Symfony 6.4.0-BETA3 released

Symfony 6.4.0-BETA3 has just been released. Here is the list of the most important changes since 6.4.0-BETA2:

• bug #51666 [RateLimiter] CompoundLimiter was accepting requests even when some limiters already consumed all tokens (@10n)
• bug #52524 [AssetMapper] Only download a CSS file if it is explicitly advertised (@weaverryan)
• bug #52523 [AssetMapper] avoid caching MappedAsset inside JavaScript Import (@weaverryan)
• bug #52519 [AssetMapper] If assets are served from a subdirectory or CDN, also adjust importmap keys (@weaverryan)
• bug #52508 [AssetMapper] Fix jsdelivr import parsing with no imported value (@weaverryan)
• security #cve-2023-46734 [TwigBridge] Ensure CodeExtension's filters properly escape their input (@nicolas-grekas, @GromNaN)
• security #cve-2023-46735 [Webhook] Remove user-submitted type from HTTP response (@nicolas-grekas)
• security #cve-2023-46733 [Security] Fix possible session fixation when only the token changes (@RobertMe)
• bug #52514 [FrameworkBundle] Don't reference SYMFONY_IDE env var in non-debug mode (@nicolas-grekas)
• bug #52506 [SecurityBundle] wire the secret for Symfony 6.4 compatibility (@xabbuh)
• bug #52496 [VarDumper] Accept mixed key on DsPairStub (@marc-mabe)
• bug #52502 [Config] Prefixing FileExistenceResource::__toString() to avoid conflict with FileResource (@weaverryan)
• bug #52491 [String] Method toByteString conversion using iconv is unreachable (@Vincentv92)
• bug #52488 [HttpKernel] Fix PHP deprecation (@nicolas-grekas)
• bug #52469 Check whether secrets are empty and mark them all as sensitive (@nicolas-grekas)
• feature #52471 [HttpKernel] Add ControllerResolver::allowControllers() to define which callables are legit controllers when the _check_controller_is_allowed request attribute is set (@nicolas-grekas)
• bug #52476 [Messenger] fix compatibility with Doctrine DBAL 4 (@xabbuh)
• bug #52434 [Console][FrameworkBundle] Fix missing profile option for console commands (@keulinho)
• bug #52474 [HttpFoundation] ensure string type with mbstring func overloading enabled (@xabbuh)
• bug #52472 [HttpClient][WebProfilerBundle] Do not generate cURL command when files are uploaded (@MatTheCat)
• bug #52457 [Cache][HttpFoundation][Lock] Fix empty username/password for PDO PostgreSQL (@HypeMC)
• bug #52443 [Yaml] Fix uid binary parsing (@mRoca)
• feature #52449 [TwigBridge] Mark CodeExtension as @internal (@fabpot)
• bug #52429 [HttpClient] Replace escapeshellarg to prevent overpassing ARG_MAX (@alexandre-daubois)
• bug #52442 Disable the "Copy as cURL" button when the debug info are disabled (@stof)
• bug #52444 Remove full DSNs from exception messages (@nicolas-grekas)
• feature #52336 [HttpFoundation][Lock] Makes MongoDB adapters usable with ext-mongodb only (@GromNaN)
• bug #52428 [HttpKernel] Preventing error 500 when function putenv is disabled (@ShaiMagal)
• bug #52427 [Console][Process] do not let context classes extend the message classes (@xabbuh)
• bug #52408 [Yaml] Fix block scalar array parsing (@NickSdot)
• bug #52132 [Console] Fix horizontal table top border is incorrectly rendered (@OskarStark)
• bug #52368 [AssetMapper] Fixing bug where JSCompiler used non-absolute importmap entry path (@weaverryan)
• bug #52367 [Uid] Fix UuidV7 collisions within the same ms (@nicolas-grekas)
• bug #52287 [FrameworkBundle] Fix deprecation layer for "enable_annotations" in validation and serializer configuration (@lyrixx)
• bug #52222 [MonologBridge] Fix support for monolog 3.0 (@louismariegaborit)

Want to upgrade to this new release? Because Symfony protects backwards-compatibility very closely, this should be quite easy. Use SymfonyInsight upgrade reports to detect the code you will need to change in your project and read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.