=== Variant/Bypass Tests for GHSA-v7m3-fpcr-h7m2 ===
Testing serializer at: /root/.pruva/runs/ghsa-v7m3-fpcr-h7m2_20260220-144406/json-serializer-fixed
Version detection: FIXED (3.2.3+)

[TEST 1] Basic arbitrary class instantiation
  [PASS] Blocked: Class GadgetClass is not allowed for deserialization. Use setAllowedClasses() to configure the list of allowed classes.

[TEST 2] Case sensitivity bypass (PHP classes are case-insensitive)
  [PASS] Case sensitivity properly handled - blocked

[TEST 3] Nested object with disallowed class in property
  [PASS] Nested objects also blocked

[TEST 4] Null allowlist (default backward-compatible mode)
  [DANGER] GadgetClass __wakeup() called!
  [EXPECTED] Default behavior allows all classes (backward compatible)

[TEST 5] Empty allowlist should block all classes
  [PASS] Empty allowlist blocks all classes

[TEST 6] Namespaced class handling
  [INFO] Exception: Invalid JSON to unserialize.

[TEST 7] Custom object serializer path
  [INFO] Custom serializer bypass works (as designed): stdClass

[TEST 8] Unicode encoding bypass attempt
  [INFO] Exception: Class GadgetClass is not allowed for deserialization. Use setAllowedClasses() to configure the list of allowed classes.

=== Summary ===
All security tests passed - no bypasses found.