Sourced from dompdf/dompdf's releases.

Dompdf 2.0.4

Change highlights since 2.0.3

This release addresses the following announced vulnerability:

Vulnerability	References	Type	Severity
Possible DoS caused by infinite recursion when validating SVG images	GHSA-3qx2-6f78-w2j2	Resource Exhaustion	Moderate

2.0.x highlights

• Modifies callback and page_script/page_text handling
• Switches the HTML5 parser to Masterminds/HTML5
• Improves CSS property parsing and representation
• Switches installed fonts and font metrics cache file format to JSON

View all changes since the previous release in the commit history.

We would like to extend our gratitude to the community members who helped make this release possible.

Requirements

Dompdf 2.0.4 requires the following:

• PHP 7.1 or greater
• html5-php v2.0.0 or greater
• php-font-lib v0.5.4 or greater
• php-svg-lib v0.3.3 or greater

Note that some dependencies may have further dependencies (notably php-svg-lib requires sabberworm/php-css-parser).

Additionally, the following are recommended for optimal use:

• GD (for image processing)
• allow_url_fopen set to true or the curl PHP extension (for retrieving stylesheets, images, etc via http)

For full requirements and recommendations see the requirements page on the wiki.

Download Instructions

The dompdf team recommends that you use Composer for easier dependency management.

If you're not yet using Composer you can download a packaged release of dompdf which includes all the files you need to use the library. Click the link labeled "dompdf_2-0-4.zip" for the packaged release. The download options labeled "Source code" are auto-generated by github and do not include all the dependencies.

Dompdf 2.0.3

This release addresses the following vulnerability:

Vulnerability	References	Type	Severity
URI validation failure on SVG parsing	[GHSA-56gj-mvh6-rp75][GHSA-56gj-mvh6-rp75], [CVE-2023-24813][CVE-2023-24813]	Remote Code Execution	Critical

... (truncated)

• 093f2d9 Bump version to 2.0.4
• 41cbac1 Improve SVG file reference recursion validation
• e8d2d5e Bump version to 2.0.3
• 95009ea Validate both bare and namespaced SVG image HREF attributes
• 2a8a6b8 Resets version string to commit hash
• ad4c631 Bump version to 2.0.2
• 7558f07 SVG parsing - comparing the tag name in a case insensitive way
• ae1ca4a Adds Security Advisory feature information
• 68fabc5 Removes version info
• f586c13 Fixed bug where svg polylines get automatically closed
• Additional commits viewable in compare view

Sourced from symfony/yaml's releases.

v5.4.52

Changelog (symfony/yaml@v5.4.44...v5.4.52)

• security #cve-2026-45305 Harden the Parser::cleanup() regexes against catastrophic backtracking (@​nicolas-grekas)
• security #cve-2026-45304 Bound collection-alias resolution in the parser (@​nicolas-grekas)
• security #cve-2026-45133 Bound recursion depth in the parser (@​nicolas-grekas)

v5.4.45

Changelog (symfony/yaml@v5.4.44...v5.4.45)

• no significant changes

v5.4.44

Changelog (symfony/yaml@v5.4.43...v5.4.44)

• bug symfony/symfony#58279 [Yaml] parse empty sequence elements as null (@​xabbuh)

v5.4.43

Changelog (symfony/yaml@v5.4.42...v5.4.43)

• bug symfony/symfony#57968 [Yaml] 🐛 throw ParseException on invalid date (@​homersimpsons)

v5.4.40

Changelog (symfony/yaml@v5.4.39...v5.4.40)

• no significant changes

v5.4.39

Changelog (symfony/yaml@v5.4.38...v5.4.39)

• bug symfony/symfony#54706 [Yaml] call substr() with integer offsets (@​xabbuh)

v5.4.35

Changelog (symfony/yaml@v5.4.34...v5.4.35)

• no significant changes

v5.4.31

Changelog (symfony/yaml@v5.4.30...v5.4.31)

• bug symfony/symfony#52443 [Yaml] Fix uid binary parsing (@​mRoca)
• bug symfony/symfony#52408 [Yaml] Fix block scalar array parsing (@​NickSdot)

v5.4.30

Changelog (symfony/yaml@v5.4.29...v5.4.30)

• no significant changes

v5.4.23

Changelog (symfony/yaml@v5.4.22...v5.4.23)

... (truncated)

Sourced from symfony/yaml's changelog.

CHANGELOG

8.0

• Remove support for parsing duplicate mapping keys whose value is null

7.3

• Add compact nested mapping support by using the Yaml::DUMP_COMPACT_NESTED_MAPPING flag
• Add the Yaml::DUMP_FORCE_DOUBLE_QUOTES_ON_VALUES flag to enforce double quotes around string values

7.2

• Deprecate parsing duplicate mapping keys whose value is null
• Add support for dumping null as an empty value by using the Yaml::DUMP_NULL_AS_EMPTY flag

7.1

• Add support for getting all the enum cases with !php/enum Foo

7.0

• Remove the !php/const: tag, use !php/const instead (without the colon)

6.3

• Add support to dump int keys as strings by using the Yaml::DUMP_NUMERIC_KEY_AS_STRING flag

6.2

• Add support for !php/enum and !php/enum *->value
• Deprecate the !php/const: tag in key which will be replaced by the !php/const tag (without the colon) since 3.4

6.1

• In cases where it will likely improve readability, strings containing single quotes will be double-quoted

5.4

• Add a $maxNestingLevel argument to Parser::__construct(), Yaml::parse() and Yaml::parseFile() to bound recursion depth (default 128)

... (truncated)

• b0b2705 [Yaml] Harden the Parser::cleanup() regexes against catastrophic backtracking
• 5a351ff [Yaml] Bound collection-alias resolution in the parser
• b02ba66 [Yaml] Bound recursion depth in the parser
• a454d47 Add PR template and auto-close PR on subtree split repositories
• 7025b96 parse empty sequence elements as null
• 62f96e1 🐛 throw ParseException on invalid date
• 81cad0c Revert "minor #54653 Auto-close PRs on subtree-splits (nicolas-grekas)"
• bc780e1 call substr() with integer offsets
• a38ba0b Auto-close PRs on subtree-splits
• e78db7f Apply php-cs-fixer fix --rules nullable_type_declaration_for_default_null_value
• Additional commits viewable in compare view

Sourced from guzzlehttp/guzzle's releases.

Release 6.5.8

See change log for changes.

Release 6.5.7

See change log for changes.

Release 6.5.6

See change log for changes.

Sourced from guzzlehttp/guzzle's changelog.

6.5.8 - 2022-06-20

• Fix change in port should be considered a change in origin
• Fix CURLOPT_HTTPAUTH option not cleared on change of origin

6.5.7 - 2022-06-09

• Fix failure to strip Authorization header on HTTP downgrade
• Fix failure to strip the Cookie header on change in host or HTTP downgrade

6.5.6 - 2022-05-25

• Fix cross-domain cookie leakage

• a52f044 Release 6.5.8 (#3042)
• 724562f Release 6.5.7 (#3022)
• f092dd7 [6.x] Fix cross-domain cookie leakage (#3017)
• e8ed4db Fixed tests (#2720)
• See full diff in compare view

Sourced from guzzlehttp/psr7's releases.

1.9.1

See change log for changes.

1.9.0

See change log for changes.

1.8.5

See change log for changes.

1.8.4

See change log for changes.

1.8.3

See change log for changes.

Sourced from guzzlehttp/psr7's changelog.

1.9.1 - 2023-04-17

Fixed

• Fixed header validation issue

1.9.0 - 2022-06-20

Added

• Added UriComparator::isCrossOrigin method

1.8.5 - 2022-03-20

Fixed

• Correct header value validation

1.8.4 - 2022-03-20

Fixed

• Validate header values properly

1.8.3 - 2021-10-05

Fixed

• Return null in caching stream size if remote size is null

• e4490ca Release 1.9.1
• c8b21de Release 1.9.1
• 18fd891 Patch header validation issue
• 0e75375 Remove branch alias
• 7cd3009 Update CI workflows (#552)
• e98e3e6 Release 1.9.0 (#520)
• 337e3ad Release 1.8.5 (#491)
• 902db15 Release 1.8.4 (#486)
• 1afdd86 Release 1.8.3 (#446)
• a0c4a5f Return null in caching stream size if remote is null (#438)
• Additional commits viewable in compare view

Sourced from phenx/php-svg-lib's releases.

Nattering Narwhal

What's Changed

• Handle nested definition elements in dompdf/php-svg-lib#120

Full Changelog: dompdf/php-svg-lib@0.5.3...0.5.4 Addressed Issues: https://github.com/dompdf/php-svg-lib/milestone/9?closed=1

Masticating Manatee

What's Changed

• Update color parsing logic in dompdf/php-svg-lib#105
• Improve use handling in dompdf/php-svg-lib#111
• Render a line for a path segment with a radius of zero in dompdf/php-svg-lib#112

Full Changelog: dompdf/php-svg-lib@0.5.2...0.5.3 Addressed Issues: 0.5.3 milestone

Lounging Llama

Security release to address the following reported vulnerability:

• Lack of path validation on font through SVG inline styles

Full Changelog: dompdf/php-svg-lib@0.5.1...0.5.2

Kickin' Koala

Security release to address the following reported vulnerabilities:

• Possible DoS caused by infinite recursion when parsing SVG document
• Unsafe attributes merge when parsing use tag

Jesting Jackal

• Adds full support for non-user space length values (percent, unit values)
• Improves processing of use elements
• Improves path rendering and syntax support
• Adds support for colors with alpha
• Adds support for non-namespaced "href" attribute
• Improves font parsing

See the 0.5.0 milestone for issues and PRs

Gracious thanks to the contributors who helped make this release possible.

Ignaminous Iguanga

• Re-target base PHP support to 7.1
• Skips rendering of indeterminate (return-to-origin) arc segments

Howling Hyena

• Improves compatibility with PHP 8.1
  • Update Cpdf to latest version
  • Updates php-css-parser dependency to 8.4

• 46b25da Update PathTest.php for PHPunit compatibility
• 0e9dc9d Handle nested definition elements
• 0e46722 Render a line for a path segment with a radius of zero
• 964d9a9 Improve symbol element parsing
• 3d6b248 Add method to apply element viewBox
• 092e32c Improve use handling
• bb2eee6 Update license property in composer.json
• 519791c Update README links
• 52d6776 Update .gitignore and .gitattributes
• 720b707 Merge CPdf updated from Dompdf
• Additional commits viewable in compare view

Sourced from symfony/cache's releases.

v5.4.53

Changelog (symfony/cache@v5.4.52...v5.4.53)

• bug #64336 Accept '_' and ':' in prefix passed to AbstractAdapter::clear() (@​nicolas-grekas)

v5.4.52

Changelog (symfony/cache@v5.4.46...v5.4.52)

• security #cve-2026-45073 Validate the prefix given to AbstractAdapter::clear() (@​nicolas-grekas)

v5.4.46

Changelog (symfony/cache@v5.4.45...v5.4.46)

• bug symfony/symfony#58753 [Cache] Fix clear() when using Predis (@​nicolas-grekas)

v5.4.45

Changelog (symfony/cache@v5.4.44...v5.4.45)

• bug symfony/symfony#58669 [Cache] Revert "Initialize RedisAdapter cursor to 0" (@​nicolas-grekas)
• bug symfony/symfony#58661 [Cache] Initialize RedisAdapter cursor to 0 (@​thomas-hiron)

v5.4.44

Changelog (symfony/cache@v5.4.43...v5.4.44)

• bug symfony/symfony#58260 [Cache] Fix RedisSentinel param types (Paweł Stasicki)

v5.4.42

Changelog (symfony/cache@v5.4.41...v5.4.42)

• bug symfony/symfony#57674 [Cache] Improve dbindex DSN parameter parsing (@​constantable)
• bug symfony/symfony#57663 [Cache] use copy() instead of rename() on Windows (@​xabbuh)

Sourced from symfony/cache's changelog.

CHANGELOG

8.0

• Remove CouchbaseBucketAdapter, use CouchbaseCollectionAdapter instead

7.4

• Bump ext-redis to 6.1 and ext-relay to 0.12 minimum

7.3

• Add support for \Relay\Cluster in RedisAdapter
• Add support for valkey: / valkeys: schemes
• Add support for namespace-based invalidation
• Rename options "redis_cluster" and "redis_sentinel" to "cluster" and "sentinel" respectively

7.2

• igbinary_serialize() is no longer used instead of serialize() by default when the igbinary extension is installed, due to behavior compatibilities between the two
• Add optional Psr\Clock\ClockInterface parameter to ArrayAdapter

7.1

• Add option sentinel_master as an alias for redis_sentinel
• Deprecate CouchbaseBucketAdapter, use CouchbaseCollectionAdapter
• Add support for URL encoded characters in Couchbase DSN
• Add support for using DSN with PDOAdapter
• The algorithm for the default cache namespace changed from SHA256 to XXH128

7.0

• Add parameter $isSameDatabase to DoctrineDbalAdapter::configureSchema()
• Drop support for Postgres < 9.5 and SQL Server < 2008 in DoctrineDbalAdapter

6.4

• EarlyExpirationHandler no longer implements MessageHandlerInterface, rely on AsMessageHandler instead

6.3

... (truncated)

• bf58147 [Cache] skip tests for adapters that cannot clear by prefix
• 4acd37c [Cache] Accept '_' and ':' in prefix passed to AbstractAdapter::clear()
• 03b191d [Cache] Validate the prefix given to AbstractAdapter::clear()
• 0fe08ee [Cache] Fix clear() when using Predis
• 12b03e3 Revert "bug #58661 [Cache] Initialize RedisAdapter cursor to 0 (thomas-hiron)"
• e135eb8 initialize RedisAdapter cursor to 0
• c2b90da do not skip tests from data providers
• 6cf23ad drop existing schema if tests create it explicitly
• 7050072 do not mix named and positional arguments in data provider definitions
• 911f2bc do not use TestCase::getName() when possible
• Additional commits viewable in compare view

Sourced from symfony/http-foundation's releases.

v5.4.50

Changelog (symfony/http-foundation@v5.4.49...v5.4.50)

• security symfony/symfony#cve-2025-64500 [HttpFoundation] Fix parsing pathinfo with no leading slash (@​nicolas-grekas)

v5.4.48

Changelog (symfony/http-foundation@v5.4.47...v5.4.48)

• bug symfony/symfony#58836 Work around parse_url() bug (bis) (@​nicolas-grekas)

v5.4.46

Changelog (symfony/http-foundation@v5.4.45...v5.4.46)

• security symfony/symfony#cve-2024-50345 [HttpFoundation] Reject URIs that contain invalid characters (@​nicolas-grekas)

v5.4.45

Changelog (symfony/http-foundation@v5.4.44...v5.4.45)

• bug symfony/symfony#58619 [HttpFoundation][Lock] Ensure compatibility with ext-mongodb v2 (@​GromNaN)

v5.4.44

Changelog (symfony/http-foundation@v5.4.43...v5.4.44)

• bug symfony/symfony#58181 [HttpFoundation] Update links for X-Accel-Redirect and fail properly when X-Accel-Mapping is missing (@​nicolas-grekas)
• bug symfony/symfony#58218 Work around parse_url() bug (@​nicolas-grekas)

v5.4.42

Changelog (symfony/http-foundation@v5.4.41...v5.4.42)

• bug symfony/symfony#57585 [HttpFoundation] Fix MockArraySessionStorage to generate more conform ids (@​Seldaek)

v5.4.40

Changelog (symfony/http-foundation@v5.4.39...v5.4.40)

• bug symfony/symfony#54910 [HttpFoundation]  filter out empty HTTP header parts (@​xabbuh)
• bug symfony/symfony#54816 [Cache] Fix support for predis/predis:^2.0 (@​mfettig)

Sourced from symfony/http-foundation's changelog.

CHANGELOG

8.1

• Add BinaryFileResponse::shouldDeleteFileAfterSend()
• Deprecate setting public properties of Request and Response objects directly; use setters or constructor arguments instead
• Add SessionHasFlashMessage test constraint
• Response::__construct() now accepts a ResponseHeaderBag as its third argument
• ParameterBag::getInt() and ParameterBag::getBoolean() now throw UnexpectedValueException instead of silently returning 0/false when the value cannot be converted

8.0

• Drop HTTP method override support for methods GET, HEAD, CONNECT and TRACE
• Add argument $subtypeFallback to Request::getFormat()
• Remove the following deprecated session options from NativeSessionStorage: referer_check, use_only_cookies, use_trans_sid, sid_length, sid_bits_per_character, trans_sid_hosts, trans_sid_tags
• Trigger PHP warning when using Request::sendHeaders() after headers have already been sent; use a StreamedResponse instead
• Add arguments $v4Bytes and $v6Bytes to IpUtils::anonymize()
• Add argument $partitioned to ResponseHeaderBag::clearCookie()
• Add argument $expiration to UriSigner::sign()
• Remove Request::get(), use properties ->attributes, query or request directly instead
• Remove accepting null $format argument to Request::setFormat()

7.4

• Add #[WithHttpStatus] to define status codes: 404 for SignedUriException and 403 for ExpiredSignedUriException
• Add support for the QUERY HTTP method
• Add support for structured MIME suffix
• Add Request::set/getAllowedHttpMethodOverride() to list which HTTP methods can be overridden
• Deprecate using Request::sendHeaders() after headers have already been sent; use a StreamedResponse instead
• Deprecate method Request::get(), use properties ->attributes, query or request directly instead
• Make Request::createFromGlobals() parse the body of PUT, DELETE, PATCH and QUERY requests
• Deprecate HTTP method override for methods GET, HEAD, CONNECT and TRACE; it will be ignored in Symfony 8.0
• Deprecate accepting null $format argument to Request::setFormat()

7.3

• Add support for iterable of string in StreamedResponse
• Add EventStreamResponse and ServerEvent classes to streamline server event streaming
• Add support for valkey: / valkeys: schemes for sessions
• Request::getPreferredLanguage() now favors a more preferred language above exactly matching a locale
• Allow UriSigner to use a ClockInterface
• Add UriSigner::verify()

7.2

... (truncated)

• 1a0706e [HttpFoundation] Fix parsing pathinfo with no leading slash
• 3f38b8a [HttpFoundation] Fix test
• 897e8a2 [HttpFoundation] Revert risk change
• 3280c9d Work around parse_url() bug (bis)
• 168b77c security #cve-2024-50345 [HttpFoundation] Reject URIs that contain invalid ch...
• 32310ff [HttpFoundation] Reject URIs that contain invalid characters
• 38bd9bc [HttpFoundation] Remove invalid HTTP method from exception message
• 3f38426 Ensure compatibility with mongodb v2
• 35f7b4c session names must not be empty
• e641edd ensure session storages are opened in tests before destroying them
• Additional commits viewable in compare view

Sourced from symfony/http-kernel's releases.

v5.4.53

Changelog (symfony/http-kernel@v5.4.52...v5.4.53)

• data #64370 Release v5.4.53

v5.4.52

Changelog (symfony/http-kernel@v5.4.48...v5.4.52)

• data #64302 Release v5.4.52

v5.4.51

Changelog (symfony/http-kernel@v5.4.50...v5.4.51)

• no significant changes

v5.4.50

Changelog (symfony/http-kernel@v5.4.49...v5.4.50)

• no significant changes

v5.4.48

Changelog (symfony/http-kernel@v5.4.47...v5.4.48)

• bug symfony/symfony#58921 [HttpKernel] Ensure HttpCache::getTraceKey() does not throw exception (@​lyrixx)

Sourced from symfony/http-kernel's changelog.

CHANGELOG

8.1

• Add setNonce() to DumpDataCollector to forward CSP nonces to every HtmlDumper it instantiates
• Add #[MapRequestHeader] to map a header from Request to a controller argument
• Add hasErrors() method to Profile to track profiles with errors (exceptions or error-level logs)
• Validate typed route parameters before calling controllers and return an HTTP error when an invalid value is provided
• Add ControllerAttributeEvent et al. to dispatch events named after controller attributes
• Add support for UploadedFile when using MapRequestPayload
• Add support for bundles as compiler pass
• Add support for SOURCE_DATE_EPOCH environment variable
• Add property $controllerMetadata to several kernel events to give listeners access to controller metadata
• Add Request attribute _controller_attributes to decouple controller attributes from their source code
• Return attributes as a flat list when using Controller[Arguments]Event::getAttributes('*')
• Pass request and args variables to Cache attribute expressions containing the Request object and controller arguments
• Allow using closures with the Cache attribute
• Allow setting a condition when the Cache attribute should be applied
• Add ControllerEvent::evaluate() et al. to help with evaluating expressions or closures in controller attributes
• Deprecate passing a non-flat list of attributes to Controller::setController()
• Deprecate the Symfony\Component\HttpKernel\DependencyInjection\Extension class, use the parent Symfony\Component\DependencyInjection\Extension\Extension class instead
• Allow using Expression or \Closure for validationGroups in #[MapRequestPayload] and #[MapQueryString]
• Deprecate passing a ControllerArgumentsEvent to the ViewEvent constructor; pass a ControllerArgumentsMetadata instead
• Support variadic argument with #[MapRequestPayload]
• Add #[Serialize] to serialize values returned by controllers
• Add argument $mapWhenEmpty to MapQueryString and MapRequestPayload for always attempting denormalization with empty query and request payload
• Deprecate Bundle::registerCommands(), use the #[AsCommand] attribute or the console.command service tag instead of overriding this method
• Deprecate BundleInterface, use the one from the DependencyInjection component instead
• Deprecate MergeExtensionConfigurationPass, use the one from the DependencyInjection component instead
• Deprecate FileLocator, use the one from the DependencyInjection component instead
• Add #[RateLimit] attribute to declaratively enforce rate limiting on controllers.
• Deprecate ServicesResetter, ServicesResetterInterface, and ResettableServicePass, use the ones from the DependencyInjection component instead

8.0

• Remove AddAnnotatedClassesToCachePass
• Remove Extension::getAnnotatedClassesToCompile() and Extension::addAnnotatedClassesToCompile()
• Remove Kernel::getAnnotatedClassesToCompile() and Kernel::setAnnotatedClassCache()
• Make ServicesResetter class final
• Add argument $logChannel to ErrorListener::logException()
• Add argument $event to DumpListener::configure()
• Replace __sleep/wakeup() by __(un)serialize() on kernels and data collectors
• Add method getShareDir() to KernelInterface

7.4

... (truncated)

• ff18e12 Update VERSION for 5.4.53
• 0059c8e Fix CI
• bc30eed Update VERSION for 5.4.52
• f0223f2 Update VERSION for 5.4.51
• 2fe5cf9 Update VERSION for 5.4.50
• 89f9a3f Update VERSION for 5.4.49
• 93304a6 Bump Symfony version to 5.4.49
• c2dbfc9 Update VERSION for 5.4.48
• 455dfd3 [HttpKernel] Ensure HttpCache::getTraceKey() does not throw exception
• 91c97d9 Bump Symfony version to 5.4.48
• Additional commits viewable in compare view

Sourced from symfony/polyfill-intl-idn's releases.

v1.38.1

Changelog (symfony/polyfill-intl-idn@v1.31.0...v1.38.1)

• security #cve-2026-46644 Reject xn-- labels whose Punycode payload decodes to ASCII-only (@​nicolas-grekas)

v1.37.0

Changelog (symfony/polyfill-intl-idn@v1.36.0...v1.37.0)

• no significant changes

v1.36.0

Changelog (symfony/polyfill-intl-idn@v1.35.0...v1.36.0)

• no significant changes

v1.35.0

Changelog (symfony/polyfill-intl-idn@v1.34.0...v1.35.0)

• no significant changes

v1.34.0

Changelog (symfony/polyfill-intl-idn@v1.33.0...v1.34.0)

• no significant changes

• dc21118 [Intl][Idn] Reject xn-- labels whose Punycode payload decodes to ASCII-only
• 9614ac4 Give testing some love
• c36586d Bump to PHP 7.2, stick to phpunit 8.5
• a6e83bd Revert "minor #477 Auto-close PRs on subtree-splits (kbond)"
• 872bf45 Auto-close PRs on subtree-splits
• 412b0a6 Conform to IDNA version 15.1.0 revision 31
• a287ed7 Remove branch-alias from composer.json
• ecaafce feature #334 [PHP 8.1] Add CURLStringFile polyfill (Ayesh, nicolas-grekas)
• b5b0079 CS fix
• 5a42f2d Bump for 1.28
• Additional commits viewable in compare view

Sourced from symfony/routing's releases.

v5.4.53

Changelog (symfony/routing@v5.4.52...v5.4.53)

• security #cve-2026-48784 Fix dot-segment encoding for chained "../" and "./" in generated URLs (@​nicolas-grekas)

v5.4.52

Changelog (symfony/routing@v5.4.48...v5.4.52)

• security #cve-2026-45065 Fix regex alternation anchoring in UrlGenerator requirement validation (@​alexandre-daubois)

v5.4.48

Changelog (symfony/routing@v5.4.47...v5.4.48)

• bug symfony/symfony#58842 [Routing] Fix: lost priority when defining hosts in configuration (@​BeBlood)

v5.4.45

Changelog (symfony/routing@v5.4.44...v5.4.45)

• no significant changes

v5.4.43

Changelog (symfony/routing@v5.4.42...v5.4.43)

• no significant changes

v5.4.42

Changelog (symfony/routing@v5.4.41...v5.4.42)

• bug symfony/symfony#57645 [Routing] Discard in-memory cache of routes when writing the file-based cache (@​mpdude)

v5.4.40

Changelog (symfony/routing@v5.4.39...v5.4.40)

• no significant changes

v5.4.39

Changelog (symfony/routing@v5.4.38...v5.4.39)

• no significant changes

v5.4.38

Changelog (symfony/routing@v5.4.37...v5.4.38)

• no significant changes

v5.4.37

Changelog (symfony/routing@v5.4.36...v5.4.37)

• bug symfony/symfony#54080 [Routing] Enhance error handling in StaticPrefixCollection for compatibility with libpcre2-10.43 (@​Lustmored)

... (truncated)

• f4ca0c5 [Routing] Fix dot-segment encoding for chained "../" and "./" in generated URLs
• 275b313 [Routing] Fix regex alternation anchoring in UrlGenerator requirement validation
• dd08c19 [Routing] Fix: lost priority when defining hosts in configuration
• 986597b do not use TestCase::getName() when possible
• 7289d3c Add PR template and auto-close PR on subtree split repositories
• b6f7178 Fix typos
• f8dd6f8 use more entropy with uniqid()
• c99c74b bug #57645 [Routing] Discard in-memory cache of routes when writing the file-...
• 7bec6df [Router] Discard in-memory cache of routes when writing the file-based cache
• 6df1dd8 Revert "minor #54653 Auto-close PRs on subtree-splits (nicolas-grekas)"
• Additional commits viewable in compare view

Sourced from symfony/security-http's releases.

v5.4.53

Changelog (symfony/security-http@v5.4.52...v5.4.53)

• security #cve-2026-48489 Don't honor user-supplied _failure_path on failure_forward (@​nicolas-grekas)

v5.4.52

Changelog (symfony/security-http@v5.4.47...v5.4.52)

• security #cve-2026-45063 Anchor emailAddress regex to RDN boundary in X509Authenticator (@​alexandre-daubois)

v5.4.47

Changelog (symfony/security-http@v5.4.46...v5.4.47)

• security symfony/symfony#cve-2024-51996 [Security] Check owner of persisted remember-me cookie (@​jderusse)

v5.4.46

Changelog (symfony/security-http@v5.4.45...v5.4.46)

• bug symfony/symfony#58754 [Security] Store original token in token storage when implicitly exiting impersonation (@​wouterj)

v5.4.45

Changelog (symfony/security-http@v5.4.44...v5.4.45)

• no significant changes

v5.4.44

Changelog (symfony/security-http@v5.4.43...v5.4.44)

• bug symfony/symfony#58218 Work around parse_url() bug (@​nicolas-grekas)

v5.4.43

Changelog (symfony/security-http@v5.4.42...v5.4.43)

• bug symfony/symfony#58002 [Security] Revert stateless check for ContextListener (@​VincentLanglet)

v5.4.41

Changelog (symfony/security-http@v5.4.40...v5.4.41)

• bug symfony/symfony#57372 [HttpKernel][Security] Fix accessing session for stateless request (@​VincentLanglet)

v5.4.40

Changelog (symfony/security-http@v5.4.39...v5.4.40)

• no significant changes

v5.4.39

Changelog (symfony/security-http@v5.4.38...v5.4.39)

• bug symfony/symfony#54059 [Security] Validate that CSRF token in form login is string similar to username/password (@​glaubinix)

... (truncated)

Sourced from symfony/security-http's changelog.

CHANGELOG

8.1

• Add support for the clientHints, prefetchCache, and prerenderCache ClearSite-Data directives
• Add this to #[IsGranted] subject expression variables when available
• Add support for closures and this in #[IsCsrfTokenValid] when evaluating its id
• Add $enforceKeyUsageVerification argument to OidcTokenHandler::enableDiscovery() to allow accepting JWKs lacking use/key_ops (lax mode)
• Deprecate the $eraseCredentials argument of AuthenticatorManager::__construct(), as the eraseCredentials() method was removed in Symfony 8.0

8.0

• When extending the RememberMeDetails class and overriding its constructor, the $userFqcn parameter has to be removed from its signature:

  Before:

  class CustomRememberMeDetails extends RememberMeDetails
  {
      public function __construct(string $userFqcn, string $userIdentifier, int $expires, string $value)
      {
          parent::__construct($userFqcn, $userIdentifier, $expires, $value);
      }
  }

  After:

  class CustomRememberMeDetails extends RememberMeDetails
  {
      public function __cons...
  Description has been truncated