This is the first release of Psalm v6!

Users are encouraged to switch to Psalm v6 right away, as v5 is not supported anymore.

Also announcing Psalm's new support model: you can support Psalm development by requesting a support contract from Daniil Gentili, the only active maintainer of Psalm.

Support contracts can cover full integration of Psalm into existing codebases, support for Psalm issues and development of additional Psalm features.

See here » for info, pricing and contact information.

Main highlights of Psalm v6:

• PHP 8.4 support
• Amp v3 support
• PHP-Parser v5 support
• Fully overhauled dictionaries, for much more accurate and always up to date signatures for PHP and extension functions and methods, and much simpler PHP version upgrades.
• ignoreInternalFunctionFalseReturn and ignoreInternalFunctionNullReturn are now false by default: this means Psalm now warns when a false/null return type of a native function is not explicitly checked.
• Modernization of the codebase for higher performance.
• Many other bugfixes and performance improvements.

Plugin authors should consult the changelog for info about BC-breaking changes.

What's Changed

Features

• Add --force-jit flag by @danog in #11165
• Xpath injection detection #10162 by @cgocast in #10163
• Backed enum value changed to Atomic instead of scalar int or strings by @tuqqu in #10165
• Introduce NonVariableReferenceReturn issue by @tuqqu in #10227
• Detect DoS by sleep #10178 by @cgocast in #10183
• Introduce DuplicateProperty issue by @tuqqu in #10265
• Disable ignoreInternalFunction(False|Null)Return by default by @robchett in #10211
• Add intl extension stub by @braindawg in #10276
• Improved type of callable-array by @robchett in #9794
• Add progress for scanning stage by @robchett in #10345
• Allow enum cases to be global constants by @robchett in #10339
• Report unused issue handler suppressions by @robchett in #10341
• Support @(no-)seal-(properties|methods) annotations without prefix by @robchett in #10344
• Stub constants for ZipArchive from ext-zip by @braindawg in #10332
• Allow type aliases for static variables by @robchett in #10362
• Inherit magic methods from @mixin by @robchett in #10356
• TaintedExtract by @cgocast in #10417
• feat: Default baseline file by @jorgsowa in #10696
• Add phpstub for amqp extension (php-amqp) by @mkilmanas in #11172
• Add phpstub for amqp extension (php-amqp) by @mkilmanas in #11181

Fixes

• Fix #10047 by @cgocast in #10048
• Respect stubs in all cases by @mmcev106 in #10092
• Hotfix Shepard build by @robchett in #10268
• Hotfix shepard build by @robchett in #10343
• Add constants from SOAP extension to stub by @braindawg in #10333
• Incorrectly asserting non-empty-list after combining with empty list by @robchett in #9787
• Consistent type docblock parsing by @robchett in #10326
• Fix stub for RecursiveArrayIterator::getChildren by @robchett in #10340
• Maintain loop start val after increment/decrement by @robchett in #10263
• Method annotation fixes by @robchett in #10361
• A segment of progress was being output early as the startScanningFile… by @robchett in #10360
• Fix at in array keys by @danog in #10426
• Inherit conditional returns by @robchett in #10357
• Fix iteration over weakmaps by @danog in #10472
• Suppress scanning output in CI by @robchett in #10688
• Suppress unused config suppression detection when running in partial or cache mode by @weirdan in #10694
• Fix trait analysis by @danog in #10904

Docs

• Doc typo by @cgocast in #10393
• Fixed docblock spacing in @psalm-internal documentation example by @still-dreaming-1 in #10467
• Update dealing_with_code_issues.md: Minor by @ThomasLandauer in #10954
• Fix broken links to PHPDoc Types page in documentation by @elazar in #11105
• Fix broken phpDocumentor links on Supported Annotations docs page by @elazar in #11119

Internal changes

• Switch to amp v3 by @danog in #10024
• Psalm v6 by @danog in #10040
• Make TLiteralFloat::$value and TLiteralInt::$value typed by @weirdan in #9517
• Psalm v6: strict_types=1 by @danog in #10044
• V6 fixes by @danog in #10310
• Remove MixedInferredReturnType by @robchett in #9783
• Merge 5.x by @danog in #10369
• Improve scan progress by @danog in #10415
• Merge 5.x by @danog in #10504
• Apply rector fixes by @danog in #10305
• Do not use JIT on windows by @danog in #10564
• Let disable-extension also disable zend extensions by @danog in #10565
• Merge 5.x by @danog in #10569
• Merge 5.x by @danog in #10576
• Remove unnecessary null type from initialized_methods Context property by @theodorejb in #10610
• Update master from 5.x by @weirdan in #10597
• Update master from 5.x by @weirdan in #10618
• Update master from 5.x by @weirdan in #10656
• Update master from 5.x by @weirdan in #10684
• Fix composer warnings by @weirdan in #10695
• Update master from 5.x by @weirdan in #10693
• Update master from 5.x by @weirdan in #10714
• Update master from 5.x by @weirdan in #10750
• Update master from 5.x by @weirdan in #10775
• Update master from 5.x by @weirdan in #10803
• Fix the tests broken when running with Paratest by @weirdan in #11122
• Fix grammar by @MoonE in #11154
• Merge 5.x by @danog in #11164
• Normalize callmap by @danog in #11174
• Normalize callmap by @danog in #11175
• Remove unnecessary array spread of temp arrays by @MoonE in #11182
• PHP 8.4 support, dictionary refactoring by @danog in #11169
• Add support for PHP 8.4 by @GromNaN in #10928

Typos

• Fix typos by @szepeviktor in #10963

Other changes

• Update nikic/php-parser to 5.0 by @edsrzf in #10567
• 🐛 Fix "Config supression" link by @homersimpsons in #11185

New Contributors

• @braindawg made their first contribution in #10276
• @elazar made their first contribution in #11105
• @mkilmanas made their first contribution in #11172
• @homersimpsons made their first contribution in #11185

Full Changelog: 5.26.1...6.0.0

What's Changed

Fixes

• Fix JSON formatter crashes with invalid UTF in error messages by @weirdan in #11092

Full Changelog: 5.26.0...5.26.1

What's Changed

Features

• Add mysqli.execute-query as sink for TaintedSql by @cgocast in #11021
• Add TaintedCallable sinks for 4 core generic functions by @cgocast in #11090
• Improve mysql fetch_field* return type by @MoonE in #11009
• Check for psalm.dist.xml as well by @HypeMC in #11031

Fixes

• Change ReflectionParameter::getName() result type to non-empty-string by @vjik in #11037
• Fix mysqli_real_escape_string stub by @kamil-tekiela in #11078
• Fix mysqli_get_client_version by @kamil-tekiela in #11074
• Up the minimum required version of nikic/php-parser to 4.17 by @chesn0k in #10968
• Fix callable/lowercase strings coercion by @weirdan in #11091
• Consistently emit issues for properties on classes with unknown mixins by @issidorov in #11081

New Contributors

• @chesn0k made their first contribution in #10968

Full Changelog: 5.25.0...5.26.0

What's Changed

Features

• Casting int-range should keep literals by @kkmuffme in #10941
• Update help panel by @llaville in #11000
• Add support for phpstan-pure by @VincentLanglet in #10975
• Precise preg_match_all return type by @VincentLanglet in #10969

Fixes

• Fix-GH-10933-And-GH-10951 by @jack-worman in #10953
• redis: add possible types for Redis#auth method by @boesing in #10934
• Avoid false positive about array which are non-callable by @VincentLanglet in #10935
• Fix literal-string|non-empty-literal-string by @VincentLanglet in #10930
• Fix signature of Locale::canonicalize. by @ADmad in #11010

New Contributors

• @llaville made their first contribution in #11000

Full Changelog: 5.24.0...5.25.0

What's Changed

Features

• Allow specifying flags to Codebase::isTypeContainedByType by @danog in #10829
• Allow more callable types as subtypes of callable by @weirdan in #10805
• Report parent being used in callable context when the class does not extend anything by @kkmuffme in #10838
• Report error for additional deprecated arg types in PHP 8.1/8.3 by @kkmuffme in #10824
• Add MissingClassConstType Issue by @jack-worman in #10828
• Enforce parameter names for consistent constructors by @kkmuffme in #10821
• Add misc missing errors for invalid callable methods by @kkmuffme in #10839

Fixes

• Forbid named arguments for ArrayAcccess methods by @weirdan in #10804
• Don't crash on invalid templates by @weirdan in #10806
• report error for single param name mismatch too since named args can even be used then by @kkmuffme in #10822
• add support for named arguments for filter_var and filter_input by @pilif in #10815
• When inside isset, make array fetch result nullable by @edsrzf in #10756
• Promoted properties missing in extended __construct should report PropertyNotSetInConstructor by @kkmuffme in #10817
• Updating signature of getmxrr() by @ThomasLandauer in #10847
• Improve string-int juggle consistency in array keys and display for int-like strings in type by @kkmuffme in #10814
• Fix storage not available in thread for intersection doc types by @simonberger in #10856
• Don't emit MissingOverrideAttribute for implicit Stringable implementations by @edsrzf in #10858
• Specify array return type of session_get_cookie_params by @jorgsowa in #10859
• Unknown @psalm annotation should not make whole docblock invalid by @kkmuffme in #10885
• Add mail to impure functions list by @smaddock in #10923
• Update PHP 8.2 Call map delta with refined types for string comparison functions by @gsteel in #10883

Docs

• document that @psalm-internal works for namespace + class too by @kkmuffme in #10866

Internal changes

• fix tests running with other than called PHP binary if called with a non-default PHP binary by @kkmuffme in #10842
• Explicitly set value in config to fix warning in tests by @kkmuffme in #10843
• [PHP 8.4] Fixes for implicit nullability deprecation by @Ayesh in #10832
• Throw exception instead of silently logging issues occurred during scan by @danog in #10902

Other changes

• Fix conditional on non empty literal string by @VincentLanglet in #10912
• Ignore jsonSerialize for implementors of JsonSerializable by @josephwynn-sc in #10891
• Add XML functions to ImpureFunctionsList #10882 by @DKhalil in #10887

New Contributors

• @Ayesh made their first contribution in #10832
• @smaddock made their first contribution in #10923
• @josephwynn-sc made their first contribution in #10891
• @DKhalil made their first contribution in #10887

Full Changelog: 5.23.1...5.24.0

What's Changed

Fixes

• Fixed analysis of existing static methods if the __callStatic() method exists by @issidorov in #10812

Full Changelog: 5.23.0...5.23.1

What's Changed

Features

• Update PHP 8.2 stubs to include SensitiveParameterValue by @gsteel in #10726
• Add list of statements to BeforeFileAnalysisEvent by @ohader in #10728
• Forbid iterating over generators with non-nullable send() by @weirdan in #10697
• Initial support for named parameters for callables by @weirdan in #10772

Fixes

• Improve randomizer stubs by @danog in #10709
• Fix detecting magic static methods by @issidorov in #10704
• Fix non-empty-lowercase-string handling with literal non-lowercase strings by @kkmuffme in #10722
• Fix RiskyTruthyFalsyComparison irrelevant errors when there is no explicit truthy/falsy type by @kkmuffme in #10733
• Allow Override attribute to be used in pure contexts by @weirdan in #10734
• Revert "Allow tainted numerics except for 'html' and 'has_quotes'" by @ohader in #10729
• Fix loading stubs from phar file on Windows by @weirdan in #10748
• Fix a false flag issue with InvalidConstantAssignmentValue by @MelechMizrachi in #10738
• Set inside_isset false when analyzing ArrayDimFetch index by @edsrzf in #10752
• Set inside_isset = false when analyzing arguments by @edsrzf in #10753
• Fix PHP notice - crash on invalid taint-escape by @kkmuffme in #10760
• Fix version comparison for @since by @weirdan in #10764
• Since annotations outside phpstub should not infer php version by @kkmuffme in #10769
• Backport WeakMap iterator fix from master by @weirdan in #10778
• Namespace anonymous classes by @weirdan in #10779
• Update CallMap for sqlsrv_connect and sqlsrv_errors to match reflection by @theodorejb in #10781
• $resource parameter of mkdir() is nullable since PHP 7.3 by @weirdan in #10802
• Use wider class-string when combining class strings with intersections by @weirdan in #10800

Internal changes

• Use TaintKind/TaintKindGroup constants instead of string values by @ohader in #10746
• Skip symlink test on Windows by @weirdan in #10749
• Avoid duplicating code for RiskyTruthyFalsyComparison by @theodorejb in #10765
• fix PHP 8 tests running with wrong --php-version=/phpVersion= if not explicitly specified by @kkmuffme in #10776
• CS fix by @weirdan in #10801

New Contributors

• @MelechMizrachi made their first contribution in #10738

Full Changelog: 5.22.2...5.23.0

What's Changed

Fixes

• Catch missing classlike exceptions during scanning by @weirdan and @ohader in #10720

Full Changelog: 5.22.1...5.22.2

What's Changed

Fixes

• Improve parsing of @psalm-type by @weirdan in #10713

Full Changelog: 5.22.0...5.22.1

What's Changed

Features

• Allow inline comments in typedef shapes by @weirdan in #10623
• allow typedef imports from any kind of classlike by @weirdan in #10625
• Allow enum cases to be global constants by @weirdan in #10634
• New InvalidOverride issue for Override attribute by @edsrzf in #10644
• Analyze dynamic names for static property and const fetches by @edsrzf in #10629
• New MissingOverrideAttribute issue by @edsrzf in #10651
• Flag stdClass::__construct() calls that have arguments by @weirdan in #10661
• Improve Reflection stubs by @vudaltsov in #10091
• Forbid constructors from returning any values by @weirdan in #10686
• Report first class callables generated for unknown static methods by @weirdan in #10691
• Process @psalm-this-out on __construct() as well by @weirdan in #10690
• Report invalid number of arguments for psalm-taint-* by @staabm in #10699

Fixes

• Fix ownerDocument type in dom-ext classes by @fluffycondor in #10619
• Fix numeric scalar validate filter var input return type wrong by @kkmuffme in #10621
• Stable baseline by @weirdan in #10633
• Allow sebastian/diff v6 by @simPod in #10639
• CallMap: Adjust return type for inotify_add_watch() to int|false by @UlrichEckhardt in #10637
• Fix check-type when using builtin types from within a namespace by @robchett in #10648
• Do not add callable as a native property type by @weirdan in #10654
• Fix additional places where base_dir was broken due to missing separator by @kkmuffme in #10630
• Late binding of enum cases by @weirdan in #10655
• Suppress UndefinedClass in whatever_exists() by @weirdan in #10659
• Fix parsing magic method annotations by @issidorov in #10665
• Strip callmap prefixes from parameter names by @weirdan in #10666
• Narrow ord() return type to int<0,255> by @weirdan in #10676
• Template union object incorrect assertions by @robchett in #10677
• Don't show backtrace in InvalidDocblock issue message by @weirdan in #10679
• Class consts in array shapes by @weirdan in #10678
• Prevent mixed|null by @robchett in #10675

Internal changes

• Drop unused local composer repo by @weirdan in #10647
• Clarify that Pull request labels failure is to be resolved by maintainers by @weirdan in #10649
• Fix unstable hasFullyQualified(Interface|Enum)() by @weirdan in #10603
• Revert partial mistakenly pushed fix by @danog in #10671

Full Changelog: 5.21.1...5.22.0