4.0.0

What's new in 4.0

Major modernization release. Requires PHP 8.2+.

Bug and security fixes

• Fixed memory-exhaustion DoS: circular property references with surrounding text (e.g. ['a' => 'x${b}', 'b' => 'y${a}']) previously grew unboundedly until the process crashed. Expansion is now capped at 25 passes / 1 MiB per value.
• ${env.*} placeholders no longer read HTTP_* keys from $_SERVER — in a web context those originate from client-supplied request headers, not the environment.
• Falsy environment variables now expand: VAR=0 previously failed a truthiness check and left the placeholder unexpanded.
• Type preservation in reference-data mode: booleans, integers, and floats expanded via a reference array previously coerced to strings (true became "1"). Types are now preserved.
• Single-placeholder strings are expanded once instead of twice, eliminating duplicate logger and stringifier side effects.
• A PCRE failure during replacement now restores the original value instead of nulling it.

Breaking changes

• PHP 8.2+ is required.
• All source files declare strict_types=1, with full parameter and return type declarations.
• StringifierInterface::stringifyArray() is now an instance method rather than a static method. Custom implementations and static callers must update.
• Expander::expandArrayProperties() requires $reference_array to be an array.
• Expander::expandPropertyWithReferenceData() returns mixed instead of ?string.

Tooling

• PHPUnit ^10.5 || ^11 || ^12 || ^13, phpstan level 5, PHP_CodeSniffer ^3.13 || ^4.0.
• CI matrix covers PHP 8.2, 8.3, 8.4, and 8.5, with a composer audit step.
• 100% line, method, and class test coverage.
• Dependabot keeps composer and GitHub Actions dependencies current.

Full changelog: 3.0.1...4.0.0