Update Drupal core to 8.4.7 via Composer. Security update; I *think* we've been lucky to get away with this so far, as we don't support self-registration which seems to be used by the so-called "drupalgeddon 2" attack that 8.4.5 was vulnerable to.

Anonymous classes
-----
<?php
new class
($x)
  extends X
{ };
-----
$new = $stmts[0]->expr;
$new->class->extends = null;
$new->args[] = new Expr\Variable('y');
-----
<?php
new class
($x, $y)
{ };