
Update dependency symfony/http-client to 5.4.* [SECURITY] #134

Open: wants to merge 1 commit into base branch main

Conversation

renovate[bot] (Contributor) commented Nov 6, 2024

This PR contains the following updates:

Package: symfony/http-client (source)
Change: 5.2.* -> 5.4.*

GitHub Vulnerability Alerts

CVE-2024-50342

Description

When using the NoPrivateNetworkHttpClient, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration.

Resolution

The NoPrivateNetworkHttpClient now filters blocked IPs earlier to prevent such leaks.

The first patch for this issue is available here for branch 5.4.

The second one is available here for branch 5.4 also.

Credits

We would like to thank Linus Karlsson and Chris Smith for reporting the issue and Nicolas Grekas for providing the fix.


Release Notes

symfony/http-client (symfony/http-client)

v5.4.47

Changelog (symfony/http-client@v5.4.46...v5.4.47)

v5.4.46

Changelog (symfony/http-client@v5.4.45...v5.4.46)

v5.4.45

Changelog (symfony/http-client@v5.4.44...v5.4.45)

  • no significant changes

v5.4.44

Changelog (symfony/http-client@v5.4.43...v5.4.44)

v5.4.43

Changelog (symfony/http-client@v5.4.42...v5.4.43)

v5.4.42

Changelog (symfony/http-client@v5.4.41...v5.4.42)

  • no significant changes

v5.4.41

Changelog (symfony/http-client@v5.4.40...v5.4.41)

v5.4.40

Changelog (symfony/http-client@v5.4.39...v5.4.40)

v5.4.39

Changelog (symfony/http-client@v5.4.38...v5.4.39)

v5.4.38

Changelog (symfony/http-client@v5.4.37...v5.4.38)

v5.4.37

Changelog (symfony/http-client@v5.4.36...v5.4.37)

v5.4.36

Changelog (symfony/http-client@v5.4.35...v5.4.36)

v5.4.35

Changelog (symfony/http-client@v5.4.34...v5.4.35)

v5.4.34

Changelog (symfony/http-client@v5.4.33...v5.4.34)

v5.4.31

Changelog (symfony/http-client@v5.4.30...v5.4.31)

v5.4.29

Changelog (symfony/http-client@v5.4.28...v5.4.29)

v5.4.26

Changelog (symfony/http-client@v5.4.25...v5.4.26)

  • no significant changes

v5.4.25

Changelog (symfony/http-client@v5.4.24...v5.4.25)

v5.4.24

Changelog (symfony/http-client@v5.4.23...v5.4.24)

v5.4.23

Changelog (symfony/http-client@v5.4.22...v5.4.23)

  • bug #​50072 Fix global state preventing two CurlHttpClient instances from working together (nicolas-grekas)
  • bug #​50004 fix proxied redirects in curl client (matthi4s)
  • bug #​49926 Fix canceling MockResponse (fancyweb)

v5.4.22

Changelog (symfony/http-client@v5.4.21...v5.4.22)

  • bug #​49796 Fix not calling the on progress callback when canceling a MockResponse (fancyweb)
  • bug #​49722 Encode and decode curly brackets {} (pbowyer)
  • bug #​49580 Fix encoding "+" in URLs (nicolas-grekas)

v5.4.21

Changelog (symfony/http-client@v5.4.20...v5.4.21)

  • bug #​49299 Fix over-encoding of URL parts to match browser's behavior (nicolas-grekas)
  • bug #​49301 Fix data collector (fancyweb)

v5.4.20

Changelog (symfony/http-client@v5.4.19...v5.4.20)

  • bug #​49104 Fix collecting data non-late for the profiler (nicolas-grekas)

v5.4.19

Changelog (symfony/http-client@v5.4.18...v5.4.19)

  • bug #​48966 Let curl handle content-length headers (nicolas-grekas)
  • bug #​48898 Move Http clients data collecting at a late level (pforesi)

v5.4.17

Changelog (symfony/http-client@v5.4.16...v5.4.17)

  • bug #​47836 TraceableHttpClient: increase decorator's priority (adpeyre)

v5.4.16

Changelog (symfony/http-client@v5.4.15...v5.4.16)

  • bug #​48173 Handle Amp HTTP client v5 incompatibility gracefully (fancyweb)
  • bug #​48103 Do not set http_version instead of setting it to null (Tetragramat)

v5.4.15

Changelog (symfony/http-client@v5.4.14...v5.4.15)

  • bug #​47990 Fix retrying requests when the content is used by the strategy (nicolas-grekas)
  • bug #​47879 Fix buffering after calling AsyncContext::passthru() (nicolas-grekas, lubo13)

v5.4.14

Changelog (symfony/http-client@v5.4.13...v5.4.14)

  • bug #​47808 Fix seeking in not-yet-initialized requests (nicolas-grekas)

v5.4.13

Changelog (symfony/http-client@v5.4.12...v5.4.13)

  • bug #​47441 Bugfix for delayed retryableHttpClient (martkop26)
  • bug #​47415 Psr18Client ignore invalid HTTP headers (nuryagdym)

v5.4.12

Changelog (symfony/http-client@v5.4.11...v5.4.12)

  • bug #​47145 Fix shared connections not being freed on PHP < 8 (nicolas-grekas)
  • bug #​47143 Fix memory leak when using StreamWrapper (nicolas-grekas)

v5.4.11

Changelog (symfony/http-client@v5.4.10...v5.4.11)

  • bug #​47086 Workaround disabled "var_dump" (nicolas-grekas)

v5.4.9

Changelog (symfony/http-client@v5.4.8...v5.4.9)

  • bug #​46382 Honor "max_duration" when replacing requests with async decorators (nicolas-grekas)
  • bug #​46380 Add missing HttpOptions::setMaxDuration() (nicolas-grekas)

v5.4.8

Changelog (symfony/http-client@v5.4.7...v5.4.8)

  • bug #​45998 Fix sending content-length when streaming the body (nicolas-grekas)

v5.4.7

Changelog (symfony/http-client@v5.4.6...v5.4.7)

  • bug #​45906 on redirections don't send content related request headers (xabbuh)
  • bug #​45814 Let curl handle Content-Length headers (nicolas-grekas)
  • bug #​45813 Move Content-Type after Content-Length (nicolas-grekas)
  • bug #​45678 Fix reading proxy settings from dotenv when curl is used (nicolas-grekas)

v5.4.5

Changelog (symfony/http-client@v5.4.4...v5.4.5)

  • bug #​45527 Fix overriding default options with null (nicolas-grekas)
  • bug #​45261 Fix Content-Length header when possible (nicolas-grekas)

v5.4.3

Changelog (symfony/http-client@v5.4.2...v5.4.3)

  • bug #​45073 Fix Failed to open stream: Too many open files (adrienfr)
  • bug #​45015 fix resetting DNS/etc when calling CurlHttpClient::reset() (nicolas-grekas)
  • bug #​45004 Remove deprecated usage of GuzzleHttp\Promise\promise_for (plozmun)
  • bug #​44890 Remove deprecated usage of GuzzleHttp\Promise\queue (GrahamCampbell)
  • bug #​44878 Turn negative timeout to a very long timeout (fancyweb)

v5.4.2

Changelog (symfony/http-client@v5.4.1...v5.4.2)

  • bug #​44743 fix checking for recent curl consts (nicolas-grekas)
  • bug #​44671 Fix tracing requests made after calling withOptions() (nicolas-grekas)
  • bug #​44625 fix monitoring responses issued before reset() (nicolas-grekas)
  • bug #​44623 Fix dealing with "HTTP/1.1 000 " responses (nicolas-grekas)
  • bug #​44601 Fix closing curl-multi handle too early on destruct (nicolas-grekas)
  • bug #​44571 Don't reset timeout counter when initializing requests (nicolas-grekas)
  • bug #​44479 Double check if handle is complete (Nyholm)
  • bug #​44438 Fix handling thrown \Exception in \Generator in MockResponse (fancyweb)

v5.4.1

Changelog (symfony/http-client@v5.4.0...v5.4.1)

  • bug #​44361 Fix handling error info in MockResponse (fancyweb)

v5.4.0

Changelog (symfony/http-client@v5.4.0-RC1...v5.4.0)

  • no significant changes

v5.3.14

Changelog (symfony/http-client@v5.3.13...v5.3.14)

  • bug #​45073 Fix Failed to open stream: Too many open files (adrienfr)
  • bug #​45015 fix resetting DNS/etc when calling CurlHttpClient::reset() (nicolas-grekas)
  • bug #​45004 Remove deprecated usage of GuzzleHttp\Promise\promise_for (plozmun)
  • bug #​44890 Remove deprecated usage of GuzzleHttp\Promise\queue (GrahamCampbell)
  • bug #​44878 Turn negative timeout to a very long timeout (fancyweb)

v5.3.13

Changelog (symfony/http-client@v5.3.12...v5.3.13)

  • bug #​44743 fix checking for recent curl consts (nicolas-grekas)
  • bug #​44671 Fix tracing requests made after calling withOptions() (nicolas-grekas)
  • bug #​44625 fix monitoring responses issued before reset() (nicolas-grekas)
  • bug #​44623 Fix dealing with "HTTP/1.1 000 " responses (nicolas-grekas)
  • bug #​44601 Fix closing curl-multi handle too early on destruct (nicolas-grekas)
  • bug #​44571 Don't reset timeout counter when initializing requests (nicolas-grekas)
  • bug #​44479 Double check if handle is complete (Nyholm)
  • bug #​44438 Fix handling thrown \Exception in \Generator in MockResponse (fancyweb)
  • bug #​44361 Fix handling error info in MockResponse (fancyweb)

v5.3.11

Changelog (symfony/http-client@v5.3.10...v5.3.11)

  • bug #​44119 Add correct IDN flags for IDNA2008 compliance (j-bernard)
  • bug #​43961 Curl http client has to reinit curl multi handle on reset (rmikalkenas)

v5.3.10

Changelog (symfony/http-client@v5.3.9...v5.3.10)

  • bug #​43569 fix collecting debug info on destruction of CurlResponse (nicolas-grekas)
  • bug #​43537 fix RetryableHttpClient when a response is canceled (nicolas-grekas)
  • bug #​43333 fix missing kernel.reset tag on TraceableHttpClient services (nicolas-grekas)
  • bug #​43243 accept headers when CURLE_RECV_ERROR is received before the content (nicolas-grekas)

v5.3.8

Changelog (symfony/http-client@v5.3.7...v5.3.8)

  • bug #​42896 Fix handling timeouts when responses are destructed (nicolas-grekas)

v5.3.7

Changelog (symfony/http-client@v5.3.6...v5.3.7)

  • bug #​42769 Don't pass float to usleep() (derrabus)

v5.3.4

Changelog (symfony/http-client@v5.3.3...v5.3.4)

  • bug #​42174 Indicate compatibility with psr/log 2 and 3 (derrabus)

v5.3.3

Changelog (symfony/http-client@v5.3.2...v5.3.3)

  • bug #​41807 fix Psr18Client when allow_url_fopen=0 (nicolas-grekas)

v5.3.2

Changelog (symfony/http-client@v5.3.1...v5.3.2)

  • bug #​41674 fix compat with cURL <= 7.37 (nicolas-grekas)
  • bug #​41656 throw exception when AsyncDecoratorTrait gets an already consumed response (nicolas-grekas)
  • bug #​41624 Revert bindto workaround for unaffected PHP versions (derrabus)

v5.3.0

Changelog (symfony/http-client@v5.3.0-RC1...v5.3.0)

  • no significant changes

v5.2.12

Changelog (symfony/http-client@v5.2.11...v5.2.12)

  • bug #​42174 Indicate compatibility with psr/log 2 and 3 (derrabus)

v5.2.11

Changelog (symfony/http-client@v5.2.10...v5.2.11)

  • bug #​41807 fix Psr18Client when allow_url_fopen=0 (nicolas-grekas)
  • bug #​41674 fix compat with cURL <= 7.37 (nicolas-grekas)
  • bug #​41656 throw exception when AsyncDecoratorTrait gets an already consumed response (nicolas-grekas)
  • bug #​41624 Revert bindto workaround for unaffected PHP versions (derrabus)

v5.2.10

Changelog (symfony/http-client@v5.2.9...v5.2.10)

  • no significant changes

v5.2.9

Changelog (symfony/http-client@v5.2.8...v5.2.9)

  • bug #​41224 fix adding query string to relative URLs with scoped clients (nicolas-grekas)

v5.2.8

Changelog (symfony/http-client@v5.2.7...v5.2.8)

  • bug #​41160 Don't prepare the request in ScopingHttpClient (nicolas-grekas)

v5.2.7

Changelog (symfony/http-client@v5.2.6...v5.2.7)

  • bug #​40702 allow CurlHttpClient on Windows (n0rbyt3)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate.
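The advisory in this PR says the fix makes NoPrivateNetworkHttpClient filter blocked IPs earlier, so that host resolution leaks nothing about the internal network. The Python below is an added illustration of that defensive pattern; it is not Symfony's code and not part of this repository. It resolves first, discards every blocked address before any socket is opened, and fails with one uniform error that names neither the resolved addresses nor the port, which is what denies a caller the IP/port enumeration the advisory describes. The blocklist, the FAKE_DNS table and the fake connector are constructed for the example.

```python
"""Resolve-then-filter egress guard (added illustration; not Symfony's NoPrivateNetworkHttpClient)."""
import ipaddress
import socket
from typing import Callable, List

# Assumed blocklist: "this network", loopback, RFC 1918, link-local and their IPv6 counterparts.
BLOCKED_SUBNETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


class BlockedAddress(Exception):
    """Raised before any connection attempt. The message deliberately carries
    neither the resolved IPs nor the port, so surfacing it to a user reveals
    nothing about what the host name resolved to or what is listening."""

    def __init__(self, host: str) -> None:
        super().__init__(f"request to {host!r} refused by private-network policy")


def is_blocked(ip: str, subnets=BLOCKED_SUBNETS) -> bool:
    """True if the literal IP falls inside any blocked subnet (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in subnets)


def system_resolver(host: str) -> List[str]:
    """Default resolver: every address the OS returns for the host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def filter_resolved(host: str, resolver: Callable[[str], List[str]] = system_resolver,
                    subnets=BLOCKED_SUBNETS) -> List[str]:
    """Resolve the host and keep only addresses outside the blocked subnets.
    The filter runs here, before any socket exists: a name that resolves to a
    blocked address (or to nothing at all) gets the same uniform refusal."""
    allowed = [ip for ip in resolver(host) if not is_blocked(ip, subnets)]
    if not allowed:
        raise BlockedAddress(host)
    return allowed


def _default_connector(ip: str, port: int):
    return socket.create_connection((ip, port), timeout=5)


def connect_filtered(host: str, port: int,
                     resolver: Callable[[str], List[str]] = system_resolver,
                     connector: Callable[[str, int], object] = _default_connector):
    """Connect to the first allowed address. Blocked addresses are never handed
    to the connector, so no connect attempt (and no timing difference) leaks them."""
    last_error = None
    for ip in filter_resolved(host, resolver):
        try:
            return connector(ip, port)
        except OSError as exc:
            last_error = exc
    raise ConnectionError(f"could not connect to {host!r}") from last_error


# Constructed DNS table and connector so the example runs offline.
FAKE_DNS = {
    "internal.example": ["10.0.0.5"],
    "mixed.example": ["10.0.0.5", "203.0.113.7"],   # split answer: one private, one public
    "public.example": ["203.0.113.7"],
}


def fake_resolver(host: str) -> List[str]:
    return list(FAKE_DNS.get(host, []))


ATTEMPTED = []  # every (ip, port) the fake connector was asked to open


def fake_connector(ip: str, port: int):
    ATTEMPTED.append((ip, port))
    return (ip, port)  # stands in for a socket object


if __name__ == "__main__":
    print(connect_filtered("mixed.example", 443, fake_resolver, fake_connector))
    try:
        connect_filtered("internal.example", 8080, fake_resolver, fake_connector)
    except BlockedAddress as exc:
        print("refused:", exc)
```

The design point is the ordering: the policy check sits between resolution and connection, so a blocked address never reaches the transport layer, and the refusal text is identical whether the name resolved to one private address, several, or none.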

@renovate renovate bot requested a review from Clivern as a code owner November 6, 2024 18:31
renovate[bot] (Contributor, Author) commented Nov 6, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: composer.lock
Command failed: composer update symfony/http-client:5.4.46 --with-dependencies --ignore-platform-reqs --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins
Package "symfony/http-client:5.4.46" listed for update is not installed. Ignoring.
Loading composer repositories with package information
Warning from https://repo.packagist.org: Support for Composer 1 will be shutdown on August 1st 2025. You should upgrade to Composer 2. See https://blog.packagist.com/shutting-down-packagist-org-support-for-composer-1-x/
Updating dependencies (including require-dev)
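Because the composer update above failed, composer.lock still pins the pre-update version even though the PR's composer.json constraint moves to 5.4.*. The Python below is an added check, not part of Composer or Renovate, that reads the lock file and reports whether the locked symfony/http-client is below the first fixed release of its branch. The lock fragment is constructed, and treating 5.4.47 (the newest release in the list above) as the first fixed 5.4.x release is an assumption; other branches would need their own entries in the table.

```python
"""Lock-file audit for a branch-specific security fix (added example; not Composer or Renovate code)."""
import json
import re
from typing import Dict, Optional, Tuple

# Assumption: the first 5.4.x release carrying the fix is 5.4.47, the newest
# version in the PR's release list. Each maintained branch gets its own entry.
FIXED_BY_BRANCH: Dict[str, Dict[str, str]] = {
    "symfony/http-client": {"5.4": "5.4.47"},
}

# Constructed composer.lock fragment showing the pre-update pin.
LOCK_TEXT = json.dumps({
    "packages": [
        {"name": "symfony/http-client", "version": "v5.2.4"},
        {"name": "symfony/polyfill-php80", "version": "v1.31.0"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.6.19"},
    ],
})

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+](.+))?$")


def parse_version(raw: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn 'v5.4.0-RC1' into a comparable tuple (5, 4, 0, 0). The last element
    is 0 for a pre-release and 1 for a final release, so 5.4.0-RC1 < 5.4.0.
    Returns None for things like 'dev-main' that cannot be ordered."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def locked_versions(lock_text: str) -> Dict[str, str]:
    """Every package pinned in the lock file, production and dev alike."""
    data = json.loads(lock_text)
    return {p["name"]: p["version"]
            for key in ("packages", "packages-dev") for p in data.get(key, [])}


def fix_status(name: str, locked: str) -> str:
    """One of 'not-tracked', 'unparseable', 'fixed', 'vulnerable', 'unknown-branch'."""
    branches = FIXED_BY_BRANCH.get(name)
    if branches is None:
        return "not-tracked"
    v = parse_version(locked)
    if v is None:
        return "unparseable"
    branch = f"{v[0]}.{v[1]}"
    if branch in branches:
        return "fixed" if v >= parse_version(branches[branch]) else "vulnerable"
    # Older than every fixed branch means no patched release exists for it;
    # newer branches are outside this table and need their own advisory entry.
    oldest_fixed = min(parse_version(f) for f in branches.values())
    return "vulnerable" if v < oldest_fixed else "unknown-branch"


def audit(lock_text: str) -> Dict[str, Tuple[str, str]]:
    """Map each tracked package in the lock file to (locked version, status)."""
    return {name: (ver, fix_status(name, ver))
            for name, ver in locked_versions(lock_text).items()
            if name in FIXED_BY_BRANCH}


if __name__ == "__main__":
    for name, (ver, status) in audit(LOCK_TEXT).items():
        print(f"{name} {ver}: {status}")
```

Run it against the real lock file by replacing LOCK_TEXT with the file's contents; a "vulnerable" result on a branch below 5.4 is the situation this PR is in, where the fix requires moving branches rather than a patch-level bump.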
