Bump the composer group across 1 directory with 13 updates

[dependabot]

Bumps the composer group with 11 updates in the / directory:

Package	From	To
symfony/cache	6.4.38	6.4.40
symfony/mailer	6.4.34	6.4.40
symfony/mailjet-mailer	6.4.35	6.4.40
symfony/yaml	6.4.39	6.4.40
twig/cssinliner-extra	3.24.0	3.26.0
twig/intl-extra	3.24.0	3.26.0
symfony/monolog-bridge	6.4.37	7.4.12
symfony/routing	6.4.37	7.4.13
symfony/security-http	6.4.39	7.4.13
symfony/twig-bridge	6.4.36	6.4.40
symfony/dom-crawler	6.4.34	7.4.12

Updates symfony/cache from 6.4.38 to 6.4.40

Release notes

Sourced from symfony/cache's releases.

v6.4.40

Changelog (symfony/cache@v6.4.38...v6.4.40)

• security #cve-2026-45073 Validate the prefix given to AbstractAdapter::clear() (@​nicolas-grekas)

Commits

• 8f9b022 Merge branch '5.4' into 6.4
• 03b191d [Cache] Validate the prefix given to AbstractAdapter::clear()
• See full diff in compare view

Updates symfony/mailer from 6.4.34 to 6.4.40

Release notes

Sourced from symfony/mailer's releases.

v6.4.40

Changelog (symfony/mailer@v6.4.31...v6.4.40)

• security #cve-2026-45068 Add end-of-options separator before recipients in SendmailTransport; reject addresses starting with a dash (@​alexandre-daubois)

Commits

• 94fd44f Merge branch '5.4' into 6.4
• 5b5385b [Mailer] Add end-of-options separator before recipients in SendmailTransport;...
• 602519c PHP CS Fixer: backports changes toward 6.4 branch
• a2918c6 CS fixes - native_function_invocation & static_lambda
• d56a83b [CS] Back config from 8.1 and apply heredoc_indentation rule
• See full diff in compare view

Updates symfony/mailjet-mailer from 6.4.35 to 6.4.40

Release notes

Sourced from symfony/mailjet-mailer's releases.

v6.4.40

Changelog (symfony/mailjet-mailer@v6.4.35...v6.4.40)

• security #cve-2026-45754 Reject webhooks with missing or invalid Basic credentials (@​alexandre-daubois)

Commits

• 1b8100c [Mailer][Mailjet] Reject webhooks with missing or invalid Basic credentials
• See full diff in compare view

Updates symfony/mime from 6.4.37 to 6.4.41

Release notes

Sourced from symfony/mime's releases.

v6.4.41

Changelog (symfony/mime@v6.4.40...v6.4.41)

• bug #64343 Harden __unserialize against __toString trampolines (@​nicolas-grekas)

v6.4.40

Changelog (symfony/mime@v6.4.37...v6.4.40)

• security #cve-2026-45067 Reject email addresses containing line breaks in Address (@​alexandre-daubois)

Commits

• 5575d37 [Routing][RateLimiter][Mime][Security] Harden __unserialize against __toStrin...
• 7ccfb0c Merge branch '5.4' into 6.4
• 8f89d3a [Mime] Reject email addresses containing line breaks in Address
• f2f05cb [Mime] Fix transient test
• See full diff in compare view

Updates symfony/yaml from 6.4.39 to 6.4.40

Release notes

Sourced from symfony/yaml's releases.

v6.4.40

Changelog (symfony/yaml@v6.4.39...v6.4.40)

• security #cve-2026-45305 Harden the Parser::cleanup() regexes against catastrophic backtracking (@​nicolas-grekas)
• security #cve-2026-45304 Bound collection-alias resolution in the parser (@​nicolas-grekas)
• security #cve-2026-45133 Bound recursion depth in the parser (@​nicolas-grekas)

Commits

• 68dcd1f Merge branch '5.4' into 6.4
• b0b2705 [Yaml] Harden the Parser::cleanup() regexes against catastrophic backtracking
• 5a351ff [Yaml] Bound collection-alias resolution in the parser
• b02ba66 [Yaml] Bound recursion depth in the parser
• See full diff in compare view

Updates twig/cssinliner-extra from 3.24.0 to 3.26.0

Release notes

Sourced from twig/cssinliner-extra's releases.

v3.26.0

Changelog (twigphp/cssinliner-extra@v3.20.0...v3.26.0)

• security #cve-2026-46637 Fix XSS and pre-escape input on HTML-emitting filters in the extras (@​nicolas-grekas)

Commits

• 1b0dc90 Pre-escape HTML input on inline_css and inky_to_html filters
• 50f5ea4 Fix XSS by adjusting is_safe annotation on HTML-emitting filters
• See full diff in compare view

Updates twig/intl-extra from 3.24.0 to 3.26.0

Release notes

Sourced from twig/intl-extra's releases.

v3.26.0

Changelog (twigphp/intl-extra@v3.23.0...v3.26.0)

• security #cve-2026-46629 Fix unbounded memoisation of IntlDateFormatter / NumberFormatter (@​alexandre-daubois)

Commits

• 98f5ad5 Fix unbounded memoisation of IntlDateFormatter / NumberFormatter
• See full diff in compare view

Updates twig/twig from 3.24.0 to 3.27.0

Release notes

Sourced from twig/twig's releases.

v3.27.0

Changelog (twigphp/Twig@v3.26.0...v3.27.0)

• security #558 Fix sandbox filter/tag/function allow-list bypass when sandbox state changes between renders (@​fabpot)
• security #cve-2026-48805 Fix sandbox bypass in deprecated internal wrappers (@​fabpot)
• security #552 Fix sandbox __toString policy bypass via dynamic mapping keys (@​fabpot)
• security #535 Fix sandbox __toString bypasses via Traversable in join/replace filters and the in/not in operators (@​fabpot)
• security #534 Fix sandbox bypass in the "column" filter under SourcePolicyInterface (@​fabpot)
• feature #4817 Add a strict mode to SecurityPolicy to opt-in to the 4.0 sandbox behavior for the extends/use tags and the parent/block/attribute functions (@​fabpot)
• feature #4813 Deprecate the fact that the parent, block, and attribute functions are always allowed in a sandboxed template (@​fabpot)
• bug #4812 Fix PHP 8.1+ implicit float-to-int deprecation in sandboxed array access (@​fabpot)
• bug #4807 Escape root profile name in HtmlDumper (@​fabpot)
• bug #4808 Restrict allowed classes in Profile::unserialize() (@​fabpot)
• feature #4803 Deprecate the "Twig\Sandbox\SourcePolicyInterface" interface (@​fabpot)

v3.26.0

Changelog (twigphp/Twig@v3.25.0...v3.26.0)

• security #cve-2026-46627 Document that the sandbox doesn't protect against resource exhaustion (@​fabpot)
• security #cve-2026-46628 Pre-escape HTML input on the spaceless filter (@​fabpot)
• security #cve-2026-46634 Document template_from_string caveats when used in a sandboxed env (@​fabpot)
• security #cve-2026-46635 Fix sandbox bypass in the "column" filter (@​alexandre-daubois)
• security #cve-2026-47732 [Sandbox] Fix __toString() support (@​fabpot)
• security #cve-2026-47730 [Profiler] Escape template and profile names in HtmlDumper (@​nicolas-grekas)
• security #cve-2026-46640 Fix sandbox bypass: PHP code injection via _self / import macro reference (@​alexandre-daubois, @​fabpot)
• security #cve-2026-46638 Fix sandbox bypass in the { sandbox } tag when including a preloaded template (@​alexandre-daubois)
• security #cve-2026-46633 Fix sandbox bypass: PHP code injection via { use } template name (@​alexandre-daubois, @​fabpot)
• security #cve-2026-46629 Fix unbounded memoisation of IntlDateFormatter / NumberFormatter (@​alexandre-daubois)
• security #cve-2026-46637 Fix XSS and pre-escape input on HTML-emitting filters in the extras (@​nicolas-grekas)
• security #cve-2026-46639 Fix sandbox bypass in object destructuring assignment (@​alexandre-daubois)
• security #cve-2026-24425 Fix sandbox bypass: propagate Source to checkArrow for source-policy sandboxing (@​fabpot)

v3.25.0

Changelog (twigphp/Twig@v3.24.0...v3.25.0)

• feature #4795 Lazy load EscaperRuntime in EscaperExtension (@​GromNaN)
• feature #4800 Add a needs_is_sandboxed option for filters, functions, and tests (@​fabpot)
• bug #4797 Make embeds deterministic (@​itsalmostchristmas)

Changelog

Sourced from twig/twig's changelog.

3.27.0 (2026-05-27)

• Add a strict mode to Twig\Sandbox\SecurityPolicy to opt-in to the 4.0 behavior for the extends/use tags and the parent/block/attribute functions, which are otherwise still implicitly allowed in a sandbox
• Deprecate the fact that the parent, block, and attribute functions are always allowed in a sandboxed template
• Fix sandbox filter/tag/function allow-list bypass when the sandbox state changed between renders of a cached Template instance
• Fix PHP 8.1+ implicit float-to-int deprecation triggered by sandboxed ArrayAccess attribute access with a float key
• Restrict allowed classes in Twig\Profiler\Profile::unserialize() to prevent arbitrary class instantiation
• Escape root profile name in HtmlDumper
• Fix sandbox bypass in deprecated internal wrappers twig_array_some(), twig_array_every(), and twig_check_arrow_in_sandbox() (src/Resources/core.php)
• Deprecate the Twig\Sandbox\SourcePolicyInterface interface with no replacement
• Fix sandbox bypass in the "column" filter when sandboxing is enabled via SourcePolicyInterface
• Fix sandbox __toString bypass via Traversable arguments to the join and replace filters (also covers containers that implement both Stringable and Traversable)
• Fix sandbox __toString bypass via the in and not in operators
• Prevent a stack overflow in SandboxExtension::ensureToStringAllowed() when a self-referencing iterable is passed to a sandboxed template
• Add support for any expression as a dynamic mapping key (attribute access, filters, ...)
• Fix sandbox __toString policy bypass via dynamic mapping keys

3.26.0 (2026-05-20)

• Document that the sandbox doesn't protect against resource exhaustion
• Document template_from_string caveats when used in a sandboxed environment
• Add docs on Markup about the goal of this class in the context of a sandbox
• Pre-escape HTML input on the spaceless filter
• Pre-escape HTML input on inline_css and inky_to_html filters
• Fix XSS by adjusting is_safe annotation on HTML-emitting filters
• [Profiler] Escape template and profile names in HtmlDumper
• Fix unbounded memoisation of IntlDateFormatter / NumberFormatter
• Fix sandbox bypass in the "column" filter
• Fix sandbox bypass in the {% sandbox %} tag when including a preloaded template
• Fix sandbox bypass: PHP code injection via {% use %} template name
• Fix sandbox bypass: PHP code injection via _self / import macro reference
• Fix sandbox bypass in object destructuring assignment
• Fix sandbox bypass: propagate Source to checkArrow for source-policy sandboxing
• Encode single quotes as \x27 in Compiler::string() as a defense-in-depth measure
• Fix sandbox __toString bypasses
• Add Twig\Node\CoercesChildrenToStringInterface to let nodes declare which of their child nodes will be string-coerced at runtime so the sandbox wraps them with a __toString check

3.25.0 (2026-05-17)

• Add a needs_is_sandboxed option for filters, functions, and tests
• Use deterministic suffixes for generated embed classes
• Lazy-load EscaperRuntime in EscaperExtension

Commits

• 04ae1bf Prepare the 3.27.0 release
• 99a1038 security #558 Fix sandbox filter/tag/function allow-list bypass when sandbox ...
• 23eb6eb Fix sandbox filter/tag/function allow-list bypass when sandbox state changes ...
• 7d55aa8 security #cve-2026-48805 Fix sandbox bypass in deprecated internal wrappers (...
• 9fcf690 security #552 Fix sandbox __toString policy bypass via dynamic mapping keys (...
• 635cea4 Document new support for any expression as a dynamic mapping key
• 9ff4101 Fix sandbox __toString policy bypass via dynamic mapping keys
• baebc46 security #535 Fix sandbox __toString bypasses via Traversable in join/`...
• e3f6665 Fix deprecation notices in tests
• 475fb69 Guard sandbox __toString walker against self-referencing iterables
• Additional commits viewable in compare view

Updates symfony/monolog-bridge from 6.4.37 to 7.4.12

Release notes

Sourced from symfony/monolog-bridge's releases.

v7.4.12

Changelog (symfony/monolog-bridge@v7.4.9...v7.4.12)

• security #cve-2026-45077 Bind server:log to localhost by default (@​nicolas-grekas)
• bug #64207 Fix interactive_only not preventing propagation (@​philbates35)

v7.4.9

Changelog (symfony/monolog-bridge@v7.4.8...v7.4.9)

• bug #64030 Guard against re-entrant calls in AbstractTokenProcessor (@​ousamabenyounes)

v7.4.8

Changelog (symfony/monolog-bridge@v7.4.7...v7.4.8)

• bug #63720 Fix ConsoleHandler losing output after nested command terminates (@​mp3000mp)

v7.4.6

Changelog (symfony/monolog-bridge@v7.4.5...v7.4.6)

• no significant changes

v7.4.4

Changelog (symfony/monolog-bridge@v7.4.3...v7.4.4)

• no significant changes

v7.4.0

Changelog (symfony/monolog-bridge@v7.4.0-RC3...v7.4.0)

• no significant changes

v7.4.0-RC1

Changelog (symfony/monolog-bridge@v7.4.0-BETA2...v7.4.0-RC1)

• no significant changes

v7.4.0-BETA2

Changelog (symfony/monolog-bridge@v7.4.0-BETA1...v7.4.0-BETA2)

• bug symfony/symfony#62242 [MonologBridge] Accept HttpExceptionInterface in HttpCodeActivationStrategy (@​GromNaN)

v7.4.0-BETA1

Changelog (symfony/monolog-bridge@v7.3.4...v7.4.0-BETA1)

• feature symfony/symfony#61836 [MonologBridge] Deprecate NotFoundActivationStrategy (@​HypeMC)
• feature symfony/symfony#59955 [MonologBridge] Add ability to react to console input being interactive or not (@​dkarlovi)

v7.3.10

Changelog (symfony/monolog-bridge@v7.3.9...v7.3.10)

... (truncated)

Changelog

Sourced from symfony/monolog-bridge's changelog.

CHANGELOG

8.1

• Add subjectMaxLength option to MailerHandler to truncate long email subjects (defaults to 200)

8.0

• Remove NotFoundActivationStrategy, use HttpCodeActivationStrategy instead

7.4

• Deprecate class NotFoundActivationStrategy, use HttpCodeActivationStrategy instead

7.0

• Drop support for monolog < 3.0
• Remove class Logger, use HttpKernel's DebugLoggerConfigurator instead

6.4

• Add native return type to Logger::clear() and to DebugProcessor::clear()
• Deprecate class Logger, use HttpKernel's DebugLoggerConfigurator instead

6.1

• Add support for Monolog 3

6.0

• The $actionLevel constructor argument of NotFoundActivationStrategy has been replaced by the $inner one which expects an ActivationStrategyInterface to decorate instead
• The $actionLevel constructor argument of HttpCodeActivationStrategy has been replaced by the $inner one which expects an ActivationStrategyInterface to decorate instead
• Remove ResetLoggersWorkerSubscriber in favor of "reset_on_message" option in messenger configuration
• Remove SwiftMailerHandler, use MailerHandler instead

5.4

• Deprecate ResetLoggersWorkerSubscriber to reset buffered logs in messenger workers, use "reset_on_message" option in messenger configuration instead.

5.3

... (truncated)

Commits

• 20bb234 Merge branch '6.4' into 7.4
• 85500da Merge branch '5.4' into 6.4
• c903fd3 [MonologBridge] Fix interactive_only not preventing propagation
• 3d69868 [MonologBridge] Bind server:log to localhost by default
• 20366bc Merge branch '6.4' into 7.4
• 4ea8d53 Update XSD references in phpunit.xml.dist files
• b1c3905 Merge branch '6.4' into 7.4
• 25b54ed Add deprecationTrigger ignoreUndefinedTriggers="true" in phpunit.xml.dist files
• b52aeb4 Merge branch '6.4' into 7.4
• 087eba9 Configure deprecation triggers
• Additional commits viewable in compare view

Updates symfony/routing from 6.4.37 to 7.4.13

Release notes

Sourced from symfony/routing's releases.

v7.4.13

Changelog (symfony/routing@v7.4.12...v7.4.13)

• security #cve-2026-48784 Fix dot-segment encoding for chained "../" and "./" in generated URLs (@​nicolas-grekas)
• bug #64343 Harden __unserialize against __toString trampolines (@​nicolas-grekas)

v7.4.12

Changelog (symfony/routing@v7.4.9...v7.4.12)

• security #cve-2026-45065 Fix regex alternation anchoring in UrlGenerator requirement validation (@​alexandre-daubois)

v7.4.9

Changelog (symfony/routing@v7.4.6...v7.4.9)

• bug #63981 Honor the Request's method in UrlMatcher::matchRequest() (@​ousamabenyounes)

v7.4.8

Changelog (symfony/routing@v7.4.7...v7.4.8)

• no significant changes

v7.4.6

Changelog (symfony/routing@v7.4.5...v7.4.6)

• bug #54236 Fix exclude option being ignored for non-glob and PSR-4 resources (@​NeilPeyssard)
• bug #60662 assign attribute aliases to localized route if applicable (@​alcohol)

v7.4.4

Changelog (symfony/routing@v7.4.3...v7.4.4)

• no significant changes

v7.4.3

Changelog (symfony/routing@v7.4.2...v7.4.3)

• bug symfony/symfony#62791 [Routing] Fix simple parameter mappings in routes (@​nicolas-grekas)
• bug symfony/symfony#62747 [Routing] Do not renumber query parameters with numeric key (@​tillhoerner)

v7.4.0

Changelog (symfony/routing@v7.4.0-RC3...v7.4.0)

• feature symfony/symfony#62469 [Security] Keep SymfonyCasts as backers of the Security components v7.4 🤗 (@​nicolas-grekas)

v7.4.0-RC3

Changelog (symfony/routing@v7.4.0-RC2...v7.4.0-RC3)

• bug symfony/symfony#62459 [Routing] Fix case sensitivity for static host matching in compiled routes (@​yoeunes)
• bug symfony/symfony#62461 [Routing] Fix localized prefix updates breaking aliases (@​yoeunes)
• bug symfony/symfony#62460 [Routing] Fix addNamePrefix breaking aliases to external routes (@​yoeunes)

... (truncated)

Changelog

Sourced from symfony/routing's changelog.

CHANGELOG

8.1

• Add a $trailingSlashOnRoot argument to CollectionConfigurator::prefix() to allow disabling the trailing slash on root routes

8.0

• Remove support for accessing the internal scope of the loader in PHP config files, use only its public API instead
• Providing a non-array _query parameter to UrlGenerator causes an InvalidParameterException
• Remove the protected AttributeClassLoader::$routeAnnotationClass property and the setRouteAnnotationClass() method, use AttributeClassLoader::setRouteAttributeClass() instead
• Remove class aliases in the Annotation namespace, use attributes instead
• Remove getters and setters in attribute classes in favor of public properties
• Remove support for the XML configuration format

7.4

• Add AttributeServicesLoader and RoutingControllerPass to auto-register routes from attributes on services
• Allow query-specific parameters in UrlGenerator using _query
• Add support of multiple env names in the Symfony\Component\Routing\Attribute\Route attribute
• Add argument $parameters to RequestContext's constructor
• Handle declaring routes using PHP arrays that follow the same shape as corresponding yaml files
• Add RoutesReference to help writing PHP configs using yaml-like array-shapes
• Deprecate class aliases in the Annotation namespace, use attributes instead
• Deprecate getters and setters in attribute classes in favor of public properties
• Deprecate accessing the internal scope of the loader in PHP config files, use only its public API instead
• Deprecate XML configuration format, use YAML, PHP or attributes instead

7.3

• Allow aliases and deprecations in #[Route] attribute
• Add the Requirement::MONGODB_ID constant to validate MongoDB ObjectIDs in hexadecimal format

7.2

• Add the Requirement::UID_RFC9562 constant to validate UUIDs in the RFC 9562 format
• Deprecate the AttributeClassLoader::$routeAnnotationClass property

7.1

• Add {foo:bar} syntax to define a mapping between a route parameter and its corresponding request attribute

7.0

... (truncated)

Commits

• 3a16217 Merge branch '6.4' into 7.4
• af04c79 Merge branch '5.4' into 6.4
• e6f3f03 Fix tests and merge resolution after merging 6.4 into 7.4
• 5156fe8 Merge branch '6.4' into 7.4
• be4ce34 [Routing][RateLimiter][Mime][Security] Harden __unserialize against __toStrin...
• f4ca0c5 [Routing] Fix dot-segment encoding for chained "../" and "./" in generated URLs
• 3b04a5e Merge branch '6.4' into 7.4
• 0cd0d2f Merge branch '5.4' into 6.4
• 287771d [7.4] Remove usages of named arguments in tests
• 453501c Merge branch '6.4' into 7.4
• Additional commits viewable in compare view

Updates symfony/security-http from 6.4.39 to 7.4.13

Release notes

Sourced from symfony/security-http's releases.

v7.4.13

Changelog (symfony/security-http@v7.4.12...v7.4.13)

• security #cve-2026-48489 Don't honor user-supplied _failure_path on failure_forward (@​nicolas-grekas)
• bug #64337 Initialize lazy users before serializing them (@​MatTheCat)

v7.4.12

Changelog (symfony/security-http@v7.4.11...v7.4.12)

• security #cve-2026-45069 Add missing claims in OidcTokenHandler (@​alexandre-daubois)
• security #cve-2026-45063 Anchor emailAddress regex to RDN boundary in X509Authenticator (@​alexandre-daubois)
• security #cve-2026-45074 Require configuring trusted hosts when using CAS authentication (@​nicolas-grekas)
• security #cve-2026-45075 Fix HEAD requests bypassing methods filter in IsGranted, IsCsrfTokenValid and IsSignatureValid attributes (@​nicolas-grekas)
• bug #64213 Fix impersonation being deauthenticated on every request (@​nicolas-grekas)

v7.4.11

Changelog (symfony/security-http@v7.4.9...v7.4.11)

• bug #64181 Preserve webserver base URL in HttpUtils::createRequest() (@​ousamabenyounes)

v7.4.9

Changelog (symfony/security-http@v7.4.3...v7.4.9)

• bug #63983 Throw BadCredentialsException on empty JSON login username/password (@​ousamabenyounes)

v7.4.8

Changelog (symfony/security-http@v7.4.7...v7.4.8)

• no significant changes

v7.4.6

Changelog (symfony/security-http@v7.4.5...v7.4.6)

• no significant changes

v7.4.4

Changelog (symfony/security-http@v7.4.3...v7.4.4)

• no significant changes

v7.4.3

Changelog (symfony/security-http@v7.4.2...v7.4.3)

• bug symfony/symfony#62796 [Security] do not use PHPUnit mock objects without configured expectations (@​xabbuh)

v7.4.1

Changelog (symfony/security-http@v7.4.0...v7.4.1)

• bug symfony/symfony#62495 [Security][Http] Fix OIDC discovery when multiple HttpClient instances are used (@​Ali-HENDA)

... (truncated)

Changelog

Sourced from symfony/security-http's changelog.

CHANGELOG

8.1

• Add support for the clientHints, prefetchCache, and prerenderCache ClearSite-Data directives
• Add this to #[IsGranted] subject expression variables when available
• Add support for closures and this in #[IsCsrfTokenValid] when evaluating its id
• Add $enforceKeyUsageVerification argument to OidcTokenHandler::enableDiscovery() to allow accepting JWKs lacking use/key_ops (lax mode)
• Deprecate the $eraseCredentials argument of AuthenticatorManager::__construct(), as the eraseCredentials() method was removed in Symfony 8.0

8.0

• When extending the RememberMeDetails class and overriding its constructor, the $userFqcn parameter has to be removed from its signature:

  Before:

  class CustomRememberMeDetails extends RememberMeDetails
  {
      public function __construct(string $userFqcn, string $userIdentifier, int $expires, string $value)
      {
          parent::__construct($userFqcn, $userIdentifier, $expires, $value);
      }
  }

  After:

  class CustomRememberMeDetails extends RememberMeDetails
  {
      public function __construct(string $userIdentifier, int $expires, string $value)
      {
          parent::__construct($userIdentifier, $expires, $value);
      }
  }

• Remove RememberMeDetails::getUserFqcn()

• Remove callable firewall listeners support, extend AbstractListener or implement FirewallListenerInterface instead

• Remove AbstractListener::__invoke

• Throw a BadCredentialsException when passing an empty string as $userIdentifier argument to UserBadge constructor

• Accept only ExposeSecurityLevel enums for AuthenticatorManager's $exposeSecurityErrors argument

• Respectively accept only AlgorithmManager and JWKSet for OidcTokenHandler's $signatureAlgorithm and $signatureKeyset arguments

• Add argument $attributes to UserAuthenticatorInterface::authenticateUser()

7.4

... (truncated)

Commits

• da3c280 Merge branch '6.4' into 7.4
• 1a01cd7 CS fix
• 7ea7162 Merge branch '6.4' into 7.4
• b4acd83 Merge branch '5.4' into 6.4
• 119cc48 [Security] Don't honor user-supplied _failure_path on failure_forward
• 5312b62 Merge branch '6.4' into 7.4
• 8602860 Fix tests and merge resolution after merging 6.4 into 7.4
• 1081160 Merge branch '6.4' into 7.4
• 4523a53 Remove protectedHeaderOnly from claim checkers
• 20636d3 [Security] Initialize lazy users before serializing them in the session
• Additional commits viewable in compare view

Updates symfony/twig-bridge from 6.4.36 to 6.4.40

Release notes

Sourced from symfony/twig-bridge's releases.

v6.4.40

Changelog (symfony/twig-bridge@v6.4.36...v6.4.40)

• security #cve-2026-45072 Fix XSS issue in CodeExtension::fileExcerpt() (@​nicolas-grekas)

Commits

• 5a68963 [TwigBridge] Fix XSS issue in CodeExtension::fileExcerpt()
• 2130327 [FrameworkBundle][TwigBridge] Bump symfony/mime requirement
• e06912a More CS fixes
• 44bcf2a CS fixes - native_function_invocation & static_lambda
• 7a01a58 Backport some CS fixes from 7.4
• bd33dfc [CS] Back config from 8.1 and apply heredoc_indentation rule
• See full diff in compare view

Updates symfony/dom-crawler from 6.4.34 to 7.4.12

Release notes

Sourced from symfony/dom-crawler's releases.

v7.4.12

Changelog (symfony/dom-crawler@v7.4.1...v7.4.12)

• bug #64258 Fix ChoiceFormField::addChoice() clobbering values on multi-selects (@​nicolas-grekas)
• security #cve-2026-45071 Fix XXE in addXmlContent() by not enabling validateOnParse (@​alexandre-daubois)

v7.4.8

Changelog (symfony/dom-crawler@v7.4.7...v7.4.8)

• no significant changes

v7.4.6

Changelog (symfony/dom-crawler@v7.4.5...v7.4.6)

• no significant changes

v7.4.4

Changelog (symfony/dom-crawler@v7.4.3...v7.4.4)

• no significant changes

v7.4.1

Changelog (symfony/dom-crawler@v7.4.0...v7.4.1)

• bug symfony/symfony#62671 [DomCrawler] Fixing dealing with invalid charset (@​ThomasLandauer)

v7.4.0

Changelog (symfony/dom-crawler@v7.4.0-RC3...v7.4.0)

• no significant changes

v7.4.0-RC1

Changelog (symfony/dom-crawler@v7.4.0-BETA2...v7.4.0-RC1)

• no significant changes

v7.4.0-BETA2

Changelog (symfony/dom-crawler@v7.4.0-BETA1...v7.4.0-BETA2)

• bug symfony/symfony#62240 [DomCrawler] Handle malformed tags in HTML5 parser (@​longwave)
• bug symfony/symfony#62186 [DomCrawler] Fix converting HTML5 trees to DOM nodes (@​nicolas-grekas)
• bug symfony/symfony#62180 [DomCrawler] Properly ignore errors when using the native HTML5 parser (@​nicolas-grekas)

v7.4.0-BETA1

Changelog (symfony/dom-crawler@v7.3.4...v7.4.0-BETA1)

• feature symfony/symfony#61475 [DomCrawler] Use the native HTML5 parser on PHP 8.4 (@​nicolas-grekas)

v7.3.10

Changelog (symfony/dom-crawler@v7.3.9...v7.3.10)

... (truncated)

Changelog

Sourced from symfony/dom-crawler's changelog.

CHANGELOG

8.1

• Make ChoiceFormField::addChoice() part of the supported public API
• Always set LIBXML_NONET in Crawler::addXmlContent() so external entities cannot trigger network requests

8.0

• Remove argument $useHtml5Parser of Crawler's constructor; the native HTML5 parser is used unconditionally

7.4

• Disabling HTML5 parsing is deprecated; Symfony 8 will unconditionally use the native HTML5 parser

7.0

• Add argument $normalizeWhitespace to Crawler::innerText()
• Add argument $default to Crawler::attr()

6.4

• Add CrawlerAnySelectorTextContains test constraint
• Add CrawlerAnySelectorTextSame test constraint
• Add argument $default to Crawler::attr()

6.3

• Add $useHtml5Parser argument to Crawler
• Add CrawlerSelectorCount test constraint
• Add argument $normalizeWhitespace to Crawler::innerText()
• Make Crawler::innerText() return the first non-empty text

6.0

• Remove Crawler::parents() method, use ancestors() instead

5.4

• Add Crawler::innerText method.

... (truncated)

Commits

• b59b591 Merge branch '6.4' into 7.4
• 7e65f76 Merge branch '5.4' into 6.4
• b18373e Merge branch '6.4' into 7.4
• 505deba [DomCrawler] Fix ChoiceFormField::addChoice() clobbering values on multi-se...
• f474100 Update XSD references in phpunit.xml.dist files
• b4cf17f [DomCrawler] Fix XXE in addXmlContent() by not enabling validateOnParse
• 6d86f97 [Tests] Fix "Incomplete version" PHPUnit warnings
• 04ca269 Merge branch '6.4' into 7.4
• eac26cf More CS fixes
• ca5ad73 Merge branch '6.4' into 7.4
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Superseded by #8520.