Symfony 5.4.9 has just been released. Here is the list of the most important changes since 5.4.8:
bug #46386 [Console] Fix missing negative variation of negatable options in shell completion (@GromNaN)
bug #46448 [DependencyInjection] Fix "proxy" tag: resolve its parameters and pass it to child definitions (@nicolas-grekas)
bug #46442 [FrameworkBundle] Revert "bug #46125 Always add CacheCollectorPass (fancyweb)" (@chalasr)
bug #46443 [DoctrineBridge] Don't reinit managers when they are proxied as ghost objects (@nicolas-grekas)
bug #46427 [FrameworkBundle] fix wiring of annotations.cached_reader (@nicolas-grekas)
bug #46425 [DependencyInjection] Ignore unused bindings defined by attribute (@nicolas-grekas)
bug #46434 [FrameworkBundle] Fix BC break in abstract config commands (@yceruto)
bug #46424 [Form] do not accept array input when a form is not multiple (@xabbuh)
bug #46367 [Mime] Throw exception when body in Email attach method is not ok (@alamirault)
bug #46421 [VarDumper][VarExporter] Deal with DatePeriod->include_end_date on PHP 8.2 (@nicolas-grekas)
bug #46401 [Cache] Throw when "redis_sentinel" is used with a non-Predis "class" option (@buffcode)
bug #46414 Bootstrap 4 fieldset for row errors (@konradkozaczenko)
bug #46412 [FrameworkBundle] Fix dumping extension config without bundle (@yceruto)
bug #46382 [HttpClient] Honor "max_duration" when replacing requests with async decorators (@nicolas-grekas)
bug #46407 [Filesystem] Safeguard (sym)link calls (@derrabus)
bug #46098 [Form] Fix same choice loader with different choice values (@HeahDude)
bug #46380 [HttpClient] Add missing HttpOptions::setMaxDuration() (@nicolas-grekas)
bug #46249 [HttpFoundation] [Session] Regenerate invalid session id (@peter17)
bug #46328 [Config] Allow scalar configuration in PHP Configuration (@jderusse, @HypeMC)
bug #46366 [Mime] Add null check for EmailHeaderSame (@magikid)
bug #46364 [Config] Fix looking for single files in phars with GlobResource (@nicolas-grekas)
bug #46365 [HttpKernel] Revert "bug #46327 Allow ErrorHandler ^5.0 to be used" (@nicolas-grekas)
bug #46114 Fixes "Incorrectly nested style tag found" error when using multi-line header content (@Perturbatio)
bug #46325 [Ldap] Fix LDAP connection options (@buffcode)
bug #46341 Fix aliases handling in command name completion (@Seldaek)
bug #46317 [Security/Http] Ignore invalid URLs found in failure/success paths (@nicolas-grekas)
bug #46309 [Security] Fix division by zero (@tvlooy)
bug #46327 [HttpKernel] Allow ErrorHandler ^5.0 to be used in HttpKernel 4.4 (@mpdude)
bug #46297 [Serializer] Fix JsonSerializableNormalizer ignores circular reference handler in $context (@BreyndotEchse)
bug #46291 [Console] Suppress unhandled error in some specific use-cases. (@rw4lll)
bug #46302 [ErrorHandler] Fix list of tentative return types (@nicolas-grekas)
bug #45981 [Serializer][PropertyInfo] Fix support for "false" built-in type on PHP 8.2 (@alexandre-daubois)
bug #46277 [HttpKernel] Fix SessionListener without session in request (@edditor)
bug #46282 [DoctrineBridge] Treat firstResult === 0 like null (@derrabus)
bug #46239 [Translation] Refresh local translations on PushCommand if the provider has domains (@Florian-B)
bug #46278 [Workflow] Fix deprecated syntax for interpolated strings (@nicolas-grekas)
bug #46264 [Console] Better required argument check in InputArgument (@jnoordsij)
bug #46262 [EventDispatcher] Fix removing listeners when using first-class callable syntax (@javer)
bug #46216 [Form] fix populating single widget time view data with different timezones (@xabbuh)
bug #46221 [DomCrawler][VarDumper] Fix html-encoding emojis (@nicolas-grekas)
bug #46167 [VarExporter] Fix exporting DateTime objects on PHP 8.2 (@nicolas-grekas)
Want to upgrade to this new release? Because Symfony protects backwards-compatibility very closely, this should be quite easy. Use SymfonyInsight upgrade reports to detect the code you will need to change in your project and read our upgrade documentation to learn more.
Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.
https://symfony.com/blog/symfony-5-4-9-released?utm_source=Symfony%20Blog%20Feed&utm_medium=feed