Bump the php-prod group across 1 directory with 14 updates

[dependabot]

Bumps the php-prod group with 10 updates in the / directory:

Package	From	To
doctrine/dbal	3.10.4	3.10.5
doctrine/orm	3.6.1	3.6.2
nelmio/security-bundle	3.7.0	3.9.0
symfony/expression-language	7.4.0	7.4.8
symfony/form	7.4.3	7.4.8
symfony/runtime	7.4.1	7.4.8
symfony/security-bundle	7.4.0	7.4.6
symfony/translation	7.4.3	7.4.8
symfony/twig-bundle	7.4.3	7.4.8
twig/extra-bundle	3.22.2	3.24.0

Updates doctrine/dbal from 3.10.4 to 3.10.5

Release notes

Sourced from doctrine/dbal's releases.

3.10.5

Release Notes for 3.10.5

3.10.5

• Total issues resolved: 0
• Total pull requests resolved: 13
• Total contributors: 6

CI

• 7319: Bump laminas/automatic-releases from 1.25.0 to 1.26.2 thanks to @​dependabot[bot]
• 7259: Bump dessant/lock-threads from 5 to 6 thanks to @​dependabot[bot]
• 7258: Bump actions/upload-artifact from 5 to 6 thanks to @​dependabot[bot]
• 7257: Bump actions/download-artifact from 6 to 7 thanks to @​dependabot[bot]
• 7235: chore: show parameters in name of CI jobs thanks to @​alexislefebvre

Dependencies,Test Suite

• 7298: Bump PHPUnit version thanks to @​greg0ire

Dependencies

• 7292: Bump coding standard tools thanks to @​greg0ire

CI,MariaDB,MySQL

• 7283: Test against newer MySQL/MariaDB releases thanks to @​derrabus

CI,SQL Server

• 7279: Test against SQL Server 2025 in nightly builds thanks to @​morozov
• 7265: Test against SQL Server 2025 thanks to @​derrabus

Bug

• 7272: Add phpstan-baseline.neon, CONTRIBUTING.md, README.md to export-ignore list thanks to @​sasezaki

CI,PHP,pdo_oci

• 7236: Test Oracle drivers on PHP 8.5 thanks to @​derrabus

Documentation

• 7233: Prepare the 4.4.0 release thanks to @​derrabus

Commits

• 95d8486 Bump laminas/automatic-releases from 1.25.0 to 1.26.2 (#7319)
• 49c3ccf Bump PHPUnit version (#7298)
• 817ef04 Merge pull request #7292 from greg0ire/bump-cs
• c497c12 Bump coding standard tools
• 8ff8387 Test against newer MySQL/MariaDB releases (#7283)
• 1650fe6 Merge pull request #7279 from morozov/sql-server-nightly
• 5b21a4b Test against SQL Server 2025 nightly
• 2821991 Merge pull request #7272 from sasezaki/patch-1
• ceb3e3a Also add README.md,CONTRIBUTING.md to export-ignore list - https://github.com...
• 48172cd Add phpstan-baseline.neon to export-ignore list
• Additional commits viewable in compare view

Updates doctrine/orm from 3.6.1 to 3.6.2

Release notes

Sourced from doctrine/orm's releases.

3.6.2

Release Notes for 3.6.2

3.6.x bugfix release (patch)

3.6.2

• Total issues resolved: 0
• Total pull requests resolved: 2
• Total contributors: 2

Bugfix

• [12366: fix: update index to be serialized in __sleep()](doctrine/orm#12366) thanks to @​vvaswani

Improvement

• 12343: Update phpstan-dbal2 to phpstan-dbal3 in .gitattributes thanks to @​sasezaki

Commits

• 4262eb4 fix: update index to be serialized in __sleep() (#12366)
• d3b47d2 Merge pull request #12355 from doctrine/2.20.x
• 026f5bf Merge pull request #12350 from greg0ire/missing-order-by
• 0b0f2f4 Add missing ORDER BY clause
• 0bd839a Merge pull request #12345 from greg0ire/3.6.x
• b65004f Merge remote-tracking branch 'origin/2.20.x' into 3.6.x
• d2418ab Merge pull request #12344 from greg0ire/update-baseline
• 39a05e3 Update PHPStan baseline
• ab156a5 Update phpstan-dbal2 to phpstan-dbal3 in .gitattributes (#12343)
• See full diff in compare view

Updates nelmio/security-bundle from 3.7.0 to 3.9.0

Release notes

Sourced from nelmio/security-bundle's releases.

v3.9.0

What's Changed

• Added PHPUnit assertions for security headers and update testing documentation by @​Spomky in nelmio/NelmioSecurityBundle#389

Full Changelog: nelmio/NelmioSecurityBundle@v3.8.0...v3.9.0

v3.8.0

What's Changed

• Add Cross-Origin Policy feature with configurable headers (COEP, COOP, CORP) by @​Spomky in nelmio/NelmioSecurityBundle#372

Full Changelog: nelmio/NelmioSecurityBundle@v3.7.0...v3.8.0

Commits

• 86dd4d1 Merge pull request #389 from Spomky/feature/test-assertions
• 0dc7667 feat(tests): Add PHPUnit assertions for security headers and update testing d...
• 2fafee1 Merge pull request #372 from Spomky/features/cross-origin-policy
• 63da27e Add Cross-Origin Policy feature with configurable headers (COEP, COOP, CORP)
• See full diff in compare view

Updates symfony/config from 7.4.3 to 7.4.8

Release notes

Sourced from symfony/config's releases.

v7.4.8

Changelog (symfony/config@v7.4.7...v7.4.8)

• no significant changes

v7.4.7

Changelog (symfony/config@v7.4.6...v7.4.7)

• no significant changes

v7.4.6

Changelog (symfony/config@v7.4.5...v7.4.6)

• bug #54236 Fix exclude option being ignored for non-glob and PSR-4 resources (@​NeilPeyssard)
• bug #63478 Fix ArrayShapeGenerator required keys with deep merging (@​lacatoire)
• bug #63450 Fix missing resource tracking for type extensions in FormPass (@​ranpafin)

v7.4.4

Changelog (symfony/config@v7.4.3...v7.4.4)

• bug #63053 add back missing enabled key in normalization step (xabbuh)
• bug #63002 Fix merging node that canBeDisable()/canBeEnabled() (nicolas-grekas)
• bug #62920 Allow ParamConfigurator in ParametersConfig (@​jack-worman)

Commits

• 2d19dde Configure deprecation triggers
• 9ae4cec [Config] Fix invalid array-shape
• 6c17162 [Config] Fix NodeDefinition template to be covariant
• 9400e2f Merge branch '6.4' into 7.4
• ce9cb0c [Config][Routing] Fix exclude option being ignored for non-glob and PSR-4 res...
• 69271cf bug #63478 [Config] Fix ArrayShapeGenerator required keys with deep merging (...
• f2dbc7f [Config] Fix ArrayShapeGenerator required keys with deep merging
• 14a2318 Merge branch '6.4' into 7.4
• 5254855 [Form] Add resource tracking for type extension classes in FormPass
• 4275b53 Merge branch '7.3' into 7.4
• Additional commits viewable in compare view

Updates symfony/console from 7.4.3 to 7.4.8

Release notes

Sourced from symfony/console's releases.

v7.4.8

Changelog (symfony/console@v7.4.7...v7.4.8)

• bug #63749 Fix performance regression in OutputFormatter for ASCII content (@​pcescon)

v7.4.7

Changelog (symfony/console@v7.4.6...v7.4.7)

• bug #63604 Fix ApplicationTester ignoring interactive and verbosity options when SHELL_VERBOSITY is set (@​nicolas-grekas)
• bug #63570 Fix OUTPUT_RAW corrupting binary content on Windows (@​guillaumeVDP)

v7.4.6

Changelog (symfony/console@v7.4.5...v7.4.6)

• bug #47432 Fix various completion edge cases (@​Seldaek)
• bug #63456 Fix validator exception masked by MissingInputException on empty input (@​nicolas-grekas)
• bug #63444 Fix arguments set via # wrongly considered null in profiler (@​chalasr)
• bug #63438 ProgressIndicator console helper display with multiple processes (@​guillaumeVDP)
• bug #63436 Silence shell_exec warning in hasSttyAvailable (@​lacatoire)
• bug #63415 Fix profiling commands that use # (@​chalasr)
• bug #63368 Fix ProgressBar remaining and estimated placeholder guards (@​yoeunes)
• bug #63351 Fix SymfonyStyle block output with \r\n line endings (@​lacatoire)
• bug #63281 Treat emoji VS16 as wide in width calc (@​fabpot)
• bug #63238 Fall back to 0 when getCode() does not provide an integer (@​makomweb)

v7.4.4

Changelog (symfony/console@v7.4.3...v7.4.4)

• no significant changes

Commits

• 1e92e39 Merge branch '6.4' into 7.4
• 9f481cf [Console] Fix performance regression in OutputFormatter for ASCII content
• f2ef86f Configure deprecation triggers
• e1e6770 Fix merge
• 66aaab8 Merge branch '6.4' into 7.4
• 49257c9 [Console] Fix ApplicationTester ignoring interactive and verbosity opti...
• de4f40b Merge branch '6.4' into 7.4
• 4d5318a [Console] Fix OUTPUT_RAW corrupting binary content on Windows
• 6d643a9 Fix merge
• 87fb10f Merge branch '6.4' into 7.4
• Additional commits viewable in compare view

Updates symfony/expression-language from 7.4.0 to 7.4.8

Release notes

Sourced from symfony/expression-language's releases.

v7.4.8

Changelog (symfony/expression-language@v7.4.7...v7.4.8)

• no significant changes

v7.4.4

Changelog (symfony/expression-language@v7.4.3...v7.4.4)

• no significant changes

Commits

• 87ff956 Configure deprecation triggers
• f3a6497 Merge branch '7.3' into 7.4
• bb4594c Merge branch '6.4' into 7.3
• 89c10ef do not use PHPUnit mock objects without configured expectations
• See full diff in compare view

Updates symfony/form from 7.4.3 to 7.4.8

Release notes

Sourced from symfony/form's releases.

v7.4.8

Changelog (symfony/form@v7.4.7...v7.4.8)

• bug #63656 Fix typed property initialization in ValidatorExtension (@​SeverinGloeckle)

v7.4.7

Changelog (symfony/form@v7.4.6...v7.4.7)

• bug #63589 Fix session data contamination by non-serializable objects in form flow (@​nicolas-grekas)
• bug #63572 Fix duplicate validation errors when ValidatorExtension is instantiated multiple times (@​nicolas-grekas)

v7.4.6

Changelog (symfony/form@v7.4.5...v7.4.6)

• bug #54324 Fix merging POST params and files when collection entries have mismatched indices (@​priyadi)
• bug #63450 Fix missing resource tracking for type extensions in FormPass (@​ranpafin)

v7.4.4

Changelog (symfony/form@v7.4.3...v7.4.4)

• bug #63144 Fix OrderedHashMap auto-increment logic with mixed keys (yoeunes)
• bug #63154 don't skip custom view transformers while normalizing submitted newlines (xabbuh)
• bug #63113 Fix ICU 72+ whitespace handling in DateTimeToLocalizedStringTransformer (roukmoute)
• bug #62884 Prevent cached block prefixes from leaking across nested collections (@​nicolas-grekas)

Commits

• fbb79fc Configure deprecation triggers
• 6bdfce0 Fix merge
• 5f8657b Merge branch '6.4' into 7.4
• 3a38a81 [Form] Fix typed property initialization in ValidatorExtension
• 5f24175 [Form] Fix session data contamination by non-serializable objects in form flow
• 72325e3 Merge branch '6.4' into 7.4
• 37b2f68 [Form] Fix duplicate validation errors when ValidatorExtension is instantiate...
• 1ec55f7 Merge branch '6.4' into 7.4
• ed9275a [Form] Fix merging POST params and files when collection entries have mismatc...
• dfe3a51 Merge branch '6.4' into 7.4
• Additional commits viewable in compare view

Updates symfony/http-foundation from 7.4.3 to 7.4.8

Release notes

Sourced from symfony/http-foundation's releases.

v7.4.8

Changelog (symfony/http-foundation@v7.4.7...v7.4.8)

• no significant changes

v7.4.7

Changelog (symfony/http-foundation@v7.4.6...v7.4.7)

• bug #63603 Fix session cookie_lifetime not applied in mock session storage (@​nicolas-grekas)

v7.4.6

Changelog (symfony/http-foundation@v7.4.5...v7.4.6)

• bug #63448 Handle empty session data in updateTimestamp() to fix compat with PHP 8.6 (@​nicolas-grekas)
• bug #63319 BinaryFileResponse: always return 206 if Range is valid (@​Jimbolino)
• bug #63262 Reject invalid paths (@​nicolas-grekas)
• bug #54304 When calling UploadedFile::getErrorMessage() to a file which has no error and is uploaded successfully, it should not return an error (@​ArmCyber)
• bug #63230 fix engine declaration on mysql pdo table creations (@​tandev)

v7.4.5

Changelog (symfony/http-foundation@v7.4.4...v7.4.5)

• bug #63137 Fix PdoSessionHandler charset-collation mismatch with the Doctrine DBAL (@​samy-mahmoudi)

v7.4.4

Changelog (symfony/http-foundation@v7.4.3...v7.4.4)

• bug #63012 Fix double-prefixing of session keys when using redis/memcached (@​nicolas-grekas)

Commits

• 9381209 Configure deprecation triggers
• f94b3e7 Merge branch '6.4' into 7.4
• cffffd0 [HttpFoundation] Fix session cookie_lifetime not applied in mock session storage
• fd97d5e Merge branch '6.4' into 7.4
• 5bb346d [HttpFoundation] Handle empty session data in updateTimestamp() to fix compat...
• 17de1a3 Merge branch '6.4' into 7.4
• 31b030e stop using with*() without expects()
• 36ba5c7 Merge branch '6.4' into 7.4
• 31e2a27 BinaryFileResponse: always return 206 if Range is valid
• 669ac23 Merge branch '6.4' into 7.4
• Additional commits viewable in compare view

Updates symfony/runtime from 7.4.1 to 7.4.8

Release notes

Sourced from symfony/runtime's releases.

v7.4.8

Changelog (symfony/runtime@v7.4.7...v7.4.8)

• no significant changes

Commits

• 6d792a6 Configure deprecation triggers
• See full diff in compare view

Updates symfony/security-bundle from 7.4.0 to 7.4.6

Release notes

Sourced from symfony/security-bundle's releases.

v7.4.6

Changelog (symfony/security-bundle@v7.4.5...v7.4.6)

• bug #63454 Fix lazy firewall triggering remember me authentication on POST requests to public routes (@​nicolas-grekas)
• bug #63439 Update security-1.0.xsd with missing oauth2 element (@​welcoMattic)

v7.4.4

Changelog (symfony/security-bundle@v7.4.3...v7.4.4)

• bug #62973 fix the security profiler template (@​aurac)

Commits

• d79c6d9 Merge branch '6.4' into 7.4
• f67bd24 [Security] Fix lazy firewall triggering remember me authentication on POST re...
• f738b7b Update security-1.0.xsd with missing oauth2 element
• a907dbe Merge branch '6.4' into 7.4
• 31604f8 remove usages of the deprecated any() invoked count expectation
• a325e38 use PHPUnit 13 on PHP 8.4+
• 7281b64 Merge branch '7.3' into 7.4
• 03d6ba1 bug #62973 [WebProfiler] fix the security profiler template (aurac)
• 4289702 [WebProfiler] fix the security profiler template
• 1a55c47 Merge branch '7.3' into 7.4
• Additional commits viewable in compare view

Updates symfony/translation from 7.4.3 to 7.4.8

Release notes

Sourced from symfony/translation's releases.

v7.4.8

Changelog (symfony/translation@v7.4.7...v7.4.8)

• no significant changes

v7.4.6

Changelog (symfony/translation@v7.4.5...v7.4.6)

• bug #63231 Fix for Crowdin Translation File Replaced with Partial Data When Pushing Default Locale Without --force (@​bhdnb)

v7.4.4

Changelog (symfony/translation@v7.4.3...v7.4.4)

• bug #63064 Fix handling of empty lines in CsvFileLoader (@​fnogatz)

Commits

• 33600f8 Configure deprecation triggers
• 1888cf0 Merge branch '6.4' into 7.4
• d07d117 remove usages of the deprecated any() invoked count expectation
• bfde137 Merge branch '7.3' into 7.4
• 3d2b54f Merge branch '6.4' into 7.3
• d6cc8e2 [Translation] Fix handling of empty lines in CsvFileLoader
• See full diff in compare view

Updates symfony/twig-bundle from 7.4.3 to 7.4.8

Release notes

Sourced from symfony/twig-bundle's releases.

v7.4.8

Changelog (symfony/twig-bundle@v7.4.7...v7.4.8)

• no significant changes

v7.4.4

Changelog (symfony/twig-bundle@v7.4.3...v7.4.4)

• no significant changes

Commits

• ba1e06d Configure deprecation triggers
• e8829e0 Merge branch '7.3' into 7.4
• 5dfe33a Merge branch '6.4' into 7.3
• a5c8dcc do not use PHPUnit mock objects without configured expectations
• See full diff in compare view

Updates twig/extra-bundle from 3.22.2 to 3.24.0

Release notes

Sourced from twig/extra-bundle's releases.

v3.24.0

Changelog (twigphp/twig-extra-bundle@v3.23.0...v3.24.0)

• no significant changes

v3.23.0

No release notes provided.

Commits

• 6a621fc Fix CS
• 7a27e78 minor #4718 Add .gitignore & .gitattributes to all .gitattributes (jmsche)
• 8f6488a Add .gitignore & .gitattributes to all .gitattributes
• See full diff in compare view

Updates twig/twig from 3.22.2 to 3.24.0

Release notes

Sourced from twig/twig's releases.

v3.24.0

Changelog (twigphp/Twig@v3.23.0...v3.24.0)

• feature #3930 Add an html_attr function to make outputting HTML attributes easier (@​mpdude, @​polarbirke)
• bug #4778 Fix null coalescing operator with imported macros (@​fabpot)
• feature #4775 Add getOperatorTokens() to ExpressionParserInterface to separate operator token registration from parser identity (@​fabpot)
• bug #4774 Ensure filters/attributes aren't mistaken for operators (@​brandonkelly)
• feature #4771 Deprecate passing non AbstractExpression nodes to MatchesBinary (@​fabpot)
• feature #4769 Deprecate passing a non-AbstractExpression node to Parser::setParent() (@​fabpot)
• feature #4748 Support short-circuiting in null-safe operator chains (@​HypeMC)
• feature #4743 Add html_attr_relaxed escaping strategy (@​mpdude)
• feature #4759 Add support for renaming variables in object destructuring (@​fabpot)

Changelog

Sourced from twig/twig's changelog.

3.24.0 (2026-03-17)

• Deprecate not implementing the getOperatorTokens() method in ExpressionParserInterface implementations
• Deprecate passing a non-AbstractExpression node to Twig\Node\Expression\Binary\MatchesBinary constructor
• Deprecate passing a non-AbstractExpression node to Parser::setParent()
• Add support for renaming variables in object destructuring ({name: userName} = user)
• Add html_attr_relaxed escaping strategy that preserves :, @, [, and ] for front-end framework attribute names
• Add support for short-circuiting in null-safe operator chains
• Add the html_attr function and html_attr_merge as well as html_attr_type filters

3.23.0 (2026-01-23)

• Add = assignment operator (allows to set variables in expression or to replace the short-form of the set tag)
• Add sequence, mapping, and object destructuring
• Add ?. null-safe operator
• Add === and !== operators (equivalent to the same as and not same as tests)
• Fix opcache preload warning for unlinked anonymous class
• Fix spread operator behavior

Commits

• a6769ae Prepare the 3.24.0 release
• 8abec84 minor #4784 Add two tests for error conditions in #3930 (mpdude)
• 2fcc939 Fix CS
• 25bfb59 Add two tests for error conditions in #3930
• 8b93364 feature #3930 Add an html_attr function to make outputting HTML attributes ...
• 42c12fa Add an html_attr function to make outputting HTML attributes easier
• 9c85915 minor #4779 fix MatchesBinary namespace in changelog (xabbuh)
• 442bcd4 fix MatchesBinary namespace in changelog
• e56cdfd bug #4778 Fix null coalescing operator with imported macros (fabpot)
• faa7e87 feature #4775 Add getOperatorTokens() to ExpressionParserInterface to separat...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions