Bump symfony/security-http from 6.4.41 to 7.4.13 in the composer group across 1 directory

[dependabot]

Bumps the composer group with 1 update in the / directory: symfony/security-http.

Updates symfony/security-http from 6.4.41 to 7.4.13

Release notes

Sourced from symfony/security-http's releases.

v7.4.13

Changelog (symfony/security-http@v7.4.12...v7.4.13)

• security #cve-2026-48489 Don't honor user-supplied _failure_path on failure_forward (@​nicolas-grekas)
• bug #64337 Initialize lazy users before serializing them (@​MatTheCat)

v7.4.12

Changelog (symfony/security-http@v7.4.11...v7.4.12)

• security #cve-2026-45069 Add missing claims in OidcTokenHandler (@​alexandre-daubois)
• security #cve-2026-45063 Anchor emailAddress regex to RDN boundary in X509Authenticator (@​alexandre-daubois)
• security #cve-2026-45074 Require configuring trusted hosts when using CAS authentication (@​nicolas-grekas)
• security #cve-2026-45075 Fix HEAD requests bypassing methods filter in IsGranted, IsCsrfTokenValid and IsSignatureValid attributes (@​nicolas-grekas)
• bug #64213 Fix impersonation being deauthenticated on every request (@​nicolas-grekas)

v7.4.11

Changelog (symfony/security-http@v7.4.9...v7.4.11)

• bug #64181 Preserve webserver base URL in HttpUtils::createRequest() (@​ousamabenyounes)

v7.4.9

Changelog (symfony/security-http@v7.4.3...v7.4.9)

• bug #63983 Throw BadCredentialsException on empty JSON login username/password (@​ousamabenyounes)

v7.4.8

Changelog (symfony/security-http@v7.4.7...v7.4.8)

• no significant changes

v7.4.6

Changelog (symfony/security-http@v7.4.5...v7.4.6)

• no significant changes

v7.4.4

Changelog (symfony/security-http@v7.4.3...v7.4.4)

• no significant changes

v7.4.3

Changelog (symfony/security-http@v7.4.2...v7.4.3)

• bug symfony/symfony#62796 [Security] do not use PHPUnit mock objects without configured expectations (@​xabbuh)

v7.4.1

Changelog (symfony/security-http@v7.4.0...v7.4.1)

• bug symfony/symfony#62495 [Security][Http] Fix OIDC discovery when multiple HttpClient instances are used (@​Ali-HENDA)

... (truncated)

Changelog

Sourced from symfony/security-http's changelog.

CHANGELOG

8.1

• Add support for the clientHints, prefetchCache, and prerenderCache ClearSite-Data directives
• Add this to #[IsGranted] subject expression variables when available
• Add support for closures and this in #[IsCsrfTokenValid] when evaluating its id
• Add $enforceKeyUsageVerification argument to OidcTokenHandler::enableDiscovery() to allow accepting JWKs lacking use/key_ops (lax mode)
• Deprecate the $eraseCredentials argument of AuthenticatorManager::__construct(), as the eraseCredentials() method was removed in Symfony 8.0

8.0

• When extending the RememberMeDetails class and overriding its constructor, the $userFqcn parameter has to be removed from its signature:

  Before:

  class CustomRememberMeDetails extends RememberMeDetails
  {
      public function __construct(string $userFqcn, string $userIdentifier, int $expires, string $value)
      {
          parent::__construct($userFqcn, $userIdentifier, $expires, $value);
      }
  }

  After:

  class CustomRememberMeDetails extends RememberMeDetails
  {
      public function __construct(string $userIdentifier, int $expires, string $value)
      {
          parent::__construct($userIdentifier, $expires, $value);
      }
  }

• Remove RememberMeDetails::getUserFqcn()

• Remove callable firewall listeners support, extend AbstractListener or implement FirewallListenerInterface instead

• Remove AbstractListener::__invoke

• Throw a BadCredentialsException when passing an empty string as $userIdentifier argument to UserBadge constructor

• Accept only ExposeSecurityLevel enums for AuthenticatorManager's $exposeSecurityErrors argument

• Respectively accept only AlgorithmManager and JWKSet for OidcTokenHandler's $signatureAlgorithm and $signatureKeyset arguments

• Add argument $attributes to UserAuthenticatorInterface::authenticateUser()

7.4

... (truncated)

Commits

• da3c280 Merge branch '6.4' into 7.4
• 7ea7162 Merge branch '6.4' into 7.4
• 5312b62 Merge branch '6.4' into 7.4
• 8602860 Fix tests and merge resolution after merging 6.4 into 7.4
• 1081160 Merge branch '6.4' into 7.4
• 4523a53 Remove protectedHeaderOnly from claim checkers
• 1fc7ca6 Merge branch '6.4' into 7.4
• 626a6f3 security #cve-2026-45074 [Security] Require configuring trusted hosts when us...
• 2322d5a security #cve-2026-45075 [Security][HttpKernel] Fix HEAD requests bypassing m...
• e89d245 [Security] Fix impersonation being deauthenticated on every request
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.