chore(deps): bump phpoffice/phpspreadsheet from 1.29.9 to 1.30.5 #4

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/composer/phpoffice/phpspreadsheet-1.30.5

dependabot Bot commented on behalf of github Jun 8, 2026

Bumps phpoffice/phpspreadsheet from 1.29.9 to 1.30.5.

Release notes

Sourced from phpoffice/phpspreadsheet's releases.

1.30.5

Security Note

  • File::prohibitWrappers and Drawing::setPath now reject phar paths with extra leading slashes (e.g. phar:///…) that escaped the prior parse_url-based filter.

Fixed

  • Third-party security patches.

1.30.4

Fixed

  • Security patches.

1.30.3

Fixed

1.30.2

Changed

  • Evaluation of WEBSERVICE no longer requires external client, but will use oldCalculatedValue unless the request is for a domain in a user-supplied whitelist. Security-related backport of [PR #4751](PHPOffice/PhpSpreadsheet#4751)

Deprecated

  • Settings methods setHttpClient, unsetHttpClient, getHttpClient, and getRequestFactory are no longer used. No replacement.

Fixed

1.30.1

Functionally Frozen

  • Except for security changes, no further maintenance will be applied to this branch. You are encouraged to upgrade to a maintained branch as soon as possible. Maintained branches are master (preferred - version is 5.2.0 as of the date when this is being written), release390 (current version is 3.10.1), and release222 (2.4.1).
  • Of particular note is that this branch should not run under Php 8.5+, and will not be updated to avoid deprecation notices introduced with Php 8.5.

1.30.0

Breaking Changes

  • Images will be loaded from an external source (e.g. http://example.com/img.png) only if the reader is explicitly set to allow it via $reader->setAllowExternalImages(true). We do not believe that loading of external images is a widely used feature. This is a necessary change for security purposes. It unfortunately breaks Semantic Versioning for reasons described above; there is no way to start a new major version for this branch.

1.29.12

Added

  • Add to all readers the option to allow or forbid fetching external images. This is unconditionally allowed now. The default will be set to "allow", so no code changes are necessary. However, we are giving consideration to changing the default. [PR #4545](PHPOffice/PhpSpreadsheet#4545)

... (truncated)

Changelog

Sourced from phpoffice/phpspreadsheet's changelog.

2026-05-30 - 1.30.5

Security Note

  • File::prohibitWrappers and Drawing::setPath now reject phar paths with extra leading slashes (e.g. phar:///…) that escaped the prior parse_url-based filter.

Fixed

  • Third-party security patches.

2026-04-19 - 1.30.4

Fixed

  • Security patches.

2026-04-09 - 1.30.3

Fixed

2026-01-10 - 1.30.2

Changed

  • Evaluation of WEBSERVICE no longer requires external client, but will use oldCalculatedValue unless the request is for a domain in a user-supplied whitelist. Security-related backport of [PR #4751](PHPOffice/PhpSpreadsheet#4751)

Deprecated

  • Settings methods setHttpClient, unsetHttpClient, getHttpClient, and getRequestFactory are no longer used. No replacement.

Fixed

2025-10-25 - 1.30.1

Functionally Frozen

  • Except for security changes, no further maintenance will be applied to this branch. You are encouraged to upgrade to a maintained branch as soon as possible. Maintained branches are master (preferred - version is 5.4.0 as of the date when this is being written), 3.10.x (current version is 3.10.3), and 2.4.x (2.4.3).
  • Of particular note is that this branch should not run under Php 8.5+, and will not be updated to avoid deprecation notices introduced with Php 8.5.

2025-08-10 - 1.30.0

Breaking Changes

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.
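
The 1.30.5 security note quoted above, as an added PHP illustration (not PhpSpreadsheet's code; the function names, the accept-only-plain-paths policy and the sample paths are assumptions made here): a scheme check built on parse_url() sees no scheme when the URL has an empty host, while a lexical check on the leading `scheme://` still catches it.

```php
<?php
// Added illustration, not PhpSpreadsheet code. Function names are hypothetical.

/** Weak form: relies on parse_url() to report the scheme. */
function schemeViaParseUrl(string $path): ?string
{
    // parse_url() returns false for URLs it considers malformed, which
    // includes an empty host as in "phar:///...". The caller then sees
    // "no scheme" and treats the value as an ordinary file path.
    $scheme = parse_url($path, PHP_URL_SCHEME);
    return is_string($scheme) ? strtolower($scheme) : null;
}

/** Hardened form: match a leading "scheme://" lexically, whatever follows. */
function schemeLexical(string $path): ?string
{
    // Two or more scheme characters, so a one-letter Windows drive
    // prefix is never read as a scheme.
    if (preg_match('~^([a-z][a-z0-9+.\-]+)://~i', $path, $m) === 1) {
        return strtolower($m[1]);
    }
    return null;
}

/** Policy assumed for this example: only scheme-less paths are accepted. */
function isPlainPath(string $path, callable $schemeOf): bool
{
    return $schemeOf($path) === null;
}

// Constructed sample inputs.
$samples = [
    'reports/q1.xlsx',
    'phar://archive.phar/img.png',
    'phar:///tmp/archive.phar/img.png',
    'PHAR:////tmp/archive.phar/img.png',
];

foreach ($samples as $p) {
    printf(
        "%-36s parse_url: %-6s lexical: %s\n",
        $p,
        isPlainPath($p, 'schemeViaParseUrl') ? 'accept' : 'reject',
        isPlainPath($p, 'schemeLexical') ? 'accept' : 'reject'
    );
}
```

With the parse_url-based check the two paths with extra leading slashes are accepted as plain paths; the lexical check rejects all three phar forms.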

Bumps [phpoffice/phpspreadsheet](https://github.com/PHPOffice/PhpSpreadsheet) from 1.29.9 to 1.30.5.
- [Release notes](https://github.com/PHPOffice/PhpSpreadsheet/releases)
- [Changelog](https://github.com/PHPOffice/PhpSpreadsheet/blob/1.30.5/CHANGELOG.md)
- [Commits](PHPOffice/PhpSpreadsheet@1.29.9...1.30.5)

---
updated-dependencies:
- dependency-name: phpoffice/phpspreadsheet
  dependency-version: 1.30.5
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot commented on behalf of github Jun 8, 2026

Labels

The following labels could not be found: dependencies, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.
