A Week of Symfony #932 (4-10 November 2024)

This week, Symfony 5.4.46, 6.4.14, and 7.1.7, maintenance versions were released. In addition, we released the second beta version of Symfony 7.2 ahead of its final release at the end of November 2024. Lastly, we published eight security advisories to fix some reported security issues in Symfony and Twig.

Symfony development highlights

This week, 63 pull requests were merged (54 in code and 9 in docs) and 31 issues were closed (29 in code and 2 in docs). Excluding merges, 27 authors made 110,464 additions and 83,806 deletions. See details for code and docs.

5.4 changelog:

• 81bffdf: [Process] return built-in cmd.exe commands directly in ExecutableFinder
• f9c3a00: [Process] ignore case of built-in cmd.exe commands
• 3f16033: [Process] improve test cleanup by unlinking in a finally block
• de6090a, 69e69a1: [Process] fix the directory separator being used
• 5865f28: [Process] fix escaping /X arguments on Windows
• 25c9cbe: [WebProfilerBoundle] form data collector check passed and resolved options are defined
• e37bdf0: [Config] handle Phar absolute path in FileLocator
• 5ebc4c3: [Cache] fix clear() when using Predis
• c905bb4: [Security] store original token in token storage when implicitly exiting impersonation
• d2ba257: [RateLimiter] fix DateInterval normalization
• 5d5e728: [VarDumper] fix detecting anonymous exception classes on Windows and PHP 7
• 30810ed: [Runtime] security #cve-2024-50340: do not read from argv on non-CLI SAPIs
• ad0a241: [HttpFoundation] security #cve-2024-50345: reject URIs that contain invalid characters
• 3fc5471: [HttpClient] security #cve-2024-50342: filter private IPs before connecting when Host == IP
• eb79fc2: [Process] security #cve-2024-51736: use %PATH% before %CD% to load the shell on Windows
• e1da961: [DoctrineBridge] backport detection fix of Xml/Yaml driver in DoctrineExtension
• 7fc0b9e: [Process] normalize paths to avoid failures if a path is referenced by different names
• 67e9009: [Console] skip autocomplete test when stty is not available
• 05ab010: [PropertyInfo] fix support for phpstan/phpdoc-parser 2
• d51863d: update ICU data from 75.1 to 76.1
• d77f5d9: relax format assertions for fstat() results on Windows
• da4eb8b: [RateLimiter] handle error results of DateTime::modify()

6.4 changelog:

• a7aa4b1: [WebProfilerBundle] re-add missing Profiler shortcuts on Profiler homepage
• 7e1af9f: [HttpFoundation] require Cache component versions compatible with Redis 6.1
• 91acfa8: [Messenger, RateLimiter] fix additional message handled when using a rate limiter
• 6fb5163: [Twitter, Notifier] fix post INIT upload
• d9cecb7: [AssetMapper] fix JavaScriptImportPathCompiler regex for non-latin characters
• c15a195: [RateLimiter] fix bucket size reduced when previously created with bigger size
• 8dabfd7: [Serializer] fixed object normalizer for a class with cancel method

7.1 changelog:

• d846c6e: [Notifier] fix test with hard coded date in SmsboxTransportTest
• 4829c82: [HttpFoundation] fix support for \SplTempFileObject in BinaryFileResponse
• e713ac2: [Serializer] revert Default groups

7.2 changelog:

• dd8c233: [Routing] rename annotations to attribute in AttributeClassLoader
• 3b5f623: [Mime] don't require passing the encoder name to TextPart
• 5557736: [TwigBridge] use reproducible variable names in the default domain node visitor
• 352786c: [DependencyInjection, HttpClient, Routing] reject URIs that contain invalid characters
• 19f89d6: [Validator] improve type for the mode property of the Bic constraint
• d8f8080: [Mailer] use microsecond precision SMTP logging
• 2f57eaf: [Runtime] negate register_argc_argv when On
• 861a84e: [Messenger] use official YAML media type
• 4e682e4: [Messenger] extend SQS visibility timeout for messages that are still being processed

Newest issues and pull requests

• [FrameworkBundle] Add the config() function
• [VarDumper] Add dq() function for SQL query debugging
• Add a command to dump static error pages
• [WebProfilerBundle] add debugbar on StreamedResponse
• [Mailer], add support for custom headers in Amazon ses+api

Symfony Jobs

These are some of the most recent Symfony job offers:

• Backend Symfony Developer at Ticketpark Ltd.
  Full-time - €60,000 – €80,000 / year
  Full remote
  View details
• Backend Symfony Developer at Cobbleweb
  Full-time - €40,000 – €60,000 / year
  Full remote
  View details
• Technical Expert for a Symfony project at SensioLabs
  Full-time - €55,000 – €80,000 / year
  Full remote
  View details

You can publish a Symfony job offer for free on symfony.com.

SymfonyCasts Updates

SymfonyCasts is the official way to learn Symfony. Select a track for a guided path through 100+ video tutorial courses about Symfony, PHP and JavaScript.

This week, SymfonyCasts published the following updates:

• New course announced: Mailer and Webhook with Mailtrap
• (Video) Dependency Injection Attributes: Lazy Services
• (Video) Dependency Injection Attributes: More Laziness Attributes

They talked about us

• Supercharge Your Symfony App with Smart Device Detection
• New in EasyAdmin: Pretty URLs

Call to Action

• Follow Symfony on X, on Mastodon, on Bluesky and on Threads and share this article.
• Subscribe to the Symfony blog RSS and never miss a Symfony story again.