Tags: api-platform/json-api

v5.0.0-alpha.1

chore: bump inter-package constraints to ^5.0@alpha

Completes 22ece5199 (open 5.0 dev line): root is 5.0.x-dev but the
self-referential api-platform/* constraints were left at ^4.4@alpha,
which is unresolvable in the component split-tests (published 4.4
alphas require metadata ^4.4, conflicting with the 5.0 root).

v4.4.0-alpha.2

chore: require ^4.4@alpha for inter-package dependencies

#7115 added cross-package calls new in 4.4 — getStateOptionsRepositoryMethod()
in api-platform/state and the repositoryMethod constructor argument in
api-platform/doctrine-common — that 4.4 provider code invokes. The old
^4.2/^4.3 sibling floors let `composer update --prefer-lowest` pull releases
lacking these symbols, so the per-component lowest CI jobs failed with
"undefined method" / "unknown named parameter".

Floor all api-platform/* inter-package constraints at ^4.4. The @alpha
stability flag is required because the subpackages set minimum-stability:beta,
under which a plain ^4.4 would not match the 4.4.0-alpha prereleases. Revert
to plain ^4.4 once 4.4.0 stable ships.

v4.4.0-alpha.1

Merge 4.3

v4.3.15

refactor(jsonapi): single source of truth for the attribute/relationship split (#8325)

v4.3.14

refactor(jsonapi): single source of truth for the attribute/relationship split (#8325)

v4.3.13

Merge 4.2 into 4.3

v4.3.12

Merge 4.2 into 4.3

v4.2.26

Merge 4.1 into 4.2

v4.1.30

fix(serializer): validate IRI target class on relation denormalization

AbstractItemNormalizer's relation IRI denormalization loaded the
resource without checking it matched the declared relation class,
since it never passed an operation to IriConverter::getResourceFromIri.
A writable relation declared as `Foo` with no PHP type hint (legacy
`@var`-only style) silently accepted a `/bars/1` IRI and Symfony's
PropertyAccessor could not block it — CWE-843 type confusion.

Add an is_a guard at both inline call sites so a mismatched IRI throws
InvalidArgumentException, mirroring the IriConverter operation check.

GHSA-9rjg-x2p2-h68h

v4.3.11

fix(jsonapi): allow opt-in client-generated IDs on POST per spec (#7930)

Co-authored-by: soyuka <soyuka@users.noreply.github.com>