Update dependencies using hotfixed process

[schlessera]

This uses a hotfixed version of symfony/process (tagged as 5.9.99) to combine the fix for GHSA-qq5c-677p-737q with PHP 5.6 compatibility.

Fixes #719

[schlessera]

@swissspidy would love your thoughts on this.

[swissspidy]

Hmm doesn't this cause issues for anyone who requires wp-cli/wp-cli-bundle via Composer? Because they would need the same repositories config — unless we'd push this hotfix on Packagist with a new name (wp-cli/process) and a replace. Also, symfony/process is included via composer/composer from wp-cli/package-command, so maybe that dependency change should happen there?

Or is the idea simply to get composer update working again in this repo & to have an updated Phar, but not touch the rest?

[schlessera]

Good point with the Composer flow. Normally, you shouldn't use wp-cli/wp-cli-bundle when using a Composer flow, but some people might still do that.

On the other hand, if they are already using the wrong package, we might as well make sure they are not hitting a security issue.

Let me think some more about this...

[swissspidy]

Normally, you shouldn't use wp-cli/wp-cli-bundle when using a Composer flow, but some people might still do that.

Seems relatively common: https://github.com/search?q=path%3Acomposer.json+%22wp-cli%2Fwp-cli-bundle%22&type=code

[schlessera]

Ignoring coverage failure and merging.