Travis Carden

Here's the PR, @effulgentsia: https://github.com/php-tuf/composer-stager/pull/85. I requested review from the security team at https://drupal.slack.com/archives/C5B7P7294/p1677870014372739.

I assume this should be a stable blocker, @effulgentsia.

Infection now runs on its own "Mutation" job and comments on PRs when it detects new issues. It's has proved very helpful.

I removed a few dependencies in https://github.com/php-tuf/composer-stager/pull/292.

> The problem is that as soon as one of these dependencies falls behind with PHP 8.4/5 compatibility, it will block composer-stager compatibility with those releases Is that a meaningful...

@catch56 all the existing dev dependencies _are_ currently compatible with PHP 8.4--except for `phpspec/prophecy`, which of course Drupal has, too. @xjm your rationale makes sense. I would be open to...

@catch56 I would be fine with removing the dev dependencies and putting them in a separate project in parallel in order to get things unblocked quickly. Shall we proceed that...

FYI: I'm starting on this today. If anyone knows of an established pattern (I'm not sure `drupal/core-dev` correlates exactly) or a clear precedent I should consult, I would be glad...

FYI, in case anyone's watching this: very shortly after picking this issue up I got pulled off to deal with a Symfony Process update that broke our Windows integration. 😒...

I've removed the dependencies in https://github.com/php-tuf/composer-stager/pull/401 so this issue can move forward while I devise a new solution. I'll report back with what I come up with.