CakePHP 4.4.3 released

The CakePHP core team is happy to announce the immediate availability of CakePHP 4.4.3. This is a maintenance release for the 4.4 branch that fixes several community reported issues.

Bugfixes

You can expect the following changes in 4.4.3. See the changelog for every commit.

• Fixed a potential method call on null in file assertion methods.
• Improved compatibility with PHP 8.2.
• TableLocator::get() no longer throws an error if a table is configured with options and then mocked.
• Updated CI configuration to use windows 2022 image.
• Fixed a regression in Folder::create() where umask was not correctly set.
• Cache keys used with FileEngine are now URL encoded. This aligns the characters valid in cache keys with other engines. It could cause cache misses for applications that were previously using characters outside of the alpha-numeric ranges.
• Removed redundant class type checks.
• Fixed ResultSet indexes being mutated by exceptions thrown within a loop while xdebug is enabled.
• TableLocator now handles getting tables by namespaced class name better.
• Unused properties in Database\Query were deprecated.
• Improve casting of integer routing parameters.

Contributors to 4.4.3

Thank you to all the contributors that helped make this release happen:

• ADmad
• Apisathan
• chris cnizzardini
• Edgaras Janušauskas
• Erwane Breton
• Kevin Pfeifer
• Mark Story
• othercorey

As always, we would like to thank all the contributors that opened issues, created pull requests or updated the documentation.

CakePHP 4.4.2 released

CakePHP 4.4.2 Released

The CakePHP core team is happy to announce the immediate availability of CakePHP 4.4.2. This is a maintenance release for the 4.4 branch that fixes several community reported issues.

Bugfixes

You can expect the following changes in 4.4.2. See the changelog for every commit.

• Updated constraints on laminas packages.
• Improved EntityTrait::_accessible type annotation.
• Added the encrypt and trustServerCertificate options to SqlServerDriver.
• When viewClasses() based extension driven content-negotiation fails a NotFoundException will now be raised.
• Fixed ServerRequest::is('xml') from returning true on the default Accept header sent by Firefox.
• Added deprecation for the Error.errorLogger configure option. This was missed during the development of the ErrorTrap sub-system.
• Improved API documentation.

Contributors to 4.4.2

Thank you to all the contributors that helped make this release happen:

• ADmad
• Cristian Haunsen
• Mark Story
• Michael Hoffmann
• Nicos Panayides
• othercorey

As always, we would like to thank all the contributors that opened issues, created pull requests or updated the documentation.

CakePHP 4.4.1 released

The CakePHP core team is happy to announce the immediate availability of CakePHP 4.4.1. This is a maintenance release for the 4.4 branch that fixes several community reported issues.

Bugfixes

You can expect the following changes in 4.4.1. See the changelog for every commit.

• Fixed broken links in API documentation.
• Reverted a deprecation in implementedEvents() as DebugKit was relying on it and we missed identifying this usage earlier.
• Added scanCount to RedisEngine to give more control over how keys are cleared.
• Improved deprecation warning for ResultSetInterface proxying.
• Fixed updating belongsToMany association junction records that contain composite primary keys that involve a column that is mapped to a non-scalar value
• Fixed P1D date interval expressions when used as cache TTL values.

Contributors to 4.4.1

Thank you to all the contributors that helped make this release happen:

• ADmad
• Alex Mayer
• Corey Taylor
• Erwane
• Mark Story
• Nicos Panayides
• ndm2
• othercorey

As always, we would like to thank all the contributors that opened issues, created pull requests or updated the documentation.

CakePHP 4.4.0 released

The CakePHP core team is happy to announce the immediate availability of CakePHP 4.4.0. This is the first stable release of 4.4.0. 4.4.0 provides a number improvements to CakePHP.

Upgrading to 4.4.0

You can use composer to upgrade to CakePHP 4.4.0::

php composer.phar require --update-with-dependencies "cakephp/cakephp:4.4.*"

Deprecation Warnings

4.4 introduces a few deprecations. All of these features will continue for the duration of 4.x but will be removed in 5.0. See the migration guide.

What's new in 4.4.0?

The migration guide has a complete list of what's new in 4.4.0. We recommend you give that page a read when upgrading. A few highlights from 4.4.0 are:

• A new Error and Exception handling framework that is easier to extend and requires less application code to operate.
• The RedisEngine now supports fast deletes with deleteAsync().
• bin/cake routes now highlights collisions in route templates.
• Controller::viewClasses() was added. This method enables controllers to take control of what content-types they can respond as.
• View classes can define the static method contentType() to participate in content-type negotiation.
• Query::expr() was added as an alternative to Query::newExpr().
• The QueryExpression::case() builder now supports inferring the type from expressions passed to then() and else() that implement \Cake\Database\TypedResultInterface.
• BaseApplication::handle() now adds the $request into the service container all the time.
• HttpsEnforcerMiddleware now has an hsts option that allows you to configure the Strict-Transport-Security header.
• TreeBehavior now supports triggering ORM callbacks when deleting nodes.

Contributors to 4.4.0

Thank you to all the contributors that helped make 4.4 happen:

• ADmad
• Alejandro Ibarra
• Chetan Varshney
• Corey Taylor
• Gerhard Lechner
• itosho
• Jorge González
• Kevin Pfeifer
• Mark Scherer
• Mark Story
• naveen
• saeideng

As always, a huge thanks to all the community members that helped make this release happen by reporting issues and sending pull requests. 4.4.0 is a large release and would not have been possible without the community support and feedback.

What's Next

With 4.4.0 shipped, the core team's focus will be primarily on CakePHP 5.0. So far in the 5.x branch, the team has:

• Bumped the required version of PHP to 8.1.0
• Removed all the behavior that was deprecated in 4.x.
• Improved typehinting by using features in PHP 8.1.
• Updated interfaces with @method annotations.

The roadmap for 5.x is still under development, and if there is a feature you feel passionate about or a tedious behavior you'd like to see changed, please open an issue and get the discussion started.

CakePHP 4.3.10 released

The CakePHP core team is happy to announce the immediate availability of CakePHP
4.3.10. This is a maintenance release for the 4.3 branch that fixes several community reported issues.

Bugfixes

You can expect the following changes in 4.3.10. See the changelog for every commit.

• Fixed patchEntity() failing when a table contains a field that matches the name and casing of the table alias.
• Fixed Collection::__debugInfo() failing when a count could not be generated.

Contributors to 4.3.10

Thank you to all the contributors that helped make this release happen:

• Kevin Pfeifer
• Mark Story
• naveen
• othercorey
• Robert Gasch
• Sheldon Reiff

As always, we would like to thank all the contributors that opened issues, created pull requests or updated the documentation.

CakePHP 3.10.4 Released

The CakePHP core team is happy to announce the immediate availability of CakePHP 3.10.4. This is a maintenance and security release for the 3.10 branch that fixes a community reported issue, and patches a security vulnerability.

Security Fixes

The 3.10.4 release fixes an encoding issue with the verified tokens feature of CsrfProtectionMiddleware released in 3.10.3. In 3.10.3 verfied tokens were generated using random bytes and would often fail to match as the bytes would be incorrectly encoded when rendered in HTML.

Bugfixes

You can expect the following changes in 3.10.4. See the changelog for every commit.

• Fixed incorrectly encoded CSRF tokens when using the verifyTokenSource option.

Contributors to 3.10.4

Thank you to all the contributors that helped make this release happen:

• Marc Würth
• Mark Story

As always, we would like to thank all the contributors that opened issues, created pull requests or updated the documentation.

CakePHP 4.4.0-RC2 released

The CakePHP core team is proud to announce the second release candidate of CakePHP 4.4.0. The 4.4.0 release will introduce several new features and a handful of deprecations.

New Features

The migration guide has a complete list of what's new in 4.4.0. We recommend you give that page a read when upgrading as it outlines the deprecations present in 4.4.

Changes Since 4.4.0-RC1

• The current request is now automatically added to your application's dependency injection container making it easier to have services that depend on the current request.
• Fixture schema reflection now clears the table registry to prevent errors with applications that initialize tables in initialize() hooks.
• PaginatorHelper::limitControl() now works with multiple pagination.
• Additional features on Debugger were deprecated in favour of using ErrorTrap instead.
• Pagination classes were moved under Cake\Datasources\Paging.
• Renamed DefaultPaginator to NumericPaginator.
• The experimental flag was removed from the dependency injection container. It is now considered a stable API.
• Improved the logging configuration in ErrorTrap and ExceptionTrap.
• Fixed missing use of bindingKey in BelongsToMany associations.
• Improved handling of invalid cookie names.
• Improved content-negotiation with file types that have multiple content-type options.
• The FormContext adapter for FormHelper now supports non-default validation rule sets.
• Added a 'match all' type to View so that fallback view classes can be implemented in the new content-negotiation feature.
• Added deleteAsync() and clearBlocking() methods to the redis cache engine.
• Added new methods to ErrorLoggerInterface with annotations. The new logError() and logException() methods will replace the logMessage() and log() methods respectively in 5.x. Before using the new error handling subsystem you should update any custom error loggers.
• Improved API documentation.
• Removed usage of string interpolation that is deprecated in PHP 8.2

How you Can Help

You can help by trying out the RC in your application. Please open issues for any new test failures or regressions the new version creates in your application.

Contributors to 4.4.0-RC2

Thank you to all the contributors that have helped with 4.4.0:

• ADmad
• Andrii Pukhalevych
• Corey Taylor
• Danial Khoshkhou
• dependabot[bot]
• Gerasimos
• itosho
• Kevin Pfeifer
• Mark Scherer
• Mark Story
• OJMichael
• othercorey
• Remy Bos

We would also like to thank Guarang Maheta for notifying us of a security issue in bakery.cakephp.org and helping us resolve it.

As always, a huge thanks to all the community members that helped make this release happen by reporting issues and sending pull requests.

CakePHP 4.3.9 released

The CakePHP core team is happy to announce the immediate availability of CakePHP 4.3.9. This is a maintenance release for the 4.3 branch that fixes several community reported issues.

Bugfixes

You can expect the following changes in 4.3.9. See the changelog for every commit.

• Improved API documentation.
• Removed redundant function calls in session handling.
• Updated to phpstan 1.6

Contributors to 4.3.9

Thank you to all the contributors that helped make this release happen:

• Mark Scherer
• Mark Story
• othercorey
• Remy Bos

As always, we would like to thank all the contributors that opened issues, created pull requests or updated the documentation.

CakePHP 3.10.3 Released

The CakePHP core team is happy to announce the immediate availability of CakePHP 3.10.2. This is a maintenance and security release for the 3.10 branch that fixes a couple community reported issues, and patches a security vulnerability.

Security Fixes

The 3.10.3 release contains an opt in security fix for CsrfProtectionMiddleware. Prior to this release, if an application has a cross-site-scripting vulnerability, or an attacker has access to a victim's browser CSRF tokens could be manipulated allowing CSRF bypass. This weakness stems from CSRF middleware accepting any matching pair of tokens. With the fix applied, only tokens generated by the host application will be accepted. This fix requires opt-in because it breaks compatibility with existing CSRF tokens that may be in user's browsers/sessions. To enable the new style tokens add the following:

// in src/Application.php
$middlewareQueue->add(new CsrfProtectionMiddleware([
    'verifyTokenSource' => true
]));

Bugfixes

You can expect the following changes in 3.10.3. See the changelog for every commit.

• Fixed a memory leak in TranslatorRegistry when loading translations from cache.

Contributors to 3.10.3

Thank you to all the contributors that helped make this release happen:

• Mark Story
• Val Bancer

As always, we would like to thank all the contributors that opened issues, created pull requests or updated the documentation.

CakePHP 4.3.8 released

The CakePHP core team is happy to announce the immediate availability of CakePHP 4.3.8. This is a maintenance release for the 4.3 branch that fixes several community reported issues.

Bugfixes

You can expect the following changes in 4.3.8. See the changelog for every commit.

• Improved examples in documentation blocks.
• Fixed missing usage of bindingKey in associations generated by BelongsToMany.
• Fixed a TypeError coming from CsrfProtectionMiddleware when cookie data contained invalid base64 encoded data.
• Improved handling of numeric keys in cookie parsing.

Contributors to 4.3.8

Thank you to all the contributors that helped make this release happen:

• ADmad
• Andrii Pukhalevych
• Corey Taylor
• Danial Khoshkhou
• Gerasimos
• Kevin Pfeifer
• Mark Scherer
• Mark Story

As always, we would like to thank all the contributors that opened issues, created pull requests or updated the documentation.