
chore: upgrade saloonphp/saloon to ^4.0#29

Merged
github-actions[bot] merged 2 commits into master from chore/saloon-v4 on May 19, 2026

Conversation

@jordanpartridge
Contributor

Summary

Bumps saloonphp/saloon from ^3.10 to ^4.0 to remediate three security advisories. Drops 0 LOC of production code: Saloon 4 keeps every public API this package depends on.

Closes #28.

Why ^4.0 and not ^3.16

Issue #28 suggested bumping to ^3.16 once the patch lands on 3.x. That patch was never released — all three CVEs ship the fix in 4.0.0 and only 4.0.0. The advisory metadata confirms Affected versions: <4.0.0 for each.

| CVE | Severity | Issue | Saloon 4 fix |
| --- | --- | --- | --- |
| CVE-2026-33942 | high | Insecure deserialization in AccessTokenAuthenticator | __serialize / __unserialize removed from the class |
| CVE-2026-33182 | medium | Absolute URL in resolveEndpoint() overrode the connector's base URL (SSRF + credential leakage) | New $allowBaseUrlOverride flag on Connector, defaults to false |
| CVE-2026-33183 | medium | Fixture name path traversal in the mock client | Fixture path resolution hardened |

Pre-upgrade composer audit listed all three. Post-upgrade only phpunit/phpunit and symfony/process advisories remain — both dev-only, both unrelated to this change.

BC changes applied to connector code

None. Saloon 4 preserves every API surface this package touches:

  • Saloon\Http\Connector (extended in src/Connector.php)
  • Saloon\Contracts\Authenticator (returned by every auth strategy)
  • Saloon\Http\Auth\TokenAuthenticator (used by TokenAuthentication, GitHubOAuth, GitHubAppAuthentication)
  • Saloon\Http\Response (typed in every custom exception and in getRequestException())
  • Saloon\Http\Request, Saloon\Enums\Method (used in tests)
  • Saloon\Http\Faking\MockClient, Saloon\Http\Faking\MockResponse (used in tests)
  • Saloon\Traits\Plugins\AcceptsJson
  • Connector::getRequestException(Response, ?Throwable): ?Throwable signature unchanged
  • Connector::resolveBaseUrl(): string contract unchanged

The new $allowBaseUrlOverride flag defaults to false, which matches our behavior: every GitHub endpoint resolves relative to https://api.github.com. No request in this package or downstream consumers passes an absolute URL through resolveEndpoint(), so the secure default is correct.

PHP minimum stays at ^8.2|^8.3|^8.4 — Saloon 4 requires PHP ^8.2.

Downstream impact for conduit-ui/pr

No upgrade required. conduit-ui/pr consumes ConduitUi\GitHubConnector\Connector and never imports a Saloon\ namespace directly. The connector's public API does not leak any Saloon type whose shape changed in v4 — it returns custom exceptions (GitHubException subclasses), accepts an AuthenticationStrategy (this package's interface), and exposes static repo-context helpers that have no Saloon coupling.

If conduit-ui/pr ever upgrades to Saloon 4 directly (for example to use the mock client in its own tests) it will inherit the same secure defaults — its only existing Saloon touch point is constructing Connector instances, which is forward-compatible.

Test plan

  • composer test — 85 passed (Pest), unchanged from pre-upgrade
  • composer analyse — PHPStan level 4 clean, no errors
  • composer audit — all three Saloon CVEs gone
  • Verify GitHub Actions / Sentinel Gate runs green on this branch
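The CVE-2026-33182 row above and the paragraph on the `$allowBaseUrlOverride` default describe a failure mode that is easy to model: a request's endpoint string carrying its own scheme and host, so that a plain URL join sends the request (and the connector's Authorization header) somewhere other than the configured base URL. The following is an added illustration, not code from this package or from Saloon; it models the resolveBaseUrl() / resolveEndpoint() split with hypothetical Python functions (`resolve_url_lenient`, `resolve_url_strict`, `same_origin`) and does not reproduce Saloon 4's actual implementation of the flag. The base URL is the one this package uses; the absolute endpoint is a constructed example.

```python
"""Model of the CVE-2026-33182 failure mode: an absolute URL returned by a
request's resolveEndpoint() replacing the connector's base URL.

Added illustration only. Function names are assumptions that imitate the
resolveBaseUrl() / resolveEndpoint() split; Saloon 4's real handling of
$allowBaseUrlOverride is not reproduced here.
"""
from urllib.parse import urljoin, urlsplit

# The base URL this package resolves every endpoint against.
BASE_URL = "https://api.github.com"


def resolve_url_lenient(base_url: str, endpoint: str) -> str:
    """Pre-fix behaviour: a plain RFC 3986 join. An absolute endpoint wins,
    so the request goes wherever the endpoint string points, with whatever
    credentials the connector attaches."""
    return urljoin(base_url.rstrip("/") + "/", endpoint)


def resolve_url_strict(base_url: str, endpoint: str,
                       allow_base_url_override: bool = False) -> str:
    """Hardened behaviour (secure default off): only relative endpoints are
    joined onto the base URL. An endpoint carrying a scheme, an authority or a
    protocol-relative '//host/...' prefix is rejected unless the caller has
    opted in explicitly."""
    parts = urlsplit(endpoint)
    if parts.scheme or parts.netloc or endpoint.startswith("//"):
        if not allow_base_url_override:
            raise ValueError(f"absolute endpoint rejected: {endpoint!r}")
        return endpoint
    return urljoin(base_url.rstrip("/") + "/", endpoint)


def same_origin(url_a: str, url_b: str) -> bool:
    """Belt-and-braces check a connector can run before attaching
    credentials: scheme and host[:port] must match the configured base URL."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.netloc.lower()) == (b.scheme, b.netloc.lower())


def demo() -> dict:
    """Resolve one relative and one absolute endpoint both ways."""
    relative = "/repos/conduit-ui/pr/pulls"
    absolute = "https://example.invalid/collect"  # constructed, not a real host
    out = {
        "lenient_relative": resolve_url_lenient(BASE_URL, relative),
        "lenient_absolute": resolve_url_lenient(BASE_URL, absolute),
        "strict_relative": resolve_url_strict(BASE_URL, relative),
    }
    try:
        resolve_url_strict(BASE_URL, absolute)
        out["strict_absolute"] = "allowed"
    except ValueError:
        out["strict_absolute"] = "rejected"
    # The lenient join silently left the configured origin.
    out["lenient_absolute_same_origin"] = same_origin(BASE_URL, out["lenient_absolute"])
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `same_origin` is that the endpoint check alone is not enough if any other code path (a redirect, a user-supplied URL) can change the request target; comparing the final URL's origin against the base URL before a token is attached catches those cases too.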

Bumps the Saloon dependency to ^4.0 to remediate three security
advisories that affect every 3.x release:

- CVE-2026-33942 (high): insecure deserialization in
  AccessTokenAuthenticator (the class now omits __serialize /
  __unserialize entirely)
- CVE-2026-33182 (medium): absolute URL in resolveEndpoint() could
  override the connector base URL, enabling SSRF and credential leak;
  v4 introduces an opt-in $allowBaseUrlOverride flag that defaults to
  false
- CVE-2026-33183 (medium): fixture name path traversal in the mock
  client

No patched 3.x release exists for these CVEs (issue #28's suggested
^3.16 bump is not viable). Saloon 4 keeps PHP ^8.2 and the public
APIs this package depends on are unchanged: Authenticator contract,
TokenAuthenticator, Response, Request, MockClient, MockResponse,
AcceptsJson plugin, HasTries trait, and the
Connector::getRequestException() signature.

The connector resolves every endpoint relative to
https://api.github.com, so the new base URL override default (off)
matches existing behavior and requires no code changes.

Closes #28

Clears two pre-existing dev-dep CVEs flagged by the Sentinel Gate
(composer audit) so this PR can land green:

- phpunit/phpunit 11.5.33 -> 11.5.50 (CVE-2026-24765, high):
  Unsafe deserialization in PHPT code coverage handling. Pulled via
  pestphp/pest; pest was bumped within its existing ^3.0 constraint
  (v3.8.4 -> v3.8.6) to satisfy phpunit ^11.5.50.

- symfony/process v7.4.0 -> v7.4.11 (CVE-2026-24739, medium):
  Incorrect argument escaping under MSYS2/Git Bash on Windows.
  Dev-only transitive.

Lockfile-only change; no composer.json constraints widened. Tests
(85 passing, prior baseline) and PHPStan level 8 remain green.
composer audit now reports no advisories.
@jordanpartridge
Contributor Author

Appended two dev-dep bumps to this branch to also clear the Sentinel Gate's pre-existing composer audit failures. Lockfile-only changes — no composer.json constraints widened.

CVEs cleared:

  • phpunit/phpunit 11.5.33 → 11.5.50 — CVE-2026-24765 (high, unsafe deserialization in PHPT code coverage). Required a patch bump of pestphp/pest (v3.8.4 → v3.8.6) within the existing ^3.0 constraint to satisfy phpunit ^11.5.50.
  • symfony/process v7.4.0 → v7.4.11 — CVE-2026-24739 (medium, incorrect arg escaping under MSYS2/Git Bash on Windows). Dev-only transitive.

Verification on the latest commit (97bf02e):

  • composer audit → No security vulnerability advisories found.
  • composer test → 85 passed (matches prior baseline on this branch, 1 pre-existing network-test warning unchanged).
  • composer analyse → No errors (PHPStan level 8).
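The test plan in the PR description and the verification list above both rely on reading `composer audit` output and deciding whether the remaining advisories are production or dev-only. The following is an added example, not part of this PR or of Composer: it classifies advisories against the lockfile's `packages` / `packages-dev` sections so a gate can fail on production advisories while only reporting dev-only ones. The sample audit output is constructed (CVE ids and versions taken from this PR) and assumes the shape I know `composer audit --format=json` to emit, an `advisories` map keyed by package name; the function names `classify_advisories` and `gate` are hypothetical.

```python
"""Gate on composer audit output: fail on production advisories, report
dev-only ones. Added example; not part of this package or of Composer.

Assumption: `composer audit --format=json` emits {"advisories": {pkg: [...]}}
and composer.lock separates `packages` from `packages-dev`.
"""
import json

# Constructed sample mirroring the pre-upgrade state described in this PR.
SAMPLE_AUDIT_PRE = json.dumps({
    "advisories": {
        "saloonphp/saloon": [
            {"cve": "CVE-2026-33942", "severity": "high", "affectedVersions": "<4.0.0"},
            {"cve": "CVE-2026-33182", "severity": "medium", "affectedVersions": "<4.0.0"},
            {"cve": "CVE-2026-33183", "severity": "medium", "affectedVersions": "<4.0.0"},
        ],
        "phpunit/phpunit": [
            {"cve": "CVE-2026-24765", "severity": "high", "affectedVersions": "<11.5.50"},
        ],
        "symfony/process": [
            {"cve": "CVE-2026-24739", "severity": "medium", "affectedVersions": "<7.4.11"},
        ],
    },
    "abandoned": {},
})

# Constructed sample after the saloon bump but before the dev-dep bumps.
SAMPLE_AUDIT_POST = json.dumps({
    "advisories": {
        "phpunit/phpunit": [
            {"cve": "CVE-2026-24765", "severity": "high", "affectedVersions": "<11.5.50"},
        ],
        "symfony/process": [
            {"cve": "CVE-2026-24739", "severity": "medium", "affectedVersions": "<7.4.11"},
        ],
    },
    "abandoned": {},
})

# Constructed, trimmed composer.lock: only the fields this gate reads.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "saloonphp/saloon"}],
    "packages-dev": [
        {"name": "pestphp/pest"},
        {"name": "phpunit/phpunit"},
        {"name": "symfony/process"},
    ],
})


def classify_advisories(audit_json: str, lock_json: str) -> dict:
    """Bucket every advisory by whether its package is a production
    dependency, a dev-only dependency (direct or transitive), or unknown."""
    audit = json.loads(audit_json)
    lock = json.loads(lock_json)
    prod = {p["name"] for p in lock.get("packages", [])}
    dev = {p["name"] for p in lock.get("packages-dev", [])}
    result = {"production": [], "dev_only": [], "unknown": []}
    for package, advisories in audit.get("advisories", {}).items():
        for adv in advisories:
            entry = {
                "package": package,
                "cve": adv.get("cve"),
                "severity": adv.get("severity"),
                "affectedVersions": adv.get("affectedVersions"),
            }
            if package in prod:
                result["production"].append(entry)
            elif package in dev:
                result["dev_only"].append(entry)
            else:
                # A package the lockfile does not know about is treated as
                # blocking rather than silently waved through.
                result["unknown"].append(entry)
    return result


def gate(result: dict) -> bool:
    """True when the build may proceed: no production advisories and nothing
    unclassified. Dev-only advisories are surfaced but do not block."""
    return not result["production"] and not result["unknown"]


if __name__ == "__main__":
    for label, audit in (("pre-upgrade", SAMPLE_AUDIT_PRE), ("post-upgrade", SAMPLE_AUDIT_POST)):
        r = classify_advisories(audit, SAMPLE_LOCK)
        print(f"{label}: gate={'pass' if gate(r) else 'FAIL'} "
              f"production={len(r['production'])} dev_only={len(r['dev_only'])}")
```

Composer itself can narrow the scan with `composer audit --no-dev`, which is the simpler equivalent of the production bucket; the value of a gate like this one is that dev-only findings still show up in the job log instead of disappearing, which is how the two phpunit/symfony advisories were noticed and fixed here rather than ignored.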

github-actions[bot] merged commit 831ad4b into master on May 19, 2026
5 checks passed
github-actions[bot] deleted the chore/saloon-v4 branch on May 19, 2026 20:50

Development

Successfully merging this pull request may close these issues.

Bump saloonphp/saloon past vulnerable versions
