symfony/symfony
The Symfony PHP framework
Repo tech stack
languages detected by GitHub · % code
My contributions · PR by PR
every merged PR, grouped by type, newest first
-
fix #64174 merged on May 11, 2026
[Scheduler] Use stored checkpoint as base date for debug:scheduler
In Scheduler's `DebugCommand`, reads the persisted `scheduler_checkpoint_<name>` cache entry with `$save=false` as the base date when `--date` is omitted and the schedule is stateful.
+105 −6 2 files -
fix #64153 merged on May 11, 2026
[Messenger] Drop trace args from FlattenException normalization
Sanitizes stack-trace args inside `FlattenExceptionNormalizer::normalize()` by recursively replacing non-UTF-8 string arguments with `'(binary string)'`, preventing `NotEncodableValueException` when JSON-encoding Messenger's `ErrorDetailsStamp` for the failure transport.
+43 −2 2 files -
fix #64119 merged on May 5, 2026
[Yaml] fix flow collection drops `&anchor` and `!!str &anchor` items
In `Inline::parseSequence`/`parseMapping`, skips `&xxx` anchor extraction when the scalar originated from a tag (`!!str`) or a bare anchor, aligning the flow parser with the block parser for `[&x]` and `[!!str &x]`.
+29 −6 2 files -
fix #64112 merged on May 4, 2026
[FrameworkBundle] Improve KernelBrowser::loginUser() error when the user is not serializable
Wraps `serialize($token)` in `KernelBrowser::loginUser()` (KernelBrowser.php:142) with a try/catch that rethrows a `\LogicException` naming the User class and pointing to `__serialize()`/`__unserialize()`, original exception kept as `previous`.
+89 −1 2 files -
fix #64103 merged on May 4, 2026
[AssetMapper] Stop baking CSP nonce into the importmap polyfill body
Removes `nonce` from attributes inlined into the es-module-shims polyfill IIFE rendered by `ImportMapRenderer` and propagates it at runtime via `document.currentScript?.nonce`, stabilizing Turbo's `<head>` signature.
+31 −7 2 files -
fix #64100 merged on May 4, 2026
[Translation] URL-encode tmp path in XliffUtils::shouldEnableEntityLoader
URL-encodes each tmp path segment via rawurlencode inside XliffUtils::shouldEnableEntityLoader before feeding it to DOMDocument::schemaValidateSource, killing the libxml warning that flooded dev.log on Windows user profiles containing spaces.
+185 −36 3 files -
fix #64095 merged on May 4, 2026
[RateLimiter] Carry over reserved tokens past fixed window resets
Fixes `Window::add()` zeroing `hitCount` on reset by carrying reservation debt via `getCarriedHitCount()`; `getExpirationTime()` now grows with outstanding debt so idle FixedWindow limiters don't lose state and re-issue borrowed tokens.
+114 −7 2 files -
fix #64110 merged on May 4, 2026
[Security] Document that AbstractLoginFormAuthenticator::getLoginUrl() must return a path
Clarifies in the PHPDoc of `AbstractLoginFormAuthenticator::getLoginUrl()` that its return value is compared verbatim against `$request->getBaseUrl().$request->getPathInfo()` inside `supports()`, so an absolute URL from `HttpUtils::generateUri()` silently bypasses authentication.
2 exchanges 1 commits 29h open+10 −2 1 files -
fix #64099 merged on May 4, 2026
[Ldap] Cast `default_socket_timeout` to `int`
Casts `ini_get('default_socket_timeout')` to `int` when stored as fallback in `Connection`, since PHP 8.4 ext-ldap rejects strings for `LDAP_OPT_NETWORK_TIMEOUT`, breaking `bind()` when `network_timeout` is unset.
+1 −1 1 files -
fix #63992 merged on Apr 29, 2026
[Messenger] Keep deduplication lock when handler throws
Moves deduplication lock release out of the finally block in DeduplicateMiddleware: lock stays held when the handler throws, released only on success, preventing duplicates while the envelope sits on the retry transport.
+32 −6 2 files -
fix #63993 merged on Apr 29, 2026
[Mailer][Postmark] Handle alternate error payload shapes for Payload Too Large
Reads `ErrorCode ?? 0` and `Message ?? message ?? ''` defensively in `PostmarkApiTransport::doSendApi()` to handle the lowercased 413 payload without `Undefined array key` crash.
+47 −3 2 files -
fix #64067 merged on Apr 29, 2026
[Serializer] Move type-mismatch and uninitialized-property handling into concrete normalizers
Moves the `\TypeError` → `NotNormalizableValueException` translation into `PropertyNormalizer::setAttributeValue()` and replaces the parent's string-match on the « must not be accessed before initialization » message with a proactive `ReflectionProperty::isInitialized()` check.
+178 −52 8 files -
fix #64065 merged on Apr 29, 2026
[Notifier][Ntfy] Fix Basic auth header by keeping base64 padding
Drops the `rtrim('=')` on the Ntfy transport's `Authorization: Basic` header to preserve RFC 4648 base64 padding, fixing auth rejection when `user:password` byte length isn't a multiple of 3.
+2 −2 2 files -
fix #64045 merged on Apr 29, 2026
[Config] Allow env placeholders in NumericNode min/max checks
Adds an `isHandlingPlaceholder()` guard in `NumericNode::finalizeValue()` that skips the min/max check while a typed env placeholder is being resolved, preventing rejection of the sentinel 0 fixture.
+30 −0 3 files -
fix #64047 merged on Apr 29, 2026
[Mime] Preserve inline part filename instead of overwriting it with the Content-ID
In Email::prepareParts(), stops overwriting inline DataPart name with auto-generated Content-ID; falls back to Content-ID only when name is empty, avoiding 5.7.1 Forbidden attachment type rejections.
+19 −1 2 files -
fix #64044 merged on Apr 29, 2026
[FrameworkBundle] Apply tagged MIME type guessers in File::getMimeType()
Makes `FrameworkBundle::boot()` eagerly fetch the `mime_types` service so `MimeTypes::setDefault()` fires, and has `AddMimeTypeGuesserPass` mark it public only when a `mime.mime_type_guesser`-tagged service exists.
+143 −5 8 files -
fix #64030 merged on Apr 29, 2026
[MonologBridge] Guard against re-entrant calls in AbstractTokenProcessor
Adds a `$processing` boolean flag in `AbstractTokenProcessor::doInvoke()` wrapped in `try/finally` that short-circuits and returns the record untouched when Monolog re-enters the processor while `getToken()` is still triggering the firewall initializer.
+47 −8 2 files -
fix #63996 merged on Apr 29, 2026
[RateLimiter] Keep token bucket alive while reservation debt is unpaid
Fixes `TokenBucket::getExpirationTime()` which returned `calculateTimeForTokens(burstSize)`: TTL now becomes `max(burstSize, burstSize - tokens)` so a negative-token reservation debt survives cache eviction before refill.
+21 −1 2 files -
fix #64046 merged on Apr 29, 2026
[HttpClient] Don't share CURL_LOCK_DATA_CONNECT to honor max_host_connections
Removes CURL_LOCK_DATA_CONNECT from CurlHttpClient's curl_share since the multi handle already shares the connection cache, restoring CURLMOPT_MAX_HOST_CONNECTIONS enforcement for max_host_connections.
+4 −3 1 files -
fix #64032 merged on Apr 29, 2026
[DoctrineBridge] Fail with a clear exception when symfony/form is missing
Adds an `interface_exists(FormTypeGuesserInterface::class)` guard before `DoctrineOrmTypeGuesser`'s class keyword, throwing `LogicException` instead of the PHP fatal triggered since 7.4.7 by `DebugClassLoader`'s reworked interface traversal.
+4 −0 1 files -
fix #64031 merged on Apr 29, 2026
[DoctrineBridge] Prevent install with incompatible symfony/property-info versions
Widens DoctrineBridge composer.json `conflict` entry to `<5.4|>=8`, blocking symfony/property-info 8.x whose new `getType()` interface leaves `DoctrineExtractor::getTypes()` as an unimplemented abstract method.
+1 −1 1 files -
fix #63991 merged on Apr 21, 2026
[FrameworkBundle] Strip --no-fill marker from every translation domain
Replaces the hardcoded `messages` loop in `TranslationExtractCommand::removeNoFillTranslations()` with iteration over `$operation->getDomains()`, preventing the `\0NoFill\0` sentinel from leaking into YAML files for `validators` or `validators+intl-icu` catalogues.
+41 −3 2 files -
fix #63982 merged on Apr 21, 2026
[Messenger] Respect SentToFailureTransportStamp when failure transports are configured
In `SendFailedMessageToFailureTransportListener`, now matches `SentToFailureTransportStamp::getOriginalReceiverName()` against the current receiver instead of requiring empty `failureTransportsByName`, restoring manual opt-out for transient errors.
+25 −2 2 files -
fix #63990 merged on Apr 21, 2026
[Messenger] Do not apply --max to --stats unless explicitly set
Detects explicit `--max` via `InputInterface::hasParameterOption(['--max'], true)` in `FailedMessagesShowCommand`; otherwise passes `null` to `ListableReceiverInterface::all()` so `--stats` counts every failed message instead of capping at 50.
+43 −2 2 files -
fix #63983 merged on Apr 18, 2026
[Security] Throw BadCredentialsException on empty JSON login username/password
Splits checks in `JsonLoginAuthenticator::getCredentials()`: empty username/password now throws `BadCredentialsException` (routed through `onAuthenticationFailure`) instead of `BadRequestHttpException` 400, matching `UserBadge` behavior since #58007.
+17 −8 2 files -
fix #63981 merged on Apr 18, 2026
[Routing] Honor the Request's method in UrlMatcher::matchRequest()
In `UrlMatcher::matchRequest()`, temporarily swaps `$this->context` for a `RequestContext::fromRequest()` derived from the passed Request, restored via `finally`, so `matchCollection()` reads the correct HTTP method.
+37 −6 2 files -
fix #63980 merged on Apr 18, 2026
[DependencyInjection] Log every build parameter removed during compilation
Emits a `Keeping array build parameter` log in `RemoveBuildParametersPass` when `preserveArrays=true` keeps a dot-prefixed array parameter, previously dropped silently from the dumped container by `PhpDumper`.
+10 −2 2 files