Skip to content

fix: clone Parameters before mutation in security and validator providers#8378

Open
ostrolucky wants to merge 1 commit into
api-platform:4.3from
ostrolucky:4.3
Open

fix: clone Parameters before mutation in security and validator providers#8378
ostrolucky wants to merge 1 commit into
api-platform:4.3from
ostrolucky:4.3

Conversation

@ostrolucky

@ostrolucky ostrolucky commented Jul 1, 2026

Copy link
Copy Markdown
Contributor
Q A
Branch? 4.3
Tickets
License MIT
Doc PR

Calling $parameters->add() on the Parameters object was mutating shared state. In long-running processes this caused uri-variable Links added at request time to leak into subsequent metadata reads, producing a phantom in:query parameter in the OpenAPI output in my case, resulting most obviously in flaky tests in my case

…ders

SecurityParameterProvider and ParameterValidatorProvider both called
$parameters->add() on the Parameters object returned directly from the
cached operation, mutating shared state. In long-running processes
(Behat/FrankenPHP/RoadRunner) this caused uri-variable Links added at request
time to leak into subsequent metadata reads, producing a phantom
in:query parameter in the OpenAPI output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

1 participant