Symfony PHP framework v2

Changelog (since https://github.com/symfony/symfony/compare/v2.8.51...v2.8.52)

• security #cve-2019-18888 [HttpFoundation] fix guessing mime-types of files with leading dash (@nicolas-grekas)
• security #cve-2019-18887 [HttpKernel] Use constant time comparison in UriSigner (@stof)

[PR] https://github.com/symfony/symfony/pull/34349
[SECURITY] Security release

Changelog (since https://github.com/symfony/symfony/compare/v2.8.49...v2.8.50)

• security #cve-2019-10910 [DI] Check service IDs are valid (@nicolas-grekas)
• security #cve-2019-10909 [FrameworkBundle][Form] Fix XSS issues in the form theme of the PHP templating engine (@stof)
• security #cve-2019-10912 [PHPUnit Bridge] Prevent destructors with side-effects from being unserialized (@nicolas-grekas)
• security #cve-2019-10911 [Security] Add a separator in the remember me cookie hash (@pborreli)
• security #cve-2019-10913 [HttpFoundation] reject invalid method override (@nicolas-grekas)

[PR] https://github.com/symfony/symfony/pull/31145
[SECURITY] Security release

Changelog (since https://github.com/symfony/symfony/compare/v2.7.50...v2.7.51)

• security #cve-2019-10910 [DI] Check service IDs are valid (@nicolas-grekas)
• security #cve-2019-10909 [FrameworkBundle][Form] Fix XSS issues in the form theme of the PHP templating engine - CVE-2019-10909 (@stof)
• security #cve-2019-10911 [Security] Add a separator in the remember me cookie hash (@pborreli)
• security #cve-2019-10913 [HttpFoundation] reject invalid method override (@nicolas-grekas)

[PR] https://github.com/symfony/symfony/pull/31144
[SECURITY] Security release

Changelog (since https://github.com/symfony/symfony/compare/v2.8.48...v2.8.49)

• security #cve-2018-19790 [Security\Http] detect bad redirect targets using backslashes (@xabbuh)
• security #cve-2018-19789 [Form] Filter file uploads out of regular form types (@nicolas-grekas)

[PR] https://github.com/symfony/symfony/pull/29487
[SECURITY] Security release

Changelog (since https://github.com/symfony/symfony/compare/v2.7.49...v2.7.50)

• security #cve-2018-19790 [Security\Http] detect bad redirect targets using backslashes (@xabbuh)
• security #cve-2018-19789 [Form] Filter file uploads out of regular form types (@nicolas-grekas)

[PR] https://github.com/symfony/symfony/pull/29486
[SECURITY] Security release

Changelog (since https://github.com/symfony/symfony/compare/v2.8.47...v2.8.48)

• bug #28917 [DoctrineBridge] catch errors while converting to db values in data collector (@alekitto)
• bug #27314 [DoctrineBridge] fix case sensitivity issue in RememberMe\DoctrineTokenProvider (@PF4Public)
• bug #29308 [Translation] Use XLIFF source rather than resname when there's no target (@thewilkybarkid)
• bug #26244 [BrowserKit] fixed BC Break for HTTP_HOST header (@brizzz)
• bug #28147 [DomCrawler] exclude fields inside "template" tags (@Gorjunov)
• bug #29271 [HttpFoundation] Fix trailing space for mime-type with parameters (@Sascha Dens)
• bug #29223 [Validator] Added the missing constraints instance checks (@thomasbisignani)
• bug #29182 [Form] Fixed empty data for compound date types (@HeahDude)
• bug #29185 [Form] Fixed keeping hash of equal \DateTimeInterface on submit (@HeahDude)
• bug #28731 [Form] invalidate forms on transformation failures (@xabbuh)
• bug #29152 [Config] Unset key during normalization (@ro0NL)
• bug #29057 [HttpFoundation] replace any preexisting Content-Type headers (@nicolas-grekas)

[PR] https://github.com/symfony/symfony/pull/29333

Changelog (since https://github.com/symfony/symfony/compare/v2.8.46...v2.8.47)

• bug #29020 Fix ini_get() for boolean values (@deguif)
• bug #28861 [DependencyInjection] Skip empty proxy code (@olvlvl)
• bug #28801 Convert InsufficientAuthenticationException to HttpException with 401 status code (@vincentchalamon)
• bug #28840 add missing double-quotes to extra_fields output message (@danielkay)
• bug #28712 [Form] reverse transform RFC 3339 formatted dates (@xabbuh)
• bug #28813 Fix for race condition in console output stream write (@rudolfratusinski)
• bug #27772 [Console] Fixes multiselect choice question defaults in non-interactive mode (@veewee)
• bug #28689 [Process] fix locking of pipe files on Windows (@nicolas-grekas)
• bug #28704 [Form] fix multi-digit seconds fraction handling (@xabbuh)
• bug #28648 [PHPUnitBridge] Fix ClockMock microtime() format (@acasademont)

[PR] https://github.com/symfony/symfony/pull/29069

Changelog (since https://github.com/symfony/symfony/compare/v2.8.45...v2.8.46)

• bug #28376 [TwigBundle] Fixed caching of templates in src/Resources//views on cache warmup (@yceruto)
• bug #28565 [HttpFoundation][Security] forward locale and format to subrequests (@nicolas-grekas)
• bug #28545 [Console] Send the right exit code to console.terminate listeners (@mpdude)
• bug #28466 [Form] fail reverse transforming invalid RFC 3339 dates (@xabbuh)
• bug #28540 [Intl] parse numbers terminated with decimal separator (@xabbuh)
• bug #28548 [Console] Fixed boxed table style with colspan (@ro0NL)
• bug #28433 [HttpFoundation] Allow reuse of Session between requests if ID did not change (@tgalopin)
• bug #28508 [Form] forward false label option to nested types (@xabbuh)
• bug #28464 [Form] forward the invalid_message option in date types (@xabbuh)
• bug #28499 [Ldap] Use shut up operator on connection errors at ldap_start_tls (@Andras Debreczeni)
• bug #28372 [Form] Fix DateTimeType html5 input format (@franzwilding, @mcfedr)
• bug #28396 [Intl] Blacklist Eurozone and United Nations in Region Data Generator (@gregurco)
• bug #28393 [Console] fixed corrupt error output for unknown multibyte short option (@downace)
• bug #28401 [Console] Fix SymfonyQuestionHelper::askQuestion() with choice value as default (@chalasr)
• bug #28377 fix fopen flags (@SpacePossum)
• bug #27970 [FileValidator] Format file size in validation message according to binaryFormat option (@jfredon)
• bug #28029 [TwigBundle] remove cache warmers when Twig cache is disabled (@xabbuh)
• bug #28344 [HttpKernel][FrameworkBundle] Fix escaping of serialized payloads passed to test clients (@nicolas-grekas)

[PR] https://github.com/symfony/symfony/pull/28640

Changelog (since https://github.com/symfony/symfony/compare/v2.8.44...v2.8.45)

• bug #28278 [HttpFoundation] Fix unprepared BinaryFileResponse sends empty file (@wackymole)
• bug #28241 [HttpKernel] fix forwarding trusted headers as server parameters (@nicolas-grekas)
• bug #28220 [PropertyAccess] fix type error handling when writing values (@xabbuh)
• bug #28100 [Security] Call AccessListener after LogoutListener (@chalasr)
• bug #28144 [HttpFoundation] fix false-positive ConflictingHeadersException (@nicolas-grekas)
• bug #28055 [PropertyInfo] Allow nested collections (@jderusse)
• bug #28083 Remove the Expires header when calling Response::expire() (@javiereguiluz)

[PR] https://github.com/symfony/symfony/pull/28286

Changelog (since https://github.com/symfony/symfony/compare/v2.8.43...v2.8.44)

• security #cve-2018-14774 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer (@nicolas-grekas)
• security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky HTTP headers (@nicolas-grekas)
• bug #28003 [HttpKernel] Fixes invalid REMOTE_ADDR in inline subrequest when configuring trusted proxy with subnet (@netiul)
• bug #28045 [HttpFoundation] Fix Cookie::isCleared (@ro0NL)
• bug #28080 [HttpFoundation] fixed using _method parameter with invalid type (@Phobetor)

[PR] https://github.com/symfony/symfony/pull/28101
[SECURITY] Security release

Changelog (since https://github.com/symfony/symfony/compare/v2.7.48...v2.7.49)

• security #cve-2018-14774 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer (@nicolas-grekas)
• security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky HTTP headers (@nicolas-grekas)

[PR] https://github.com/symfony/symfony/pull/28098
[SECURITY] Security release

Changelog (since https://github.com/symfony/symfony/compare/v2.8.42...v2.8.43)

• bug #28005 [HttpKernel] Fixed templateExists on parse error of the template name (@yceruto)
• bug #27997 Serbo-Croatian has Serbian plural rule (@kylekatarnls)
• bug #27941 [WebProfilerBundle] Fixed icon alignment issue using Bootstrap 4.1.2 (@jmsche)
• bug #27937 [HttpFoundation] reset callback on StreamedResponse when setNotModified() is called (@rubencm)
• bug #27927 [HttpFoundation] Suppress side effects in 'get' and 'has' methods of NamespacedAttributeBag (@webnet-fr)
• bug #27904 [Filesystem] fix lock file permissions (@fritzmg)
• bug #27758 [WebProfilerBundle] Prevent toolbar links color override by css (@alcalyn)
• bug #27831 Check for Hyper terminal on all operating systems. (@azjezz)
• bug #27794 Add color support for Hyper terminal . (@azjezz)
• bug #27809 [HttpFoundation] Fix tests: new message for status 425 (@dunglas)
• bug #27716 [DI] fix dumping deprecated service in yaml (@nicolas-grekas)

[PR] https://github.com/symfony/symfony/pull/28031

Changelog (since https://github.com/symfony/symfony/compare/v2.8.41...v2.8.42)

• bug #27669 [Filesystem] fix file lock on SunOS (@fritzmg)
• bug #27309 Fix surrogate not using original request (@Toflar)
• bug #27630 [Validator][Form] Remove BOM in some xlf files (@gautierderuette)
• bug #27591 [VarDumper] Fix dumping ArrayObject and ArrayIterator instances (@nicolas-grekas)
• bug #27581 Fix bad method call with guard authentication + session migration (@weaverryan)
• bug #27452 Avoid migration on stateless firewalls (@weaverryan)
• bug #27514 [Debug] Pass previous exception to FatalErrorException (@pmontoya)
• bug #26973 [HttpKernel] Set first trusted proxy as REMOTE_ADDR in InlineFragmentRenderer. (@kmadejski)
• bug #27303 [Process] Consider "executable" suffixes first on Windows (@sanmai)
• bug #27297 Triggering RememberMe's loginFail() when token cannot be created (@weaverryan)
• bug #27366 [DI] never inline lazy services (@nicolas-grekas)

[PR] https://github.com/symfony/symfony/pull/27703

Changelog (since https://github.com/symfony/symfony/compare/v2.8.40...v2.8.41)

• bug #27359 [HttpFoundation] Fix perf issue during MimeTypeGuesser intialization (@nicolas-grekas)
• security #cve-2018-11408 [SecurityBundle] Fail if security.http_utils cannot be configured
• security #cve-2018-11406 clear CSRF tokens when the user is logged out
• security #cve-2018-11385 Adding session authentication strategy to Guard to avoid session fixation
• security #cve-2018-11385 Adding session strategy to ALL listeners to avoid any possible fixation
• security #cve-2018-11386 [HttpFoundation] Break infinite loop in PdoSessionHandler when MySQL is in loose mode

[PR] https://github.com/symfony/symfony/pull/27375
[SECURITY] Security release

Changelog (since https://github.com/symfony/symfony/compare/v2.7.47...v2.7.48)

• bug #27359 [HttpFoundation] Fix perf issue during MimeTypeGuesser intialization (@nicolas-grekas)
• security #cve-2018-11408 [SecurityBundle] Fail if security.http_utils cannot be configured
• security #cve-2018-11406 clear CSRF tokens when the user is logged out
• security #cve-2018-11385 Adding session strategy to ALL listeners to avoid any possible fixation
• security #cve-2018-11386 [HttpFoundation] Break infinite loop in PdoSessionHandler when MySQL is in loose mode

[PR] https://github.com/symfony/symfony/pull/27374
[EOM] End of maintenance release for branch 2.7
[SECURITY] Security release

Changelog (since https://github.com/symfony/symfony/compare/v2.8.39...v2.8.40)

• bug #26781 [Form] Fix precision of MoneyToLocalizedStringTransformer's divisions on transform() (@syastrebov)
• bug #27286 [Translation] Add Occitan plural rule (@kylekatarnls)
• bug #27246 Disallow invalid characters in session.name (@ostrolucky)
• bug #24805 [Security] Fix logout (@MatTheCat)
• bug #27141 [Process] Suppress warnings when open_basedir is non-empty (@cbj4074)
• bug #27250 [Session] limiting :key for GET_LOCK to 64 chars (@oleg-andreyev)
• bug #27237 [Debug] Fix populating error_get_last() for handled silent errors (@nicolas-grekas)
• bug #27236 [Filesystem] Fix usages of error_get_last() (@nicolas-grekas)
• bug #27152 [HttpFoundation] use brace-style regex delimiters (@xabbuh)
• feature #24896 Add CODE_OF_CONDUCT.md (@egircys)

[PR] https://github.com/symfony/symfony/pull/27328

Changelog (since https://github.com/symfony/symfony/compare/v2.7.46...v2.7.47)

• bug #26781 [Form] Fix precision of MoneyToLocalizedStringTransformer's divisions on transform() (@syastrebov)
• bug #27286 [Translation] Add Occitan plural rule (@kylekatarnls)
• bug #27246 Disallow invalid characters in session.name (@ostrolucky)
• bug #24805 [Security] Fix logout (@MatTheCat)
• bug #27141 [Process] Suppress warnings when open_basedir is non-empty (@cbj4074)
• bug #27250 [Session] limiting :key for GET_LOCK to 64 chars (@oleg-andreyev)
• bug #27237 [Debug] Fix populating error_get_last() for handled silent errors (@nicolas-grekas)
• bug #27236 [Filesystem] Fix usages of error_get_last() (@nicolas-grekas)
• bug #27152 [HttpFoundation] use brace-style regex delimiters (@xabbuh)
• feature #24896 Add CODE_OF_CONDUCT.md (@egircys)
• bug #27067 [HttpFoundation] Fix setting session-related ini settings (@e-moe)

[PR] https://github.com/symfony/symfony/pull/27327

Changelog (since https://github.com/symfony/symfony/compare/v2.8.38...v2.8.39)

• bug #27067 [HttpFoundation] Fix setting session-related ini settings (@e-moe)
• bug #27016 [Security][Guard] GuardAuthenticationProvider::authenticate cannot return null (@biomedia-thomas)
• bug #26831 [Bridge/Doctrine] count(): Parameter must be an array or an object that implements Countable (@gpenverne)
• bug #27044 [Security] Skip user checks if not implementing UserInterface (@chalasr)
• bug #26014 [Security] Fixed being logged out on failed attempt in guard (@iltar)
• bug #26910 Use new PHP7.2 functions in hasColorSupport (@johnstevenson)
• bug #26999 [VarDumper] Fix dumping of SplObjectStorage (@corphi)
• bug #25841 [DoctrineBridge] Fix bug when indexBy is meta key in PropertyInfo\DoctrineExtractor (@insekticid)
• bug #26886 Don't assume that file binary exists on *nix OS (@teohhanhui)
• bug #26643 Fix that ESI/SSI processing can turn a "private" response "public" (@mpdude)
• bug #26932 [Form] Fixed trimming choice values (@HeahDude)
• bug #26875 [Console] Don't go past exact matches when autocompleting (@nicolas-grekas)
• bug #26823 [Validator] Fix LazyLoadingMetadataFactory with PSR6Cache for non classname if tested values isn't existing class (@Pascal Montoya, @pmontoya)
• bug #26834 [Yaml] Throw parse error on unfinished inline map (@nicolas-grekas)

[PR] https://github.com/symfony/symfony/pull/27095

Changelog (since https://github.com/symfony/symfony/compare/v2.7.45...v2.7.46)

• bug #26831 [Bridge/Doctrine] count(): Parameter must be an array or an object that implements Countable (@gpenverne)
• bug #27044 [Security] Skip user checks if not implementing UserInterface (@chalasr)
• bug #26910 Use new PHP7.2 functions in hasColorSupport (@johnstevenson)
• bug #26999 [VarDumper] Fix dumping of SplObjectStorage (@corphi)
• bug #26886 Don't assume that file binary exists on *nix OS (@teohhanhui)
• bug #26643 Fix that ESI/SSI processing can turn a "private" response "public" (@mpdude)
• bug #26932 [Form] Fixed trimming choice values (@HeahDude)
• bug #26875 [Console] Don't go past exact matches when autocompleting (@nicolas-grekas)
• bug #26823 [Validator] Fix LazyLoadingMetadataFactory with PSR6Cache for non classname if tested values isn't existing class (@Pascal Montoya, @pmontoya)
• bug #26834 [Yaml] Throw parse error on unfinished inline map (@nicolas-grekas)

[PR] https://github.com/symfony/symfony/pull/27070

Changelog (since https://github.com/symfony/symfony/compare/v2.8.37...v2.8.38)

• bug #26788 [Security] Load the user before pre/post auth checks when needed (@chalasr)
• bug #26774 [SecurityBundle] Add missing argument to security.authentication.provider.simple (@i3or1s, @chalasr)
• bug #26763 [Finder] Remove duplicate slashes in filenames (@helhum)
• bug #26749 Add PHPDbg support to HTTP components (@hkdobrev)
• bug #26609 [Console] Fix check of color support on Windows (@mlocati)

[PR] https://github.com/symfony/symfony/pull/26841

Changelog (since https://github.com/symfony/symfony/compare/v2.7.44...v2.7.45)

• bug #26763 [Finder] Remove duplicate slashes in filenames (@helhum)
• bug #26749 Add PHPDbg support to HTTP components (@hkdobrev)
• bug #26609 [Console] Fix check of color support on Windows (@mlocati)

[PR] https://github.com/symfony/symfony/pull/26835

Changelog (since https://github.com/symfony/symfony/compare/v2.8.36...v2.8.37)

• bug #26727 [HttpCache] Unlink tmp file on error (@Chansig)
• bug #26675 [HttpKernel] DumpDataCollector: do not flush when a dumper is provided (@ogizanagi)
• bug #26663 [TwigBridge] Fix rendering of currency by MoneyType (@ro0NL)
• bug #26677 Support phpdbg SAPI in Debug::enable() (@hkdobrev)
• bug #26589 [Ldap] cast to string when checking empty passwords (@ismail1432)
• bug #26621 [Form] no type errors with invalid submitted data types (@xabbuh)
• bug #26337 [Finder] Fixed leading/trailing / in filename (@lyrixx)
• bug #26584 [TwigBridge] allow html5 compatible rendering of forms with null names (@systemist)
• bug #24401 [Form] Change datetime to datetime-local for HTML5 datetime input (@pierredup)
• bug #26370 [Security] added userChecker to SimpleAuthenticationProvider (@i3or1s)
• bug #26569 [BrowserKit] Fix cookie path handling when $domain is null (@dunglas)
• bug #26598 Fixes #26563 (open_basedir restriction in effect) (@temperatur)
• bug #26568 [Debug] Reset previous exception handler earlier to prevent infinite loop (@nicolas-grekas)
• bug #26567 [DoctrineBridge] Don't rely on ClassMetadataInfo->hasField in DoctrineOrmTypeGuesser anymore (@fancyweb)
• bug #26356 [FrameworkBundle] HttpCache is not longer abstract (@lyrixx)
• bug #26548 [DomCrawler] Change bad wording in ChoiceFormField::untick (@dunglas)
• bug #26433 [DomCrawler] extract(): fix a bug when the attribute list is empty (@dunglas)
• bug #26452 [Intl] Load locale aliases to support alias fallbacks (@jakzal)
• bug #26450 [CssSelector] Fix CSS identifiers parsing - they can start with dash (@jakubkulhan)

[PR] https://github.com/symfony/symfony/pull/26742

Changelog (since https://github.com/symfony/symfony/compare/v2.7.43...v2.7.44)

• bug #26727 [HttpCache] Unlink tmp file on error (@Chansig)
• bug #26675 [HttpKernel] DumpDataCollector: do not flush when a dumper is provided (@ogizanagi)
• bug #26663 [TwigBridge] Fix rendering of currency by MoneyType (@ro0NL)
• bug #26677 Support phpdbg SAPI in Debug::enable() (@hkdobrev)
• bug #26621 [Form] no type errors with invalid submitted data types (@xabbuh)
• bug #26337 [Finder] Fixed leading/trailing / in filename (@lyrixx)
• bug #26584 [TwigBridge] allow html5 compatible rendering of forms with null names (@systemist)
• bug #24401 [Form] Change datetime to datetime-local for HTML5 datetime input (@pierredup)
• bug #26370 [Security] added userChecker to SimpleAuthenticationProvider (@i3or1s)
• bug #26569 [BrowserKit] Fix cookie path handling when $domain is null (@dunglas)
• bug #26598 Fixes #26563 (open_basedir restriction in effect) (@temperatur)
• bug #26568 [Debug] Reset previous exception handler earlier to prevent infinite loop (@nicolas-grekas)
• bug #26567 [DoctrineBridge] Don't rely on ClassMetadataInfo->hasField in DoctrineOrmTypeGuesser anymore (@fancyweb)
• bug #26356 [FrameworkBundle] HttpCache is not longer abstract (@lyrixx)
• bug #26548 [DomCrawler] Change bad wording in ChoiceFormField::untick (@dunglas)
• bug #26433 [DomCrawler] extract(): fix a bug when the attribute list is empty (@dunglas)
• bug #26452 [Intl] Load locale aliases to support alias fallbacks (@jakzal)
• bug #26450 [CssSelector] Fix CSS identifiers parsing - they can start with dash (@jakubkulhan)

[PR] https://github.com/symfony/symfony/pull/26741

Changelog (since https://github.com/symfony/symfony/compare/v2.8.35...v2.8.36)

• bug #26368 [WebProfilerBundle] Fix Debug toolbar breaks app (@xkobal)

[PR] https://github.com/symfony/symfony/pull/26415

Changelog (since https://github.com/symfony/symfony/compare/v2.7.42...v2.7.43)

• bug #26368 [WebProfilerBundle] Fix Debug toolbar breaks app (@xkobal)

[PR] https://github.com/symfony/symfony/pull/26414

Changelog (since https://github.com/symfony/symfony/compare/v2.8.34...v2.8.35)

• bug #26338 [Debug] Keep previous errors of Error instances (@Philipp91)
• bug #26312 [Routing] Don't throw 405 when scheme requirement doesn't match (@nicolas-grekas)
• bug #26298 Fix ArrayInput::toString() for InputArgument::IS_ARRAY args (@maximium)
• bug #26236 [PropertyInfo] ReflectionExtractor: give a chance to other extractors if no properties (@dunglas)
• bug #25557 [WebProfilerBundle] add a way to limit ajax request (@Simperfit)
• bug #26228 [HttpFoundation] Fix missing "throw" in JsonResponse (@nicolas-grekas)
• bug #26211 [Console] Suppress warning from sapi_windows_vt100_support (@adawolfa)
• bug #26156 Fixes #26136: Avoid emitting warning in hasParameterOption() (@greg-1-anderson)
• bug #26183 [DI] Add null check for removeChild (@changmin.keum)
• bug #26173 [Security] fix accessing request values (@xabbuh)
• bug #26159 created validator.tl.xlf for Form/Translations (@ergiegonzaga)
• bug #26100 [Routing] Throw 405 instead of 404 when redirect is not possible (@nicolas-grekas)
• bug #26040 [Process] Check PHP_BINDIR before $PATH in PhpExecutableFinder (@nicolas-grekas)
• bug #26012 Exit as late as possible (@greg0ire)
• bug #26111 [Security] fix merge of 2.7 into 2.8 + add test case (@dmaicher)
• bug #25893 [Console] Fix hasParameterOption / getParameterOption when used with multiple flags (@greg-1-anderson)
• bug #25940 [Form] keep the context when validating forms (@xabbuh)
• bug #25373 Use the PCRE_DOLLAR_ENDONLY modifier in route regexes (@mpdude)
• bug #26010 [CssSelector] For AND operator, the left operand should have parentheses, not only right operand (@Arnaud CHASSEUX)
• bug #25971 [Debug] Fix bad registration of exception handler, leading to mem leak (@nicolas-grekas)
• bug #25962 [Routing] Fix trailing slash redirection for non-safe verbs (@nicolas-grekas)
• bug #25948 [Form] Fixed empty data on expanded ChoiceType and FileType (@HeahDude)
• bug #25972 support sapi_windows_vt100_support for php 7.2+ (@jhdxr)
• bug #25744 [TwigBridge] Allow label translation to be safe (@MatTheCat)

[PR] https://github.com/symfony/symfony/pull/26361

Changelog (since https://github.com/symfony/symfony/compare/v2.7.41...v2.7.42)

• bug #26338 [Debug] Keep previous errors of Error instances (@Philipp91)
• bug #26312 [Routing] Don't throw 405 when scheme requirement doesn't match (@nicolas-grekas)
• bug #26298 Fix ArrayInput::toString() for InputArgument::IS_ARRAY args (@maximium)
• bug #25557 [WebProfilerBundle] add a way to limit ajax request (@Simperfit)
• bug #26228 [HttpFoundation] Fix missing "throw" in JsonResponse (@nicolas-grekas)
• bug #26211 [Console] Suppress warning from sapi_windows_vt100_support (@adawolfa)
• bug #26156 Fixes #26136: Avoid emitting warning in hasParameterOption() (@greg-1-anderson)
• bug #26183 [DI] Add null check for removeChild (@changmin.keum)
• bug #26159 created validator.tl.xlf for Form/Translations (@ergiegonzaga)
• bug #26100 [Routing] Throw 405 instead of 404 when redirect is not possible (@nicolas-grekas)
• bug #26040 [Process] Check PHP_BINDIR before $PATH in PhpExecutableFinder (@nicolas-grekas)
• bug #26012 Exit as late as possible (@greg0ire)
• bug #25893 [Console] Fix hasParameterOption / getParameterOption when used with multiple flags (@greg-1-anderson)
• bug #25940 [Form] keep the context when validating forms (@xabbuh)
• bug #25373 Use the PCRE_DOLLAR_ENDONLY modifier in route regexes (@mpdude)
• bug #26010 [CssSelector] For AND operator, the left operand should have parentheses, not only right operand (@Arnaud CHASSEUX)
• bug #25971 [Debug] Fix bad registration of exception handler, leading to mem leak (@nicolas-grekas)
• bug #25962 [Routing] Fix trailing slash redirection for non-safe verbs (@nicolas-grekas)
• bug #25948 [Form] Fixed empty data on expanded ChoiceType and FileType (@HeahDude)
• bug #25972 support sapi_windows_vt100_support for php 7.2+ (@jhdxr)
• bug #25744 [TwigBridge] Allow label translation to be safe (@MatTheCat)

[PR] https://github.com/symfony/symfony/pull/26346

Changelog (since https://github.com/symfony/symfony/compare/v2.8.33...v2.8.34)

• bug #25922 [HttpFoundation] Use the correct syntax for session gc based on Pdo driver (@tanasecosminromeo)
• bug #25933 Disable CSP header on exception pages only in debug (@ostrolucky)
• bug #25926 [Form] Fixed Button::setParent() when already submitted (@HeahDude)
• bug #25927 [Form] Fixed submitting disabled buttons (@HeahDude)
• bug #25891 [DependencyInjection] allow null values for root nodes in YAML configs (@xabbuh)
• bug #25848 [Validator] add missing parent isset and add test (@Simperfit)
• bug #25861 do not conflict with egulias/email-validator 2.0+ (@xabbuh)
• bug #25851 [Validator] Conflict with egulias/email-validator 2.0 (@emodric)
• bug #25837 [SecurityBundle] Don't register in memory users as services (@chalasr)
• bug #25835 [HttpKernel] DebugHandlersListener should always replace the existing exception handler (@nicolas-grekas)
• bug #25829 [Debug] Always decorate existing exception handlers to deal with fatal errors (@nicolas-grekas)
• bug #25824 Fixing a bug where the dump() function depended on bundle ordering (@weaverryan)
• bug #25789 Enableable ArrayNodeDefinition is disabled for empty configuration (@kejwmen)
• bug #25816 Problem in phar see mergerequest #25579 (@betzholz)
• bug #25781 [Form] Disallow transform dates beyond the year 9999 (@curry684)
• bug #25812 Copied NO language files to the new NB locale (@derrabus)
• bug #25801 [Router] Skip anonymous classes when loading annotated routes (@pierredup)
• bug #25657 [Security] Fix fatal error on non string username (@chalasr)
• bug #25799 Fixed Request::__toString ignoring cookies (@Toflar)
• bug #25755 [Debug] prevent infinite loop with faulty exception handlers (@nicolas-grekas)
• bug #25771 [Validator] 19 digits VISA card numbers are valid (@xabbuh)
• bug #25751 [FrameworkBundle] Add the missing enabled session attribute (@sroze)
• bug #25750 [HttpKernel] Turn bad hosts into 400 instead of 500 (@nicolas-grekas)
• bug #25490 [Serializer] Fixed throwing exception with option JSON_PARTIAL_OUTPUT_ON_ERROR (@diversantvlz)
• bug #25709 Tweaked some styles in the profiler tables (@javiereguiluz)
• feature #25669 [Security] Fail gracefully if the security token cannot be unserialized from the session (@thewilkybarkid)

[PR] https://github.com/symfony/symfony/pull/25954

Changelog (since https://github.com/symfony/symfony/compare/v2.7.40...v2.7.41)

• bug #25922 [HttpFoundation] Use the correct syntax for session gc based on Pdo driver (@tanasecosminromeo)
• bug #25933 Disable CSP header on exception pages only in debug (@ostrolucky)
• bug #25926 [Form] Fixed Button::setParent() when already submitted (@HeahDude)
• bug #25927 [Form] Fixed submitting disabled buttons (@HeahDude)
• bug #25891 [DependencyInjection] allow null values for root nodes in YAML configs (@xabbuh)
• bug #25848 [Validator] add missing parent isset and add test (@Simperfit)
• bug #25861 do not conflict with egulias/email-validator 2.0+ (@xabbuh)
• bug #25851 [Validator] Conflict with egulias/email-validator 2.0 (@emodric)
• bug #25837 [SecurityBundle] Don't register in memory users as services (@chalasr)
• bug #25835 [HttpKernel] DebugHandlersListener should always replace the existing exception handler (@nicolas-grekas)
• bug #25829 [Debug] Always decorate existing exception handlers to deal with fatal errors (@nicolas-grekas)
• bug #25824 Fixing a bug where the dump() function depended on bundle ordering (@weaverryan)
• bug #25789 Enableable ArrayNodeDefinition is disabled for empty configuration (@kejwmen)
• bug #25816 Problem in phar see mergerequest #25579 (@betzholz)
• bug #25781 [Form] Disallow transform dates beyond the year 9999 (@curry684)
• bug #25812 Copied NO language files to the new NB locale (@derrabus)
• bug #25801 [Router] Skip anonymous classes when loading annotated routes (@pierredup)
• bug #25657 [Security] Fix fatal error on non string username (@chalasr)
• bug #25799 Fixed Request::__toString ignoring cookies (@Toflar)
• bug #25755 [Debug] prevent infinite loop with faulty exception handlers (@nicolas-grekas)
• bug #25771 [Validator] 19 digits VISA card numbers are valid (@xabbuh)
• bug #25751 [FrameworkBundle] Add the missing enabled session attribute (@sroze)
• bug #25750 [HttpKernel] Turn bad hosts into 400 instead of 500 (@nicolas-grekas)
• bug #25490 [Serializer] Fixed throwing exception with option JSON_PARTIAL_OUTPUT_ON_ERROR (@diversantvlz)
• feature #25669 [Security] Fail gracefully if the security token cannot be unserialized from the session (@thewilkybarkid)

[PR] https://github.com/symfony/symfony/pull/25953

Changelog (since https://github.com/symfony/symfony/compare/v2.8.32...v2.8.33)

• bug #25532 [HttpKernel] Disable CSP header on exception pages (@ostrolucky)
• bug #25491 [Routing] Use the default host even if context is empty (@sroze)
• bug #25662 Dumper shouldn't use html format for phpdbg / cli-server (@jhoff)
• bug #25529 [Validator] Fix access to root object when using composite constraint (@ostrolucky)
• bug #25430 Fixes for Oracle in PdoSessionHandler (@elislenio)
• bug #25599 Add application/ld+json format associated to json (@vincentchalamon)
• bug #25407 [Console] Commands with an alias should not be recognized as ambiguous (@Simperfit)
• bug #25521 [Console] fix a bug when you are passing a default value and passing -n would output the index (@Simperfit)
• bug #25489 [FrameworkBundle] remove esi/ssi renderers if inactive (@dmaicher)
• bug #25427 Preserve percent-encoding in URLs when performing redirects in the UrlMatcher (@mpdude)
• bug #25480 [FrameworkBundle] add missing validation options to XSD file (@xabbuh)
• bug #25487 [Console] Fix a bug when passing a letter that could be an alias (@Simperfit)
• bug #25233 [TwigBridge][Form] Fix hidden currency element with Bootstrap 3 theme (@julienfalque)
• bug #25408 [Debug] Fix catching fatal errors in case of nested error handlers (@nicolas-grekas)
• bug #25330 [HttpFoundation] Support 0 bit netmask in IPv6 (::/0) (@stephank)
• bug #25410 [HttpKernel] Fix logging of post-terminate errors/exceptions (@nicolas-grekas)
• bug #25323 [ExpressionLanguage] throw an SyntaxError instead of an undefined index notice (@Simperfit)

[PR] https://github.com/symfony/symfony/pull/25689

Changelog (since https://github.com/symfony/symfony/compare/v2.7.39...v2.7.40)

• bug #25532 [HttpKernel] Disable CSP header on exception pages (@ostrolucky)
• bug #25491 [Routing] Use the default host even if context is empty (@sroze)
• bug #25662 Dumper shouldn't use html format for phpdbg / cli-server (@jhoff)
• bug #25529 [Validator] Fix access to root object when using composite constraint (@ostrolucky)
• bug #25430 Fixes for Oracle in PdoSessionHandler (@elislenio)
• bug #25599 Add application/ld+json format associated to json (@vincentchalamon)
• bug #25407 [Console] Commands with an alias should not be recognized as ambiguous (@Simperfit)
• bug #25521 [Console] fix a bug when you are passing a default value and passing -n would output the index (@Simperfit)
• bug #25489 [FrameworkBundle] remove esi/ssi renderers if inactive (@dmaicher)
• bug #25427 Preserve percent-encoding in URLs when performing redirects in the UrlMatcher (@mpdude)
• bug #25480 [FrameworkBundle] add missing validation options to XSD file (@xabbuh)
• bug #25487 [Console] Fix a bug when passing a letter that could be an alias (@Simperfit)
• bug #25233 [TwigBridge][Form] Fix hidden currency element with Bootstrap 3 theme (@julienfalque)
• bug #25408 [Debug] Fix catching fatal errors in case of nested error handlers (@nicolas-grekas)
• bug #25330 [HttpFoundation] Support 0 bit netmask in IPv6 (::/0) (@stephank)
• bug #25410 [HttpKernel] Fix logging of post-terminate errors/exceptions (@nicolas-grekas)
• bug #25323 [ExpressionLanguage] throw an SyntaxError instead of an undefined index notice (@Simperfit)

[PR] https://github.com/symfony/symfony/pull/25688

Changelog (since https://github.com/symfony/symfony/compare/v2.8.31...v2.8.32)

• bug #25278 Fix for missing whitespace control modifier in form layout (@kubawerlos)
• bug #25236 [Form][TwigBridge] Fix collision between view properties and form fields (@yceruto)
• bug #25258 [link] Prevent warnings when running link with 2.7 (@dunglas)
• bug #24750 [Validator] ExpressionValidator should use OBJECT_TO_STRING (@Simperfit)
• bug #25182 [HttpFoundation] AutExpireFlashBag should not clear new flashes (@Simperfit, @sroze)
• bug #25152 [Form] Don't rely on Symfony\Component\HttpFoundation\File\File if http-foundation isn't in FileType (@issei-m)
• bug #24987 [Console] Fix global console flag when used in chain (@Simperfit)
• bug #25043 [Yaml] added ability for substitute aliases when mapping is on single line (@Michał Strzelecki, @xabbuh)
• bug #25102 [Form] Fixed ContextErrorException in FileType (@chihiro-adachi)
• bug #25130 [DI] Fix handling of inlined definitions by ContainerBuilder (@nicolas-grekas)
• bug #25072 [Bridge/PhpUnit] Remove trailing "\n" from ClockMock::microtime(false) (@joky)
• bug #24956 Fix ambiguous pattern (@weltling)

[PR] https://github.com/symfony/symfony/pull/25318

Changelog (since https://github.com/symfony/symfony/compare/v2.7.38...v2.7.39)

• bug #25278 Fix for missing whitespace control modifier in form layout (@kubawerlos)
• bug #25236 [Form][TwigBridge] Fix collision between view properties and form fields (@yceruto)
• bug #25258 [link] Prevent warnings when running link with 2.7 (@dunglas)
• bug #24750 [Validator] ExpressionValidator should use OBJECT_TO_STRING (@Simperfit)
• bug #25182 [HttpFoundation] AutExpireFlashBag should not clear new flashes (@Simperfit, @sroze)
• bug #25152 [Form] Don't rely on Symfony\Component\HttpFoundation\File\File if http-foundation isn't in FileType (@issei-m)
• bug #24987 [Console] Fix global console flag when used in chain (@Simperfit)
• bug #25043 [Yaml] added ability for substitute aliases when mapping is on single line (@Michał Strzelecki, @xabbuh)
• bug #25102 [Form] Fixed ContextErrorException in FileType (@chihiro-adachi)
• bug #25130 [DI] Fix handling of inlined definitions by ContainerBuilder (@nicolas-grekas)
• bug #24956 Fix ambiguous pattern (@weltling)

[PR] https://github.com/symfony/symfony/pull/25317

Changelog (since https://github.com/symfony/symfony/compare/v2.8.30...v2.8.31)

• security #24995 Validate redirect targets using the session cookie domain (@nicolas-grekas)
• security #24994 Prevent bundle readers from breaking out of paths (@xabbuh)
• security #24993 Ensure that submitted data are uploaded files (@xabbuh)
• security #24992 Namespace generated CSRF tokens depending of the current scheme (@dunglas)

[PR] https://github.com/symfony/symfony/pull/25000
[SECURITY] Security release

Changelog (since https://github.com/symfony/symfony/compare/v2.7.37...v2.7.38)

• security #24995 Validate redirect targets using the session cookie domain (@nicolas-grekas)
• security #24994 Prevent bundle readers from breaking out of paths (@xabbuh)
• security #24993 Ensure that submitted data are uploaded files (@xabbuh)
• security #24992 Namespace generated CSRF tokens depending of the current scheme (@dunglas)

[PR] https://github.com/symfony/symfony/pull/24997
[SECURITY] Security release

Changelog (since https://github.com/symfony/symfony/compare/v2.8.29...v2.8.30)

• bug #24952 [HttpFoundation] Fix session-related BC break (@nicolas-grekas, @sroze)
• bug #24929 [Console] Fix traversable autocomplete values (@ro0NL)

[PR] https://github.com/symfony/symfony/pull/24957

Changelog (since https://github.com/symfony/symfony/compare/v2.7.36...v2.7.37)

• bug #24952 [HttpFoundation] Fix session-related BC break (@nicolas-grekas, @sroze)
• bug #24929 [Console] Fix traversable autocomplete values (@ro0NL)

[PR] https://github.com/symfony/symfony/pull/24955

Changelog (since https://github.com/symfony/symfony/compare/v2.8.28...v2.8.29)

• bug #24888 [FrameworkBundle] Specifically inject the debug dispatcher in the collector (@ogizanagi)
• bug #24909 [Intl] Update ICU data to 60.1 (@jakzal)
• bug #24906 [Bridge/ProxyManager] Remove direct reference to value holder property (@nicolas-grekas)
• bug #24900 [Validator] Fix Costa Rica IBAN format (@Bozhidar Hristov)
• bug #24904 [Validator] Add Belarus IBAN format (@Bozhidar Hristov)
• bug #24531 [HttpFoundation] Fix forward-compat of NativeSessionStorage with PHP 7.2 (@sroze)
• bug #24665 Fix dump panel hidden when closing a dump (@julienfalque)
• bug #24814 [Intl] Make intl-data tests pass and save language aliases again (@jakzal)
• bug #24764 [HttpFoundation] add Early Hints to Reponse to fix test (@Simperfit)
• bug #24605 [FrameworkBundle] Do not load property_access.xml if the component isn't installed (@ogizanagi)
• bug #24606 [HttpFoundation] Fix FileBag issue with associative arrays (@enumag)
• bug #24660 Escape trailing \ in QuestionHelper autocompletion (@kamazee)
• bug #24644 [Security] Fixed auth provider authenticate() cannot return void (@glye)
• bug #24642 [Routing] Fix resource miss (@dunglas)
• bug #24608 Adding the Form default theme files to be warmed up in Twig's cache (@weaverryan)
• bug #24626 streamed response should return $this (@DQNEO)
• bug #24589 Username and password in basic auth are allowed to contain '.' (@Richard Quadling)
• bug #24566 Fixed unsetting from loosely equal keys OrderedHashMap (@maryo)
• bug #24570 [Debug] Fix same vendor detection in class loader (@Jean-Beru)
• bug #24563 [Serializer] ObjectNormalizer: throw if PropertyAccess isn't installed (@dunglas)
• bug #24571 [PropertyInfo] Add support for the iterable type (@dunglas)
• bug #24579 pdo session fix (@mxp100)
• bug #24536 [Security] Reject remember-me token if UserCheckerInterface::checkPostAuth() fails (@kbond)
• bug #24519 [Validator] [Twig] added magic method __isset() to File Constraint class (@loru88)
• bug #24532 [DI] Fix possible incorrect php-code when dumped strings contains newlines (@Strate)
• bug #24502 [HttpFoundation] never match invalid IP addresses (@xabbuh)
• bug #24460 [Form] fix parsing invalid floating point numbers (@xabbuh)
• bug #24490 [HttpFoundation] Combine Cache-Control headers (@c960657)
• bug #23711 Fix support for PHP 7.2 (@Simperfit, @nicolas-grekas)
• bug #24494 [HttpFoundation] Add missing session.lazy_write config option (@nicolas-grekas)
• bug #24434 [Form] Use for=ID on radio/checkbox label. (@Nyholm)
• bug #24455 [Console] Escape command usage (@sroze)

[PR] https://github.com/symfony/symfony/pull/24915

Changelog (since https://github.com/symfony/symfony/compare/v2.7.35...v2.7.36)

• bug #24888 [FrameworkBundle] Specifically inject the debug dispatcher in the collector (@ogizanagi)
• bug #24909 [Intl] Update ICU data to 60.1 (@jakzal)
• bug #24906 [Bridge/ProxyManager] Remove direct reference to value holder property (@nicolas-grekas)
• bug #24900 [Validator] Fix Costa Rica IBAN format (@Bozhidar Hristov)
• bug #24904 [Validator] Add Belarus IBAN format (@Bozhidar Hristov)
• bug #24531 [HttpFoundation] Fix forward-compat of NativeSessionStorage with PHP 7.2 (@sroze)
• bug #24814 [Intl] Make intl-data tests pass and save language aliases again (@jakzal)
• bug #24764 [HttpFoundation] add Early Hints to Reponse to fix test (@Simperfit)
• bug #24605 [FrameworkBundle] Do not load property_access.xml if the component isn't installed (@ogizanagi)
• bug #24606 [HttpFoundation] Fix FileBag issue with associative arrays (@enumag)
• bug #24660 Escape trailing \ in QuestionHelper autocompletion (@kamazee)
• bug #24644 [Security] Fixed auth provider authenticate() cannot return void (@glye)
• bug #24626 streamed response should return $this (@DQNEO)
• bug #24589 Username and password in basic auth are allowed to contain '.' (@Richard Quadling)
• bug #24566 Fixed unsetting from loosely equal keys OrderedHashMap (@maryo)
• bug #24570 [Debug] Fix same vendor detection in class loader (@Jean-Beru)
• bug #24563 [Serializer] ObjectNormalizer: throw if PropertyAccess isn't installed (@dunglas)
• bug #24579 pdo session fix (@mxp100)
• bug #24536 [Security] Reject remember-me token if UserCheckerInterface::checkPostAuth() fails (@kbond)
• bug #24519 [Validator] [Twig] added magic method __isset() to File Constraint class (@loru88)
• bug #24532 [DI] Fix possible incorrect php-code when dumped strings contains newlines (@Strate)
• bug #24502 [HttpFoundation] never match invalid IP addresses (@xabbuh)
• bug #24460 [Form] fix parsing invalid floating point numbers (@xabbuh)
• bug #24490 [HttpFoundation] Combine Cache-Control headers (@c960657)
• bug #23711 Fix support for PHP 7.2 (@Simperfit, @nicolas-grekas)
• bug #24494 [HttpFoundation] Add missing session.lazy_write config option (@nicolas-grekas)
• bug #24434 [Form] Use for=ID on radio/checkbox label. (@Nyholm)
• bug #24455 [Console] Escape command usage (@sroze)

[PR] https://github.com/symfony/symfony/pull/24914

Changelog (since https://github.com/symfony/symfony/compare/v2.8.27...v2.8.28)

• bug #24448 [Session] fix MongoDb session handler to gc all expired sessions (@Tobion)
• bug #24417 [Yaml] parse references on merge keys (@xabbuh)
• bug #24421 [Config] Fix dumped files invalidation by OPCache (@nicolas-grekas)
• bug #23980 Tests and fix for issue in array model data in EntityType field with multiple=true (@stoccc)
• bug #22586 [Form] Fixed PercentToLocalizedStringTransformer to accept both comma and dot as decimal separator, if possible (@aaa2000)
• bug #24157 [Intl] Fixed support of Locale::getFallback (@lyrixx)
• bug #24198 [HttpFoundation] Fix file upload multiple with no files (@enumag)
• bug #24036 [Form] Fix precision of MoneyToLocalizedStringTransformer's divisions and multiplications (@Rubinum)
• bug #24367 PdoSessionHandler: fix advisory lock for pgsql (@Tobion)
• bug #24243 HttpCache does not consider ESI resources in HEAD requests (@mpdude)
• bug #24304 [FrameworkBundle] Fix Routing\DelegatingLoader (@nicolas-grekas)
• bug #24219 [Console] Preserving line breaks between sentences according to the exception message (@yceruto)
• bug #23722 [Form] Fixed GroupSequence with "constraints" option (@HeahDude)
• bug #22321 [Filesystem] Fixed makePathRelative (@ausi)
• bug #23473 [Filesystem] mirror - fix copying content with same name as source/target. (@gitlost)
• bug #24162 [WebProfilerBundle] fixed TemplateManager when using Twig 2 without compat interfaces (@fabpot)
• bug #24141 [DomCrawler] Fix conversion to int on GetPhpFiles (@MaraBlaga)
• bug #23853 Filtering empty uuids in ORMQueryBuilderLoader. (@mlazovla)
• bug #24101 [Security] Fix exception when use_referer option is true and referer is not set or empty (@linniksa)
• bug #24105 [Filesystem] check permissions if dump target dir is missing (@xabbuh)
• bug #24115 [FrameworkBundle] Get KERNEL_DIR through $_ENV too for KernelTestCase (@yceruto)
• bug #24041 [ExpressionLanguage] throws an exception on calling uncallable method (@fmata)
• bug #24096 Fix ArrayInput::toString() for VALUE_IS_ARRAY options/args (@chalasr)
• bug #23730 Fixed the escaping of back slashes and << in console output (@javiereguiluz)

[PR] https://github.com/symfony/symfony/pull/24451

Changelog (since https://github.com/symfony/symfony/compare/v2.7.34...v2.7.35)

• bug #24448 [Session] fix MongoDb session handler to gc all expired sessions (@Tobion)
• bug #24417 [Yaml] parse references on merge keys (@xabbuh)
• bug #24421 [Config] Fix dumped files invalidation by OPCache (@nicolas-grekas)
• bug #23980 Tests and fix for issue in array model data in EntityType field with multiple=true (@stoccc)
• bug #22586 [Form] Fixed PercentToLocalizedStringTransformer to accept both comma and dot as decimal separator, if possible (@aaa2000)
• bug #24157 [Intl] Fixed support of Locale::getFallback (@lyrixx)
• bug #24198 [HttpFoundation] Fix file upload multiple with no files (@enumag)
• bug #24036 [Form] Fix precision of MoneyToLocalizedStringTransformer's divisions and multiplications (@Rubinum)
• bug #24367 PdoSessionHandler: fix advisory lock for pgsql (@Tobion)
• bug #24243 HttpCache does not consider ESI resources in HEAD requests (@mpdude)
• bug #24304 [FrameworkBundle] Fix Routing\DelegatingLoader (@nicolas-grekas)
• bug #24219 [Console] Preserving line breaks between sentences according to the exception message (@yceruto)
• bug #23722 [Form] Fixed GroupSequence with "constraints" option (@HeahDude)
• bug #22321 [Filesystem] Fixed makePathRelative (@ausi)
• bug #23473 [Filesystem] mirror - fix copying content with same name as source/target. (@gitlost)
• bug #24162 [WebProfilerBundle] fixed TemplateManager when using Twig 2 without compat interfaces (@fabpot)
• bug #24141 [DomCrawler] Fix conversion to int on GetPhpFiles (@MaraBlaga)
• bug #23853 Filtering empty uuids in ORMQueryBuilderLoader. (@mlazovla)
• bug #24101 [Security] Fix exception when use_referer option is true and referer is not set or empty (@linniksa)
• bug #24105 [Filesystem] check permissions if dump target dir is missing (@xabbuh)
• bug #24115 [FrameworkBundle] Get KERNEL_DIR through $_ENV too for KernelTestCase (@yceruto)
• bug #24041 [ExpressionLanguage] throws an exception on calling uncallable method (@fmata)
• bug #24096 Fix ArrayInput::toString() for VALUE_IS_ARRAY options/args (@chalasr)
• bug #23730 Fixed the escaping of back slashes and << in console output (@javiereguiluz)

[PR] https://github.com/symfony/symfony/pull/24450

Changelog (since https://github.com/symfony/symfony/compare/v2.8.26...v2.8.27)

• bug #23989 [Debug] Remove false-positive check in DebugClassLoader (@nicolas-grekas)
• bug #23982 [VarDumper] Strengthen dumped JS (@nicolas-grekas)
• bug #23925 [Validator] Fix use of GroupSequenceProvider in child classes (@linniksa)
• bug #23945 [Validator] Fix Greek translation (@azhurb)
• bug #23909 [Console] Initialize lazily to render exceptions properly (@nicolas-grekas)
• bug #23856 [DI] Fix dumping abstract with YamlDumper (@nicolas-grekas)
• bug #23752 Ignore memcached missing key error on session destroy (@jderusse)
• bug #23658 [HttpFoundation] Generate safe fallback filename for wrongly encoded filename (@xelaris)
• bug #23783 Avoid infinite loops when profiler data is malformed (@javiereguiluz)
• bug #23729 [Bridge\ProxyManager] Dont call __destruct() on non-instantiated services (@nicolas-grekas)

[PR] https://github.com/symfony/symfony/pull/24012

Changelog (since https://github.com/symfony/symfony/compare/v2.7.33...v2.7.34)

• bug #23989 [Debug] Remove false-positive check in DebugClassLoader (@nicolas-grekas)
• bug #23982 [VarDumper] Strengthen dumped JS (@nicolas-grekas)
• bug #23925 [Validator] Fix use of GroupSequenceProvider in child classes (@linniksa)
• bug #23945 [Validator] Fix Greek translation (@azhurb)
• bug #23909 [Console] Initialize lazily to render exceptions properly (@nicolas-grekas)
• bug #23856 [DI] Fix dumping abstract with YamlDumper (@nicolas-grekas)
• bug #23752 Ignore memcached missing key error on session destroy (@jderusse)
• bug #23658 [HttpFoundation] Generate safe fallback filename for wrongly encoded filename (@xelaris)
• bug #23783 Avoid infinite loops when profiler data is malformed (@javiereguiluz)
• bug #23729 [Bridge\ProxyManager] Dont call __destruct() on non-instantiated services (@nicolas-grekas)

[PR] https://github.com/symfony/symfony/pull/24010

Changelog (since https://github.com/symfony/symfony/compare/v2.8.25...v2.8.26)

• bug #22244 [Console] Fix passing options with defaultCommand (@Jakub Sacha)
• bug #23684 [Debug] Missing escape in debug output (@c960657)
• bug #23662 [VarDumper] Adapt to php 7.2 changes (@nicolas-grekas)
• bug #23649 [Form][TwigBridge] Don't render _method in form_rest() for a child form (@fmarchalemisys)
• bug #23023 [DoctrineBridge][PropertyInfo] Added support for Doctrine Embeddables (@vudaltsov)
• bug #23619 [Validator] Fix IbanValidator for ukrainian IBANs (@paroe)
• bug #23238 [Security] ensure the 'route' index is set before attempting to use it (@gsdevme)
• bug #23330 [WebProfilerBundle] Fix full sized dump hovering in toolbar (@ogizanagi)
• bug #23580 Fix login redirect when referer contains a query string (@fabpot)
• bug #23574 [VarDumper] Move locale sniffing to dump() time (@nicolas-grekas)

[PR] https://github.com/symfony/symfony/pull/23735

Changelog (since https://github.com/symfony/symfony/compare/v2.7.32...v2.7.33)

• bug #22244 [Console] Fix passing options with defaultCommand (@Jakub Sacha)
• bug #23684 [Debug] Missing escape in debug output (@c960657)
• bug #23662 [VarDumper] Adapt to php 7.2 changes (@nicolas-grekas)
• bug #23649 [Form][TwigBridge] Don't render _method in form_rest() for a child form (@fmarchalemisys)
• bug #23619 [Validator] Fix IbanValidator for ukrainian IBANs (@paroe)
• bug #23238 [Security] ensure the 'route' index is set before attempting to use it (@gsdevme)
• bug #23580 Fix login redirect when referer contains a query string (@fabpot)
• bug #23574 [VarDumper] Move locale sniffing to dump() time (@nicolas-grekas)

[PR] https://github.com/symfony/symfony/pull/23734

Changelog (since https://github.com/symfony/symfony/compare/v2.8.24...v2.8.25)

• security #23507 [Security] validate empty passwords again (@xabbuh)
• bug #23526 [HttpFoundation] Set meta refresh time to 0 in RedirectResponse content (@jnvsor)
• bug #23540 Disable inlining deprecated services (@alekitto)
• bug #23468 [DI] Handle root namespace in service definitions (@ro0NL)
• bug #23256 [Security] Fix authentication.failure event not dispatched on AccountStatusException (@chalasr)
• bug #23461 Use rawurlencode() to transform the Cookie into a string (@javiereguiluz)
• bug #23459 [TwigBundle] allow to configure custom formats in XML configs (@xabbuh)
• bug #23460 Don't display the Symfony debug toolbar when printing the page (@javiereguiluz)
• bug #23261 Fixed absolute url generation for query strings and hash urls (@alexander-schranz)
• bug #23398 [Filesystem] Dont copy perms when origin is remote (@nicolas-grekas)

[PR] https://github.com/symfony/symfony/pull/23553
[SECURITY] Security release

Changelog (since https://github.com/symfony/symfony/compare/v2.7.31...v2.7.32)

• security #23507 [Security] validate empty passwords again (@xabbuh)
• bug #23526 [HttpFoundation] Set meta refresh time to 0 in RedirectResponse content (@jnvsor)
• bug #23468 [DI] Handle root namespace in service definitions (@ro0NL)
• bug #23256 [Security] Fix authentication.failure event not dispatched on AccountStatusException (@chalasr)
• bug #23461 Use rawurlencode() to transform the Cookie into a string (@javiereguiluz)
• bug #23459 [TwigBundle] allow to configure custom formats in XML configs (@xabbuh)
• bug #23261 Fixed absolute url generation for query strings and hash urls (@alexander-schranz)
• bug #23398 [Filesystem] Dont copy perms when origin is remote (@nicolas-grekas)

[PR] https://github.com/symfony/symfony/pull/23552
[SECURITY] Security release

Changelog (since https://github.com/symfony/symfony/compare/v2.8.23...v2.8.24)

• bug #23378 [FrameworkBundle] Do not remove files from assets dir (@1ed)

[PR] https://github.com/symfony/symfony/pull/23401

Changelog (since https://github.com/symfony/symfony/compare/v2.7.30...v2.7.31)

• bug #23378 [FrameworkBundle] Do not remove files from assets dir (@1ed)

[PR] https://github.com/symfony/symfony/pull/23397

Changelog (since https://github.com/symfony/symfony/compare/v2.8.22...v2.8.23)

• bug #23341 [DoctrineBridge][Security][Validator] do not validate empty values (@xabbuh)
• bug #23274 Display a better error design when the toolbar cannot be displayed (@yceruto)
• bug #23333 [PropertyAccess] Fix TypeError discard (@dunglas)
• bug #23345 [Console] fix description of INF default values (@xabbuh)
• bug #23279 Don't call count on non countable object (@pierredup)
• bug #23283 [TwigBundle] add back exception check (@xabbuh)
• bug #23268 Show exception is checked twice in ExceptionController of twig (@gmponos)
• bug #23266 Display a better error message when the toolbar cannot be displayed (@javiereguiluz)
• bug #23271 [FrameworkBundle] allow SSI fragments configuration in XML files (@xabbuh)
• bug #23254 [Form][TwigBridge] render hidden _method field in form_rest() (@xabbuh)
• bug #23250 [Translation] return fallback locales whenever possible (@xabbuh)
• bug #23240 [Console] Fix catching exception type in QuestionHelper (@voronkovich)
• bug #23229 [WebProfilerBundle] Eliminate line wrap on count column (routing) (@e-moe)
• bug #22732 [Security] fix switch user _exit without having current token (@dmaicher)
• bug #22730 [FrameworkBundle] Sessions: configurable "use_strict_mode" option for NativeSessionStorage (@MacDada)
• bug #23195 [FrameworkBundle] [Command] Clean bundle directory, fixes #23177 (@NicolasPion)
• bug #23052 [TwigBundle] Add Content-Type header for exception response (@rchoquet)
• bug #23199 Reset redirectCount when throwing exception (@hvanoch)
• bug #23186 [TwigBundle] Move template.xml loading to a compiler pass (@ogizanagi)
• bug #23130 Keep s-maxage when expiry and validation are used in combination (@mpdude)
• bug #23129 Fix two edge cases in ResponseCacheStrategy (@mpdude)
• feature #22636 [Routing] Expose request in route conditions, if needed and possible (@ro0NL)
• bug #22636 [Routing] Expose request in route conditions, if needed and possible (@ro0NL)
• bug #23057 [Translation][FrameworkBundle] Fix resource loading order inconsistency reported in #23034 (@mpdude)
• bug #23092 [Filesystem] added workaround in Filesystem::rename for PHP bug (@VolCh)
• bug #23128 [HttpFoundation] fix for Support for new 7.1 session options (@vincentaubert)
• bug #23176 [VarDumper] fixes (@nicolas-grekas)
• bug #22953 #22839 - changed debug toolbar dump section to relative and use full window width (@mkurzeja)
• bug #23086 [FrameworkBundle] Fix perf issue in CacheClearCommand::warmup() (@nicolas-grekas)
• bug #23098 Cache ipCheck (2.7) (@gonzalovilaseca)
• bug #23069 [SecurityBundle] Show unique Inherited roles in profile panel (@yceruto)

[PR] https://github.com/symfony/symfony/pull/23367

Changelog (since https://github.com/symfony/symfony/compare/v2.7.29...v2.7.30)

• bug #23341 [DoctrineBridge][Security][Validator] do not validate empty values (@xabbuh)
• bug #23274 Display a better error design when the toolbar cannot be displayed (@yceruto)
• bug #23333 [PropertyAccess] Fix TypeError discard (@dunglas)
• bug #23345 [Console] fix description of INF default values (@xabbuh)
• bug #23279 Don't call count on non countable object (@pierredup)
• bug #23283 [TwigBundle] add back exception check (@xabbuh)
• bug #23268 Show exception is checked twice in ExceptionController of twig (@gmponos)
• bug #23266 Display a better error message when the toolbar cannot be displayed (@javiereguiluz)
• bug #23271 [FrameworkBundle] allow SSI fragments configuration in XML files (@xabbuh)
• bug #23254 [Form][TwigBridge] render hidden _method field in form_rest() (@xabbuh)
• bug #23250 [Translation] return fallback locales whenever possible (@xabbuh)
• bug #22732 [Security] fix switch user _exit without having current token (@dmaicher)
• bug #22730 [FrameworkBundle] Sessions: configurable "use_strict_mode" option for NativeSessionStorage (@MacDada)
• bug #23195 [FrameworkBundle] [Command] Clean bundle directory, fixes #23177 (@NicolasPion)
• bug #23052 [TwigBundle] Add Content-Type header for exception response (@rchoquet)
• bug #23199 Reset redirectCount when throwing exception (@hvanoch)
• bug #23186 [TwigBundle] Move template.xml loading to a compiler pass (@ogizanagi)
• bug #23130 Keep s-maxage when expiry and validation are used in combination (@mpdude)
• bug #23129 Fix two edge cases in ResponseCacheStrategy (@mpdude)
• feature #22636 [Routing] Expose request in route conditions, if needed and possible (@ro0NL)
• bug #22636 [Routing] Expose request in route conditions, if needed and possible (@ro0NL)
• bug #23057 [Translation][FrameworkBundle] Fix resource loading order inconsistency reported in #23034 (@mpdude)
• bug #23092 [Filesystem] added workaround in Filesystem::rename for PHP bug (@VolCh)
• bug #23128 [HttpFoundation] fix for Support for new 7.1 session options (@vincentaubert)
• bug #23176 [VarDumper] fixes (@nicolas-grekas)
• bug #23086 [FrameworkBundle] Fix perf issue in CacheClearCommand::warmup() (@nicolas-grekas)
• bug #23098 Cache ipCheck (2.7) (@gonzalovilaseca)

[PR] https://github.com/symfony/symfony/pull/23361

Changelog (since https://github.com/symfony/symfony/compare/v2.8.21...v2.8.22)

• bug #23073 [TwigBridge] Fix namespaced classes (@ogizanagi)
• bug #22936 [Form] Mix attr option between guessed options and user options (@yceruto)
• bug #22988 [PropertyInfo][DoctrineBridge] The bigint Doctrine's type must be converted to string (@dunglas)
• bug #23014 Fix optional cache warmers are always instantiated whereas they should be lazy-loaded (@romainneutron)
• bug #23024 [EventDispatcher] Fix ContainerAwareEventDispatcher::hasListeners(null) (@nicolas-grekas)
• bug #22996 [Form] Fix \IntlDateFormatter timezone parameter usage to bypass PHP bug #66323 (@romainneutron)
• bug #22994 Harden the debugging of Twig filters and functions (@stof)

[PR] https://github.com/symfony/symfony/pull/23099

Changelog (since https://github.com/symfony/symfony/compare/v2.7.28...v2.7.29)

• bug #23069 [SecurityBundle] Show unique Inherited roles in profile panel (@yceruto)
• bug #23073 [TwigBridge] Fix namespaced classes (@ogizanagi)
• bug #22936 [Form] Mix attr option between guessed options and user options (@yceruto)
• bug #23024 [EventDispatcher] Fix ContainerAwareEventDispatcher::hasListeners(null) (@nicolas-grekas)
• bug #22996 [Form] Fix \IntlDateFormatter timezone parameter usage to bypass PHP bug #66323 (@romainneutron)
• bug #22994 Harden the debugging of Twig filters and functions (@stof)

[PR] https://github.com/symfony/symfony/pull/23096

Changelog (since https://github.com/symfony/symfony/compare/v2.8.20...v2.8.21)

• bug #22847 [Console] ChoiceQuestion must have choices (@ro0NL)
• bug #22900 [FrameworkBundle][Console] Fix the override of a command registered by the kernel (@aaa2000)
• bug #22910 [Filesystem] improve error handling in lock() (@xabbuh)
• bug #22718 [Console] Fixed different behaviour of key and value user inputs in multiple choice question (@borNfreee)
• bug #22901 Fix missing abstract key in XmlDumper (@weaverryan)
• bug #22817 [PhpUnitBridge] optional error handler arguments (@xabbuh)
• bug #22752 Improved how profiler errors are displayed on small screens (@javiereguiluz)
• bug #22647 [VarDumper] Fix dumping of non-nested stubs (@nicolas-grekas)
• bug #22584 [Security] Avoid unnecessary route lookup for empty logout path (@ro0NL)
• bug #22690 [Console] Fix errors not rethrown even if not handled by console.error listeners (@chalasr)
• bug #22669 [FrameworkBundle] AbstractConfigCommand: do not try registering bundles twice (@ogizanagi)
• bug #22676 [FrameworkBundle] Adding the extension XML (@flug)

[PR] https://github.com/symfony/symfony/pull/22946

Changelog (since https://github.com/symfony/symfony/compare/v2.7.27...v2.7.28)

• bug #22847 [Console] ChoiceQuestion must have choices (@ro0NL)
• bug #22900 [FrameworkBundle][Console] Fix the override of a command registered by the kernel (@aaa2000)
• bug #22910 [Filesystem] improve error handling in lock() (@xabbuh)
• bug #22718 [Console] Fixed different behaviour of key and value user inputs in multiple choice question (@borNfreee)
• bug #22901 Fix missing abstract key in XmlDumper (@weaverryan)
• bug #22817 [PhpUnitBridge] optional error handler arguments (@xabbuh)
• bug #22647 [VarDumper] Fix dumping of non-nested stubs (@nicolas-grekas)
• bug #22584 [Security] Avoid unnecessary route lookup for empty logout path (@ro0NL)
• bug #22690 [Console] Fix errors not rethrown even if not handled by console.error listeners (@chalasr)
• bug #22669 [FrameworkBundle] AbstractConfigCommand: do not try registering bundles twice (@ogizanagi)
• bug #22676 [FrameworkBundle] Adding the extension XML (@flug)

[PR] https://github.com/symfony/symfony/pull/22945

Changelog (since https://github.com/symfony/symfony/compare/v2.8.19...v2.8.20)

• bug #22550 Allow Upper Case property names in ObjectNormalizer (@insekticid)
• bug #22528 [Asset] Starting slash should indicate no basePath wanted (@weaverryan)
• bug #22541 [EventDispatcher] fix: unwrap listeners for correct info (@dmaicher)
• bug #22526 [Asset] Preventing the base path or absolute URL from being prefixed incorrectly (@weaverryan)
• bug #22523 [WebProfilerBundle] Fixed the flickering when loading complex profiler panels (@javiereguiluz)
• bug #22435 [Console] Fix dispatching throwables from ConsoleEvents::COMMAND (@nicolas-grekas)
• bug #22478 [Serializer] XmlEncoder: fix negative int and large numbers handling (@dunglas)
• bug #22424 [Debug] Set exit status to 255 on error (@nicolas-grekas)
• bug #22426 [PropertyInfo] Prevent returning int values in some cases (@dunglas)
• bug #22399 Prevent double registrations related to tag priorities (@nicolas-grekas)
• bug #22396 Prevent double registrations related to tag priorities (@nicolas-grekas)
• bug #22352 [HttpFoundation] Add use_strict_mode in validOptions for session (@sstok)
• bug #22351 [Yaml] don't keep internal state between parser runs (@xabbuh)
• bug #22307 [Debug] Fix php notice (@enumag)
• bug #22311 [DI] Fix second auto-registration (@nicolas-grekas)
• bug #22109 [Validator] check for empty host when calling checkdnsrr() (@apetitpa)
• bug #22280 [DI] Fix the xml schema (@GuilhemN)
• bug #22282 [DI] Prevent AutowirePass from triggering irrelevant deprecations (@chalasr)
• bug #22255 [Translation] avoid creating cache files for fallback locales. (@aitboudad)
• bug #22292 Fixes #22264 - add support for Chrome headless (@redthor)

[PR] https://github.com/symfony/symfony/pull/22599

Changelog (since https://github.com/symfony/symfony/compare/v2.7.26...v2.7.27)

• bug #22528 [Asset] Starting slash should indicate no basePath wanted (@weaverryan)
• bug #22526 [Asset] Preventing the base path or absolute URL from being prefixed incorrectly (@weaverryan)
• bug #22435 [Console] Fix dispatching throwables from ConsoleEvents::COMMAND (@nicolas-grekas)
• bug #22478 [Serializer] XmlEncoder: fix negative int and large numbers handling (@dunglas)
• bug #22424 [Debug] Set exit status to 255 on error (@nicolas-grekas)
• bug #22396 Prevent double registrations related to tag priorities (@nicolas-grekas)
• bug #22352 [HttpFoundation] Add use_strict_mode in validOptions for session (@sstok)
• bug #22351 [Yaml] don't keep internal state between parser runs (@xabbuh)
• bug #22307 [Debug] Fix php notice (@enumag)
• bug #22109 [Validator] check for empty host when calling checkdnsrr() (@apetitpa)
• bug #22280 [DI] Fix the xml schema (@GuilhemN)
• bug #22255 [Translation] avoid creating cache files for fallback locales. (@aitboudad)
• bug #22292 Fixes #22264 - add support for Chrome headless (@redthor)

[PR] https://github.com/symfony/symfony/pull/22598

Changelog (since https://github.com/symfony/symfony/compare/v2.8.18...v2.8.19)

• bug #22265 Allow Upper Case property names (@insekticid)
• bug #22258 [DI] Autowiring and factories are incompatible with each others (@nicolas-grekas)
• bug #22254 [DI] Don't use auto-registered services to populate type-candidates (@nicolas-grekas)
• bug #22229 [ExpressionLanguage] Provide the expression in syntax errors (@k0pernikus, @stof)
• bug #22251 [PropertyInfo] Support nullable array or collection (@4rthem)
• bug #22240 [DI] Fix fatal error at ContainerBuilder::compile() if config is not installed (@chalasr)
• bug #22140 [Form] Improve the exceptions when trying to get the data in a PRE_SET_DATA listener and the data has not already been set (@fancyweb)
• bug #22217 [Console] Fix table cell styling (@ro0NL)
• bug #22194 [Console] CommandTester: disable color support detection (@julienfalque)
• bug #22188 [Console] Revised exception rendering (@ro0NL)
• bug #22154 [WebProfilerBundle] Normalize whitespace in exceptions passed in headers (@curry684)
• bug #22142 [Console] Escape exception messages in renderException (@chalasr)
• bug #22172 Fix port usage in server:status command (@alcaeus)
• bug #22164 [Bridge\Doctrine] Fix change breaking doctrine-bundle test suite (@nicolas-grekas)
• bug #22133 [Filesystem] normalize paths before making them relative (@xabbuh)
• bug #22138 [HttpFoundation][bugfix] $bags should always be initialized (@MacDada)
• bug #21810 #21809 [SecurityBundle] bugfix: if security provider's name contains upper cases then container didn't compile (@Antanas Arvasevicius)
• bug #22123 [WebProfilerBundle] Fix for CSS attribute at Profiler Translation Page (@e-moe)
• bug #19778 [Security] Fixed roles serialization on token from user object (@eko)
• bug #22036 Set Date header in Response constructor already (@mpdude)
• bug #22022 [Validator] fix URL validator to detect non supported chars according to RFC 3986 (@e-moe)
• bug #21849 [HttpFoundation] Fix missing handling of for/host/proto info from "Forwarded" header (@nicolas-grekas)
• bug #21968 Fixed pathinfo calculation for requests starting with a question mark. (@syzygymsu)
• bug #22027 Revert "bug #21841 [Console] Do not squash input changes made from console.command event (chalasr)" (@chalasr)
• bug #21846 [HttpFoundation] Fix Request::getHost() when having several hosts in X_FORWARDED_HOST (@nicolas-grekas)
• bug #21208 [Validator] Add object handling of invalid constraints in Composite (@SenseException)
• bug #22044 [Serializer] [XML] Ignore Process Instruction (@jordscream)
• bug #22079 [HttpKernel] Fixed bug with purging of HTTPS URLs (@ausi)
• bug #21523 #20411 fix Yaml parsing for very long quoted strings (@RichardBradley)
• bug #22001 [Doctrine Bridge] fix priority for doctrine event listeners (@dmaicher)
• bug #21981 [Console] Use proper line endings in BufferedOutput (@julienfalque)
• bug #21976 [VarDumper] Add missing isset() checks in some casters (@nicolas-grekas)
• bug #21957 [Form] Choice type int values (BC Fix) (@mcfedr)
• bug #21923 [travis] Test with hhvm 3.18 (@nicolas-grekas)
• bug #21823 dumpFile(), preserve existing file permissions (@chs2)
• bug #21865 [Security] context listener: hardening user provider handling (@xabbuh)
• bug #21883 [HttpKernel] fix Kernel name when stored in a directory starting with a number (@fabpot)

[PR] https://github.com/symfony/symfony/pull/22284

Changelog (since https://github.com/symfony/symfony/compare/v2.7.25...v2.7.26)

• bug #22229 [ExpressionLanguage] Provide the expression in syntax errors (@k0pernikus, @stof)
• bug #22240 [DI] Fix fatal error at ContainerBuilder::compile() if config is not installed (@chalasr)
• bug #22140 [Form] Improve the exceptions when trying to get the data in a PRE_SET_DATA listener and the data has not already been set (@fancyweb)
• bug #22217 [Console] Fix table cell styling (@ro0NL)
• bug #22194 [Console] CommandTester: disable color support detection (@julienfalque)
• bug #22188 [Console] Revised exception rendering (@ro0NL)
• bug #22154 [WebProfilerBundle] Normalize whitespace in exceptions passed in headers (@curry684)
• bug #22142 [Console] Escape exception messages in renderException (@chalasr)
• bug #22172 Fix port usage in server:status command (@alcaeus)
• bug #22164 [Bridge\Doctrine] Fix change breaking doctrine-bundle test suite (@nicolas-grekas)
• bug #22133 [Filesystem] normalize paths before making them relative (@xabbuh)
• bug #22138 [HttpFoundation][bugfix] $bags should always be initialized (@MacDada)
• bug #21810 #21809 [SecurityBundle] bugfix: if security provider's name contains upper cases then container didn't compile (@Antanas Arvasevicius)
• bug #19778 [Security] Fixed roles serialization on token from user object (@eko)
• bug #22022 [Validator] fix URL validator to detect non supported chars according to RFC 3986 (@e-moe)
• bug #21968 Fixed pathinfo calculation for requests starting with a question mark. (@syzygymsu)
• bug #21846 [HttpFoundation] Fix Request::getHost() when having several hosts in X_FORWARDED_HOST (@nicolas-grekas)
• bug #21208 [Validator] Add object handling of invalid constraints in Composite (@SenseException)
• bug #22044 [Serializer] [XML] Ignore Process Instruction (@jordscream)
• bug #22079 [HttpKernel] Fixed bug with purging of HTTPS URLs (@ausi)
• bug #21523 #20411 fix Yaml parsing for very long quoted strings (@RichardBradley)
• bug #22001 [Doctrine Bridge] fix priority for doctrine event listeners (@dmaicher)
• bug #21981 [Console] Use proper line endings in BufferedOutput (@julienfalque)
• bug #21957 [Form] Choice type int values (BC Fix) (@mcfedr)
• bug #21923 [travis] Test with hhvm 3.18 (@nicolas-grekas)
• bug #21823 dumpFile(), preserve existing file permissions (@chs2)
• bug #21865 [Security] context listener: hardening user provider handling (@xabbuh)
• bug #21883 [HttpKernel] fix Kernel name when stored in a directory starting with a number (@fabpot)

[PR] https://github.com/symfony/symfony/pull/22263

Changelog (since https://github.com/symfony/symfony/compare/v2.8.17...v2.8.18)

• bug #21823 dumpFile(), preserve existing file permissions (@chs2)
• bug #21865 [Security] context listener: hardening user provider handling (@xabbuh)
• bug #21883 [HttpKernel] fix Kernel name when stored in a directory starting with a number (@fabpot)
• bug #21841 [Console] Do not squash input changes made from console.command event (@chalasr)
• bug #21671 [Serializer] Xml encoder throws exception for valid data (@gr1ev0us)
• bug #21805 Provide less state in getRequestFormat (@dawehner)
• bug #21832 [Routing] Ignore hidden directories when loading routes from annotations (@jakzal)
• bug #21769 [Form] Improve rounding precision (@foaly-nr1)
• bug #21825 [PhpUnitBridge] disable global test listener when not registered (@xabbuh)
• bug #21267 [Form] Fix ChoiceType to ensure submitted data is not nested unnecessarily (@issei-m)
• bug #21731 Fix emacs link (@rubenrua)
• bug #21800 Fix issues reported by static analyze (@romainneutron)
• bug #21798 Revert "bug #21791 [SecurityBundle] only pass relevant user provider (xabbuh)" (@xabbuh)
• bug #21791 [SecurityBundle] only pass relevant user provider (@xabbuh)
• bug #21787 [PhpUnitBridge] do not register the test listener twice (@xabbuh)
• bug #21756 [Yaml] Stop replacing NULLs when merging (@gadelat)
• bug #21689 [WebServerBundle] fixed html attribute escape (@Seb33300)
• bug #21722 [ExpressionLanguage] Registering functions after calling evaluate(), compile() or parse() is not supported (@maidmaid)
• bug #21679 [SecurityBundle] fix priority ordering of security voters (@xabbuh)
• bug #21115 [Validator] do not guess getter method names (@xabbuh)
• bug #21670 [DependencyInjection] Fix autowiring types when there are more than 2 services colliding (@GuilhemN)
• bug #21665 [DependencyInjection] Fix autowiring collisions detection (@nicolas-grekas, @GuilhemN)
• bug #21661 Fix Composer constraints (@fabpot)
• bug #21582 [HttpCache] purge both http and https from http cache (@dbu)
• bug #21637 [FrameworkBundle] remove translation data collector when not usable (@xabbuh)
• bug #21634 [VarDumper] Added missing persistent stream cast (@lyrixx)
• bug #21436 [DependencyInjection] check for circular refs caused by method calls (@xabbuh)
• bug #21400 [Serializer] fix upper camel case conversion (see #21399) (@markusu49)
• bug #21599 [Console][Table] fixed render when using multiple rowspans. (@aitboudad)
• bug #21613 [Process] Permit empty suffix on Windows (@Bilge)
• bug #21057 [DI] Auto register extension configuration classes as a resource (@ro0NL)
• bug #21592 [Validator] property constraints can be added in child classes (@angelk, @xabbuh)
• bug #21458 [Config] Early return for DirectoryResource (@robfrawley)
• bug #21562 [DoctrineBridge] make sure that null can be the invalid value (@xabbuh)
• bug #21584 [WebProfilerBundle] Readd Symfony version status in the toolbar (@wouterj)
• bug #21557 [VarDumper] Improve dump of AMQP* Object (@lyrixx)
• bug #21542 [VarDumper] Fixed dumping of terminated generator (@lyrixx)

[PR] https://github.com/symfony/symfony/pull/21885