Update api-platform packages to v4

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
api-platform/core (source)	^3.4.17 → ^4.3.13

---

Release Notes

api-platform/core (api-platform/core)

v4.3.13

Compare Source

Bug fixes

• 098d52766 fix(elasticsearch): coerce document _id to declared int identifier type (#​8296)
• 20baa6180 fix(openapi): throw clear error for openapi parameter missing name in yaml config (#​8297)
• 9e18fe013 fix(jsonschema): embed relations of non-resource objects in output schema (#​8294)

v4.3.12

Compare Source

Bug fixes

• 6bcbeb2db fix(serializer): validate IRI target class on relation denormalization
• 6b1fe1e47 fix(doctrine): guard unmapped relation links in ORM handleLinks (#​8293)
• cc021e4fa fix(graphql): honor custom mutation output class in payload type (#​8300)

v4.3.11

Compare Source

Bug fixes

• 2726085ae fix(metadata): keep explicitly set GraphQL mutation description (#​8286)
• 4819b5f9f fix(metadata): metadata mutators for resource & operations with lower priority (#​8273)
• 6b8bd0a3d fix(metadata): read ApiProperty from trait private properties inherited via parent class (#​8275)
• aced52dd0 fix(metadata): preserve nested array query parameters in IriHelper (#​8278)
• c37e27079 fix(metadata): preserve explicit class on ApiResource when propagating defaults (#​8262)
• c79045718 fix(jsonschema): embed genId:false relations in output schema (#​8272)
• ce4f6c210 fix(jsonschema): don't leak operation deprecation onto sub-schemas (#​8289)
• 134bb5cd7 fix(jsonld): replace already-populated nested relation from embedded @​id on patch (#​8274)
• 4b50a4edc fix(hydra): declare hydra:view links as nullable in json schema (#​8277)
• 78538aa90 fix(mcp): resolve $ref inside oneOf/anyOf when flattening tool outputSchema (#​8268)
• a8d4b00f5 fix(mcp): always serialize payload into TextContent when structuredContent is disabled (#​8270)
• 1ffe0ada8 fix(symfony): register http cache purgers independently of invalidation flag (#​8260)
• 81a1307fe fix(symfony): expose uri variables in security expression context (#​8279)
• d6fd5bfae fix(httpcache): allow custom http method on SouinPurger and SurrogateKeysPurger (#​8259)
• b3b376225 fix(openapi): ship oauth2-redirect.js with swagger-ui assets (#​8261)
• fb2062465 fix(swagger): improve dark mode button in swaggerUI (#​8265)

Notes

• JSON-LD PATCH: an embedded @id on a nested writable relation now replaces the currently-linked relation when it points to a different resource. A dangling embedded @id now returns a 400 instead of being silently ignored (it previously mutated the existing relation in place). See #​8274.

v4.3.10

Compare Source

Bug fixes

• 149adf70f fix(laravel): register graphql routes before catch-all entrypoint (#​8248)
• 1bc670c72 fix(jsonapi): allow opt-in client-generated IDs on POST per spec (#​7930)
• 39edcdddd fix(symfony): skip ErrorResourceAttributeLoaderPass on Symfony 6.4 (#​8253)
• 4609a9e5d fix(graphql): dispatch item Query through its own provider (#​8237)
• 5c62c1bd8 fix(jsonapi): do not require id in input schema for post operations (#​8252)
• 7bde11eb9 fix(swagger): fix SwaggerUI CSS override (#​8245)
• 86a09b3c3 fix(state): guard hex2bin against malformed query parameter keys (#​8255)
• a6bdf7134 fix(laravel): detect enum casts in eloquent property metadata factory (#​8247)
• b5c41aff5 fix(laravel): honor path_segment_name_generator config for url segments (#​8251)
• d5d8176f1 fix(serializer): allow nullable to-many relations to normalize as null (#​8254)
• f4d2b56c2 fix(laravel): persist dirty embedded belongsTo relations (#​8246)

v4.3.9

Compare Source

Bug fixes

• e7968852c fix(serializer): bump api-platform/serializer to ^4.3.8 and cover Hal in CI (#​8242)
• d59c24490 fix(graphql): return identifier-only node on circular reference (#​8239)
• b714a4451 fix(graphql): nested resources without graphqloperations propagate fields (#​8236)
• ca8fbf9de fix(hydra): format datetime fields as iso 8601 in cursor pagination urls (#​8241)
• cfe1bc324 fix(doctrine): extract alias from sql function in orderby parts (#​8240)
• 8567366a7 fix(test): capture streamedresponse body in test client response (#​8235)

v4.3.8

Compare Source

Bug fixes

• cf55c0e7b fix(serializer): gate cache_key in JsonApi and Hal with isCacheKeySafe
• 0e0c58b87 fix(symfony): filter nested constraint groups in Sequentially/Compound (#​8223)
• 277589de6 fix(symfony): keep error serialization mapping when enable_attributes is disabled (#​8231)
• 30f1f977a fix(tests): symfony 8.1 compat (#​8210)
• 37e361339 fix(jsonapi): keep flat custom params with flat page (#​8216) (#​8217)
• 4059c6303 fix(laravel): wire jsonapi.use_iri_as_id in ApiPlatformProvider (#​8224)
• 4378916ac fix(jsonapi): drop consumed pagination keys before raw-param replace
• 46c25c7e4 fix(symfony): reject duplicate operation names instead of silently dropping operations (#​8232)
• 6fc55c27d fix(metadata): apply YAML/XML attributes to virtual (method-backed) properties (#​8220)
• 71fcb9314 fix(test): default content-type in ApiTestCase matches configured formats (#​8227)
• 7aed9d10c fix(openapi): emit valid 3.0 schemas when downgrading from 3.1 (#​8225)
• 90bcfb09a fix(doctrine): resolve parent link toProperty during PUT create (#​8233)
• 9aca842d4 fix(state): omit Content-Type when response has no body (#​8218)
• abef010cf fix(openapi): emit Draft 4 boolean exclusive bounds for spec 3.0.0 (#​8222)
• c83558954 fix(openapi): disambiguate definition names when input and output share a shortname (#​8230)
• ef40bcda6 fix(graphiql): migrate to v5 via esm.sh CDN (#​8209)
• ef79ab337 fix(symfony): guard null ExpressionLanguage in ResourceAccessChecker::usesObjectVariable()
• fd08d296a fix(openapi): coerce metadata parameters in user-supplied openapi operation (#​8229)
• fd2518695 fix(serializer): bump min serializer dep and fix phpstan probe typing

v4.3.7

Compare Source

Bug fixes

• 90ae5142b fix(openapi): include jsonapi collection schema (#​8190)
• ab8bfd529 fix(symfony): isolate api_platform.property_info tags (#​8206)

v4.3.6

Compare Source

Bug fixes

• 080574ad3 fix(symfony): register property_info fallback when not provided by Symfony (#​7969)
• 286a47e72 fix(jsonapi): merge flat page/itemsPerPage params with bracket filter (#​8193)
• 412682ede fix(serializer): translate PropertyAccess type mismatches to NotNormalizableValueException (#​7967)
• 44bb18ddd fix(state): convert BackedEnum denormalization errors into validation violations (#​8195)
• 53d8f5615 fix(metadata): :property dedup drops repeated parameters (#​8196)
• 84d15b1f1 fix(metadata): negotiate wildcard Accept with parameters (#​8192)
• 91f93e013 fix(laravel): set application/ld+json content-type on /contexts/{shortName} (#​7973)
• ae4ea864e fix(symfony,laravel): IriConverter local cache key collision between item and collection ops (#​7975)
• bf3fded64 fix(symfony): include value-object transformers in JSON-LD streamer locator (#​7968)
• f533810f7 fix(graphql): accept FilterInterface instance in QueryParameter (#​7972)

v4.3.5

Compare Source

Bug fixes

• 78c4ddf02 fix(symfony): Symfony 8.1 compatibility (#​7955)
• 14d5e8279 fix(symfony): api_platform_iris loader misses item Gets and api_genid (#​7946)
• f88b9122f fix(hydra): emit hydra:next and hydra:previous on empty cursor-paginated collections (#​7961)
• 1721a7366 fix(mcp): jsonld schema handle oneOf and anyOf (#​7962)
• 03ca10c17 fix(mcp): add title support to Tool
• 30a8e9ef0 fix(laravel): inject missing dependencies into HydraSchemaFactory (#​7963)
• 173dc6631 fix(laravel): fall back to resource class when object is null in ResourceAccessChecker (#​7948)
• 445529519 fix(laravel): don't cache empty Eloquent attributes for missing table
• 67d7a3dc2 fix(laravel): use lowercase asc/desc for Eloquent orderBy
• 85f6269c3 fix(laravel): expose ReDoc/Scalar in docs footer

v4.3.4

Compare Source

Bug fixes

• 0160a72e1 fix(doctrine): IriFilter ignores custom ApiProperty identifier on ODM (#​7937)
• 37f248a45 fix(state): use exception message for user-facing violation when available (#​7894)
• 472ae3f22 fix(openapi): generate both singular and array parameter variants for filters (#​7906)
• 88ddc3680 fix(symfony): ensure ErrorListener is fully stateless to prevent stat… (#​7921)
• 90875fb46 fix: unnecessary nullable operator
• 967ff7925 fix(jsonapi): use parent-resolved class in denormalizeRelation
• 98112eab7 fix(symfony): api_platform_iris route loader for graphql-only setups (#​7934)
• 98f3d0f49 fix(symfony): security regression when ResourceAccessChecker is decorated (#​7896) (#​7897)
• ac374fcc4 fix(state): preserve Type message when expectedTypes is set (#​7935)
• cf80a82d5 fix(laravel): skip relation metadata for abstract Eloquent models (#​7933)
• d08eb7f44 fix: ResourceClassInfoTrait::isResourceClass() is always true (#​7924)
• e19154930 fix(validator): handle nested groups and group sequences (#​7914)
• fcfaf3844 fix(metadata): nested property filters fail to generate JOINs when relation target entity is not directly declared as ApiResource (#​7926)

v4.3.3

Compare Source

Bug fixes

• 4ad230247 fix(openapi): default explode to true for form and cookie style param… (#​7891)

v4.3.2

Compare Source

Bug fixes

• 2d6e47460 fix(openapi)!: oauth scopes with dashes in name (#​7853)
• 892c1c796 fix(openapi): uri variable default description (#​7884)
• a0daa07f9 fix(openapi): fallback description on summary (#​7874)
• a7072be4a fix(metadata): nested filtering only on resource classes (#​7864)
• e14ae87fa fix(laravel): resolve casts defined via casts() method (#​7859)

Notes

• The fix for oauth scopes with dashes in name (#​7853) may change the current OpenAPI description but the risk is low.

v4.3.1

Compare Source

Bug fixes

• 098d52766 fix(elasticsearch): coerce document _id to declared int identifier type (#​8296)
• 20baa6180 fix(openapi): throw clear error for openapi parameter missing name in yaml config (#​8297)
• 9e18fe013 fix(jsonschema): embed relations of non-resource objects in output schema (#​8294)

v4.3.0

Compare Source

Features

• fa3b69635 feat(mcp): introduce api-platform/mcp component (#​7703)
• d13c24759 feat: mcp bundle tool integration (#​7595)
• ed0ae92ce feat: add support of collection to MCP (#​7724)
• 6e9e88dc2 feat(laravel): mcp support (#​7709)
• 6addc554d feat(openapi): Scalar API Reference documentation support (#​7817)
• 05a5d4d93 feat(laravel): object mapper (#​7704)
• 359a128cd feat(symfony): isGranted before provider (#​7500)
• 32e94848c feat: support relations on filters (#​7711)
• 2682fc5fc feat: defaults parameters (#​7758)
• d640d106b feat(doctrine): uuid filter (#​7628)
• c56a35469 feat(doctrine): add nested relation support to IriFilter and UuidFilter (#​7759)
• 5a876cc92 feat(doctrine): ComparisonFilter decorator for range filtering (#​7760)
• 19809c617 feat(doctrine): ne (not equal) operator for ComparisonFilter (#​7814)
• 6ba9c8b4d feat(doctrine): Add caseSensitive option to PartialSearchFilter (#​7675)
• 9f98aff46 feat(doctrine): add ODM SortFilter and nested property support for parameter-based filters (#​7780)
• 6f5d41458 feat(doctrine): remove PUT & PATCH for readonly entity (#​7453)
• 64b46b2d0 feat(jsonschema): support for normalization/denormalization with attributes (#​7629)
• c70cd449f feat(json-schema): handle union object types in iterable properties (#​7726)
• 625438cf2 feat(jsonapi): support entity identifiers instead of IRIs as resource id
• 833f3fec6 feat(serializer): option to preserve key in CollectionNormalizer (#​7721)
• 383a5fa67 feat(serializer): global defaults.normalization_context.gen_id configuration option (#​7775)
• 516ee3a28 feat(elasticsearch): OpenSearch support (#​7811)
• 21aa2572d feat(elasticsearch): add SSL options for Elasticsearch configuration (#​4059)
• fe63ddec8 feat(validator): uuid/ulid parameter validation (#​7649)
• 1427dfa91 feat(metadata): expose default attribute on parameters (#​7551)
• 63fba2a4e feat(metadata): cache operation metadata factory (#​7516)
• 350390ba3 feat(state): add headers to comply with LDP specification (#​6917)
• 8bdb2bc91 feat(symfony): allow symfony makers namespace configuration (#​7497)
• 45831a93c feat: enable to skip autoconfiguration with new SkipAutoconfigure attribute (#​7467)
• 26d1ac4d6 feat: allow both uppercase and lowercase order direction in OrderFilter schema (#​7741)
• 6626549b6 feat: correctly map problem-detail fields when using ProblemExceptionInterface (#​7776)
• db147a52f feat(laravel): split render logic from error handler (#​7790)

Bug fixes

• 263dbd8b2 fix: call object mapper with the expected class on 4.3 (#​7796)
• af7c22749 fix(jsonld): use operation shortName for @​context URI with multiple ApiResources
• 86b97d5ea fix(mcp): propagate session via processor context
• 3b9ed3bd4 fix(laravel): make api-platform/mcp optional (#​7824) (#​7828)
• 27cc4dbb3 fix(laravel): improve UI selection for documentation (#​7826)
• e16f7ec4f fix(laravel): add init-scalar-ui.js to Laravel's assets (#​7825)
• 5ca646111 fix(mcp): fallback to sdk handler when not found (#​7818)
• 95ec407bf fix(jsonapi): wrong variable name during merge (#​7816)
• 04c30b7ee fix(jsonapi): prevent double unwrapping of data.attributes with input DTOs
• 191a46122 fix(serializer): apply API Platform name converter to input/output DTOs (#​7779)
• 2e0b8ffb6 fix(serializer): prevent api_platform_output context from leaking to nested non-resource objects (#​7787)
• c6236f313 fix(serializer): report all missing constructor arguments in instantiateObject
• 31289b838 fix(symfony): make enable_docs a master switch for disabling documentation (#​7806)
• 64247b050 fix(metadata): sort parameters by priority after pattern expansion (#​7788)
• 813e4f793 fix(validator): missing required properties when using GroupSequence (#​7784)
• 90dfc3554 fix(validator): handle nested groups and group sequences (#​7791)
• 28834e6d6 fix(validator): validate entities after ObjectMapper transformation (#​7731)
• 98b8efb68 fix(laravel): exclude .blade.php files from recursive class scan (#​7813)
• cfdc22c1c fix(laravel): do not exclude custom primary keys matching HasMany foreign keys (#​7810)
• 9f1109365 fix(hydra): example type - use @​type prefix per JSON-LD spec (#​7768)
• 75ffdc43f fix(hydra): hide search key when there is parameter without filter (#​7773)
• e0ba0068d fix(hydra): unique class @​id with subClassOf for semantic types (#​7771)
• 9fdc6c27d fix(openapi): allow Operations to override global config in getPaginationParameters (#​7807)
• 0f025e849 fix(state): handle partial pagination with object mapper (#​7769)
• a2efb39e1 fix(elasticsearch): mono-repo v9 support (#​7766)
• 332272c6f fix(jsonld): restore item_uri_template @​type resolution after 4.2 merge (#​7764)
• 390056fbb fix(jsonld): item uri template type (#​7518)
• f0b355984 fix(symfony): use AsCommand description parameter for console commands (#​7763)
• 23840f9df fix(symfony): publish mercure updates for all resources of an entity (#​7774)
• c624daf68 fix(symfony): allow toggling GraphQL Playground to ensure BC
• c741bd62e fix: add missing RPC messenger handler for Symfony 8.1 compatibility
• a4715f063 fix(doctrine): enforce api-platform/serializer dependency (#​7781)
• 149fe24a1 fix(doctrine): throw exception if property is null for the doctrine filters (#​7681)
• 17b6ff221 fix(jsonschema): name collision when an operation name is already used by another class (#​7778)
• 4f6c4e1b4 fix(laravel): object-mapper / mcp-bundle versions

Breaking changes

• JSON-LD @type with output and itemUriTemplate: When using output with itemUriTemplate on a collection operation, the JSON-LD @type now uses the resource class name instead of the output DTO class name for semantic consistency with itemUriTemplate behavior. Update any client code that relies on the DTO class name in @type.
• Doctrine filters require explicit property (#​7681): Doctrine parameter-based filters (ExactFilter, IriFilter, PartialSearchFilter, UuidFilter) now throw InvalidArgumentException if the property attribute is missing. If you have filter parameters without an explicit property, you must either add one or use the :property placeholder in your parameter name.
• Readonly Doctrine entities lose PUT & PATCH (#​7453): Entities marked as readonly via Doctrine metadata ($classMetadata->markReadOnly()) will no longer expose PUT and PATCH operations. Clients sending PUT/PATCH to these resources will receive a 404. If you need write operations on readonly entities, explicitly define them in your ApiResource attribute.

Behavioral changes

• Hydra class @id now always uses #ShortName (#​7771): Hydra documentation classes now consistently use #ShortName as their @id instead of schema.org type URIs (e.g. schema:Product). This resolves class identifier collisions when multiple resources shared the same semantic type, which previously caused api-doc-parser conflation. Semantic types configured via types are now exposed through rdfs:subClassOf. Clients should expect class @id and property range changes in the Hydra documentation if resources had custom types configured.
• isGranted evaluated before provider (#​7500): Security expressions are now evaluated before the state provider runs. Expressions that do not reference the object variable will be checked earlier (at the pre_read stage), improving security by preventing unnecessary database queries on unauthorized requests. Expressions that reference object still wait for the provider to resolve the entity. Review any security expressions that relied on provider side-effects running before authorization.
• LDP-compliant response headers (#​6917): API responses now include Allow and Accept-Post headers per the Linked Data Platform specification. These are informational headers that help clients discover API capabilities and should not break existing integrations.
• Scalar API Reference UI (#​7817): Scalar is now available as an alternative documentation UI alongside Swagger UI. It is enabled by default when TwigBundle is available. Access it via ?ui=scalar. To disable it, set enable_scalar: false in your API Platform configuration.

v4.2.26

Compare Source

🔒 Security

Fixes CVE-2026-54164 (GHSA-9rjg-x2p2-h68h) — type confusion: relation IRIs were not type-checked, so a writable relation could be assigned a resource of the wrong type.

• fix(serializer): validate IRI target class on relation denormalization (6bcbeb2)

Full Changelog: api-platform/core@v4.2.25...v4.2.26

v4.2.25

Compare Source

Bug fixes

• 019fd9012 fix(serializer): gate cache_key in JsonApi and Hal with isCacheKeySafe
• 1bfd6eecd fix(serializer): bump min serializer dep and fix phpstan probe typing

v4.2.24

Compare Source

Bug fixes

• 8cb5a6044 fix(state): do not map to input class in ObjectMapperProvider (#​7892)

v4.2.23

Compare Source

Bug fixes

• 1bddff82f fix(doctrine): inject nameConverter into AbstractFilter via QueryParameter (#​7877)
• 5a3a7dc4b fix(state): prioritize input class over output in ObjectMapperProvider (#​7879)
• 7c562a51f fix(laravel): partial patch validation config to replace required with sometimes (#​7882)
• 9c2810b08 fix(metadata): read operation tags from OpenAPI context in XML (#​7865)
• a1292592e fix(doctrine): skip links with no join info when fromClass differs from entityClass (#​7878)
• aefeca529 fix(symfony): remove json stream conflicting service (#​7867)
• e447ab1fc fix(serializer): disable normalizer cache to prevent wrong normalizer in worker mode (#​7868) (#​7873)
• fff8213b2 fix(serializer): handle nullable constructor params without default value (#​7883)

v4.2.22

Compare Source

Bug fixes

• 3e96fc679 fix(serializer): evaluate ApiProperty security on input DTOs (#​7852)
• c7ababf2d fix(hydra): use compact IRI for owl:onProperty and Collection @​id in DocumentationNormalizer (#​7849)

v4.2.21

Compare Source

Bug fixes

• 20ced5fca fix(laravel): clear SkolemIriConverter state between requests (#​7838)
• 2b2b7bca2 fix(filter): use correct type for int-backed enums in BackedEnumFilter
• 42a2d7fc6 fix(symfony): register DateTimeValueObjectTransformer for JsonStreamer (#​7839)
• 63e6b57f8 fix(openapi): correct redocly openapi errors (#​7834)
• 6a472a2db fix(jsonapi): swap arguments in DefinitionNameFactory::create() call
• bbfd4cafa fix(filter): do not nest array while generating default schema (#​7832)
• c20a41c20 fix(symfony): clear SkolemIriConverter state between requests via ResetInterface (#​7829)
• d6ecbe122 fix(serializer): Use serializer when denormalizing relation inside Input (#​7830)
• da6232468 fix(metadata): allow GraphQL-only resources without identifiers (#​3975) (#​7836)
• f4002902a fix(state): on creation, give expected class to object mapper (#​7795)

v4.2.20

Compare Source

Bug fixes

• 31289b838 fix(symfony): make enable_docs a master switch for disabling documentation (#​7806)
• 64115e152 fix(odm): partial pagination limit the documents entering $facet (#​7822)
• 98b8efb68 fix(laravel): exclude .blade.php files from recursive class scan (#​7813)
• 9fdc6c27d fix(opena

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone America/New_York)

• Branch creation
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.