Fix Symfony security issues

[melroy89]

• Fix Symfony composer audit (first only ran: composer update "symfony/*")
• Update remaining packages (then also followed the remaining minor/patch releases: composer update)

PHP Production Dependencies (require)

Package	Action	Old Version	New Version
aws/aws-crt-php	Upgraded	1.2.6	1.2.7	See details
aws/aws-sdk-php	Upgraded	3.324.1	3.327.1	See details
babdev/pagerfanta-bundle	Upgraded	4.4.0	4.5.0	See details
bacon/bacon-qr-code	Upgraded	3.0.0	3.0.1	See details
composer/ca-bundle	Upgraded	1.5.1	1.5.3	See details
doctrine/common	Upgraded	3.4.4	3.4.5	See details
doctrine/dbal	Upgraded	3.9.1	3.9.3	See details
doctrine/migrations	Upgraded	3.8.1	3.8.2	See details
doctrine/orm	Upgraded	2.19.7	2.20.0	See details
doctrine/persistence	Upgraded	3.3.3	3.4.0	See details
doctrine/sql-formatter	Upgraded	1.4.1	1.5.1	See details
guzzlehttp/promises	Upgraded	2.0.3	2.0.4	See details
knpuniversity/oauth2-client-bundle	Upgraded	2.18.2	2.18.3	See details
lcobucci/clock	Upgraded	3.2.0	3.3.1	See details
lcobucci/jwt	Upgraded	5.3.0	5.4.2	See details
league/flysystem	Upgraded	3.28.0	3.29.1	See details
league/flysystem-aws-s3-v3	Upgraded	3.28.0	3.29.0	See details
league/flysystem-local	Upgraded	3.28.0	3.29.0	See details
league/mime-type-detection	Upgraded	1.15.0	1.16.0	See details
meteo-concept/hcaptcha-bundle	Upgraded	4.1.0	4.2.1	See details
monolog/monolog	Upgraded	3.7.0	3.8.0	See details
nelmio/api-doc-bundle	Upgraded	4.30.0	4.33.4	See details
nette/schema	Upgraded	1.3.0	1.3.2	See details
oneup/flysystem-bundle	Upgraded	4.12.2	4.12.3	See details
phpdocumentor/reflection-docblock	Upgraded	5.4.1	5.6.0	See details
phpdocumentor/type-resolver	Upgraded	1.8.2	1.10.0	See details
scheb/2fa-backup-code	Upgraded	7.5.0	7.6.0	See details
scheb/2fa-bundle	Upgraded	7.5.0	7.6.0	See details
scheb/2fa-totp	Upgraded	7.5.0	7.6.0	See details
scienta/doctrine-json-functions	Upgraded	6.1.0	6.3.0	See details
symfony/amqp-messenger	Upgraded	7.1.1	7.1.6	See details
symfony/asset	Upgraded	7.1.1	7.1.6	See details
symfony/clock	Upgraded	7.1.1	7.1.6	See details
symfony/console	Upgraded	7.1.5	7.1.8	See details
symfony/dependency-injection	Upgraded	7.1.6	7.1.8	See details
symfony/doctrine-bridge	Upgraded	7.1.4	7.1.6	See details
symfony/doctrine-messenger	Upgraded	7.1.4	7.1.6	See details
symfony/flex	Upgraded	2.4.6	2.4.7	See details
symfony/form	Upgraded	7.1.4	7.1.6	See details
symfony/framework-bundle	Upgraded	7.1.4	7.1.6	See details
symfony/http-client	Upgraded	7.1.7	7.1.8	See details
symfony/http-foundation	Upgraded	7.1.7	7.1.8	See details
symfony/http-kernel	Upgraded	7.1.7	7.1.8	See details
symfony/intl	Upgraded	7.1.1	7.1.8	See details
symfony/lock	Upgraded	7.1.1	7.1.6	See details
symfony/mailgun-mailer	Upgraded	7.1.3	7.1.6	See details
symfony/messenger	Upgraded	7.1.5	7.1.8	See details
symfony/monolog-bridge	Upgraded	7.1.1	7.1.6	See details
symfony/options-resolver	Upgraded	7.1.1	7.1.6	See details
symfony/password-hasher	Upgraded	7.1.1	7.1.6	See details
symfony/process	Upgraded	7.1.7	7.1.8	See details
symfony/property-info	Upgraded	7.1.6	7.1.8	See details
symfony/psr-http-message-bridge	Upgraded	7.1.4	7.1.6	See details
symfony/rate-limiter	Upgraded	7.1.1	7.1.8	See details
symfony/redis-messenger	Upgraded	7.1.4	7.1.6	See details
symfony/scheduler	Upgraded	7.1.1	7.1.6	See details
symfony/security-bundle	Upgraded	7.1.4	7.1.6	See details
symfony/security-core	Upgraded	7.1.4	7.1.6	See details
symfony/security-csrf	Upgraded	7.1.1	7.1.6	See details
symfony/security-http	Upgraded	7.1.4	7.1.8	See details
symfony/serializer	Upgraded	7.1.4	7.1.8	See details
symfony/stopwatch	Upgraded	7.1.1	7.1.6	See details
symfony/string	Upgraded	7.1.6	7.1.8	See details
symfony/translation	Upgraded	7.1.5	7.1.6	See details
symfony/twig-bridge	Upgraded	7.1.4	7.1.8	See details
symfony/twig-bundle	Upgraded	7.1.1	7.1.6	See details
symfony/type-info	Upgraded	7.1.6	7.1.8	See details
symfony/ux-twig-component	Upgraded	2.19.2	2.21.0	See details
symfony/validator	Upgraded	7.1.4	7.1.8	See details
symfony/var-dumper	Upgraded	7.1.7	7.1.8	See details
symfony/web-link	Upgraded	7.1.1	7.1.6	See details
symfony/workflow	Upgraded	7.1.1	7.1.6	See details
symfony/yaml	Upgraded	7.1.4	7.1.6	See details
symfonycasts/reset-password-bundle	Upgraded	1.22.0	1.23.0	See details
symfonycasts/verify-email-bundle	Upgraded	1.17.1	1.17.2	See details
zircote/swagger-php	Upgraded	4.10.6	4.11.1	See details

PHP Dev Dependencies (require-dev)

Package	Action	Old Version	New Version
doctrine/data-fixtures	Upgraded	1.7.0	1.8.0	See details
doctrine/doctrine-fixtures-bundle	Upgraded	3.6.1	3.6.2	See details
fakerphp/faker	Upgraded	1.23.1	1.24.0	See details
myclabs/deep-copy	Upgraded	1.12.0	1.12.1	See details
nikic/php-parser	Upgraded	5.3.0	5.3.1	See details
phpstan/phpstan	Upgraded	1.12.6	1.12.10	See details
phpunit/php-code-coverage	Upgraded	11.0.6	11.0.7	See details
phpunit/phpunit	Upgraded	11.4.0	11.4.3	See details
sebastian/comparator	Upgraded	6.1.0	6.2.1	See details
sebastian/version	Upgraded	5.0.1	5.0.2	See details
symfony/browser-kit	Upgraded	7.1.1	7.1.6	See details
symfony/debug-bundle	Upgraded	7.1.1	7.1.6	See details
symfony/dom-crawler	Upgraded	7.1.1	7.1.6	See details
symfony/phpunit-bridge	Upgraded	7.1.4	7.1.6	See details
symfony/web-profiler-bundle	Upgraded	7.1.4	7.1.7	See details

[BentiGorlich]

I think you should write down which packages were updated in such a PR

Did you resd the patch notes of the packages so we know whether there are weird updates that introduce weird stuff like the messenger did once?

[melroy89]

I think you should write down which packages were updated in such a PR

Added

[melroy89]

Did you resd the patch notes of the packages so we know whether there are weird updates that introduce weird stuff like the messenger did once?

No, I then will need to read 50+ patch notes...

However, the latest v7.1.4 of security-http package will fix: cve-2024-51996 - Check owner of persisted remember-me cookie. With Severity high !

I will test this branch on my instance. But if developers follow the major, minor, patch notation. All the updated packages above are NOT major release updates. And all the Symfony package updates above are only patch releases.

[melroy89]

On my instance (kbin.melroy.org), everything seems to work just fine.