Bump the composer group across 1 directory with 6 updates

[dependabot]

Bumps the composer group with 1 update in the / directory: craftcms/cms.

Updates craftcms/cms from 4.8.9 to 4.13.8

Release notes

Sourced from craftcms/cms's releases.

4.13.8

• Fixed a bug where asset edit page URLs contained spaces if the asset filename contained spaces. (#15236)
• Fixed a bug where custom fields were getting included in rendered field layout forms, even if their getInputHtml() method returned an empty string.
• Fixed a bug where the password input on the Set Password page wasn’t including the “Show” button.
• Fixed a SQL error that could occur if an element was saved with a title longer than 255 characters.
• Fixed a bug where some UI messages began with a lowercase letter in some languages. (#16354)
• Fixed an RCE vulnerability.

4.13.7

• Fixed a bug where elements’ getPrev() and getNext() methods could cause duplicate queries. (#16329)
• Fixed a bug where assets that were shorter than the preview thumb container weren’t getting vertically centered within it.
• Fixed a bug where it was possible to set a focal point on SVGs, even though focal points on SVGs aren’t supported. (#16258)
• Fixed a bug where ancestors, children, descendants, and parent eager-loading wasn’t working for previewed elements. (#16327)

4.13.6

• Fixed a bug where blank user group descriptions weren’t getting omitted from project config data. (#16272)
• Fixed a bug where pressing Return when a color text input within an editable table was focused was submitting the form rather than moving focus to the next row.
• Fixed a JavaScript error that occurred on the Plugins index page, if there were any missing plugins associated with the Craft CMS license and no plugins were Composer-installed yet.

4.13.5

• Fixed a bug where asset, category, and entry sources defined by the EVENT_REGISTER_SOURCES event didn’t have any custom fields available to them, unless the EVENT_REGISTER_FIELD_LAYOUTS event was also used to define the available field layouts for the event-defined source. (#16256)

4.13.4

• Reduced the likelihood of a deadlock error occurring when updating search indexes. (#15221)
• The PHP Info utility is no longer shown in environments where the phpinfo() function is disabled. (#16229)
• Fixed an error that could occur when duplicating an element with an Assets field that had a dynamic subpath. (#16214)
• Fixed a bug where renaming asset folders could move them to the webroot on Windows. (#16215)
• Fixed a bug where Matrix fields’ content tables weren’t getting renamed properly when applying project config changes. (#16227)
• Fixed a bug where utilities’ isSelectable() methods weren’t being respected.
• Fixed an exception that could be thrown when displaying entry indexes, if any EVENT_INIT or EVENT_DEFINE_BEHAVIORS entry event handlers were calling getSection() or getType() on the entry. (#16254)

4.13.3

• Element indexes now sort by ID by default, for sources that don’t define a default sort option.
• Fixed a bug where element indexes were sorting by the first sortable attribute alphabetically by default, rather than the first sortable attribute defined by the element type.
• Fixed a bug where bulk asset actions where shown as available when subfolders were selected, when they shouldn’t have. (#16151)
• Fixed a bug where craft\events\ApplyFieldSaveEvent::$field wasn’t being set consistently by craft\services\Fields::EVENT_BEFORE_APPLY_FIELD_SAVE. (#16156)
• Fixed a bug where the address field layout’s project config data wasn’t getting recreated when running project-config/rebuild. (#16189)

4.13.2

• Fixed an error that could occur if an invalid folder ID was passed to craft\services\Assets::deleteFoldersByIds(). (#16147)
• Fixed an RCE vulnerability.

4.13.1.1

• Fixed a PHP error. (#16142)

4.13.1

• Fixed a JavaScript error that could occur on element edit pages. (#16055)
• Fixed a Twig deprecation error. (#16107)
• Fixed a bug where craft\services\Structures::fillGapsInElements() wasn’t working properly if the elements weren’t passed in hierarchical order. (#16085)
• Fixed an RCE vulnerability.

... (truncated)

Changelog

Sourced from craftcms/cms's changelog.

4.13.8 - 2025-01-02

• Fixed a bug where asset edit page URLs contained spaces if the asset filename contained spaces. (#15236)
• Fixed a bug where custom fields were getting included in rendered field layout forms, even if their getInputHtml() method returned an empty string.
• Fixed a bug where the password input on the Set Password page wasn’t including the “Show” button.
• Fixed a SQL error that could occur if an element was saved with a title longer than 255 characters.
• Fixed a bug where some UI messages began with a lowercase letter in some languages. (#16354)
• Fixed an RCE vulnerability.

4.13.7 - 2024-12-17

• Fixed a bug where elements’ getPrev() and getNext() methods could cause duplicate queries. (#16329)
• Fixed a bug where assets that were shorter than the preview thumb container weren’t getting vertically centered within it.
• Fixed a bug where it was possible to set a focal point on SVGs, even though focal points on SVGs aren’t supported. (#16258)
• Fixed a bug where ancestors, children, descendants, and parent eager-loading wasn’t working for previewed elements. (#16327)

4.13.6 - 2024-12-10

• Fixed a bug where blank user group descriptions weren’t getting omitted from project config data. (#16272)
• Fixed a bug where pressing Return when a color text input within an editable table was focused was submitting the form rather than moving focus to the next row.
• Fixed a JavaScript error that occurred on the Plugins index page, if there were any missing plugins associated with the Craft CMS license and no plugins were Composer-installed yet.

4.13.5 - 2024-12-03

• Fixed a bug where asset, category, and entry sources defined by the EVENT_REGISTER_SOURCES event didn’t have any custom fields available to them, unless the EVENT_REGISTER_FIELD_LAYOUTS event was also used to define the available field layouts for the event-defined source. (#16256)

4.13.4 - 2024-12-02

• Reduced the likelihood of a deadlock error occurring when updating search indexes. (#15221)
• The PHP Info utility is no longer shown in environments where the phpinfo() function is disabled. (#16229)
• Fixed an error that could occur when duplicating an element with an Assets field that had a dynamic subpath. (#16214)
• Fixed a bug where renaming asset folders could move them to the webroot on Windows. (#16215)
• Fixed a bug where Matrix fields’ content tables weren’t getting renamed properly when applying project config changes. (#16227)
• Fixed a bug where utilities’ isSelectable() methods weren’t being respected.
• Fixed an exception that could be thrown when displaying entry indexes, if any EVENT_INIT or EVENT_DEFINE_BEHAVIORS entry event handlers were calling getSection() or getType() on the entry. (#16254)

4.13.3 - 2024-11-22

• Element indexes now sort by ID by default, for sources that don’t define a default sort option.
• Fixed a bug where element indexes were sorting by the first sortable attribute alphabetically by default, rather than the first sortable attribute defined by the element type.
• Fixed a bug where bulk asset actions where shown as available when subfolders were selected, when they shouldn’t have. (#16151)
• Fixed a bug where craft\events\ApplyFieldSaveEvent::$field wasn’t being set consistently by craft\services\Fields::EVENT_BEFORE_APPLY_FIELD_SAVE. (#16156)
• Fixed a bug where the address field layout’s project config data wasn’t getting recreated when running project-config/rebuild. (#16189)

4.13.2 - 2024-11-19 [CRITICAL]

• Fixed an error that could occur if an invalid folder ID was passed to craft\services\Assets::deleteFoldersByIds(). (#16147)
• Fixed an RCE vulnerability.

4.13.1.1 - 2024-11-18

... (truncated)

Commits

• 5a47f8a Finish 4.13.8
• df20e00 Merge pull request #16377 from craftcms/t9n/4.x
• 6cc0dcf New translations app.php (German, Switzerland)
• 516ec9a New translations app.php (German)
• 22f7c04 Merge pull request #16360 from craftcms/t9n/4.x
• 7c8f1bd Doh
• 5755af3 Capitalize the first letter of strings that start with {type} in German
• c815128 New translations app.php (German, Switzerland)
• 583fcbc Missing @deprecated
• eddcc95 Revert "Filter out field layouts for invalid element types"
• Additional commits viewable in compare view

Updates composer/composer from 2.7.3 to 2.7.7

Release notes

Sourced from composer/composer's releases.

2.7.7

This release includes fixes for issues found in a security audit by Cure53 funded by Alpha-Omega.

• Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
• Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
• Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
• Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)
• Security: Fixed perforce argument escaping (3773f775)
• Security: Fixed handling of zip bombs when extracting archives (de5f7e32)
• Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion, reported by Splitline Huang (3130a7455, 04a63b324)
• Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to new violations being shown (#11957)
• Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing branches (#12000)
• Fixed new platform requirements from composer.json not being checked if the lock file is outdated (#12001)
• Fixed ability for config command to remove autoload keys (#11967)
• Fixed empty type support in init command (#11999)
• Fixed git clone errors when safe.bareRepository is set to strict in the git config (#11969)
• Fixed regression showing network errors on PHP <8.1 (#11974)
• Fixed some color bleed from a few warnings (#11972)

Full Changelog: composer/composer@2.7.6...2.7.7

2.7.6

• Fixed regression when script handlers add an autoloader which uses a private callback (#11960)

2.7.5

• Added uninstall alias to remove command (#11951)
• Added workaround for broken curl versions 8.7.0/8.7.1 causing transport exceptions (#11913)
• Fixed root usage warnings showing up within Podman containers (#11946)
• Fixed config command not handling objects correctly in some conditions (#11945)
• Fixed binary proxies not containing the correct path if the project dir is a symlink (#11947)
• Fixed Composer autoloader being overruled by project autoloaders when they are loaded by event handlers (scripts/plugins) (#11955)
• Fixed TransportException (http failures) not having a distinct exit code, should now exit with 100 as code (#11954)

2.7.4

• Fixed regression (Call to undefined method ProxyManager::needsTransitionWarning()) with projects requiring composer/composer in an pre-2.7.3 version (#11943, #11940)

As a side-note, requiring composer/composer is frowned upon and should really only be done in circumstances where it is absolutely necessary, and ideally you should talk to us first to see if we can't help avoid it or help by extracting some code in a smaller library.

Changelog

Sourced from composer/composer's changelog.

[2.7.7] 2024-06-10

• Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
• Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
• Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
• Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)
• Security: Fixed perforce argument escaping (3773f775)
• Security: Fixed handling of zip bombs when extracting archives (de5f7e32)
• Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a7455, 04a63b324)
• Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to new violations being shown (#11957)
• Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing branches (#12000)
• Fixed new platform requirements from composer.json not being checked if the lock file is outdated (#12001)
• Fixed ability for config command to remove autoload keys (#11967)
• Fixed empty type support in init command (#11999)
• Fixed git clone errors when safe.bareRepository is set to strict in the git config (#11969)
• Fixed regression showing network errors on PHP <8.1 (#11974)
• Fixed some color bleed from a few warnings (#11972)

[2.7.6] 2024-05-04

• Fixed regression when script handlers add an autoloader which uses a private callback (#11960)

[2.7.5] 2024-05-03

• Added uninstall alias to remove command (#11951)
• Added workaround for broken curl versions 8.7.0/8.7.1 causing transport exceptions (#11913)
• Fixed root usage warnings showing up within Podman containers (#11946)
• Fixed config command not handling objects correctly in some conditions (#11945)
• Fixed binary proxies not containing the correct path if the project dir is a symlink (#11947)
• Fixed Composer autoloader being overruled by project autoloaders when they are loaded by event handlers (scripts/plugins) (#11955)
• Fixed TransportException (http failures) not having a distinct exit code, should now exit with 100 as code (#11954)

[2.7.4] 2024-04-22

• Fixed regression (Call to undefined method ProxyManager::needsTransitionWarning()) with projects requiring composer/composer in an pre-2.7.3 version (#11943, #11940)

Commits

• 2919429 Release 2.7.7
• e354a8d Update changelog
• 04a63b3 Add more characters for best fit encoding protection
• ad8985e Update changelog
• 3130a74 Fix windows parameter encoding to prevent abuse of unicode characters with be...
• 5aa7b03 Fix test
• ee28354 Merge pull request from GHSA-47f6-5gq3-vx9c
• 6bd43df Merge pull request from GHSA-v9qv-c7wm-wgmf
• fa3b958 Fix secure-http check to avoid bypass using emojis
• f3e877a Update deps
• Additional commits viewable in compare view

Updates symfony/http-client from 6.4.6 to 6.4.17

Release notes

Sourced from symfony/http-client's releases.

v6.4.17

Changelog (symfony/http-client@v6.4.16...v6.4.17)

• bug symfony/symfony#59250 [HttpClient] Fix a typo in NoPrivateNetworkHttpClient (@​Jontsa)
• bug symfony/symfony#59062 [HttpClient] Always set CURLOPT_CUSTOMREQUEST to the correct HTTP method in CurlHttpClient (@​KurtThiemann)
• bug symfony/symfony#59023 [HttpClient] Fix streaming and redirecting with NoPrivateNetworkHttpClient (@​nicolas-grekas)

v6.4.16

Changelog (symfony/http-client@v6.4.15...v6.4.16)

• bug symfony/symfony#59013 [HttpClient] Fix checking for private IPs before connecting (@​nicolas-grekas)
• bug symfony/symfony#58562 [HttpClient] Close gracefull when the server closes the connection abruptly (@​discordier)
• bug symfony/symfony#58924 [HttpClient] Fix empty hosts in option "resolve" (@​nicolas-grekas)
• bug symfony/symfony#58915 [HttpClient] Fix option "resolve" with IPv6 addresses (@​nicolas-grekas)
• bug symfony/symfony#58914 [HttpClient] Fix option "bindto" with IPv6 addresses (@​nicolas-grekas)
• bug symfony/symfony#58875 [HttpClient] Removed body size limit (Carl Julian Sauter)
• bug symfony/symfony#58860 [HttpClient] Fix catching some invalid Location headers (@​nicolas-grekas)
• bug symfony/symfony#58836 Work around parse_url() bug (bis) (@​nicolas-grekas)
• bug symfony/symfony#58850 [HttpClient] fix PHP 7.2 compatibility (@​xabbuh)

v6.4.15

Changelog (symfony/http-client@v6.4.14...v6.4.15)

• security symfony/symfony#cve-2024-50342 [HttpClient] Resolve hostnames in NoPrivateNetworkHttpClient (@​nicolas-grekas)

v6.4.14

Changelog (symfony/http-client@v6.4.13...v6.4.14)

• security symfony/symfony#cve-2024-50342 [HttpClient] Filter private IPs before connecting when Host == IP (@​nicolas-grekas)
• bug symfony/symfony#58704 [HttpClient] fix for HttpClientDataCollector fails if proc_open is disabled via php.ini (@​ZaneCEO)

v6.4.13

Changelog (symfony/http-client@v6.4.12...v6.4.13)

• no significant changes

v6.4.12

Changelog (symfony/http-client@v6.4.11...v6.4.12)

• bug symfony/symfony#58278 [HttpClient] Fix setting CURLMOPT_MAXCONNECTS (@​HypeMC)
• bug symfony/symfony#58218 Work around parse_url() bug (@​nicolas-grekas)

v6.4.11

Changelog (symfony/http-client@v6.4.10...v6.4.11)

• bug symfony/symfony#58044 [HttpClient] Do not overwrite the host to request when using option "resolve" (@​xabbuh)
• bug symfony/symfony#57981 [HttpClient] reject malformed URLs with a meaningful exception (@​xabbuh)
• bug symfony/symfony#57870 [HttpClient] Disable HTTP/2 PUSH by default when using curl (@​nicolas-grekas)

v6.4.10

... (truncated)

Commits

• 88898d8 [HttpClient] Fix a typo in NoPrivateNetworkHttpClient
• 8057c7c [HttpClient] Test POST to GET redirects
• f4f6d81 [HttpClient] Always set CURLOPT_CUSTOMREQUEST to the correct HTTP method in C...
• 18725f0 Merge branch '5.4' into 6.4
• d77d8e2 [HttpClient] Fix streaming and redirecting with NoPrivateNetworkHttpClient
• 60a1136 Merge branch '5.4' into 6.4
• 63a1278 [HttpClient] Fix checking for private IPs before connecting
• 7aed35f Merge branch '5.4' into 6.4
• 5acf07c [HttpClient] Close gracefull when the server closes the connection abruptly
• 7e5c9fd [HttpClient] More consistency cleanups
• Additional commits viewable in compare view

Updates symfony/process from 6.4.4 to 7.2.0

Release notes

Sourced from symfony/process's releases.

v7.2.0

Changelog (symfony/process@v7.2.0-RC1...v7.2.0)

• no significant changes

v7.2.0-BETA2

Changelog (symfony/process@v7.2.0-BETA1...v7.2.0-BETA2)

• security symfony/symfony#cve-2024-51736 [Process] Use PATH before CD to load the shell on Windows (@​nicolas-grekas)
• bug symfony/symfony#58752 [Process] Fix escaping /X arguments on Windows (@​nicolas-grekas)
• bug symfony/symfony#58735 [Process] Return built-in cmd.exe commands directly in ExecutableFinder (@​Seldaek)
• bug symfony/symfony#58723 [Process] Properly deal with not-found executables on Windows (@​nicolas-grekas)
• bug symfony/symfony#58711 [Process] Fix handling empty path found in the PATH env var with ExecutableFinder (@​nicolas-grekas)

v7.2.0-BETA1

Changelog (symfony/process@v7.1.6...v7.2.0-BETA1)

• feature symfony/symfony#58258 [Process] Add Laravel Herd php detection path (@​mpociot)
• feature symfony/symfony#52679 [Process] ExecutableFinder::addSuffix() has no effect (@​TravisCarden)

v7.1.8

Changelog (symfony/process@v7.1.7...v7.1.8)

• no significant changes

v7.1.7

Changelog (symfony/process@v7.1.6...v7.1.7)

• security symfony/symfony#cve-2024-51736 [Process] Use PATH before CD to load the shell on Windows (@​nicolas-grekas)
• bug symfony/symfony#58752 [Process] Fix escaping /X arguments on Windows (@​nicolas-grekas)
• bug symfony/symfony#58735 [Process] Return built-in cmd.exe commands directly in ExecutableFinder (@​Seldaek)
• bug symfony/symfony#58723 [Process] Properly deal with not-found executables on Windows (@​nicolas-grekas)
• bug symfony/symfony#58711 [Process] Fix handling empty path found in the PATH env var with ExecutableFinder (@​nicolas-grekas)

v7.1.6

Changelog (symfony/process@v7.1.5...v7.1.6)

• no significant changes

v7.1.5

Changelog (symfony/process@v7.1.4...v7.1.5)

• bug symfony/symfony#58291 [Process] Fix finding executables independently of open_basedir (@​BlackbitDevs)
• bug symfony/symfony#58195 [Process] Fix the removal of host-specific configuration when managing the ini settings in PhpSubprocess (@​M-arcus)
• bug symfony/symfony#58189 [Process] Fix backwards compatibility for invalid commands (@​ausi)

v7.1.3

Changelog (symfony/process@v7.1.2...v7.1.3)

• no significant changes

... (truncated)

Changelog

Sourced from symfony/process's changelog.

CHANGELOG

7.1

• Add Process::setIgnoredSignals() to disable signal propagation to the child process

6.4

• Add PhpSubprocess to handle PHP subprocesses that take over the configuration from their parent
• Add RunProcessMessage and RunProcessMessageHandler

5.2.0

• added Process::setOptions() to set Process specific options
• added option create_new_console to allow a subprocess to continue to run after the main script exited, both on Linux and on Windows

5.1.0

• added Process::getStartTime() to retrieve the start time of the process as float

5.0.0

• removed Process::inheritEnvironmentVariables()
• removed PhpProcess::setPhpBinary()
• Process must be instantiated with a command array, use Process::fromShellCommandline() when the command should be parsed by the shell
• removed Process::setCommandLine()

4.4.0

• deprecated Process::inheritEnvironmentVariables(): env variables are always inherited.
• added Process::getLastOutputTime() method

4.2.0

• added the Process::fromShellCommandline() to run commands in a shell wrapper
• deprecated passing a command as string when creating a Process instance
• deprecated the Process::setCommandline() and the PhpProcess::setPhpBinary() methods
• added the Process::waitUntil() method to wait for the process only for a specific output, then continue the normal execution of your application

... (truncated)

Commits

• d34b22b Merge branch '7.1' into 7.2
• 4278337 Merge branch '6.4' into 7.1
• 3cb242f Merge branch '5.4' into 6.4
• 5d1662f normalize paths to avoid failures if a path is referenced by different names
• 37f5c1f Merge branch '7.1' into 7.2
• 9b8a40b Merge branch '6.4' into 7.1
• 25214ad Merge branch '5.4' into 6.4
• 0190687 [Process] Fix test
• f2f5bb9 Merge branch '7.1' into 7.2
• 66716d3 Merge branch '6.4' into 7.1
• Additional commits viewable in compare view

Updates twig/twig from 3.8.0 to 3.14.2

Changelog

Sourced from twig/twig's changelog.

3.14.2 (2024-11-07)

• Fix an infinite recursion in the sandbox code

3.14.1 (2024-11-06)

• [BC BREAK] Fix a security issue in the sandbox mode allowing an attacker to call attributes on Array-like objects They are now checked via the property policy
• Fix a security issue in the sandbox mode allowing an attacker to be able to call toString() under some circumstances on an object even if the __toString() method is not allowed by the security policy

3.14.0 (2024-09-09)

• Fix a security issue when an included sandboxed template has been loaded before without the sandbox context
• Add the possibility to reset globals via Environment::resetGlobals()
• Deprecate Environment::mergeGlobals()

3.13.0 (2024-09-07)

• Add the types tag (experimental)
• Deprecate the Twig\Test\NodeTestCase::getTests() data provider, override provideTests() instead.
• Mark Twig\Test\NodeTestCase::getEnvironment() as final, override createEnvironment() instead.
• Deprecate Twig\Test\NodeTestCase::getVariableGetter(), call createVariableGetter() instead.
• Deprecate Twig\Test\NodeTestCase::getAttributeGetter(), call createAttributeGetter() instead.
• Deprecate not overriding Twig\Test\IntegrationTestCase::getFixturesDirectory(), this method will be abstract in 4.0
• Marked Twig\Test\IntegrationTestCase::getTests() and getLegacyTests() as final

3.12.0 (2024-08-29)

• Deprecate the fact that the extends and use tags are always allowed in a sandboxed template. This behavior will change in 4.0 where these tags will need to be explicitly allowed like any other tag.
• Deprecate the "tag" constructor argument of the "Twig\Node\Node" class as the tag is now automatically set by the Parser when needed
• Fix precedence of two-word tests when the first word is a valid test
• Deprecate the spaceless filter
• Deprecate some internal methods from Parser: getBlockStack(), hasBlock(), getBlock(), hasMacro(), hasTraits(), getParent()
• Deprecate passing null to Twig\Parser::setParent()
• Update Node::__toString() to include the node tag if set
• Add support for integers in methods of Twig\Node\Node that take a Node name
• Deprecate not passing a BodyNode instance as the body of a ModuleNode or MacroNode constructor
• Deprecate returning "null" from "TokenParserInterface::parse()".
• Deprecate OptimizerNodeVisitor::OPTIMIZE_TEXT_NODES
• Fix performance regression when use_yield is false (which is the default)
• Improve compatibility when use_yield is false (as extensions still using echo will work as is)
• Accept colons (:) in addition to equals (=) to separate argument names and values in named arguments
• Add the html_cva function (in the HTML extra package)
• Add support for named arguments to the block and attribute functions
• Throw a SyntaxError exception at compile time when a Twig callable has not the minimum number of required arguments
• Add a CallableArgumentsExtractor class
• Deprecate passing a name to FunctionExpression, FilterExpression, and TestExpression; pass a TwigFunction, TwigFilter, or TestFilter instead

... (truncated)

Commits

• 0b6f9d8 Prepare the 3.14.2 release
• fe9e0d0 Merge branch '3.11.x' into 3.14.x
• 3b06600 Prepare the 3.11.3 release
• dbd734a Update CHANGELOG
• 83a21d3 Merge branch '3.11.x' into 3.14.x
• d3fc074 Improve detection of recursion
• a0f7756 Fix recursion when arrays contain self-references in sandboxed mode
• 5b580ec Fix code
• 94612e7 Prepare the 3.11.2 release
• 8b52782 Update CHANGELOG
• Additional commits viewable in compare view

Updates yiisoft/yii2 from 2.0.48.1 to 2.0.51

Changelog

Sourced from yiisoft/yii2's changelog.

2.0.51 July 18, 2024

• Bug #16116: Codeception: oci does not support enabling/disabling integrity check (@​terabytesoftw)
• Bug #20147: Fix error handler compatibility with PHP 8.3 (samdark)
• Bug #20191: Fix ActiveRecord::getDirtyAttributes() for JSON columns with multi-dimensional array values (brandonkelly)
• Bug #20195: Do not set non abstract values into ColumnSchema->type on MSSQL version less then 2017 (axeltomasson)
• Bug #20211: Add acceptable parameters to MaskedInput::init() method (alxlnk)
• Bug #20226: Revert all PR for "Data providers perform unnecessary COUNT queries that negatively affect performance" (@​terabytesoftw)
• Bug #20230: Fix getting ID in \yii\filters\Cors::actions() when attached to a module (timkelty)

2.0.50 May 30, 2024

• Bug #13920: Fixed erroneous validation for specific cases (tim-fischer-maschinensucher)
• Bug #17181: Improved BaseUrl::isRelative($url) performance (sammousa, bizley, rob006)
• Bug #17191: Fixed BaseUrl::isRelative($url) method in yii\helpers\BaseUrl (ggh2e3)
• Bug #18469: Fixed Link::serialize(array $links) method in yii\web\Link (ggh2e3)
• Bug #19060: Fix yii\widgets\Menu bug when using Closure for active item and adding additional tests in tests\framework\widgets\MenuTest (atrandafir)
• Bug #19691: Allow using custom class to style error summary (skepticspriggan)
• Bug #19817: Add MySQL Query addCheck() and dropCheck() (@​bobonov)
• Bug #19855: Fixed yii\validators\FileValidator to not limit some of its rules only to array attribute (bizley)
• Bug #19927: Fixed console\controllers\MessageController when saving translations to database: fixed FK error when adding new string and language at the same time, checking/regenerating all missing messages and dropping messages for unused languages (atrandafir)
• Bug #20002: Fixed superfluous query on HEAD request in serializer (xicond)
• Bug #20005: Fix yii\console\controllers\ServeController to specify the router script (terabytesoftw)
• Bug #20040: Fix type boolean in MSSQL (terabytesoftw)
• Bug #20055: Fix Response header X-Pagination-Total-Count is always 0 (lav45, xicond)
• Bug #20083: Fix deprecated warning implicit conversion from float (skepticspriggan)
• Bug #20122: Fixed parsing of boolean keywords (e.g. used in SQLite) in \yii\db\ColumnSchema::typecast() (rhertogh)
• Bug #20141: Update ezyang/htmlpurifier dependency to version 4.17 (@​terabytesoftw)
• Bug #20165: Adjust pretty name of closures for PHP 8.4 compatibility (@​staabm)
• Bug: CVE-2024-32877, Fix Reflected XSS in Debug mode (Antiphishing)
• Bug: CVE-2024-4990, Fix Unsafe Reflection in base Component class (@​mtangoo)
• Enh #12743: Added new methods BaseActiveRecord::loadRelations() and BaseActiveRecord::loadRelationsFor() to eager load related models for existing primary model instances (PowerGamer1)
• Enh #20030: Improve performance of handling ErrorHandler::$memoryReserveSize (antonshevelev, rob006)
• Enh #20032: Added yii\helpers\BaseStringHelper::mask() method for string masking with multibyte support (salehhashemi1992)
• Enh #20034: Added yii\helpers\BaseStringHelper::findBetween() to retrieve a substring that lies between two strings (salehhashemi1992)
• Enh #20042: Add empty array check to ActiveQueryTrait::findWith() (renkas)
• Enh #20087: Add custom attributes to script tags (skepticspriggan)
• Enh #20121: Added yiisoft/yii2-coding-standards to composer require-dev and lint code to comply with PSR12 (razvanphp)
• Enh #20134: Raise minimum PHP version to 7.3 (@​terabytesoftw)
• Enh #20171: Support JSON columns for MariaDB 10.4 or higher (@​terabytesoftw)
• New #20137: Added yii\caching\CallbackDependency to allow using a callback to determine if a cache dependency is still valid (laxity7)

2.0.49.2 October 12, 2023

• Bug #19925: Improved PHP version check when handling MIME types (schmunk42)

... (truncated)

Commits

• ea1f112 release version 2.0.51
• 6723648 Fix #20230: Fix getting ID in \yii\filters\Cors::actions() when attached to...
• 1568fbb Fix #20147: Fix error handler compatibility with PHP 8.3 (#20228)
• e7ccd72 Add accidentally removed phpdoc
• 0e91252 Fix #20226: Revert all PR for "Data providers perform unnecessary COUNT queri...
• f68f183 Merge pull request #20212 from alxlnk/master
• de163dc Update CHANGELOG.md
• c101ecc Add upgrade note for 2.0.50 (#20200)
• db4ac22 update links (#20219)
• 06643e3 Add regex property to one of required option.
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.