Bump yiisoft/yii2 from 2.0.52 to 2.0.55

[dependabot]

Bumps yiisoft/yii2 from 2.0.52 to 2.0.55.

Changelog

Sourced from yiisoft/yii2's changelog.

2.0.55 May 09, 2026

• Bug #17254: Fix MessageController crash on dynamic input in Yii::t() call (CeBe)
• Bug #20159: Fix chroot resolve null route (gozoro)
• Bug #20697: loadTableIndexes() includes LOB indexes with NULL column names, causing strpos() deprecation on PHP 8.1+ (terabytesoftw)
• Bug #20705: Replace $this with self in generics in Psalm annotations (mspirkov)
• Bug #20715: Adjust JSON helper error message assertions for PHP 8.6 compatibility in JsonTest class (terabytesoftw)
• Bug #20733: Replace $this with static and covariant static in generics in PHPStan and PHPDoc annotations (mspirkov)
• Bug #20735: Fix @param annotations for $name in Request::get() and Request::post() (mspirkov)
• Bug #20738: Fix @var annotations for Application::$requestedParams, AssetBundle::$basePath, AssetBundle::$baseUrl, MultiFieldSession::$writeCallback (mspirkov)
• Bug #20738: Fix @return annotations for User::getAuthManager() and User::getAccessChecker() (mspirkov)
• Bug #20738: Fix @param annotation for $value parameter in AssetManager::setConverter() (mspirkov)
• Bug #20739: Fix @var annotation for BaseYii::$app (mspirkov)
• Bug #20746: Fix @var annotations for DbDependency::$db and DbDependency::$sql (mspirkov)
• Bug #20750: Fix @return annotation for yii\console\Controller::runAction() (mspirkov)
• Bug #20750: Add the missing @property-write annotation to yii\console\Controller (mspirkov)
• Bug #20751: Fix @param annotation for $param parameter in Sort::parseSortParam() (mspirkov)
• Bug #20764: Fix @return annotation for Model::rules() (mspirkov)
• Bug #20856: Fix passing generics to BatchQueryResult (mspirkov)
• Bug: CVE-2026-39850, Isolate internal variables in View::renderPhpFile() and ErrorHandler::renderFile() to prevent parameter collisions from overriding included file paths (samdark)
• Enh #20714: Allow overriding the yii\grid\GridView's default filterSelector, allow using Closures for filterSelector (chriscpty)
• Enh #20717: Use PHPStan/Psalm types in PHPDoc annotations (mspirkov)
• Enh #20718: When set_time_limit() is not available, throw a warning only for big files (@​marc-farre)
• Enh #20729: Add default types in @template annotations (mspirkov)
• Enh #20730: Make the configuration type for Application wider (mspirkov)
• Enh #20735: Add conditional types in @return annotations in Request::get() and Request::post() (mspirkov)
• Enh #20743: Remove dead code for PHP < 5.6 in UrlValidator and EmailValidator (WarLikeLaux)
• Enh #20756: Remove dead code for PHP < 5.6 in SchemaBuilderTrait::json() (WarLikeLaux)
• Chg #20757: Remove dead code for PHP < 7.4 in Security (WarLikeLaux)

2.0.54 January 09, 2026

• Bug #19506: Fix @property annotations in yii\console\widgets\Table, yii\di\Container and yii\web\Session (mspirkov)
• Bug #19655: Fix LinkPager::getPageRange when maxButtons is 2 (mspirkov)
• Bug #20432: Fix PHPStan/Psalm annotations for ActiveQuery::asArray (mspirkov)
• Bug #20437: Fix PHPStan/Psalm annotations for BaseArrayHelper::merge (mspirkov)
• Bug #20447: Fix behavior for yii\web\Controller::bindActionParams around mixed type (chriscpty)
• Bug #20453: Fix PHPStan/Psalm types in yii\web\View (mspirkov)
• Bug #20459: Fix return type in RequestParserInterface::parse (mspirkov)
• Bug #20475: Fix Formatter class asScientific() method for PHP 8.5 sprintf precision change (6 to 0) (terabytesoftw)
• Bug #20479: Fix issue with MSSQL related to char and nchar (craiglondon)
• Bug #20482: Fix deprecation of ReflectionMethod::setAccessible() in PHP 8.5 (terabytesoftw)
• Bug #20483: Fix CompositeAuth making bad assumptions on AuthInterface implementations (sammousa)
• Bug #20485: Fix error Cannot unset string offsets in yii\di\Instance:ensure(['__class' => ...], 'some\class\name') (mspirkov)
• Bug #20489: Replace deprecated strftime with date in YiiRequirementChecker (mspirkov)
• Bug #20492: Fix deprecation of finfo_close() in PHP 8.5 by conditionally closing the resource (terabytesoftw)
• Bug #20494: Fix PHPdoc, add PHPStan/Psalm annotations for authMethods property in CompositeAuth class (terabytesoftw)

... (truncated)

Commits

• b900eec release version 2.0.55
• c958b40 Fix: CVE-2026-39850, Isolate internal variables in View::renderPhpFile() an...
• cc6ca93 Fix passing generics to BatchQueryResult (#20856)
• 6d0e2f9 fix chroot resolve null route (#20161)
• 0cde600 Fixed MessageController crash on dynamic input in Yii::t() call (#17254)
• b937b23 loadTableIndexes() includes LOB indexes with NULL column names, causing `...
• e916245 Fix #20757: Remove dead code for PHP < 7.4 in Security
• 4d8bf20 Fix @return annotation for Model::rules() (#20764)
• 77eb193 Remove dead code for PHP < 5.6 in SchemaBuilderTrait::json(). (#20756)
• 04e3919 Analyze the yiiunit\framework\data namespace using PHPStan (#20751)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.