Total issues resolved: 27

Total issues resolved: 5

Total issues resolved: 1

Total issues resolved: 1

3.4.1 had a BC break when handling errors where the acceptable media type listed in the Accept header wasn't the first one. This is now fixed.

Also, with this release, we set the App::VERSION constant to the correct number.

Total issues resolved: 1


  • #1811 - Add Request::reparseBody() to provide a way to allow reparsing of the Request's body


  • #1812 - Handle nested uploaded files correctly.
  • #1808 - Ensure that getParsedBody() returns null if the body cannot be parsed.


  • #1799 - Make $file public in UploadedFile. Resolves issue #1798


  • #1789 - Do not use DeferredCallable in route callable. This resolves issue #1785


  • #1736 - Support the hostOnly cookie flag
  • #1764 - Write to the PHP error log if displayErrorDetails is false to make it easier to find out what's gone wrong!
  • #1770 - Support PHP 7+ errors in the same way that Exceptions are handled.


  • #1716 - Middleware is now only resolved when required.
  • #1745 - Separate service registration from the container to make it easier to use your own Pimple container and then register the default Slim services.


  • #1733 & #1734 - Allow setting an empty array into the Request's query params and parsed body.
  • #1737 - Do not explicitly set the HTTP status code in withJson.
  • #1738 - Named routes added after a call to pathFor can now be resolved in subsequent calls to pathFor.
  • #1739 - Responses with a body of indeterminate length can now have their content sent.

The full list of changes is here

This version makes a number of minor issues and improvements since the release of 3.0.0. The key changes are:


  • #1620 - Add getParsedBodyParam() and getQueryParam() to Slim\Http\Request.
  • #1688 - Add App::process() to allow running a Slim application when you already have a request and response object. This allows a Slim application to be used within the middleware of another middleware pipeline.
  • #1697 - Add HTTP 451 status code to Slim\Http\Response.


  • #1670 - Removed final from Slim\Container to allow extension.
  • #1684 - withJson() will now thrown an Exception if it fails to encode.
  • #1706 - Calling a non-existent method on App will now through an exception.


  • #1682 - Parse REQUEST_URL correctly in Slim\Http\Uri.
  • #1698 - Slim\Http\Request now correctly determines the HTTP protocol version.

The full list of changes is here

This is the first stable release of Slim 3!

Changes since RC2

  • #1643 - Revert detection of Uri's baseUrl so that routing of URLs of the form /foo/index.php/bar/baz work again.
  • #1655 - Ensure that calling $request->withMethod() turns off detection of _METHOD detection.

The full list of changes is here.

This release fixes a security issue, clears up some inconsistencies and fixes a number of bugs.

Security fix in 3.0.0-RC3:

  • #1624 - XXE attacks are now prevented when parsing XML input.

BC breaks in 3.0.0-RC3:

These are the BC breaks since RC2:

  • #1631 - The route callable is now bound to the Container rather than to the App to be consistent with middleware binding. This means that if you are using $this->subRequest then you now need to use ($app) and then $app->subRequest(…). Also if you were using $this->getContainer()->get(…), you need to change this to $this->get(…). Note that using $this->foo to retrieve a service from the container continues to work.
  • #1626 - Route paths are now simply concatentated with no magic. This may affect the way route groups were previously set up, but from now on, it's very predictable.
  • #1625 - Group middleware is now executed before the route's middleware as you would expect. See issue #1622 for details.

The full list of changes is here.

BC breaks in 3.0.0-RC2:

New features in 3.0.0-RC2:

  • #1509 - Slim 3's error handlers now only show exception information if you enable the displayErrorDetails setting.
  • #1552 - The router now has a new method called internalPathFor() for use with subRequest().
  • We have adopted Glenn Eggleton's' PHP-View component for rendering using PHP view scripts.

The full list of changes is here

BC breaks in 3.0.0-RC1:

  • #1489 - getParsedBody() will now return an array in all situations when JSON or form-urlencoded data is sent by the client. Previously, it returned an object when the content type was JSON.
  • #1457 - The Container can now be configured via an array passed into the App's constructor. Note that this means that your settings must now live in a sub-array called 'settings'.
  • #1443 - pathFor now prepends the base path, making URLs easier to generate when you are running Slim within a subdirectory and removes the need to prepend with getBaseUrl().

New features in 3.0.0-RC1:

  • #1490 - Slim 3's error handlers now return JSON, XML or HTML as determined by the request's Accept header.
  • #1488 - You can now disable Slim 3's error handler completely.

The full list of changes is here

Key changes since 3.0-beta1:

  • #1425 - Slim 3 now requires PHP 5.5 or higher
  • #1393, #1369 & #1354 - Various updates to our PSR-7 implementation, including a fix to allow the request body to be read more than once.
  • #1345 - New foundHandler to change the signature of the route callable. By default the handler is RequestResponse which creates callables with a signature of function($request, $response, $args), but we also supply a RequestResponseArgs handler with a callable signature of function($request, $response, $routeParam1, $routeParam2).
  • #1343 - Ability to set default attributes on a route which can then be accessed within the route callable.
  • #1362 - None of the factories in the container need to return a new instance to make it compatible with container-interop.

The full list of changes is here

  • Update unit tests for JSON decoding session cookie data
  • Update build status indicator in README file
  • Escape HTML in PrettyExceptions message and stack trace
  • Fixes object injection vulnerability in SessionCookie.php
  • Added new HTTP status codes
  • Added default HTTP request port for Google App Engine
  • Improved URI parsing
  • Miscellaneous improvements

You can review commits at


You can now use redirectTo when you want to redirect to a named route. redirectTo is a shortcut for redirect(urlfor(..))

$app->get('/', function () {})->name('home');
$app->get('/home', function () use ($app) {

Route::via() and Route::appendHttpMethods()

Allow passing array of methods to via() and appendHttpMethods()

$app->get('/', function () {
    echo "This route only available on GET and POST requests";
})->via(array('GET', 'POST'));

Other Changes

  • Fix failed test because of hardcoded directory separator on Windows
  • Add PHP 5.6 to Travis CI tests
  • Added how to run Slim on Google App Engine/Cloud Platform to the README.markdown
  • Lazy-initialize callables in \Slim\Route::setCallable()
  • Fix \Slim\Http\Util::parseCookie() for cookie values that contain "="
  • Improved debug stack trace output
  • Allow default values for \Slim\Http\Request::params()
  • Fix X-Forwarded-For header detection
  • Require phpunit as Composer dev dependency
  • Improve controller method name detection in \Slim\Route::setCallable()
  • Re-merge commits from a mistakenly-deleted earlier branch
  • Add (string) cast in encodeSecureCookie call to hash_hmac
  • Routes can be case-insensitive based on a config setting.
  • Try running unit tests on HHVM
  • Let Slim use the $_SERVER["HTTP_CONTENT_TYPE"] value for use with the PHP built-in server.

Class controllers

You may now use a controller class instance as a callback for your Slim app routes.

$app->get('/hello/:name', '\Greeting:sayHello');

In this example, when the app receives a request for "/hello/Josh", it will instantiate class \Greeting and pass the value "Josh" into its sayHello method.

Note that we separate the class name and the class method with a single ":" colon. This is a unique syntax used by Slim to implement this functionality. Do not confuse this with the "::" syntax used for static method calls.

Request parameter defaults

When fetching request data with the \Slim\Http\Request object's get(), post(), put(), patch(), or delete() methods, you can define the default value you want if the requested data is not available. For example:

$app->get('/books', function () use ($app) {
    $value = $app->request->get('genre', 'fiction');

In this example, we expect the HTTP request to have a URL query parameter genre. If this query parameter does not exist, we will use "fiction" as the default value.

View Template Data

You may now pass data into a view template with \Slim\View::display() and \Slim\View::fetch().

// Fetch a rendered template into a variable
$renderedTemplate = $app->view->fetch('my-template.php', ['foo' => 'bar']);

// Echo a rendered template to the output buffer
$app->view->display('my-template.php', ['foo' => 'bar']);

Other Changes

  • Remove mcrypt dependency
  • Add PHP 5.5 to Travis CI tests
  • Improve typehinting with popular PHP IDEs
  • Ensure application view template directory is defined on view construction
  • Add HTTP 418 status code to \Slim\Http\Response

Fixes \Slim\Environment path parsing issue for Windows users.

Fix a regression with \Slim\Environment path parsing. This regression affected developers relying on Apache Aliases or filesystem symlinks.

HipHop VM users must now explicitly define the SCRIPT_NAME server variable in their HHVM configuration file, at least until HipHop VM sets this server variable correctly on its own.

This is a maintenance release and remains backward-compatible with Slim 2.* applications.

  • Let \Slim\Flash implement Countable
  • Fix \Slim\Middleware\PrettyExceptions error when custom Log defined
  • Omit response body for HEAD requests
  • Add HHVM compatibility

This is a maintenance release with several bug fixes and improvements. All changes are backwards compatible with existing Slim 2.x applications.

  • Remove encryption concerns from \Slim\Middleware\SessionCookie middleware
  • Fix HTTP method override detection via X-HTTP-Method-Override header
  • Fix padding removal in \Slim\Http\Util::decrypt
  • Prevent XEE attack vector in \Slim\Middleware\ContentTypes::parseXml
  • Fix \Slim\Slim::urlFor when used with escaped regular expression characters
  • Add \Slim\Slim::_isset and \Slim\Slim::__unset methods
  • Add \Slim\Helper\Set::protect method to store Closure values that should not be invoked
  • Fix encrypted cookie expiration time during serialization into HTTP header
  • Fix Last-Modified and Expires header date format
  • Fix \Slim\View::setData so that it protects Closures used as template variables
  • Added route groups
  • Added resource locator
  • Added HTTP PATCH method support
  • Added new \Slim\Helper\Set interface
  • Fixed XSS exploit in \Slim\Slim::urlFor method
  • Simplified default error handler \Slim\Slim::handleErrors
  • Removed \Slim\Middleware\PrettyExceptions when not in debug mode
  • Let HTTP headers retain HTTP_ prefix if present
  • Added \Slim\Helper\Set interface to \Slim\Http\Headers and \Slim\Http\Cookies
  • Updated \Slim\Slim so that environment, request, response, router, log, and view are public properties.
  • Updated \Slim\Http\Request and \Slim\Http\Response so that headers and cookies are public properties that implement \Slim\Helper\Set.
  • Added \Slim\Http\Response methods setStatus(), getStatus(), setBody(), getBody(), and getLength()
  • Updated \Slim\Http\Response object so that its cookies and headers are not serialized and encrypted until the very end of the app lifecycle.
  • Updated \Slim\Log with PSR-3 interface
  • Deprecated \Slim\Log::warn(), replaced with \Slim\Log::warning()
  • Deprecated \Slim\Log::fatal(), replaced with \Slim\Log::critical()
  • Deprecated \Slim\Http\Request methods cookies() and headers()
  • Deprecated \Slim\Http\Response methods headers(), header(), length(), body(), status()
  • Deprecated \Slim\Http\Response interfaces ArrayAccess, Countable, and IteratorAggregate