Bump the php-prod group across 1 directory with 13 updates

[dependabot]

Bumps the php-prod group with 9 updates in the / directory:

Package	From	To
doctrine/dbal	3.10.4	3.10.5
doctrine/orm	3.6.1	3.6.2
nelmio/security-bundle	3.7.0	3.9.0
symfony/expression-language	7.4.0	7.4.4
symfony/form	7.4.3	7.4.4
symfony/security-bundle	7.4.0	7.4.6
symfony/translation	7.4.3	7.4.6
symfony/twig-bundle	7.4.3	7.4.4
twig/extra-bundle	3.22.2	3.23.0

Updates doctrine/dbal from 3.10.4 to 3.10.5

Release notes

Sourced from doctrine/dbal's releases.

3.10.5

Release Notes for 3.10.5

3.10.5

• Total issues resolved: 0
• Total pull requests resolved: 13
• Total contributors: 6

CI

• 7319: Bump laminas/automatic-releases from 1.25.0 to 1.26.2 thanks to @​dependabot[bot]
• 7259: Bump dessant/lock-threads from 5 to 6 thanks to @​dependabot[bot]
• 7258: Bump actions/upload-artifact from 5 to 6 thanks to @​dependabot[bot]
• 7257: Bump actions/download-artifact from 6 to 7 thanks to @​dependabot[bot]
• 7235: chore: show parameters in name of CI jobs thanks to @​alexislefebvre

Dependencies,Test Suite

• 7298: Bump PHPUnit version thanks to @​greg0ire

Dependencies

• 7292: Bump coding standard tools thanks to @​greg0ire

CI,MariaDB,MySQL

• 7283: Test against newer MySQL/MariaDB releases thanks to @​derrabus

CI,SQL Server

• 7279: Test against SQL Server 2025 in nightly builds thanks to @​morozov
• 7265: Test against SQL Server 2025 thanks to @​derrabus

Bug

• 7272: Add phpstan-baseline.neon, CONTRIBUTING.md, README.md to export-ignore list thanks to @​sasezaki

CI,PHP,pdo_oci

• 7236: Test Oracle drivers on PHP 8.5 thanks to @​derrabus

Documentation

• 7233: Prepare the 4.4.0 release thanks to @​derrabus

Commits

• 95d8486 Bump laminas/automatic-releases from 1.25.0 to 1.26.2 (#7319)
• 49c3ccf Bump PHPUnit version (#7298)
• 817ef04 Merge pull request #7292 from greg0ire/bump-cs
• c497c12 Bump coding standard tools
• 8ff8387 Test against newer MySQL/MariaDB releases (#7283)
• 1650fe6 Merge pull request #7279 from morozov/sql-server-nightly
• 5b21a4b Test against SQL Server 2025 nightly
• 2821991 Merge pull request #7272 from sasezaki/patch-1
• ceb3e3a Also add README.md,CONTRIBUTING.md to export-ignore list - https://github.com...
• 48172cd Add phpstan-baseline.neon to export-ignore list
• Additional commits viewable in compare view

Updates doctrine/orm from 3.6.1 to 3.6.2

Release notes

Sourced from doctrine/orm's releases.

3.6.2

Release Notes for 3.6.2

3.6.x bugfix release (patch)

3.6.2

• Total issues resolved: 0
• Total pull requests resolved: 2
• Total contributors: 2

Bugfix

• [12366: fix: update index to be serialized in __sleep()](doctrine/orm#12366) thanks to @​vvaswani

Improvement

• 12343: Update phpstan-dbal2 to phpstan-dbal3 in .gitattributes thanks to @​sasezaki

Commits

• 4262eb4 fix: update index to be serialized in __sleep() (#12366)
• d3b47d2 Merge pull request #12355 from doctrine/2.20.x
• 026f5bf Merge pull request #12350 from greg0ire/missing-order-by
• 0b0f2f4 Add missing ORDER BY clause
• 0bd839a Merge pull request #12345 from greg0ire/3.6.x
• b65004f Merge remote-tracking branch 'origin/2.20.x' into 3.6.x
• d2418ab Merge pull request #12344 from greg0ire/update-baseline
• 39a05e3 Update PHPStan baseline
• ab156a5 Update phpstan-dbal2 to phpstan-dbal3 in .gitattributes (#12343)
• See full diff in compare view

Updates nelmio/security-bundle from 3.7.0 to 3.9.0

Release notes

Sourced from nelmio/security-bundle's releases.

v3.9.0

What's Changed

• Added PHPUnit assertions for security headers and update testing documentation by @​Spomky in nelmio/NelmioSecurityBundle#389

Full Changelog: nelmio/NelmioSecurityBundle@v3.8.0...v3.9.0

v3.8.0

What's Changed

• Add Cross-Origin Policy feature with configurable headers (COEP, COOP, CORP) by @​Spomky in nelmio/NelmioSecurityBundle#372

Full Changelog: nelmio/NelmioSecurityBundle@v3.7.0...v3.8.0

Commits

• 86dd4d1 Merge pull request #389 from Spomky/feature/test-assertions
• 0dc7667 feat(tests): Add PHPUnit assertions for security headers and update testing d...
• 2fafee1 Merge pull request #372 from Spomky/features/cross-origin-policy
• 63da27e Add Cross-Origin Policy feature with configurable headers (COEP, COOP, CORP)
• See full diff in compare view

Updates symfony/config from 7.4.3 to 7.4.7

Release notes

Sourced from symfony/config's releases.

v7.4.7

Changelog (symfony/config@v7.4.6...v7.4.7)

• no significant changes

v7.4.6

Changelog (symfony/config@v7.4.5...v7.4.6)

• bug #54236 Fix exclude option being ignored for non-glob and PSR-4 resources (@​NeilPeyssard)
• bug #63478 Fix ArrayShapeGenerator required keys with deep merging (@​lacatoire)
• bug #63450 Fix missing resource tracking for type extensions in FormPass (@​ranpafin)

v7.4.4

Changelog (symfony/config@v7.4.3...v7.4.4)

• bug #63053 add back missing enabled key in normalization step (xabbuh)
• bug #63002 Fix merging node that canBeDisable()/canBeEnabled() (nicolas-grekas)
• bug #62920 Allow ParamConfigurator in ParametersConfig (@​jack-worman)

Commits

• 6c17162 [Config] Fix NodeDefinition template to be covariant
• 9400e2f Merge branch '6.4' into 7.4
• ce9cb0c [Config][Routing] Fix exclude option being ignored for non-glob and PSR-4 res...
• 69271cf bug #63478 [Config] Fix ArrayShapeGenerator required keys with deep merging (...
• f2dbc7f [Config] Fix ArrayShapeGenerator required keys with deep merging
• 14a2318 Merge branch '6.4' into 7.4
• 5254855 [Form] Add resource tracking for type extension classes in FormPass
• 4275b53 Merge branch '7.3' into 7.4
• 26ddb5e do not use PHPUnit mock objects without configured expectations
• 077e131 Merge branch '7.3' into 7.4
• Additional commits viewable in compare view

Updates symfony/console from 7.4.3 to 7.4.7

Release notes

Sourced from symfony/console's releases.

v7.4.7

Changelog (symfony/console@v7.4.6...v7.4.7)

• bug #63604 Fix ApplicationTester ignoring interactive and verbosity options when SHELL_VERBOSITY is set (@​nicolas-grekas)
• bug #63570 Fix OUTPUT_RAW corrupting binary content on Windows (@​guillaumeVDP)

v7.4.6

Changelog (symfony/console@v7.4.5...v7.4.6)

• bug #47432 Fix various completion edge cases (@​Seldaek)
• bug #63456 Fix validator exception masked by MissingInputException on empty input (@​nicolas-grekas)
• bug #63444 Fix arguments set via # wrongly considered null in profiler (@​chalasr)
• bug #63438 ProgressIndicator console helper display with multiple processes (@​guillaumeVDP)
• bug #63436 Silence shell_exec warning in hasSttyAvailable (@​lacatoire)
• bug #63415 Fix profiling commands that use # (@​chalasr)
• bug #63368 Fix ProgressBar remaining and estimated placeholder guards (@​yoeunes)
• bug #63351 Fix SymfonyStyle block output with \r\n line endings (@​lacatoire)
• bug #63281 Treat emoji VS16 as wide in width calc (@​fabpot)
• bug #63238 Fall back to 0 when getCode() does not provide an integer (@​makomweb)

v7.4.4

Changelog (symfony/console@v7.4.3...v7.4.4)

• no significant changes

Commits

• e1e6770 Fix merge
• 66aaab8 Merge branch '6.4' into 7.4
• 49257c9 [Console] Fix ApplicationTester ignoring interactive and verbosity opti...
• de4f40b Merge branch '6.4' into 7.4
• 4d5318a [Console] Fix OUTPUT_RAW corrupting binary content on Windows
• 6d643a9 Fix merge
• 87fb10f Merge branch '6.4' into 7.4
• 7b1f1c3 [Console] Fix various completion edge cases
• 11c4f79 Merge branch '6.4' into 7.4
• a0613ff [Console] Fix validator exception masked by MissingInputException on empty input
• Additional commits viewable in compare view

Updates symfony/expression-language from 7.4.0 to 7.4.4

Release notes

Sourced from symfony/expression-language's releases.

v7.4.4

Changelog (symfony/expression-language@v7.4.3...v7.4.4)

• no significant changes

Commits

• f3a6497 Merge branch '7.3' into 7.4
• bb4594c Merge branch '6.4' into 7.3
• 89c10ef do not use PHPUnit mock objects without configured expectations
• See full diff in compare view

Updates symfony/form from 7.4.3 to 7.4.4

Release notes

Sourced from symfony/form's releases.

v7.4.4

Changelog (symfony/form@v7.4.3...v7.4.4)

• bug #63144 Fix OrderedHashMap auto-increment logic with mixed keys (yoeunes)
• bug #63154 don't skip custom view transformers while normalizing submitted newlines (xabbuh)
• bug #63113 Fix ICU 72+ whitespace handling in DateTimeToLocalizedStringTransformer (roukmoute)
• bug #62884 Prevent cached block prefixes from leaking across nested collections (@​nicolas-grekas)

Commits

• 264fc87 Merge branch '7.3' into 7.4
• 4bc8440 Merge branch '6.4' into 7.3
• b758162 bug #63144 [Form] Fix OrderedHashMap auto-increment logic with mixed keys (...
• cb356ab [Form] Fix OrderedHashMap auto-increment logic with mixed keys
• 5188efe don't skip custom view transformers while normalizing submitted newlines
• 8482e91 Merge branch '7.3' into 7.4
• e6b4024 Merge branch '6.4' into 7.3
• 61318b8 [Form] Fix ICU 72+ whitespace handling in DateTimeToLocalizedStringTransformer
• b085d61 Merge branch '7.3' into 7.4
• fd74772 do not use PHPUnit mock objects without configured expectations
• Additional commits viewable in compare view

Updates symfony/http-foundation from 7.4.3 to 7.4.7

Release notes

Sourced from symfony/http-foundation's releases.

v7.4.7

Changelog (symfony/http-foundation@v7.4.6...v7.4.7)

• bug #63603 Fix session cookie_lifetime not applied in mock session storage (@​nicolas-grekas)

v7.4.6

Changelog (symfony/http-foundation@v7.4.5...v7.4.6)

• bug #63448 Handle empty session data in updateTimestamp() to fix compat with PHP 8.6 (@​nicolas-grekas)
• bug #63319 BinaryFileResponse: always return 206 if Range is valid (@​Jimbolino)
• bug #63262 Reject invalid paths (@​nicolas-grekas)
• bug #54304 When calling UploadedFile::getErrorMessage() to a file which has no error and is uploaded successfully, it should not return an error (@​ArmCyber)
• bug #63230 fix engine declaration on mysql pdo table creations (@​tandev)

v7.4.5

Changelog (symfony/http-foundation@v7.4.4...v7.4.5)

• bug #63137 Fix PdoSessionHandler charset-collation mismatch with the Doctrine DBAL (@​samy-mahmoudi)

v7.4.4

Changelog (symfony/http-foundation@v7.4.3...v7.4.4)

• bug #63012 Fix double-prefixing of session keys when using redis/memcached (@​nicolas-grekas)

Commits

• f94b3e7 Merge branch '6.4' into 7.4
• cffffd0 [HttpFoundation] Fix session cookie_lifetime not applied in mock session storage
• fd97d5e Merge branch '6.4' into 7.4
• 5bb346d [HttpFoundation] Handle empty session data in updateTimestamp() to fix compat...
• 17de1a3 Merge branch '6.4' into 7.4
• 31b030e stop using with*() without expects()
• 36ba5c7 Merge branch '6.4' into 7.4
• 31e2a27 BinaryFileResponse: always return 206 if Range is valid
• 669ac23 Merge branch '6.4' into 7.4
• 2ed100b [HttpFoundation] Reject invalid paths
• Additional commits viewable in compare view

Updates symfony/security-bundle from 7.4.0 to 7.4.6

Release notes

Sourced from symfony/security-bundle's releases.

v7.4.6

Changelog (symfony/security-bundle@v7.4.5...v7.4.6)

• bug #63454 Fix lazy firewall triggering remember me authentication on POST requests to public routes (@​nicolas-grekas)
• bug #63439 Update security-1.0.xsd with missing oauth2 element (@​welcoMattic)

v7.4.4

Changelog (symfony/security-bundle@v7.4.3...v7.4.4)

• bug #62973 fix the security profiler template (@​aurac)

Commits

• d79c6d9 Merge branch '6.4' into 7.4
• f67bd24 [Security] Fix lazy firewall triggering remember me authentication on POST re...
• f738b7b Update security-1.0.xsd with missing oauth2 element
• a907dbe Merge branch '6.4' into 7.4
• 31604f8 remove usages of the deprecated any() invoked count expectation
• a325e38 use PHPUnit 13 on PHP 8.4+
• 7281b64 Merge branch '7.3' into 7.4
• 03d6ba1 bug #62973 [WebProfiler] fix the security profiler template (aurac)
• 4289702 [WebProfiler] fix the security profiler template
• 1a55c47 Merge branch '7.3' into 7.4
• Additional commits viewable in compare view

Updates symfony/translation from 7.4.3 to 7.4.6

Release notes

Sourced from symfony/translation's releases.

v7.4.6

Changelog (symfony/translation@v7.4.5...v7.4.6)

• bug #63231 Fix for Crowdin Translation File Replaced with Partial Data When Pushing Default Locale Without --force (@​bhdnb)

v7.4.4

Changelog (symfony/translation@v7.4.3...v7.4.4)

• bug #63064 Fix handling of empty lines in CsvFileLoader (@​fnogatz)

Commits

• 1888cf0 Merge branch '6.4' into 7.4
• d07d117 remove usages of the deprecated any() invoked count expectation
• bfde137 Merge branch '7.3' into 7.4
• 3d2b54f Merge branch '6.4' into 7.3
• d6cc8e2 [Translation] Fix handling of empty lines in CsvFileLoader
• See full diff in compare view

Updates symfony/twig-bundle from 7.4.3 to 7.4.4

Release notes

Sourced from symfony/twig-bundle's releases.

v7.4.4

Changelog (symfony/twig-bundle@v7.4.3...v7.4.4)

• no significant changes

Commits

• e8829e0 Merge branch '7.3' into 7.4
• 5dfe33a Merge branch '6.4' into 7.3
• a5c8dcc do not use PHPUnit mock objects without configured expectations
• See full diff in compare view

Updates twig/extra-bundle from 3.22.2 to 3.23.0

Commits

• 7a27e78 minor #4718 Add .gitignore & .gitattributes to all .gitattributes (jmsche)
• 8f6488a Add .gitignore & .gitattributes to all .gitattributes
• See full diff in compare view

Updates twig/twig from 3.22.2 to 3.23.0

Changelog

Sourced from twig/twig's changelog.

3.23.0 (2026-01-23)

• Add = assignment operator (allows to set variables in expression or to replace the short-form of the set tag)
• Add sequence, mapping, and object destructuring
• Add ?. null-safe operator
• Add === and !== operators (equivalent to the same as and not same as tests)
• Fix opcache preload warning for unlinked anonymous class
• Fix spread operator behavior

Commits

• a64dc5d Prepare the release
• b0c42a9 Update CHANGELOG
• b609ae9 feature #4744 Add support for object and mapping destructuring (fabpot)
• 8a0f8ac Add support for object and mapping destructuring
• 76c404e Rename classes
• d784400 feature #4742 Assignment operator array destructuring (fabpot)
• bb99af3 Assignment operator array destructuring
• dfeb162 Fix doc notes
• 85ccfb1 Fix doc notes
• be1797d feature #4735 Add the = assignment operator (fabpot)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions