The CakePHP core team is happy to announce the immediate availability of CakePHP 4.0.6. This is a maintenance release for the 4.0 branch that fixes several community reported issues and a low risk security issue in our CSRF protection middleware.
Bugfixes
You can expect the following changes in 4.0.6. See the changelog for every commit.
Nirmal Kirubakaran contacted us via the security mailing list and disclosed a vulnerability in our CSRF token generation. If an attacker were to use an XSS vulnerabiity or physical access to fixate a CSRF token they could then exploit additional CSRF attacks. In this release generated tokens contain an HMAC signed with Security.salt. This ensures the tokens were generated by the same application that receives them. CSRF tokens generated in previous versions will now be rejected by 4.0.6 as they do not contain the HMAC.
Improved session access in IntegrationTestTrait through the new getTestSession() method.
Fixed generation of pagination links on / URLs.
cake plugin unload and cake plugin load now handle vendor namespaced plugins.
Validation::inList() no longer emits a warning on a non-scalar values.
Schema reflection stored procedures in SQLServer now work in case sensitive configurations.
Email message wrapping no longer emits errors when lines are the same length as the wrap length.
App::path() now resolves locale files for plugins.
Contributors to 4.0.6
Thank you to all the contributors that helped make this release happen:
ADmad
Corey Taylor
Mark Scherer
Mark Story
Nicolas
As always, we would like to thank all the contributors that opened issues, created pull requests or updated the documentation.
CakePHP 4.0.5 released
The CakePHP core team is happy to announce the immediate availability of CakePHP 4.0.5. This is a maintenance release for the 4.0 branch that fixes several community reported issues.
Bugfixes
You can expect the following changes in 4.0.5. See the changelog for every commit.
SMTP delivery failure exceptions now include the error text received from the destination server.
Improved API documentation.
Table::saveMany() now correctly rollbacks a transaction when an entity other than the first fails to save because of application rules or database failure.
ConsoleIntegrationTestTrait now uses mocked _out and _err objects if they have been set.
ConsoleInput::read() now handles false values from fgets() and readline.
CounterCacheBehavior now handles null association values better when custom finders are used.
Http\Response now allows usage of unassigned HTTP status codes between 100 and 599.
Binary data in SQL query logs is now encoded as hexadecimal to improve readability of query logs.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/hashmich/DHCR-Back-End/network/alerts).
Bumps cakephp/cakephp from 2.10.24 to 4.0.6.
Release notes
Sourced from cakephp/cakephp's releases.
... (truncated)
Commits
776a053
Update version number to 4.0.64cbc8d5
Merge pull request #14465 from cakephp/psalm46c2b9e
Fix CS errorsc85e239
Fix errors reported by psalm907cf4a
Merge pull request #14461 from cakephp/issue-1445994e0a75
Fix docblock.19a271f
Fix docblocks.d56e2dd
Merge pull request #14464 from cakephp/app-path-localesd63bf24
Update App::path() to return locales path for plugins too.4e6c835
Fix error when wrapping email message content.Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/hashmich/DHCR-Back-End/network/alerts).