Problem/Motivation

These are security releases, but we don't use HttpCache so we're not directly affected. However, we should update anyway before doing this week's patch releases.

https://github.com/symfony/symfony/releases/tag/v6.2.6

https://github.com/symfony/symfony/releases/tag/v4.4.50

Comments

catch created an issue. See original summary.

catch’s picture

Status: Active » Needs review
Attached files (status, size):
new, 6.46 KB
new, 46.75 KB
new, 38.53 KB

composer update symfony/*

Only a couple of 9.5, several on 10.1.x and 10.0

If we really wanted to we could restrict the update just to the affected components, but if we get a green test run with everything, might as well be up-to-date IMO.

longwave’s picture

Status: Needs review » Reviewed & tested by the community

Patches look good to me - RTBC assuming they all come back green. Agree that we might as well bump all Symfony components here to get the latest bug fixes; patch level updates are already allowed in core-recommended. The contracts packages do have a minor version bump in 10.0.x but I checked the diff on Symfony's side and it doesn't affect us at all, so this is fine too: https://github.com/symfony/contracts/compare/v3.1.1..v3.2.0

benjifisher’s picture

Status: Reviewed & tested by the community » Needs work

Don't we need a patch for 9.4.x too? NW for that.

From the 10.0 patch:

+++ b/composer/Metapackage/CoreRecommended/composer.json
@@ -29,32 +29,32 @@
         "psr/http-message": "~1.0.1",
         "psr/log": "~3.0.0",
         "ralouphie/getallheaders": "~3.0.3",
-        "symfony/console": "~v6.2.2",
-        "symfony/dependency-injection": "~v6.2.2",
-        "symfony/deprecation-contracts": "~v3.1.1",
-        "symfony/error-handler": "~v6.2.2",
-        "symfony/event-dispatcher": "~v6.2.2",
-        "symfony/event-dispatcher-contracts": "~v3.1.1",
-        "symfony/http-foundation": "~v6.2.2",
-        "symfony/http-kernel": "~v6.2.2",
-        "symfony/mime": "~v6.2.2",
+        "symfony/console": "~v6.2.5",
+        "symfony/dependency-injection": "~v6.2.6",
+        "symfony/deprecation-contracts": "~v3.2.0",
+        "symfony/error-handler": "~v6.2.5",
+        "symfony/event-dispatcher": "~v6.2.5",
+        "symfony/event-dispatcher-contracts": "~v3.2.0",
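
Review bot: the two contracts lines, symfony/deprecation-contracts and symfony/event-dispatcher-contracts, go from ~v3.1.1 to ~v3.2.0, and with a three-segment tilde constraint that moves the allowed range from 3.1.x to 3.2.x, unlike the 6.2.x lines around them, which stay within one minor series. The commit message or release note should say so explicitly and cite the upstream contracts compare that was reviewed, so sites consuming core-recommended know the floor has moved. The excerpt also stops before the + lines for symfony/http-foundation, symfony/http-kernel and symfony/mime, so the new constraint for http-kernel, the component that contains HttpCache, cannot be confirmed from the lines shown here.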

I just want to point out that some of these are minor-version updates, not patch-level.

benjifisher’s picture

Since this is not considered a security update, I guess it is up to the release managers whether to make a new release of 9.4. I think it is worth considering, in case there are 9.4 sites with custom or contrib code that uses the affected Symfony components.

longwave’s picture

@benjifisher I noted the minor version bump in #3 - apart from docs and test-only changes, the only real code change is in the SubscribedService attribute which we do not and cannot use yet in Drupal without significant work on the event system, so to me this is OK to bump.

longwave’s picture

Status: Needs work » Needs review
Attached files (status, size):
new, 54.24 KB

Patch for 9.4.x. This bumps patch level dependencies of all Symfony components, plus minor version bumps of the PHP polyfills - again to me this is OK to do in a patch release, but happy to discuss if we think we should be more conservative.

+------------------------------------+---------+---------+
| Production Changes                 | From    | To      |
+------------------------------------+---------+---------+
| symfony/console                    | v4.4.42 | v4.4.49 |
| symfony/debug                      | v4.4.41 | v4.4.44 |
| symfony/dependency-injection       | v4.4.42 | v4.4.49 |
| symfony/deprecation-contracts      | v2.5.1  | v2.5.2  |
| symfony/error-handler              | v4.4.41 | v4.4.44 |
| symfony/event-dispatcher           | v4.4.42 | v4.4.44 |
| symfony/event-dispatcher-contracts | v1.1.12 | v1.1.13 |
| symfony/http-client-contracts      | v2.5.1  | v2.5.2  |
| symfony/http-foundation            | v4.4.41 | v4.4.49 |
| symfony/http-kernel                | v4.4.42 | v4.4.50 |
| symfony/mime                       | v5.4.9  | v5.4.13 |
| symfony/polyfill-ctype             | v1.25.0 | v1.27.0 |
| symfony/polyfill-iconv             | v1.25.0 | v1.27.0 |
| symfony/polyfill-intl-idn          | v1.25.0 | v1.27.0 |
| symfony/polyfill-intl-normalizer   | v1.25.0 | v1.27.0 |
| symfony/polyfill-mbstring          | v1.25.0 | v1.27.0 |
| symfony/polyfill-php80             | v1.25.0 | v1.27.0 |
| symfony/process                    | v4.4.41 | v4.4.44 |
| symfony/psr-http-message-bridge    | v2.1.2  | v2.1.4  |
| symfony/routing                    | v4.4.41 | v4.4.44 |
| symfony/serializer                 | v4.4.42 | v4.4.47 |
| symfony/service-contracts          | v2.5.1  | v2.5.2  |
| symfony/translation                | v4.4.41 | v4.4.47 |
| symfony/translation-contracts      | v2.5.1  | v2.5.2  |
| symfony/validator                  | v4.4.41 | v4.4.48 |
| symfony/var-dumper                 | v5.4.9  | v5.4.19 |
| symfony/yaml                       | v4.4.37 | v4.4.45 |
+------------------------------------+---------+---------+

+------------------------+---------+---------+
| Dev Changes            | From    | To      |
+------------------------+---------+---------+
| symfony/browser-kit    | v4.4.37 | v4.4.44 |
| symfony/css-selector   | v4.4.37 | v4.4.44 |
| symfony/dom-crawler    | v4.4.42 | v4.4.45 |
| symfony/finder         | v4.4.41 | v4.4.44 |
| symfony/lock           | v4.4.40 | v4.4.46 |
| symfony/phpunit-bridge | v5.4.8  | v5.4.19 |
+------------------------+---------+---------+
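
The patch-level versus minor-version check discussed in this thread, as an added example that is not part of the original issue or of Drupal's tooling: it parses a change table in the format posted above and lists every package whose bump is more than patch-level. The sample rows are copied from the 9.4.x table; the function names are hypothetical.

```python
import re

# Constructed sample: four rows copied from the 9.4.x table in this thread.
SAMPLE = """\
+------------------------------------+---------+---------+
| Production Changes                 | From    | To      |
+------------------------------------+---------+---------+
| symfony/http-kernel                | v4.4.42 | v4.4.50 |
| symfony/mime                       | v5.4.9  | v5.4.13 |
| symfony/polyfill-mbstring          | v1.25.0 | v1.27.0 |
| symfony/service-contracts          | v2.5.1  | v2.5.2  |
+------------------------------------+---------+---------+
"""

# A data row is "| vendor/package | vX.Y.Z | vX.Y.Z |"; borders and the
# header row (no slash in the first cell) do not match.
ROW = re.compile(
    r"^\|\s*(\S+/\S+)\s*\|\s*v?(\d+(?:\.\d+)*)\s*\|\s*v?(\d+(?:\.\d+)*)\s*\|\s*$"
)

def parse_version(text):
    """Turn '4.4.50' into (4, 4, 50), padding short versions with zeros."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def classify(old, new):
    """Name the most significant version segment that changed."""
    if new < old:
        return "downgrade"
    if new == old:
        return "none"
    if new[0] != old[0]:
        return "major"
    if new[1] != old[1]:
        return "minor"
    return "patch"

def review_table(table):
    """Map each package in the table to the kind of bump it received."""
    result = {}
    for line in table.splitlines():
        match = ROW.match(line)
        if match:
            name, old, new = match.groups()
            result[name] = classify(parse_version(old), parse_version(new))
    return result

def needs_attention(table):
    """Packages whose bump is anything other than patch-level."""
    return sorted(p for p, kind in review_table(table).items() if kind != "patch")

if __name__ == "__main__":
    print(needs_attention(SAMPLE))
```
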
jungle’s picture

Status: Needs review » Reviewed & tested by the community

COMPOSER_ROOT_VERSION=10.1.x-dev composer update symfony/* -vvv
COMPOSER_ROOT_VERSION=10.0.x-dev composer update symfony/* -vvv
COMPOSER_ROOT_VERSION=9.5.x-dev composer update symfony/* -vvv
COMPOSER_ROOT_VERSION=9.4.x-dev composer update symfony/* -vvv

Checked with the commands above against the corresponding branch, and the results are identical.

  • longwave committed f81b11ef on 10.0.x
    Issue #3338301 by catch, longwave, benjifisher, jungle: Update Symfony...

  • longwave committed 6a9f48d0 on 10.1.x
    Issue #3338301 by catch, longwave, benjifisher, jungle: Update Symfony...

  • longwave committed 10e6d00f on 9.4.x
    Issue #3338301 by catch, longwave, benjifisher, jungle: Update Symfony...

  • longwave committed 6d2bf846 on 9.5.x
    Issue #3338301 by catch, longwave, benjifisher, jungle: Update Symfony...
longwave’s picture

Status: Reviewed & tested by the community » Fixed

Committed and pushed 6a9f48d093 to 10.1.x and f81b11ef9a to 10.0.x and 6d2bf8467a to 9.5.x and 10e6d00f94 to 9.4.x. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.