Bump the composer group across 1 directory with 6 updates #1

Closed

dependabot[bot] wants to merge 1 commit into master from dependabot/composer/api/composer-a5dc8d099f

dependabot Bot commented on behalf of github May 21, 2026

Bumps the composer group with 4 updates in the /api directory: dompdf/dompdf, guzzlehttp/guzzle, symfony/http-foundation and symfony/http-kernel.

Updates dompdf/dompdf from 1.0.2 to 2.0.4

Release notes

Sourced from dompdf/dompdf's releases.

Dompdf 2.0.4

Change highlights since 2.0.3

This release addresses the following announced vulnerability:

| Vulnerability | References | Type | Severity |
| --- | --- | --- | --- |
| Possible DoS caused by infinite recursion when validating SVG images | GHSA-3qx2-6f78-w2j2 | Resource Exhaustion | Moderate |

2.0.x highlights

  • Modifies callback and page_script/page_text handling
  • Switches the HTML5 parser to Masterminds/HTML5
  • Improves CSS property parsing and representation
  • Switches installed fonts and font metrics cache file format to JSON

View all changes since the previous release in the commit history.

We would like to extend our gratitude to the community members who helped make this release possible.

Requirements

Dompdf 2.0.4 requires the following:

  • PHP 7.1 or greater
  • html5-php v2.0.0 or greater
  • php-font-lib v0.5.4 or greater
  • php-svg-lib v0.3.3 or greater

Note that some dependencies may have further dependencies (notably php-svg-lib requires sabberworm/php-css-parser).

Additionally, the following are recommended for optimal use:

  • GD (for image processing)
  • allow_url_fopen set to true or the curl PHP extension (for retrieving stylesheets, images, etc via http)

For full requirements and recommendations see the requirements page on the wiki.

Download Instructions

The dompdf team recommends that you use Composer for easier dependency management.

If you're not yet using Composer you can download a packaged release of dompdf which includes all the files you need to use the library. Click the link labeled "dompdf_2-0-4.zip" for the packaged release. The download options labeled "Source code" are auto-generated by github and do not include all the dependencies.

Dompdf 2.0.3

This release addresses the following vulnerability:

| Vulnerability | References | Type | Severity |
| --- | --- | --- | --- |
| URI validation failure on SVG parsing | GHSA-56gj-mvh6-rp75, CVE-2023-24813 | Remote Code Execution | Critical |

... (truncated)

Commits
  • 093f2d9 Bump version to 2.0.4
  • 41cbac1 Improve SVG file reference recursion validation
  • e8d2d5e Bump version to 2.0.3
  • 95009ea Validate both bare and namespaced SVG image HREF attributes
  • 2a8a6b8 Resets version string to commit hash
  • ad4c631 Bump version to 2.0.2
  • 7558f07 SVG parsing - comparing the tag name in a case insensitive way
  • ae1ca4a Adds Security Advisory feature information
  • 68fabc5 Removes version info
  • f586c13 Fixed bug where svg polylines get automatically closed
  • Additional commits viewable in compare view

Updates guzzlehttp/guzzle from 6.5.5 to 6.5.8

Release notes

Sourced from guzzlehttp/guzzle's releases.

Release 6.5.8

See change log for changes.

Release 6.5.7

See change log for changes.

Release 6.5.6

See change log for changes.

Changelog

Sourced from guzzlehttp/guzzle's changelog.

6.5.8 - 2022-06-20

  • Fix change in port should be considered a change in origin
  • Fix CURLOPT_HTTPAUTH option not cleared on change of origin

6.5.7 - 2022-06-09

  • Fix failure to strip Authorization header on HTTP downgrade
  • Fix failure to strip the Cookie header on change in host or HTTP downgrade

6.5.6 - 2022-05-25

  • Fix cross-domain cookie leakage

Updates guzzlehttp/psr7 from 1.8.2 to 1.9.1

Release notes

Sourced from guzzlehttp/psr7's releases.

1.9.1

See change log for changes.

1.9.0

See change log for changes.

1.8.5

See change log for changes.

1.8.4

See change log for changes.

1.8.3

See change log for changes.

Changelog

Sourced from guzzlehttp/psr7's changelog.

1.9.1 - 2023-04-17

Fixed

  • Fixed header validation issue

1.9.0 - 2022-06-20

Added

  • Added UriComparator::isCrossOrigin method

1.8.5 - 2022-03-20

Fixed

  • Correct header value validation

1.8.4 - 2022-03-20

Fixed

  • Validate header values properly

1.8.3 - 2021-10-05

Fixed

  • Return null in caching stream size if remote size is null

Updates phenx/php-svg-lib from 0.3.4 to 0.5.4

Release notes

Sourced from phenx/php-svg-lib's releases.

Nattering Narwhal

What's Changed

Full Changelog: dompdf/php-svg-lib@0.5.3...0.5.4
Addressed Issues: https://github.com/dompdf/php-svg-lib/milestone/9?closed=1

Masticating Manatee

What's Changed

Full Changelog: dompdf/php-svg-lib@0.5.2...0.5.3
Addressed Issues: 0.5.3 milestone

Lounging Llama

Security release to address the following reported vulnerability:

Full Changelog: dompdf/php-svg-lib@0.5.1...0.5.2

Kickin' Koala

Security release to address the following reported vulnerabilities:

Jesting Jackal

  • Adds full support for non-user space length values (percent, unit values)
  • Improves processing of use elements
  • Improves path rendering and syntax support
  • Adds support for colors with alpha
  • Adds support for non-namespaced "href" attribute
  • Improves font parsing

See the 0.5.0 milestone for issues and PRs

Gracious thanks to the contributors who helped make this release possible.

Ignaminous Iguanga

  • Re-target base PHP support to 7.1
  • Skips rendering of indeterminate (return-to-origin) arc segments

Howling Hyena

  • Improves compatibility with PHP 8.1
    • Update Cpdf to latest version
    • Updates php-css-parser dependency to 8.4

Commits
  • 46b25da Update PathTest.php for PHPunit compatibility
  • 0e9dc9d Handle nested definition elements
  • 0e46722 Render a line for a path segment with a radius of zero
  • 964d9a9 Improve symbol element parsing
  • 3d6b248 Add method to apply element viewBox
  • 092e32c Improve use handling
  • bb2eee6 Update license property in composer.json
  • 519791c Update README links
  • 52d6776 Update .gitignore and .gitattributes
  • 720b707 Merge CPdf updated from Dompdf
  • Additional commits viewable in compare view

Updates symfony/http-foundation from 5.3.6 to 5.4.50

Release notes

Sourced from symfony/http-foundation's releases.

v5.4.50

Changelog (symfony/http-foundation@v5.4.49...v5.4.50)

v5.4.48

Changelog (symfony/http-foundation@v5.4.47...v5.4.48)

v5.4.46

Changelog (symfony/http-foundation@v5.4.45...v5.4.46)

v5.4.45

Changelog (symfony/http-foundation@v5.4.44...v5.4.45)

v5.4.44

Changelog (symfony/http-foundation@v5.4.43...v5.4.44)

v5.4.42

Changelog (symfony/http-foundation@v5.4.41...v5.4.42)

v5.4.40

Changelog (symfony/http-foundation@v5.4.39...v5.4.40)

v5.4.39

Changelog (symfony/http-foundation@v5.4.38...v5.4.39)

v5.4.38

Changelog (symfony/http-foundation@v5.4.37...v5.4.38)

  • no significant changes

Changelog

Sourced from symfony/http-foundation's changelog.

CHANGELOG

8.1

  • Add BinaryFileResponse::shouldDeleteFileAfterSend()
  • Deprecate setting public properties of Request and Response objects directly; use setters or constructor arguments instead
  • Add SessionHasFlashMessage test constraint
  • Response::__construct() now accepts a ResponseHeaderBag as its third argument
  • ParameterBag::getInt() and ParameterBag::getBoolean() now throw UnexpectedValueException instead of silently returning 0/false when the value cannot be converted

8.0

  • Drop HTTP method override support for methods GET, HEAD, CONNECT and TRACE
  • Add argument $subtypeFallback to Request::getFormat()
  • Remove the following deprecated session options from NativeSessionStorage: referer_check, use_only_cookies, use_trans_sid, sid_length, sid_bits_per_character, trans_sid_hosts, trans_sid_tags
  • Trigger PHP warning when using Request::sendHeaders() after headers have already been sent; use a StreamedResponse instead
  • Add arguments $v4Bytes and $v6Bytes to IpUtils::anonymize()
  • Add argument $partitioned to ResponseHeaderBag::clearCookie()
  • Add argument $expiration to UriSigner::sign()
  • Remove Request::get(), use properties ->attributes, query or request directly instead
  • Remove accepting null $format argument to Request::setFormat()

7.4

  • Add #[WithHttpStatus] to define status codes: 404 for SignedUriException and 403 for ExpiredSignedUriException
  • Add support for the QUERY HTTP method
  • Add support for structured MIME suffix
  • Add Request::set/getAllowedHttpMethodOverride() to list which HTTP methods can be overridden
  • Deprecate using Request::sendHeaders() after headers have already been sent; use a StreamedResponse instead
  • Deprecate method Request::get(), use properties ->attributes, query or request directly instead
  • Make Request::createFromGlobals() parse the body of PUT, DELETE, PATCH and QUERY requests
  • Deprecate HTTP method override for methods GET, HEAD, CONNECT and TRACE; it will be ignored in Symfony 8.0
  • Deprecate accepting null $format argument to Request::setFormat()

7.3

  • Add support for iterable of string in StreamedResponse
  • Add EventStreamResponse and ServerEvent classes to streamline server event streaming
  • Add support for valkey: / valkeys: schemes for sessions
  • Request::getPreferredLanguage() now favors a more preferred language above exactly matching a locale
  • Allow UriSigner to use a ClockInterface
  • Add UriSigner::verify()

7.2

... (truncated)

Commits
  • 1a0706e [HttpFoundation] Fix parsing pathinfo with no leading slash
  • 3f38b8a [HttpFoundation] Fix test
  • 897e8a2 [HttpFoundation] Revert risk change
  • 3280c9d Work around parse_url() bug (bis)
  • 168b77c security #cve-2024-50345 [HttpFoundation] Reject URIs that contain invalid ch...
  • 32310ff [HttpFoundation] Reject URIs that contain invalid characters
  • 38bd9bc [HttpFoundation] Remove invalid HTTP method from exception message
  • 3f38426 Ensure compatibility with mongodb v2
  • 35f7b4c session names must not be empty
  • e641edd ensure session storages are opened in tests before destroying them
  • Additional commits viewable in compare view

Updates symfony/http-kernel from 5.3.6 to 5.4.52

Release notes

Sourced from symfony/http-kernel's releases.

v5.4.52

Changelog (symfony/http-kernel@v5.4.48...v5.4.52)

v5.4.51

Changelog (symfony/http-kernel@v5.4.50...v5.4.51)

  • no significant changes

v5.4.50

Changelog (symfony/http-kernel@v5.4.49...v5.4.50)

  • no significant changes

v5.4.48

Changelog (symfony/http-kernel@v5.4.47...v5.4.48)

v5.4.47

Changelog (symfony/http-kernel@v5.4.46...v5.4.47)

  • no significant changes

Changelog

Sourced from symfony/http-kernel's changelog.

CHANGELOG

8.1

  • Add setNonce() to DumpDataCollector to forward CSP nonces to every HtmlDumper it instantiates
  • Add #[MapRequestHeader] to map a header from Request to a controller argument
  • Add hasErrors() method to Profile to track profiles with errors (exceptions or error-level logs)
  • Validate typed route parameters before calling controllers and return an HTTP error when an invalid value is provided
  • Add ControllerAttributeEvent et al. to dispatch events named after controller attributes
  • Add support for UploadedFile when using MapRequestPayload
  • Add support for bundles as compiler pass
  • Add support for SOURCE_DATE_EPOCH environment variable
  • Add property $controllerMetadata to several kernel events to give listeners access to controller metadata
  • Add Request attribute _controller_attributes to decouple controller attributes from their source code
  • Return attributes as a flat list when using Controller[Arguments]Event::getAttributes('*')
  • Pass request and args variables to Cache attribute expressions containing the Request object and controller arguments
  • Allow using closures with the Cache attribute
  • Allow setting a condition when the Cache attribute should be applied
  • Add ControllerEvent::evaluate() et al. to help with evaluating expressions or closures in controller attributes
  • Deprecate passing a non-flat list of attributes to Controller::setController()
  • Deprecate the Symfony\Component\HttpKernel\DependencyInjection\Extension class, use the parent Symfony\Component\DependencyInjection\Extension\Extension class instead
  • Allow using Expression or \Closure for validationGroups in #[MapRequestPayload] and #[MapQueryString]
  • Deprecate passing a ControllerArgumentsEvent to the ViewEvent constructor; pass a ControllerArgumentsMetadata instead
  • Support variadic argument with #[MapRequestPayload]
  • Add #[Serialize] to serialize values returned by controllers
  • Add argument $mapWhenEmpty to MapQueryString and MapRequestPayload for always attempting denormalization with empty query and request payload
  • Deprecate Bundle::registerCommands(), use the #[AsCommand] attribute or the console.command service tag instead of overriding this method
  • Deprecate BundleInterface, use the one from the DependencyInjection component instead
  • Deprecate MergeExtensionConfigurationPass, use the one from the DependencyInjection component instead
  • Deprecate FileLocator, use the one from the DependencyInjection component instead
  • Add #[RateLimit] attribute to declaratively enforce rate limiting on controllers.
  • Deprecate ServicesResetter, ServicesResetterInterface, and ResettableServicePass, use the ones from the DependencyInjection component instead

8.0

  • Remove AddAnnotatedClassesToCachePass
  • Remove Extension::getAnnotatedClassesToCompile() and Extension::addAnnotatedClassesToCompile()
  • Remove Kernel::getAnnotatedClassesToCompile() and Kernel::setAnnotatedClassCache()
  • Make ServicesResetter class final
  • Add argument $logChannel to ErrorListener::logException()
  • Add argument $event to DumpListener::configure()
  • Replace __sleep/wakeup() by __(un)serialize() on kernels and data collectors
  • Add method getShareDir() to KernelInterface

7.4

... (truncated)

Commits
  • bc30eed Update VERSION for 5.4.52
  • f0223f2 Update VERSION for 5.4.51
  • 2fe5cf9 Update VERSION for 5.4.50
  • 89f9a3f Update VERSION for 5.4.49
  • 93304a6 Bump Symfony version to 5.4.49
  • c2dbfc9 Update VERSION for 5.4.48
  • 455dfd3 [HttpKernel] Ensure HttpCache::getTraceKey() does not throw exception
  • 91c97d9 Bump Symfony version to 5.4.48
  • 0ac42d5 Update VERSION for 5.4.47
  • f41cb8a Bump Symfony version to 5.4.47
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Bumps the composer group with 4 updates in the /api directory: [dompdf/dompdf](https://github.com/dompdf/dompdf), [guzzlehttp/guzzle](https://github.com/guzzle/guzzle), [symfony/http-foundation](https://github.com/symfony/http-foundation) and [symfony/http-kernel](https://github.com/symfony/http-kernel).


Updates `dompdf/dompdf` from 1.0.2 to 2.0.4
- [Release notes](https://github.com/dompdf/dompdf/releases)
- [Commits](dompdf/dompdf@v1.0.2...v2.0.4)

Updates `guzzlehttp/guzzle` from 6.5.5 to 6.5.8
- [Release notes](https://github.com/guzzle/guzzle/releases)
- [Changelog](https://github.com/guzzle/guzzle/blob/6.5.8/CHANGELOG.md)
- [Commits](guzzle/guzzle@6.5.5...6.5.8)

Updates `guzzlehttp/psr7` from 1.8.2 to 1.9.1
- [Release notes](https://github.com/guzzle/psr7/releases)
- [Changelog](https://github.com/guzzle/psr7/blob/1.9.1/CHANGELOG.md)
- [Commits](guzzle/psr7@1.8.2...1.9.1)

Updates `phenx/php-svg-lib` from 0.3.4 to 0.5.4
- [Release notes](https://github.com/dompdf/php-svg-lib/releases)
- [Commits](dompdf/php-svg-lib@0.3.4...0.5.4)

Updates `symfony/http-foundation` from 5.3.6 to 5.4.50
- [Release notes](https://github.com/symfony/http-foundation/releases)
- [Changelog](https://github.com/symfony/http-foundation/blob/8.1/CHANGELOG.md)
- [Commits](symfony/http-foundation@v5.3.6...v5.4.50)

Updates `symfony/http-kernel` from 5.3.6 to 5.4.52
- [Release notes](https://github.com/symfony/http-kernel/releases)
- [Changelog](https://github.com/symfony/http-kernel/blob/8.1/CHANGELOG.md)
- [Commits](symfony/http-kernel@v5.3.6...v5.4.52)

---
updated-dependencies:
- dependency-name: dompdf/dompdf
  dependency-version: 2.0.4
  dependency-type: direct:production
  dependency-group: composer
- dependency-name: guzzlehttp/guzzle
  dependency-version: 6.5.8
  dependency-type: indirect
  dependency-group: composer
- dependency-name: guzzlehttp/psr7
  dependency-version: 1.9.1
  dependency-type: indirect
  dependency-group: composer
- dependency-name: phenx/php-svg-lib
  dependency-version: 0.5.4
  dependency-type: indirect
  dependency-group: composer
- dependency-name: symfony/http-foundation
  dependency-version: 5.4.50
  dependency-type: indirect
  dependency-group: composer
- dependency-name: symfony/http-kernel
  dependency-version: 5.4.52
  dependency-type: indirect
  dependency-group: composer
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the dependencies and php labels May 21, 2026

dependabot Bot commented on behalf of github Jun 5, 2026

Superseded by #2.

dependabot Bot closed this Jun 5, 2026
dependabot Bot deleted the dependabot/composer/api/composer-a5dc8d099f branch June 5, 2026 22:22