4.0.0

Breaking changes

• Requires PHP >= 8.1 (previously no PHP constraint).
• symfony/yaml 4.x and 5.x (EOL) are no longer supported; allowed versions are ^6.4.40 || ^7.4.12 || ^8.0.12.
• grasmash/expander 1.x and 2.x are no longer supported; requires ^3.0.1.
• Native parameter and return types on the public API (parse(), expandArrayProperties()). Passing non-string YAML or a non-array reference array now throws TypeError.
• parse() now returns [] for empty YAML and throws UnexpectedValueException when YAML parses to a non-array value (previously both surfaced as an opaque TypeError).

Security

• symfony/yaml constraint excludes versions vulnerable to CVE-2026-45304 (YAML parser "Billion Laughs" memory exhaustion).
• PHPUnit dev constraint excludes versions vulnerable to CVE-2026-24765.
• Dropped php-coveralls, which pulled in vulnerable guzzlehttp releases at lowest versions; coverage is now uploaded with coverallsapp/github-action.
• All GitHub Actions are pinned to commit SHAs.
• New README guidance: only parse YAML from trusted sources.

Improvements

• The constructor logger is now optional and defaults to NullLogger: new YamlExpander().
• declare(strict_types=1) throughout.
• 100% test coverage; new tests for empty input, scalar input, invalid YAML, and unresolved-placeholder behavior.
• Test suite modernized to PHPUnit 10–13 (attributes, static data providers).
• CI now tests PHP 8.1–8.4, including a working lowest-dependencies job (the previous prefer-lowest job silently never ran), with Dependabot enabled for composer and GitHub Actions.
• README examples rewritten to match the actual API; CONTRIBUTING.md and RELEASE.md now contain accurate instructions.
• squizlabs/php_codesniffer 4.x allowed for development.

Full Changelog: 3.0.3...4.0.0

🤖 Generated with Claude Code

3.0.3

What's Changed

• #27: Allow 7.x release of symfony/yaml. by @vishalkhode1 in #28

New Contributors

• @vishalkhode1 made their first contribution in #28

Full Changelog: 3.0.2...3.0.3

3.0.2

• Switch to GitHub Actions
• Allow grasmash/expander 3.x

Full Changelog: 3.0.1...3.0.2

3.0.1

What's Changed

• Update dflydev/dot-access-data to 3.x by @joelpittet in #24
• Fixes #25 to allow grasmash/expander ^2. by @mikemadison13 in #26

New Contributors

• @joelpittet made their first contribution in #24
• @mikemadison13 made their first contribution in #26

Full Changelog: 3.0.0...3.0.1

3.0.0

• Changing Symfony requirement to ^4 | ^5
• Updating PHPUnit dev requirement to ^8.2
• Removing testing for PHP 7.0 and 7.1.

2.0.0

The 2.x is much lighter weight and relies on grasmash/expander for most expansion logic.

• This library is now a simple yaml-specific wrapper around grasmash/expander.
• It is backwards in compatible due to class renaming.
• Support for PHP 5.4 and 5.5 has been dropped.

1.4.0

Adding support for environmental variables in the form of ${env.test}.

1.3.0

Adds support for Symfony 4.

1.2.0

This release adds support for expanding placeholders that reference arrays.