Bump the composer group across 1 directory with 12 updates

[dependabot]

Bumps the composer group with 6 updates in the / directory:

Package	From	To
symfony/runtime	5.3.4	5.4.46
symfony/security-bundle	5.3.4	5.4.20
symfony/validator	5.3.6	5.4.43
lcobucci/jwt	4.1.4	4.3.0
phpseclib/phpseclib	3.0.9	3.0.49
symfony/twig-bridge	5.3.4	5.4.19

Updates symfony/runtime from 5.3.4 to 5.4.46

Release notes

Sourced from symfony/runtime's releases.

v5.4.46

Changelog (symfony/runtime@v5.4.45...v5.4.46)

• security symfony/symfony#cve-2024-50340 [Runtime] Do not read from argv on non-CLI SAPIs (@​wouterj)

v5.4.45

Changelog (symfony/runtime@v5.4.44...v5.4.45)

• bug symfony/symfony#58372 Tweak error/exception handler registration (@​nicolas-grekas)

v5.4.40

Changelog (symfony/runtime@v5.4.39...v5.4.40)

• no significant changes

v5.4.39

Changelog (symfony/runtime@v5.4.38...v5.4.39)

• no significant changes

v5.4.35

Changelog (symfony/runtime@v5.4.34...v5.4.35)

• no significant changes

v5.4.26

Changelog (symfony/runtime@v5.4.25...v5.4.26)

• bug symfony/symfony#50994 [ErrorHandler][Runtime] Don't mess with ini_set('assert.warning') (@​nicolas-grekas)

v5.4.25

Changelog (symfony/runtime@v5.4.24...v5.4.25)

• bug symfony/symfony#50656 Only update autoload_runtime.php when it changed (@​Seldaek)

v5.4.22

Changelog (symfony/runtime@v5.4.21...v5.4.22)

• no significant changes

v5.4.21

Changelog (symfony/runtime@v5.4.20...v5.4.21)

• no significant changes

v5.4.19

Changelog (symfony/runtime@v5.4.18...v5.4.19)

• bug #49046 Fix for Windows when projects are deployed on junctions/symlinks (nerdgod)

... (truncated)

Changelog

Sourced from symfony/runtime's changelog.

CHANGELOG

7.4

• Add JSON encoded value support for APP_RUNTIME_OPTIONS
• Add FrankenPhpWorkerRunner
• Add automatic detection of FrankenPHP worker mode in SymfonyRuntime
• Expose the runtime class in $_SERVER['APP_RUNTIME']
• Expose the runtime options in $_SERVER['APP_RUNTIME_OPTIONS']
• Make project_dir configurable in composer.json
• Expose project_dir as APP_PROJECT_DIR env var

6.4

• Add argument bool $debug = false to HttpKernelRunner::__construct()

5.4

• The component is not experimental anymore
• Add options "env_var_name" and "debug_var_name" to GenericRuntime and SymfonyRuntime
• Add option "dotenv_overload" to SymfonyRuntime

5.3.0

• Add the component

Commits

• 242b4d7 [Runtime] fix tests
• 443f7d2 Do not read from argv on non-CLI SAPIs
• ae232b0 minor #58355 Add PR template and auto-close PR on subtree split repositories ...
• ea38ad2 Add PR template and auto-close PR on subtree split repositories
• ba1a6cb Tweak error/exception handler registration
• 50096d4 Revert "minor #54653 Auto-close PRs on subtree-splits (nicolas-grekas)"
• f143d17 Auto-close PRs on subtree-splits
• a32a623 Apply php-cs-fixer fix --rules nullable_type_declaration_for_default_null_value
• 4659b55 [Runtime][ErrorHandler] Don't mess with ini_set('assert.warning')
• 03e9c5d Only update autoload_runtime.php when it changed
• Additional commits viewable in compare view

Updates symfony/security-bundle from 5.3.4 to 5.4.20

Changelog

Sourced from symfony/security-bundle's changelog.

CHANGELOG

8.1

• Add support for the clientHints, prefetchCache, and prerenderCache ClearSite-Data directives
• Add support for #[AsTaggedItem] attribute to configure voter priority

8.0

• Remove the deprecated hide_user_not_found configuration option, use expose_security_errors instead
• Remove the deprecated algorithm and key options from the OIDC token handler configuration, use algorithms and keyset instead
• Remove LazyFirewallContext::__invoke()
• Make ExpressionCacheWarmer class final
• Remove autowiring aliases for RateLimiterFactory; use RateLimiterFactoryInterface instead

7.4

• Add debug:security:role-hierarchy command to dump role hierarchy graphs in the Mermaid.js flowchart format

• Add Security::getAccessDecision() and getAccessDecisionForUser() helpers

• Add options to configure a cache pool and storage service for login throttling rate limiters

• Register alias for argument for password hasher when its key is not a class name:

  With the following configuration:

  security:
    password_hashers:
        recovery_code: auto

  It is possible to inject the recovery_code password hasher in a service:

  public function __construct(
      #[Target('recovery_code')]
      private readonly PasswordHasherInterface $passwordHasher,
  ) {
  }

• Deprecate LazyFirewallContext::__invoke()

7.3

• Add Security::isGrantedForUser() to test user authorization without relying on the session. For example, users not currently logged in, or while processing a message from a message queue
• Add encryption support to OidcTokenHandler (JWE)
• Add expose_security_errors config option to display AccountStatusException

... (truncated)

Commits

• 1a049b7 Merge branch '4.4' into 5.4
• 076fd20 [Security/Http] Remove CSRF tokens from storage on successful login
• e16ac30 [SecurityBundle] Fix using same handler for multiple authenticators
• 8203ec9 Bump license year to 2023
• 5891533 Compatibility with doctrine/annotations 2
• 5c96cbd Fix getting the name of closures on PHP 8.1.11+
• 86b49fe Fix CS
• 8ec874d Merge branch '4.4' into 5.4
• d2a6bf4 Fix CS
• 4d5f495 [SecurityBundle] Remove dead class_exists checks
• Additional commits viewable in compare view

Updates symfony/serializer from 5.3.4 to 5.4.45

Release notes

Sourced from symfony/serializer's releases.

v5.4.45

Changelog (symfony/serializer@v5.4.44...v5.4.45)

• no significant changes

v5.4.44

Changelog (symfony/serializer@v5.4.43...v5.4.44)

• no significant changes

v5.4.43

Changelog (symfony/serializer@v5.4.42...v5.4.43)

• no significant changes

v5.4.42

Changelog (symfony/serializer@v5.4.41...v5.4.42)

• no significant changes

v5.4.41

Changelog (symfony/serializer@v5.4.40...v5.4.41)

• bug symfony/symfony#57341 [Serializer] properly handle invalid data for false/true types (@​xabbuh)
• bug symfony/symfony#57187 [Serializer] Fix ObjectNormalizer with property path (@​HypeMC)
• bug symfony/symfony#52699 [Serializer] [PropertyAccessor] Ignore non-collection interface generics (@​mtarld)

v5.4.40

Changelog (symfony/serializer@v5.4.39...v5.4.40)

• bug symfony/symfony#54913 [Serializer] Fix CurrentType for missing property (@​ElisDN)
• bug symfony/symfony#54828 [Serializer] Fix GetSetMethodNormalizer not working with setters with optional args (@​HypeMC)
• bug symfony/symfony#54804 [Serializer] separate the property info and write info extractors (@​xabbuh)
• bug symfony/symfony#54714 [Serializer] convert empty CSV header names into numeric keys (@​xabbuh)

v5.4.39

Changelog (symfony/serializer@v5.4.38...v5.4.39)

• bug symfony/symfony#54635 [Serializer] Revert "Fix object normalizer when properties has the same name as their accessor" - it was a BC Break (@​NeilPeyssard)
• bug symfony/symfony#52917 [Serializer] Fix unexpected allowed attributes (@​mtarld)
• bug symfony/symfony#52698 [Serializer] Fix XML scalar to object denormalization (@​mtarld)
• bug symfony/symfony#54485 [Serializer] Ignore when using #[Ignore] on a non-accessor (@​nicolas-grekas)

v5.4.38

Changelog (symfony/serializer@v5.4.37...v5.4.38)

• bug symfony/symfony#54148 [Serializer] Fix object normalizer when properties has the same name as their accessor (@​NeilPeyssard)

v5.4.36

Changelog (symfony/serializer@v5.4.35...v5.4.36)

... (truncated)

Changelog

Sourced from symfony/serializer's changelog.

CHANGELOG

8.1

• Improve NotNormalizableValueException exception messages in BackedEnumNormalizer to contain more useful information

8.0

• Remove CsvEncoder::ESCAPE_CHAR_KEY constant and escape character functionality

• Remove CsvEncoderContextBuilder::withEscapeChar() method

• Remove AbstractNormalizerContextBuilder::withDefaultContructorArguments(), use withDefaultConstructorArguments() instead

• Change signature of NameConverterInterface::normalize() and NameConverterInterface::denormalize() methods:

  Before:

  public function normalize(string $propertyName): string;
  public function denormalize(string $propertyName): string;

  After:

  public function normalize(string $propertyName, ?string $class = null, ?string $format = null, array $context = []): string;
  public function denormalize(string $propertyName, ?string $class = null, ?string $format = null, array $context = []): string;

• Remove AdvancedNameConverterInterface, use NameConverterInterface instead

• Remove ClassMetadataFactoryCompiler, CompiledClassMetadataFactory and CompiledClassMetadataCacheWarmer

• Remove class aliases in the Annotation namespace, use attributes instead

• Remove getters in attribute classes in favor of public properties

7.4

• Add #[ExtendsSerializationFor] to declare new serialization attributes for a class
• Add AttributeMetadataPass to declare compile-time constraint metadata using attributes
• Add CDATA_WRAPPING_NAME_PATTERN support to XmlEncoder
• Add support for can*() methods to AttributeLoader
• Make AttributeMetadata and ClassMetadata final
• Add XmlEncoder::PRESERVE_NUMERIC_KEYS context option
• Deprecate class aliases in the Annotation namespace, use attributes instead
• Deprecate getters in attribute classes in favor of public properties
• Deprecate ClassMetadataFactoryCompiler
• Add FORCE_TIMEZONE_KEY to DateTimeNormalizer to force the timezone during denormalization

7.3

... (truncated)

Commits

• 460c5df Add PR template and auto-close PR on subtree split repositories
• 0f100df Mutate remaining data providers to static ones
• 88eeb78 [Uid][Serializer][Validator] Mention RFC 9562
• b4ad9e6 remove custom CSV escape character from tests
• 1e538a6 use more entropy with uniqid()
• c97dba5 [Serializer] Check if exception message in test is correct
• 3fd3eca bug #57341 [Serializer] properly handle invalid data for false/true types (xa...
• 296df0c bug #57187 [Serializer] Fix ObjectNormalizer with property path (HypeMC)
• d1ffba3 [Serializer] Fix ObjectNormalizer with property path
• 8cdef77 bug #52699 [Serializer] [PropertyAccessor] Ignore non-collection interface ge...
• Additional commits viewable in compare view

Updates symfony/validator from 5.3.6 to 5.4.43

Release notes

Sourced from symfony/validator's releases.

v5.4.43

Changelog (symfony/validator@v5.4.42...v5.4.43)

• bug symfony/symfony#58127 [Validator] synchronize IBAN formats (@​xabbuh)
• bug symfony/symfony#57984 [Validator] Add D regex modifier in relevant validators (@​alexandre-daubois)
• bug symfony/symfony#57925 [Validator] reset the validation context after validating nested constraints (@​xabbuh)
• bug symfony/symfony#57905 [Validator] allow more unicode characters in URL paths (@​xabbuh)

v5.4.42

Changelog (symfony/validator@v5.4.41...v5.4.42)

• bug symfony/symfony#57812 [Validator] treat uninitialized properties referenced by property paths as null (@​xabbuh)

v5.4.41

Changelog (symfony/validator@v5.4.40...v5.4.41)

• bug symfony/symfony#57213 [Validator] [UniqueValidator] Use correct variable as parameter in (custom) error message (@​seho-nl, Sebastien Hoek)

v5.4.40

Changelog (symfony/validator@v5.4.39...v5.4.40)

• bug symfony/symfony#57275 Fix autoload configs to avoid warnings when building optimized autoloaders (@​Seldaek)
• bug symfony/symfony#54924 [Validator] IBAN Check digits should always between 2 and 98 (@​karstennilsen)
• bug symfony/symfony#54834 [Validator] Check Locale class existence before using it (@​alexandre-daubois)
• bug symfony/symfony#54760 [Validator] handle union and intersection types for cascaded validations (@​xabbuh)

v5.4.39

Changelog (symfony/validator@v5.4.38...v5.4.39)

• bug symfony/symfony#54751 [Validator]  detect wrong e-mail validation modes (@​xabbuh)

v5.4.38

Changelog (symfony/validator@v5.4.37...v5.4.38)

• bug symfony/symfony#54219 [Validator] Allow BICs’ first four characters to be digits (@​MatTheCat)

v5.4.36

Changelog (symfony/validator@v5.4.35...v5.4.36)

• bug symfony/symfony#53755 [Validator] Fix fields without constraints in Collection (@​xabbuh, @​HypeMC)

Changelog

Sourced from symfony/validator's changelog.

CHANGELOG

8.0

• Remove support for configuring constraint options implicitly with the XML format

  Before:

  <class name="Symfony\Component\Validator\Tests\Fixtures\NestedAttribute\Entity">
    <constraint name="Callback">
      <value>Symfony\Component\Validator\Tests\Fixtures\CallbackClass</value>
      <value>callback</value>
    </constraint>
  </class>

  After:

  <class name="Symfony\Component\Validator\Tests\Fixtures\NestedAttribute\Entity">
    <constraint name="Callback">
      <option name="callback">
        <value>Symfony\Component\Validator\Tests\Fixtures\CallbackClass</value>
        <value>callback</value>
      </option>
    </constraint>
  </class>

• Remove support for configuring constraint options implicitly with the YAML format

  Before:

  Symfony\Component\Validator\Tests\Fixtures\NestedAttribute\Entity:
    constraints:
      - Callback: validateMeStatic
      - Callback: [Symfony\Component\Validator\Tests\Fixtures\CallbackClass, callback]

  After:

  Symfony\Component\Validator\Tests\Fixtures\NestedAttribute\Entity:
    constraints:
      - Callback:
          callback: validateMeStatic
      - Callback:

... (truncated)

Commits

• 21d022d synchronize IBAN formats
• a1b845a [Translation] Review Serbian translations
• a28c302 [Validator] added Polish translation for units 116-119
• 6586306 minor #57987 [Validator] add German translations for the Week constraint mess...
• 30a719d add German translations for the Week constraint messages
• 3a2f903 bug #57984 [Validator] Add D regex modifier in relevant validators (alexand...
• f44d137 sync Week constraint messages translations
• eac749c [Validator] Add D regex modifier in relevant validators
• f34398f [Validator] Add French translation for the Week constraint
• e6ef5f2 reset the validation context after validating nested constraints
• Additional commits viewable in compare view

Updates lcobucci/jwt from 4.1.4 to 4.3.0

Release notes

Sourced from lcobucci/jwt's releases.

4.3.0

Release Notes for 4.3.0

Feature release (minor)

4.3.0

• Total issues resolved: 0
• Total pull requests resolved: 4
• Total contributors: 4

Dependencies,Improvement

• 986: Allow lcobucci/clock:^3.0 to be installed with lcobucci/jwt:^4 thanks to @​Ocramius

Improvement,Minor BC-break

• 968: Deprecate Ecdsa create thanks to @​lcobucci

Improvement

• 938: Deprecate empty Signer, empty Key and empty Signature thanks to @​Slamdunk

Documentation

• 879: fix typo : you must create a new token builder, thanks to @​roxie-dev

4.2.1

Release Notes for 4.2.1

This release fixes a documentation mistake.

4.2.1

• Total issues resolved: 0
• Total pull requests resolved: 1
• Total contributors: 1

Documentation,Minor BC-break

• 874: Make method explicitly internal thanks to @​lcobucci

4.2.0

Release Notes for 4.2.0

This release provides a high-level API, a new (non-standard) algorithm, and validation for key length requirements. The latter is a minor BC-break for users that aren't following the RFC recommendations.

To contain the impact of the changes and give time for people to rotate keys, we have deprecated implementations that maintain the previous behaviour and allow unsafe keys. For more information, please read the documentation.

... (truncated)

Commits

• 4d7de2f Merge pull request #986 from lcobucci/feature/allow-newer-lcobucci-clock-inst...
• d15f460 Pinpoint a composer-normalize version that supports PHP 7.4
• be16968 Allow lcobucci/clock:^3.0 to be installed with lcobucci/jwt:^4
• 68caae9 Merge pull request #938 from Slamdunk/no_empty_please
• 3388430 Deprecate empty Signer, empty Key and empty Signature
• 007530d Merge pull request #968 from lcobucci/deprecate-ecdsa-create
• 9c55a7b Deprecated method that uses static construction
• 5a97b2b Merge pull request #879 from roxie-dev/patch-1
• a6a7d96 fix typo : you must create a new token builder,
• f3cba0e Merge pull request #875 from lcobucci/4.2.x-merge-up-into-4.3.x_6BWiy2Na
• Additional commits viewable in compare view

Updates phpseclib/phpseclib from 3.0.9 to 3.0.49

Release notes

Sourced from phpseclib/phpseclib's releases.

3.0.49

• more PHP 8.5 deprecations (#2113)
• Keys/OpenSSH: add support for pub keys with multiple spaces / tabs (#2116)

3.0.48

• readd SCP support (#2108)
• SSH2: adjust want_reply handling for GLOBAL_REQUEST and CHANNEL_REQUEST (#2111)
• ASN1: add more validation checks to asn1map (#2104)
• RSA/PSS: more elegant int conversion (#2107)
• more PHP 8.5 deprecations (#2103, #2113)

3.0.47

• fix PHP 8.5 deprecations
• SFTP: check if realpath succeeded when changing SFTP directory (#2098)
• SFTP: add copy() method (only usable if copy-data ext is available) (#2101)

3.0.46

• BigInteger/BCMath: strict_types fix (#2089)

3.0.45

• BigInteger: modPow() calls with negative base gave incorrect result (#2086)
• BigInteger: barrett reduction returned '' vs '0' for bcmath engine (#2087)

3.0.44

• SSH2: add send_eof() method (#2062)
• SSH2: server identification string handling enhancements (#2082, #2083)
• SSH2: shore up terrapin counter measures
• SSH2: fix for packets sent between KEXINIT packets (#2084)
• SFTP: convert filenames to strings (#2065)
• Hash: add cmac_aes algorithm (#1967)
• ASN1: support tags with values >= 30 (#2066)
• PublicKeyLoader: improve handling of bad keys (#2077, #2079)
• RSA: fix for keys with negative modulos (#2085)
• BigInteger: adjust priority with which BCMath is used for PHP 8.4+

3.0.43

• fix PHP 8.4 deprecations
• BigInteger: workaround for regression in GMP that PHP introduced
• BigInteger: speed up Barrett reductions
• X509: make the attributes section of new CSRs be blank (#1522)
• X509: add getRequestedCertificateExtensions()
• X509: algorithmidentifier parameters could get incorrectly set (#2051)
• SSH2: ignore kex-strict-s-v00@openssh.com in key re-exchanges (#2050)
• SSH2: make it so phpseclib initiates key re-exchange after 1GB (#2050)
• SSH2: if string is passed to setPreferredAlgorithms treat as array
• SSH2: update setPreferredAlgorithms() to accept csv's

3.0.42

• X509: CRL version number wasn't correctly being saved (#2037)
• Hash: significantly speed up umac algorithms

... (truncated)

Changelog

Sourced from phpseclib/phpseclib's changelog.

3.0.49 - 2026-01-27

• more PHP 8.5 deprecations (#2113)
• Keys/OpenSSH: add support for pub keys with multiple spaces / tabs (#2116)

3.0.48 - 2025-12-15

• readd SCP support (#2108)
• SSH2: adjust want_reply handling for GLOBAL_REQUEST and CHANNEL_REQUEST (#2111)
• ASN1: add more validation checks to asn1map (#2104)
• RSA/PSS: more elegant int conversion (#2107)
• more PHP 8.5 deprecations (#2103, #2113)

3.0.47 - 2025-10-05

• fix PHP 8.5 deprecations
• SFTP: check if realpath succeeded when changing SFTP directory (#2098)
• SFTP: add copy() method (only usable if copy-data ext is available) (#2101)

3.0.46 - 2025-06-29

• BigInteger/BCMath: strict_types fix (#2089)

3.0.45 - 2025-06-22

• BigInteger: modPow() calls with negative base gave incorrect result (#2086)
• BigInteger: barrett reduction returned '' vs '0' for bcmath engine (#2087)

3.0.44 - 2025-06-15

• SSH2: add send_eof() method (#2062)
• SSH2: server identification string handling enhancements (#2082, #2083)
• SSH2: shore up terrapin counter measures
• SSH2: fix for packets sent between KEXINIT packets (#2084)
• SFTP: convert filenames to strings (#2065)
• Hash: add cmac_aes algorithm (#1967)
• ASN1: support tags with values >= 30 (#2066)
• PublicKeyLoader: improve handling of bad keys (#2077, #2079)
• RSA: fix for keys with negative modulos (#2085)
• BigInteger: adjust priority with which BCMath is used for PHP 8.4+

3.0.43 - 2024-12-14

• fix PHP 8.4 deprecations
• BigInteger: workaround for regression in GMP that PHP introduced
• BigInteger: speed up Barrett reductions
• X509: make the attributes section of new CSRs be blank (#1522)
• X509: add getRequestedCertificateExtensions()
• X509: algorithmidentifier parameters could get incorrectly set (#2051)
• SSH2: ignore kex-strict-s-v00@openssh.com in key re-exchanges (#2050)

... (truncated)

Commits

• 6233a1e Merge branch '2.0' into 3.0
• ed661e7 Merge branch '1.0' into 2.0
• 700d82c CHANGELOG: add 1.0.26 release
• 109ec38 Merge branch '2.0' into 3.0
• ad8a742 Merge branch '1.0' into 2.0
• 4b51d52 BigInteger: another PHP 8.5 deprecation fix
• 94bf93e Merge branch '2.0' into 3.0
• a717aab Merge branch '1.0' into 2.0
• 652fb84 RSA: fix for PHP 8.5 deprecations for RSA / PSS
• 26f567d Merge branch '2.0' into 3.0
• Additional commits viewable in compare view

Updates symfony/http-foundation from 5.3.6 to 5.4.50

Release notes

Sourced from symfony/http-foundation's releases.

v5.4.50

Changelog (symfony/http-foundation@v5.4.49...v5.4.50)

• security symfony/symfony#cve-2025-64500 [HttpFoundation] Fix parsing pathinfo with no leading slash (@​nicolas-grekas)

v5.4.48

Changelog (symfony/http-foundation@v5.4.47...v5.4.48)

• bug symfony/symfony#58836 Work around parse_url() bug (bis) (@​nicolas-grekas)

v5.4.46

Changelog (symfony/http-foundation@v5.4.45...v5.4.46)

• security symfony/symfony#cve-2024-50345 [HttpFoundation] Reject URIs that contain invalid characters (@​nicolas-grekas)

v5.4.45

Changelog (symfony/http-foundation@v5.4.44...v5.4.45)

• bug symfony/symfony#58619 [HttpFoundation][Lock] Ensure compatibility with ext-mongodb v2 (@​GromNaN)

v5.4.44

Changelog (symfony/http-foundation@v5.4.43...v5.4.44)

• bug symfony/symfony#58181 [HttpFoundation] Update links for X-Accel-Redirect and fail properly when X-Accel-Mapping is missing (@​nicolas-grekas)
• bug symfony/symfony#58218 Work around parse_url() bug (@​nicolas-grekas)

v5.4.42

Changelog (symfony/http-foundation@v5.4.41...v5.4.42)

• bug symfony/symfony#57585 [HttpFoundation] Fix MockArraySessionStorage to generate more conform ids (@​Seldaek)

v5.4.40

Changelog (symfony/http-foundation@v5.4.39...v5.4.40)

• bug symfony/symfony#54910 [HttpFoundation]  filter out empty HTTP header parts (@​xabbuh)
• bug symfony/symfony#54816 [Cache] Fix support for predis/predis:^2.0 (@​mfettig)

v5.4.39

Changelog (symfony/http-foundation@v5.4.38...v5.4.39)

• bug symfony/symfony#54506 [HttpFoundation] Set content-type header in RedirectResponse (@​smnandre)

v5.4.38

Changelog (symfony/http-foundation@v5.4.37...v5.4.38)

• no significant changes

v5.4.35

Changelog (symfony/http-foundation@v5.4.34...v5.4.35)

... (truncated)

Changelog

Sourced from symfony/http-foundation's changelog.

CHANGELOG

8.0

• Drop HTTP method override support for methods GET, HEAD, CONNECT and TRACE
• Add argument $subtypeFallback to Request::getFormat()
• Remove the following deprecated session options from NativeSessionStorage: referer_check, use_only_cookies, use_trans_sid, sid_length, sid_bits_per_character, trans_sid_hosts, trans_sid_tags
• Trigger PHP warning when using Request::sendHeaders() after headers have already been sent; use a StreamedResponse instead
• Add arguments $v4Bytes and $v6Bytes to IpUtils::anonymize()
• Add argument $partitioned to ResponseHeaderBag::clearCookie()
• Add argument $expiration to UriSigner::sign()
• Remove Request::get(), use properties ->attributes, query or request directly instead
• Remove accepting null $format argument to Request::setFormat()

7.4

• Add #[WithHttpStatus] to define status codes: 404 for SignedUriException and 403 for ExpiredSignedUriException
• Add support for the QUERY HTTP method
• Add support for structured MIME suffix
• Add Request::set/getAllowedHttpMethodOverride() to list which HTTP methods can be overridden
• Deprecate using Request::sendHeaders() after headers have already been sent; use a StreamedResponse instead
• Deprecate method Request::get(), use properties ->attributes, query or request directly instead
• Make Request::createFromGlobals() parse the body of PUT, DELETE, PATCH and QUERY requests
• Deprecate HTTP method override for methods GET, HEAD, CONNECT and TRACE; it will be ignored in Symfony 8.0
• Deprecate accepting null $format argument to Request::setFormat()

7.3

• Add support for iterable of string in StreamedResponse
• Add EventStreamResponse and ServerEvent classes to streamline server event streaming
• Add support for valkey: / valkeys: schemes for sessions
• Request::getPreferredLanguage() now favors a more preferred language above exactly matching a locale
• Allow UriSigner to use a ClockInterface
• Add UriSigner::verify()

7.2

• Add optional $requests parameter to RequestStack::__construct()
• Add optional $v4Bytes and $v6Bytes parameters to IpUtils::anonymize()
• Add PRIVATE_SUBNETS as a shortcut for private IP address ranges to Request::setTrustedProxies()
• Deprecate passing referer_check, use_only_cookies, use_trans_sid, trans_sid_hosts, trans_sid_tags, sid_bits_per_character and sid_length options to NativeSessionStorage

7.1

... (truncated)

Commits

• 1a0706e [HttpFoundation] Fix parsing pathinfo with no leading slash
• 3f38b8a [HttpFoundation] Fix test
• 897e8a2 [HttpFoundation] Revert risk change
• 3280c9d Work around parse_url() bug (bis)
• 168b77c security #cve-2024-50345 [HttpFoundation] Reject URIs that contain invalid ch...
• 32310ff [HttpFoundation] Reject URIs that contain invalid characters
• 38bd9bc [HttpFoundation] Remove invalid HTTP method from exception message
• 3f38426 Ensure compatibility with mongodb v2
• 35f7b4c session names must not be empty
• e641edd ensure session storages are opened in tests before destroying them
• Additional commits viewable in compare view

Updates symfony/http-kernel from 5.3.6 to 5.4.50

Release notes

Sourced from symfony/http-kernel's releases.

v5.4.50

Changelog (symfony/http-kernel@v5.4.49...v5.4.50)

• no significant changes

v5.4.48

Changelog (symfony/http-kernel@v5.4.47...v5.4.48)

• bug symfony/symfony#58921 [HttpKernel] Ensure HttpCache::getTraceKey() does not throw exception (@​lyrixx)

v5.4.47

Changelog (symfony/http-kernel@v5.4.46...v5.4.47)

• no significant changes

v5.4.46

Changelog (symfony/http-kernel@v5.4.45...v5.4.46)

• no significant changes

v5.4.45

Changelog (symfony/http-kernel@v5.4.44...v5.4.45)

• bug symfony/symfony#58613 Symfony 5.4 LTS will get security fixes until Feb 2029 thanks to Ibexa' sponsoring (@​nicolas-grekas)
• bug symfony/symfony#58376 [HttpKernel] Correctly merge max-age/s-maxage and Expires headers (@​aschempp)
• bug symfony/symfony#58372 Tweak error/exception handler registration (@​nicolas-grekas)

v5.4.44

Changelog (symfony/http-kernel@v5.4.43...v5.4.44)

• bug symfony/symfony#58289 [HttpKernel] Skip logging uncaught exceptions in ErrorHandler, assume $kernel->terminateWithException() will do it (@​nicolas-grekas)
• bug symfony/symfony#58266 [HttpKernel] pass CSV escape characters explicitly (@​xabbuh)

v5.4.43

Changelog (symfony/http-kernel@v5.4.42...v5.4.43)

• no significant changes

v5.4.42

Changelog (symfony/http-kernel@v5.4.41...v5.4.42)

• no significant changes

v5.4.41

Changelog (symfony/http-kernel@v5.4.40...v5.4.41)

• bug symfony/symfony#57372 [HttpKernel][Security] Fix accessing session for stateless request (@​VincentLanglet)

v5.4.40

Changelog (symfony/http-kernel@v5.4.39...v5.4.40)

... (truncated)

Changelog

Sourced from symfony/http-kernel's changelog.

CHANGELOG

8.1

• Add support for UploadedFile when using MapRequestPayload
• Add support for bundles as compiler pass
• Add support for SOURCE_DATE_EPOCH environment variable
• Add property $controllerArgumentsEvent to ResponseEvent
• Add Request attribute _controller_attributes to decouple controller attributes from their source code
• Return attributes as a flat list when using Controller[Arguments]Event::getAttributes('*')
• Pass request and args variables to Cache attribute expressions containing the Request object and controller arguments
• Allow using closures with the Cache attribute
• Allow setting a condition when the Cache attribute should be applied
• Deprecate passing a non-flat list of attributes to Controller::setController()
• Deprecate the Symfony\Component\HttpKernel\DependencyInjection\Extension class, use the parent Symfony\Component\DependencyInjection\Extension\Extension class instead

8.0

• Remove AddAnnotatedClassesToCachePass
• Remove Extension::getAnnotatedClassesToCompile() and Extension::addAnnotatedClassesToCompile()
• Remove Kernel::getAnnotatedClassesToCompile() and Kernel::setAnnotatedClassCache()
• Make ServicesResetter class final
• Add argument $logChannel to ErrorListener::logException()
• Add argument $event to DumpListener::configure()
• Replace __sleep/wakeup() by __(un)serialize() on kernels and data collectors
• Add method getShareDir() to KernelInterface

7.4

• Add support for the QUERY HTTP method
• Deprecate implementing __sleep/wakeup() on kernels; use __(un)serialize() instead
• Deprecate implementing __sleep/wakeup() on data collectors; use __(un)serialize() instead
• Add #[IsSignatureValid] attribute to validate URI signatures
• Make Profile final and Profiler::__sleep() internal
• Collect the application runner class
• Allow configuring DumpListener to use a different dumper when CLI profiling is enabled

7.3

• Record a waitingDescription has been truncated