From 1ca021dea644ef9ce3fecd720ad57942e6f5045d Mon Sep 17 00:00:00 2001
From: nuno maduro
Date: Mon, 11 May 2026 22:08:47 -0300
Subject: [PATCH 1/5] chore: pin GitHub Actions to commit SHAs (#1695)
* chore: pin GitHub Actions to commit SHAs
* chore: pin GitHub Actions to commit SHAs
---
.github/workflows/static.yml | 6 +++---
.github/workflows/tests.yml | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
index 2bfd4010..a71584c3 100644
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
@@ -28,10 +28,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2 with: php-version: 8.3 tools: composer:v2
@@ -44,7 +44,7 @@ jobs: run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT - name: Cache Composer dependencies - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: ${{ steps.composer-cache.outputs.dir }} key: static-php-8.3-${{ matrix.dependency-version }}-composer-${{ hashFiles('**/composer.json', '**/composer.lock') }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index ce3b3349..b38afad2 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -35,10 +35,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2 with: php-version: ${{ matrix.php }} tools: composer:v2
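Review bot: The `# v6`, `# v2` and `# v5` comments appended to the pinned `uses:` lines in this hunk name only a major alias, which the runner never checks against the SHA, so a reader cannot tell from the file which upstream release `de0fac2e…` or `accd6127…` actually is; record the exact tag instead, e.g. `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.<minor>.<patch>` with the real tag filled in after confirming it on the upstream repository. The same applies to the `actions/cache` pin in the second static.yml hunk and to the matching three pins in both tests.yml hunks. Pinning to a full 40-character SHA is the right change, since a moving major tag can be re-pointed upstream while a commit SHA cannot, and an exact-version comment lets each later SHA bump be audited line by line.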
@@ -51,7 +51,7 @@ jobs: run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT - name: Cache Composer dependencies - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: ${{ steps.composer-cache.outputs.dir }} key: ${{ matrix.os }}-php-${{ matrix.php }}-symfony-${{ matrix.symfony }}-composer-${{ hashFiles('**/composer.json', '**/composer.lock') }}
From ba074972193a08f8f43c55513fc3a697e8d4a238 Mon Sep 17 00:00:00 2001
From: nuno maduro
Date: Mon, 11 May 2026 22:12:07 -0300
Subject: [PATCH 2/5] chore: enable Dependabot version updates for GitHub Actions (#1700)
---
.github/dependabot.yml | 46 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..c463a040
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,46 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ target-branch: "1.x"
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ target-branch: "2.x"
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ target-branch: "3.x"
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ target-branch: "5.x"
+ groups:
+ github-actions:
+ patterns:
+ - "*"
From 783ca4bcd6f442b05dbedb3e04a5474fb717e2b4 Mon Sep 17 00:00:00 2001
From: nuno maduro
Date: Tue, 12 May 2026 02:34:08 +0100
Subject: [PATCH 3/5] chore(deps): limit dependabot to maintained branches (4.x + 5.x)
---
.github/dependabot.yml | 27 ---------------------------
1 file changed, 27 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index c463a040..4ec17cfa 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,33 +8,6 @@ updates: github-actions: patterns: - "*" - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "weekly" - target-branch: "1.x" - groups: - github-actions: - patterns: - - "*" - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "weekly" - target-branch: "2.x" - groups: - github-actions: - patterns: - - "*" - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "weekly" - target-branch: "3.x" - groups: - github-actions: - patterns: - - "*" - package-ecosystem: "github-actions" directory: "/" schedule:
From d649de1988e4b5e798f49162c7328b145055a31c Mon Sep 17 00:00:00 2001
From: nuno maduro
Date: Tue, 12 May 2026 02:48:25 +0100
Subject: [PATCH 4/5] chore: add security policy
---
.github/SECURITY.md | 13 +++++++++++++
1 file changed, 13 insertions(+)
create mode 100644 .github/SECURITY.md
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
new file mode 100644
index 00000000..f3e7ea9e
--- /dev/null
+++ b/.github/SECURITY.md
@@ -0,0 +1,13 @@
+# Security Policy
+
+**PLEASE DON'T DISCLOSE SECURITY-RELATED ISSUES PUBLICLY, [SEE BELOW](#reporting-a-vulnerability).**
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in Pest, please report it privately using one of the following channels:
+
+1. **GitHub Private Vulnerability Reporting** (preferred) — go to the repository's **Security** tab and click **"Report a vulnerability"**. This creates a private advisory visible only to maintainers and provides a structured workflow for triage, fix coordination, and CVE assignment.
+
+2. **Email** — send the details to Nuno Maduro at **enunomaduro@gmail.com**.
+
+All security vulnerabilities will be promptly addressed.
From 1c21a7647a935758bc606ef19c6d7b81b86ee140 Mon Sep 17 00:00:00 2001
From: nuno maduro
Date: Wed, 13 May 2026 12:20:00 +0100
Subject: [PATCH 5/5] chore: fixes types
---
composer.json | 2 +-
src/Mixins/Expectation.php | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/composer.json b/composer.json
index 957e68eb..09b9a31f 100644
--- a/composer.json
+++ b/composer.json
@@ -59,7 +59,7 @@ ] }, "require-dev": { - "mrpunyapal/peststan": "^0.2.9", + "mrpunyapal/peststan": "^0.2.10", "pestphp/pest-dev-tools": "^4.1.0", "pestphp/pest-plugin-browser": "^4.3.1", "pestphp/pest-plugin-type-coverage": "^4.0.4",
diff --git a/src/Mixins/Expectation.php b/src/Mixins/Expectation.php
index 014e69fc..0a7329a9 100644
--- a/src/Mixins/Expectation.php
+++ b/src/Mixins/Expectation.php
@@ -954,6 +954,7 @@ final class Expectation } catch (Throwable $e) { if ($exception instanceof Throwable) { + // @phpstan-ignore-next-line expect($e) ->toBeInstanceOf($exception::class, $message) ->and($e->getMessage())->toBe($exceptionMessage ?? $exception->getMessage(), $message);