This week, Symfony 6.4.0 beta 3 and Symfony 7.0.0 beta 3 were published because their final release is approaching fast and it will take place before the end of November 2023. Meanwhile, the maintenance versions 4.4.51, 5.4.31 and 6.3.8 were published to fix some potential security vulnerabilities.

Symfony development highlights

This week, 47 pull requests were merged (43 in code and 4 in docs) and 26 issues were closed (22 in code and 4 in docs). Excluding merges, 22 authors made 937 additions and 334 deletions. See details for code and docs.

5.4 changelog:

  • de8c5fc: [Cache, HttpFoundation, Lock] fix empty username/password for PDO PostgreSQL
  • 03ef859: [HttpFoundation] ensure string type with mbstring func overloading enabled
  • a454d0c: [Messenger] fix compatibility with Doctrine DBAL 4
  • 0ff9ed4: [String] method toByteString conversion using iconv is unreachable
  • 9b2c2a4: [Config] prefix FileExistenceResource::__toString() to avoid conflict with FileResource
  • 86c8f97: [SecurityBundle] wire the secret for Symfony 6.4 compatibility
  • 7467bd7: [Security] fix possible session fixation when only the token changes
  • 5d095d5: [TwigBridge] ensure CodeExtension's filters properly escape their input
  • 5611ed4: [Validator] update Greek translation

6.3 changelog:

  • b8bba36: [HttpClient, WebProfilerBundle] do not generate cURL command when files are uploaded
  • 03ef859: [HttpFoundation] ensure string type with mbstring func overloading enabled
  • 3922e80: [VarDumper] accept mixed key on DsPairStub
  • d42b5c3: [FrameworkBundle] don't reference SYMFONY_IDE env var in non-debug mode
  • 5d095d5: [TwigBridge] ensure CodeExtension's filters properly escape their input
  • 82b811d: [RateLimiter] CompoundLimiter was accepting requests even when some limiters already consumed all tokens
  • c329f2d: [Webhook] remove user-submitted type from HTTP response

6.4 changelog:

  • d308e2c: [Console, FrameworkBundle] fix missing profile option for console commands
  • fbc44f2: [HttpKernel] the debug log processor must be a callable
  • cf5510d: check whether secrets are empty and mark them all as sensitive
  • f0fcc9f: [HttpKernel] add ControllerResolver::allowControllers() to define which callables are legit controllers when the _check_controller_is_allowed request attribute is set
  • caf41fc: [Webhook] check that the secret passed to RequestParser is not empty
  • 1984b96: [HttpKernel] check controllers are allowed when using the fallback surrogate strategy
  • f04ea7c: [Ldap] set exception code to ldap error number
  • 1ec29ce: [String] remove error handler not needed on PHP 8
  • 3128c60: [AssetMapper] fix jsdelivr import parsing with no imported value
  • fa4726f: [AssetMapper] if assets are served from a subdirectory or CDN, also adjust importmap keys
  • a647f55: [AssetMapper] avoid caching MappedAsset inside JavaScript Import
  • 18d866c: [AssetMapper] improving exception if a vendor asset's path is not mapped
  • 541c80c: [AssetMapper] only download a CSS file if it is explicitly advertised

Newest issues and pull requests

Symfony CLI

Symfony CLI is a must-have tool when developing Symfony applications on your local machine. It includes the Symfony Local Server, the best way to run local Symfony applications. This week Symfony CLI released its new 5.7.1 and 5.7.2 versions with the following changes:

  • Use the original inotify repository (@fabpot)
  • Make DOCKER_HOST configurable (@fabpot)
  • Add support for PHP streaming support (@tucksaun)
  • Use --wait instead of --detach for docker_composer worker (@tucksaun)

SymfonyCasts Updates

SymfonyCasts is the official way to learn Symfony. Select a track for a guided path through 100+ video tutorial courses about Symfony, PHP and JavaScript.

This week, SymfonyCasts announced a new course called 30 Days with LAST Stack. These were some of the most relevant SymfonyCasts updates of the week:

They talked about us

Call to Action

Published in #A week of symfony