build(deps-dev): bump carthage-software/mago from 1.4.1 to 1.5.0

[dependabot]

Bumps carthage-software/mago from 1.4.1 to 1.5.0.

Release notes

Sourced from carthage-software/mago's releases.

Mago 1.5.0

This release brings PSR-11 container support, custom help text for disallowed functions, and several important bug fixes for type narrowing and linter false positives.

✨ Features

Analyzer

• PSR-11 container support: New psr-container plugin that infers types from class-string arguments when calling ContainerInterface::get(). This eliminates mixed-method-access and mixed-argument errors when using PSR-11 service containers (#1015) by @​Noojuno

  [analyzer]
  plugins = ["psr-container"]

Linter

• Custom help text for disallowed functions: The disallowed-functions rule now supports custom help messages per function or extension. Entries can be simple strings or objects with name and optional help fields (#1024)

  [linter.rules]
  disallowed-functions = {
      functions = [
          "eval",
          { name = "error_log", help = "Use MyLogger instead." },
      ],
      extensions = [
          "curl",
          { name = "ffi", help = "FFI is disabled for security reasons." },
      ],
  }

🐛 Bug Fixes

Analyzer

• Nullsafe operator type narrowing: Fixed incorrect type narrowing in the false branch of if statements using nullsafe operators (?->). Previously, the variable was incorrectly narrowed to null in the else branch. Now if ($user?->isAuthorized()) correctly preserves the original type in the else branch, matching the semantics of $user !== null && $user->isAuthorized() (#1025)

• Redundant instanceof detection: Fixed false positive for undefined variables when a variable is assigned in exhaustive if/elseif branches over a union type. The analyzer now correctly detects redundant instanceof checks and tracks variable assignments across all branches (#1026)

Linter

• False positive in prefer-first-class-callable: Skip suggesting first-class callable syntax for runtime-dependent call targets where conversion would change evaluation semantics. This includes method chains (adminUrlGenerator()->generateUrl()), nullsafe calls ($obj?->method()), and dynamic method names ($obj->$method()) (#1027, #1020) by @​kzmshx

🏗️ Internal

• Bump bytes from 1.11.0 to 1.11.1 (#1023) by @​dependabot
• Documentation updates and optimizations

... (truncated)

Commits

• 0ce3f5d release: 1.5.0
• 3e4b986 feat(linter): add custom help text support for disallowed functions
• 0509150 fix(linter): skip runtime-dependent call targets in prefer-first-class-callab...
• 9055ff6 feat(analyzer): add PSR-11 container support via plugin (#1015)
• 25d3843 fix(analyzer): correct nullsafe operator type narrowing in false branch
• 1ccfd8e fix(analyzer): detect redundant instanceof checks
• 873131b fix(ci): remove wasm optimization
• 6d59c87 fix(docs): remove manual chunks
• 1c9cbe1 perf(docs): optimize logo size
• 6de27d1 fix(ci): install missing imagick package
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)