Symfony 4.4.11 has just been released. Here is a list of the most important changes:

• bug #37590 Allows RedisClusterProxy instance in Lock RedisStore (@jderusse)
• bug #37583 [Mime] Fix EmailHeaderSame to make use of decoded value (@evertharmeling)
• bug #37569 [Messenger] Allow same middleware to be used multiple times with different arguments (@HypeMC)
• bug #37624 [Cache] Connect to RedisCluster with password auth (@mforbak)
• bug #37635 [Cache] fix catching auth errors (@nicolas-grekas)
• bug #37628 [Serializer] Support multiple levels of discriminator mapping (@jeroennoten)
• bug #37572 [FrameworkBundle] set default session.handler alias if handle _id is not provided (@Youssef BENHSSAIEN)
• bug #37607 Fix checks for phpunit releases on Composer 2 (@colinodell)
• bug #37594 Use hexadecimal numerals instead of hexadecimals in strings to repres… (@arekzb)
• bug #37576 [WebProfilerBundle] modified url generation to use absolute urls (@smatyas)
• bug #36888 [Mailer] Fix mandrill raw http request setting from email/name (@JohJohan)
• bug #37527 [Mailer] Fix reply-to functionality in the SendgridApiTransport (@jt2k)
• bug #37581 [Mime] Fix compat with HTTP requests (@fabpot)
• bug #37580 [Mime] Keep Sender full address when used by non-SMTP transports (@fabpot)
• bug #37511 [DependencyInjection][Config] Use several placeholder unique prefixes for dynamic placeholder values (@fancyweb)
• bug #37562 [Cache] Use the default expiry when saving (not when creating) items (@philipp-kolesnikov)
• bug #37563 Fix DBAL deprecation (@nicolas-grekas)
• bug #37521 [Form] Fix ChoiceType translation domain (@VincentLanglet)
• bug #37550 [OptionsResolver] Fix force prepend normalizer (@hason)
• bug #37520 [Form] silently ignore uninitialized properties when mapping data to forms (@ph-fritsche)
• bug #37526 [Cache][Config] ensure compatibility with PHP 8 stack traces (@xabbuh)
• bug #37513 [PhpUnitBridge] ExcludeList usage for PHPUnit 9.4 (@gennadigennadigennadi)
• bug #37461 [Process] Fix Permission Denied error when writing s _pro _00 lock files on Windows (@JasonStephensTAMU)
• bug #37505 [Form] fix handling null as empty data (@xabbuh)
• bug #37385 [Console] Fixes question input encoding on Windows (@YaFou)
• bug #37491 [HttpClient] Fix promise behavior in HttplugClient (@brentybh)
• bug #37469 [Console] always use stty when possible to ask hidden questions (@nicolas-grekas)
• bug #37486 [HttpClient] fix parsing response headers in CurlResponse (@nicolas-grekas)
• bug #37484 [HttpClient][CurlHttpClient] Fix htt _version option usage (@fancyweb)
• bug #37447 [Validator] fix validating lazy properties that evaluate to null (@xabbuh)
• bug #37464 [ErrorHandler] fix throwing from toString() (@nicolas-grekas)
• bug #37449 [Translation] Fix caching of parent locales file in translator (@jvasseur)
• bug #37418 [PhpUnitBridge] Fix compatibility with phpunit 9.3 (@Gennadi Janzen)
• bug #37441 [DoctrineBridge] work around Connection::ping() deprecation (@nicolas-grekas)
• bug #37291 [MimeType] Duplicated MimeType due to PHP Bug (@juanmrad)
• bug #37429 [DI] fix parsing of argument type=binary in xml (@Tobion)
• bug #37425 [Form] fix guessing form types for DateTime types (@xabbuh)
• bug #37392 [Validator] fix handling typed properties as constraint options (@xabbuh)
• bug #37358 Directly use the driverConnection executeUpdate method (@TristanPouliquen)
• bug #37389 [HttpFondation] Change file extension of “audio/mpeg” from “mpga” to “mp3” (@YaFou)
• bug #37379 [HttpClient] Support for cURL handler objects (@derrabus)
• bug #37383 [VarDumper] Support for cURL handler objects (@derrabus)
• bug #37395 add .body wrapper element (@Nemo64)
• bug #37400 [HttpClient] unset activity list when creating CurlResponse (@nicolas-grekas)
• bug #36304 Check whether path is file in DataPart::fromPath() (@freiondrej)
• bug #37345 [Form] collect all transformation failures (@xabbuh)
• bug #37362 [SecurityBundle] Drop cache.securit _expressio _language service if invalid (@chalasr)
• bug #37353 [DI] disable preload.php on the CLI (@nicolas-grekas)
• bug #37268 [Messenger] Fix precedence of DSN options for 4.4 (@jderusse)
• bug #37341 Fix support for PHP8 union types (@nicolas-grekas)
• bug #37271 [FrameworkBundle] preserve dots in query-string when redirecting (@nicolas-grekas)
• bug #37340 Fix support for PHP8 union types (@nicolas-grekas)
• bug #37275 [DI] tighten detection of local dirs to prevent false positives (@nicolas-grekas)
• bug #37090 [PhpUnitBridge] Streamline ansi/no-ansi of composer according to phpunit –colors option (@kick-the-bucket)
• bug #36230 [VarDumper] Fix CliDumper coloration on light arrays (@l-vo)
• bug #37270 [FrameworkBundle] preserve dots in query-string when redirecting (@nicolas-grekas)
• bug #37319 [HttpClient] Convert CurlHttpClient::handlePush() to instance method (@mpesari)
• bug #37342 [Cache] fix compat with DBAL v3 (@nicolas-grekas)
• bug #37286 [Console] Reset question validator attempts only for actual stdin (bis) (@nicolas-grekas)
• bug #37160 Reset question validator attempts only for actual stdin (@ostrolucky)
• bug #36975 [PropertyInfo] Make PhpDocExtractor compatible with phpDocumentor v5 (@DerManoMann)

Want to upgrade to this new release? Because Symfony protects backwards-compatibility very closely, this should be quite easy. UseSymfonyInsight upgrade reports to detect the code you will need to change in your project andread our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.

Symfony 5.0.11 has just been released. Here is a list of the most important changes:

• bug #37590 Allows RedisClusterProxy instance in Lock RedisStore (@jderusse)
• bug #37583 [Mime] Fix EmailHeaderSame to make use of decoded value (@evertharmeling)
• bug #37569 [Messenger] Allow same middleware to be used multiple times with different arguments (@HypeMC)
• bug #37624 [Cache] Connect to RedisCluster with password auth (@mforbak)
• bug #37635 [Cache] fix catching auth errors (@nicolas-grekas)
• bug #37628 [Serializer] Support multiple levels of discriminator mapping (@jeroennoten)
• bug #37572 [FrameworkBundle] set default session.handler alias if handle _id is not provided (@Youssef BENHSSAIEN)
• bug #37607 Fix checks for phpunit releases on Composer 2 (@colinodell)
• bug #37594 Use hexadecimal numerals instead of hexadecimals in strings to repres… (@arekzb)
• bug #37576 [WebProfilerBundle] modified url generation to use absolute urls (@smatyas)
• bug #36888 [Mailer] Fix mandrill raw http request setting from email/name (@JohJohan)
• bug #37527 [Mailer] Fix reply-to functionality in the SendgridApiTransport (@jt2k)
• bug #37581 [Mime] Fix compat with HTTP requests (@fabpot)
• bug #37580 [Mime] Keep Sender full address when used by non-SMTP transports (@fabpot)
• bug #37511 [DependencyInjection][Config] Use several placeholder unique prefixes for dynamic placeholder values (@fancyweb)
• bug #37562 [Cache] Use the default expiry when saving (not when creating) items (@philipp-kolesnikov)
• bug #37563 Fix DBAL deprecation (@nicolas-grekas)
• bug #37521 [Form] Fix ChoiceType translation domain (@VincentLanglet)
• bug #37550 [OptionsResolver] Fix force prepend normalizer (@hason)
• bug #37520 [Form] silently ignore uninitialized properties when mapping data to forms (@ph-fritsche)
• bug #37526 [Cache][Config] ensure compatibility with PHP 8 stack traces (@xabbuh)
• bug #37513 [PhpUnitBridge] ExcludeList usage for PHPUnit 9.4 (@gennadigennadigennadi)
• bug #37514 [String] throw when Alpine is used and translit fails (@nicolas-grekas)
• bug #37461 [Process] Fix Permission Denied error when writing s _pro _00 lock files on Windows (@JasonStephensTAMU)
• bug #37505 [Form] fix handling null as empty data (@xabbuh)
• bug #37385 [Console] Fixes question input encoding on Windows (@YaFou)
• bug #37491 [HttpClient] Fix promise behavior in HttplugClient (@brentybh)
• bug #37469 [Console] always use stty when possible to ask hidden questions (@nicolas-grekas)
• bug #37486 [HttpClient] fix parsing response headers in CurlResponse (@nicolas-grekas)
• bug #37484 [HttpClient][CurlHttpClient] Fix htt _version option usage (@fancyweb)
• bug #37447 [Validator] fix validating lazy properties that evaluate to null (@xabbuh)
• bug #37464 [ErrorHandler] fix throwing from toString() (@nicolas-grekas)
• bug #37449 [Translation] Fix caching of parent locales file in translator (@jvasseur)
• bug #37418 [PhpUnitBridge] Fix compatibility with phpunit 9.3 (@Gennadi Janzen)
• bug #37441 [DoctrineBridge] work around Connection::ping() deprecation (@nicolas-grekas)
• bug #37291 [MimeType] Duplicated MimeType due to PHP Bug (@juanmrad)
• bug #37429 [DI] fix parsing of argument type=binary in xml (@Tobion)
• bug #37425 [Form] fix guessing form types for DateTime types (@xabbuh)
• bug #37392 [Validator] fix handling typed properties as constraint options (@xabbuh)
• bug #37325 Fix the supports() method argument type of the security voter (@francoispluchino)
• bug #37358 Directly use the driverConnection executeUpdate method (@TristanPouliquen)
• bug #37389 [HttpFondation] Change file extension of “audio/mpeg” from “mpga” to “mp3” (@YaFou)
• bug #37379 [HttpClient] Support for cURL handler objects (@derrabus)
• bug #37383 [VarDumper] Support for cURL handler objects (@derrabus)
• bug #37395 add .body wrapper element (@Nemo64)
• bug #37400 [HttpClient] unset activity list when creating CurlResponse (@nicolas-grekas)
• bug #36304 Check whether path is file in DataPart::fromPath() (@freiondrej)
• bug #37345 [Form] collect all transformation failures (@xabbuh)
• bug #37362 [SecurityBundle] Drop cache.securit _expressio _language service if invalid (@chalasr)
• bug #37353 [DI] disable preload.php on the CLI (@nicolas-grekas)
• bug #37268 [Messenger] Fix precedence of DSN options for 4.4 (@jderusse)
• bug #37341 Fix support for PHP8 union types (@nicolas-grekas)
• bug #37271 [FrameworkBundle] preserve dots in query-string when redirecting (@nicolas-grekas)
• bug #37340 Fix support for PHP8 union types (@nicolas-grekas)
• bug #37275 [DI] tighten detection of local dirs to prevent false positives (@nicolas-grekas)
• bug #37090 [PhpUnitBridge] Streamline ansi/no-ansi of composer according to phpunit –colors option (@kick-the-bucket)
• bug #36230 [VarDumper] Fix CliDumper coloration on light arrays (@l-vo)
• bug #37270 [FrameworkBundle] preserve dots in query-string when redirecting (@nicolas-grekas)
• bug #37319 [HttpClient] Convert CurlHttpClient::handlePush() to instance method (@mpesari)
• bug #37342 [Cache] fix compat with DBAL v3 (@nicolas-grekas)
• bug #37286 [Console] Reset question validator attempts only for actual stdin (bis) (@nicolas-grekas)
• bug #37160 Reset question validator attempts only for actual stdin (@ostrolucky)
• bug #36975 [PropertyInfo] Make PhpDocExtractor compatible with phpDocumentor v5 (@DerManoMann)

WARNING: 5.0.11 is the last version for the Symfony 5.0 branch. If some of your projects are still using this version, consider upgrading as soon as possible. However, if you can’t upgrade soon, note that we still provide security issue releases according to our release policy.

Want to upgrade to this new release? Because Symfony protects backwards-compatibility very closely, this should be quite easy. UseSymfonyInsight upgrade reports to detect the code you will need to change in your project andread our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.

Symfony 5.1.3 has just been released. Here is a list of the most important changes:

• bug #37590 Allows RedisClusterProxy instance in Lock RedisStore (@jderusse)
• bug #37583 [Mime] Fix EmailHeaderSame to make use of decoded value (@evertharmeling)
• bug #37569 [Messenger] Allow same middleware to be used multiple times with different arguments (@HypeMC)
• bug #37624 [Cache] Connect to RedisCluster with password auth (@mforbak)
• bug #37635 [Cache] fix catching auth errors (@nicolas-grekas)
• bug #37628 [Serializer] Support multiple levels of discriminator mapping (@jeroennoten)
• bug #37629 [Messenger] fix ignored account & endpoint options amazon sqs connection (@surikman)
• bug #37572 [FrameworkBundle] set default session.handler alias if handle _id is not provided (@Youssef BENHSSAIEN)
• bug #37558 Removed @internal from Composite (@vudaltsov)
• bug #37607 Fix checks for phpunit releases on Composer 2 (@colinodell)
• bug #37611 [Mailer] Fix failover transport (@fabpot)
• bug #37594 Use hexadecimal numerals instead of hexadecimals in strings to repres… (@arekzb)
• bug #37576 [WebProfilerBundle] modified url generation to use absolute urls (@smatyas)
• bug #36888 [Mailer] Fix mandrill raw http request setting from email/name (@JohJohan)
• bug #37527 [Mailer] Fix reply-to functionality in the SendgridApiTransport (@jt2k)
• bug #37581 [Mime] Fix compat with HTTP requests (@fabpot)
• bug #37580 [Mime] Keep Sender full address when used by non-SMTP transports (@fabpot)
• bug #37511 [DependencyInjection][Config] Use several placeholder unique prefixes for dynamic placeholder values (@fancyweb)
• bug #37562 [Cache] Use the default expiry when saving (not when creating) items (@philipp-kolesnikov)
• bug #37563 Fix DBAL deprecation (@nicolas-grekas)
• bug #37521 [Form] Fix ChoiceType translation domain (@VincentLanglet)
• bug #37550 [OptionsResolver] Fix force prepend normalizer (@hason)
• bug #37520 [Form] silently ignore uninitialized properties when mapping data to forms (@ph-fritsche)
• bug #37543 [PhpUnitBridge] consider traits imported in parent classes (@xabbuh)
• bug #37515 [PhpUnitBridge] Fix expectDeprecation() in isolation (@alexpott)
• bug #37526 [Cache][Config] ensure compatibility with PHP 8 stack traces (@xabbuh)
• bug #37513 [PhpUnitBridge] ExcludeList usage for PHPUnit 9.4 (@gennadigennadigennadi)
• bug #37514 [String] throw when Alpine is used and translit fails (@nicolas-grekas)
• bug #37504 [SecurityHttp] Skip remember-me logout on empty token (@chalasr)
• bug #37461 [Process] Fix Permission Denied error when writing s _pro _00 lock files on Windows (@JasonStephensTAMU)
• bug #37505 [Form] fix handling null as empty data (@xabbuh)
• bug #37385 [Console] Fixes question input encoding on Windows (@YaFou)
• bug #37499 [Form] Missing return in loadValuesForChoices method (@yceruto)
• bug #37491 [HttpClient] Fix promise behavior in HttplugClient (@brentybh)
• bug #37469 [Console] always use stty when possible to ask hidden questions (@nicolas-grekas)
• bug #37486 [HttpClient] fix parsing response headers in CurlResponse (@nicolas-grekas)
• bug #37484 [HttpClient][CurlHttpClient] Fix htt _version option usage (@fancyweb)
• bug #37447 [Validator] fix validating lazy properties that evaluate to null (@xabbuh)
• bug #37464 [ErrorHandler] fix throwing from toString() (@nicolas-grekas)
• bug #37449 [Translation] Fix caching of parent locales file in translator (@jvasseur)
• bug #37440 [HttpClient] fix casting TraceableResponse to php streams (@nicolas-grekas)
• bug #37418 [PhpUnitBridge] Fix compatibility with phpunit 9.3 (@Gennadi Janzen)
• bug #37441 [DoctrineBridge] work around Connection::ping() deprecation (@nicolas-grekas)
• bug #37291 [MimeType] Duplicated MimeType due to PHP Bug (@juanmrad)
• bug #37435 [DI] fix minor perf regression when creating non-shared services (@nicolas-grekas)
• bug #37429 [DI] fix parsing of argument type=binary in xml (@Tobion)
• bug #37425 [Form] fix guessing form types for DateTime types (@xabbuh)
• bug #37392 [Validator] fix handling typed properties as constraint options (@xabbuh)
• bug #37325 Fix the supports() method argument type of the security voter (@francoispluchino)
• bug #37358 Directly use the driverConnection executeUpdate method (@TristanPouliquen)
• bug #37389 [HttpFondation] Change file extension of “audio/mpeg” from “mpga” to “mp3” (@YaFou)
• bug #37379 [HttpClient] Support for cURL handler objects (@derrabus)
• bug #37383 [VarDumper] Support for cURL handler objects (@derrabus)
• bug #37395 add .body wrapper element (@Nemo64)
• bug #37400 [HttpClient] unset activity list when creating CurlResponse (@nicolas-grekas)
• bug #37396 [DI] Fix call to sprintf in ServicesConfigurator::stack() (@dunglas)
• bug #37368 [Security] Resolve event bubbling of logout + new events in a compiler pass (@wouterj)
• bug #36304 Check whether path is file in DataPart::fromPath() (@freiondrej)
• bug #37366 [SecurityBundle] Fix UserCheckerListener registration with custom user checker (@wouterj)
• bug #37364 [Messenger] fixed queu _name option on amazon sqs connection (@ck-developer)
• bug #37345 [Form] collect all transformation failures (@xabbuh)
• bug #37362 [SecurityBundle] Drop cache.securit _expressio _language service if invalid (@chalasr)
• bug #37353 [DI] disable preload.php on the CLI (@nicolas-grekas)
• bug #37268 [Messenger] Fix precedence of DSN options for 4.4 (@jderusse)
• bug #37269 [Lock][Messenger] Fix precedence of DSN options for 5.1 (@jderusse)
• bug #37341 Fix support for PHP8 union types (@nicolas-grekas)
• bug #37271 [FrameworkBundle] preserve dots in query-string when redirecting (@nicolas-grekas)
• bug #37340 Fix support for PHP8 union types (@nicolas-grekas)
• bug #37275 [DI] tighten detection of local dirs to prevent false positives (@nicolas-grekas)
• bug #37090 [PhpUnitBridge] Streamline ansi/no-ansi of composer according to phpunit –colors option (@kick-the-bucket)
• bug #36230 [VarDumper] Fix CliDumper coloration on light arrays (@l-vo)
• bug #37270 [FrameworkBundle] preserve dots in query-string when redirecting (@nicolas-grekas)
• bug #37312 Fix package rename when releasing (@94noni)
• bug #37319 [HttpClient] Convert CurlHttpClient::handlePush() to instance method (@mpesari)
• bug #37342 [Cache] fix compat with DBAL v3 (@nicolas-grekas)
• bug #37327 [HttpFoundation] Allow null in InputBag@set (@taylorotwell)

Want to upgrade to this new release? Because Symfony protects backwards-compatibility very closely, this should be quite easy. UseSymfonyInsight upgrade reports to detect the code you will need to change in your project andread our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.

This week, Symfony 3.4.43, 4.4.11, 5.0.11 and 5.1.3 maintenance versions were released. Symfony 5.0.11 is the last version for the Symfony 5.0 branch, so you should upgrade to Symfony 5.1. In addition, the Symfony 5 book published a new translation in Japanese: 基礎から最速で学ぶ Symfony 5 入門.

Symfony development highlights

This week, 31 pull requests were merged (25 in code and 6 in docs) and 25 issues were closed (23 in code and 2 in docs). Excluding merges, 19 authors made 286 additions and 129 deletions. See details for code and docs.

3.4 changelog:

• e77ff45: minor fixes on tests
• 0eafc01: fix checks for phpunit releases on Composer 2
• 09c97bd: [FrameworkBundle] set default session.handler alias if handler_id is not provided
• 65fc07a: [Cache] fixed catching auth errors

4.4 changelog:

• 3619661: [Ldap] use hexadecimal numerals instead of hexadecimals in strings
• 2dbbe50: [Serializer] support multiple levels of discriminator mapping
• ebc7f4b: [Cache] connect to RedisCluster with password auth
• 0d867bc: [Messenger] allow same middleware to be used multiple times with different arguments
• df1a1ff: [Mime] fixed EmailHeaderSame to make use of decoded value
• 0eae7a6: [Cache] allowed RedisClusterProxy instance in Lock RedisStore

5.0 changelog:

• a0f7c88: required PHPUnit 9.3 on PHP 8

5.1 changelog:

• 08ff65f: [Mailer] fixed failover transport
• ab29e07: [Validator] removed @internal from Composite

Symfony CLI

Symfony CLI is a must-have tool when developing Symfony applications on your local machine. It includes theSymfony Local Server, the best way to run local Symfony applications. This week Symfony CLI released its new 4.18.0 and4.18.1 versions with the following changes:

• Add Github actions support to security:check
• Add support for Composer 2 (symfony composer now looks for a composer1 or composer2 binary depending on composer.lock and falls back to composer if not found)
• Make SymfonyCloud automatically use Composer 1 or 2 depending on composer.lock
• Add support for installing PHP extensions directly from variables defined in .symfony.cloud.yaml

Newest issues and pull requests

• [DX] KernelBrowser (default 'test.client' does not support 'json' as a key to parameters argument of request
• Mailchimp/Mandrill mailer using template
• [Stopwatch] Add name property to StopwatchEvent

They talked about us

• Road to Symfony 5 Certification
• [Angular + Symfony] JWT Authentication
• Adding a custom data collector in the Symfony debug bar
• eZ Accelerator is back!
• Pagerfanta Package Structure Updates
• Zikula CMS Symfony Framework Core 3.0.1 released!
• Another way for a Symfony API to ingest POST requests - No Bundle
• Obtendo Symfony CLI no Windows
• Ajout d'un collecteur de données personnalisé dans la barre de debug Symfony
• Symfony - 安裝與起步

Call to Action

• Follow Symfony on Twitter and retweet this article.
• Subscribe to the Symfony blog RSS and never miss a Symfony story again.

As the entire world is not yet recovering from the unfortunate COVID-19 situation and some countries are still strongly facing this pandemic situation, we took the very hard decision to postpone SymfonyCon Disneyland Paris 2020 to 2021. To ensure a safe environment and to enable everyone from the community to join us, it is safer to postpone the conference to 2021, when, hopefully, this global pandemic crisis will be behind us. It’s with sadness but for necessary precautions that we took the hard decision to postpone SymfonyCon Disneyland Paris 2020.

SymfonyCon Disneyland Paris 2021 will take place from November 30th to December 4th 2021 as follow:

• Pre-conference workshop days: November 30th and December 1st
• Conference days: December 2nd and 3rd
• Hackday: December 4th

All the registered attendees to SymfonyCon Disneyland Paris 2020 are automatically transfered to SymfonyCon Disneyland Paris 2021, meaning that your current registration is already confirmed for 2021. If you’re not available for 2021, you will be fully reimbursed. Contact us via our support to ask for your reimbursement. If you already booked an hotel room in one of the Disneyland Paris hotels, your hotel room will be reimbursed too. You'll need to call Disneyland Paris Business Solutions team at +33 (0)1 60 45 73 99 Mondays thru Fridays from 9am to 6pm - local time to claim your reimbursement.

Early bird registration for SymfonyCon Disneyland Paris 2021 is now open, get your early bird conference ticket for 399€ (VAT excl.). Call for Papers and Call for Trainers are also open, submit your talk and workshop proposals for the international Symfony conference.

As we still want to meet and gather the Symfony community this year, we’re pleased to organize the first SymfonyWorld online conference at the same dates as the initially scheduled SymfonyCon Disneyland Paris 2020. Discover more about our first ever SymfonyWorld conference in our blog post. Let’s meet virtually to celebrate Symfony’s 15th anniversary! We can’t wait to meet you in person next year at SymfonyCon Disneyland Paris 2021, but first see you online at the end of this year at SymfonyWorld 2020.

Stay home and safe!

We’re very happy to announce that we’ll meet you all online this year at SymfonyWorld 2020. Unfortunately, we’ve sadly announced the postponement of SymfonyCon Disneyland Paris 2020 to 2021 due to the current global COVID-19 pandemic situation. But as we are eager to still meet this year the great Symfony community from all over the world, we've created the SymfonyWorld conference.

The SymfonyWorld conference is a 100% online event from December 1st to 5th organized for the entire Symfony community. The talks will be available online in live or just after in replay. Registering to the conference days enables you to attend the live talks but all the replays of all talks too. The SymfonyWorld experience is a 5-day event and a new way to attend our conference.

Here is the conference agenda:

• Pre-conference workshop days: December 1st and 2nd
• Conference days: December 3rd and 4th
• Hackday: December 5th all day via Slack, open to anyone

Having a full online conference prevents us from any sanitary risks and make sure every attendee feels safe, comfortable and healthy during this unprecedented COVID-19 crisis. No matter where you live and the current sanitary restrictions you may face, you’ll be able to attend the international online Symfony conference.

We’ll use Hopin for the entire conference which enables us to offer you several conference tracks from beginner to advanced talks. The entire event will be organized online in English. All talks will be available in live and right away for replay to enable everyone no matter your time zone to watch them. Call for Papers and Call for Trainers are now open until August 31st 2020. Submit now your talk and workshop proposals!

Early bird registration is also open until August 31st 2020, buy your:

• 2-day conference ticket at 59€ (VAT excl.)
• your combo 4-day workshop and conference ticket at 390€ (VAT excl.)

Several workshops will be offered, you’ll be able to create your personal workshop combo and your personal conference experience. SymfonyWorld brings you the Symfony conference experience from the comfort of your home! As your safety is the most important to us, with SymfonyWorld you take no risks and can relax while enjoying the best out of the Symfony conference. Meet and listen online to famous speakers from the Symfony community and hear the latest about Symfony and its ecosystem. Plus, you’ll be able to celebrate online Symfony’s 15th anniversary with us!

We’re also extremely pleased to offer you a brand new attendee’s experience with our new conference website design! Check it out now the SymfonyWorld website! We’ve enhanced your entire attendee’s experience starting from your registration to your online conference attendance.

Finally, we’re super excited to unveil our special Symfony 15 years elePHPant limited edition! Only available with a SymfonyWorld ticket purchase or any conference ticket purchase on our brand new conferences websites. Plus, for the online conference, you can also order your official conference t-shirt at the unique price of 10€ (VAT excl.). Special Symfony 15 years elePHPant are available at 25€ each (VAT excl.), it will be the only occasion to add it to your collection, don’t miss the opportunity! Register now to the online conference and get your special Symfony swag!

Join us for our online event, join us at anytime, a replay will be available right away if you missed a talk! Let's network and discuss together in a brand new way. We’re super excited to meet you virtually at SymfonyWorld 2020! Check the conference website, discover our brand new design, register now at early bird rate and secure your Symfony 15 years elePHPant!

Stay safe and see you soon!

I've been working on making the Symfony 5 book, The Fast Track, available online for free. It has been a bit more challenging that I expected it to be. At first, I wanted to create a dedicated website for the book, but soon realized it was too much work and it was really about copy pasting too much code from symfony.com. So, at the end, I decided to integrate it on symfony.com and benefit from everything already available.

I still have some open questions like how to let people contribute fixes for translations. As the translated book is not available as source files, but as translations files, it is not as easy as expected. I'm working on integrating that into the translation workflow, but it's not ready yet.

Anyway, I've decided to not wait anymore and share my work with you. So, as of today, theChinese,Persian,Arabic,Romanian,Portuguese (Brazil), andDutch versions of the book are available online for everyone to read. Expect more languages to be released soon. You can still buy the PDF if you want to support the Symfony project.

All other versions are available on the main book page as PDF files. As of now, we have 14 available versions: English, French, Arabic, Spanish, German, Persian, Japanese, Russian, Italian, Dutch, Polish, Portuguese (Brazil), Romanian, and Chinese (China).

I created the PHP security advisory database more than 6 years ago, and I’ve been been maintaining it since then.

On top of the database, I’ve also developed various tools to help people check their projects against the database, from an online API, to a command line tool. One of the main “issue” is that the command line tool is also an interface to the API, meaning that all checks depend on the availability of the API server. The traffic on the server is huge and maintaining it is an unnecessary burden.

So, more recently, we’ve incorporated a security:check command in theSymfony CLI that does everything locally (downloading the database from Github directly).

Today, I want to share yet some other ways that don’t use the API. If you don’t use the Symfony CLI, you might not necessarily want to download it and keep it updated. As of today, it is not needed anymore and you can use the new Symfony CLI Docker image instead:

1

docker run --rm -v $(pwd):$(pwd) -w $(pwd) symfonycorp/cli check:security

If you are using Github Actions, you can also use the The PHP Security Checker action. The README contains everything you need to know. You can even integrate it into a workflow that makes decisions depending on found vulnerabilities:

1
2
3

steps:-uses:actions/checkout@v2-uses:symfonycorp/security-checker-action@v2

If you are still using the API or the dedicated CLI tool, please consider switching to the Symfony CLI or the Docker image/Github integration.

This week, Symfony postponed SymfonyCon Disneyland Paris conference until next year and announced SymfonyWorld 2020, a new world-wide online conference. In addition, the first translations of the Symfony 5 book were published for free on Symfony website.

Symfony development highlights

This week, 27 pull requests were merged (27 in code and 0 in docs) and 19 issues were closed (17 in code and 2 in docs). Excluding merges, 16 authors made 1,458 additions and 111 deletions. See details for code and docs.

3.4 changelog:

• b61fa44: [Cache] fixed saving no-expiry items with ArrayAdapter
• b940b5a: [VarDumper] improved previous fix on light array coloration

4.4 changelog:

• 600e5d1: [Messenger] removed redundant strtolower in ConsumeMessagesCommand
• b6ea86e: [Messenger] reduced column length for MySQL 5.6 compatibility
• e69b8b1: [Mailer] added the missing reset tag to mailer.logger_message_listener
• bea4319: [Finder] fixed GitIgnore parser when dealing with (sub)directories and take order of lines into account
• 909158b: [WebProfilerBundle] fixed error with custom function and web profiler routing tab

5.1 changelog:

• c931d07: [FrameworkBundle] KernelBrowser::getContainer cannot return null anymore
• bfc0351: [Messenger] fixed invalid option sslmode in AmazonSqs bridge

Master changelog:

• e411c96: [Routing] allowed inline definition of requirements and defaults for host
• 79bc5b7: [Twig Bridge] fixed getTranslationNodeVisitor() return type
• 13a5e47: [Stopwatch] updated StopwatchPeriod
• bd59105: [Router] allow to use \A and \z as regex start and end
• 374d705: [Security] use NullToken while checking authorization
• 281a752: [DependencyInjection] added the name of the env to RuntimeException
• 5256323: [String] added a French inflector
• 32941f2: [FrameworkBundle] deprecated some public services to private
• 7aaf99d: [Console] added info method to symfony style
• f1dc422: [DependencyInjection] resolved parameters in tag arguments
• bea6c99: [Validator] added support for cascade validation on typed properties
• 2d5e7b0: [Console] added signal event

Symfony CLI

Symfony CLI is a must-have tool when developing Symfony applications on your local machine. It includes theSymfony Local Server, the best way to run local Symfony applications. This week Symfony CLI released its new 4.18.2 and4.18.3 versions with the following changes:

• Fix running symfony console on Enterprise clusters fails
• Fix Symfony environment is set to dev during the build stage
• Add missing SYMFONY_APPLICATION_DEFAULT_ROUTE_URL and SYMFONY_PROJECT_DEFAULT_ROUTE_URL when running Local Web Server
• Checkout the first step of the book instead of the last one when running symfony new --book
• Release the CLI as a Docker image
• Fix usage error might show the help of another command with the same name
• Fix symfony composer should not load .env files

Newest issues and pull requests

• Allow listed deprecations to be skipped
• Add debugging shortcut commands
• Symfony Mailer: Multiple Email Transports
• [Validator] Unique constraint value comparison

They talked about us

• Mock API Response using Symfony and Behat
• An update on Bolt 4
• Using Symfony's service iterators for secondary flows
• How to Switch from YAML/XML Configs to PHP Today with Migrify
• How to solve Symfony 5 and Doctrine Migrations Bundle 3 upgrade error
• Symfony 5 book 翻訳本出版

Call to Action

• Follow Symfony on Twitter and retweet this article.
• Subscribe to the Symfony blog RSS and never miss a Symfony story again.

Earlier in June, we've announced the launch of the official Symfony store and it's been a huge success so far! We're already running out of some items but we'll add more great swag soon.

We're now super pleased to ship worldwide, meaning that wherever you are in the world you can receive your Symfony swag! If you're a company ordering from Europe, please contact us to check your VAT options. Create your cart now on our official Symfony store!

You are a Symfony user group or a company interested in ordering 10 or more small Symfony elephpants? Well, the good news is that for any 10 small Symfony elephpants package bought, we offer you a free one, on top of your order (you'll then receive 11 elephpants). This deal only works if you buy 10 elephpants of the same color. Select 11 small elephpants of the same color and add them to your cart, then use the following discount code to get your free one:

• BIG_DEAL_GREY (for an order of 11 small grey Symfony elephpants)
• BIG_DEAL_BLACK (for an order of 11 small black Symfony elephpants)

If you're interested in buying Fabien's book, which is now available in 14 languages (a big shout out again to all the Symfony community members working on translations), you can buy the printed version of the "Symfony 5: the Fast Track" book (available in French or English) on our store and you will receive the PDF version for free.

Buy online all our Symfony swag and receive it anywhere. Prices are excluding taxes and shipping is calculated depending on the country. You want to show the world how much you love Symfony? Here is what you can buy and receive at home:

• Symfony 5: the Fast Track, printed version of the official Symfony book (available in English or French, PDF version included!)
• Small Symfony elePHPant (available in black or grey)
• Big Symfony elePHPant (available in black or grey)
• Symfony t-shirts (several designs available)
• And more!

Each order comes with a surprise gift!

Stay tuned to discover more upcoming products and get our futures limited edition collections.

This week, the HttpClient component added a special EventSourceHttpClient to consume Server-Sent Events. Meanwhile, the Notifier component added new bridges for Zulip and Google Chat. Lastly, the official Symfony Store started shipping all over the world.

Symfony development highlights

This week, 30 pull requests were merged (20 in code and 10 in docs) and 17 issues were closed (14 in code and 3 in docs). Excluding merges, 18 authors made 2,937 additions and 486 deletions. See details for code and docs.

3.4 changelog:

• f92b727: [Validator] sync translations
• 995d784: [Serializer] fix that it will never reach DOMNode

4.4 changelog:

• d81eb08: [FrameworkBundle] fail properly when the required service is not defined

5.1 changelog:

• a8ea11b: [String] updated tests for PHPUnit 9.3
• 0258200: [WebProfilerBundle] removed outdated references from base_js.html.twig file

Master changelog:

• b94eb47: [Console] allowed testing single command apps using CommandTester
• c0a707f: [Security] class Security implements AuthorizationCheckerInterface
• 9db0f20: [Notifier] made Freemobile config more flexible
• b968497: [Notifier] fixed SentMessage implementation
• 558dfa8: [Notifier] added Zulip notifier bridge
• d66a0a7: [HttpClient] added EventSourceHttpClient to consume Server-Sent Events
• e1cfbd2: [Lock] downgrade log.info to log.debug
• 669b3df: [Notifier] added Google Chat bridge
• 7520884: [Notifier] changed notifier recipient handling

Newest issues and pull requests

• Fix accessibility of toolbar toggler
• [Translator] Parse message to get domain from message
• [Validator] Add support uuid v6
• [Testing] Improve error messages of assert methods

They talked about us

• Deploy a Symfony ❤️ application in AWS Lambda 💭
• Symfony search engine with elasticsearch

Call to Action

• Follow Symfony on Twitter and retweet this article.
• Subscribe to the Symfony blog RSS and never miss a Symfony story again.

This week, the upcoming Symfony 5.2 version reworked the signal integration in the Console component, continued improving the new Security system with new events and a NullToken voter and introduced autoconfiguration for DataCollectors.

Symfony development highlights

This week, 57 pull requests were merged (57 in code and 0 in docs) and 37 issues were closed (33 in code and 4 in docs). Excluding merges, 29 authors made 6,393 additions and 944 deletions. See details for code and docs.

3.4 changelog:

• 1dcb67e: [ClassLoader, Routing] fixed namespace parsing on PHP 8
• b45e3ed: fixed deprecated libxml_disable_entity_loader
• 0e9cd90: [Form] fixed mapping errors from unmapped forms
• a77901d: [Yaml] allowed PHP constant as first key in block
• 92eae57: [Validator] added target guards for Composite nested constraints
• 6972bc2: stop using the deprecated at() PHPUnit matcher
• f0778ce: updated Tagalog translation
• 804b8dd: updated Italian translation

4.4 changelog:

• b2e99e2: fixed Redis connect with empty password
• 0f92b9a: [Console] support table cells with newlines after a cell with colspan >= 2
• f3753e9: [Validator] added BC layer for notInRangeMessage when min and max are set
• 7f2726a: [VarDumper] backport handler lock when using VAR_DUMPER_FORMAT

5.1 changelog:

• 5a6b24b: [FrameworkBundle] removed unused form-resources complex type from XSD file
• 49e047b: [FrameworkBundle] added missing router config

Master changelog:

• c5d6c10: [Notifier] added Infobip bridge
• a6c27fd: [HttpKernel] provided status code in fragment handler exception
• 7c522e2: [Serializer] added CompiledClassMetadataFactory
• 8449f70: [FrameworkBundle] do not use deprecated mailer.logger_message_listener service
• d2b5ee0: [Console] allow multiline responses to console questions
• fc8a1ac: [Notifier] add doc for free mobile DSN
• 25095d8: [Workflow] added Context to Workflow Event
• 31c194f: [Security] added event to inspect authenticated token before it becomes effective
• acda2dc: [Notifier] added Mobyt bridge
• fee690a: [FrameworkBundle] allow to leverage autoconfiguration for DataCollectors with template
• a45428c: [Console] different approach on merging application definition
• f3962d4: [Workflow] choose which Workflow events should be dispatched
• ab3b0c9: [VarDumper] added VAR_DUMPER_FORMAT=server format
• 6805d1d: [Messenger] added Beanstalkd bridge
• f99f774: added cache.adapter.redis_tag_aware to use RedisCacheAwareAdapter
• 4703bf8: [Mailer] added a transport that uses php.ini settings for configuration
• ae677cc: [Messenger] don't require doctrine/persistence when installing symfony/messenger
• d6ccc4f: [Console] rework the signal integration
• 1c67261: [Security] added missing NullToken vote
• 08ec459: [Notifier] use Slack Web API chat.postMessage instead of WebHooks
• 8b3df37: [VarDumper] support PHPUnit --colors option

Symfony CLI

Symfony CLI is a must-have tool when developing Symfony applications on your local machine. It includes theSymfony Local Server, the best way to run local Symfony applications. This week Symfony CLI released its new 4.18.4 version with the following changes:

• Fix deploy does not work when using only -project flag
• Add missing option prune-branches to Bitbucket integration
• Add support for MySQL/MariaDB Docker images using MARIADB_ instead of MYSQL_ for en vars
• Allow to use env:debug with the main environment of non production projects
• Allow to use `env:debug --off with any environment on any project
• Fix parsing of PHP and FPM log lines

Newest issues and pull requests

• [Messenger] ReQueue amqp message without retry strategy
• [HttpClient], allow to change the curl_setopt options
• [Routing] TypeErrors in a controller route should return HTTP 400 (Invalid request) instead of 500
• Add ability for commands to read from STDIN and make testing of this part of CommandTester

They talked about us

• Symfony search engine with elasticsearch
• Symfony user checker(check for login of users with status = active) Easy way
• Symfony. Preparando un entorno de desarrollo web en Windows
• SSR: рендеринг ReactJS приложения на бекэнде используя PHP

Call to Action

• Follow Symfony on Twitter and retweet this article.
• Subscribe to the Symfony blog RSS and never miss a Symfony story again.

I've just released 5 additional languages for the Symfony 5 book free online version:

• Spanish
• German
• Russian
• Italian
• Polish

The following translations were already released a couple of weeks ago:

• Chinese
• Persian
• Arabic
• Romanian
• Portuguese (Brazil)
• Dutch

Enjoy reading these new translated versions.

This week, more than 100 pull requests were merged across the board to fix bugs and merge new features. The upcoming Symfony 5.2 version added support for pseudo-localization, Mailer and Notifier components added compatibility with new third-party services and a new build/ directory was added to separate it from the cache directory. In addition, the Symfony 5 book added new languages.

Symfony development highlights

This week, 72 pull requests were merged (56 in code and 16 in docs) and 48 issues were closed (45 in code and 3 in docs). Excluding merges, 40 authors made 4,774 additions and 790 deletions. See details for code and docs.

3.4 changelog:

• 2abf876: [ExpressionLanguage] fixed passing arguments to call_user_func_array() on PHP 8
• 86310de: [Cache] fixed expected exception message on PHP 8
• 9720061: [Validator] updated Polish translation
• c48b1d3: [Validator] updated Lithuanian translation

4.4 changelog:

• 9d995bd: [FrameworkBundle] added missing mailer transports in xsd
• df3ab76: [Messenger] do not stack retry stamp
• 66b9fef: [Serializer] fixed configuration of the cache key
• 7f7b447: [Serializer] fixed getMappedObjectType() when a discriminator child extends another one
• 5cbb019: [Mailer] fixed envelope recipients on sendgridApiTransport
• 3c270fb: [Mailer] reorder headers used to determine Sender
• 1f4c616: [Mailer] fixed mandrill api header structure
• 8f64d70: [Messenger] stop using the deprecated schema synchronizer API

5.1 changelog:

• c426abe: [Lock] MongoDbStore handle duplicate querystring keys in mongodb uri when stripping
• 679cc4d: [PropertyInfo] fixed ReflectionExtractor
• 3c270fb: [Mailer] reorder headers used to determine Sender
• dd19056: [Notifier] fixed base_uri while call auth/time API
• af91bf8: [Mailer] support reply-to in SesApiAsyncAwsTransport
• 8f64d70: [Messenger] stop using the deprecated schema synchronizer API

Master changelog:

• 779303a: [Serializer] fixed Mime message serialization
• fe5021e: [Messenger] fixed BC layer for stamps moved into separate packages
• 09ff501: [Security] verify if the password field is null
• 14c9d05: [Notifier] added LinkedIn provider
• 7974f2a: [Mailer] added Mailjet bridge
• 6539a0f: [BrowserKit] cast all Request parameter values to string
• 27d84db: [Translation] added a pseudo localization translator
• d6980e5: [PropertyAccess] allow to disable magic __get & __set
• dd19056: [Notifier] fixed base_uri while call auth/time API
• 890f8f0: [Mailer] properly format Cc and Bcc for Mailjet API
• e98fdc7: [HttpKernel] added $kernel->getBuildDir() to separate it from the cache directory
• a80dbc5: improved toolbar toggler accessibility
• 28ede1f: [FrameworkBundle] properly choose the best mailer message logger listener
• d4c8be7: improved link script with rollback when using symlink
• f1d1514: [Mailer] added support for Amazon SES ConfigurationSetName
• c281867: [HttpFoundation] added support for X_FORWARDED_PREFIX header

Newest issues and pull requests

• Injecting certain services causes O(n) compilation complexity, while injecting Container is O(1)
• Ability to dump / set a cache value in the console if available
• PHP 8 vs PHP 7 benchmark
• [Messenger] Locking queues to ensure unique id queues
• [Form] Define excluded form types when creating form type extension
• [Translation] Custom cached translation files

They talked about us

• Convert Php/Symfony web app into a Windows Desktop App
• SEO-friendly breadcrumbs with metadata in Symfony’s Twig
• Symfony Doctrine Migrations upgrade to version 3
• JWT Authentication And Refresh Token to API Platform
• Symfony 5 Birthday Reminder Command
• El libro Symfony 5: La vía rápida, ya disponible gratis online

Call to Action

• Follow Symfony on Twitter and retweet this article.
• Subscribe to the Symfony blog RSS and never miss a Symfony story again.

This week Symfony merged a ton of bug fixes, including changes for the upcoming PHP 8 version and polyfills for the PHPUnit 9.1 assertions. A new Semaphore component was introduced, as well as support for translatable objects.

Symfony development highlights

This week, 49 pull requests were merged (40 in code and 9 in docs) and 40 issues were closed (33 in code and 7 in docs). Excluding merges, 34 authors made 5,087 additions and 387 deletions. See details for code and docs.

3.4 changelog:

• b98f2af: [Yaml] fixed more numeric cases changing in PHP 8

4.4 changelog:

• 7da56f3: [PhpUnit] added polyfill for assertMatchesRegularExpression
• 8319669: [PhpUnitBridge] moved assertMatchesRegularExpression in PolyfillAssertTrait
• f4115e7: [PhpUnitBridge] polyfill new phpunit 9.1 assertions
• ac96fda: [PhpUnitBridge] create a predictable symlink pointing to the local install
• 03d494d: [PropertyInfo] backported support for typed properties
• 943cbd8: [FrameworkBundle] do not pass the base uri twice to scoped HTTP clients
• 4d6ea77: [HttpClient] throw when the response factory callable does not return a valid response

5.1 changelog:

• df7950d: [Security] fixed RememberMeAuthenticator::autoLogin() logic in the authenticator
• 885390f: [DependencyInjection] fixed dumping lazy non-shared services
• fc3095f: [HttpClient] fixed chaining promises returned by HttplugClient
• 92cb709: [PropertyAccess] fixed accessing dynamic properties
• 9c86cd2: [TwigBridge] allowed null for $message of filter method trans

Master changelog:

• efdc35c: [Serializer] add special serialization group that allows any group
• bd26785: [Notifier] added Esendex bridge
• 12330e8: [Lock] lazy create table in lock PDO store
• 4a89215: [PropertyInfo] ConstructorExtractor which has higher priority than PhpDocExtractor and ReflectionExtractor
• 160b598: [FrameworkBundle] made AbstractPhpFileCacheWarmer public
• 6d521d4: [Security] renamed provider key to firewall name
• d24f040: [Mailer] added ability to pass custom headers to Mailjet API
• ce8b497: [Semaphore] added the component
• fe4d928: [HttpClient] added an option to use the MockClient in functional tests
• 4002297: [HttpClient] fixed pausing AmpResponse
• ba98fd7: [Mailer] mplemented additional mailer transport options
• 2c4e215: [Security] also mark the authenticator security system experimental in 5.2
• 6c094cc: [PropertyInfo] fixed ReflectionExtractor::getTypesFromConstructor
• dc54cc9: [Translation] translatable objects
• 241af80: [Translation] add support for calling 'trans' with ICU formatted messages
• ba48f00: [Workflow] expose the Metadata Store in the DIC

Newest issues and pull requests

• Get metadata configuration from Transition without having to inject the whole graph

They talked about us

• Three simple testing tricks using PHP and Symfony
• JWT Authentication And Refresh Token to API Platform
• Symfony 5 PhpSpreadsheet (Creating Excel File)
• Symfony API Platform Nedir?

Call to Action

• Follow Symfony on Twitter and retweet this article.
• Subscribe to the Symfony blog RSS and never miss a Symfony story again.

Symfony 3.4.44 has just been released. Here is a list of the most important changes:

• bug #37949 [Yaml] fix more numeric cases changing in PHP 8 (@xabbuh)
• bug #37921 [Yaml] account for i _numeric() behavior changes in PHP 8 (@xabbuh)
• bug #37912 [ExpressionLanguage] fix passing arguments to cal _use _fun _array() on PHP 8 (@xabbuh)
• bug #37853 [Validator] ensure that the validator is a mock object for backwards-compatibility (@xabbuh)
• bug #37845 [Serializer] Fix variadic support when using type hints (@fabpot)
• bug #37725 [Form] Fix Guess phpdoc return type (@franmomu)
• bug #37771 Use PHPUnit 9.3 on php 8 (@derrabus)
• bug #35843 [Validator] Add target guards for Composite nested constraints (@ogizanagi)
• bug #37744 [Yaml] Fix for #36624; Allow PHP constant as first key in block (@jnye)
• bug #37767 [Form] fix mapping errors from unmapped forms (@xabbuh)
• bug #37763 Fix deprecated libxm _disabl _entit _loader (@jderusse)
• bug #37774 [Console] Make sure we pass a numeric array of arguments to cal _use _fun _array() (@derrabus)
• bug #37701 [Serializer] Fix that it will never reach DOMNode (@TNAJanssen)
• bug #37671 [Cache] fix saving no-expiry items with ArrayAdapter (@philipp-kolesnikov)
• bug #37700 [VarDumper] Improve previous fix on light array coloration (@l-vo)

Want to upgrade to this new release? Because Symfony protects backwards-compatibility very closely, this should be quite easy. UseSymfonyInsight upgrade reports to detect the code you will need to change in your project andread our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.

Symfony 4.4.12 has just been released. Here is a list of the most important changes:

• bug #37966 [HttpClient][MockHttpClient][DX] Throw when the response factory callable does not return a valid response (@fancyweb)
• bug #37971 [PropertyInfo] Backport support for typed properties (PHP 7.4) (@dunglas)
• bug #37970 [PhpUnitBridge] Polyfill new phpunit 9.1 assertions (@phpfour)
• bug #37960 [PhpUnit] Add polyfill for assertMatchesRegularExpression() (@dunglas)
• bug #37949 [Yaml] fix more numeric cases changing in PHP 8 (@xabbuh)
• bug #37921 [Yaml] account for i _numeric() behavior changes in PHP 8 (@xabbuh)
• bug #37912 [ExpressionLanguage] fix passing arguments to cal _use _fun _array() on PHP 8 (@xabbuh)
• bug #37907 [Messenger] stop using the deprecated schema synchronizer API (@xabbuh)
• bug #37900 [Mailer] Fixed mandrill api header structure (@wulff)
• bug #37888 [Mailer] Reorder headers used to determine Sender (@cvmiert)
• bug #37872 [Sendgrid-Mailer] Fixed envelope recipients on sendgridApiTransport (@arendjantetteroo)
• bug #37860 [Serializer][ClassDiscriminatorMapping] Fix getMappedObjectType() when a discriminator child extends another one (@fancyweb)
• bug #37853 [Validator] ensure that the validator is a mock object for backwards-compatibility (@xabbuh)
• bug #36340 [Serializer] Fix configuration of the cache key (@dunglas)
• bug #36810 [Messenger] Do not stack retry stamp (@jderusse)
• bug #37849 [FrameworkBundle] Add missing mailer transports in xsd (@l-vo)
• bug #37586 [ErrorHandler][DebugClassLoader] Add mixed and static return types support (@fancyweb)
• bug #37845 [Serializer] Fix variadic support when using type hints (@fabpot)
• bug #37841 [VarDumper] Backport handler lock when using VA _DUMPE _FORMAT (@ogizanagi)
• bug #37725 [Form] Fix Guess phpdoc return type (@franmomu)
• bug #37771 Use PHPUnit 9.3 on php 8 (@derrabus)
• bug #36140 [Validator] Add BC layer for notInRangeMessage when min and max are set (@l-vo)
• bug #35843 [Validator] Add target guards for Composite nested constraints (@ogizanagi)
• bug #37803 Fix for issue #37681 (@Rav)
• bug #37744 [Yaml] Fix for #36624; Allow PHP constant as first key in block (@jnye)
• bug #37767 [Form] fix mapping errors from unmapped forms (@xabbuh)
• bug #37731 [Console] Table: support cells with newlines after a cell with colspan >= 2 (@GMTA)
• bug #37791 Fix redis connect with empty password (@alexander-schranz)
• bug #37790 Fix deprecated libxm _disabl _entit _loader (@fabpot)
• bug #37763 Fix deprecated libxm _disabl _entit _loader (@jderusse)
• bug #37774 [Console] Make sure we pass a numeric array of arguments to cal _use _fun _array() (@derrabus)
• bug #37729 [FrameworkBundle] fail properly when the required service is not defined (@xabbuh)
• bug #37701 [Serializer] Fix that it will never reach DOMNode (@TNAJanssen)
• bug #37671 [Cache] fix saving no-expiry items with ArrayAdapter (@philipp-kolesnikov)
• bug #37102 [WebProfilerBundle] Fix error with custom function and web profiler routing tab (@JakeFr)
• bug #37560 [Finder] Fix GitIgnore parser when dealing with (sub)directories and take order of lines into account (@Jeroeny)
• bug #37700 [VarDumper] Improve previous fix on light array coloration (@l-vo)
• bug #37705 [Mailer] Added the missing reset tag to mailer.logge _messag _listener (@vudaltsov)
• bug #37697 [Messenger] reduce column length for MySQL 5.6 compatibility (@xabbuh)

Want to upgrade to this new release? Because Symfony protects backwards-compatibility very closely, this should be quite easy. UseSymfonyInsight upgrade reports to detect the code you will need to change in your project andread our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.

Symfony 5.1.4 has just been released. Here is a list of the most important changes:

• bug #37966 [HttpClient][MockHttpClient][DX] Throw when the response factory callable does not return a valid response (@fancyweb)
• bug #37971 [PropertyInfo] Backport support for typed properties (PHP 7.4) (@dunglas)
• bug #37970 [PhpUnitBridge] Polyfill new phpunit 9.1 assertions (@phpfour)
• bug #37960 [PhpUnit] Add polyfill for assertMatchesRegularExpression() (@dunglas)
• bug #37941 [TwigBridge] allow null for $message of filter method trans (@Flinsch)
• bug #37622 [PropertyAccess] Fix accessing dynamic properties (@andreyserdjuk)
• bug #37927 [HttpClient] fix chaining promises returned by HttplugClient (@CthulhuDen)
• bug #37953 [DI] fix dumping lazy non-shared services (@nicolas-grekas)
• bug #37949 [Yaml] fix more numeric cases changing in PHP 8 (@xabbuh)
• bug #37943 [Security] Fixed RememberMeAuthenticator::autoLogin() logic in the authenticator (@wouterj)
• bug #37921 [Yaml] account for i _numeric() behavior changes in PHP 8 (@xabbuh)
• bug #37913 [Mailer] Support Return-Path in SesApiAsyncAwsTransport (@cvmiert)
• bug #37912 [ExpressionLanguage] fix passing arguments to cal _use _fun _array() on PHP 8 (@xabbuh)
• bug #37907 [Messenger] stop using the deprecated schema synchronizer API (@xabbuh)
• bug #37899 [Mailer] Support reply-to in SesApiAsyncAwsTransport (@cvmiert)
• bug #37900 [Mailer] Fixed mandrill api header structure (@wulff)
• bug #37890 [Notifier] Fixed bas _uri while call auth/time API (@leblanc-simon)
• bug #37888 [Mailer] Reorder headers used to determine Sender (@cvmiert)
• bug #37857 [PropertyInfo] Fix ReflectionExtractor + minor tweaks (@ogizanagi)
• bug #37868 [Lock] MongoDbStore handle duplicate querystring keys in mongodb uri when stripping (@kralos)
• bug #37872 [Sendgrid-Mailer] Fixed envelope recipients on sendgridApiTransport (@arendjantetteroo)
• bug #37860 [Serializer][ClassDiscriminatorMapping] Fix getMappedObjectType() when a discriminator child extends another one (@fancyweb)
• bug #37826 [Messenger] Fix BC layer for stamps moved into separate packages (@ogizanagi)
• bug #37853 [Validator] ensure that the validator is a mock object for backwards-compatibility (@xabbuh)
• bug #36340 [Serializer] Fix configuration of the cache key (@dunglas)
• bug #36810 [Messenger] Do not stack retry stamp (@jderusse)
• bug #37849 [FrameworkBundle] Add missing mailer transports in xsd (@l-vo)
• bug #37218 [Lock] MongoDbStore skim non-standard options from uri (@kralos)
• bug #37586 [ErrorHandler][DebugClassLoader] Add mixed and static return types support (@fancyweb)
• bug #37845 [Serializer] Fix variadic support when using type hints (@fabpot)
• bug #37841 [VarDumper] Backport handler lock when using VA _DUMPE _FORMAT (@ogizanagi)
• bug #37821 Postpone Range BC layer removal to 6.0. (@l-vo)
• bug #37725 [Form] Fix Guess phpdoc return type (@franmomu)
• bug #37771 Use PHPUnit 9.3 on php 8 (@derrabus)
• bug #36140 [Validator] Add BC layer for notInRangeMessage when min and max are set (@l-vo)
• bug #35843 [Validator] Add target guards for Composite nested constraints (@ogizanagi)
• bug #37803 Fix for issue #37681 (@Rav)
• bug #37744 [Yaml] Fix for #36624; Allow PHP constant as first key in block (@jnye)
• bug #37767 [Form] fix mapping errors from unmapped forms (@xabbuh)
• bug #37731 [Console] Table: support cells with newlines after a cell with colspan >= 2 (@GMTA)
• bug #37791 Fix redis connect with empty password (@alexander-schranz)
• bug #37790 Fix deprecated libxm _disabl _entit _loader (@fabpot)
• bug #37763 Fix deprecated libxm _disabl _entit _loader (@jderusse)
• bug #37774 [Console] Make sure we pass a numeric array of arguments to cal _use _fun _array() (@derrabus)
• bug #37770 [String] We cannot have a “provides” function in test cases (@derrabus)
• bug #37729 [FrameworkBundle] fail properly when the required service is not defined (@xabbuh)
• bug #37701 [Serializer] Fix that it will never reach DOMNode (@TNAJanssen)
• bug #37671 [Cache] fix saving no-expiry items with ArrayAdapter (@philipp-kolesnikov)
• bug #37102 [WebProfilerBundle] Fix error with custom function and web profiler routing tab (@JakeFr)
• bug #37560 [Finder] Fix GitIgnore parser when dealing with (sub)directories and take order of lines into account (@Jeroeny)
• bug #37700 [VarDumper] Improve previous fix on light array coloration (@l-vo)
• bug #37654 [Messenger] Fix invalid option sslmode in AmazonSqs bridge (@jderusse)
• bug #37705 [Mailer] Added the missing reset tag to mailer.logge _messag _listener (@vudaltsov)
• bug #37697 [Messenger] reduce column length for MySQL 5.6 compatibility (@xabbuh)
• bug #37690 HttpClient profiler error (@noniagriconomie)

Want to upgrade to this new release? Because Symfony protects backwards-compatibility very closely, this should be quite easy. UseSymfonyInsight upgrade reports to detect the code you will need to change in your project andread our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.

In the last few years, the way applications log messages has changed. Using files was the common way to store logs but with the Cloud (read containers, Docker, and the likes), using stderr to stream logs is recommended.

Did you know that you don’t need Monolog to capture application logs? Since Symfony 3.4, the Symfony HttpKernel component comes with a default PSR3 logger that logs everything in stderr, without the help of any other packages. This feature was added along side the introduction of Flex as new applications start with no extra packages, and so no logger. Loggin via stderr was chosen with containers in mind.

By default, new Symfony applications log in stderr via this default HttpKernel logger. It is probably enough for small applications; I’m using it for fabbot and Twig’s website for instance.

Using Monolog is still very useful as it comes with way more options and configurability. But for historic reasons, and probably practicability on dedicated servers, Monolog default recipe still uses a file to store logs (%kernel.logs_dir%/%kernel.environment%.log). The Symfony Kernel class even has a getLogDir() method as defined in the Kernel interface.

It might make sense on a development server (more on that later), but in production, stderr is a better option, especially when using Docker, SymfonyCloud, lambdas, … So, I now recommend to use php://stderr as the path for Monolog:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

--- a/config/packages/prod/monolog.yaml+++ b/config/packages/prod/monolog.yaml@@ -11,7 +11,7 @@ monolog:
            members: [nested, buffer]
        nested:
            type: stream-            path: "%kernel.logs_dir%/%kernel.environment%.log"+            path: php://stderr
            level: debug
        buffer:
            type: buffer

On SymfonyCloud, using stderr also has a few added benefits (the same should apply to most containerized platforms). Even if in the end, the logs sent to stderr end up in a file as well: app.log. You might wonder how this could be better than using a dedicated file then. First, the app.log file is “managed” by SymfonyCloud: it is automatically rotated (no more log files growing indefinitely until it fills up your disk), the app.log file is stored in a local and fast disk instead of a network disk (which is used when storing files under var/log/). It might also be less expensive as you don’t “waste” network disk capacity with ephemeral logs.

Using stderr also means that there is one less write-able directory needed by Symfony (don’t forget to log deprecation notices in stderr as well and check that no third-party bundles write into the getLogDir() directory).

What about development? Can you use stderr as well? The answer is yes and I recommend you to do so as well.

If you are using PHP-FPM, you need to configure it to “forward” logs to FPM logs (which can be streamed on stderr as well!):

1
2
3

; Ensure worker stdout and stderr are sent to the main error logcatch_workers_output=yesdecorate_workers_output=no (7.3+ only)

If you are using Symfony CLI, that’s the default configuration for PHP-FPM and logs are automatically “un-decorated” for all PHP versions.

Happy logging!

Affected versions

Symfony 4.3, 4.4.0 to 4.4.12, 5.0, and 5.1.0 to 5.1.4 versions of the Symfony HttpClient component are affected by this security issue.

The issue has been fixed in Symfony 4.4.13 and 5.1.5. Symfony 4.3 and 5.0 won't be patched as they are not maintained anymore.

Description

The CachingHttpClient class from the HttpClient Symfony componeny relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible.

Resolution

HTTP headers designed for internal use in HttpCache are now stripped from remote responses before being passed to HttpCache.

The patch for this issue is available here for the 4.4 branch.

Credits

I would like to thank Matthias Pigulla (webfactory GmbH) for reporting and fixing the issue.