Bump symfony/http-foundation from 7.2.3 to 7.4.13

[dependabot]

Bumps symfony/http-foundation from 7.2.3 to 7.4.13.

Release notes

Sourced from symfony/http-foundation's releases.

v7.4.13

Changelog (symfony/http-foundation@v7.4.7...v7.4.13)

• security #cve-2026-48736 Block IPv6 transition forms in IpUtils::PRIVATE_SUBNETS (@​nicolas-grekas)

v7.4.8

Changelog (symfony/http-foundation@v7.4.7...v7.4.8)

• no significant changes

v7.4.7

Changelog (symfony/http-foundation@v7.4.6...v7.4.7)

• bug #63603 Fix session cookie_lifetime not applied in mock session storage (@​nicolas-grekas)

v7.4.6

Changelog (symfony/http-foundation@v7.4.5...v7.4.6)

• bug #63448 Handle empty session data in updateTimestamp() to fix compat with PHP 8.6 (@​nicolas-grekas)
• bug #63319 BinaryFileResponse: always return 206 if Range is valid (@​Jimbolino)
• bug #63262 Reject invalid paths (@​nicolas-grekas)
• bug #54304 When calling UploadedFile::getErrorMessage() to a file which has no error and is uploaded successfully, it should not return an error (@​ArmCyber)
• bug #63230 fix engine declaration on mysql pdo table creations (@​tandev)

v7.4.5

Changelog (symfony/http-foundation@v7.4.4...v7.4.5)

• bug #63137 Fix PdoSessionHandler charset-collation mismatch with the Doctrine DBAL (@​samy-mahmoudi)

v7.4.4

Changelog (symfony/http-foundation@v7.4.3...v7.4.4)

• bug #63012 Fix double-prefixing of session keys when using redis/memcached (@​nicolas-grekas)

v7.4.3

Changelog (symfony/http-foundation@v7.4.2...v7.4.3)

• bug symfony/symfony#62799 [Cache][HttpFoundation] Fix VARBINARY columns on sqlsrv (@​nicolas-grekas)

v7.4.1

Changelog (symfony/http-foundation@v7.4.0...v7.4.1)

• bug symfony/symfony#62663 [HttpFoundation] Improve logic in Request::createFromGlobals() (@​nicolas-grekas)

v7.4.0

Changelog (symfony/http-foundation@v7.4.0-RC3...v7.4.0)

• no significant changes

v7.4.0-RC1

... (truncated)

Changelog

Sourced from symfony/http-foundation's changelog.

CHANGELOG

8.1

• Add BinaryFileResponse::shouldDeleteFileAfterSend()
• Deprecate setting public properties of Request and Response objects directly; use setters or constructor arguments instead
• Add SessionHasFlashMessage test constraint
• Response::__construct() now accepts a ResponseHeaderBag as its third argument
• ParameterBag::getInt() and ParameterBag::getBoolean() now throw UnexpectedValueException instead of silently returning 0/false when the value cannot be converted

8.0

• Drop HTTP method override support for methods GET, HEAD, CONNECT and TRACE
• Add argument $subtypeFallback to Request::getFormat()
• Remove the following deprecated session options from NativeSessionStorage: referer_check, use_only_cookies, use_trans_sid, sid_length, sid_bits_per_character, trans_sid_hosts, trans_sid_tags
• Trigger PHP warning when using Request::sendHeaders() after headers have already been sent; use a StreamedResponse instead
• Add arguments $v4Bytes and $v6Bytes to IpUtils::anonymize()
• Add argument $partitioned to ResponseHeaderBag::clearCookie()
• Add argument $expiration to UriSigner::sign()
• Remove Request::get(), use properties ->attributes, query or request directly instead
• Remove accepting null $format argument to Request::setFormat()

7.4

• Add #[WithHttpStatus] to define status codes: 404 for SignedUriException and 403 for ExpiredSignedUriException
• Add support for the QUERY HTTP method
• Add support for structured MIME suffix
• Add Request::set/getAllowedHttpMethodOverride() to list which HTTP methods can be overridden
• Deprecate using Request::sendHeaders() after headers have already been sent; use a StreamedResponse instead
• Deprecate method Request::get(), use properties ->attributes, query or request directly instead
• Make Request::createFromGlobals() parse the body of PUT, DELETE, PATCH and QUERY requests
• Deprecate HTTP method override for methods GET, HEAD, CONNECT and TRACE; it will be ignored in Symfony 8.0
• Deprecate accepting null $format argument to Request::setFormat()

7.3

• Add support for iterable of string in StreamedResponse
• Add EventStreamResponse and ServerEvent classes to streamline server event streaming
• Add support for valkey: / valkeys: schemes for sessions
• Request::getPreferredLanguage() now favors a more preferred language above exactly matching a locale
• Allow UriSigner to use a ClockInterface
• Add UriSigner::verify()

7.2

... (truncated)

Commits

• bc354f4 Merge branch '6.4' into 7.4
• 48d76c2 security #cve-2026-48736 [HttpFoundation] Block IPv6 transition forms in IpUt...
• fda5ebe Merge branch '6.4' into 7.4
• 5979ae8 Ignore Doctrine DBAL deprecations that can't be worked around
• 10d5daa [HttpFoundation] Fix tests for PHP 8.6: session.cookie_samesite=Lax
• 3ebc78a [HttpFoundation] Block IPv6 transition forms in IpUtils::PRIVATE_SUBNETS
• 051a962 Merge branch '6.4' into 7.4
• 5402ad1 Remove wrong documentation
• c38f205 [7.4] Remove usages of named arguments in tests
• a762b60 Update XSD references in phpunit.xml.dist files
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.