Tags: api-platform/json-api
chore: bump inter-package constraints to ^5.0@alpha

Completes 22ece5199 (open 5.0 dev line): root is 5.0.x-dev but the self-referential api-platform/* constraints were left at ^4.4@alpha, which is unresolvable in the component split-tests (published 4.4 alphas require metadata ^4.4, conflicting with the 5.0 root).
chore: require ^4.4@alpha for inter-package dependencies

#7115 added cross-package calls new in 4.4 — getStateOptionsRepositoryMethod() in api-platform/state and the repositoryMethod constructor argument in api-platform/doctrine-common — that 4.4 provider code invokes. The old ^4.2/^4.3 sibling floors let `composer update --prefer-lowest` pull releases lacking these symbols, so the per-component lowest CI jobs failed with "undefined method" / "unknown named parameter".

Floor all api-platform/* inter-package constraints at ^4.4. The @alpha stability flag is required because the subpackages set minimum-stability:beta, under which a plain ^4.4 would not match the 4.4.0-alpha prereleases. Revert to plain ^4.4 once 4.4.0 stable ships.
fix(serializer): validate IRI target class on relation denormalization

AbstractItemNormalizer's relation IRI denormalization loaded the resource without checking it matched the declared relation class, since it never passed an operation to IriConverter::getResourceFromIri. A writable relation declared as `Foo` with no PHP type hint (legacy `@var`-only style) silently accepted a `/bars/1` IRI and Symfony's PropertyAccessor could not block it — CWE-843 type confusion.

Add an is_a guard at both inline call sites so a mismatched IRI throws InvalidArgumentException, mirroring the IriConverter operation check.

GHSA-9rjg-x2p2-h68h