Bump symfony/cache from 7.4.7 to 8.0.13#174

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/composer/symfony/cache-8.0.13

@dependabot (bot, Contributor) commented on behalf of github on May 27, 2026
Bumps symfony/cache from 7.4.7 to 8.0.13.

Release notes

Sourced from symfony/cache's releases.

v8.0.13

Changelog (symfony/cache@v8.0.12...v8.0.13)

v8.0.12

Changelog (symfony/cache@v8.0.10...v8.0.12)

v8.0.10

Changelog (symfony/cache@v8.0.9...v8.0.10)

v8.0.9

Changelog (symfony/cache@v8.0.8...v8.0.9)

v8.0.8

Changelog (symfony/cache@v8.0.7...v8.0.8)

  • bug #63818 Ensure compatibility with Relay extension 0.21.0 (@​lyrixx)
  • bug #63747 Fix Psr16Cache::getMultiple() returning ValueWrapper with TagAwareAdapter (@​pcescon)
  • bug #63736 Fix undefined array key when tag save fails in AbstractTagAwareAdapter (@​pcescon)
  • bug #63655 Fix ChainAdapter ignoring item expiry when propagating to earlier adapters (@​guillaumeVDP)

v8.0.7

Changelog (symfony/cache@v8.0.6...v8.0.7)

v8.0.6

Changelog (symfony/cache@v8.0.5...v8.0.6)

v8.0.5

Changelog (symfony/cache@v8.0.4...v8.0.5)

... (truncated)

Changelog

Sourced from symfony/cache's changelog.

CHANGELOG

8.0

  • Remove CouchbaseBucketAdapter, use CouchbaseCollectionAdapter instead

7.4

  • Bump ext-redis to 6.1 and ext-relay to 0.12 minimum

7.3

  • Add support for \Relay\Cluster in RedisAdapter
  • Add support for valkey: / valkeys: schemes
  • Add support for namespace-based invalidation
  • Rename options "redis_cluster" and "redis_sentinel" to "cluster" and "sentinel" respectively

7.2

  • igbinary_serialize() is no longer used instead of serialize() by default when the igbinary extension is installed, due to behavior compatibilities between the two
  • Add optional Psr\Clock\ClockInterface parameter to ArrayAdapter

7.1

  • Add option sentinel_master as an alias for redis_sentinel
  • Deprecate CouchbaseBucketAdapter, use CouchbaseCollectionAdapter
  • Add support for URL encoded characters in Couchbase DSN
  • Add support for using DSN with PDOAdapter
  • The algorithm for the default cache namespace changed from SHA256 to XXH128

7.0

  • Add parameter $isSameDatabase to DoctrineDbalAdapter::configureSchema()
  • Drop support for Postgres < 9.5 and SQL Server < 2008 in DoctrineDbalAdapter

6.4

  • EarlyExpirationHandler no longer implements MessageHandlerInterface, rely on AsMessageHandler instead

6.3

... (truncated)

Commits
  • 75f9223 Merge branch '7.4' into 8.0
  • 4c09e18 Merge branch '6.4' into 7.4
  • 5490a57 Merge branch '5.4' into 6.4
  • bf58147 [Cache] skip tests for adapters that cannot clear by prefix
  • 62ee88d Merge branch '7.4' into 8.0
  • f796e47 Ignore Doctrine DBAL deprecations that can't be worked around
  • 12cc026 Merge branch '7.4' into 8.0
  • bf9d30f Merge branch '6.4' into 7.4
  • 03472b6 [Cache] Fix strlen(null) deprecation on RelayCluster path in RedisTrait::doCl...
  • 8602405 Merge branch '5.4' into 6.4
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Medium Risk
Major Symfony cache upgrade with PHP 8.4 requirement on the package and a security-related clear() prefix change; impact is mostly on dev tooling unless runtime resolves the same tree.

Overview
Updates composer.lock only: bumps symfony/cache from 7.4.7 to 8.0.13 (Symfony 8 major) and pulls in matching transitive bumps (symfony/var-exporter to 8.0.9, symfony/cache-contracts, symfony/deprecation-contracts, and symfony/service-contracts to 3.7.0). The resolved symfony/cache package now requires PHP >= 8.4 (was >= 8.2) and drops several Symfony 6.x-era conflict constraints; it is consumed transitively (e.g. via overtrue/phplint in dev), not declared in root composer.json.

Notable upstream changes in this range include a security fix for prefix validation on AbstractAdapter::clear() (CVE-2026-45073 in 8.0.12) plus Redis/Relay, tag-aware, and chain-adapter bug fixes. 8.0 also removes CouchbaseBucketAdapter in favor of CouchbaseCollectionAdapter if that adapter is used anywhere in the stack.

Reviewed by Cursor Bugbot for commit 92b309a. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [symfony/cache](https://github.com/symfony/cache) from 7.4.7 to 8.0.13.
- [Release notes](https://github.com/symfony/cache/releases)
- [Changelog](https://github.com/symfony/cache/blob/8.1/CHANGELOG.md)
- [Commits](symfony/cache@v7.4.7...v8.0.13)

---
updated-dependencies:
- dependency-name: symfony/cache
  dependency-version: 8.0.13
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot (bot) added the dependencies and php labels on May 27, 2026

@cursor (bot) left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 92b309a. Configure here.

Comment thread composer.lock
},
"require": {
"php": ">=8.2",
"php": ">=8.4",

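Review bot: the "php" line in this "require" block moves the locked package's floor from ">=8.2" to ">=8.4", and nothing in the hunk shows the project's own PHP floor moving with it. Before merging, confirm that every environment that runs composer install against this lock file is on PHP 8.4 or later. If an older PHP still has to be supported, set config.platform.php in composer.json to that version and regenerate the lock, so the resolver only selects packages that install there.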

Major version bump breaks PHP 8.3 compatibility

High Severity

The bumped symfony/cache v8.0.13 and symfony/var-exporter v8.0.9 both require php: >=8.4, but the project's phpcs.xml declares testVersion of 8.3-, indicating PHP 8.3 is the minimum supported version. Running composer install on PHP 8.3 will fail because the locked dependencies are incompatible with that runtime.

Reviewed by Cursor Bugbot for commit 92b309a. Configure here.
