Bump symfony/yaml from 7.4.6 to 8.0.13 #56

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/composer/symfony/yaml-8.0.13
@dependabot dependabot Bot commented on behalf of github May 28, 2026

Bumps symfony/yaml from 7.4.6 to 8.0.13.

Release notes

Sourced from symfony/yaml's releases.

v8.0.13

Changelog (symfony/yaml@v8.0.12...v8.0.13)

v8.0.12

Changelog (symfony/yaml@v8.0.11...v8.0.12)

v8.0.11

Changelog (symfony/yaml@v8.0.10...v8.0.11)

v8.0.10

Changelog (symfony/yaml@v8.0.6...v8.0.10)

v8.0.8

Changelog (symfony/yaml@v8.0.7...v8.0.8)

  • no significant changes

v8.0.6

Changelog (symfony/yaml@v8.0.5...v8.0.6)

v8.0.1

Changelog (symfony/yaml@v8.0.0...v8.0.1)

v8.0.0-RC2

Changelog (symfony/yaml@v8.0.0-RC1...v8.0.0-RC2)

v8.0.0-BETA1

Changelog (symfony/yaml@v7.3.4...v8.0.0-BETA1)

... (truncated)

Changelog

Sourced from symfony/yaml's changelog.

CHANGELOG

8.0

  • Remove support for parsing duplicate mapping keys whose value is null

7.3

  • Add compact nested mapping support by using the Yaml::DUMP_COMPACT_NESTED_MAPPING flag
  • Add the Yaml::DUMP_FORCE_DOUBLE_QUOTES_ON_VALUES flag to enforce double quotes around string values

7.2

  • Deprecate parsing duplicate mapping keys whose value is null
  • Add support for dumping null as an empty value by using the Yaml::DUMP_NULL_AS_EMPTY flag

7.1

  • Add support for getting all the enum cases with !php/enum Foo

7.0

  • Remove the !php/const: tag, use !php/const instead (without the colon)

6.3

  • Add support to dump int keys as strings by using the Yaml::DUMP_NUMERIC_KEY_AS_STRING flag

6.2

  • Add support for !php/enum and !php/enum *->value
  • Deprecate the !php/const: tag in key which will be replaced by the !php/const tag (without the colon) since 3.4

6.1

  • In cases where it will likely improve readability, strings containing single quotes will be double-quoted

5.4

  • Add a $maxNestingLevel argument to Parser::__construct(), Yaml::parse() and Yaml::parseFile() to bound recursion depth (default 128)

... (truncated)

Commits
  • a1cdf99 Merge branch '7.4' into 8.0
  • a7ec3b1 Merge branch '6.4' into 7.4
  • e8fdf34 CS fix
  • dcfacbd Merge branch '7.4' into 8.0
  • 4b5658c Merge branch '6.4' into 7.4
  • 69b7344 Merge branch '5.4' into 6.4
  • ae0bbb4 [Yaml] Allow trailing newlines after the end-of-document marker
  • 2a36f4b Merge branch '7.4' into 8.0
  • 8b6952b Merge branch '6.4' into 7.4
  • 68dcd1f Merge branch '5.4' into 6.4
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Medium Risk
Major Symfony YAML upgrade with PHP 8.4 minimum and parser security fixes; risk is mainly dev-toolchain/CI compatibility, not runtime app code in this diff.

Overview
Updates composer.lock only: symfony/yaml moves from 7.4.6 to 8.0.13 (Symfony 8 major), with transitive bumps to symfony/deprecation-contracts (v3.6.0 → v3.7.0) and symfony/polyfill-ctype (v1.33.0 → v1.37.0).

The yaml package now requires PHP ≥ 8.4 (was ≥ 8.2) and tightens console compatibility; release notes include security fixes for the YAML parser (recursion/collection-alias bounds, regex hardening) plus parsing bugfixes. Confirm your CI/local dev PHP version meets 8.4 before merging.

Reviewed by Cursor Bugbot for commit e85987b. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [symfony/yaml](https://github.com/symfony/yaml) from 7.4.6 to 8.0.13.
- [Release notes](https://github.com/symfony/yaml/releases)
- [Changelog](https://github.com/symfony/yaml/blob/8.1/CHANGELOG.md)
- [Commits](symfony/yaml@v7.4.6...v8.0.13)

---
updated-dependencies:
- dependency-name: symfony/yaml
  dependency-version: 8.0.13
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies and php labels May 28, 2026

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit e85987b. Configure here.

Comment thread composer.lock
"require": {
"php": ">=8.2",
"symfony/deprecation-contracts": "^2.5|^3",
"php": ">=8.4",
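
Review bot: the `"php": ">=8.4"` line in this `require` block sits where `"php": ">=8.2"` was, so this lock entry no longer installs on PHP 8.2 or 8.3, and nothing in the visible lines raises the project's own PHP floor or CI version to match. Confirm that every environment running `composer install` against this lock is on PHP 8.4 or later before merging; otherwise comment `@dependabot ignore this major version` and take the 7.4.x update instead. The `"symfony/deprecation-contracts": "^2.5|^3"` line also appears between the two `php` lines, so check in the full diff whether the new block still requires it.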
Major version bump raises PHP requirement to 8.4

High Severity

The symfony/yaml bump crosses a major version boundary (7.4.6 → 8.0.13), silently raising the minimum PHP requirement from >=8.2 to >=8.4. Other locked dev dependencies like overtrue/phplint (^8.2), phpro/grumphp-shim (~8.2.0 || ~8.3.0 || ...), and symfony/cache (>=8.2) all support PHP 8.2/8.3, but composer install will now fail on those PHP versions due to this single transitive dependency. The security CVEs cited in this PR were also patched in the 7.4.x branch, so the major version bump is unnecessary.


Reviewed by Cursor Bugbot for commit e85987b. Configure here.
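
A CI-side check for the failure mode the review comment above describes, as an added example that is not part of this PR or of any tool named on the page: it compares the `php` constraints in two `composer.lock` files and reports packages whose minimum PHP version rose above the version CI runs. The function names, the sample lock contents and the lower-bound-only constraint parsing (`>=`, `^`, `~`, `|`/`||`) are assumptions made for illustration.

```python
import json
import re

# Constructed sample locks (trimmed to the fields read below), before and after the bump.
LOCK_BEFORE = json.dumps({"packages-dev": [
    {"name": "symfony/yaml", "require": {"php": ">=8.2"}},
    {"name": "overtrue/phplint", "require": {"php": "^8.2"}},
]})
LOCK_AFTER = json.dumps({"packages-dev": [
    {"name": "symfony/yaml", "require": {"php": ">=8.4"}},
    {"name": "overtrue/phplint", "require": {"php": "^8.2"}},
]})

def _ver(text):
    """'8.4' -> (8, 4, 0) so versions compare as tuples."""
    parts = [int(p) for p in text.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def php_floor(constraint):
    """Lowest PHP version any alternative admits. Simplified: lower bounds only."""
    floors = []
    for alt in re.split(r"\s*\|\|?\s*", constraint):
        m = re.search(r"(?:>=|\^|~)\s*(\d+(?:\.\d+)*)", alt)
        if m:
            floors.append(_ver(m.group(1)))
    return min(floors) if floors else None

def load_floors(lock_text):
    """Map package name -> PHP floor for every locked package that constrains php."""
    lock = json.loads(lock_text)
    floors = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            constraint = pkg.get("require", {}).get("php")
            if constraint:
                floors[pkg["name"]] = php_floor(constraint)
    return floors

def raised_floors(before_text, after_text, ci_php):
    """Packages whose PHP floor rose between the two locks and now exceeds ci_php."""
    before, after = load_floors(before_text), load_floors(after_text)
    findings = []
    for name, new in sorted(after.items()):
        old = before.get(name)
        if new and new > _ver(ci_php) and (old is None or new > old):
            findings.append((name, old, new))
    return findings

if __name__ == "__main__":
    for name, old, new in raised_floors(LOCK_BEFORE, LOCK_AFTER, "8.3"):
        print(f"{name}: PHP floor {old} -> {new}, above CI PHP 8.3")
```

Run against the base and head versions of `composer.lock` in a lock-only PR, a non-empty result means the bump needs a PHP upgrade in CI before it can merge.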
