Skip to content

chore(deps): bump symfony/ux-live-component from 2.32.0 to 2.36.0#95

Open
dependabot[bot] wants to merge 76 commits into
masterfrom
dependabot/composer/symfony/ux-live-component-2.36.0
Open

chore(deps): bump symfony/ux-live-component from 2.32.0 to 2.36.0#95
dependabot[bot] wants to merge 76 commits into
masterfrom
dependabot/composer/symfony/ux-live-component-2.36.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 21, 2026

Copy link
Copy Markdown
Contributor

Bumps symfony/ux-live-component from 2.32.0 to 2.36.0.

Release notes

Sourced from symfony/ux-live-component's releases.

v2.36.0

Changelog (symfony/ux-live-component@v2.35.0...v2.36.0)

v2.35.0

Changelog (symfony/ux-live-component@v2.34.0...v2.35.0)

v2.34.0

Changelog (symfony/ux-live-component@v2.33.0...v2.34.0)

v2.33.0

Changelog (symfony/ux-live-component@v2.32.0...v2.33.0)

  • bug #3372 Fix reflection issues for private properties from trait and parent class (@​kachnitel)
  • feature #3364 Add debug:live-component command (Mickaël BULIARD)
  • feature #3361 Allow components use dynamically templates (@​xDeSwa)
  • bug #3363 Fix preservation of !important inline style changes (@​xDeSwa)
  • feature #3362 Migrate from tsup (deprecated) to tsdown (@​Kocal)
  • bug #3353 Fix PHPDoc types of TestLiveComponent::call() (@​StevenRenaux)
  • feature #3336 Add option fetchCredentials (@​Kocal)
  • bug #3337 Fix tests with lowest dependencies, incompatibility with zenstruck/foundry and Symfony 5.4 (@​GromNaN)
  • bug #3325 Fix minimum requested 6.x version of FrameworkBundle for LiveComponent (@​Kocal)
  • bug #3304 Fix npm releases due to repository issue (@​Kocal)
  • bug #3290 Update root JS dependencies (@​Kocal)
  • bug #3279 Remove usage of framework.annotations.enabled (@​Kocal)
Changelog

Sourced from symfony/ux-live-component's changelog.

CHANGELOG

3.1

  • Fix dynamic template resolution when using the loading attribute on a deferred component
  • Use aria-busy attribute during component re-render
  • Include field paths and violation messages in UnprocessableEntityHttpException thrown by submitForm() when validation fails
  • Change how the Live Component request checksum is computed (security fix). BC note: users with a payload signed before the upgrade will need to reload their page.
  • Require the X-Requested-With: XMLHttpRequest request header on LiveComponent check. See section 2.36 below for details.

3.0

  • Minimum required Symfony version is now 7.4
  • Minimum required PHP version is now 8.4
  • Remove csrf argument from AsLiveComponent in favor of same-origin/CORS
  • Remove compatibility layer with Symfony PropertyInfo <7.1
  • Remove LegacyLivePropMetadata

2.36

  • Reject malicious child component tags during rendering to prevent crafted component names from being rendered (security fix).

  • Cap the number of actions allowed per _batch request to prevent abuse (security fix).

  • Parse format-less date LiveProps strictly using RFC 3339 to avoid lenient date parsing of attacker-controlled values (security fix).

  • Change how the Live Component request checksum is computed (security fix). BC note: users with a payload signed before the upgrade will need to reload their page.

  • Require the X-Requested-With: XMLHttpRequest request header on LiveComponent requests, in addition to the existing Accept: application/vnd.live-component+html check, to prevent CSRF. The Accept header alone is CORS-safelisted and offers no protection against cross-origin requests crafted with fetch().

    BC break (minor): clients calling LiveComponent endpoints cross-origin must now add X-Requested-With to their CORS Access-Control-Allow-Headers allow-list. The bundled Stimulus controller already sends this header, so standard usage is unaffected.

2.35

  • Allow Symfony UX 3.x packages

2.33

  • Add fetch_credentials option to configure the fetch API credentials mode for cross-origin requests. This is useful when embedding a Live Component from a different domain that requires cookie-based authentication (e.g., JWT stored in cookies)

    Global configuration in config/packages/live_component.yaml:

... (truncated)

Commits
  • a3fb5f2 Update CHANGELOGs for 2.36.0
  • fe2fae7 [LiveComponent] Require X-Requested-With header to prevent CSRF
  • 6d52997 security #cve-2026-49208 [LiveComponent] Parse format-less date LiveProps str...
  • 1290480 security #cve-2026-49209 [LiveComponent] Cap the number of actions per `_batc...
  • b3ab1c5 security #cve-2026-49210 [LiveComponent] Reject malicious child component tag...
  • e207796 [LiveComponent] Bind HMAC checksum to component name and slot
  • d7e30f4 [LiveComponent] Cap the number of actions per _batch request
  • a3de56b [LiveComponent] Parse format-less date LiveProps strictly with RFC 3339
  • 1d1ace2 [LiveComponent] Reject malicious child component tags
  • 156c918 Update versions to 2.35.0
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

dependabot Bot and others added 30 commits May 17, 2026 17:25
Bumps [uuid](https://github.com/uuidjs/uuid) from 11.1.0 to 11.1.1.
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/v11.1.1/CHANGELOG.md)
- [Commits](uuidjs/uuid@v11.1.0...v11.1.1)

---
updated-dependencies:
- dependency-name: uuid
  dependency-version: 11.1.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [mermaid](https://github.com/mermaid-js/mermaid) from 11.12.3 to 11.15.0.
- [Release notes](https://github.com/mermaid-js/mermaid/releases)
- [Commits](https://github.com/mermaid-js/mermaid/compare/mermaid@11.12.3...mermaid@11.15.0)

---
updated-dependencies:
- dependency-name: mermaid
  dependency-version: 11.15.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [twig/markdown-extra](https://github.com/twigphp/markdown-extra) from 3.23.0 to 3.26.0.
- [Release notes](https://github.com/twigphp/markdown-extra/releases)
- [Commits](twigphp/markdown-extra@v3.23.0...v3.26.0)

---
updated-dependencies:
- dependency-name: twig/markdown-extra
  dependency-version: 3.26.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [twig/twig](https://github.com/twigphp/Twig) from 3.22.2 to 3.26.0.
- [Release notes](https://github.com/twigphp/Twig/releases)
- [Changelog](https://github.com/twigphp/Twig/blob/3.x/CHANGELOG)
- [Commits](twigphp/Twig@v3.22.2...v3.26.0)

---
updated-dependencies:
- dependency-name: twig/twig
  dependency-version: 3.26.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [symfony/security-http](https://github.com/symfony/security-http) from 7.4.3 to 7.4.13.
- [Release notes](https://github.com/symfony/security-http/releases)
- [Changelog](https://github.com/symfony/security-http/blob/8.1/CHANGELOG.md)
- [Commits](symfony/security-http@v7.4.3...v7.4.13)

---
updated-dependencies:
- dependency-name: symfony/security-http
  dependency-version: 7.4.13
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [symfony/routing](https://github.com/symfony/routing) from 7.4.3 to 7.4.13.
- [Release notes](https://github.com/symfony/routing/releases)
- [Changelog](https://github.com/symfony/routing/blob/8.1/CHANGELOG.md)
- [Commits](symfony/routing@v7.4.3...v7.4.13)

---
updated-dependencies:
- dependency-name: symfony/routing
  dependency-version: 7.4.13
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [symfony/web-profiler-bundle](https://github.com/symfony/web-profiler-bundle) from 7.4.3 to 7.4.12.
- [Release notes](https://github.com/symfony/web-profiler-bundle/releases)
- [Changelog](https://github.com/symfony/web-profiler-bundle/blob/8.1/CHANGELOG.md)
- [Commits](symfony/web-profiler-bundle@v7.4.3...v7.4.12)

---
updated-dependencies:
- dependency-name: symfony/web-profiler-bundle
  dependency-version: 7.4.12
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [symfony/http-kernel](https://github.com/symfony/http-kernel) from 7.4.3 to 7.4.13.
- [Release notes](https://github.com/symfony/http-kernel/releases)
- [Changelog](https://github.com/symfony/http-kernel/blob/8.1/CHANGELOG.md)
- [Commits](symfony/http-kernel@v7.4.3...v7.4.13)

---
updated-dependencies:
- dependency-name: symfony/http-kernel
  dependency-version: 7.4.13
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [symfony/monolog-bridge](https://github.com/symfony/monolog-bridge) from 7.4.0 to 7.4.12.
- [Release notes](https://github.com/symfony/monolog-bridge/releases)
- [Changelog](https://github.com/symfony/monolog-bridge/blob/8.1/CHANGELOG.md)
- [Commits](symfony/monolog-bridge@v7.4.0...v7.4.12)

---
updated-dependencies:
- dependency-name: symfony/monolog-bridge
  dependency-version: 7.4.12
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [symfony/cache](https://github.com/symfony/cache) from 7.4.3 to 7.4.13.
- [Release notes](https://github.com/symfony/cache/releases)
- [Changelog](https://github.com/symfony/cache/blob/8.1/CHANGELOG.md)
- [Commits](symfony/cache@v7.4.3...v7.4.13)

---
updated-dependencies:
- dependency-name: symfony/cache
  dependency-version: 7.4.13
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [symfony/mime](https://github.com/symfony/mime) from 7.4.0 to 7.4.12.
- [Release notes](https://github.com/symfony/mime/releases)
- [Changelog](https://github.com/symfony/mime/blob/8.1/CHANGELOG.md)
- [Commits](symfony/mime@v7.4.0...v7.4.12)

---
updated-dependencies:
- dependency-name: symfony/mime
  dependency-version: 7.4.12
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [symfony/mailer](https://github.com/symfony/mailer) from 7.4.4 to 7.4.12.
- [Release notes](https://github.com/symfony/mailer/releases)
- [Changelog](https://github.com/symfony/mailer/blob/8.1/CHANGELOG.md)
- [Commits](symfony/mailer@v7.4.4...v7.4.12)

---
updated-dependencies:
- dependency-name: symfony/mailer
  dependency-version: 7.4.12
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [symfony/yaml](https://github.com/symfony/yaml) from 7.4.1 to 7.4.12.
- [Release notes](https://github.com/symfony/yaml/releases)
- [Changelog](https://github.com/symfony/yaml/blob/8.1/CHANGELOG.md)
- [Commits](symfony/yaml@v7.4.1...v7.4.12)

---
updated-dependencies:
- dependency-name: symfony/yaml
  dependency-version: 7.4.12
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [symfony/polyfill-intl-idn](https://github.com/symfony/polyfill-intl-idn) from 1.33.0 to 1.38.1.
- [Release notes](https://github.com/symfony/polyfill-intl-idn/releases)
- [Commits](symfony/polyfill-intl-idn@v1.33.0...v1.38.1)

---
updated-dependencies:
- dependency-name: symfony/polyfill-intl-idn
  dependency-version: 1.38.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot and others added 25 commits June 9, 2026 22:03
Bumps [symfony/runtime](https://github.com/symfony/runtime) from 7.4.1 to 7.4.12.
- [Release notes](https://github.com/symfony/runtime/releases)
- [Changelog](https://github.com/symfony/runtime/blob/8.2/CHANGELOG.md)
- [Commits](symfony/runtime@v7.4.1...v7.4.12)

---
updated-dependencies:
- dependency-name: symfony/runtime
  dependency-version: 7.4.12
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [guzzlehttp/psr7](https://github.com/guzzle/psr7) from 2.9.0 to 2.11.0.
- [Release notes](https://github.com/guzzle/psr7/releases)
- [Changelog](https://github.com/guzzle/psr7/blob/2.11/CHANGELOG.md)
- [Commits](guzzle/psr7@2.9.0...2.11.0)

---
updated-dependencies:
- dependency-name: guzzlehttp/psr7
  dependency-version: 2.11.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
When a request or complaint deadline has passed, the datatable column
now shows the actual date in red with the alert icon, plus a secondary
"Vencido" label — instead of only showing "Vencido" with no date.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…sr7-2.11.0

chore(deps): bump guzzlehttp/psr7 from 2.9.0 to 2.11.0
…ime-7.4.12

chore(deps): bump symfony/runtime from 7.4.1 to 7.4.12
Bumps [symfony/ux-live-component](https://github.com/symfony/ux-live-component) from 2.32.0 to 2.36.0.
- [Release notes](https://github.com/symfony/ux-live-component/releases)
- [Changelog](https://github.com/symfony/ux-live-component/blob/3.x/CHANGELOG.md)
- [Commits](symfony/ux-live-component@v2.32.0...v2.36.0)

---
updated-dependencies:
- dependency-name: symfony/ux-live-component
  dependency-version: 2.36.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file php Pull requests that update php code labels Jun 21, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file php Pull requests that update php code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant