  • Drop support for PHP < 8.3

@timoschinkel timoschinkel requested a review from a team as a code owner April 20, 2026 09:18
stof commented Apr 20, 2026

Note that PHPUnit 9 and 10 are not affected by that vulnerability.

@timoschinkel
Contributor Author

Note that PHPUnit 9 and 10 are not affected by that vulnerability.

That's good to know. The Dependabot vulnerability states that the vulnerable versions are <= 12.5.22, but now that I look at Packagist the latest 9 and 10 are indeed not marked as vulnerable. I will reconsider if this change is actually necessary. Thank you.

stof commented Apr 20, 2026

Yeah, the GitHub advisory database has the wrong info (apparently they edited the affected range when importing the advisory). See github/advisory-database#7430 for the pending fix.

@timoschinkel
Contributor Author

Thank you for the additional information. I will leave this pull request open, as I make up my mind on the supported PHP versions. As much as I want to support a wide range of versions, I also would like to keep somewhat up-to-date with our dependencies. Even if we only have a small amount of them.
