Bump the composer group across 1 directory with 10 updates

[dependabot]

Bumps the composer group with 8 updates in the /api directory:

Package	From	To
dompdf/dompdf	2.0.1	2.0.4
phpoffice/phpspreadsheet	1.29.0	1.30.4
onelogin/php-saml	4.0.0	4.3.2
symfony/cache	5.3.12	5.4.53
symfony/polyfill-intl-idn	1.27.0	1.38.1
symfony/process	5.3.12	5.4.51
symfony/routing	5.3.11	5.4.53
symfony/dom-crawler	5.3.14	5.4.52

Updates dompdf/dompdf from 2.0.1 to 2.0.4

Release notes

Sourced from dompdf/dompdf's releases.

Dompdf 2.0.4

Change highlights since 2.0.3

This release addresses the following announced vulnerability:

Vulnerability	References	Type	Severity
Possible DoS caused by infinite recursion when validating SVG images	GHSA-3qx2-6f78-w2j2	Resource Exhaustion	Moderate

2.0.x highlights

• Modifies callback and page_script/page_text handling
• Switches the HTML5 parser to Masterminds/HTML5
• Improves CSS property parsing and representation
• Switches installed fonts and font metrics cache file format to JSON

View all changes since the previous release in the commit history.

We would like to extend our gratitude to the community members who helped make this release possible.

Requirements

Dompdf 2.0.4 requires the following:

• PHP 7.1 or greater
• html5-php v2.0.0 or greater
• php-font-lib v0.5.4 or greater
• php-svg-lib v0.3.3 or greater

Note that some dependencies may have further dependencies (notably php-svg-lib requires sabberworm/php-css-parser).

Additionally, the following are recommended for optimal use:

• GD (for image processing)
• allow_url_fopen set to true or the curl PHP extension (for retrieving stylesheets, images, etc via http)

For full requirements and recommendations see the requirements page on the wiki.

Download Instructions

The dompdf team recommends that you use Composer for easier dependency management.

If you're not yet using Composer you can download a packaged release of dompdf which includes all the files you need to use the library. Click the link labeled "dompdf_2-0-4.zip" for the packaged release. The download options labeled "Source code" are auto-generated by github and do not include all the dependencies.

Dompdf 2.0.3

This release addresses the following vulnerability:

Vulnerability	References	Type	Severity
URI validation failure on SVG parsing	[GHSA-56gj-mvh6-rp75][GHSA-56gj-mvh6-rp75], [CVE-2023-24813][CVE-2023-24813]	Remote Code Execution	Critical

... (truncated)

Commits

• 093f2d9 Bump version to 2.0.4
• 41cbac1 Improve SVG file reference recursion validation
• e8d2d5e Bump version to 2.0.3
• 95009ea Validate both bare and namespaced SVG image HREF attributes
• 2a8a6b8 Resets version string to commit hash
• ad4c631 Bump version to 2.0.2
• 7558f07 SVG parsing - comparing the tag name in a case insensitive way
• ae1ca4a Adds Security Advisory feature information
• 68fabc5 Removes version info
• f586c13 Fixed bug where svg polylines get automatically closed
• Additional commits viewable in compare view

Updates phpoffice/phpspreadsheet from 1.29.0 to 1.30.4

Release notes

Sourced from phpoffice/phpspreadsheet's releases.

1.30.4

Fixed

• Security patches.

1.30.3

Fixed

• Security patches.
• Option to whitelist external images. Security-related backport of [PR #4793](PHPOffice/PhpSpreadsheet#4793)

1.30.2

Changed

• Evaluation of WEBSERVICE no longer requires external client, but will use oldCalculatedValue unless the request is for a domain in a user-supplied whitelist. Security-related backport of [PR #4751](PHPOffice/PhpSpreadsheet#4751)

Deprecated

• Settings methods setHttpClient, unsetHttpClient, getHttpClient, and getRequestFactory are no longer used. No replacement.

Fixed

• Changes to WEBSERVICE. Backport of [PR #4751](PHPOffice/PhpSpreadsheet#4751)

1.30.1

Functionally Frozen

• Except for security changes, no further maintenance will be applied to this branch. You are encouraged to upgrade to a maintained branch as soon as possible. Maintained branches are master (preferred - version is 5.2.0 as of the date when this is being written), release390 (current version is 3.10.1), and release222 (2.4.1).
• Of particular note is that this branch should not run under Php 8.5+, and will not be updated to avoid deprecation notices introduced with Php 8.5.

1.30.0

Breaking Changes

• Images will be loaded from an external source (e.g. http://example.com/img.png) only if the reader is explicitly set to allow it via $reader->setAllowExternalImages(true). We do not believe that loading of external images is a widely used feature. This is a necessary change for security purposes. It unfortunately breaks Semantic Versioning for reasons described above; there is no way to start a new major version for this branch.

1.29.12

Added

• Add to all readers the option to allow or forbid fetching external images. This is unconditionally allowed now. The default will be set to "allow", so no code changes are necessary. However, we are giving consideration to changing the default.[PR #4545](PHPOffice/PhpSpreadsheet#4545)

1.29.11

Changed

• Allow php-cs-fixer to Handle Implicit Backslashes.

Added

• Allow spreadsheet to be serialized. [PR #4405](PHPOffice/PhpSpreadsheet#4405)

... (truncated)

Changelog

Sourced from phpoffice/phpspreadsheet's changelog.

2026-04-19 - 1.30.4

Fixed

• Security patches.

2026-04-09 - 1.30.3

Fixed

• Security patches.
• Option to whitelist external images. Security-related backport of [PR #4793](PHPOffice/PhpSpreadsheet#4793)

2026-01-10 - 1.30.2

Changed

• Evaluation of WEBSERVICE no longer requires external client, but will use oldCalculatedValue unless the request is for a domain in a user-supplied whitelist. Security-related backport of [PR #4751](PHPOffice/PhpSpreadsheet#4751)

Deprecated

• Settings methods setHttpClient, unsetHttpClient, getHttpClient, and getRequestFactory are no longer used. No replacement.

Fixed

• Changes to WEBSERVICE. Backport of [PR #4751](PHPOffice/PhpSpreadsheet#4751)

2025-10-25 - 1.30.1

Functionally Frozen

• Except for security changes, no further maintenance will be applied to this branch. You are encouraged to upgrade to a maintained branch as soon as possible. Maintained branches are master (preferred - version is 5.4.0 as of the date when this is being written), 3.10.x (current version is 3.10.3), and 2.4.x (2.4.3).
• Of particular note is that this branch should not run under Php 8.5+, and will not be updated to avoid deprecation notices introduced with Php 8.5.

2025-08-10 - 1.30.0

Breaking Changes

• Images will be loaded from an external source (e.g. http://example.com/img.png) only if the reader is explicitly set to allow it via $reader->setAllowExternalImages(true). We do not believe that loading of external images is a widely used feature. This is a necessary change for security purposes. It unfortunately breaks Semantic Versioning for reasons described above; there is no way to start a new major version for this branch.

2025-07-23 - 1.29.12

Added

• Add to all readers the option to allow or forbid fetching external images. This is unconditionally allowed now. The default will be set to "allow", so no code changes are necessary. However, we are giving consideration to changing the default.[PR #4545](PHPOffice/PhpSpreadsheet#4545)

2025-06-22 - 1.29.11

... (truncated)

Commits

• 0297038 Security Patches
• d28d482 Prepare Changelog for New Release
• 87a0eb5 Option to Whitelist External Images r129 (#4854)
• b6c44a4 Security Patches
• 7919868 Update License 1.30.x
• 09cdde5 Instantiator Problem (#4778)
• 4ad82d2 Prepare Changelog for New Release
• 1ca2b80 Changes to WEBSERVICE R129 (#4758)
• e862463 Update README With New Branch Names
• fa8257a Prep Work for 1.30.1
• Additional commits viewable in compare view

Updates onelogin/php-saml from 4.0.0 to 4.3.2

Release notes

Sourced from onelogin/php-saml's releases.

OneLogin's SAML PHP Toolkit v4.3.2

• Updates xmlseclibs to 3.1.5 due CVE-2026-32313

OneLogin's SAML PHP Toolkit v4.3.1

• Update xmlseclibs version requirement to 3.1.4 due CVE-2025-66475

OneLogin's SAML PHP Toolkit v4.3.0

• PHP 8.4 Compatibility via #600 and #607.
• #619 Add Parameter checking on validateBinarySign, inspired on CVE-2025-27773
• #603 Fix typo in ignoreValidUntil that breaks metadata. Add parameter to exclude validUntil on Settings getSPMetadata
• #594 Add support for encrypted name id in encrypted assertion
• Fix buildWithBaseURLPath. See #581
• Doc fix typo
• Remove Travis CI references

OneLogin's SAML PHP Toolkit v4.2.0

• #586 IdPMetadataParser::parseRemoteXML - Add argument for setting whether to validate peer SSL certificate
• #585 Declare conditional return types
• #577 Allow empty NameID value when no strict or wantNameId is false
• #570 Support X509 cert comments
• #569 Add parameter to exclude validUntil on SP Metadata XML
• #551 Fix compatibility with proxies that extends HTTP_X_FORWARDED_HOST
• LogoutRequest and the LogoutResponse object to separate functions
• Make Saml2\Auth can accept a param $spValidationOnly
• Fix typos on readme.
• #480 Fix typo on SPNameQualifier mismatch error message
• Remove unbound version constraints on xmlseclibs
• Update dependencies
• Fix test payloads
• Remove references to OneLogin.

OneLogin's SAML PHP Toolkit v4.1.0

• Add pipe through for the $spValidationOnly setting in the Auth class.

OneLogin's SAML PHP Toolkit v4.0.1

• Add compatibility with PHP 8.1
  • If null param are provided to trim or preg_match, when PHP 8.1 has deprecation errors enabled, php-saml will raise errors.

Changelog

Sourced from onelogin/php-saml's changelog.

v4.3.2

• Update xmlseclibs version requirement to 3.1.5 due CVE-2026-32313

v4.3.1

• Update xmlseclibs version requirement to 3.1.4 due CVE-2025-66475

v4.3.0

• PHP 8.4 Compatibility via #600 and #607.
• #619 Add Parameter checking on validateBinarySign, inspired on CVE-2025-27773
• #603 Fix typo in ignoreValidUntil that breaks metadata. Add a new parameter to exclude validUntil on Settings getSPMetadata
• #594 Add support for encrypted name id in encrypted assertion
• Fix buildWithBaseURLPath. See #581
• Doc fix typo
• Remove Travis CI references

v4.2.0

• #586 IdPMetadataParser::parseRemoteXML - Add argument for setting whether to validate peer SSL certificate
• #585 Declare conditional return types
• #577 Allow empty NameID value when no strict or wantNameId is false
• #570 Support X509 cert comments
• #569 Add parameter to exclude validUntil on SP Metadata XML
• #551 Fix compatibility with proxies that extends HTTP_X_FORWARDED_HOST
• LogoutRequest and the LogoutResponse object to separate functions
• Make Saml2\Auth can accept a param $spValidationOnly
• Fix typos on readme.
• #480 Fix typo on SPNameQualifier mismatch error message
• Remove unbound version constraints on xmlseclibs
• Update dependencies
• Fix test payloads
• Remove references to OneLogin.

v4.1.0

• Add pipe through for the $spValidationOnly setting in the Auth class.

v4.0.1

• Add compatibility with PHP 8.1
• #487 Enable strict check on in_array method
• Add warning about Open Redirect and Reply attacks
• Add warning about the use of IdpMetadataParser class. If Metadata URLs are provided by 3rd parties, the URL inputs MUST be validated to avoid issues like SSRF

Commits

• 26b3a47 Prepare release 4.3.2
• f326e94 Update README with CVE-2026-32313 reference
• e5f1bd2 Merge pull request #644 from sneakyvv/fix-cve-2026-32313
• e789555 Fix CVE-2026-32313: Require robrichards/xmlseclibs ^3.1.5
• 5d3aeb5 Update README with CVE-2025-66475 reference
• b009f16 Prepare release 4.3.1
• bf0c0de Update xmlseclibs version requirement to 3.1.4 due CVE-2025-66475
• 341215d Update CHANGELOG with missed entry
• bf5efce Prepare release 4.3.0
• ba244ae Fix buildWithBaseURLPath, See #581
• Additional commits viewable in compare view

Updates phenx/php-svg-lib from 0.3.4 to 0.5.4

Release notes

Sourced from phenx/php-svg-lib's releases.

Nattering Narwhal

What's Changed

• Handle nested definition elements in dompdf/php-svg-lib#120

Full Changelog: dompdf/php-svg-lib@0.5.3...0.5.4 Addressed Issues: https://github.com/dompdf/php-svg-lib/milestone/9?closed=1

Masticating Manatee

What's Changed

• Update color parsing logic in dompdf/php-svg-lib#105
• Improve use handling in dompdf/php-svg-lib#111
• Render a line for a path segment with a radius of zero in dompdf/php-svg-lib#112

Full Changelog: dompdf/php-svg-lib@0.5.2...0.5.3 Addressed Issues: 0.5.3 milestone

Lounging Llama

Security release to address the following reported vulnerability:

• Lack of path validation on font through SVG inline styles

Full Changelog: dompdf/php-svg-lib@0.5.1...0.5.2

Kickin' Koala

Security release to address the following reported vulnerabilities:

• Possible DoS caused by infinite recursion when parsing SVG document
• Unsafe attributes merge when parsing use tag

Jesting Jackal

• Adds full support for non-user space length values (percent, unit values)
• Improves processing of use elements
• Improves path rendering and syntax support
• Adds support for colors with alpha
• Adds support for non-namespaced "href" attribute
• Improves font parsing

See the 0.5.0 milestone for issues and PRs

Gracious thanks to the contributors who helped make this release possible.

Ignaminous Iguanga

• Re-target base PHP support to 7.1
• Skips rendering of indeterminate (return-to-origin) arc segments

Howling Hyena

• Improves compatibility with PHP 8.1
  • Update Cpdf to latest version
  • Updates php-css-parser dependency to 8.4

Commits

• 46b25da Update PathTest.php for PHPunit compatibility
• 0e9dc9d Handle nested definition elements
• 0e46722 Render a line for a path segment with a radius of zero
• 964d9a9 Improve symbol element parsing
• 3d6b248 Add method to apply element viewBox
• 092e32c Improve use handling
• bb2eee6 Update license property in composer.json
• 519791c Update README links
• 52d6776 Update .gitignore and .gitattributes
• 720b707 Merge CPdf updated from Dompdf
• Additional commits viewable in compare view

Updates robrichards/xmlseclibs from 3.1.1 to 3.1.5

Release notes

Sourced from robrichards/xmlseclibs's releases.

3.1.5

Validate AES-GCM Authentication Tag

3.1.4

fix canonicalization error

3.1.3

Removes BC breaking change

3.1.2

Add tab to list of whitespace values to remove from cert loadKey should check return value for openssl_get_privatekey Switch to GitHub actions Support OAEP (from unreleased 3.1.1)

Changelog

Sourced from robrichards/xmlseclibs's changelog.

xmlseclibs.php ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ??, ??? ????, 4.0.0 Security Improvements:

Features:

• Remove support for PHP < 8.0
• add support for RSA PSS (Julius Türich and joonlabs)
• use phpseclib for encrypting rsa-oaep and rsa-oaep-mgf1p (Julius Türich and joonlabs)

12, Dec 2026, 3.1.5 Security:

• Validate AES-GCM Authentication Tag (Sideni)

08, Dec 2025, 3.1.4 Security:

• fix canonicalization bypass error (d0ge)

20, Nov 2024, 3.1.3 Bug Fixes:

• remove loadKey check due to BC issues

20, Nov 2024, 3.1.2 Improvements:

• Add tab to list of whitespace values to remove from cert. refs #252
• loadKey should check return value for openssl_get_privatekey (sammarshallou)
• Switch to GitHub actions (SharkMachine)

05, Sep 2020, 3.1.1 Features:

• Support OAEP (iggyvolz)

Bug Fixes:

• Fix AES128 (iggyvolz)

Improvements:

• Fix tests for older PHP

22, Apr 2020, 3.1.0 Features:

• Support AES-GCM. Requires PHP 7.1. (François Kooman)

Improvements:

• Fix Travis tests for older PHP versions.
• Use DOMElement interface to fix some IDEs reporting documentation errors

Bug Fixes:

• FIX missing InclusiveNamespaces PrefixList from Java + Apache WSS4J. (njake)

... (truncated)

Commits

• 03062be Merge commit from fork
• bc87389 Merge commit from fork
• 2bdfd74 remove BC breaking code
• 56361cc Update date and prep for 3.1.2 release
• cf50b50 ci: Use GitHub Actions V3 (#253)
• e899d2b Update changelog
• 158c735 loadKey should check return value for openssl_get_privatekey (#249)
• ebeaef1 Add tab to whitespaces to remove (#252)
• 61657f3 Switch to GitHub actions (#240)
• a268e60 Fix subject name.
• Additional commits viewable in compare view

Updates symfony/cache from 5.3.12 to 5.4.53

Release notes

Sourced from symfony/cache's releases.

v5.4.53

Changelog (symfony/cache@v5.4.52...v5.4.53)

• bug #64336 Accept '_' and ':' in prefix passed to AbstractAdapter::clear() (@​nicolas-grekas)

v5.4.52

Changelog (symfony/cache@v5.4.46...v5.4.52)

• security #cve-2026-45073 Validate the prefix given to AbstractAdapter::clear() (@​nicolas-grekas)

v5.4.46

Changelog (symfony/cache@v5.4.45...v5.4.46)

• bug symfony/symfony#58753 [Cache] Fix clear() when using Predis (@​nicolas-grekas)

v5.4.45

Changelog (symfony/cache@v5.4.44...v5.4.45)

• bug symfony/symfony#58669 [Cache] Revert "Initialize RedisAdapter cursor to 0" (@​nicolas-grekas)
• bug symfony/symfony#58661 [Cache] Initialize RedisAdapter cursor to 0 (@​thomas-hiron)

v5.4.44

Changelog (symfony/cache@v5.4.43...v5.4.44)

• bug symfony/symfony#58260 [Cache] Fix RedisSentinel param types (Paweł Stasicki)

v5.4.42

Changelog (symfony/cache@v5.4.41...v5.4.42)

• bug symfony/symfony#57674 [Cache] Improve dbindex DSN parameter parsing (@​constantable)
• bug symfony/symfony#57663 [Cache] use copy() instead of rename() on Windows (@​xabbuh)

Changelog

Sourced from symfony/cache's changelog.

CHANGELOG

8.0

• Remove CouchbaseBucketAdapter, use CouchbaseCollectionAdapter instead

7.4

• Bump ext-redis to 6.1 and ext-relay to 0.12 minimum

7.3

• Add support for \Relay\Cluster in RedisAdapter
• Add support for valkey: / valkeys: schemes
• Add support for namespace-based invalidation
• Rename options "redis_cluster" and "redis_sentinel" to "cluster" and "sentinel" respectively

7.2

• igbinary_serialize() is no longer used instead of serialize() by default when the igbinary extension is installed, due to behavior compatibilities between the two
• Add optional Psr\Clock\ClockInterface parameter to ArrayAdapter

7.1

• Add option sentinel_master as an alias for redis_sentinel
• Deprecate CouchbaseBucketAdapter, use CouchbaseCollectionAdapter
• Add support for URL encoded characters in Couchbase DSN
• Add support for using DSN with PDOAdapter
• The algorithm for the default cache namespace changed from SHA256 to XXH128

7.0

• Add parameter $isSameDatabase to DoctrineDbalAdapter::configureSchema()
• Drop support for Postgres < 9.5 and SQL Server < 2008 in DoctrineDbalAdapter

6.4

• EarlyExpirationHandler no longer implements MessageHandlerInterface, rely on AsMessageHandler instead

6.3

... (truncated)

Commits

• bf58147 [Cache] skip tests for adapters that cannot clear by prefix
• 4acd37c [Cache] Accept '_' and ':' in prefix passed to AbstractAdapter::clear()
• 03b191d [Cache] Validate the prefix given to AbstractAdapter::clear()
• 0fe08ee [Cache] Fix clear() when using Predis
• 12b03e3 Revert "bug #58661 [Cache] Initialize RedisAdapter cursor to 0 (thomas-hiron)"
• e135eb8 initialize RedisAdapter cursor to 0
• c2b90da do not skip tests from data providers
• 6cf23ad drop existing schema if tests create it explicitly
• 7050072 do not mix named and positional arguments in data provider definitions
• 911f2bc do not use TestCase::getName() when possible
• Additional commits viewable in compare view

Updates symfony/polyfill-intl-idn from 1.27.0 to 1.38.1

Release notes

Sourced from symfony/polyfill-intl-idn's releases.

v1.38.1

Changelog (symfony/polyfill-intl-idn@v1.31.0...v1.38.1)

• security #cve-2026-46644 Reject xn-- labels whose Punycode payload decodes to ASCII-only (@​nicolas-grekas)

v1.37.0

Changelog (symfony/polyfill-intl-idn@v1.36.0...v1.37.0)

• no significant changes

v1.36.0

Changelog (symfony/polyfill-intl-idn@v1.35.0...v1.36.0)

• no significant changes

v1.35.0

Changelog (symfony/polyfill-intl-idn@v1.34.0...v1.35.0)

• no significant changes

v1.34.0

Changelog (symfony/polyfill-intl-idn@v1.33.0...v1.34.0)

• no significant changes

Commits

• dc21118 [Intl][Idn] Reject xn-- labels whose Punycode payload decodes to ASCII-only
• 9614ac4 Give testing some love
• c36586d Bump to PHP 7.2, stick to phpunit 8.5
• a6e83bd Revert "minor #477 Auto-close PRs on subtree-splits (kbond)"
• 872bf45 Auto-close PRs on subtree-splits
• 412b0a6 Conform to IDNA version 15.1.0 revision 31
• a287ed7 Remove branch-alias from composer.json
• ecaafce feature #334 [PHP 8.1] Add CURLStringFile polyfill (Ayesh, nicolas-grekas)
• b5b0079 CS fix
• 5a42f2d Bump for 1.28
• Additional commits viewable in compare view

Updates symfony/process from 5.3.12 to 5.4.51

Release notes

Sourced from symfony/process's releases.

v5.4.51

Changelog (symfony/process@v5.4.50...v5.4.51)

• security #cve-2026-24739 Fix escaping for MSYS on Windows (@​nicolas-grekas)

v5.4.47

Changelog (symfony/process@v5.4.46...v5.4.47)

• no significant changes

v5.4.46

Changelog (symfony/process@v5.4.45...v5.4.46)

• security symfony/symfony#cve-2024-51736 [Process] Use PATH before CD to load the shell on Windows (@​nicolas-grekas)
• bug symfony/symfony#58752 [Process] Fix escaping /X arguments on Windows (@​nicolas-grekas)
• bug symfony/symfony#58735 [Process] Return built-in cmd.exe commands directly in ExecutableFinder (@​Seldaek)
• bug symfony/symfony#58723 [Process] Properly deal with not-found executables on Windows (@​nicolas-grekas)
• bug symfony/symfony#58711 [Process] Fix handling empty path found in the PATH env var with ExecutableFinder (@​nicolas-grekas)

v5.4.45

Changelog (symfony/process@v5.4.44...v5.4.45)

• no significant changes

v5.4.44

Changelog (symfony/process@v5.4.43...v5.4.44)

• bug symfony/symfony#58291 [Process] Fix finding executables independently of open_basedir (@​BlackbitDevs)

v5.4.40

Changelog (symfony/process@v5.4.39...v5.4.40)

• no significant changes

v5.4.39

Changelog (symfony/process@v5.4.38...v5.4.39)

• no significant changes

v5.4.36

Changelog (symfony/process@v5.4.35...v5.4.36)

• bug symfony/symfony#53821 [Process] Fix Inconsistent Exit Status in proc_get_status for PHP Versions Below 8.3 (@​Luc45)

v5.4.35

Changelog (symfony/process@v5.4.34...v5.4.35)

• bug symfony/symfony#53481 [Process] Fix executable finder when the command starts with a dash (@​kayw-geek)

v5.4.34

... (truncated)

Commits

• 467bfc5 [Process] Fix escaping for MSYS on Windows
• 5d1662f normalize paths to avoid failures if a path is referenced by different names
• 0190687 [Process] Fix test
• ee75984 security #cve-2024-51736 [Process] Use %PATH% before %CD% to load the shell o...
• 05c2ccc [Process] Use %PATH% before %CD% to load the shell on Windows
• d94dda5 [Process] Fix escaping /X arguments on Windows
• 72baf6b fix the constant being used
• 81e1a0c fix the path separator being used
• d67303e minor #58747 [Process] fix the directory separator being used (xabbuh)
• 5cdd400 minor #58746 [Process] Improve test cleanup by unlinking in a finally block...
• Additional commits viewable in compare view

Updates symfony/routing from 5.3.11 to 5.4.53

Release notes

Sourced from symfony/routing's releases.

v5.4.53

Changelog (symfony/routing@v5.4.52...v5.4.53)

• security #cve-2026-48784 Fix dot-segment encoding for chained "../" and "./" in generated URLs (@​nicolas-grekas)

v5.4.52

Changelog (symfony/routing@v5.4.48...v5.4.52)

• security #cve-2026-45065 Fix regex alternation anchoring in UrlGenerator requirement validation (@​alexandre-daubois)

v5.4.48

Changelog (symfony/routing@v5.4.47...v5.4.48)

• bug symfony/symfony#58842 [Routing] Fix: lost priority when defining hosts in configuration (@​BeBlood)

v5.4.45

Changelog (symfony/routing@v5.4.44...v5.4.45)

• no significant changes

v5.4.43

Changelog (symfony/routing@v5.4.42...v5.4.43)

• no significant changes

v5.4.42

Changelog (symfony/routing@v5.4.41...v5.4.42)

• bug symfony/symfony#57645 [Routing] Discard in-memory cache of routes when writing the file-based cache (@​mpdude)

v5.4.40

Changelog (symfony/routing@v5.4.39...v5.4.40)

• no significant changes

v5.4.39

Changelog (symfony/routing@v5.4.38...v5.4.39)

• no significant changes

v5.4.38

Changelog (symfony/routing@v5.4.37...v5.4.38)

• no significant changes

v5.4.37

Changelog (symfony/routing@v5.4.36...v5.4.37)

• bug symfony/symfony#54080 [Routing] Enhance error handling in StaticPrefixCollection for compatibility with libpcre2-10.43 (@​Lustmored)

... (truncated)

Commits

• f4ca0c5 [Routing] Fix dot-segment encoding for chained "../" and "./" in generated URLs
• 275b313 [Routing] Fix regex alternation anchoring in UrlGenerator requirement validation
• dd08c19 [Routing] Fix: lost priority when defining hosts in configuration
• 986597b do not use TestCase::getName() when possible
• 7289d3c Add PR template and auto-close PR on subtree split repositories
• b6f7178 Fix typos
• f8dd6f8 use more entropy with uniqid()
• c99c74b bug #57645 [Routing] Discard in-memory cache of routes when writing the file-...
• 7bec6df [Router] Discard in-memory cache of routes when writing the file-based cache
• 6df1dd8 Revert "minor #54653 Auto-close PRs on subtree-splits (nicolas-grekas)"
• Additional commits viewable in compare view

Updates symfony/dom-crawler from 5.3.14 to 5.4.52

Release notes

Sourced from symfony/dom-crawler's releases.

v5.4.52

Changelog (symfony/dom-crawler@v5.4.48...v5.4.52)

• security #cve-2026-45071 Fix XXE in addXmlContent() by not enabling validateOnParse (@​alexandre-daubois)

v5.4.48

Changelog (symfony/dom-crawler@v5.4.47...v5.4.48)

• bug symfony/symfony#58836 Work around parse_url() bug (bis) (@​nicolas-grekas)

v5.4.45

Changelog (symfony/dom-crawler@v5.4.44...v5.4.45)

• bug symfony/symfony#58627 Minor fixes around parse_url() checks (@​nicolas-grekas)

v5.4.44

Changelog (symfony/dom-crawler@v5.4.43...v5.4.44)

• bug symfony/symfony#58218 Work around parse_url() bug (@​nicolas-grekas)

v5.4.40

Changelog (symfony/dom-crawler@v5.4.39...v5.4.40)

• no significant changes

v5.4.39

Changelog (symfony/dom-crawler@v5.4.38...v5.4.39)

• bug symfony/symfony#54456 [DomCrawler] Encode html entities only if nessecary (@​ausi)

v5.4.35

Changelog (symfony/dom-crawler@v5.4.34...v5.4.35)

• no significant changes

v5.4.32

Changelog (symfony/dom-crawler@v5.4.31...v5.4.32)

• bug symfony/symfony#52631 [DomCrawler] Revert "bug symfony/symfony#52579 UriResolver support path with colons" (@​lyrixx)
• bug symfony/symfony#52579 [DomCrawler] UriResolver support path with colons (@​vdauchy)

v5.4.25

Changelog (symfony/dom-crawler@v5.4.24...v5.4.25)

• no significant changes

v5.4.23

Changelog (symfony/dom-crawler@v5.4.22...v5.4.23)

• bug #49983 Avoid passing null to substr/strrpos methods (VincentLanglet)

... (truncated)

Changelog

Sourced from symfony/dom-crawler's changelog.

CHANGELOG

8.1

• Make ChoiceFormField::addChoice() part of the supported public API
• Always set LIBXML_NONET in Crawler::addXmlContent() so external entities cannot trigger network requests

8.0

• Remove argument $useHtml5Parser of Crawler's constructor; the native HTML5 parser is used unconditionally

7.4

• Disabling HTML5 parsing is deprecated; Symfony 8 will unconditionally use the native HTML5 parser

7.0

• Add argument $normalizeWhitespace to Crawler::innerText()
• Add argument $default to Crawler::attr()

6.4

• Add CrawlerAnySelectorTextContains test constraint
• Add CrawlerAnySelectorTextSame test constraint
• Add argument $default to Crawler::attr()

6.3

• Add $useHtml5Parser argument to Crawler
• Add CrawlerSelectorCount test constraint
• Add argument $normalizeWhitespace to Crawler::innerText()
• Make Crawler::innerText() return the first non-empty text

6.0

• Remove Crawler::parents() method, use ancestors() instead

5.4

• Add Crawler::innerText method.

... (truncated)

Commits

• b4cf17f [DomCrawler] Fix XXE in addXmlContent() by not enabling validateOnParse
• b57df76 Work around parse_url() bug (bis)
• 89647a5 Minor fixes around parse_url() checks
• 7111520 Add PR template and auto-close PR on subtree split repositories
• 4c76e41 Work around parse_url() bug
• 2ad469c Revert "minor #54653 Auto-close PRs on subtree-splits (nicolas-grekas)"
• 1dffb11 Auto-close PRs on subtree-splits
• 000634e [DomCrawler] Encode html entities only if nessecary
• e3b4806 Apply php-cs-fixer fix --rules nullable_type_declaration_for_default_null_value
• 728f1fc [DomCrawler] Revert "bug #52579 UriResolver support path with colons"
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

De...

Description has been truncated

[codacy-production]

Not up to standards ⛔

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}