diff --git a/composer.json b/composer.json
index 32edd20b..a380d943 100644
--- a/composer.json
+++ b/composer.json
@@ -2,7 +2,7 @@
 	"require-dev": {
 		"mediawiki/lua-sandbox": "3.0.1",
 		"mediawiki/mediawiki-codesniffer": "34.0.0",
-		"mediawiki/mediawiki-phan-config": "0.10.5",
+		"mediawiki/mediawiki-phan-config": "0.10.6",
 		"mediawiki/minus-x": "1.1.0",
 		"php-parallel-lint/php-console-highlighter": "0.5.0",
 		"php-parallel-lint/php-parallel-lint": "1.2.0"
diff --git a/includes/engines/LuaCommon/UstringLibrary.php b/includes/engines/LuaCommon/UstringLibrary.php
index 626d46e5..3e1c50c4 100644
--- a/includes/engines/LuaCommon/UstringLibrary.php
+++ b/includes/engines/LuaCommon/UstringLibrary.php
@@ -372,12 +372,13 @@ class Scribunto_LuaUstringLibrary extends Scribunto_LuaLibraryBase {
 	 *  - $re: The regular expression
 	 *  - $capt: Definition of capturing groups, see addCapturesFromMatch()
 	 *  - $anypos: Whether any positional captures were encountered in the pattern.
+	 * @return-taint none
 	 */
 	private function patternToRegex( $pattern, $anchor, $name ) {
 		$cacheKey = serialize( [ $pattern, $anchor ] );
 		if ( !$this->patternRegexCache->has( $cacheKey ) ) {
 			$this->checkPattern( $name, $pattern );
-			$pat = preg_split( '//us', $pattern, null, PREG_SPLIT_NO_EMPTY );
+			$pat = preg_split( '//us', $pattern, -1, PREG_SPLIT_NO_EMPTY );
 
 			static $charsets = null, $brcharsets = null;
 			if ( $charsets === null ) {
diff --git a/includes/engines/LuaCommon/lualib/ustring/make-normalization-table.php b/includes/engines/LuaCommon/lualib/ustring/make-normalization-table.php
index 68941b5f..cbfacd50 100755
--- a/includes/engines/LuaCommon/lualib/ustring/make-normalization-table.php
+++ b/includes/engines/LuaCommon/lualib/ustring/make-normalization-table.php
@@ -50,11 +50,11 @@ if ( count( $argv ) > 1 ) {
 
 // @phan-suppress-next-line SecurityCheck-XSS
 echo "Loading UtfNormal from $utfnormalDir...\n";
-// @phan-suppress-next-line SecurityCheck-OTHER
+// @phan-suppress-next-line SecurityCheck-PathTraversal
 require_once "$utfnormalDir/Validator.php";
-// @phan-suppress-next-line SecurityCheck-OTHER
+// @phan-suppress-next-line SecurityCheck-PathTraversal
 require_once "$utfnormalDir/UtfNormalData.inc";
-// @phan-suppress-next-line SecurityCheck-OTHER
+// @phan-suppress-next-line SecurityCheck-PathTraversal
 require_once "$utfnormalDir/UtfNormalDataK.inc";
 
 if ( !Validator::$utfCheckNFC ||