Add composer-dependency-analyser (fix shadow dependencies)

[janedbal]

Hi, I tested your repository with composer-dependency-analyser and it found some shadow dependencies:

---

All those seem valid to me, so I added those to composer and the tool to CI to avoid possible issues in future.

[patrickkusebauch]

Yep, you are right, I found the tool last week and thinking the same.

[janedbal]

The failed CI job looks like a bug, reported here: IonBazan/composer-diff#30

[janedbal]

I tried fixing the issue as suggested in the bugreport, but as I'm just sending fork, GitHub security measures are not executing the new job (when pull_request_target is kept) or not allowing pull_requests: write permission (when pull_request is used).

So in order to unblock this PR, some maintainer need to adjust the broken job.

---

Note: I removed my commit that attempted to fix it.

[janedbal]

The bug should be solvable just by bumping the version:

diff --git a/.github/workflows/composer-diff.yml b/.github/workflows/composer-diff.yml
index 3bfdb4fc..f5748bdc 100644
--- a/.github/workflows/composer-diff.yml
+++ b/.github/workflows/composer-diff.yml
@@ -19,6 +19,6 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
       - name: Comment composer.lock diff
-        uses: WyriHaximus/github-action-composer.lock-diff@v1
+        uses: WyriHaximus/github-action-composer.lock-diff@v2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

But as said above, I cannot do it in PR due to security measures of GitHub.

[gennadigennadigennadi]

@janedbal could you fix the conflict?

[janedbal]

Fixed conflict

[gennadigennadigennadi]

@janedbal thank you for your contribution.