Skip to content

Upgrade dependencies#2162

Draft
blued-gear wants to merge 46 commits into
mainfrom
upgrade_dependencies
Draft

Upgrade dependencies#2162
blued-gear wants to merge 46 commits into
mainfrom
upgrade_dependencies

Conversation

@blued-gear

@blued-gear blued-gear commented Jun 28, 2026

Copy link
Copy Markdown
Collaborator

Summary

This PR upgrades all dependencies, including PHP, Symfony and JS. Broken code was fixed, many (but not all) new deprecations cleaned and the functionality of the site restored with best effort. A summary of major version jumps is attached at the end of this text.

I'm asking you to

verify the state of the site. There are many things I and the tests can not check; like 2FA and OAuth authenticator integration (Google, Github, ...).
We need a graceful rollout of this branch from dev to prod-like environments to ensure all broken thing (which likely still exist) get caught.

Other fixes

While I was at it, I fixed smaller things which annoyed me ;)

  • in the "create entry" page the Magazine search is now case-insensitive and clears old search-results when typing a name

Todo

  • upgrade PHP in the Docker containers
  • revert content of to be reverted commits
  • update docs

Upgrades

php:
php 8.3 -> 8.5
- notable new features:
- Asymmetric Visibility
- Property hooks
- New array_*() functions + array_first() and array_last() functions
- Fatal Errors (such as an exceeded maximum execution time) now include a backtrace
- Pipe Operator
- Uri class
- breaking changes:
- Using null as an array offset or when calling array_key_exists() is now deprecated
doctrine-bundle 2.18 -> 3.2
- https://github.com/greg0ire/DoctrineBundle/blob/4.0.x/UPGRADE-3.0.md
doctrine-migrations-bundle 3.7 -> 4.0
- https://github.com/derrabus/DoctrineMigrationsBundle/blob/4.0.x/UPGRADE.md
- https://github.com/doctrine/migrations/blob/3.0.x/UPGRADE.md
- need to run the doctrine:migrations:sync-metadata-storage command
oauth2-google 4 -> 5
- https://github.com/thephpleague/oauth2-google/blob/main/CHANGELOG.md
reflection-docblock 5.4 -> 6.0
- do we even use this?
2fa-backup-code, 2fa-bundle, 2fa-totp 7.5 -> 8.6
- https://github.com/scheb/2fa/blob/8.x/UPGRADE.md#7x-to-8x
- Priority of the two-factor authenticator has changed from 0 to -100
oauth2-keycloak 5.1 -> 6.1
- https://github.com/stevenmaguire/oauth2-keycloak/releases/tag/6.0.0
- nothing major changed
ux-autocomplete 2.18 -> 3.2
- https://github.com/symfony/ux-autocomplete/blob/3.x/CHANGELOG.md
- nothing major changed for us
ux-chartjs 2.18 -> 3.2
- https://github.com/symfony/ux-chartjs/blob/3.x/CHANGELOG.md
- nothing major changed for us
ux-twig-component 2.18 -> 3.2
- https://github.com/symfony/ux-twig-component/blob/3.x/CHANGELOG.md
- nothing major changed for us
webmozart/assert 1.11 -> 2.4
- https://github.com/webmozarts/assert/blob/master/CHANGELOG.md
- nothing major changed for us
phpunit 12.5 -> 13.2
- https://github.com/sebastianbergmann/phpunit/releases/tag/13.0.0
- nothing major changed for us

js:
babel/core 7.29 -> 8.0
- https://babeljs.io/docs/v8-migration/
babel/preset-env 7.29 -> 8.0
eslint/js 9.39 -> 10.0, eslint 9.39 -> 10.5
- https://github.com/eslint/eslint/releases/tag/v10.0.0
fontawesome-free 6.7 -> 7.3
- https://fontawesome.com/changelog
- Icon canvases now render at a consistent fixed width. To use the default rendering from v6, add our new fa-width-auto class.
stylistic/eslint-plugin 2.13 -> 5.10
- https://github.com/eslint-stylistic/eslint-stylistic/releases/tag/v5.0.0
- nothing major changed for us
symfony/stimulus-bridge 3.2 -> 4.0
- https://github.com/symfony/stimulus-bridge/releases/tag/v4.0.0
- nothing major changed for us
symfony/webpack-encore 5.3 -> 7.1
- https://github.com/symfony/webpack-encore/blob/main/UPGRADE.md
- needed changes were applied
chart.js 3.8 -> 4.5
- https://www.chartjs.org/docs/latest/migration/v4-migration.html
- not directly used by us (Symfony handles it)
globals 15.15 -> 17.7
hotkeys-js 3.13 -> 4.0
- https://github.com/jaywcjlove/hotkeys-js/releases/tag/v4.0.0
- no notable changes
- do we even use this?
sass-loader 16.0 -> 17.0
- https://github.com/webpack/sass-loader/releases/tag/v17.0.0
- no notable changes
simple-icons-font 14.15 -> 16.24
- https://github.com/simple-icons/simple-icons-font/releases/tag/15.0.0
- https://github.com/simple-icons/simple-icons/releases/tag/16.0.0
- no notable changes
webpack-cli 5.1 -> 7.0
- https://github.com/webpack/webpack-cli/blob/main/CHANGELOG.md
- only used by Symfony

GL HF

@blued-gear blued-gear marked this pull request as draft June 28, 2026 22:18
@garrettw

garrettw commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

I probably wouldn't have done a PHP upgrade at the same time as all dependencies. This is a pretty big surface area for one PR.

I would probably split it up as (in this order):

  • Low-impact dep upgrades (security patches, non-BC-breaking stuff)
  • High-impact dep upgrades (major versions, BC breaks ... and depending on how many packages it is and how many changes are needed to support the upgrade, maybe not all of them in the same PR)
  • PHP upgrade, plus only the packages that must be upgraded as part of the PHP change
  • Then go back and repeat...
  • Low-impact
  • High-impact

It's just that this is a lot to review, and when you change so many moving pieces at once ... I just feel like there's more chances for something to go wrong. I tend to feel more confident about smaller, more incremental PRs.

Oh and I typically would separate PHP dep updates from JS ones, but that could be just me.

@blued-gear

Copy link
Copy Markdown
Collaborator Author

I get what you are saying and am not totally against it, but still would prefer to get through this in one go. We did not maintain our dependencies correctly in the past which created this tech debt and splitting it up into the process described by you would create a lot of PRs with duplicated work and in sum as much for you to review as when it is done at once. I'm quite sure it would take much longer to finish the process as everyone would have to find time to go through new PRs again and again + running it on their instances (with one PR we can easily roll back to a known good state as no DB migrations are involved). Also, some of the versions (like Symfony and some JS dependencies) must be updated together.

I know this is a lot, but after this we will keep things updated in a timely manner and with narrow-scoped PRs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants