Native lazy objects

Symfony’s proxy system, used for lazy service initialization and Doctrine’s entity proxies, has historically relied on code generation. The proxy classes were generated at cache warmup, stored as files, and loaded when needed. It worked, but it added real complexity: generated files to manage, cache to invalidate, code that looked nothing like the class it proxied.

PHP 8.4 added native lazy objects. Symfony 8.0 uses them. The LazyGhostTrait and LazyProxyTrait that powered the old system are removed. Proxy creation is now a runtime operation backed by the engine itself, not a code generation step.

For application developers the change is mostly invisible: lazy services still work. For framework and library authors, a significant surface of complexity just disappears.

FormFlow

Multi-step forms have always been a DIY exercise in Symfony. Session management, step tracking, partial validation, navigation between steps: every project rolled its own solution or pulled in a third-party bundle.

8.0 introduces FormFlow: a built-in mechanism for multi-step form wizards. Steps are defined as a sequence of form types, partial validation is scoped to the current step, and session management is handled automatically.

#[AsFormFlow]
class CheckoutFlow extends AbstractFormFlow
{
    protected function defineSteps(): Steps
    {
        return Steps::create()
            ->add('shipping', ShippingType::class)
            ->add('payment', PaymentType::class)
            ->add('review', ReviewType::class);
    }
}

XML and fluent PHP config removed

The 7.4 deprecation of the fluent PHP configuration format becomes a hard removal in 8.0. XML configuration also exits as a first-class format. The supported formats for application configuration are now YAML and PHP arrays. The footprint shrinks, but what remains is genuinely better.

What else is gone

• PHP 8.2 and 8.3 support (8.4 minimum)
• The ContainerAwareInterface and ContainerAwareTrait
• Symfony’s internal use of LazyGhostTrait and LazyProxyTrait
• HTTP method override for GET and HEAD (only POST makes sense semantically)

Symfony 8.0 is a clean break, and that kind of break only becomes possible when the PHP floor rises. PHP 8.4’s lazy objects are the clearest example: the feature now exists in the language, so the framework can just stop implementing it.

Console becomes more ergonomic for invokable commands

Invokable commands get a significant upgrade. The #[Input] attribute turns a DTO into the command’s argument/option bag. No more calling $input->getArgument() inside the handler:

#[AsCommand(name: 'app:send-report')]
class SendReportCommand
{
    public function __invoke(
        #[Input] SendReportInput $input,
    ): int {
        // $input->email, $input->dryRun, etc.
        return Command::SUCCESS;
    }
}

BackedEnum is supported in invokable commands, so an option declared as a Status enum gets validated and cast automatically. Interactive commands get #[Interact] and #[Ask] attributes to declare question prompts inline. CommandTester works with invokable commands without any extra wiring.

Routing finds its own controllers

Routes defined via #[Route] on controller classes are auto-registered without needing an explicit resource: entry in config/routes.yaml. The tag routing.controller is applied automatically. You still control which directories are scanned, but your YAML config shrinks to a pointer at a directory rather than a manual file list.

#[Route] also gains a _query parameter for setting query parameters at generation time, and multiple environments in the env option.

Security: CSRF and OIDC get better tooling

#[IsCsrfTokenValid] gets a $tokenSource argument so you can specify where the token comes from (header, cookie, form field) rather than relying on a fixed convention. SameOriginCsrfTokenManager adds Sec-Fetch-Site header validation, a browser-native CSRF protection mechanism that doesn’t need token injection at all.

The security:oidc-token:generate command creates tokens for testing OIDC-protected endpoints locally. Multiple OIDC discovery endpoints are supported now, useful in multi-tenant setups where each tenant has its own identity provider.

Two new Twig functions: access_decision() and access_decision_for_user() expose the authorization voter result in templates without going through the security facade. #[IsGranted] can be subclassed for repeated authorization patterns that deserve their own named attribute.

ObjectMapper and JsonStreamer leave experimental

Both components introduced in 7.x graduate to stable in 8.0. ObjectMapper maps between objects without hand-written transformers, using attribute-based configuration. JsonStreamer reads and writes large JSON without loading the full document into memory, and it now supports synthetic properties: virtual fields computed at serialization time.

JsonStreamer also drops its dependency on nikic/php-parser. The code generation for the reader/writer now uses a simpler internal mechanism, cutting a heavy dev dependency.

Uid defaults to UUIDv7

UuidFactory now generates UUIDv7 by default instead of UUIDv4. The difference: v7 is time-ordered, so generated UUIDs sort chronologically. That matters a lot for database index performance. MockUuidFactory provides deterministic UUID generation in tests.

Yaml raises an error on duplicate keys

Previously, a YAML file with two identical keys silently kept the last one. 8.0 raises a parse error. This catches real bugs: duplicate keys in services.yaml or config/packages/*.yaml are almost always copy-paste mistakes and you definitely want to know about them.

Validator: Video constraint and wildcard protocols

A Video constraint joins the Image constraint for validating uploaded video files (MIME type, duration, codec). The Url constraint accepts protocols: ['*'] to allow any RFC 3986-compliant scheme, useful when storing arbitrary URLs that include git+ssh://, file://, or custom app schemes.

Messenger: SQS native retry and new events

SQS transport can now use its own native retry and dead-letter queue configuration instead of Symfony’s retry middleware. For high-volume queues on AWS, this removes a round-trip through PHP for transient failures. A MessageSentToTransportsEvent fires after a message is dispatched, carrying information about which transports actually received it.

messenger:consume gets --exclude-receivers to pair with --all.

Mailer: Microsoft Graph transport

A new transport sends mail via the Microsoft Graph API, which is what Microsoft recommends for applications on Azure Active Directory these days. The other options (SMTP relay, Exchange EWS) still work, but Graph is the right choice for new Azure deployments.

Workflow: weighted transitions

Transitions can now declare weights. When multiple transitions are enabled from the same place, the highest-weight one wins. This lets you express priority directly in the workflow definition without adding a guard that reads an external counter.

return (new Definition(states: ['draft', 'review', 'published']))
    ->addTransition(new Transition('publish', 'review', 'published', weight: 10))
    ->addTransition(new Transition('reject', 'review', 'draft', weight: 1));

Lock: LockKeyNormalizer

LockKeyNormalizer normalizes a lock key to a consistent string before hashing. Useful when the key is derived from user input or external data that may vary in whitespace or casing: the normalizer makes sure the same logical key always maps to the same lock.

HttpFoundation: QUERY method and cleaner body parsing

The IETF QUERY method (a safe, idempotent method with a body, unlike GET) is now supported throughout the stack: Request, HTTP cache, WebProfiler, and HttpClient. If you build search APIs that need a structured request body and also want caching, QUERY is the right semantic choice.

Request::createFromGlobals() now parses the body of PUT, DELETE, PATCH, and QUERY requests automatically.

Config: JSON schema for YAML validation

Symfony 8.0 auto-generates a JSON Schema file for each configuration section. IDEs that support JSON Schema for YAML files (VS Code, PhpStorm) can now validate config/packages/*.yaml against these schemas and provide autocompletion without any plugin. The schema is generated during cache warmup and placed at config/reference.php.

Runtime: FrankenPHP auto-detection

The Runtime component detects FrankenPHP automatically and activates worker mode without any extra package or environment variable. If $_SERVER['APP_RUNTIME'] is set, that runtime class takes precedence. You can also pick the error renderer based on APP_RUNTIME_MODE, which is useful when running the same codebase in HTTP and CLI contexts with different error presentation needs.

Message signing in Messenger

Transport security in Messenger has always been the application’s problem to solve. 7.4 adds message signing: a stamp-based mechanism that signs dispatched messages and validates signatures on reception.

The target use case is multi-tenant or external transport scenarios where you need cryptographic proof that a message wasn’t tampered with or injected from outside. Configuration lives at the transport level:

framework:
    messenger:
        transports:
            async:
                dsn: '%env(MESSENGER_TRANSPORT_DSN)%'
                options:
                    signing_key: '%env(MESSENGER_SIGNING_KEY)%'

PHP array configuration

Symfony’s configuration formats have always been YAML (default), XML, and PHP. The PHP format existed but it was awkward: a fluent builder DSL that required method chaining and gave your IDE nothing useful to work with.

7.4 swaps the fluent format for standard PHP arrays. IDEs can now actually analyze it, config/reference.php is auto-generated as a type-annotated reference, and the result reads like data rather than code:

return static function (FrameworkConfig $framework): void {
    $framework->router()->strictRequirements(null);
    $framework->session()->enabled(true);
};

The fluent format is deprecated. Arrays are the future, and honestly it’s a better format.

OIDC improvements

#[IsSignatureValid] validates signed URLs directly in controllers, cutting out the boilerplate of manual validation. OpenID Connect now supports multiple discovery endpoints, and a new security:oidc-token:generate command makes dev and testing a lot less painful.

The support window

7.4 LTS: bugs until November 2028, security fixes until November 2029. The path to 8.4 LTS (the next long-term target) goes through 7.4’s deprecation notices and the PHP 8.4 upgrade. Fix the deprecations now and the jump to 8.x will be much less painful.

Attributes get more precise

#[CurrentUser] now accepts union types, which matters in practice when a route can be reached by more than one user class:

public function index(#[CurrentUser] AdminUser|Customer $user): Response

#[Route] accepts an array for the env option, so a debug route active only in dev and test no longer needs two separate definitions. #[AsDecorator] is now repeatable, meaning one class can decorate multiple services at once. #[AsEventListener] method signatures accept union event types. #[IsGranted] gets a methods option to scope an authorization check to specific HTTP verbs without duplicating the route.

Request class stops doing too much

Request::get() is deprecated, and honestly good riddance. The method searched route attributes, then query parameters, then request body, in that order, silently returning whatever it found first. That ambiguity caused real bugs. It’s gone in 8.0; in 7.4 it still works but triggers a deprecation. The replacements are explicit: $request->attributes->get(), $request->query->get(), $request->request->get().

Body parsing for PUT, PATCH, DELETE, and QUERY requests arrives at the same time. Previously Symfony only parsed application/x-www-form-urlencoded and multipart/form-data for POST. Those same content types now get parsed for the other writable methods too, which kills a common REST API workaround.

HTTP method override for GET, HEAD, CONNECT, and TRACE is deprecated. Overriding a safe method with a header was always semantically broken anyway. You can now explicitly allow only the methods that make sense for your app:

Request::setAllowedHttpMethodOverride(['PUT', 'PATCH', 'DELETE']);

Workflows accept BackedEnums

Workflow places and transitions can now be defined with PHP backed enums, both in YAML (via the !php/enum tag) and in PHP config. The marking store works with enum values directly, so your domain model and your workflow definition finally use the same types:

framework:
    workflows:
        blog_publishing:
            initial_marking: !php/enum App\Status\PostStatus::Draft
            places: !php/enum App\Status\PostStatus
            transitions:
                publish:
                    from: !php/enum App\Status\PostStatus::Review
                    to: !php/enum App\Status\PostStatus::Published

Extending validation and serialization for third-party classes

Ever needed to add validation or serialization metadata to a class from a bundle you don’t own? 7.4 has #[ExtendsValidationFor] and #[ExtendsSerializationFor] for that. You write a companion class with your extra annotations, point the attribute at the target class, and Symfony merges the metadata at container compilation time:

#[ExtendsValidationFor(UserRegistration::class)]
abstract class UserRegistrationValidation
{
    #[Assert\NotBlank(groups: ['my_app'])]
    #[Assert\Length(min: 3, groups: ['my_app'])]
    public string $name = '';

    #[Assert\Email(groups: ['my_app'])]
    public string $email = '';
}

Symfony verifies at compile time that the declared properties actually exist on the target class. A rename won’t silently break your validation.

DX: the things that don’t headline but matter

The Question helper in Console accepts a timeout. Ask the user to confirm something, and if they don’t respond in N seconds, the default answer kicks in. Very handy in deployment scripts that can’t afford to wait forever for a human.

messenger:consume gets --exclude-receivers. Combined with --all, it lets you consume from every transport except specific ones:

bin/console messenger:consume --all --exclude-receivers=low_priority

FrankenPHP worker mode is now auto-detected. If the process is running inside FrankenPHP, Symfony switches to worker mode automatically. No extra package needed.

The debug:router command hides the Scheme and Host columns when all routes use ANY, which removes a lot of noise from the default output. HTTP methods are now color-coded too.

Functional tests get $client->getSession() before the first request. Previously you had to make at least one request to access the session, which was annoying. Now you can pre-seed CSRF tokens or A/B testing flags up front:

$session = $client->getSession();
$session->set('_csrf/checkout', 'test-token');
$session->save();

Lock: DynamoDB store

DynamoDbStore lands as a new Lock backend. Useful in AWS-native deployments where Redis isn’t in the stack, and it works exactly like any other store:

$store = new DynamoDbStore('dynamodb://default/locks');
$factory = new LockFactory($store);

Doctrine bridge: day and time point types

Two new Doctrine column types: day_point stores a date-only value (no time component) and time_point stores a time-only value, both mapping to DatePoint. Good when your domain genuinely separates date from time:

#[ORM\Column(type: 'day_point')]
public DatePoint $birthDate;

#[ORM\Column(type: 'time_point')]
public DatePoint $openingTime;

Routing: explicit query parameters

The _query key in URL generation lets you set query parameters explicitly, separate from route parameters. This matters when a route parameter and a query parameter share the same name:

$url = $urlGenerator->generate('report', [
    'site' => 'fr',
    '_query' => ['site' => 'us'],
]);
// /report/fr?site=us

WebLink: parsing incoming Link headers

HttpHeaderParser parses Link response headers into structured objects. Before this, parsing Link headers from API responses meant either pulling in a third-party library or writing regex. The use case is HTTP APIs that advertise related resources or pagination via Link headers, like GitHub’s API does.

HTML5 parsing gets faster on PHP 8.4

DomCrawler and HtmlSanitizer switch to PHP 8.4’s native HTML5 parser when available. No code changes needed on your end. The native parser is faster and more spec-compliant than the previous fallback. On PHP 8.2 or 8.3 nothing changes.

Translation: StaticMessage

StaticMessage implements TranslatableInterface but intentionally doesn’t translate. It passes the string through unchanged regardless of locale. The use case is API responses that must stay in a fixed language regardless of the user’s locale, or audit log entries where you need to preserve the original text as-is.

The most visible removal: Doctrine annotations. @Route, @ORM\Column, @Assert - gone. Native PHP attributes have been the recommended approach since Symfony 5.2. 7.0 just makes it official.

Attributes everywhere

The migration from annotations to attributes is mostly mechanical: syntax changes from @ to #[], and the class references move from Doctrine annotation classes to PHP attribute classes:

// before
/** @Route('/users', methods={"GET"}) */

// after
#[Route('/users', methods: ['GET'])]

The real win isn’t just the syntax: attributes are validated by the PHP engine, not a docblock parser. IDEs can resolve them without custom plugins. Static analysis tools understand them natively. No more “it fails silently at runtime because of a typo in a comment.”

Workflow with PHP attributes

Workflow event listeners and guards can now be registered via attributes:

#[AsGuard(workflow: 'order', transition: 'ship')]
public function canShip(Event $event): void
{
    if (!$event->getSubject()->isPaymentConfirmed()) {
        $event->setBlocked(true);
    }
}

The workflow profiler, a dedicated panel showing the current marking and available transitions, is a genuinely useful debugging tool if you’re working with complex state machines.

:clock1: DatePoint in the Clock component

DatePoint, the immutable DateTime with strict error handling introduced in 6.4, is now the recommended way to work with dates. Combine it with PHP 8.2’s readonly properties and date value objects in domain code become almost trivially clean:

readonly class Order {
    public function __construct(
        public DatePoint $createdAt,
        public ?DatePoint $shippedAt = null,
    ) {}
}

What 7.0 removes

The full removal list: Doctrine annotations support, the Templating component bridge, ProxyManager bridge, the Monolog bridge for versions below 3.0, and the Sendinblue transport (replaced by Brevo). PHP 8.0 and 8.1 support also ends. 8.2 is the floor now.

Upgrade from 6.4 with all deprecation notices fixed, and 7.0 is smooth. Skip that step and you’re in for a bad time.

Scheduler and AssetMapper graduate

Two components that shipped as experimental in 6.3 are now stable: Scheduler and AssetMapper. Stable means locked APIs, no more @experimental caveats, and they show up properly in the upgrade guide. You can actually rely on them now.

Scheduler gets #[AsCronTask] and #[AsPeriodicTask] for attribute-based task registration, runtime schedule modification with heap recalculation, FailureEvent, and a --date option on schedule:debug. AssetMapper adds CSS file support in importmap, an outdated command, an audit command, and automatic preloading via WebLink.

#[AsCronTask('0 2 * * *')]
class NightlyReportMessage {}

#[AsPeriodicTask(frequency: '1 hour')]
class HourlyCleanupMessage {}

Service wiring gets two new attributes

#[AutowireLocator] and #[AutowireIterator] landed in 6.4 and graduate to stable in 7.0. They replace the verbose XML/YAML tagged service locator config with something you can just put directly in PHP:

class HandlerRegistry
{
    public function __construct(
        #[AutowireLocator('app.handler', indexAttribute: 'key')]
        private ContainerInterface $handlers,
    ) {}
}

#[Target] also gets smarter: when a service has a named autowiring alias like invoice.lock.factory, you can now write #[Target('invoice')] instead of the full alias name. Less noise when the type already tells you what you want.

Messenger gets more precise failure handling

RejectRedeliveredMessageException tells the worker to not retry a message, which is handy when a message arrives twice because of a transport ack timeout and you need exactly-once semantics. messenger:failed:remove --all clears the entire failure transport in one shot, no loop required. Failed retries can also go directly to the failure transport, bypassing the retry queue entirely.

Multiple Redis Sentinel hosts are now supported in the DSN:

redis-sentinel://host1:26379,host2:26379,host3:26379/mymaster

Console gets signal names and command profiling

SignalMap maps signal integers to their POSIX names. When a worker catches SIGTERM, the log now says SIGTERM instead of 15. Small thing, real improvement. ConsoleTerminateEvent is dispatched even when the process exits via signal, which wasn’t the case before 7.0.

Command profiling lands too: pass --profile to bin/console and the collected data goes straight into the Symfony profiler, browsable from the web UI.

Form: small things that add up

ChoiceType gets a duplicate_preferred_choices option. Set it to false and you stop showing the same option twice when preferred choices overlap with the full list. FormEvent::setData() is deprecated for events where the data is already locked at that point in the lifecycle. The self-closing slash on <input> elements is also gone: <input> is a void element in HTML5 and the slash was technically invalid.

Enum support in forms is a nice one: ChoiceType renders backed enums directly, and translatable enums get their labels through the translator without any custom wiring.

HttpFoundation: small but useful

Response::send() gets a $flush parameter. Pass false to buffer the output without flushing to the client, useful when chaining middleware that needs to inspect the response before it leaves the process.

UriSigner moves from HttpKernel to HttpFoundation, where it belongs semantically. Same class name, different namespace.

Cookies get CHIPS support (Cookies Having Independent Partitioned State), the browser mechanism for cross-site cookies in a first-party partition. Only matters if you build embeddable widgets, but good to know it’s there.

Translation: Phrase provider and tree output

Phrase joins Crowdin and Lokalise as a supported translation provider. Configure it in config/packages/translation.yaml and the translation:push / translation:pull commands handle the sync.

translation:pull gets an --as-tree option that writes translation files in nested YAML rather than flat dot-notation keys. Whether that’s actually better depends entirely on your team.

LocaleSwitcher::runWithLocale() now passes the current locale as an argument to the callback, saving you a getLocale() call inside:

$switcher->runWithLocale('fr', function (string $locale) use ($mailer) {
    $mailer->send($this->buildEmail($locale));
});

A few things in Serializer and DomCrawler

The Serializer’s Context attribute can now target specific classes, so a single DTO can behave differently during (de)serialization depending on which class holds the context. TranslatableNormalizer lands for normalizing objects that implement TranslatableInterface: the translator is called during normalization, not before.

Crawler::attr() gains a $default parameter. Instead of null-checking the return value, pass a fallback:

$src = $crawler->attr('src', '/placeholder.png');

assertAnySelectorText() and assertAnySelectorTextContains() join the DomCrawler assertion set. They pass if at least one matching element satisfies the condition, rather than requiring all of them to match.

HttpClient: HAR responses for testing

MockResponse now accepts HAR (HTTP Archive) files. Record real HTTP interactions in your browser or with a proxy, drop the .har file in your test fixtures, and replay them:

$client = new MockHttpClient(HarFileResponseFactory::createFromFile(__DIR__.'/fixtures/api.har'));

Much better than writing response stubs by hand when you’re dealing with a complex API.

AssetMapper

Modern frontend tooling in Symfony meant Webpack Encore. Encore works: it handles transpilation, bundling, versioning, hot reload. It also requires Node.js, a separate build step, and a non-trivial amount of configuration for what is often a pretty modest frontend.

AssetMapper takes a different position. Modern browsers support ES modules natively. Instead of bundling, ship the files as-is, let the browser resolve imports through an importmap, and manage vendor dependencies through downloaded files rather than npm packages.

composer require symfony/asset-mapper
php bin/console importmap:require lodash

No Node.js. No npm. No build step. JavaScript and CSS files are versioned and served directly, with a digest in the URL for cache busting. For apps where the frontend is not the primary engineering concern, this removes an entire toolchain from the equation.

6.4 adds CSS files to the importmap, automatic CSS preloading via WebLink, and commands to audit and update vendor dependencies. The package.json experience, minus npm.

Scheduler

The Scheduler component (periodic and cron-style task scheduling without an external job runner) exits experimental and becomes stable. The API uses attributes:

#[AsCronTask('0 * * * *')]
class HourlyReport implements ScheduledTaskInterface
{
    public function run(): void { ... }
}

Backed by Messenger transports, tasks run in any environment where a worker is running. For many use cases, this replaces the classic cron entry + console command pattern.

Webhook and RemoteEvent

Also graduating from experimental: the Webhook component handles incoming webhooks from external services. Instead of writing raw controllers that parse payloads and dispatch events by hand, you configure parsers for known services (Stripe, GitHub, Mailgun) and get typed events.

:clock3: DatePoint

A new DatePoint class in the Clock component: an immutable DateTime wrapper that throws exceptions on invalid modifiers instead of silently returning false. Small thing, but meaningful for code that manipulates dates and actually wants to know when something goes wrong.

The support window

6.4 LTS gets bug fixes until November 2026 and security fixes until November 2027. The path from 6.4 to 7.4 (the next LTS) runs through the 6.4 deprecation notices, as usual.

Routes without magic strings

FQCN-based route aliases are now generated automatically. If a controller method has a single route, Symfony creates an alias using its fully qualified class name:

// Previously: only 'blog_index' worked
// Now: both work identically
$this->urlGenerator->generate('blog_index');
$this->urlGenerator->generate(BlogController::class.'::index');

For invokable controllers, the alias is just the class name. The practical benefit is IDE navigation and refactoring safety: you’re referencing a class constant, not a string that can silently drift.

Two new DI attributes

#[AutowireLocator] and #[AutowireIterator] join the DI attribute family. Instead of configuring service locators and tagged iterables in YAML, you just declare them on constructor parameters:

public function __construct(
    #[AutowireLocator([FooHandler::class, BarHandler::class])]
    private ContainerInterface $handlers,
) {}

Aliases, optional services (prefixed with ?), and parameter injection via SubscribedService are all supported. The locator lazy-loads, so only the handlers you actually call get instantiated.

Messenger gets built-in handlers

Three new message classes cover common tasks that previously required custom handlers.

RunProcessMessage dispatches a Process command through the bus. RunCommandMessage does the same for console commands. Both return a context object with the exit code and output. PingWebhookMessage pings a URL, which is useful for monitoring scheduled tasks without spinning up a dedicated health-check service:

$this->bus->dispatch(new RunCommandMessage('cache:clear'));
$this->bus->dispatch(new PingWebhookMessage('GET', 'https://healthchecks.io/ping/abc123'));

The subprocess inheritance problem also got addressed with PhpSubprocess. When you run PHP with a custom memory limit (-d memory_limit=-1), child processes launched with Process don’t inherit it. PhpSubprocess does:

$sub = new PhpSubprocess(['bin/console', 'app:heavy-import']);

Security: three fixes for real situations

The profiler now shows how security badges were resolved during authentication: which ones passed, which failed, and why. Before, you had to add debug output manually when a custom authenticator wasn’t behaving.

Login throttling via RateLimiter now hashes PII in logs automatically. IP addresses and usernames get hashed with the kernel secret before they’re written. No config needed, no regex on log lines.

Firewall patterns now accept arrays:

firewalls:
    no_security:
        pattern:
            - "^/register$"
            - "^/api/webhooks/"

No more regex gymnastics for multi-path exclusions.

Logout without a dummy controller

The logout route used to require a controller that did nothing but throw an exception, with a comment explaining that yes, this is intentional. 6.4 eliminates that:

# config/routes/security.yaml
_security_logout:
    resource: security.route_loader.logout
    type: service

The route loader handles it. The dummy controller is gone. Flex updates the recipe.

The serializer in better shape

Three serializer improvements that each solve a real problem.

Class-level #[Groups] attribute: apply a group to the entire class, then override per property. Useful when a resource has a default serialization group and a few fields that need finer control.

Translatable objects now have a dedicated normalizer. Translatable strings (wrapping Doctrine’s TranslatableInterface) get translated to the locale passed via NORMALIZATION_LOCALE_KEY during normalization. Before this, you had to write a custom normalizer.

In debug mode, JSON decoding errors now use seld/jsonlint for better messages. Instead of “Syntax error”, you get the line and what actually went wrong:

Parse error on line 1: {'foo': 'bar'}
           ^ Invalid string, used single quotes instead of double quotes

Profilers for the things that weren’t HTTP requests

The command profiler extends the existing profiler to console commands. Add --profile to any command and get a full profiler entry: input/output, execution time, memory, database queries, log messages. Commands that used to need --verbose plus manual timing now have the same debugging experience as HTTP requests.

The workflow profiler does the same for state machines. A new panel shows a graphical representation of your workflows and which transitions fired during the request. Zero configuration.

The DX accumulation

Several smaller additions that compound.

renderBlock() and renderBlockView() on AbstractController let you render a named Twig block and return it as a Response or string. Handy for Turbo Stream responses where you want to update a fragment without a full controller action.

The defined env var processor returns a boolean rather than the value: true if the variable exists and is non-empty, false otherwise. Useful for feature flags driven by environment variables:

parameters:
    is_feature_enabled: '%env(defined:FEATURE_FLAG_KEY)%'

HttpClient now accepts max_retries per request, overriding the global retry strategy. The Finder component’s filter() method accepts a second argument to prune entire directories early, which matters when you’re searching large trees.

The BrowserKit click() method now accepts server parameters as extra headers, useful in functional tests that need to simulate authenticated API calls while following links.

Impersonation becomes usable in templates

Two new Twig helpers: impersonation_path() and impersonation_url(). They generate the correct URLs including the switch-user query parameter, which is configurable and has no business being hardcoded in templates. Pair them with the existing impersonation_exit_path() for the full admin impersonation flow.

Locale control, everywhere it was missing

Three gaps filled. TemplatedEmail now has a locale() method for rendering emails in the recipient’s language. The locale switcher’s runWithLocale() now passes the locale as an argument to the callback, so you don’t have to capture it from the outer scope. And app.enabledLocales is available in Twig, so you can build language switchers without hardcoding locale lists.

Deploying to read-only filesystems

APP_BUILD_DIR is now an environment variable recognized by the kernel. Set it to redirect compiled artifacts (router cache, Doctrine proxies, preloaded translations) to a directory that exists, even when the default cache directory doesn’t. The MicroKernelTrait uses it automatically. The WarmableInterface gained a $buildDir parameter to support this separation: custom cache warmers that write read-only artifacts should update accordingly.

This isn’t just a version bump. It’s a commitment to build against the current language instead of the historical floor.

The security system, finally rebuilt

The Symfony security component has two systems. The old one (AnonymousToken, GuardAuthenticatorInterface, a tangle of interfaces that made you implement methods you didn’t need) had been deprecated. 6.0 removes it entirely.

The new security system (security.enable_authenticator_manager: true in 5.x) is now the only system. It’s cleaner: one interface to implement, clear separation between authentication and authorization, passport-based credential checking. The upgrade from the old guard authenticators isn’t painless, but the destination is a lot less confusing.

The Filesystem Path class

Working with filesystem paths in PHP is basically a string manipulation problem. __DIR__, concatenation, realpath(), platform-specific separators: the standard library gives you primitives but no real model.

The new Path class handles this:

use Symfony\Component\Filesystem\Path;

Path::join('/var/www', 'html', '../uploads'); // /var/www/uploads
Path::makeRelative('/var/www/html', '/var/www'); // html
Path::isAbsolute('./relative/path'); // false

Cross-platform, no side effects, no filesystem access needed. Also in 6.0: nested .gitignore pattern support in Finder.

Enums in the form system

Building on 5.4’s groundwork, 6.0 takes enum support further. BackedEnum values round-trip through forms and the serializer without custom transformers. The form component understands enum cases as choice options out of the box.

What 6.0 removes

The removal list is extensive: the old security system, the Templating component, PHP annotations support (replaced by native attributes), Doctrine Cache support, ContainerAwareTrait. Six years of accumulated @deprecated markers, finally cleaned out.

Apps that took 5.4 deprecation warnings seriously had a clean upgrade path. Apps that didn’t had work to do.

Tab completion was always the gap

The Console component got shell autocompletion, and it’s properly integrated: define a complete() method on your command, and Tab in Bash will suggest valid values for options and arguments.

class DeployCommand extends Command
{
    public function complete(CompletionInput $input, CompletionSuggestions $suggestions): void
    {
        if ($input->mustSuggestOptionValuesFor('env')) {
            $suggestions->suggestValues(['prod', 'staging', 'dev']);
        }
    }
}

All built-in Symfony commands got completion too: debug:router, cache:pool:clear, lint:yaml, and about fifteen others. Run bin/console completion bash >> ~/.bashrc and you’re done.

Messenger, now with attributes and batch processing

The #[AsMessageHandler] attribute replaces the old MessageHandlerInterface. Less boilerplate, and you can now configure transport affinity and priority directly on the attribute:

#[AsMessageHandler(fromTransport: 'async', priority: 10)]
class SendWelcomeEmailHandler
{
    public function __invoke(UserRegistered $message): void { ... }
}

The other significant addition: BatchHandlerInterface. When you’re inserting a thousand rows, handling messages one by one is wasteful. Batch handlers collect messages and process them in groups. The default batch size is 10, controlled by BatchHandlerTrait::shouldFlush(). The Acknowledger handles individual success and failure within the batch.

reset_on_message: true in the Messenger config resets container services between messages. Previously, a Monolog buffer could fill up across message handling and nobody noticed until production. This prevents that class of statefulness bug without requiring manual cleanup.

The DI container gets more expressive

Three changes that matter in practice.

Union and intersection types now autowire. PHP 8.1 added intersection types, and Symfony 6.0 wires them:

public function __construct(
    private NormalizerInterface&DenormalizerInterface $serializer
) {}

This works as long as both interfaces point to the same service through autowiring aliases.

TaggedIterator and TaggedLocator attributes gained defaultPriorityMethod and defaultIndexMethod options. You no longer need YAML to express ordering or indexing for tagged services:

public function __construct(
    #[TaggedIterator(tag: 'app.handler', defaultPriorityMethod: 'getPriority')]
    private iterable $handlers,
) {}

SubscribedService (the attribute that replaces the implicit magic of ServiceSubscriberTrait) makes lazy service access explicit and typeable:

#[SubscribedService]
private function mailer(): MailerInterface
{
    return $this->container->get(__METHOD__);
}

Validation gets three new tools

CssColor validates CSS color values in whatever formats you care about: hex, RGB, HSL, named colors, or any mix. Useful for theme config fields where you want to accept #ff0000 but not red, or vice versa.

#[Assert\CssColor(formats: Assert\CssColor::HEX_LONG)]
private string $brandColor;

Cidr validates CIDR notation for IPv4 and IPv6, with options to pin the version and constrain the netmask range. Infrastructure tools and network config forms finally have a first-class constraint.

The third addition isn’t a new constraint. It’s PHP 8.1 nested attributes making existing compound constraints usable without XML. AtLeastOneOf, Collection, All, Sequentially: all of these previously required annotation workarounds. Now they just work as attributes:

#[Assert\Collection(
    fields: [
        'email' => new Assert\Email(),
        'role'  => [new Assert\NotBlank(), new Assert\Choice(['admin', 'user'])],
    ]
)]
private array $payload;

Serializer, cleaned up

Two things. First, serialization context is now configurable globally instead of being repeated on every serialize() call:

# config/packages/serializer.yaml
serializer:
    default_context:
        enable_max_depth: true

Second, the COLLECT_DENORMALIZATION_ERRORS option changes how the serializer handles type errors on deserialization. Instead of throwing on the first problem, it collects all of them and surfaces them through PartialDenormalizationException. If you’re writing an API that deserializes request bodies, this is the difference between returning “first field that fails” and “all fields that fail” in a single response.

The string utilities nobody knew they needed

trimPrefix() and trimSuffix() on the UnicodeString / ByteString classes. Not glamorous, but stripping a known prefix with ltrim() is a subtle footgun: it strips characters, not strings. These are correct:

use function Symfony\Component\String\u;

u('file-image-001.png')->trimPrefix('file-');   // 'image-001.png'
u('report.html.twig')->trimSuffix('.twig');     // 'report.html'

Also in this release: NilUlid for zero-value ULIDs, perMonth() and perYear() on RateLimiter for when hourly limits don’t make sense, and appendToFile() in the Filesystem component gained an optional LOCK_EX parameter for concurrent writers.

Debugging the environment

debug:dotenv is a new console command that shows which .env files were loaded and where each value came from. When you have .env, .env.local, .env.test, and .env.test.local all fighting each other and something is wrong, this command tells you exactly which file won. It only shows up when the Dotenv component is in use, which is the case for any standard Symfony app.

5.4 is the LTS, and its job is to carry as much of 6.0’s feature set as possible while keeping 5.x compatibility intact. It’s also the first Symfony release that actually understands PHP 8.1 features.

Enum support

PHP 8.1 introduced native enums. Symfony 5.4 embraces them immediately:

enum Status: string {
    case Active = 'active';
    case Inactive = 'inactive';
}

The EnumType form type renders enums as select fields, no custom transformers needed. The validator understands backed enums. The serializer maps enum values to their backing type and back. Three components updated in one shot, which meant migrating codebases from pseudo-enum constants to real PHP 8.1 enums was actually pretty smooth.

Security voter cache

The CacheableVoterInterface lets voters that always abstain on a given attribute signal that to the security system, which can then skip them on subsequent checks. For apps with many voters, the gain on permission checks adds up fast. Small change, noticeable in practice.

Messenger matures further

Messenger batch processing (handling multiple messages in a single transaction instead of one by one) is now stable. Rate limiting per transport. Dead letter queues get better tooling. After years as “experimental”, Messenger in 5.4 is finally the async foundation you can bet on for serious workloads.

Console grew a tab key

Symfony 5.4 ships shell autocompletion for all commands. Press Tab and the shell suggests command names, argument values, and option values. For built-in commands this works out of the box. For custom commands, add a complete() method:

use Symfony\Component\Console\Completion\CompletionInput;
use Symfony\Component\Console\Completion\CompletionSuggestions;

public function complete(CompletionInput $input, CompletionSuggestions $suggestions): void
{
    if ($input->mustSuggestOptionValuesFor('format')) {
        $suggestions->suggestValues(['json', 'xml', 'csv']);
    }
}

No interface required, just the method and Symfony picks it up. The community also went through all built-in commands (debug:router, cache:pool:clear, secrets:remove, lint:twig, and a dozen more) to add completions before the release.

Routes can be aliases now

The routing component now supports aliasing: one route can point to another. The obvious use case is renaming a route without breaking anything that still generates URLs with the old name.

# config/routes.yaml
admin_dashboard:
    path: /admin

# legacy name kept during transition
dashboard:
    alias: admin_dashboard
    deprecated:
        package: 'acme/my-bundle'
        version: '2.3'

Generating a URL with dashboard still works, but fires a deprecation notice. Clean rename paths for bundles that need to maintain public route names while moving on.

Exceptions map to HTTP status codes in config

Before 5.4, mapping an exception class to an HTTP status code meant implementing HttpExceptionInterface or writing a listener. Now it’s just a YAML entry:

# config/packages/framework.yaml
framework:
    exceptions:
        App\Exception\PaymentRequiredException:
            status_code: 402
            log_level: warning
        App\Exception\MaintenanceException:
            status_code: 503
            log_level: info

The exception doesn’t need to implement anything. The framework reads the map, sets the status code, logs at the configured level. Handy for domain exceptions that have no business knowing about HTTP.

Two new validator constraints

5.4 adds Cidr and CssColor to the Validator component.

Cidr validates network notation — IP address plus subnet mask — with control over which IP version to accept and bounds on the mask value:

#[Assert\Cidr(version: 4, netmaskMin: 16, netmaskMax: 28)]
private string $allowedSubnet;

CssColor validates that a string is a valid CSS color. Useful for theme editors, CMS config, or any UI that lets users pick colors:

#[Assert\CssColor(
    formats: Assert\CssColor::HEX_LONG,
    message: 'The accent color must be a 6-digit hex value.',
)]
private string $accentColor;

Nested PHP attributes for validation constraints

Symfony 5.2 added validator constraints as PHP attributes, but PHP 8.0 had a hard limit on nested attributes. Complex constraints like All, Collection, or AtLeastOneOf were impossible to express in attribute syntax alone. PHP 8.1 lifted that restriction, and 5.4 makes the most of it:

use Symfony\Component\Validator\Constraints as Assert;

class CartItem
{
    #[Assert\All([
        new Assert\NotNull(),
        new Assert\Range(min: 1),
    ])]
    private array $quantities;

    #[Assert\AtLeastOneOf(
        constraints: [new Assert\Email(), new Assert\Url()],
        message: 'Must be a valid email or URL.',
    )]
    private string $contact;
}

No annotation doc-blocks, no XML mapping. Pure PHP 8.1 attributes all the way down.

Dependency injection: three things worth knowing

Tagged iterators can now be injected into service locators, which previously only accepted explicit service lists. Union type autowiring works when both sides of the union resolve to the same service, which is common with serializer interfaces:

public function __construct(
    private NormalizerInterface & DenormalizerInterface $serializer
) {}

#[SubscribedService] replaces the automatic introspection that ServiceSubscriberTrait did implicitly. It’s now an explicit attribute on methods, which makes the dependency visible without any magic:

use Symfony\Contracts\Service\Attribute\SubscribedService;

class SomeService implements ServiceSubscriberInterface
{
    #[SubscribedService]
    private function router(): RouterInterface
    {
        return $this->container->get(__METHOD__);
    }
}

Messenger: attributes, worker state, and service reset

Messenger handlers can drop the MessageHandlerInterface in favor of #[AsMessageHandler], which also lets you bind a handler to a specific transport and set its priority, all without touching YAML:

#[AsMessageHandler(fromTransport: 'async', priority: 10)]
class ProcessOrderHandler
{
    public function __invoke(ProcessOrder $message): void { /* ... */ }
}

Worker state is now inspectable via WorkerMetadata inside event listeners, useful when you have workers on multiple transports and need to know which one fired a given event.

Long-running workers accumulate state across messages: entity manager buffers, in-memory caches, open connections. The new reset_on_message option takes care of resetting all resettable services between messages:

framework:
    messenger:
        reset_on_message: true

Serializer: collect errors instead of throwing

Deserializing external JSON into a typed DTO used to throw on the very first type mismatch. The COLLECT_DENORMALIZATION_ERRORS option changes that: all type errors get collected into a PartialDenormalizationException, so you can return a proper 400 with a full list of field-level problems:

try {
    $dto = $serializer->deserialize($request->getContent(), OrderDto::class, 'json', [
        DenormalizerInterface::COLLECT_DENORMALIZATION_ERRORS => true,
    ]);
} catch (PartialDenormalizationException $e) {
    return $this->json(
        array_map(fn($err) => ['path' => $err->getPath(), 'expected' => $err->getExpectedTypes()], $e->getErrors()),
        400
    );
}

The serializer’s default context can also be set globally in YAML, so you stop passing the same options on every call.

Language negotiation out of the box

Two new framework options handle the Accept-Language header without custom listeners:

framework:
    enabled_locales: ['en', 'fr', 'de']
    set_locale_from_accept_language: true
    set_content_language_from_locale: true

With this in place, Symfony reads the browser’s preferred language, picks the best match from enabled_locales, sets the request locale, and adds a Content-Language header to the response. The {_locale} route attribute still takes precedence when present.

Translation: extraction, not update

The translation:update command is renamed to translation:extract. The old name sticks around as deprecated. The distinction matters: the command never writes to a database, it extracts translatable strings from source files. The new name finally says what it does.

lint:xliff also gains a --format=github option that outputs errors as GitHub Actions annotations, so translation lint failures show up as PR review comments instead of getting buried in log output.

Controller shortcuts pruned

Three AbstractController shortcuts are deprecated: getDoctrine(), dispatchMessage(), and the generic get() method for pulling arbitrary services from the container. The direction is explicit constructor injection. For getDoctrine() specifically:

// before
$em = $this->getDoctrine()->getManager();

// after — inject it directly
public function __construct(private EntityManagerInterface $em) {}

Request::get() is also deprecated. It searched route attributes, query string, and POST body in an undocumented order, which was a great way to get surprising results. Use $request->query->get(), $request->request->get(), or $request->attributes->get() and be explicit about where the value comes from.

The Path utility class

The Filesystem component gets a Path class ported from webmozart/path-util. It handles the awkward cases that dirname() and realpath() fumble:

use Symfony\Component\Filesystem\Path;

Path::canonicalize('../config/../config/services.yaml'); // '../config/services.yaml'
Path::getDirectory('C:/');                               // 'C:/' (dirname() returns '.')
Path::getLongestCommonBasePath([
    '/var/www/project/src/Controller/FooController.php',
    '/var/www/project/src/Controller/BarController.php',
    '/var/www/project/src/Entity/User.php',
]);
// '/var/www/project/src'

Useful whenever your code deals with paths that cross OS boundaries or involve relative segments.

Smaller things that add up

debug:dotenv shows which .env files were loaded and what value each variable resolves to. The first thing you reach for when environment-specific behavior is acting up.

The String component adds trimPrefix() and trimSuffix() for removing known prefixes or suffixes without writing a substr calculation:

u('file-image-0001.png')->trimPrefix('file-');    // 'image-0001.png'
u('template.html.twig')->trimSuffix('.twig');      // 'template.html'

DomCrawler gets innerText(), which returns only the direct text of a node, excluding child elements. text() returns everything including nested text; innerText() returns just the node’s own content. Small difference, but it matters when scraping.

The RateLimiter component extends its interval support to perMonth() and perYear(), for apps that need to limit events over longer windows: newsletter sends, API quota resets, annual plan limits.

The Finder component now respects .gitignore files in all subdirectories when you call ignoreVCSIgnored(true), not just the root. Child directory rules override parent rules, exactly like git itself.

The LTS window

5.4 gets bug fixes until November 2024 and security fixes until November 2025. The migration from 5.4 to 6.4 (the next LTS) is intentionally smooth: fix the 5.4 deprecation warnings, and the 6.x jump is mechanical.

The deprecation layer in 5.4 points at everything 6.0 removes: the remaining pieces of the old security system, ContainerAwareTrait, and a handful of legacy form and serializer patterns.

The String component

PHP’s string handling is famously scattered: prefix-style functions here (str_), suffix-style there (strpos), inconsistent encoding support, and nothing object-oriented in sight. The String component wraps all of this into a fluent, unicode-aware object API:

use Symfony\Component\String\UnicodeString;

$str = new UnicodeString('  Hello World  ');
echo $str->trim()->lower()->replace(' ', '-'); // hello-world

The practical addition is the Slugger, a locale-aware slug generator that actually handles accented characters correctly:

$slug = $slugger->slug('L\'été à Montréal'); // l-ete-a-montreal

Before, you’d pull in a third-party library or write your own. Now it ships with FrameworkBundle, available by default.

Notifier

Email is handled by Mailer. SMS, push notifications, chat messages: no first-party story, until now. The Notifier component adds one: a unified interface over dozens of channels and providers.

The same notification can hit Slack, trigger an SMS via Twilio, or end up as a push notification, all configured through DSNs. Adding a new channel is a config change, not a code change.

Secrets vault

Storing secrets in .env files works, but the values are plain text, shared environments are a pain, and there’s no native way to encrypt anything at rest.

Symfony 5.0 adds a secrets: command family and a vault mechanism. Secrets are encrypted with a key pair stored outside the repository. The encrypted files get committed; the decrypt key does not. In production, the key comes in as an environment variable or gets injected from a secret manager.

php bin/console secrets:set DATABASE_PASSWORD
php bin/console secrets:decrypt-to-local --force

Not a full-blown secrets management solution, but a real step up from a plain .env file sitting unencrypted in your repo.

Mailer gets a notification layer

The Mailer component arrived in 4.4. What 5.0 adds on top is the NotificationEmail — a pre-styled, responsive email built on Foundation for Emails, with an explicit API for importance levels and call-to-action buttons:

use Symfony\Bridge\Twig\Mime\NotificationEmail;

$email = (new NotificationEmail())
    ->from('alerts@example.com')
    ->to('admin@example.com')
    ->subject('Disk usage critical')
    ->markdown('The disk on **prod-01** is at 94%. Check it now.')
    ->action('Open dashboard', 'https://example.com/servers')
    ->importance(NotificationEmail::IMPORTANCE_URGENT);

No template to write, no inline CSS to wrestle with. For transactional alerts, billing notifications, and system emails, it covers 80% of what you need without touching anything.

Lazy firewalls and the caching problem

Every stateful firewall in Symfony loads the user from session on every request, whether the action needs it or not. Which means any response is uncacheable by default, even for pages that never touch $this->getUser().

5.0 adds lazy mode for firewalls, which defers session access until the code actually calls is_granted() or reaches for the user token:

# config/packages/security.yaml
security:
    firewalls:
        main:
            pattern: ^/
            anonymous: lazy

Pages that don’t need the user become cacheable again. New projects get this by default via the Flex recipe; existing ones need a one-line config change.

Password migrations without the big bang

Migrating a live app from bcrypt to argon2id used to mean forcing a password reset on every user. The PasswordUpgraderInterface makes it gradual: at login, Symfony checks whether the stored hash matches the current algorithm. If not, it rehashes on the spot and calls your upgrader to save it:

// src/Repository/UserRepository.php
class UserRepository extends ServiceEntityRepository implements PasswordUpgraderInterface
{
    public function upgradePassword(UserInterface $user, string $newHashedPassword): void
    {
        $user->setPassword($newHashedPassword);
        $this->getEntityManager()->flush();
    }
}

Pair that with algorithm: auto in the encoder config, and old hashes migrate silently as users log in. No migration script, no downtime, no user friction.

ErrorHandler replaces Debug

The Debug component is gone. Its replacement, ErrorHandler, does the same job (converting PHP errors to exceptions, showing nice error pages) but without requiring Twig. For API apps that never render HTML, that matters: ErrorHandler generates errors in the format of the request (JSON, XML, plain text) following RFC 7807:

{
    "title": "Not Found",
    "status": 404,
    "detail": "Sorry, the page you are looking for could not be found"
}

The routing config moves from TwigBundle to FrameworkBundle, and that’s the only migration step for most projects. One line, done.

Event listeners, finally less verbose

Registering a kernel event listener used to mean explicitly naming the event in the service tag. Symfony 5.0 infers it from the method signature:

// No tag configuration needed beyond kernel.event_listener
final class SecurityListener
{
    public function onKernelRequest(RequestEvent $event): void
    {
        // Symfony reads the type hint and figures out the event
    }
}

# config/services.yaml
App\EventListener\SecurityListener:
    tags: [kernel.event_listener]

Use __invoke() and it works the same way. Bulk-register a whole directory of listeners with one resource block, and Symfony figures out which event each one handles.

HttpClient grows up

The HttpClient component arrived in 4.4 as stable. 5.0 adds a few useful things on top:

NTLM authentication for corporate environments, conditional buffering via a callback (buffer large responses only when the content-type matches), a max_duration option that caps the total request time regardless of network conditions, and toStream() to turn any response into a standard PHP stream for code that expects fread():

$response = $client->request('GET', 'https://api.example.com/large-export', [
    'max_duration' => 30.0,
    'buffer' => fn(array $headers): bool => str_contains($headers['content-type'][0] ?? '', 'json'),
]);

// Stream it instead of loading it all into memory
$stream = $response->toStream();

The client also got full interoperability with PSR-18 and HTTPlug v1/v2, so any library that depends on those abstractions just works with it.

What 5.0 removes

5.0 drops everything deprecated in 4.4. The most notable:

• WebServerBundle (use symfony server:start from the CLI tool instead)
• The old security system’s AnonymousToken (replaced by NullToken)
• Old form event names
• Symfony’s internal ClassLoader
• The Debug component (replaced by ErrorHandler)

If you ran your 4.4 app with deprecation notices active and fixed the warnings, upgrading to 5.0 requires no code changes.

The feature worth singling out arrived in 4.2 and matured through 4.3 and 4.4: HttpClient.

HttpClient

PHP’s built-in HTTP options (file_get_contents with stream contexts, cURL, Guzzle) each have their own model, their own quirks, and their own abstraction cost. Symfony 4.2 introduced HttpClient, a first-party HTTP client with one API over multiple transports.

The interface is clean:

$response = $client->request('GET', 'https://api.example.com/users');
$users = $response->toArray();

The implementation is async by default. Responses are lazy: the network request doesn’t happen until you actually read the response. Multiple requests can be initiated and resolved as data arrives, no threads or callbacks needed.

The built-in mock transport (MockHttpClient) makes testing HTTP calls painless without spinning up servers or patching global functions.

Mailer

Also stabilized in 4.4: the Mailer component, replacing SwiftMailerBundle as the recommended email solution. Transport is configured via DSN:

MAILER_DSN=smtp://user:pass@smtp.example.com:587

The DSN approach means switching providers (Mailgun, Postmark, SES, local SMTP) is a config change, not a code change. Email testing uses a spooler by default in non-production environments.

Messenger matures

The Messenger component landed in 3.4 as experimental. By 4.4 it’s stable and battle-tested: async message handling with retry logic, failure transport, and adapters for AMQP, Redis, Doctrine, and in-process transports.

The pattern it enables (handle a request synchronously, dispatch work asynchronously, retry on failure) replaces a class of Gearman/RabbitMQ setups that required separate libraries and significant configuration.

The LTS window

4.4 is supported for bugs until November 2022 and security fixes until November 2023. If you’re on 4.x and want stability, this is a comfortable place to land. The deprecation warnings it introduces point directly at what 5.0 will require.

The Messenger component, from experimental to production

Messenger arrived in 4.1 as an experiment. The concept was simple: dispatch a message object to a bus, handle it immediately or route it to a transport for async processing. By 4.3 and 4.4, the experiment had become infrastructure.

The 4.3 release added a dedicated failure transport. When a message fails after all retry attempts, it goes somewhere recoverable rather than just disappearing:

framework:
    messenger:
        failure_transport: failed
        transports:
            async: '%env(MESSENGER_TRANSPORT_DSN)%'
            failed: 'doctrine://default?queue_name=failed'
        routing:
            App\Message\SendEmail: async

Messages that land in failed can be inspected and retried manually. Before this, failed messages were a log entry and a headache. After this, they’re a queue you can actually work with.

Event dispatching, finally using objects properly

Since the beginning, Symfony’s event system used string event names as the primary identifier. You’d define OrderEvents::NEW_ORDER = 'order.new_order', listen on that string, and pass the event object as a secondary parameter.

4.3 flipped this around. The event object comes first, and the event name becomes optional:

// Before
$dispatcher->dispatch(OrderEvents::NEW_ORDER, $event);

// 4.3+
$dispatcher->dispatch($event);

Omit the name and Symfony uses the class name as the identifier. Listeners and subscribers can now reference the class directly:

public static function getSubscribedEvents(): array
{
    return [
        OrderPlacedEvent::class => 'onOrderPlaced',
    ];
}

The HttpKernel events were renamed accordingly: GetResponseEvent became RequestEvent, FilterResponseEvent became ResponseEvent. The old names stayed as aliases through 4.x.

VarDumper gets a server

dump() in a controller that returns JSON means your debug output gets injected straight into the response body. For API development, that’s annoying enough to make people disable dumping entirely.

4.1 added a VarDumper server that captures dumps separately:

bin/console server:dump

Configure the dump destination in config/packages/dev/debug.yaml:

debug:
    dump_destination: "tcp://%env(VAR_DUMPER_SERVER)%"

Now dump() in your API controller sends data to the server’s console instead of polluting the response. The server shows the dump alongside its source file, the HTTP request that triggered it, and the timestamp.

VarExporter, for when var_export() fails you

var_export() has two problems: it ignores serialization semantics and its output isn’t PSR-2 compliant. The 4.2 VarExporter component fixes both.

$exported = VarExporter::export([123, ['abc', true]]);
// Returns:
// [
//     123,
//     [
//         'abc',
//         true,
//     ],
// ]

More importantly, it correctly handles objects implementing Serializable, __sleep, and __wakeup. Where var_export() silently drops serialization methods and exports raw properties, VarExporter produces code that calls the same hooks unserialize() would. The practical use case is cache warming: generating PHP files that can be loaded by OPcache without re-executing expensive computations.

Passwords that check against breach databases

The NotCompromisedPassword constraint arrived in 4.3. It checks submitted passwords against haveibeenpwned.com’s breach database without sending the actual password anywhere.

use Symfony\Component\Validator\Constraints as Assert;

class User
{
    #[Assert\NotCompromisedPassword]
    public string $plainPassword;
}

The implementation uses k-anonymity: SHA-1 hash the password, send only the first five characters to the API, get back all matching hashes, check locally. The password never leaves your server. For registration forms, adding this constraint is one line and a genuinely useful security signal.

Workflow gets context

The Workflow component existed before 4.x, but 4.3 added context propagation: the ability to pass arbitrary data through a transition and access it in listeners.

$workflow->apply($article, 'publish', [
    'user' => $user->getUsername(),
    'reason' => $request->request->get('reason'),
]);

The context arrives in TransitionEvent and gets stored alongside the marking. For audit trails, this is the difference between knowing a transition happened and knowing who triggered it and why. You can also inject context from a subscriber without touching every apply() call, which is handy for cross-cutting concerns like timestamps or current user.

The autowiring got smarter

4.2 added binding by type and name together. Before, you could bind by type (LoggerInterface) or by name ($logger), but not both at once. That caused problems when a service needs two different implementations of the same interface:

services:
    _defaults:
        bind:
            Psr\Log\LoggerInterface $orderLogger: '@monolog.logger.orders'
            Psr\Log\LoggerInterface $paymentLogger: '@monolog.logger.payments'

class OrderService
{
    public function __construct(
        private LoggerInterface $orderLogger,   // gets monolog.logger.orders
        private LoggerInterface $paymentLogger, // gets monolog.logger.payments
    ) {}
}

The match requires both type and argument name to align, so there’s no risk of accidentally injecting the wrong logger.

ErrorHandler replaces the Debug component

The Debug component, unchanged since 2013, had an awkward dependency on TwigBundle even for API-only apps. Any uncaught exception in a JSON API would render an HTML error page unless you wrote custom exception listeners.

4.4 extracts this into a dedicated ErrorHandler component. For non-HTML requests, error responses now follow RFC 7807 out of the box:

{
    "title": "Not Found",
    "status": 404,
    "detail": "Sorry, the page you are looking for could not be found"
}

No Twig required. The format follows the Accept header: JSON for JSON requests, XML for XML requests. To customize further, you provide a normalizer via the Serializer component rather than a Twig template.

PHP 7.4 preloading, wired in automatically

PHP 7.4 introduced OPcache preloading: load files into shared memory before any requests arrive, so they’re available as compiled opcodes from the very first request. The practical gain is 30-50% faster response times with no code changes.

The catch is configuration: you need to specify exactly which files to preload in php.ini. Symfony 4.4 generates that file automatically in the cache directory:

; php.ini
opcache.preload=/path/to/project/var/cache/prod/App_KernelProdContainer.preload.php
opcache.preload_user=www-data

Run cache:warmup in production and point OPcache at the generated file. Symfony preloads the container, compiled routes, and Twig templates: the files that are read on every request and never change between deploys.

Console: return codes and NO_COLOR

Two small things in 4.4 that honestly should have existed earlier. Commands that don’t return an integer from execute() now trigger a deprecation warning. In 5.0, the return type becomes mandatory. Returning 0 for success, non-zero for failure: standard Unix behavior, and it makes integration with process supervisors and CI pipelines unambiguous.

protected function execute(InputInterface $input, OutputInterface $output): int
{
    // ...
    return Command::SUCCESS; // = 0
}

The second: NO_COLOR environment variable support, following the convention from no-color.org. Set it and every Symfony console command drops ANSI escape codes regardless of what the terminal claims to support. Useful for CI environments that capture output as text and then choke on color codes embedded in logs.

4.0 is a different philosophy. The Symfony Standard Edition, the monolithic starting point that bundled everything and left you to remove what you didn’t need, is gone. In its place: a microframework that grows.

Flex

Symfony Flex is a Composer plugin that changes how you install Symfony packages. Before Flex, adding a bundle meant: install via Composer, register in AppKernel.php, add config to config/, update routing if needed. Four steps, all manual.

With Flex, installing a package runs a “recipe”: a set of automated steps that registers the bundle, generates a config skeleton, and wires routing. Installing Doctrine:

composer require symfony/orm-pack

That command installs the packages, creates config/packages/doctrine.yaml, adds the env variable stubs to .env, and registers everything. One command, zero manual steps.

Recipes are community-contributed and hosted on a central server. Quality varies, but for major packages they’re maintained alongside the packages themselves.

The new project structure

The Standard Edition layout (app/, src/, web/) is replaced by a leaner structure. Config lives in config/ split by environment. The public directory is now public/, not web/. The kernel is smaller. Controllers are plain classes, no extends Controller required.

More importantly, the default services.yaml uses the 3.3 autowiring defaults that make explicit service configuration mostly unnecessary. New projects start minimal and grow by adding what they actually need.

Services private by default

4.0’s biggest BC break for existing apps: all services are private by default. You can’t fetch a service from the container directly anymore, it has to be injected. This is the right call from a DI perspective, but it breaks anything that used $this->get('service_id') in controllers.

The migration path is AbstractController, which provides the same convenience methods through lazy service locators rather than raw container access.

What was removed

4.0 is clean because it removes everything deprecated in 3.4:

• The old form events, the old security interfaces, the old configuration formats
• Support for PHP < 7.1.3
• The ClassLoader component
• ACL support from SecurityBundle

The removals are aggressive. Apps that skipped fixing their 3.4 deprecations will have a rough time. Apps that did the cleanup beforehand have a smooth path.

Symfony 4.0 is the reset the framework needed. The Standard Edition had accumulated years of “this is how it’s done” that Flex sweeps away in one shot.

Environment variables that actually know their type

Before 3.4 and 4.0, environment variables were strings. Always. Trying to inject DATABASE_PORT into an int parameter would silently break or blow up with a type error. The fix was ugly: cast in PHP or avoid typed parameters entirely.

4.0 ships with env var processors that handle the conversion at the container level:

parameters:
    app.connection.port: '%env(int:DATABASE_PORT)%'
    app.debug_mode: '%env(bool:APP_DEBUG)%'

Beyond casting, processors can decode base64, load from files, parse JSON, or resolve container parameters within a value. The json:file: combination turned into a clean pattern for loading secrets from mounted files in containerized deployments:

parameters:
    env(SECRETS_FILE): '/run/secrets/app.json'
    app.secrets: '%env(json:file:SECRETS_FILE)%'

You can also write custom processors by implementing EnvVarProcessorInterface and tagging the service. Looks like overkill until the day you need it.

Tagged services without the boilerplate

Before 4.0, collecting all services with a given tag into one service meant writing a compiler pass. Forty lines of PHP to say “give me everything tagged app.handler.”

3.4 introduced the !tagged YAML shorthand, and 4.0 carries it forward:

services:
    App\HandlerCollection:
        arguments: [!tagged app.handler]

The collection is lazy by default when type-hinted as iterable, so services aren’t instantiated until you actually iterate. This replaced a whole category of compiler passes that existed for the sole purpose of building lists.

PHP as a configuration format

YAML has been the default for so long it feels required. It isn’t. 4.0 ships with PHP-based configuration using a fluent interface:

// config/services.php
return function (ContainerConfigurator $container) {
    $services = $container->services()
        ->defaults()
            ->autowire()
            ->autoconfigure();

    $services->load('App\\', '../src/')
        ->exclude('../src/{Entity,Repository}');
};

Same approach works for routes. The practical benefit: IDE autocompletion, type checking, and actual PHP logic in configuration without the % parameter interpolation syntax. YAML isn’t going anywhere, but now you have a choice.

Argon2i, because bcrypt was already aging

Symfony 3.4/4.0 added Argon2i support, winner of the 2015 Password Hashing Competition. Configuration is one line:

security:
    encoders:
        App\Entity\User:
            algorithm: argon2i

Argon2i is built into PHP 7.2+ and available via the sodium extension on earlier versions. Like bcrypt, it’s self-salting, no need to manage salt columns. Unlike bcrypt, it’s designed to resist GPU-based attacks with configurable memory usage. If you’re starting a new project on 4.0, there’s really no reason to reach for bcrypt.

The form layer gets a Bootstrap 4 theme

The existing Bootstrap 3 form theme has been around since Symfony 2.x. Bootstrap 4 ships as a first-class option in 4.0:

twig:
    form_themes: ['bootstrap_4_layout.html.twig']

More useful in practice: the tel and color HTML5 input types are now available as TelType and ColorType form types. Before, you had to write custom types or override raw widgets for those.

Local service binding

Global _defaults bindings apply to all services. Sometimes you need a binding scoped to a specific class or namespace, like different logger instances for different subsystems.

4.0 supports per-service bind for exactly that:

services:
    App\Service\OrderService:
        bind:
            Psr\Log\LoggerInterface: '@monolog.logger.orders'

    App\Service\PaymentService:
        bind:
            Psr\Log\LoggerInterface: '@monolog.logger.payments'

Same interface, two different implementations, no factory, no extra configuration. Small feature, but it kills a whole category of awkward workarounds.

3.4 is not a feature release. It ships with exactly the same features as 3.3, plus every deprecation warning that 4.0 will enforce. Its whole purpose is to be the migration tool: upgrade from 3.3 to 3.4, fix what’s in your logs, then step to 4.0 cleanly.

Why LTS releases matter in Symfony’s model

Symfony releases a new minor version every six months. That pace would be brutal for production apps to follow, so the project designates every fourth minor as an LTS: three years of bug fixes, four of security fixes. Which means teams can target 3.4 and mostly stop thinking about upgrades for a while.

3.4 is the last LTS of the 3.x line. If you’re still on 2.x or early 3.x, this is your landing zone.

The deprecation layer

Every feature that 4.0 removes is deprecated in 3.4. Run your app on 3.4 with deprecation notices enabled and your logs become a to-do list. The common ones:

• Services without explicit visibility (public/private) generate warnings — 4.0 makes all services private by default
• ControllerTrait is deprecated in favor of AbstractController
• The old security authenticator interfaces are marked for removal
• YAML-only service configuration without autowiring annotations triggers warnings

The intended workflow: upgrade to 3.4, run the test suite with deprecation notices as errors (SYMFONY_DEPRECATIONS_HELPER=max[self]=0 in PHPUnit), fix everything that fails. After that, the upgrade to 4.0 is basically mechanical.

The support window

3.4 LTS receives bug fixes until November 2020 and security fixes until November 2021. That’s a comfortable runway for apps that can’t follow every release. The cost: staying on the 3.x architecture, with no Flex, no micro-framework structure, no zero-config autowiring by default.

The bridge is there. Whether and when you cross it is a business decision, not a technical one.

Services go private

3.4 flipped the default visibility of services from public to private. Before this, $container->get('app.my_service') was perfectly normal code. After this, it’s an anti-pattern that generates a deprecation warning in 3.4 and breaks entirely in 4.0.

The reasoning is simple: fetching services directly from the container hides dependencies and defeats static analysis. If you inject through the constructor, the container can optimize the graph, tree-shake unused services, and catch mistakes at compile time. If you pull them at runtime, it can’t.

For apps already using autowiring, the migration is usually small. The sticky point is controllers that extend Controller and call $this->get('something'). The fix is switching to AbstractController, which provides the same shortcuts but through lazy service locators instead of raw container access.

For services that genuinely need to be public (accessed from legacy code or functional tests), mark them explicitly:

services:
    App\Service\LegacyAdapter:
        public: true

Binding scalar arguments once

A classic friction point with autowiring: scalar constructor arguments. If ten services all need $projectDir, you had to configure each one individually. The bind key under _defaults fixes that:

services:
    _defaults:
        autowire: true
        autoconfigure: true
        bind:
            $projectDir: '%kernel.project_dir%'
            $mailerDsn: '%env(MAILER_DSN)%'
            Psr\Log\LoggerInterface $auditLogger: '@monolog.logger.audit'

Any service with a constructor parameter named $projectDir gets the bound value automatically. You can also bind by type-hint, which handles the common case where multiple logger channels exist and you need a specific one. Bindings in _defaults apply to all services in the file; you can override per-service if needed.

Injecting tagged services without a compiler pass

Before 3.4, collecting all services with a given tag meant writing a compiler pass. Now there’s a YAML shorthand:

services:
    App\Chain\TransformerChain:
        arguments:
            $transformers: !tagged app.transformer

class TransformerChain
{
    public function __construct(private iterable $transformers) {}
}

The !tagged notation creates an IteratorArgument: services are lazily instantiated as you iterate, so unused transformers never get built. For ordering, add a priority attribute to the tag definition on each service.

A logger that ships with the framework

No Monolog? No problem. Symfony 3.4 includes a PSR-3 logger that writes to php://stderr by default. Autowire it with Psr\Log\LoggerInterface:

use Psr\Log\LoggerInterface;

class MyService
{
    public function __construct(private LoggerInterface $logger) {}

    public function doSomething(): void
    {
        $this->logger->warning('Something questionable happened', ['context' => 'here']);
    }
}

The default minimum level is warning. The target is container and Kubernetes workloads where stderr is the natural log sink. It’s deliberately minimal: no handlers, no processors, no channels. When you need those, install Monolog.

Guard authenticators got a supports() method

The Guard component’s getCredentials() method was pulling double duty: deciding whether the authenticator should handle the request, and extracting the credentials. Returning null was the signal to skip. That made the contract messy.

3.4 added supports() to separate those concerns:

class ApiTokenAuthenticator extends AbstractGuardAuthenticator
{
    public function supports(Request $request): bool
    {
        return $request->headers->has('X-API-TOKEN');
    }

    public function getCredentials(Request $request): array
    {
        // Only called when supports() returns true.
        // Must always return credentials now.
        return ['token' => $request->headers->get('X-API-TOKEN')];
    }
}

The old GuardAuthenticatorInterface is deprecated. The practical benefit: base classes can implement shared getUser() and checkCredentials() logic, while subclasses only override supports() and getCredentials(). One responsibility each.

Two new debug commands

debug:autowiring replaces the old debug:container --types for discovering which type-hints work with autowiring:

$ bin/console debug:autowiring log

Autowirable Services
====================

  Psr\Log\LoggerInterface
      alias to monolog.logger
  Psr\Log\LoggerInterface $auditLogger
      alias to monolog.logger.audit

Pass a keyword to filter. No more guessing whether it’s LoggerInterface or Logger.

debug:form gives you the same introspection capability for form types:

$ bin/console debug:form App\Form\OrderType label_attr

Option: label_attr
  Required: false
  Default: []
  Allowed types: array

Without arguments it lists all registered form types, extensions, and guessers. With a type name and option name it shows every constraint on that option. Before this, you either read the source or trial-and-errored your way through.

Sessions got stricter by default

3.4 implements PHP 7.0’s SessionUpdateTimestampHandlerInterface, which brings two things: lazy session writes (only written when data actually changed) and strict session ID validation (IDs that don’t exist in the store are rejected rather than silently created, which blocks a class of session fixation attacks).

The old WriteCheckSessionHandler, NativeSessionHandler, and NativeProxy classes are deprecated. The MemcacheSessionHandler (note: not Memcached) is gone too, since the underlying PECL extension stopped receiving PHP 7 updates.

Twig form themes can now be scoped

Global form themes apply to every form in the app. If one form needs a completely different look, you had no clean way to opt out. The only keyword handles that:

{% raw %}{% form_theme orderForm with ['form/order_layout.html.twig'] only %}{% endraw %}

The only keyword disables all global themes for that form, including the base form_div_layout.html.twig. Your custom theme then needs to either provide all the blocks it uses, or explicitly pull them in with {% raw %}{% use 'form_div_layout.html.twig' %}{% endraw %}.

Overriding bundle templates without infinite loops

Overriding a bundle template that you also need to extend used to cause a circular reference error. Override @TwigBundle/Exception/error404.html.twig and also try to inherit from it? The old namespace resolution would follow your override and loop forever.

3.4 introduced the @! prefix to explicitly reference the original bundle template, bypassing any overrides:

{% raw %}{# templates/bundles/TwigBundle/Exception/error404.html.twig #}
{% extends '@!Twig/Exception/error404.html.twig' %}

{% block title %}Page not found{% endblock %}{% endraw %}

@TwigBundle resolves to your override if one exists. @!TwigBundle always resolves to the original. Override-and-extend, without the gymnastics.

The autowiring problem

Before 3.3, Symfony’s DI was powerful but verbose. Every service had to be declared explicitly in services.yml with its arguments listed. Autowiring existed since 3.1, but it was opt-in per service and had enough edge cases to bite you. Teams either wrote mountains of YAML or leaned on third-party bundles to cut the noise.

3.3 rewrote the defaults. With autoconfigure: true and autowire: true set once in the defaults section, every class in src/ becomes a service automatically, and its constructor dependencies are resolved by type. What used to take twenty lines of YAML now takes zero:

services:
    _defaults:
        autowire: true
        autoconfigure: true
    App\:
        resource: '../src/'

That single block is the entire service configuration for most apps. The framework discovers services, injects dependencies, and applies tags (command, event subscriber, voter…) based on the interfaces each class implements.

instanceof conditionals

The instanceof keyword in service configuration handles the tagging that previously required explicit declaration:

services:
    _instanceof:
        Symfony\Component\EventDispatcher\EventSubscriberInterface:
            tags: ['kernel.event_subscriber']

Any service implementing EventSubscriberInterface gets the tag automatically. Same for Command, Voter, MessageHandlerInterface. The boilerplate evaporates.

Dotenv component

Before 3.3, Symfony had no built-in way to load .env files. The standard answer was a third-party package. The new Dotenv component reads .env and populates $_ENV and $_SERVER, making environment-based configuration a first-class citizen at last.

Service discovery from the filesystem

The resource option ties it all together. Instead of registering every class individually, you point the container at a directory and it scans for PSR-4 classes:

services:
    App\:
        resource: '../src/'
        exclude: '../src/{Entity,Migrations}'

Every class found becomes a service with its FQCN as the service ID. The exclude option handles things like Doctrine entities that you don’t want the container touching. And no, it’s not magic: it’s a filesystem scan at compile time, so the cost is paid once during cache warmup, not per request.

When you need a subset of the container

Service locators solve a specific tension: some services legitimately need lazy access to a variable set of other services, but injecting the full container is an anti-pattern — it hides dependencies and defeats static analysis. The solution is a locator that explicitly declares what it contains.

services:
    App\Handler\HandlerLocator:
        class: Symfony\Component\DependencyInjection\ServiceLocator
        tags: ['container.service_locator']
        arguments:
            -
                App\Command\CreateOrder: '@App\Handler\CreateOrderHandler'
                App\Command\CancelOrder: '@App\Handler\CancelOrderHandler'

    App\Bus\CommandBus:
        arguments: ['@App\Handler\HandlerLocator']

The locator implements PSR-11’s ContainerInterface, so the receiving class type-hints against Psr\Container\ContainerInterface. Services inside it are lazily instantiated: if a given handler never gets called during a request, it never gets built.

And speaking of PSR-11: Symfony 3.3 made its container implement that standard. Which means any library expecting a PSR-11 container now works directly with Symfony’s container, no adapter needed.

Routing got faster

The routing component rewrote how it generates dump files. In an app with 900 routes, URL matching dropped from 7.5ms to 2.5ms per match: a 66% reduction. The optimizations live in the compiled output, not the runtime path, so existing route definitions benefit automatically after a cache clear.

Finding the project root without counting directory separators

Before 3.3, getting the project root meant using the delightfully awkward %kernel.root_dir%/../ pattern, because getRootDir() pointed at the app/ directory. The new getProjectDir() method walks up from the kernel file until it finds composer.json and returns that directory.

// Before
$path = $this->getParameter('kernel.root_dir') . '/../var/data.db';

// After
$path = $this->getParameter('kernel.project_dir') . '/var/data.db';

The corresponding parameter is %kernel.project_dir%. If you deploy without composer.json, you can override the method in your kernel class and return whatever path makes sense.

Flash messages without touching the session object

The old way of iterating flash messages in Twig required reaching through app.session.flashbag, which also forced the session to start whether or not there were any messages. The new app.flashes helper avoids both:

{% raw %}{% for label, messages in app.flashes %}
    {% for message in messages %}
        <div class="flash-{{ label }}">{{ message }}</div>
    {% endfor %}
{% endfor %}{% endraw %}

If there are no flash messages, the session never starts. You can also filter by type: app.flashes('error') returns only error messages.

The encode-password command grew a brain

The security:encode-password console command got smarter. Instead of requiring you to pass the user class as an argument, it now lists the configured user classes and lets you pick:

$ bin/console security:encode-password

  For which user class would you like to encode a password?
  [0] App\Entity\User
  [1] App\Entity\AdminUser

It also normalizes encoder configuration to handle edge cases with email-format usernames that the previous version would silently corrupt by replacing @ with underscores. Nice catch.

HTTP/2 push and resource hints

The WebLink component handles the Link HTTP header, which tells browsers (and HTTP/2 proxies) to preload, prefetch, or preconnect to resources before the page even asks for them. It comes as a set of Twig functions:

{% raw %}{{ preload('/fonts/custom.woff2', { as: 'font', crossorigin: true }) }}
{{ prefetch('/api/next-page-data.json') }}
{{ dns_prefetch('https://fonts.googleapis.com') }}{% endraw %}

Each call adds a corresponding Link header to the response. For apps behind an HTTP/2-capable proxy, this can trigger server push before the browser has even parsed the HTML. You enable it in config.yml:

framework:
    web_link:
        enabled: true

Deprecations you can actually trust

Container compilation used to generate deprecation warnings that vanished on the next page load because the cached container was already built. 3.3 persists those messages to disk and surfaces them in the web debug toolbar alongside request-phase deprecations. If a class is being deprecated during service compilation, you’ll see it without having to nuke the cache first.

What this meant for 4.0

3.3’s autowiring defaults are exactly what Symfony 4.0 shipped as the new standard project structure. The services.yaml in every new Symfony 4 project is essentially the snippet above. If you had already picked up what 3.3 introduced, 4.0’s “new way” felt familiar rather than foreign.

The direction was clear: less configuration, more convention. Let PHP figure out what to wire together.