docker run --rm <image> php -r "var_dump(require '.env.local.php');"

The output showed everything that composer dump-env prod had compiled into the image at build time. Which meant it showed everything that had been in the .env file when the image was built. Which meant it showed these, among others:

INFLUXDB_INIT_ADMIN_TOKEN=<influxdb-admin-token>
GF_SECURITY_ADMIN_USER=admin
GF_SECURITY_ADMIN_PASSWORD=admin123
BLACKFIRE_CLIENT_ID=<blackfire-client-id>
BLACKFIRE_CLIENT_TOKEN=<blackfire-client-token>
BLACKFIRE_SERVER_ID=<blackfire-server-id>
BLACKFIRE_SERVER_TOKEN=<blackfire-server-token>
NGROK_AUTHTOKEN=replace-me-optionnal

Twenty-five variables in total. Every credential that had accumulated in the root .env over three years, now permanent in an image layer.

How dump-env works

composer dump-env prod is a legitimate Symfony optimization. Instead of parsing .env files on every request, the runtime loads a pre-compiled PHP array from .env.local.php. Faster and simpler.

The problem is what it reads. The Dockerfile copies the repository into the image with COPY . ./, .env included. Then dump-env prod reads that file and compiles every variable into .env.local.php. The image ships with a frozen snapshot of the credentials that were in .env at build time.

Docker layers are immutable archives. Even if a subsequent step removed .env from the container filesystem, the layer containing it would still exist inside the image. docker save <image> produces a tarball of every layer; extracting any file from any point in the build history is straightforward. The credentials are invisible at runtime. They are not gone.

Factor V calls this out directly: a build artifact should be environment-agnostic, with config arriving at the release step from outside. Once credentials are compiled in, the image is no longer portable. You can’t promote it across environments. You build twice and hope the second build behaves like the first.

How twenty-five variables accumulate

Before tracing how this gets fixed, it’s worth understanding how it happened.

The BLACKFIRE_* tokens are the easy case to understand. A team member sets up profiling, needs to share the configuration, and the repository is already open to everyone. One line in .env is the path of least resistance. The InfluxDB and Grafana credentials follow the same logic — shared tooling, shared repo, one commit.

Then there are the variables that reveal a different kind of drift. In some of the service-level .env files:

APP__RATINGS__SERIALS='{"brand1":{"fr":"12345"},...}'  # ~40 lines of JSON
APP__YOUTUBE__CREDENTIALS='{"brand1":{"client_id":"xxx","refresh_token":"yyy"},...}'

Audience measurement serial numbers. YouTube API refresh tokens per brand. These aren’t secrets in the Blackfire sense. They’re business data — the kind of values that vary between brands and environments, that someone decided to version in .env because they behaved like configuration and .env was where configuration lived.

Twenty-five variables is the sum of incremental decisions, none of which felt wrong in isolation. The problem is structural: when .env is the only answer available, everything starts looking like it belongs there.

Where things actually belong

Emptying the file required answering one question for each variable: where does this actually belong?

The answers revealed three categories that the team had never explicitly named:

Static config lives in code. Business rules, routing logic, Symfony parameter files — anything that doesn’t vary between deployments. A change requires a rebuild. The JSON blobs for audience measurement serials turned out not to be static config at all: they were queried from a dedicated Config service at runtime. They had no business being in a file.

Environment config varies between deployments: hostnames, connection strings, third-party credentials. This is what Factor III means by “config in environment variables” — real OS-level variables injected by the runtime, never files that travel with the code. In Kubernetes, this becomes a ConfigMap for non-sensitive values and a Kubernetes Secret for credentials. The choice for secrets management was SOPS — credentials are encrypted and committed to git, rather than stored in an external vault like Azure Key Vault or HashiCorp Vault. A vault trades simplicity for auditability: automatic rotation, centralized audit logs, workload identity-based access with no key to protect. SOPS trades those capabilities for a simpler operational model — no external service to query at deploy time, secrets travel through the normal code review process, git history serves as the audit trail. The accepted downsides are manual rotation and the responsibility of protecting the decryption key itself. For the team’s scale, the tradeoff was deliberate.

Dynamic config changes without a deployment: editorial parameters, per-brand thresholds, content moderation settings. It belongs in a database, managed through the application’s Config service. Some of what had accumulated in .env files was this category all along, passing as static defaults because it changed rarely enough that nobody noticed.

Once the categories had names, the variables sorted themselves. The root .env ended at four lines:

DOMAIN=platform.127.0.0.1.sslip.io
XDEBUG_MODE=off
SERVER_NAME=:80
APP_ENV=dev

Safe defaults. Nothing sensitive. dump-env prod now compiles empty strings; real values arrive at runtime from Kubernetes.

The PostgreSQL image

The PostgreSQL image used in CI has a hardcoded password:

FROM postgres:15
ENV POSTGRES_PASSWORD=admin123

This looks like the same problem. It isn’t, because the threat model is different. The CI database is ephemeral — it exists for the duration of a pipeline run, contains no real data, and runs in an isolated network. A hardcoded password on a throwaway test database is an acceptable risk, not a policy exception.

In production, the question doesn’t arise: the platform uses Azure Flexible Server, a managed PostgreSQL service. There is no Docker image. Credentials arrive via Helm chart injection, never touching a layer.

What survives the build now

The image that ships to production now contains a guarantee: var_dump(require '.env.local.php') returns only empty strings and safe defaults. The credentials aren’t there because they were never put there — they arrive at runtime, from outside.

That’s the responsibility boundary dump-env had been quietly erasing: the image is the application, the runtime is the environment. They should not know each other’s secrets.

Message signing in Messenger

Transport security in Messenger has always been the application’s problem to solve. 7.4 adds message signing: a stamp-based mechanism that signs dispatched messages and validates signatures on reception.

The target use case is multi-tenant or external transport scenarios where you need cryptographic proof that a message wasn’t tampered with or injected from outside. Configuration lives at the transport level:

framework:
    messenger:
        transports:
            async:
                dsn: '%env(MESSENGER_TRANSPORT_DSN)%'
                options:
                    signing_key: '%env(MESSENGER_SIGNING_KEY)%'

PHP array configuration

Symfony’s configuration formats have always been YAML (default), XML, and PHP. The PHP format existed but it was awkward: a fluent builder DSL that required method chaining and gave your IDE nothing useful to work with.

7.4 swaps the fluent format for standard PHP arrays. IDEs can now actually analyze it, config/reference.php is auto-generated as a type-annotated reference, and the result reads like data rather than code:

return static function (FrameworkConfig $framework): void {
    $framework->router()->strictRequirements(null);
    $framework->session()->enabled(true);
};

The fluent format is deprecated. Arrays are the future, and honestly it’s a better format.

OIDC improvements

#[IsSignatureValid] validates signed URLs directly in controllers, cutting out the boilerplate of manual validation. OpenID Connect now supports multiple discovery endpoints, and a new security:oidc-token:generate command makes dev and testing a lot less painful.

The support window

7.4 LTS: bugs until November 2028, security fixes until November 2029. The path to 8.4 LTS (the next long-term target) goes through 7.4’s deprecation notices and the PHP 8.4 upgrade. Fix the deprecations now and the jump to 8.x will be much less painful.

Attributes get more precise

#[CurrentUser] now accepts union types, which matters in practice when a route can be reached by more than one user class:

public function index(#[CurrentUser] AdminUser|Customer $user): Response

#[Route] accepts an array for the env option, so a debug route active only in dev and test no longer needs two separate definitions. #[AsDecorator] is now repeatable, meaning one class can decorate multiple services at once. #[AsEventListener] method signatures accept union event types. #[IsGranted] gets a methods option to scope an authorization check to specific HTTP verbs without duplicating the route.

Request class stops doing too much

Request::get() is deprecated, and honestly good riddance. The method searched route attributes, then query parameters, then request body, in that order, silently returning whatever it found first. That ambiguity caused real bugs. It’s gone in 8.0; in 7.4 it still works but triggers a deprecation. The replacements are explicit: $request->attributes->get(), $request->query->get(), $request->request->get().

Body parsing for PUT, PATCH, DELETE, and QUERY requests arrives at the same time. Previously Symfony only parsed application/x-www-form-urlencoded and multipart/form-data for POST. Those same content types now get parsed for the other writable methods too, which kills a common REST API workaround.

HTTP method override for GET, HEAD, CONNECT, and TRACE is deprecated. Overriding a safe method with a header was always semantically broken anyway. You can now explicitly allow only the methods that make sense for your app:

Request::setAllowedHttpMethodOverride(['PUT', 'PATCH', 'DELETE']);

Workflows accept BackedEnums

Workflow places and transitions can now be defined with PHP backed enums, both in YAML (via the !php/enum tag) and in PHP config. The marking store works with enum values directly, so your domain model and your workflow definition finally use the same types:

framework:
    workflows:
        blog_publishing:
            initial_marking: !php/enum App\Status\PostStatus::Draft
            places: !php/enum App\Status\PostStatus
            transitions:
                publish:
                    from: !php/enum App\Status\PostStatus::Review
                    to: !php/enum App\Status\PostStatus::Published

Extending validation and serialization for third-party classes

Ever needed to add validation or serialization metadata to a class from a bundle you don’t own? 7.4 has #[ExtendsValidationFor] and #[ExtendsSerializationFor] for that. You write a companion class with your extra annotations, point the attribute at the target class, and Symfony merges the metadata at container compilation time:

#[ExtendsValidationFor(UserRegistration::class)]
abstract class UserRegistrationValidation
{
    #[Assert\NotBlank(groups: ['my_app'])]
    #[Assert\Length(min: 3, groups: ['my_app'])]
    public string $name = '';

    #[Assert\Email(groups: ['my_app'])]
    public string $email = '';
}

Symfony verifies at compile time that the declared properties actually exist on the target class. A rename won’t silently break your validation.

DX: the things that don’t headline but matter

The Question helper in Console accepts a timeout. Ask the user to confirm something, and if they don’t respond in N seconds, the default answer kicks in. Very handy in deployment scripts that can’t afford to wait forever for a human.

messenger:consume gets --exclude-receivers. Combined with --all, it lets you consume from every transport except specific ones:

bin/console messenger:consume --all --exclude-receivers=low_priority

FrankenPHP worker mode is now auto-detected. If the process is running inside FrankenPHP, Symfony switches to worker mode automatically. No extra package needed.

The debug:router command hides the Scheme and Host columns when all routes use ANY, which removes a lot of noise from the default output. HTTP methods are now color-coded too.

Functional tests get $client->getSession() before the first request. Previously you had to make at least one request to access the session, which was annoying. Now you can pre-seed CSRF tokens or A/B testing flags up front:

$session = $client->getSession();
$session->set('_csrf/checkout', 'test-token');
$session->save();

Lock: DynamoDB store

DynamoDbStore lands as a new Lock backend. Useful in AWS-native deployments where Redis isn’t in the stack, and it works exactly like any other store:

$store = new DynamoDbStore('dynamodb://default/locks');
$factory = new LockFactory($store);

Doctrine bridge: day and time point types

Two new Doctrine column types: day_point stores a date-only value (no time component) and time_point stores a time-only value, both mapping to DatePoint. Good when your domain genuinely separates date from time:

#[ORM\Column(type: 'day_point')]
public DatePoint $birthDate;

#[ORM\Column(type: 'time_point')]
public DatePoint $openingTime;

Routing: explicit query parameters

The _query key in URL generation lets you set query parameters explicitly, separate from route parameters. This matters when a route parameter and a query parameter share the same name:

$url = $urlGenerator->generate('report', [
    'site' => 'fr',
    '_query' => ['site' => 'us'],
]);
// /report/fr?site=us

WebLink: parsing incoming Link headers

HttpHeaderParser parses Link response headers into structured objects. Before this, parsing Link headers from API responses meant either pulling in a third-party library or writing regex. The use case is HTTP APIs that advertise related resources or pagination via Link headers, like GitHub’s API does.

HTML5 parsing gets faster on PHP 8.4

DomCrawler and HtmlSanitizer switch to PHP 8.4’s native HTML5 parser when available. No code changes needed on your end. The native parser is faster and more spec-compliant than the previous fallback. On PHP 8.2 or 8.3 nothing changes.

Translation: StaticMessage

StaticMessage implements TranslatableInterface but intentionally doesn’t translate. It passes the string through unchanged regardless of locale. The use case is API responses that must stay in a fixed language regardless of the user’s locale, or audit log entries where you need to preserve the original text as-is.

This isn’t just a version bump. It’s a commitment to build against the current language instead of the historical floor.

The security system, finally rebuilt

The Symfony security component has two systems. The old one (AnonymousToken, GuardAuthenticatorInterface, a tangle of interfaces that made you implement methods you didn’t need) had been deprecated. 6.0 removes it entirely.

The new security system (security.enable_authenticator_manager: true in 5.x) is now the only system. It’s cleaner: one interface to implement, clear separation between authentication and authorization, passport-based credential checking. The upgrade from the old guard authenticators isn’t painless, but the destination is a lot less confusing.

The Filesystem Path class

Working with filesystem paths in PHP is basically a string manipulation problem. __DIR__, concatenation, realpath(), platform-specific separators: the standard library gives you primitives but no real model.

The new Path class handles this:

use Symfony\Component\Filesystem\Path;

Path::join('/var/www', 'html', '../uploads'); // /var/www/uploads
Path::makeRelative('/var/www/html', '/var/www'); // html
Path::isAbsolute('./relative/path'); // false

Cross-platform, no side effects, no filesystem access needed. Also in 6.0: nested .gitignore pattern support in Finder.

Enums in the form system

Building on 5.4’s groundwork, 6.0 takes enum support further. BackedEnum values round-trip through forms and the serializer without custom transformers. The form component understands enum cases as choice options out of the box.

What 6.0 removes

The removal list is extensive: the old security system, the Templating component, PHP annotations support (replaced by native attributes), Doctrine Cache support, ContainerAwareTrait. Six years of accumulated @deprecated markers, finally cleaned out.

Apps that took 5.4 deprecation warnings seriously had a clean upgrade path. Apps that didn’t had work to do.

Tab completion was always the gap

The Console component got shell autocompletion, and it’s properly integrated: define a complete() method on your command, and Tab in Bash will suggest valid values for options and arguments.

class DeployCommand extends Command
{
    public function complete(CompletionInput $input, CompletionSuggestions $suggestions): void
    {
        if ($input->mustSuggestOptionValuesFor('env')) {
            $suggestions->suggestValues(['prod', 'staging', 'dev']);
        }
    }
}

All built-in Symfony commands got completion too: debug:router, cache:pool:clear, lint:yaml, and about fifteen others. Run bin/console completion bash >> ~/.bashrc and you’re done.

Messenger, now with attributes and batch processing

The #[AsMessageHandler] attribute replaces the old MessageHandlerInterface. Less boilerplate, and you can now configure transport affinity and priority directly on the attribute:

#[AsMessageHandler(fromTransport: 'async', priority: 10)]
class SendWelcomeEmailHandler
{
    public function __invoke(UserRegistered $message): void { ... }
}

The other significant addition: BatchHandlerInterface. When you’re inserting a thousand rows, handling messages one by one is wasteful. Batch handlers collect messages and process them in groups. The default batch size is 10, controlled by BatchHandlerTrait::shouldFlush(). The Acknowledger handles individual success and failure within the batch.

reset_on_message: true in the Messenger config resets container services between messages. Previously, a Monolog buffer could fill up across message handling and nobody noticed until production. This prevents that class of statefulness bug without requiring manual cleanup.

The DI container gets more expressive

Three changes that matter in practice.

Union and intersection types now autowire. PHP 8.1 added intersection types, and Symfony 6.0 wires them:

public function __construct(
    private NormalizerInterface&DenormalizerInterface $serializer
) {}

This works as long as both interfaces point to the same service through autowiring aliases.

TaggedIterator and TaggedLocator attributes gained defaultPriorityMethod and defaultIndexMethod options. You no longer need YAML to express ordering or indexing for tagged services:

public function __construct(
    #[TaggedIterator(tag: 'app.handler', defaultPriorityMethod: 'getPriority')]
    private iterable $handlers,
) {}

SubscribedService (the attribute that replaces the implicit magic of ServiceSubscriberTrait) makes lazy service access explicit and typeable:

#[SubscribedService]
private function mailer(): MailerInterface
{
    return $this->container->get(__METHOD__);
}

Validation gets three new tools

CssColor validates CSS color values in whatever formats you care about: hex, RGB, HSL, named colors, or any mix. Useful for theme config fields where you want to accept #ff0000 but not red, or vice versa.

#[Assert\CssColor(formats: Assert\CssColor::HEX_LONG)]
private string $brandColor;

Cidr validates CIDR notation for IPv4 and IPv6, with options to pin the version and constrain the netmask range. Infrastructure tools and network config forms finally have a first-class constraint.

The third addition isn’t a new constraint. It’s PHP 8.1 nested attributes making existing compound constraints usable without XML. AtLeastOneOf, Collection, All, Sequentially: all of these previously required annotation workarounds. Now they just work as attributes:

#[Assert\Collection(
    fields: [
        'email' => new Assert\Email(),
        'role'  => [new Assert\NotBlank(), new Assert\Choice(['admin', 'user'])],
    ]
)]
private array $payload;

Serializer, cleaned up

Two things. First, serialization context is now configurable globally instead of being repeated on every serialize() call:

# config/packages/serializer.yaml
serializer:
    default_context:
        enable_max_depth: true

Second, the COLLECT_DENORMALIZATION_ERRORS option changes how the serializer handles type errors on deserialization. Instead of throwing on the first problem, it collects all of them and surfaces them through PartialDenormalizationException. If you’re writing an API that deserializes request bodies, this is the difference between returning “first field that fails” and “all fields that fail” in a single response.

The string utilities nobody knew they needed

trimPrefix() and trimSuffix() on the UnicodeString / ByteString classes. Not glamorous, but stripping a known prefix with ltrim() is a subtle footgun: it strips characters, not strings. These are correct:

use function Symfony\Component\String\u;

u('file-image-001.png')->trimPrefix('file-');   // 'image-001.png'
u('report.html.twig')->trimSuffix('.twig');     // 'report.html'

Also in this release: NilUlid for zero-value ULIDs, perMonth() and perYear() on RateLimiter for when hourly limits don’t make sense, and appendToFile() in the Filesystem component gained an optional LOCK_EX parameter for concurrent writers.

Debugging the environment

debug:dotenv is a new console command that shows which .env files were loaded and where each value came from. When you have .env, .env.local, .env.test, and .env.test.local all fighting each other and something is wrong, this command tells you exactly which file won. It only shows up when the Dotenv component is in use, which is the case for any standard Symfony app.

This is good news, even if it doesn’t feel that way when you’re the one migrating.

The mcrypt problem

mcrypt has been unmaintained since 2007. More than a decade of stagnation in a cryptography library. It was deprecated in 7.1, and 7.2 removes it entirely. The replacement is sodium, now bundled as a core extension.

Sodium is the PHP binding for libsodium, a modern cryptographic library built around safe defaults. Where mcrypt required you to pick the right cipher, mode, and padding (and get it wrong silently), sodium’s API makes dangerous choices structurally hard. sodium_crypto_secretbox() for symmetric encryption, sodium_crypto_box() for asymmetric, sodium_crypto_sign() for signatures. The names tell you what you’re doing.

If you have mcrypt code in production, the migration is unavoidable. Worth doing carefully too: cryptography code that “still works” can be silently broken in ways you won’t notice until it’s too late.

The object type hint

7.2 adds object as a parameter and return type:

function serialize(object $data): string {
    // accepts any object
}

It’s broad — any object satisfies it — but it’s better than no type at all when you genuinely don’t care about the specific class. Complements the existing array, callable, and class-specific hints.

Argon2 in password_hash

$hash = password_hash($password, PASSWORD_ARGON2I);

PASSWORD_BCRYPT was the default and still reasonable, but Argon2 won the Password Hashing Competition for a reason: it’s memory-hard, which makes GPU-based cracking significantly more expensive. Worth switching for new apps.

7.2 is more of a security release than a language one. Remove mcrypt, add sodium, and you’ve moved the platform to a place where you can actually trust it with sensitive data. The language features are incremental. The infrastructure shift is not.

Parameter types you can now drop on purpose

7.2 formalizes something that was previously just a smell: when you implement an interface or override a method, you can now omit the parameter type entirely. This is valid contravariance under the Liskov substitution principle.

interface Serializable {
    public function serialize(array $data): string;
}

class JsonSerializer implements Serializable {
    public function serialize($data): string { // no type — accepts more, still valid
        return json_encode($data);
    }
}

It reads oddly at first. But it’s logically sound: a method that accepts anything is strictly more permissive than one that only accepts arrays. The type system agrees, even if your code reviewer raises an eyebrow.

Abstract methods that evolve

When an abstract class extends another abstract class, it can now override the abstract method with a different signature. The constraint is directional: parameters can be widened (contravariant), return types can be narrowed (covariant).

abstract class BaseProcessor {
    abstract function process(string $input);
}

abstract class TypedProcessor extends BaseProcessor {
    abstract function process($input): int; // parameter widened, return type added
}

This was rejected before 7.2. It unlocks intermediate abstractions without forcing every leaf class to repeat the same signature.

Trailing commas in grouped use statements

Small, but I notice its absence when it’s missing. Grouped namespace imports can now have a trailing comma on the last item:

use App\Services\{
    UserService,
    OrderService,
    NotificationService, // comma here — finally
};

This means you can reorder or add lines without touching the previous last entry. Git diffs get cleaner, merge conflicts get rarer.

count() grew a conscience

Before 7.2, count(null) returned 0. Silently. No warning. That’s exactly the kind of thing that buries a bug for months. Now it emits E_WARNING when you pass something that isn’t an array or a Countable object.

count(null);  // Warning: count(): Parameter must be an array or an object that implements Countable
count(42);    // same
count("hi");  // same

The behavior didn’t change for valid inputs. Only the silence was broken. That’s the correct direction.

spl_object_id() — the thing you were emulating with SplObjectStorage

If you’ve ever built a map keyed on object identity, you’ve written something like this:

$storage = new SplObjectStorage();
$storage[$obj] = true;

7.2 adds spl_object_id(), which returns a unique integer for the lifetime of an object. It’s the same internal handle SplObjectStorage uses, made directly accessible:

$id = spl_object_id($obj); // e.g. 42
$map[$id] = 'something';

The integer is reused after the object is destroyed, so don’t hold onto it past the object’s lifetime. Within a well-scoped context though, it’s a cheap identity key.

PDO: national character strings

When working with databases that distinguish between regular and national character string types (Oracle, SQL Server), 7.2 adds the flags you needed:

$stmt = $pdo->prepare("SELECT * FROM users WHERE name = ?");
$stmt->bindValue(1, 'Ångström', PDO::PARAM_STR | PDO::PARAM_STR_NATL);

Or set a connection-level default:

$pdo->setAttribute(PDO::ATTR_DEFAULT_STR_PARAM, PDO::PARAM_STR_NATL);

PDO::PARAM_STR_NATL signals that the string is a national character type (NCHAR/NVARCHAR). Obscure, yes. Essential if you’ve ever watched your Unicode data come out mangled because the driver had no idea about the difference.

GD got BMP support and clipping rectangles

Two things worth knowing. First, BMP files are now first-class citizens in the GD extension:

$image = imagecreatefrombmp('photo.bmp');
imagebmp($image, 'output.bmp');

Second, you can now define a clipping rectangle so that drawing operations only affect a portion of the image:

imagesetclip($image, 10, 10, 200, 150); // x1, y1, x2, y2
// everything drawn outside this rectangle is silently ignored

Neither feature reshapes how most apps work, but both replace “install an extra library” with “it’s just in core now.”

mb_chr() and mb_ord() — Unicode’s chr() and ord()

PHP has had chr() and ord() forever. They work on bytes. For Unicode code points, you were on your own. 7.2 adds the multibyte equivalents:

$char = mb_chr(0x1F600); // returns the 😀 emoji
$code = mb_ord('é');     // returns 233

And mb_scrub(), which strips invalid byte sequences from a string rather than failing silently or throwing:

$clean = mb_scrub($untrustedInput, 'UTF-8');

Handy at any external boundary: API responses, file uploads, database reads from legacy systems.

Deprecations worth knowing before 7.4 arrives

Several things were soft-deprecated in 7.2 that will become errors in later versions. The ones most likely to bite:

__autoload() is deprecated. If you’re still registering a global autoload function instead of using spl_autoload_register(), fix it before it becomes a fatal.

create_function() is deprecated. It’s a wrapper around eval() and was always dangerous. Use a closure:

// before
$fn = create_function('$x', 'return $x * 2;');

// after
$fn = fn($x) => $x * 2;

each() is deprecated. The loop pattern it enabled is better written as foreach. There’s no loss here.

parse_str() without a second argument dumps parsed values into the local symbol table — a security issue that should never have been allowed. Always pass the output variable:

parse_str($queryString, $params); // correct

The (unset) cast is deprecated because it always returns null, which you can just write as null. Completely pointless syntax that should never have existed.