Update Symfony to v6.3.8 / v4.4.51

Created on 10 November 2023, 8 months ago
Updated 17 February 2024, 4 months ago

Problem/Motivation

Symfony has released security fixes. The affected components are not used by Drupal core, but we should bump the Symfony versions pinned in core's lock file anyway, so that vulnerability checkers that only look at pinned versions stop reporting them.

Steps to reproduce

https://github.com/symfony/symfony/releases/tag/v6.3.8
https://github.com/symfony/symfony/releases/tag/v4.4.51

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

9.5.x

Symfony components have been updated to v4.4.51. This release contains security fixes in components that are not used by Drupal core, but the older pinned versions could trigger false positives from vulnerability checkers.

The composer/composer development dependency has also been updated to 2.2.22 to fix a known vulnerability (CVE-2023-43655).

10.0.x

Symfony components have been updated to v6.3.8. This release contains security fixes in components that are not used by Drupal core, but the older pinned versions could trigger false positives from vulnerability checkers.

The composer/composer development dependency has also been updated to 2.6.5 to fix a known vulnerability (CVE-2023-43655).

📌 Task
Status

Closed: outdated

Version

11.0 🔥

Component
Base

Created by

🇬🇧 United Kingdom longwave UK


Comments & Activities

  • Issue created by @longwave
  • 🇺🇸 United States cilefen

    Why v4?

  • 🇺🇸 United States xjm

    @cilefen Because November is a gray area for Drupal 9 support. We end November 1 because Symfony will not commit to whether their security support for their releases ends at the beginning or the end of the month, but regardless it's meant to correspond to the Symfony EOL. So, since Symfony did a release, it's polite of us to provide one as well as the final patch release of D9. There is also precedent for this from D8 in 8.9.20, which was an actual security update for Drupal 8 to correspond with a Symfony update for Symfony 3 released in November 2021.

  • First commit to issue fork.
  • @spokje opened merge request.
  • @spokje opened merge request.
  • 🇳🇱 Netherlands Spokje
  • last update 7 months ago
    30,341 pass
  • last update 7 months ago
    30,374 pass
  • 🇳🇱 Netherlands Spokje

    Right...

    So 9.5.x MRs don't trigger GitLab CI.

    Uploaded the diff from the MR as patch to go through Drupal CI (remember that one, you young hipsters?)

    I did:

    $ composer update symfony/*
    

    Also it makes sense to me to bump composer/composer to deal with https://github.com/advisories/GHSA-jm6m-4632-36hf
    (We did that for 10.1.x upwards in 📌 Security update composer/composer (CVE-2023-43655) Downport )

    $ composer-lock-diff --no-links
    +------------------------------------+---------+---------+
    | Production Changes                 | From    | To      |
    +------------------------------------+---------+---------+
    | symfony/event-dispatcher-contracts | v1.1.13 | v1.10.0 |
    | symfony/http-kernel                | v4.4.50 | v4.4.51 |
    | symfony/polyfill-ctype             | v1.27.0 | v1.28.0 |
    | symfony/polyfill-iconv             | v1.27.0 | v1.28.0 |
    | symfony/polyfill-intl-idn          | v1.27.0 | v1.28.0 |
    | symfony/polyfill-intl-normalizer   | v1.27.0 | v1.28.0 |
    | symfony/polyfill-mbstring          | v1.27.0 | v1.28.0 |
    | symfony/polyfill-php80             | v1.27.0 | v1.28.0 |
    | symfony/var-dumper                 | v5.4.19 | v5.4.29 |
    +------------------------------------+---------+---------+
    
    +------------------------+---------+---------+
    | Dev Changes            | From    | To      |
    +------------------------+---------+---------+
    | composer/composer      | 2.2.18  | 2.2.22  |
    | symfony/phpunit-bridge | v5.4.19 | v5.4.31 |
    +------------------------+---------+---------+
    
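    The comment above shows the mechanics (`composer update symfony/*`, then `composer-lock-diff`) but not why a scanner flags a component that core never calls. The following is an added example, not Drupal's, Symfony's or Composer's own code: a minimal lock-file audit that does what such a scanner does (compare each pinned version in `composer.lock` against an advisory range, ignoring whether the component is ever used), then confirms that pinning the fixed versions clears the findings. The lock fragment reuses the "from" versions from the 9.5.x diff above, and the advisory ranges and fixed versions are constructed for illustration, not taken from the real advisories.

```python
"""Added example: audit a composer.lock against an advisory table, then re-audit after a bump.

The lock fragment and the advisory ranges below are constructed for illustration;
they are not real advisory data and this is not Composer's own `composer audit`.
"""
import json
import re
from typing import List, Tuple

# Constructed composer.lock fragment; "from" versions taken from the 9.5.x lock diff.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/http-kernel", "version": "v4.4.50"},
        {"name": "symfony/var-dumper", "version": "v5.4.19"},
    ],
    "packages-dev": [
        {"name": "composer/composer", "version": "2.2.18"},
    ],
})

# Constructed advisory table: (package, affected range, first fixed version).
# Deliberately simple, illustrative ranges; not the real advisories.
SAMPLE_ADVISORIES = [
    ("symfony/http-kernel", ">=4.4.0,<4.4.51", "v4.4.51"),
    ("composer/composer", ">=2.2.0,<2.2.22", "2.2.22"),
]

Finding = Tuple[str, str, str, bool]  # (package, locked version, fixed version, is_dev)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Normalise 'v4.4.50' / '2.2.18' / '6.3.8-RC1' to a comparable (major, minor, patch)."""
    numbers = []
    for part in re.split(r"[.\-+]", version.lstrip("vV")):
        if not part.isdigit():
            break  # stop at pre-release or build metadata
        numbers.append(int(part))
    while len(numbers) < 3:
        numbers.append(0)
    return tuple(numbers[:3])


def in_range(version: str, constraint: str) -> bool:
    """True if `version` satisfies every comma-separated clause, e.g. '>=4.4.0,<4.4.51'."""
    ver = parse_version(version)
    for clause in constraint.split(","):
        match = re.fullmatch(r"\s*(>=|<=|>|<|=)?\s*(\S+)\s*", clause)
        if match is None:
            raise ValueError(f"bad constraint clause: {clause!r}")
        op, bound = match.group(1) or "=", parse_version(match.group(2))
        satisfied = {
            ">=": ver >= bound, "<=": ver <= bound,
            ">": ver > bound, "<": ver < bound, "=": ver == bound,
        }[op]
        if not satisfied:
            return False
    return True


def audit_lock(lock_json: str, advisories) -> List[Finding]:
    """Flag every locked package whose pinned version falls inside an advisory range.

    Like a real scanner this looks only at what is pinned, not at whether the
    application ever calls into the component. That is why an unused Symfony
    component still produces a warning until the lock file is bumped.
    """
    lock = json.loads(lock_json)
    findings: List[Finding] = []
    for section, is_dev in (("packages", False), ("packages-dev", True)):
        for pkg in lock.get(section, []):
            for name, affected, fixed in advisories:
                if pkg["name"] == name and in_range(pkg["version"], affected):
                    findings.append((name, pkg["version"], fixed, is_dev))
    return findings


def bump_to_fixed(lock_json: str, findings: List[Finding]) -> str:
    """Return a new lock document with each flagged package pinned to its fixed version.

    This stands in for `composer update <package>` followed by a re-audit.
    """
    lock = json.loads(lock_json)
    fixed_for = {name: fixed for name, _locked, fixed, _dev in findings}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg["name"] in fixed_for:
                pkg["version"] = fixed_for[pkg["name"]]
    return json.dumps(lock)


if __name__ == "__main__":
    before = audit_lock(SAMPLE_LOCK, SAMPLE_ADVISORIES)
    for name, locked, fixed, is_dev in before:
        scope = "dev-only" if is_dev else "production"
        print(f"{name} {locked} is affected ({scope}); fixed in {fixed}")
    after = audit_lock(bump_to_fixed(SAMPLE_LOCK, before), SAMPLE_ADVISORIES)
    print("findings after bump:", len(after))
```

    The `is_dev` flag matters for triage: composer/composer sits under `packages-dev` in this diff, so it is never deployed with the site, whereas symfony/http-kernel is a production dependency even if the affected code path is not exercised by core.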
  • Assigned to Spokje
  • Status changed to Needs work 7 months ago
  • 🇳🇱 Netherlands Spokje
  • @spokje opened merge request.
  • 🇳🇱 Netherlands Spokje

    Nice, 10.0.x doesn't trigger GitLab CI either...

    Uploaded the diff from the MR as a patch, same as for 9.5.x.

    $ composer-lock-diff --no-links
    +------------------------------------+---------+---------+
    | Production Changes                 | From    | To      |
    +------------------------------------+---------+---------+
    | symfony/console                    | v6.2.5  | v6.3.8  |
    | symfony/dependency-injection       | v6.2.6  | v6.3.8  |
    | symfony/deprecation-contracts      | v3.2.0  | v3.4.0  |
    | symfony/error-handler              | v6.2.5  | v6.3.5  |
    | symfony/event-dispatcher           | v6.2.5  | v6.3.2  |
    | symfony/event-dispatcher-contracts | v3.2.0  | v3.4.0  |
    | symfony/http-foundation            | v6.2.6  | v6.3.8  |
    | symfony/http-kernel                | v6.2.6  | v6.3.8  |
    | symfony/mime                       | v6.2.5  | v6.3.5  |
    | symfony/polyfill-ctype             | v1.27.0 | v1.28.0 |
    | symfony/polyfill-iconv             | v1.27.0 | v1.28.0 |
    | symfony/polyfill-intl-grapheme     | v1.27.0 | v1.28.0 |
    | symfony/polyfill-intl-idn          | v1.27.0 | v1.28.0 |
    | symfony/polyfill-intl-normalizer   | v1.27.0 | v1.28.0 |
    | symfony/polyfill-mbstring          | v1.27.0 | v1.28.0 |
    | symfony/process                    | v6.2.5  | v6.3.4  |
    | symfony/psr-http-message-bridge    | v2.1.4  | v2.3.1  |
    | symfony/routing                    | v6.2.5  | v6.3.5  |
    | symfony/serializer                 | v6.2.5  | v6.2.13 |
    | symfony/service-contracts          | v3.2.0  | v3.4.0  |
    | symfony/string                     | v6.2.5  | v6.3.8  |
    | symfony/translation-contracts      | v3.2.0  | v3.4.0  |
    | symfony/validator                  | v6.2.5  | v6.2.13 |
    | symfony/var-dumper                 | v6.2.5  | v6.3.8  |
    | symfony/var-exporter               | v6.2.5  | v6.3.6  |
    | symfony/yaml                       | v6.2.5  | v6.3.8  |
    | symfony/polyfill-php83             | NEW     | v1.28.0 |
    +------------------------------------+---------+---------+
    
    +------------------------+--------+--------+
    | Dev Changes            | From   | To     |
    +------------------------+--------+--------+
    | composer/composer      | 2.4.4  | 2.6.5  |
    | symfony/browser-kit    | v6.2.5 | v6.3.8 |
    | symfony/css-selector   | v6.2.5 | v6.3.2 |
    | symfony/dom-crawler    | v6.2.5 | v6.3.4 |
    | symfony/filesystem     | v6.2.5 | v6.3.1 |
    | symfony/finder         | v6.2.5 | v6.3.5 |
    | symfony/lock           | v6.2.5 | v6.3.8 |
    | symfony/phpunit-bridge | v6.2.5 | v6.3.8 |
    +------------------------+--------+--------+
    
  • last update 7 months ago
    28,526 pass
  • 🇳🇱 Netherlands Spokje
  • Issue was unassigned.
  • Status changed to Needs review 7 months ago
  • 🇳🇱 Netherlands Spokje
  • Status changed to Needs work 7 months ago
  • The Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

    This does not mean that the patch needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

  • 🇳🇱 Netherlands Spokje

    Yeah, love you too, needs-review-queue-bot...

  • Status changed to Needs review 7 months ago
  • 🇳🇱 Netherlands Spokje
  • 🇬🇧 United Kingdom longwave UK

    Wondering if we should be even more conservative here and only upgrade the affected packages to cover the security warning? Symfony is pretty good at backward compatibility, but if we are to do a 10.0.x release here and we can avoid upgrading all components from Symfony 6.2 to 6.3, I think we should. Similarly, the polyfills don't really need to be updated unless we are forced to by dependencies of the packages with security updates.

  • 🇳🇱 Netherlands Spokje

    Assuming 9.5.x is OK.

    For 10.0.x: not sure we can stay on 6.2.something without actually making changes to the constraints in the composer.json files, which would make the new core release stricter than the one before?

  • Status changed to Needs work 7 months ago
  • 🇳🇱 Netherlands Spokje
  • 🇳🇱 Netherlands Spokje

    I assume this, although deemed critical then, is now outdated and can be closed?

  • Status changed to Closed: outdated 4 months ago
  • 🇬🇧 United Kingdom longwave UK

    Since we relaxed the requirements on core-recommended so users could self upgrade to newer patch releases, the security team have stopped receiving notifications and complaints from users running vulnerability scanners, so it looks like we don't need to strictly do this sort of thing any more.

    Thanks anyway for your vigilance on these issues!
