This week, development activity focused on adding new features to the upcoming Symfony 8.1 version. Meanwhile, we published 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5 versions to address a potential security vulnerability. Finally, we published an article about hardening Symfony with recent security improvements.

Symfony development highlights

This week, 78 pull requests were merged (65 in code and 13 in docs) and 48 issues were closed (41 in code and 7 in docs). Excluding merges, 42 authors made additions and deletions. See details for code and docs.

6.4 changelog:

4d887e9: [Serializer] apply #[Ignore] to the right metadata
381475e: [Finder] fix appending empty iterators
3520393: [Process] fix escaping for MSYS on Windows
55457bb: [FrameworkBundle] clean http_cache dir in KernelTestCase::ensureKernelShutdown()
939c8ec: [PropertyInfo] fix resolution of self/parent types in inherited DocBlocks
29ff926: [Process] fix escaping for MSYS on Windows
a2dfc9e: [Messenger] only send UNLISTEN query if we are actively listening
89bf526: [HttpClient] fix dealing with multiple levels of AsyncResponse decoration
668123e: [HttpFoundation] fix PdoSessionHandler charset-collation mismatch with the Doctrine DBAL
8932fbb: [RateLimiter] persist state when consuming negative tokens
734e626: [PropertyInfo] fix DocBlock resolution for inherited promoted properties
d9e6ab9: [HttpClient] fix dealing with truncated streams after headers arrived with CurlHttpClient
1eff3ba: [Finder] fix SortableIterator inadvertently and inconsistently deduplicating appended iterators
5df14d4: [Cache, HttpFoundation, Lock] fix engine declaration on MySQL pdo table creations
477981c: [Messenger] fix calling nack() when ack() fails
33d0609: [Translation] fix for Crowdin Translation File Replaced with Partial Data When Pushing Default Locale Without --force
41d50ce: [DependencyInjection, HttpKernel] fix parsing Target attributes on properties and on controllers
a2f5f0f: [Messenger] avoid skipping batch handlers on flush
f008610: [FrameworkBundle] fix accessing the test container when using KernelTestCase in non-debug mode
8d7189c: [Console] fall back to 0 when getCode() does not provide an integer
92a6eff: [HttpFoundation] fix calling UploadedFile::getErrorMessage() to a file which has no error and is uploaded successfully
046f865: [DependencyInjection] fix ignore invalid_reference behavior param for the some services
a91b5ee: [FrameworkBundle] add missing useAttributeAsKey calls

7.3 changelog:

ba9dc32: [DependencyInjection] fix lazy proxy type resolution for decorated services

7.4 changelog:

166ad7e: [FrameworkBundle] fix clearing the HttpCache store in tests
75c90a4: [HttpKernel] bypass mapping construction when RedirectController::urlRedirectAction is triggered

8.1 changelog:

0689cbb: [Lock] Use more precise FlockStore::$lockPath types
b136c94: [Console] allow object as default for input options and arguments
76798a7: [TypeInfo] allow resolving object shapes
28e7f46: [Messenger] add support for custom type in Serializer Transport
7396361: [FrameworkBundle, JsonStreamer] add default options
8cf156d: [Security] decouple SameOriginCsrfTokenManager from event listening
495c1bb: [FrameworkBundle] add shortcut to run console command in tests
007ef07: [Console] add TesterTrait::assertCommandFailed and TesterTrait::assertCommandIsInvalid helpers
ab2bc8f: [Security] adjust deprecated messages in SameOriginCsrfTokenManager
40aa073: [Messenger] added the ability to force RedisCluster
07d7b74: [FrameworkBundle] allow default action in HtmlSanitizer configuration
5f2d658: [Notifier] add support for local API server in Telegram
c074fa3: [Serializer] trigger deprecation when could not parse date with default format
848b546, 98671dd: [Validator] add Xml constraint
0dd4323: [ExpressionLanguage] add support for null-safe syntax for array access
d96073c: [Finder] allow finder to set the UNIX_PATH flag when recursing directories
503e6b9: [Messenger] add regex support for transport name matching in messenger:consume command
9f22346: [Security] add retrieval of parent role names
07f8717: [DomCrawler] allow to add choices to single select
74dcd22: [DependencyInjection] add target parameter to #[AsAlias] attribute

Newest issues and pull requests

Symfony Jobs

These are some of the most recent Symfony job offers:

Backend Symfony Developer at Licorn Group SA
Contract / Freelance - €350 – €450 / day
Full remote
View details
Software Architect for a Symfony project at Califrais
Full-time - €60,000 – €75,000 / year
Remote + part-time onsite (Paris, France)
View details
Symfony Developer at Paystone
Full-time - CA$75,000 – CA$100,000 / year
Full remote
View details
Symfony Developer at Dutch Volleyball Federation Nevobo
Full-time - €33,000 – €46,000 / year
Remote + part-time onsite (Utrecht, Netherlands)
View details
DevOps for a Symfony project at Dayuse
Full-time - €50,000 – €60,000 / year
Remote + part-time onsite (Paris, France)
View details

You can publish a Symfony job offer for free on symfony.com.

SymfonyCasts Updates

SymfonyCasts is the official way to learn Symfony. Select a track for a guided path through 100+ video tutorial courses about Symfony, PHP and JavaScript.

This week, SymfonyCasts published the following updates:

(Video) Symfony 7 Forms: The Basics: Organizing Form Fields
(Video) Symfony 7 Forms: The Basics: Validation Constraints

They talked about us

Call to Action

Follow Symfony on X, on Mastodon, on Bluesky and on Threads and share this article.
Subscribe to the Symfony blog RSS and never miss a Symfony story again.

Published in #A week of symfony

January 26 – February 1, 2026 A Week of Symfony #996