v6.4.0-RC2

Changelog (v6.4.0-RC1...v6.4.0-RC2)

• bug #52724 [Security] make secret required for DefaultLoginRateLimiter (@RobertMe)
• bug #52617 [AssetMapper] Fix resolving jsdeliver default + other exports from modules (@ogizanagi)
• feature #52712 [AssetMapper] Exclude dot files (@weaverryan)
• bug #52725 [AssetMapper] Fix: also download files referenced by url() in CSS (@weaverryan)
• bug #52702 [AssetMapper] Fix eager imports are not deduplicated (@smnandre)
• bug #52719 [Mime] Add TemplatedEmail::$locale to the serialized props (@mkrauser)
• bug #52677 [Translation] [Lokalise] Fix language format on Lokalise Provider (@welcoMattic)
• bug #52715 [Cache] fix detecting the database server version (@xabbuh)
• bug #52688 [Cache] Add url decoding of password in RedisTrait DSN (@alexandre-daubois)
• bug #52172 [Serializer] Fix denormalizing empty string into object|null parameter (@Jeroeny)
• bug #52693 [Messenger] Fix message handlers with multiple from_transports (@valtzu)
• bug #52684 [PropertyInfo] Fixed promoted property type detection for PhpStanExtractor (@LastDragon-ru)
• bug #52681 [Serializer] Fix support for DiscriminatorMap in PropertyNormalizer (@mtarld)
• bug #52680 [Serializer] Fix access to private properties/getters when using the @Ignore annotation (@mtarld)
• bug #52713 [Serializer] Fix deserialization_path missing using contructor (@mtarld)
• bug #52683 [Serializer] Fix constructor deserialization path (@mtarld)
• bug #52707 [HttpKernel] Fix logging deprecations to the "php" channel when channel "deprecation" is not defined (@nicolas-grekas)
• bug #52589 [Serializer] Fix XML attributes not added on empty node (@mtarld)
• bug #52686 [Cache] fix detecting the server version with Doctrine DBAL 4 (@xabbuh)
• bug #52629 [Messenger] Fix support for Redis Sentinel using php-redis 6.0.0 (@pepeh)
• bug #52656 [FrameworkBundle] Add TemplateController to the list of allowed controllers for fragments (@nicolas-grekas)
• bug #52459 [Cache][HttpFoundation][Lock] Fix PDO store not creating table + add tests (@HypeMC)
• bug #52626 [Serializer] Fix denormalizing date intervals having both weeks and days (@oneNevan)
• bug #52578 [Serializer] Fix denormalize constructor arguments (@mtarld)
• bug #52526 Add some more non-countable English nouns (@paullallier)
• bug #52604 [FrameworkBundle] register the virtual request stack together with common profiling services (@xabbuh)
• bug #52039 [Scheduler] Continue with stored Checkpoint::$time on lock (@Jeroeny)
• bug #52631 [DomCrawler] Revert "bug #52579 UriResolver support path with colons" (@lyrixx)
• bug #52618 [VarExporter] Fix handling mangled property names returned by __sleep() (@nicolas-grekas)

[PR] #52742

v7.0.0-RC1

Changelog (v7.0.0-BETA3...v7.0.0-RC1)

• bug #52597 [DependencyInjection] Fix dumping containers with null-referenced services (@nicolas-grekas)
• bug #52588 [Messenger] Use extension_loaded call to check if pcntl extension is loaded, as SIGTERM might be set be swoole (Sergii Dolgushev)
• feature #52569 [VarExporter] Drop support for partially initialized lazy object (@nicolas-grekas)
• bug #52567 [AssetMapper] Fixing js sourceMappingURL extraction when sourceMappingURL used in code (@weaverryan)
• bug #52579 [DomCrawler] UriResolver support path with colons (@vdauchy)
• bug #52581 [Messenger] attach all required parameters to query (@xabbuh)
• feature #52568 [VarExporter] Deprecate per-property lazy-initializers (@nicolas-grekas)
• feature #52560 [Mailer] Update default Mailjet port (@Katario)

[PR] #52600

v6.4.0-RC1

Changelog (v6.4.0-BETA3...v6.4.0-RC1)

• bug #52588 [Messenger] Use extension_loaded call to check if pcntl extension is loaded, as SIGTERM might be set be swoole (Sergii Dolgushev)
• bug #52567 [AssetMapper] Fixing js sourceMappingURL extraction when sourceMappingURL used in code (@weaverryan)
• bug #52579 [DomCrawler] UriResolver support path with colons (@vdauchy)
• bug #52581 [Messenger] attach all required parameters to query (@xabbuh)
• feature #52568 [VarExporter] Deprecate per-property lazy-initializers (@nicolas-grekas)
• feature #52560 [Mailer] Update default Mailjet port (@Katario)

[PR] #52599

v7.0.0-BETA3

Changelog (v7.0.0-BETA2...v7.0.0-BETA3)

• bug #51666 [RateLimiter] CompoundLimiter was accepting requests even when some limiters already consumed all tokens (@10n)
• bug #52524 [AssetMapper] Only download a CSS file if it is explicitly advertised (@weaverryan)
• bug #52523 [AssetMapper] avoid caching MappedAsset inside JavaScript Import (@weaverryan)
• bug #52519 [AssetMapper] If assets are served from a subdirectory or CDN, also adjust importmap keys (@weaverryan)
• bug #52508 [AssetMapper] Fix jsdelivr import parsing with no imported value (@weaverryan)
• security #cve-2023-46734 [TwigBridge] Ensure CodeExtension's filters properly escape their input (@nicolas-grekas, @GromNaN)
• security #cve-2023-46735 [Webhook] Remove user-submitted type from HTTP response (@nicolas-grekas)
• security #cve-2023-46733 [Security] Fix possible session fixation when only the token changes (@RobertMe)
• bug #52514 [FrameworkBundle] Don't reference SYMFONY_IDE env var in non-debug mode (@nicolas-grekas)
• bug #52506 [SecurityBundle] wire the secret for Symfony 6.4 compatibility (@xabbuh)
• bug #52496 [VarDumper] Accept mixed key on DsPairStub (@marc-mabe)
• bug #52502 [Config] Prefixing FileExistenceResource::__toString() to avoid conflict with FileResource (@weaverryan)
• bug #52491 [String] Method toByteString conversion using iconv is unreachable (@Vincentv92)
• bug #52488 [HttpKernel] Fix PHP deprecation (@nicolas-grekas)
• bug #52469 Check whether secrets are empty and mark them all as sensitive (@nicolas-grekas)
• feature #52471 [HttpKernel] Add ControllerResolver::allowControllers() to define which callables are legit controllers when the _check_controller_is_allowed request attribute is set (@nicolas-grekas)
• bug #52476 [Messenger] fix compatibility with Doctrine DBAL 4 (@xabbuh)
• bug #52434 [Console][FrameworkBundle] Fix missing profile option for console commands (@keulinho)
• bug #52474 [HttpFoundation] ensure string type with mbstring func overloading enabled (@xabbuh)
• bug #52472 [HttpClient][WebProfilerBundle] Do not generate cURL command when files are uploaded (@MatTheCat)
• bug #52457 [Cache][HttpFoundation][Lock] Fix empty username/password for PDO PostgreSQL (@HypeMC)
• bug #52443 [Yaml] Fix uid binary parsing (@mRoca)
• feature #52449 [TwigBridge] Mark CodeExtension as @internal (@fabpot)
• bug #52429 [HttpClient] Replace escapeshellarg to prevent overpassing ARG_MAX (@alexandre-daubois)
• bug #52442 Disable the "Copy as cURL" button when the debug info are disabled (@stof)
• bug #52444 Remove full DSNs from exception messages (@nicolas-grekas)
• bug #52438 [HttpKernel] Fix uninitialized property in Bundle class (@javiereguiluz)
• feature #52336 [HttpFoundation][Lock] Makes MongoDB adapters usable with ext-mongodb only (@GromNaN)
• bug #52428 [HttpKernel] Preventing error 500 when function putenv is disabled (@ShaiMagal)
• bug #52427 [Console][Process] do not let context classes extend the message classes (@xabbuh)
• bug #52408 [Yaml] Fix block scalar array parsing (@NickSdot)
• bug #52132 [Console] Fix horizontal table top border is incorrectly rendered (@OskarStark)
• bug #52368 [AssetMapper] Fixing bug where JSCompiler used non-absolute importmap entry path (@weaverryan)
• bug #52367 [Uid] Fix UuidV7 collisions within the same ms (@nicolas-grekas)
• bug #52287 [FrameworkBundle] Fix deprecation layer for "enable_annotations" in validation and serializer configuration (@lyrixx)
• bug #52222 [MonologBridge] Fix support for monolog 3.0 (@louismariegaborit)

[PR] #52541
[SECURITY] Security release

v6.4.0-BETA3

Changelog (v6.4.0-BETA2...v6.4.0-BETA3)

• bug #51666 [RateLimiter] CompoundLimiter was accepting requests even when some limiters already consumed all tokens (@10n)
• bug #52524 [AssetMapper] Only download a CSS file if it is explicitly advertised (@weaverryan)
• bug #52523 [AssetMapper] avoid caching MappedAsset inside JavaScript Import (@weaverryan)
• bug #52519 [AssetMapper] If assets are served from a subdirectory or CDN, also adjust importmap keys (@weaverryan)
• bug #52508 [AssetMapper] Fix jsdelivr import parsing with no imported value (@weaverryan)
• security #cve-2023-46734 [TwigBridge] Ensure CodeExtension's filters properly escape their input (@nicolas-grekas, @GromNaN)
• security #cve-2023-46735 [Webhook] Remove user-submitted type from HTTP response (@nicolas-grekas)
• security #cve-2023-46733 [Security] Fix possible session fixation when only the token changes (@RobertMe)
• bug #52514 [FrameworkBundle] Don't reference SYMFONY_IDE env var in non-debug mode (@nicolas-grekas)
• bug #52506 [SecurityBundle] wire the secret for Symfony 6.4 compatibility (@xabbuh)
• bug #52496 [VarDumper] Accept mixed key on DsPairStub (@marc-mabe)
• bug #52502 [Config] Prefixing FileExistenceResource::__toString() to avoid conflict with FileResource (@weaverryan)
• bug #52491 [String] Method toByteString conversion using iconv is unreachable (@Vincentv92)
• bug #52488 [HttpKernel] Fix PHP deprecation (@nicolas-grekas)
• bug #52469 Check whether secrets are empty and mark them all as sensitive (@nicolas-grekas)
• feature #52471 [HttpKernel] Add ControllerResolver::allowControllers() to define which callables are legit controllers when the _check_controller_is_allowed request attribute is set (@nicolas-grekas)
• bug #52476 [Messenger] fix compatibility with Doctrine DBAL 4 (@xabbuh)
• bug #52434 [Console][FrameworkBundle] Fix missing profile option for console commands (@keulinho)
• bug #52474 [HttpFoundation] ensure string type with mbstring func overloading enabled (@xabbuh)
• bug #52472 [HttpClient][WebProfilerBundle] Do not generate cURL command when files are uploaded (@MatTheCat)
• bug #52457 [Cache][HttpFoundation][Lock] Fix empty username/password for PDO PostgreSQL (@HypeMC)
• bug #52443 [Yaml] Fix uid binary parsing (@mRoca)
• feature #52449 [TwigBridge] Mark CodeExtension as @internal (@fabpot)
• bug #52429 [HttpClient] Replace escapeshellarg to prevent overpassing ARG_MAX (@alexandre-daubois)
• bug #52442 Disable the "Copy as cURL" button when the debug info are disabled (@stof)
• bug #52444 Remove full DSNs from exception messages (@nicolas-grekas)
• feature #52336 [HttpFoundation][Lock] Makes MongoDB adapters usable with ext-mongodb only (@GromNaN)
• bug #52428 [HttpKernel] Preventing error 500 when function putenv is disabled (@ShaiMagal)
• bug #52427 [Console][Process] do not let context classes extend the message classes (@xabbuh)
• bug #52408 [Yaml] Fix block scalar array parsing (@NickSdot)
• bug #52132 [Console] Fix horizontal table top border is incorrectly rendered (@OskarStark)
• bug #52368 [AssetMapper] Fixing bug where JSCompiler used non-absolute importmap entry path (@weaverryan)
• bug #52367 [Uid] Fix UuidV7 collisions within the same ms (@nicolas-grekas)
• bug #52287 [FrameworkBundle] Fix deprecation layer for "enable_annotations" in validation and serializer configuration (@lyrixx)
• bug #52222 [MonologBridge] Fix support for monolog 3.0 (@louismariegaborit)

[PR] #52538
[SECURITY] Security release

v6.3.8

Changelog (v6.3.7...v6.3.8)

• bug #51666 [RateLimiter] CompoundLimiter was accepting requests even when some limiters already consumed all tokens (@10n)
• security #cve-2023-46734 [TwigBridge] Ensure CodeExtension's filters properly escape their input (@nicolas-grekas, @GromNaN)
• security #cve-2023-46735 [Webhook] Remove user-submitted type from HTTP response (@nicolas-grekas)
• security #cve-2023-46733 [Security] Fix possible session fixation when only the token changes (@RobertMe)
• bug #52514 [FrameworkBundle] Don't reference SYMFONY_IDE env var in non-debug mode (@nicolas-grekas)
• bug #52506 [SecurityBundle] wire the secret for Symfony 6.4 compatibility (@xabbuh)
• bug #52496 [VarDumper] Accept mixed key on DsPairStub (@marc-mabe)
• bug #52502 [Config] Prefixing FileExistenceResource::__toString() to avoid conflict with FileResource (@weaverryan)
• bug #52491 [String] Method toByteString conversion using iconv is unreachable (@Vincentv92)
• bug #52488 [HttpKernel] Fix PHP deprecation (@nicolas-grekas)
• bug #52476 [Messenger] fix compatibility with Doctrine DBAL 4 (@xabbuh)
• bug #52474 [HttpFoundation] ensure string type with mbstring func overloading enabled (@xabbuh)
• bug #52472 [HttpClient][WebProfilerBundle] Do not generate cURL command when files are uploaded (@MatTheCat)
• bug #52457 [Cache][HttpFoundation][Lock] Fix empty username/password for PDO PostgreSQL (@HypeMC)
• bug #52443 [Yaml] Fix uid binary parsing (@mRoca)
• bug #52429 [HttpClient] Replace escapeshellarg to prevent overpassing ARG_MAX (@alexandre-daubois)
• bug #52442 Disable the "Copy as cURL" button when the debug info are disabled (@stof)
• bug #52444 Remove full DSNs from exception messages (@nicolas-grekas)
• bug #52428 [HttpKernel] Preventing error 500 when function putenv is disabled (@ShaiMagal)
• bug #52408 [Yaml] Fix block scalar array parsing (@NickSdot)
• bug #52132 [Console] Fix horizontal table top border is incorrectly rendered (@OskarStark)
• bug #52367 [Uid] Fix UuidV7 collisions within the same ms (@nicolas-grekas)
• bug #52222 [MonologBridge] Fix support for monolog 3.0 (@louismariegaborit)

[PR] #52536
[SECURITY] Security release

v5.4.31

Changelog (v5.4.30...v5.4.31)

• security #cve-2023-46734 [TwigBridge] Ensure CodeExtension's filters properly escape their input (@nicolas-grekas, @GromNaN)
• security #cve-2023-46733 [Security] Fix possible session fixation when only the token changes (@RobertMe)
• bug #52506 [SecurityBundle] wire the secret for Symfony 6.4 compatibility (@xabbuh)
• bug #52502 [Config] Prefixing FileExistenceResource::__toString() to avoid conflict with FileResource (@weaverryan)
• bug #52491 [String] Method toByteString conversion using iconv is unreachable (@Vincentv92)
• bug #52488 [HttpKernel] Fix PHP deprecation (@nicolas-grekas)
• bug #52476 [Messenger] fix compatibility with Doctrine DBAL 4 (@xabbuh)
• bug #52474 [HttpFoundation] ensure string type with mbstring func overloading enabled (@xabbuh)
• bug #52457 [Cache][HttpFoundation][Lock] Fix empty username/password for PDO PostgreSQL (@HypeMC)
• bug #52443 [Yaml] Fix uid binary parsing (@mRoca)
• bug #52444 Remove full DSNs from exception messages (@nicolas-grekas)
• bug #52428 [HttpKernel] Preventing error 500 when function putenv is disabled (@ShaiMagal)
• bug #52408 [Yaml] Fix block scalar array parsing (@NickSdot)
• bug #52329 [HttpClient] Psr18Client: parse HTTP Reason Phrase for Response (@Hanmac)

[PR] #52535
[SECURITY] Security release

v4.4.51

Changelog (v4.4.50...v4.4.51)

• security #cve-2023-46734 [TwigBridge] Ensure CodeExtension's filters properly escape their input (@nicolas-grekas, @GromNaN)

[PR] #52534
[SECURITY] Security release

v7.0.0-BETA2

Changelog (v7.0.0-BETA1...v7.0.0-BETA2)

• bug #52329 [HttpClient] Psr18Client: parse HTTP Reason Phrase for Response (@Hanmac)
• bug #52323 [AssetMapper] Allowing circular references in JavaScriptImportPathCompiler (@weaverryan)
• bug #52331 [AssetMapper] Fix file deleting errors & remove nullable MappedAsset on JS import (@weaverryan)
• bug #52332 [Yaml] Fix deprecated passing null to trim() (@javaDeveloperKid)
• bug #52349 [AssetMapper] Fix in-file imports to resolve via filesystem (@weaverryan)
• bug #52343 [Intl] Update the ICU data to 74.1 (@jderusse)
• bug #52347 [Form] Fix merging form data and files (ter) (Jan Pintr)
• bug #52330 [AssetMapper] Fixing memory bug where we stored way more file content than needed (@weaverryan)
• bug #52325 [AssetMapper] jsdelivr "no version" import syntax (@weaverryan)
• bug #52307 [Scheduler] Save checkpoint in a finally block (@FrancoisPog)
• feature #52193 [PhpUnitBridge] Allow setting the locale using SYMFONY_PHPUNIT_LOCALE env var (@VincentLanglet)
• bug #52290 [DebugBundle] ignore a not-existing virtual request stack (@xabbuh)
• bug #52308 [SecurityBundle] Fix missing login-link element in xsd schema (@fancyweb)
• bug #51331 [Messenger] add handler description as array key to HandlerFailedException::getWrappedExceptions() (@kbond)
• bug #52298 [HttpKernel] Update AbstractBundle.php, use !isset($this->path) (@tacman)
• bug #51992 [Serializer] Fix using DateIntervalNormalizer with union types (@Jeroeny)
• bug #52276 DB table locks on messenger_messages with many failures (@bn-jdcook)
• bug #52232 [Messenger] declare constructor argument as optional for backwards compatibility (@xabbuh)
• bug #52254 [AssetMapper] Adding import-parsing case where import contains a path (@weaverryan)
• bug #52283 [Serializer] Handle default context when denormalizing timestamps in DateTimeNormalizer (@mtarld)
• bug #52272 [VarDump] Fix order of dumped properties - parent goes first (@lyrixx)
• bug #52274 [FrameworkBundle] re-introduce conflict rule with WebProfilerBundle < 6.4 (@xabbuh)
• bug #52268 [Mailer][Notifier] Update Sendinblue / Brevo API host (@stephanie)
• bug #52255 [Form] Skip merging params & files if there are no files in the first place (@dmaicher, @priyadi)
• bug #52234  add return type hints to EntityFactory (@xabbuh)
• bug #52229 [FrameworkBundle] Fix CommandDataCollector is always registered (@smnandre)
• bug #52218 [FrameworkBundle] Add conflict with WebProfilerBundle < 6.4 (@HeahDude)

[PR] #52362

v6.4.0-BETA2

Changelog (v6.4.0-BETA1...v6.4.0-BETA2)

• bug #52329 [HttpClient] Psr18Client: parse HTTP Reason Phrase for Response (@Hanmac)
• bug #52323 [AssetMapper] Allowing circular references in JavaScriptImportPathCompiler (@weaverryan)
• bug #52331 [AssetMapper] Fix file deleting errors & remove nullable MappedAsset on JS import (@weaverryan)
• bug #52332 [Yaml] Fix deprecated passing null to trim() (@javaDeveloperKid)
• bug #52349 [AssetMapper] Fix in-file imports to resolve via filesystem (@weaverryan)
• bug #52343 [Intl] Update the ICU data to 74.1 (@jderusse)
• bug #52347 [Form] Fix merging form data and files (ter) (Jan Pintr)
• bug #52330 [AssetMapper] Fixing memory bug where we stored way more file content than needed (@weaverryan)
• bug #52325 [AssetMapper] jsdelivr "no version" import syntax (@weaverryan)
• bug #52307 [Scheduler] Save checkpoint in a finally block (@FrancoisPog)
• feature #52193 [PhpUnitBridge] Allow setting the locale using SYMFONY_PHPUNIT_LOCALE env var (@VincentLanglet)
• bug #52290 [DebugBundle] ignore a not-existing virtual request stack (@xabbuh)
• bug #52308 [SecurityBundle] Fix missing login-link element in xsd schema (@fancyweb)
• bug #51331 [Messenger] add handler description as array key to HandlerFailedException::getWrappedExceptions() (@kbond)
• bug #51992 [Serializer] Fix using DateIntervalNormalizer with union types (@Jeroeny)
• bug #52276 DB table locks on messenger_messages with many failures (@bn-jdcook)
• bug #52232 [Messenger] declare constructor argument as optional for backwards compatibility (@xabbuh)
• bug #52254 [AssetMapper] Adding import-parsing case where import contains a path (@weaverryan)
• bug #52283 [Serializer] Handle default context when denormalizing timestamps in DateTimeNormalizer (@mtarld)
• bug #52272 [VarDump] Fix order of dumped properties - parent goes first (@lyrixx)
• bug #52274 [FrameworkBundle] re-introduce conflict rule with WebProfilerBundle < 6.4 (@xabbuh)
• bug #52268 [Mailer][Notifier] Update Sendinblue / Brevo API host (@stephanie)
• bug #52255 [Form] Skip merging params & files if there are no files in the first place (@dmaicher, @priyadi)
• bug #52234  add return type hints to EntityFactory (@xabbuh)
• bug #52229 [FrameworkBundle] Fix CommandDataCollector is always registered (@smnandre)
• bug #52218 [FrameworkBundle] Add conflict with WebProfilerBundle < 6.4 (@HeahDude)

[PR] #52358