build(deps-dev): bump carthage-software/mago from 1.19.0 to 1.20.1

[dependabot]

Bumps carthage-software/mago from 1.19.0 to 1.20.1.

Release notes

Sourced from carthage-software/mago's releases.

Mago 1.20.1

A small but high-impact patch release. Reporting got significantly faster across the board — every output format (rich, json, count, github, gitlab, sarif, checkstyle, emacs, ariadne, code-count) now skips a wasteful copy of the issue list it used to make on every run. The bigger your project (and the more issues Mago finds), the more you save: WordPress analysis is ~3% faster end-to-end, Magento ~5%, and the savings in the reporting step itself are around 100 ms on a project of Magento's size.

⚡ Performance

Reporting

• Faster issue reporting on every output format: Mago used to copy its entire list of issues before formatting them — even when no filtering or sorting was needed, and even for a format like count that just tallies severities. On a small project the cost was barely noticeable, but on a project with hundreds of thousands of issues it could add over 100 ms per run. The reporter now walks the original list directly, only allocating when sorting is meaningful for that format (rich, ariadne, json). End result: noticeably snappier analyze runs on large codebases, no behavior change.

🐛 Bug Fixes

Analyzer

• Consistent issue code for unary operators on mixed: Using ++, --, or unary - on a value of type mixed was being reported as invalid-operand or possibly-invalid-operand, the same codes used for genuinely incompatible operands. Those operations are now reported under the dedicated mixed-operand code instead, matching how every other operator in Mago handles mixed and making baselines and rule suppressions more predictable (#1635)

🙏 Thank You

Contributors

A huge thank you to everyone who contributed code to this release:

• @​edsrzf — #1636

Issue Reporters

Thank you to everyone who reported issues that shaped this release:

• @​edsrzf — #1635

Full Changelog: carthage-software/mago@1.20.0...1.20.1

Mago 1.20.0

Mago 1.20.0 is a big release focused on analysis accuracy, speed, and diagnostics. Highlights include new new<X> and template-type<Object, ClassName, TemplateName> utility types, detection of @param docblocks that silently drop native union branches, a new find-overly-wide-return-types analyzer check, six new linter rules, glob-pattern support across both analyzer ignore.in and per-rule linter excludes, a side-effects-in-condition check, a trace-gated hang watcher for diagnosing pathological inputs, and sweeping performance work — loop fixed-point depth capping, walkdir directory pruning, ptr_eq fast paths on every TType impl, Rc<TUnion> plumbing through the analyzer hot path, saturate_clauses fast paths for single-literal clauses, sealed-keyed-array bounding in the combiner, and a zero-alloc AST visitor — together dropping end-to-end psl analysis by more than 3x. On the fix side, this release ships a pile of reconciler correctness work covering chained AND-clauses, narrowing through redundant ?->, strict in_array narrowing, property-hook variance, self-referencing class constants, and more.

✨ Features

Analyzer

• new<X> and template-type<Object, ClassName, TemplateName> utility types: Two new type-syntax utilities. new<X> resolves a class-string expression to the object type that would result from instantiating it, and template-type<O, C, N> extracts a named template parameter from a given object/class, matching the PHPStan semantics (#1217)
• find-overly-wide-return-types check: New opt-in analyzer pass that compares a function's declared return type against the union of types actually produced by its return statements, reporting a new OverlyWideReturnType issue when declared branches are never produced. Skipped for generators, abstract/unchecked methods, overriding methods, and mixed/void/never/templated returns (#1446, #1553)
• @param docblock narrowing check: Flags when a @param docblock type silently drops a branch of the native parameter union (e.g. annotating int|string as @param int), which would otherwise collapse the parameter to never inside the body (#1487)
• Side-effects-in-condition check: New side-effects-in-condition diagnostic and matching allow-side-effects-in-conditions setting (on by default) that warns when an if/while/for/ternary/match condition calls a function or method that isn't marked @pure, @mutation-free, or @external-mutation-free (#1604)
• Glob patterns in ignore.in: The analyzer's ignore configuration now accepts full glob patterns (e.g. src/**/*.php, modules/*/Generated/*.php) in in = [...] alongside plain directory/file prefixes, routed through the shared ExclusionMatcher (#1619)

Linter

• no-literal-namespace-string rule: Flags string literals that look like fully-qualified PHP class names and suggests ::class notation. Disabled by default, warning level (#1386)
• no-null-property-init rule: Flags untyped public $foo = null; property declarations, since untyped properties already default to null. Ships with an auto-fix to drop the redundant initializer. Disabled by default, help level (#1315)

... (truncated)

Commits

• c0453e9 release: 1.20.1
• 225427c perf(reporting): replace cloning apply_filters with a borrowing FilteredIssue...
• 76cc5f5 fix(analyzer): report mixed-operand for unary operators (#1636)
• a6380a4 release: 1.20.0
• 5121d63 feat(prelude): general improvements to DateTimeZone stub (#1612)
• 27b627a fix(config): resolve relative baseline paths against workspace (#1289)
• 5bcec99 feat(linter): add no-literal-namespace-string lint rule (#1386)
• 89f3294 feat(linter): add no-null-property-init rule (#1315)
• bb9db44 fix(codex): treat set => expr shorthand as backing-field reference for set-...
• 2509073 fix(database): also match exclude globs against absolute paths so legacy `*/<...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)