🚨 [security] [php] Update symfony/http-foundation 7.3.5 → 7.3.7 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ symfony/http-foundation (indirect, 7.3.5 → 7.3.7) · Repo · Changelog

Security Advisories 🚨

🚨 Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass

Description

The Request class improperly interprets some PATH_INFO in a way that leads to representing some URLs with a path that doesn't start with a /. This can allow bypassing some access control rules that are built with this /-prefix assumption.

Resolution

The Request class now ensures that URL paths always start with a /.

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Andrew Atkinson for discovering the issue, Chris Smith for reporting it and Nicolas Grekas for providing the fix.

Release Notes

7.3.7

Changelog (v7.3.6...v7.3.7)

• no significant changes

7.3.6

Changelog (v7.3.5...v7.3.6)

• bug symfony/symfony#62324 [HttpFoundation] Fix parsing hosts and schemes in URLs (@nicolas-grekas)
• bug symfony/symfony#62246 [HttpFoundation] Allow Request::setFormat() to override predefined formats (@longwave)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

• Merge branch '6.4' into 7.3
• Merge branch '5.4' into 6.4
• Merge branch '6.4' into 7.3
• [HttpFoundation] Fix parsing hosts and schemes in URLs
• [HttpFoundation] Fix parsing pathinfo with no leading slash
• Merge branch '6.4' into 7.3
• [HttpFoundation] Allow Request::setFormat() to override predefined formats

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[semanticdiff-com]

Review changes with  

[pr-code-reviewer]

👋 Hi there!

Everything looks good!

_{^{Automatically generated with the help of gpt-3.5-turbo.
Feedback? Please don't hesitate to drop me an email at [email protected].}}

[korbit-ai]

By default, I don't review pull requests opened by bots. If you would like me to review this pull request anyway, you can request a review via the /korbit-review command in a comment.

[korbit-ai]

I was unable to write a description for this pull request. This could be because I only found files I can't scan.

[gooroo-dev]

Please double check the following review of the pull request:

🐞Mistake	🤪Typo	🚨Security	🚀Performance	💪Best Practices	📖Readability	❓Others
0	0	0	0	0	0	0

Changes in the diff

• 🛠️ No changes detected in the diff.

Identified Issues

No code changes were provided in the diff, so no issues could be identified.

---

Since the diff is empty, no code changes were made in this pull request. The title indicates an update of symfony/http-foundation from version 7.3.5 to 7.3.7 for security reasons, but no actual code or dependency file modifications are shown here.

Recommendations:

• Ensure that the dependency update is properly reflected in the relevant files (e.g., composer.json, composer.lock).
• Provide the actual diff showing the update for review.
• Add or update tests if the update affects behavior.

No further review or tests can be generated without code changes.

Summon me to re-review when updated! Yours, Gooroo.dev
React or reply to let me know what you think!

[codara-ai-code-review]

Potential issues, bugs, and flaws that can introduce unwanted behavior:

1. Inconsistent Versions/References

   • /composer.lock - The update of the symfony/http-foundation dependency from version v7.3.5 to v7.3.7 includes a corresponding change in both the Git reference and the distribution URL, yet an inconsistency could arise if the new version has breaking changes or incompatibilities with other dependencies. This warrants tests and checks post-upgrade to ensure compatibility across the application.

2. Timestamp Mismatch

   • /composer.lock - The 'time' field has been changed from 2025-10-24T21:42:11+00:00 to 2025-11-08T16:41:12+00:00. If it does not align with expected or documented release schedules, this could lead to confusion regarding the freshness of the version. Make sure to confirm this timestamp with the actual release date recorded by Symfony.

Code suggestions and improvements for better exception handling, logic, standardization, and consistency:

1. Dependency Version Testing

   • /composer.lock - Consider implementing automated tests that check for compatibility after such dependency version upgrades. This can help catch any issues introduced by changing dependencies immediately.

2. Documentation Updates

   • /composer.lock - If the upgrade leads to functional changes, update documentation or release notes accordingly to reflect any notable changes introduced by v7.3.7. This aids in maintaining clarity for future developers regarding new features or alterations.

3. Pin Version Constraints

   • /composer.lock - Rather than directly upgrading to v7.3.7, it may be prudent to adopt version constraints (like ^7.3) which allow for minor updates while avoiding potential breaking changes from major version increments. This enhances overall stability in dependency management.

4. Check Dependency Tree

   • /composer.lock - After updating, it's advisable to analyze the full dependency tree to ensure that all transitive dependencies are satisfied and to check that no deprecated packages are being pulled in due to the update. This can help catch downstream issues early.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[deepsource-io]

Here's the code health analysis summary for commits 0e66e42..b953d81. View details on DeepSource ↗.

Analysis Summary

Analyzer	Status	Summary	Link
SQL	✅ Success		View Check ↗
Test coverage	✅ Success		View Check ↗
Secrets	✅ Success		View Check ↗
PHP	✅ Success		View Check ↗
Docker	✅ Success		View Check ↗

Code Coverage Report

Metric	Aggregate	Php
Branch Coverage	100%	100%
Composite Coverage	33.3%	33.3%
Line Coverage	33.3%	33.3%

---

💡 If you’re a repository administrator, you can configure the quality gates from the settings.

[guibranco]

Automatically approved by gstraccini[bot]

[guibranco]

@depfu merge

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[korbit-ai]

I was unable to write a description for this pull request. This could be because I only found files I can't scan.