Merge branch 'main' into codex/create-documentation-for-extends

Author: eiriksm

.github/dependabot.yml

@@ -14,3 +14,9 @@ updates:
       docusaurus:
         patterns:
           - "@docusaurus/*"
+      react-related:
+        patterns:
+          - "react"
+          - "react-dom"
+          - "@types/react"
+          - "@types/react-dom"

.github/workflows/extensions-up-to-date.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: 'ubuntu-latest'
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Dump module output
         run: |

docs/configuration/composer_outdated_flag.mdx

@@ -0,0 +1,82 @@
+---
+title: "composer_outdated_flag"
+date: 2025-11-23T10:00:00+01:00
+anchor: "composer-outdated-flag"
+weight:
+---
+
+## Configuration
+
+<div className="config-wrapper"><div className="config">__name__: composer_outdated_flag</div>
+<div className="config">__type__: string</div>
+<div className="config">__default__: minor</div></div>
+
+```json showLineNumbers
+{
+  "name": "company/project",
+  "extra": {
+    "violinist": {
+// highlight-next-line
+      "composer_outdated_flag": "minor"
+    }
+  }
+}
+```
+
+Control the semantic versioning level for checking outdated packages.
+
+## Explanation
+
+By default, Violinist uses the `composer outdated -D -m` command to check for updates, where the `-m` flag restricts checks to minor SemVer-compatible updates. The `composer_outdated_flag` option allows you to customize this behavior by specifying which level of updates you want to check for.
+
+The option accepts three values:
+
+- **`major`**: Check for all updates including major version changes (no restriction flag)
+- **`minor`**: Check only for minor and patch updates (uses `-m` / `--minor-only` flag) - this is the default
+- **`patch`**: Check only for patch-level updates (uses `-p` / `--patch-only` flag)
+
+This setting affects how Violinist searches for available updates, which in turn determines what pull requests will be created for your project.
+
+## Example
+
+If you want to be more conservative and only receive pull requests for patch-level updates (bug fixes and security patches), you can configure your project like this:
+
+```json showLineNumbers
+{
+  "name": "company/project",
+  "description": "My production application",
+  "require": {
+    "vendor/package": "^2.1.0",
+  },
+  "extra": {
+    "violinist": {
+// highlight-next-line
+      "composer_outdated_flag": "patch"
+    }
+  }
+}
+```
+
+With this configuration, if you have version 2.1.0 installed and versions 2.1.1, 2.2.0, and 3.0.0 are available, Violinist will only create a pull request for version 2.1.1.
+
+Conversely, if you want to receive pull requests for all updates including major version changes:
+
+```json showLineNumbers
+{
+  "name": "company/project",
+  "description": "My development project",
+  "require": {
+    "vendor/package": "^2.1.0",
+  },
+  "extra": {
+    "violinist": {
+// highlight-next-line
+      "composer_outdated_flag": "major"
+    }
+  }
+}
+```
+
+With this configuration, Violinist will create pull requests for major version updates like 3.0.0, in addition to minor and patch updates.
+
+> Note: This option can be combined with other configuration options like [check_only_direct_dependencies](/configuration/check_only_direct_dependencies), [security_updates_only](/configuration/security_updates_only), and others to fine-tune which updates you want to receive.

docs/configuration/default_branch.mdx

@@ -27,7 +27,7 @@ Indicate what branch you want the Violinist pull requests created against.
 
 ## Explanation
 
-Different projects uses different workflows for their branches. For example, your default branch in your VCS provider might be your production branch (for example `main`) while you want the pull requests to be created towards a development branch (for example `develop`). By default, Violinist will use the default branch for the repository to create the pull requests, but if you want the base branch to differ from this setting, you want to use the `default_branch` option.
+Different projects use different workflows for their branches. For example, your default branch in your VCS provider might be your production branch (for example `main`) while you want the pull requests to be created towards a development branch (for example `develop`). By default, Violinist will use the default branch for the repository to create the pull requests, but if you want the base branch to differ from this setting, you want to use the `default_branch` option.
 
 ## Example
 

docs/configuration/default_branch_security.mdx

@@ -0,0 +1,48 @@
+---
+title: "default_branch_security"
+---
+
+## Configuration
+
+<div className="config-wrapper"><div className="config">__name__: default_branch_security</div>
+<div className="config">__type__: string</div>
+<div className="config">__default__: ''</div></div>
+
+```json showLineNumbers
+{
+  "name": "company/project",
+  "extra": {
+    "violinist": {
+      // highlight-next-line
+      "default_branch_security": ""
+    }
+  }
+}
+```
+
+Indicate what branch you want the Violinist pull requests created against, spefically if the update is a security update.
+
+## Explanation
+
+Different projects uses different workflows for their branches. For example, your default branch in your VCS provider might be your production branch (for example `main`) while you want the merge requests to be created towards a development branch (for example `develop`). By default, Violinist will use the default branch for the repository to create the merge requests, but if you want the base branch to differ from this setting when merge requests are security updates, you want to use the `default_branch_security` option.
+
+## Example
+
+If a project uses the `develop` branch as the default branch, and you want the merge requests that are security updates to go straigth to `main`, you might want to configure your project like so:
+
+```json showLineNumbers
+{
+  "name": "company/project",
+  "description": "My awesome project",
+  "extra": {
+    "violinist": {
+      // highlight-next-line
+      "default_branch_security": "main"
+    }
+  }
+}
+```
+
+If you do not enter anything in this field, leaving the default value for it in there (`""` - an empty string) the project will use the settings from the project repository. In the example above that would mean the branch `develop`.
+
+Please also note that if you have a value for the configuration option [default_branch](/configuration/default_branch) then this will be used as a fallback for a default value of empty string (`""`) for this configuration option (`default_branch_security`).

docs/configuration/ignore_platform_requirements.mdx

@@ -0,0 +1,60 @@
+---
+title: "ignore_platform_requirements"
+date: 2026-01-25T10:00:00+01:00
+anchor: "ignore-platform-requirements"
+weight:
+---
+
+## Configuration
+
+<div className="config-wrapper"><div className="config">__name__: ignore_platform_requirements</div>
+<div className="config">__type__: int</div>
+<div className="config">__default__: 0</div></div>
+
+```json showLineNumbers
+{
+  "name": "company/project",
+  "extra": {
+    "violinist": {
+// highlight-next-line
+      "ignore_platform_requirements": 0
+    }
+  }
+}
+```
+
+Ignore PHP platform requirements when checking for updates.
+
+## Explanation
+
+When enabled, Violinist will set the `COMPOSER_IGNORE_PLATFORM_REQS` environment variable. This tells Composer to ignore platform requirements (PHP version, extensions, etc.) when resolving and updating dependencies.
+
+This can be useful when the PHP version or extensions available in Violinist's environment differ from your production environment.
+
+## Example
+
+Say your production environment uses a PHP extension that isn't universally available. Without this option, Composer might refuse to update packages because the extension isn't present when checking for updates. To work around this, enable `ignore_platform_requirements`:
+
+```json showLineNumbers
+{
+  "name": "company/project",
+  "description": "My awesome project",
+  "require": {
+    "php": "^8.2",
+    "ext-acme": "*",
+    "vendor/package": "~1.0.0"
+  },
+  "extra": {
+    "violinist": {
+// highlight-next-line
+      "ignore_platform_requirements": 1
+    }
+  }
+}
+```
+
+:::note
+`ext-acme` is a fictional extension used for illustration purposes.
+:::
+
+With this configuration, Violinist will ignore platform requirements and proceed with checking for updates. Your CI pipeline should still verify that the updated dependencies work correctly with your actual platform configuration.

docs/introduction/commands.mdx

@@ -23,7 +23,10 @@ The two options mean as follows:
 --minor-only (-m): Only shows packages that have minor SemVer-compatible updates.
 ```
 
-There are still several ways this can be manipulated. See the config options for details. For example, If you set the option [check_only_direct_dependencies](#check-only-direct) to `0` the `--direct` flag will not be used.
+There are still several ways this can be manipulated. See the config options for details. For example:
+
+- If you set the option [check_only_direct_dependencies](#check-only-direct) to `0` the `--direct` flag will not be used.
+- You can control the update level (major, minor, or patch) using the [composer_outdated_flag](/configuration/composer_outdated_flag) option.
 
 ## Updating packages
 
@@ -35,4 +38,4 @@ composer update vendor/package --with-dependencies
 
 If you do not want violinist to update with dependencies, you can use the configuration option [update_with_dependencies](#update-with-deps) and set this to `0`.
 
-If you want to update a package bundled with another package, you probably want to have a look at the option [bundled_packages](#bundled-packages).
+If you want to update a package bundled with another package, you probably want to have a look at the option [bundled_packages](/configuration/bundled_packages).

docusaurus.config.ts

@@ -5,7 +5,8 @@ import type * as Preset from '@docusaurus/preset-classic';
 const config: Config = {
   clientModules: ['./src/hashMigrate.js'],
   title: 'Violinist documentation',
-  tagline: "",
+  tagline:
+    'Automated Composer dependency updates for PHP repositories, with pull requests, changelog summaries, and monitoring to keep your projects secure and current.',
   favicon: 'img/favicon.ico',
 
   // Set the production url of your site here