chore(php): regenerate php-model seeds to pick up phpunit 12.5.22 bump

[github-actions]

Description

Linear ticket: Refs

Resolves Dependabot alert #1995 — GHSA-qrr6-mg7r-m243 (PHPUnit argument injection via newline in PHP INI values forwarded to child processes).

Root cause. The generator source of truth (generators/php/base/src/project/PhpProject.ts) already emits phpunit/phpunit: ^12.5.22 — that fix shipped in php-sdk@2.4.2 (see generators/php/sdk/changes/2.4.2/bump-phpunit-cve.yml), and the php-sdk seeds were regenerated at that time. The php-model seeds were not regenerated in that PR, so they still contained ^9.0 in the committed composer.json snapshots. That's the stale file Dependabot is pointing at (seed/php-model/multi-url-environment-reference/composer.json).

Fix. Per review feedback, the fix is at the generator level (already in place) + a regeneration of the php-model seed snapshots. No generator code or seed files were hand-edited; the seed diff is purely the output of running the current generator.

Changes Made

• Regenerated all 119 seed/php-model/* fixtures via:

  node --enable-source-maps packages/seed/dist/cli.cjs img php-model
  node --enable-source-maps packages/seed/dist/cli.cjs test --generator php-model --skip-scripts
  

• Resulting diffs across the seed snapshots:
  • phpunit/phpunit: ^9.0 → ^12.5.22 in composer.json (resolves the alert)
  • php-version: "8.1" → "8.3" in .github/workflows/ci.yml (minimum supported by PHPUnit 12; matches what bump-phpunit-cve.yml already described for php-sdk)
  • New fields in .fern/metadata.json (originGitCommitIsDirty, invokedBy, requestedVersion, ciProvider) produced by the current generator
• Deleted scaffold file .github/dependabot-alerts/alert-1995.md
• Updated README.md generator (if applicable) — N/A

Not included. Two orphan top-level composer.json files remain in seed/php-sdk/basic-auth/ and seed/php-sdk/basic-auth-pw-omitted/ with ^9.0. Those fixtures now only configure a wire-tests output folder (whose composer.json is already on ^12.5.22), so the top-level files are leftover output from a previous config and are not produced by the current generator. Leaving them for a separate cleanup PR to keep this one scoped to the alert.

Testing

• Unit tests added/updated — N/A (no logic changes)
• Manual testing completed: all 119 php-model seed fixtures regenerated successfully with --skip-scripts; spot-checked seed/php-model/multi-url-environment-reference/composer.json to confirm phpunit/phpunit is now ^12.5.22; verified no remaining "phpunit/phpunit": "^9 strings under seed/php-model/.

Link to Devin session: https://app.devin.ai/sessions/ce52c98beed84f9394ee30be4afa1f13

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}