fix(deps): update dependency symfony/security-bundle to 6.4.* [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
symfony/security-bundle (source)	6.2.* -> 6.4.*

GitHub Vulnerability Alerts

CVE-2024-50341

Description

The custom user_checker defined on a firewall is not called when Login Programmaticaly with the Security::login method, leading to unwanted login.

Resolution

The Security::login method now ensure to call the configured user_checker.

The patch for this issue is available here for branch 6.4.

Credits

We would like to thank Oleg Andreyev, Antoine MAKDESSI for reporting the issue and Christian Flothmann for providing the fix.

---

Release Notes

symfony/security-bundle (symfony/security-bundle)

v6.4.10

Compare Source

v6.4.9

Compare Source

Changelog (symfony/security-bundle@v6.4.8...v6.4.9)

• bug symfony/symfony#57520 [SecurityBundle] Remove unused memory users’ name attribute from the XSD (@​MatTheCat)
• bug symfony/symfony#57467 [SecurityBundle] Add provider XML attribute to the authenticators it’s missing from (@​MatTheCat)

v6.4.8

Compare Source

Changelog (symfony/security-bundle@v6.4.7...v6.4.8)

• no significant changes

v6.4.7

Compare Source

Changelog (symfony/security-bundle@v6.4.6...v6.4.7)

• no significant changes

v6.4.6

Compare Source

Changelog (symfony/security-bundle@v6.4.5...v6.4.6)

• bug symfony/symfony#54248 [Security] Correctly initialize the voter property (@​aschempp)

v6.4.5

Compare Source

Changelog (symfony/security-bundle@v6.4.4...v6.4.5)

• no significant changes

v6.4.4

Compare Source

Changelog (symfony/security-bundle@v6.4.3...v6.4.4)

• bug symfony/symfony#53913 [TwigBridge] Fix compat with Twig v3.9 (@​nicolas-grekas)
• bug symfony/symfony#53744 [SecurityBundle] add missing partition attribute to the schema definition (@​xabbuh)
• bug symfony/symfony#53703 [HttpFoundation] Fix clearing CHIPS cookies (@​misaert)

v6.4.3

Compare Source

Changelog (symfony/security-bundle@v6.4.2...v6.4.3)

• bug symfony/symfony#53656 [Form] Use self-closing <input /> syntax again, reverting #​47715 (@​mpdude)

v6.4.2

Compare Source

Changelog (symfony/security-bundle@v6.4.1...v6.4.2)

• bug symfony/symfony#53172 [SecurityBundle] Prevent to login/logout without a request context (@​symfonyaml)
• bug symfony/symfony#52870 [SecurityBundle] Fix redeclaration of InternalSecurity class when opcache preload is active (@​kaznovac)

v6.4.0

Compare Source

Changelog (symfony/security-bundle@v6.4.0-RC2...v6.4.0)

• no significant changes

v6.3.12

Compare Source

Changelog (symfony/security-bundle@v6.3.11...v6.3.12)

• no significant changes

v6.3.11

Compare Source

Changelog (symfony/security-bundle@v6.3.10...v6.3.11)

• bug symfony/symfony#53172 [SecurityBundle] Prevent to login/logout without a request context (@​symfonyaml)

v6.3.8

Compare Source

Changelog (symfony/security-bundle@v6.3.7...v6.3.8)

• bug symfony/symfony#52506 [SecurityBundle] wire the secret for Symfony 6.4 compatibility (@​xabbuh)

v6.3.7

Compare Source

Changelog (symfony/security-bundle@v6.3.6...v6.3.7)

• bug symfony/symfony#52308 [SecurityBundle] Fix missing login-link element in xsd schema (@​fancyweb)

v6.3.6

Compare Source

Changelog (symfony/security-bundle@v6.3.5...v6.3.6)

• bug symfony/symfony#51858 [Security] Fix resetting traceable listeners (@​chalasr)

v6.3.5

Compare Source

Changelog (symfony/security-bundle@v6.3.4...v6.3.5)

• bug symfony/symfony#51686 [SecurityBundle][PasswordHasher] Fix password migration with custom hasher service with security bundle config (@​ogizanagi)

v6.3.4

Compare Source

Changelog (symfony/security-bundle@v6.3.3...v6.3.4)

• bug symfony/symfony#51104 [Security] Fix loading user from UserBadge (@​guillaumesmo)
• bug symfony/symfony#51359 [Security] Fix error with lock_factory in login_throttling (@​BaptisteContreras)

v6.3.3

Compare Source

Changelog (symfony/security-bundle@v6.3.2...v6.3.3)

• no significant changes

v6.3.2

Compare Source

Changelog (symfony/security-bundle@v6.3.1...v6.3.2)

• bug symfony/symfony#51056 [SecurityBundle] Add firewalls.logout.csrf_token_manager to XSD (@​HeahDude)
• bug symfony/symfony#50819 [SecurityBundle] Do not translate Bearer header’s error_description (@​MatTheCat)

v6.3.1

Compare Source

Changelog (symfony/security-bundle@v6.3.0...v6.3.1)

• bug symfony/symfony#50503 [SecurityBundle] Fix error message when using OIDC and web-token/jwt-core is not installed (@​nicolas-grekas)

v6.3.0

Compare Source

Changelog (symfony/security-bundle@v6.3.0-RC2...v6.3.0)

• bug symfony/symfony#50432 [Security] Validate aud and iss claims on OidcTokenHandler (@​vincentchalamon)
• bug symfony/symfony#50477 [Security] Add clock dependency to OidcTokenHandler (@​nicolas-grekas)
• bug symfony/symfony#50453 [SecurityBundle] add missing xsd definition for OIDC (@​aegypius)
• bug symfony/symfony#50470 [SecurityBundle] Fix configuring OIDC user info token handler client (@​vincentchalamon)

v6.2.13

Compare Source

Changelog (symfony/security-bundle@v6.2.12...v6.2.13)

• bug symfony/symfony#50819 [SecurityBundle] Do not translate Bearer header’s error_description (@​MatTheCat)

v6.2.12

Compare Source

Changelog (symfony/security-bundle@v6.2.11...v6.2.12)

• no significant changes

v6.2.11

Compare Source

Changelog (symfony/security-bundle@v6.2.10...v6.2.11)

• bug symfony/symfony#50442 [SecurityBundle] Update security-1.0.xsd to include missing access-token definition (@​aegypius)
• bug symfony/symfony#49063 [Messenger] Respect isRetryable decision of the retry strategy for re-delivery (@​FlyingDR)

v6.2.10

Compare Source

Changelog (symfony/security-bundle@v6.2.9...v6.2.10)

• bug symfony/symfony#50115 [FrameworkBundle] Make service edges unique (@​rmikalkenas)
• bug symfony/symfony#50088 [DependencyInjection] Do not ignore tags name attribute when it does not define their name (@​MatTheCat)
• bug symfony/symfony#48886 [Console] Fix computing column width containing multibyte chars (@​cay89)
• bug symfony/symfony#47505 [Mime] Form field values with integer keys not resolved correctly (@​claudiu-cristea)
• bug symfony/symfony#48837 [Messenger] [Redis] Fixed problem where worker stops handling messages on first empty message (@​jvmanji)
• bug symfony/symfony#49317 [Messenger] Fix warning message on failed messenger show command (@​gstapinato)
• bug symfony/symfony#48972 [HttpFoundation] Fix memory limit problems in BinaryFileResponse (@​glady)
• bug symfony/symfony#49009 [Form] Cast choices value callback result to string (@​Matth--)
• bug symfony/symfony#49581 Avoid leading .. for temporary files from Filesystem recursive remove (@​giosh94mhz)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: apps/composer.lock

Command failed: composer update symfony/security-bundle:6.4.10 --with-dependencies --ignore-platform-req='ext-*' --ignore-platform-req='lib-*' --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins
Loading composer repositories with package information
Dependency symfony/event-dispatcher is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Dependency symfony/mime is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Dependency symfony/property-access is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Dependency symfony/process is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - symfony/framework-bundle is locked to version v6.2.9 and an update of this package was not requested.
    - Root composer.json requires symfony/security-bundle 6.4.* -> satisfiable by symfony/security-bundle[v6.4.10].
    - symfony/security-bundle v6.4.10 conflicts with symfony/framework-bundle <6.4.

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.