CakePHP 5.0.0-RC1 released

The CakePHP core team is happy to announce the first release candidate for CakePHP 5.0.0. Since the beta2 release the core team has continued to refine, simplify, and prepare 5.0 for the upcoming future. Some of the highlights of this work include:

• Removing more code that will be deprecated in 4.5.
• Added Time extensions with translation integrations.
• Adding Time support to the ORM. Going forward time type columns will be mapped to this type. Additionally, date type columns will be mapped to immutable Date objects.
• Added support for typed finders. Typed finders allows you to call finders with named parameters and have those named parameters runtime typechecked. This allows for more expressive finders with no additional boilerplate for typechecking.
• Upgrade to PHPUnit 10. This was a challenging upgrade for us, and it may be challenging for some applications. If you identify ways that CakePHP could make the combined upgrade easier please open an issue.
• Improved layout of development error pages.
• Continued work on the rector rules for 4.5 and 5.0

Finally, the scope for 5.x isn't locked down so if you'd like to see a feature added please open an issue.

New Features

The migration guide has a complete list of what's new in 5.0.0. We recommend you give that page a read when upgrading as it notes the various breaking changes present in 5.0.

How you Can Help

You can help deliver 5.0 by contributing in one of many ways:

1. Check the documentation for mistakes, outdated, unclear or broken examples. We've been trying to update the documentation as we go, but there are likely examples or sections we've missed.
2. Try it out! Give CakePHP 5.0 a test drive in a non-production application. We'd love to hear how converting a small application went and what was harder than it should have been.
3. File issues for regressions in existing features, or suggest new features. Even if those features don't make it into 5.0, we would appreciate community input on what should be part of 5.1 and 5.2

Contributors to 5.0.0-beta1

Thank you to all the contributors that have helped since the beta2 release:

• ADmad
• Kevin Pfeifer
• Marcelo Rocha
• Marc Würth
• Mark Scherer
• Mark Story
• ndm2
• othercorey
• Roland Waldner

As always, a huge thanks to all the community members that helped make this release happen by reporting issues and sending pull requests.

CakePHP 4.4.14 released

The CakePHP core team is happy to announce the immediate availability of CakePHP 4.4.14. This is a maintenance release for the 4.4 branch that fixes several community reported issues.

Bugfixes

You can expect the following changes in 4.4.14. See the changelog for every commit.

• Implemented SSL XOAUTH2 support in SmtpTransport. This improves compatibility with Microsoft based servers.
• Improve API documentation.
• Fixed support for postgres schemas other than public in Fixture schema generation.
• Validation::utf8() and by extension the Validator::utf8() method as well now fail on invalid UTF8 bytes even when the extended range is enabled.
• Fix usage of ROOT in deprecationWarning(). This was causing failures in standalone package usage.

Contributors to 4.4.14

Thank you to all the contributors that helped make this release happen:

• ADmad
• Marc Würth
• Mark Story
• othercorey

As always, we would like to thank all the contributors that opened issues, created pull requests or updated the documentation.

CakePHP 4.4.13 released

The CakePHP core team is happy to announce the immediate availability of CakePHP 4.4.13. This is a maintenance release for the 4.4 branch that fixes several community reported issues.

Bugfixes

You can expect the following changes in 4.4.13. See the changelog for every commit.

• Fix DateTimeType::manyToPHP with int.
• Handle numeric keys in cookies being parsed from the server request.
• Catch all exceptions when generating sql for Query::__debugInfo().
• Fix loading of vendor namespaced plugins.

Contributors to 4.4.13

Thank you to all the contributors that helped make this release happen:

• ADmad
• Kevin Pfeifer
• Mark Scherer
• Mark Story
• othercorey

As always, we would like to thank all the contributors that opened issues, created pull requests or updated the documentation.

CakePHP 5.0.0-beta2 released

The CakePHP core team is happy to announce the second beta release of CakePHP5.0.0. Since the beta1 release the core team has continued to refine andsimplify the framework. Some of the highlights of this work include:

• Removing more code that was deprecated in 4.x.
• Adding namespaces to all the global functions that CakePHP provides. This enables application code to define their own global function names or use the global function shims provided by CakePHP.
• Added support for PSR-17 HTTP factories interfaces.
• Improved the runtime deprecation coverage to include all documentation only deprecations.
• Begun work on the rector rules for 4.5 and 5.0
• Added a Time only object to Chronos (will be added to CakePHP soon).

Finally, the scope for 5.x isn't locked down so if you'd like to see a feature
or breaking change made please open an issue.

New Features

The migration guide has a complete list of what's new in 5.0.0. We recommend you give that page a read when upgrading as it notes the various breaking changes present in 5.0.

How you Can Help

You can help deliver 5.0 by contributing in one of many ways:

1. Check the documentation for mistakes, outdated, unclear or broken examples. We've been trying to update the documentation as we go, but there are likely examples or sections we've missed.
2. Try it out! Give CakePHP 5.0 a test drive in a non-production application. We'd love to hear how converting a small application went and what was harder than it should have been.
3. File issues for regressions in existing features, or suggest new features. Even if those features don't make it into 5.0, we would appreciate community input on what should be part of 5.1 and 5.2

Contributors to 5.0.0-beta1

Thank you to all the contributors that have helped since the beta1 release:

• ADmad
• Alejandro Ibarra
• Andrii Pukhalevych
• andrii-pukhalevych
• Brad McNaughton
• Brian French
• Chris Hallgren
• Edgaras Janušauskas
• Erwane Breton
• fabsn182
• Jamison Bryant
• Jaro Varga
• J.Brabec
• Jose Daian
• Kevin Pfeifer
• Marc Würth
• Mark Scherer
• Mark Story
• Matthias Wirtz
• Mikkel Bonde
• Nicos Panayides
• othercorey
• saeideng

As always, a huge thanks to all the community members that helped make this release happen by reporting issues and sending pull requests.

CakePHP 4.4.12 released

The CakePHP core team is happy to announce the immediate availability of CakePHP 4.4.12. This is a maintenance release for the 4.4 branch that fixes several community reported issues.

Bugfixes

You can expect the following changes in 4.4.12. See the changelog for every commit.

• Fix regression in missing_controller template where class was undefined.
• Add opt-in exception wrapping for PDOError that preserves the queryString attribute used in error templates. This is a workaround for dynamic properties being deprecated in PHP 8.2.
• Improve how validation rules work on array elements with numeric keys.
• Fix mutation side-effects in TestEmailTransport caused by Mailer instances being delivered within a loop. These mutations would result in test assertions having access to incorrect information.
• Fixed cookie expiration when the default server timezone was ahead of UTC.
• Added additional composer package metadata for PSR interface implementations.
• An exception will now be thrown if the session cannot be started due to headers being sent. Previously a hard to understand TypeError would be raised when attempting to write to a session that failed to start.
• cake plugin load now detects and prevents duplicates.

Contributors to 4.4.12

Thank you to all the contributors that helped make this release happen:

• ADmad
• Andrii Pukhalevych
• Brad McNaughton
• Brian French
• Chris Hallgren
• Erwane Breton
• Jamison Bryant
• Kevin Pfeifer
• Marc Würth
• Mark Scherer
• Mark Story
• mscherer
• Nicos Panayides

As always, we would like to thank all the contributors that opened issues, created pull requests or updated the documentation.

CakePHP 4.4.11 released

The CakePHP core team is happy to announce the immediate availability of CakePHP 4.4.11. This is a maintenance release for the 4.4 branch that fixes several community reported issues.

Bugfixes

You can expect the following changes in 4.4.11. See the changelog for every commit.

• View can now iterates templates paths that were defined as an associative array.
• The i18n extract command now checks for directory existence before trying to enumerate the files within directories provided as inputs.
• Update SECURITY policy docs to include 3.x end-of-life status.
• Improve API documentation.
• Fix dynamic-property error in PHP8.2 when PDOError objects are logged.
• Switch to using phive to install static analysis tools.
• Set the request into the routing context before processing middleware. This ensures that links on error pages always have access to the current request.

Contributors to 4.4.11

Thank you to all the contributors that helped make this release happen:

• ADmad
• Edgaras Janušauskas
• fabsn182
• Kevin Pfeifer
• Marc Würth
• Mark Scherer
• Mark Story
• Mikkel Bonde
• othercorey

As always, we would like to thank all the contributors that opened issues, created pull requests or updated the documentation.

CakePHP 4.2.12 Released

The CakePHP core team is happy to announce the immediate availability of CakePHP 4.2.12. This release corrects a regression introduced when backporting the recent security fix from 4.4.10 to the 4.2 branch.

Bugfixes

You can expect the following changes in 4.4.12. See the changelog for every commit.

• Fix regression in Query::offset() and Query::limit().

CakePHP 4.4.10 released

The CakePHP core team is happy to announce the immediate availability of CakePHP 4.4.10. This release contain a security fix for the limit() and offset() methods of Cake\Database\Query. If passed unfiltered request data, these methods would allow for SQL injection. If your application does not use CakePHP's Pagination wrappers and directly passes request data into one of these methods your application is vulnerable. We'd like to thank 'Tanaka' for reporting this issue.

Additional Bugfixes in 4.4.10

The 4.4.10 release contains the aforementioned security fix as well as the following fixes. See the changelog for every commit.

• Update association definitions in ORM tests.
• Update build images to Ubuntu 22.04.

Contributors to 4.4.10

Thank you to all the contributors that helped make this release happen:

• ADmad
• Kevin Pfeifer
• Mark Scherer
• Mark Story
• othercorey

As always, we would like to thank all the contributors that opened issues, created pull requests or updated the documentation.

CakePHP 4.3.11 released

The CakePHP core team is happy to announce the immediate availability of CakePHP 4.3.11. This release contain a security fix for the limit() and offset() methods of Cake\Database\Query. If passed unfiltered request data, these methods would allow for SQL injection. If your application does not use CakePHP's Pagination wrappers and directly passes request data into one of these methods your application is vulnerable. We'd like to thank 'Tanaka' for reporting this issue.

CakePHP 4.2.11 released

The CakePHP core team is happy to announce the immediate availability of CakePHP 4.2.11. This release contain a security fix for the limit() and offset() methods of Cake\Database\Query. If passed unfiltered request data, these methods would allow for SQL injection. If your application does not use CakePHP's Pagination wrappers and directly passes request data into one of these methods your application is vulnerable. We'd like to thank 'Tanaka' for reporting this issue.