Major Version Update: PHP 8.5, Symfony 7.4, etc.

[mbusch3]

Major Dependencies Update

The primary concern is that older, outdated versions of required libraries may present security vulnerabilities. To test, delete all caches and builds (like var/cache/prod) and rebuild from scratch.

package.json Required Build Packages

"php": "^7.4.0 || ^8.1 || ^8.2 || ^8.4"

PHP 8.2 is no longer receiving active support, and security support is only offered until December 2026. I jumped straight to PHP 8.5, which is security supported until December 2029 (full support through December 2027).

"symfony/*": "^6.4"

There are a LOT of core symfony packages that update together. We have been using Symfony 6.4, which is two major versions behind. Some individual packages are not core components, like symfony/flex, and are on a different versioning cadence. While there IS a version 8.0 available, I opted for version 7.4, which is the latest long-term supported version (through the end of 2028).

phpAlly

This PR also removes phpAlly as a dependency and all the code that refers to it, including phpAlly-specific classes for issues and reports.

PHP Packages updated

• "php": "^7.4.0 || ^8.1 || ^8.2 || ^8.4" => "^8.5"
• "doctrine/doctrine-bundle": "^2.4" => "^3.2"
• "doctrine/doctrine-migrations-bundle": "^3.1" => "^4.0"
• "doctrine/orm": "^2.9" => "^3.6"
• "firebase/php-jwt": "^5.2" => "^7.0"
• "oro/doctrine-extensions": "^2.0" => "^3.0"
• "sentry/sentry-symfony": "^5.3" => "^5.9"
• "symfony/asset": "^6.4" => "^7.4"
• "symfony/console": "^6.4" => "^7.4"
• "symfony/doctrine-messenger": "^6.4 => "^7.4"
• "symfony/dotenv": "^6.4" => "^7.4"
• "symfony/expression-language": "^6.4" => "^7.4"
• "symfony/flex": "^1.3.1" => "^2.10"
• "symfony/form": "^6.4" => "^7.4"
• "symfony/framework-bundle": "^6.4" => "^7.4"
• "symfony/http-client": "^6.4" => "^7.4"
• "symfony/intl": "^6.4" => "^7.4"
• "symfony/messenger": "^6.4" => "^7.4"
• "symfony/monolog-bundle": "^3.1" => "^7.4"
• "symfony/notifier": "^6.4" => "^7.4"
• "symfony/process": "^6.4" => "^7.4"
• "symfony/property-access": "^6.4" => "^7.4"
• "symfony/property-info": "^6.4" => "^7.4"
• "symfony/security-bundle": "^6.4" => "^7.4"
• "symfony/serializer": "^6.4" => "^7.4"
• "symfony/string": "^6.4" => "^7.4"
• "symfony/translation": "^6.4" => "^7.4"
• "symfony/twig-bundle": "^6.4"
• "symfony/uid": "^6.4" => "^7.4"
• "symfony/validator": "^6.4" => "^7.4"
• "symfony/web-link": "^6.4" => "^7.4"
• "symfony/webpack-encore-bundle": "^1.7" => "^2.0"
• "symfony/yaml": "^6.4" => "^7.4"
• "twig/extra-bundle": "^2.12|^3.0" => "^3.0"
• "twig/twig": "^2.12|^3.0" => "^3.0"

It is very likely that one or more of the symfony/* packages that were updated is no longer used, and further cleanup may be done in the near future.

PHP Packages Removed

The following packages are no longer used in the project and have been removed as dependencies.

• "ext-ctype": "*" (Note: ctype is still installed on the server and allowed as a backfill replacement)
• "ext-iconv": "*" (Note: iconv is still installed on the server and allowed as a backfill replacement)
• "ext-sodium": "*"
• "aws/aws-sdk-php": "^3.324",
• "composer/package-versions-deprecated": "1.11.99.3" (Package fully deprecated, latest release Jan. 2022)
• "htmlawed/htmlawed": "^1.1"
• "knplabs/knp-snappy-bundle": "^1.7"
• "knpuniversity/oauth2-client-bundle": "^2.9",
• "mpdf/mpdf": "^8.0" (Was used for exporting PDF reports in previous versions)
• "phpdocumentor/reflection-docblock": "^5.2"
• "phpstan/phpdoc-parser": "^0.5.3"
• "sensio/framework-extra-bundle": "^6.2",
• "sunra/php-simple-html-dom-parser": "1.5.2",
• "symfony/apache-pack": "^1.0",
• "symfony/mailer": "^6.4"
• "symfony/proxy-manager-bridge": "^6.4" (Deprecated, now part of core)
• "ucfopen/phpally": "~1.2.1"

The removal of a few of these packages also affected config/bundles.php.

Additional Changes Required for the Update

A LOT of small things broke, which required additional minor changes to correct. They are all listed here to make reviewing easier.

PHP Upgrade

To move to PHP 8.5, I needed to update the Dockerfiles to grab the right base image, including in Dockerfile.composer, where I updated to a newer version of Composer that is compatible with PHP 8.5.

Files affected:

• Dockerfile
• Dockerfile.build
• Dockerfile.composer
• Dockerfile.php.pdo.mysql

Routing

In the newer version of Symfony, Routes are handled in the Routing\Attribute component instead of the Routing\Annotation component. I just needed to change the import in some of the main failes with Routes.

Additionally, in the newer version of Symfony, the /udoit3 route prefix was making it through, so our software was trying to find /udoit3/lti/authorize (for instance) instead or /lti/authorize. I needed to tweak the nginx configurations to fix that.

Files affected:

• src/Controller/AdminController.php
• src/Controller/AuthController.php
• src/Controller/DashboardController.php
• src/Controller/FileItemsController.php
• src/Controller/IssuesController.php
• src/Controller/LtiController.php
• src/Controller/ReportsController.php
• src/Controller/SyncController.php
• src/Controller/UserController.php
• build/nginx/local.conf
• build/nginx/deploy.conf

Table Auto-Naming

The older versions of doctrine/orm took PascalCase variables and automatically created table names in snake_case. It no longer does that, and so table names need to be manually declared. The single-word ones don't necessarily, but I included them for consistency.

Files affected:

• src/Entity/ContentItem.php
• src/Entity/Course.php
• src/Entity/FileItem.php
• src/Entity/Institution.php
• src/Entity/Issue.php
• src/Entity/LogEntry.php
• src/Entity/Report.php
• src/Entity/UserSession.php

Deprecated Code

• src/Controller/LtiController.php

With the update to the firebase/php-jwt package, calling the JWT:decode function only accepts two parameters, not three (the encoding is now passed as part of the second parameter). Updated the function call.

• src/MessageHandler/QueueItemHandler.php

Deprecated Messenger/Handler/MessageHandlerInterface replaced with Messenger/Attribute/AsMessageHandler. It's a bit of a weird fix, but seems to be working cleanly.

• src/Repository/IssueRepository.php

The CreateQueryBuilder function no longer supports setParameters with an array, just setParameter. Luckily, that particular construction was only used once. I updated it to match the setParameter pattern.

• src/security/SessionAuthenticator.php

Removed an unused reference to a now-deprecated library (PassportInterface).

• config/packages/*

There are a few parameters that are no longer supported in the config files. For instance, enable_authentication_manager is now always enabled in security.yaml.

Initial Scans

Running composer audit returned the following:

+-------------------+----------------------------------------------------------------------------------+
| Package           | aws/aws-sdk-php                                                                  |
| Severity          | high                                                                             |
| Advisory ID       | PKSA-4t1p-xpk2-nsss                                                              |
| CVE               | NO CVE                                                                           |
| Title             | AWS SDK for PHP has CloudFront Policy Document Injection via Special Characters  |
| URL               | https://github.com/advisories/GHSA-27qh-8cxx-2cr5                                |
| Affected versions | >=3.11.7,<=3.371.3                                                               |
| Reported at       | 2026-03-27T19:54:58+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | aws/aws-sdk-php                                                                  |
| Severity          | medium                                                                           |
| Advisory ID       | PKSA-dxyf-6n16-t87m                                                              |
| CVE               | CVE-2025-14761                                                                   |
| Title             | Key Commitment Issues in S3 Encryption Clients                                   |
| URL               | https://aws.amazon.com/security/security-bulletins/AWS-2025-032/                 |
| Affected versions | >=3.0.0,<3.368.0                                                                 |
| Reported at       | 2025-12-17T20:15:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | firebase/php-jwt                                                                 |
| Severity          | low                                                                              |
| Advisory ID       | PKSA-y2cr-5h3j-g3ys                                                              |
| CVE               | CVE-2025-45769                                                                   |
| Title             | php-jwt contains weak encryption                                                 |
| URL               | https://github.com/advisories/GHSA-2x45-7fc3-mxwq                                |
| Affected versions | <7.0.0                                                                           |
| Reported at       | 2025-07-31T21:31:53+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | firebase/php-jwt                                                                 |
| Severity          | critical                                                                         |
| Advisory ID       | PKSA-2kqm-ps5x-s4f5                                                              |
| CVE               | CVE-2021-46743                                                                   |
| Title             | Key/algorithm type confusion                                                     |
| URL               | https://github.com/advisories/GHSA-8xf4-w7qw-pjjw                                |
| Affected versions | <6.0.0                                                                           |
| Reported at       | 2022-03-30T00:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | setasign/fpdi                                                                    |
| Severity          | medium                                                                           |
| Advisory ID       | PKSA-p3w6-ybvq-zfbx                                                              |
| CVE               | CVE-2025-54869                                                                   |
| Title             | FPDI allows Memory Exhaustion (OOM) in PDF Parser which leads to Denial of       |
|                   | Service                                                                          |
| URL               | https://github.com/advisories/GHSA-jxhh-4648-vpp3                                |
| Affected versions | <2.6.4                                                                           |
| Reported at       | 2025-08-05T15:23:54+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | symfony/http-foundation                                                          |
| Severity          | high                                                                             |
| Advisory ID       | PKSA-365x-2zjk-pt47                                                              |
| CVE               | CVE-2025-64500                                                                   |
| Title             | CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization |
|                   | bypass                                                                           |
| URL               | https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead- |
|                   | to-limited-authorization-bypass                                                  |
| Affected versions | >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2 |
|                   | .0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.50|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,< |
|                   | 6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.29|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3. |
|                   | 0|>=7.3.0,<7.3.7                                                                 |
| Reported at       | 2025-11-12T11:09:14+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | symfony/process                                                                  |
| Severity          | medium                                                                           |
| Advisory ID       | PKSA-rkkf-636k-qjb3                                                              |
| CVE               | CVE-2026-24739                                                                   |
| Title             | Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to           |
|                   | destructive file operations on Windows                                           |
| URL               | https://github.com/advisories/GHSA-r39x-jcww-82v6                                |
| Affected versions | >=8.0,<8.0.5|>=7.4,<7.4.5|>=7.3,<7.3.11|>=6.4,<6.4.33|<5.4.51                    |
| Reported at       | 2026-01-28T21:28:10+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | twig/twig                                                                        |
| Severity          | medium                                                                           |
| Advisory ID       | PKSA-v3kg-5xkr-pykw                                                              |
| CVE               | CVE-2025-24374                                                                   |
| Title             | Missing output escaping for the null coalesce operator                           |
| URL               | https://symfony.com/blog/twig-cve-2025-24374-missing-output-escaping-for-the-nul |
|                   | l-coalesce-operator                                                              |
| Affected versions | >=3.16.0,<3.19.0                                                                 |
| Reported at       | 2025-01-29T06:52:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+-------------------------------+----------------------------------------------------------------------------------+
| Abandoned Package             | Suggested Replacement                                                            |
+-------------------------------+----------------------------------------------------------------------------------+
| sensio/framework-extra-bundle | Symfony                                                                          |
+-------------------------------+----------------------------------------------------------------------------------+

Running composer outdated returned the following:

Direct dependencies required in composer.json:
aws/aws-sdk-php                      3.336.11  3.374.2   AWS SDK for PHP - Use Amazon Web Services in your PHP project
composer/package-versions-deprecated 1.11.99.3 1.11.99.5 Composer plugin that provides efficient querying for installed package versions (no runtime IO)
doctrine/doctrine-bundle             2.13.1    3.2.2     Symfony DoctrineBundle
doctrine/doctrine-migrations-bundle  3.3.1     4.0.0     Symfony DoctrineMigrationsBundle
doctrine/orm                         2.20.1    3.6.2     Object-Relational-Mapper for PHP
firebase/php-jwt                     5.5.1     7.0.3     A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform to the current spec.
knplabs/knp-snappy-bundle            1.10.4    1.10.6    Easily create PDF and images in Symfony by converting Twig/HTML templates.
knpuniversity/oauth2-client-bundle   2.18.3    2.20.2    Integration with league/oauth2-client to provide services
mpdf/mpdf                            8.2.5     8.3.1     PHP library generating PDF files from UTF-8 encoded HTML
oro/doctrine-extensions              2.0.5     3.0       Doctrine Extensions for MySQL and PostgreSQL.
phpdocumentor/reflection-docblock    5.3.0     6.0.3     With this component, a library can provide support for annotations via DocBlocks or otherwise retrieve information that is embedded...
phpstan/phpdoc-parser                0.5.7     2.3.2     PHPDoc parser with support for nullable, intersection and generic types
sensio/framework-extra-bundle        6.2.10    6.2.10    This bundle provides a way to configure your controllers with annotations
Package sensio/framework-extra-bundle is abandoned, you should avoid using it. Use Symfony instead.
sentry/sentry-symfony                5.3.0     5.9.0     Symfony integration for Sentry (http://getsentry.com)
symfony/asset                        6.4.13    8.0.6     Manages URL generation and versioning of web assets such as CSS stylesheets, JavaScript files and image files
symfony/console                      6.4.17    8.0.7     Eases the creation of beautiful and testable command line interfaces
symfony/doctrine-messenger           6.4.13    8.0.6     Symfony Doctrine Messenger Bridge
symfony/dotenv                       6.4.16    8.0.7     Registers environment variables from a .env file
symfony/expression-language          6.4.13    8.0.4     Provides an engine that can compile and evaluate expressions
symfony/flex                         1.21.8    2.10.0    Composer plugin for Symfony
symfony/form                         6.4.13    8.0.7     Allows to easily create, process and reuse HTML forms
symfony/framework-bundle             6.4.17    8.0.7     Provides a tight integration between Symfony components and the Symfony full-stack framework
symfony/http-client                  6.4.17    8.0.7     Provides powerful methods to fetch HTTP resources synchronously or asynchronously
symfony/intl                         6.4.15    8.0.6     Provides access to the localization data of the ICU library
symfony/mailer                       6.4.13    8.0.6     Helps sending emails
symfony/messenger                    6.4.16    8.0.7     Helps applications send and receive messages to/from other applications or via message queues
symfony/monolog-bundle               3.10.0    4.0.1     Symfony MonologBundle
symfony/notifier                     6.4.13    8.0.6     Sends notifications via one or more channels (email, SMS, ...)
symfony/process                      6.4.15    8.0.5     Executes commands in sub-processes
symfony/property-access              6.4.13    8.0.4     Provides functions to read and write from/to an object or array using a simple string notation
symfony/property-info                6.4.17    8.0.7     Extracts information about PHP class' properties using metadata of popular sources
symfony/proxy-manager-bridge         6.4.13    6.4.28    Provides integration for ProxyManager with various Symfony components
symfony/security-bundle              6.4.13    8.0.6     Provides a tight integration of the Security component into the Symfony full-stack framework
symfony/serializer                   6.4.15    8.0.7     Handles serializing and deserializing data structures, including object graphs, into array structures or other formats like XML and...
symfony/stopwatch                    6.4.13    8.0.0     Provides a way to profile code
symfony/string                       6.4.15    8.0.6     Provides an object-oriented API to strings and deals with bytes, UTF-8 code points and grapheme clusters in a unified way
symfony/translation                  6.4.13    8.0.6     Provides tools to internationalize your application
symfony/twig-bundle                  6.4.13    8.0.4     Provides a tight integration of Twig into the Symfony full-stack framework
symfony/uid                          6.4.13    8.0.4     Provides an object-oriented API to generate and represent UIDs
symfony/validator                    6.4.17    8.0.7     Provides tools to validate values
symfony/web-link                     6.4.13    8.0.4     Manages links between resources
symfony/webpack-encore-bundle        1.17.2    2.4.0     Integration with your Symfony app & Webpack Encore!
symfony/yaml                         6.4.13    8.0.6     Loads and dumps YAML files
twig/extra-bundle                    3.18.0    3.24.0    A Symfony bundle for extra Twig extensions
twig/twig                            3.18.0    3.24.0    Twig, the flexible, fast, and secure template language for PHP

Transitive dependencies not required in composer.json:
doctrine/annotations                 2.0.2     2.0.2     Docblock Annotations Parser
Package doctrine/annotations is abandoned, you should avoid using it. No replacement was suggested.
doctrine/cache                       2.2.0     2.2.0     PHP Doctrine Cache library is a popular cache implementation that supports many different drivers such as redis, memcache, apc, mon...
Package doctrine/cache is abandoned, you should avoid using it. No replacement was suggested.
doctrine/collections                 2.2.2     3.0.0     PHP Doctrine Collections library that adds additional functionality on top of PHP arrays.
doctrine/dbal                        3.9.3     4.4.3     Powerful PHP database abstraction layer (DBAL) with many features for database schema introspection and management.
doctrine/deprecations                1.1.4     1.1.6     A small layer on top of trigger_error(E_USER_DEPRECATED) or PSR-3 logging with options to disable all deprecations or selectively f...
doctrine/event-manager               2.0.1     2.1.1     The Doctrine Event Manager is a simple PHP event system that was built to be used with the various Doctrine projects.
doctrine/inflector                   2.0.10    2.1.0     PHP Doctrine Inflector is a small library that can perform string manipulations with regard to upper/lowercase and singular/plural ...
doctrine/instantiator                2.0.0     2.1.0     A small, lightweight utility to instantiate objects in PHP without invoking their constructors
doctrine/migrations                  3.8.2     3.9.6     PHP Doctrine Migrations project offer additional functionality on top of the database abstraction layer (DBAL) for versioning your ...
doctrine/persistence                 3.4.0     4.1.1     The Doctrine Persistence project is a set of shared interfaces and functionality that the different Doctrine object mappers share.
doctrine/sql-formatter               1.5.1     1.5.4     a PHP SQL highlighting library
egulias/email-validator              4.0.3     4.0.4     A library for validating emails against several RFCs
friendsofphp/proxy-manager-lts       1.0.18    1.0.19    Adding support for a wider range of PHP versions to ocramius/proxy-manager
guzzlehttp/guzzle                    7.9.2     7.10.0    Guzzle is a PHP HTTP client library
guzzlehttp/promises                  2.0.4     2.3.0     Guzzle promises library
guzzlehttp/psr7                      2.7.1     2.9.0     PSR-7 message implementation that also provides common utility methods
kaltura/api-client-library           17.18.0   22.15.0   An auto generated Composer package for the Kaltura API client library
knplabs/knp-snappy                   1.5.1     1.6.0     PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Wrapper for wkhtmltopdf/wkhtmltoimage.
laminas/laminas-code                 4.16.0    4.17.0    Extensions to the PHP Reflection API, static code scanning, and code generation
league/oauth2-client                 2.8.0     2.9.0     OAuth 2.0 Client Library
monolog/monolog                      3.8.1     3.10.0    Sends your logs to files, sockets, inboxes, databases and various web services
myclabs/deep-copy                    1.12.1    1.13.4    Create deep copies (clones) of your objects
phpdocumentor/type-resolver          1.6.2     2.0.0     A PSR-5 based resolver of Class names, Types and Structural Element Names
sentry/sentry                        4.14.2    4.23.0    PHP SDK for Sentry (http://sentry.io)
setasign/fpdi                        2.6.2     2.6.6     FPDI is a collection of PHP classes facilitating developers to read pages from existing PDF documents and use them as templates in ...
symfony/cache                        7.2.1     8.0.7     Provides extended PSR-6, PSR-16 (and tags) implementations
symfony/cache-contracts              3.5.1     3.6.0     Generic abstractions related to caching
symfony/clock                        7.2.0     8.0.0     Decouples applications from the system clock
symfony/config                       6.4.14    8.0.7     Helps you find, load, combine, autofill and validate configuration values of any kind
symfony/dependency-injection         6.4.16    8.0.7     Allows you to standardize and centralize the way objects are constructed in your application
symfony/doctrine-bridge              7.2.2     8.0.7     Provides integration for Doctrine with various Symfony components
symfony/error-handler                7.2.1     8.0.4     Provides tools to manage errors and ease debugging PHP code
symfony/event-dispatcher             7.2.0     8.0.4     Provides tools that allow your application components to communicate with each other by dispatching events and listening to them
symfony/event-dispatcher-contracts   3.5.1     3.6.0     Generic abstractions related to dispatching event
symfony/filesystem                   7.2.0     8.0.6     Provides basic utilities for the filesystem
symfony/finder                       7.2.2     8.0.6     Finds files and directories via an intuitive fluent interface
symfony/http-client-contracts        3.5.2     3.6.0     Generic abstractions related to HTTP clients
symfony/http-foundation              7.2.2     8.0.7     Defines an object-oriented layer for the HTTP specification
symfony/http-kernel                  6.4.17    8.0.7     Provides a structured process for converting a Request into a Response
symfony/mime                         7.2.1     8.0.7     Allows manipulating MIME messages
symfony/monolog-bridge               7.2.0     8.0.6     Provides integration for Monolog with various Symfony components
symfony/options-resolver             7.3.2     8.0.0     Provides an improved replacement for the array_replace PHP function
symfony/password-hasher              7.2.0     8.0.6     Provides password hashing utilities
symfony/polyfill-intl-grapheme       1.31.0    1.33.0    Symfony polyfill for intl's grapheme_* functions
symfony/polyfill-intl-icu            1.31.0    1.33.0    Symfony polyfill for intl's ICU-related data and classes
symfony/polyfill-intl-idn            1.31.0    1.33.0    Symfony polyfill for intl's idn_to_ascii and idn_to_utf8 functions
symfony/polyfill-intl-normalizer     1.31.0    1.33.0    Symfony polyfill for intl's Normalizer class and related functions
symfony/polyfill-mbstring            1.31.0    1.33.0    Symfony polyfill for the Mbstring extension
symfony/polyfill-php80               1.32.0    1.33.0    Symfony polyfill backporting some PHP 8.0+ features to lower PHP versions
symfony/polyfill-php81               1.31.0    1.33.0    Symfony polyfill backporting some PHP 8.1+ features to lower PHP versions
symfony/polyfill-php83               1.31.0    1.33.0    Symfony polyfill backporting some PHP 8.3+ features to lower PHP versions
symfony/polyfill-uuid                1.31.0    1.33.0    Symfony polyfill for uuid functions
symfony/psr-http-message-bridge      7.3.0     8.0.4     PSR HTTP message bridge
symfony/routing                      7.2.0     8.0.6     Maps an HTTP request to a set of configuration variables
symfony/security-core                7.2.0     8.0.4     Symfony Security Component - Core Library
symfony/security-csrf                7.2.2     8.0.6     Symfony Security Component - CSRF Library
symfony/security-http                7.2.1     8.0.6     Symfony Security Component - HTTP Integration
symfony/service-contracts            3.5.1     3.6.1     Generic abstractions related to writing services
symfony/translation-contracts        3.5.1     3.6.1     Generic abstractions related to translation
symfony/twig-bridge                  6.4.17    8.0.7     Provides integration for Twig with various Symfony components
symfony/var-dumper                   7.2.0     8.0.6     Provides mechanisms for walking through any arbitrary PHP variable
symfony/var-exporter                 7.2.0     8.0.0     Allows exporting any serializable PHP data structure to plain PHP code
webmozart/assert                     1.11.0    2.1.6     Assertions to validate method input/output with nice error messages.

Concluding Scans

Running composer audit returned the following:

No security vulnerability advisories found.

Running composer outdated returned the following:

Direct dependencies required in composer.json:
symfony/asset                   7.4.6 8.0.6 Manages URL generation and versioning of web assets such as...
symfony/browser-kit             7.4.4 8.0.4 Simulates the behavior of a web browser, allowing you to ma...
symfony/console                 7.4.7 8.0.7 Eases the creation of beautiful and testable command line i...
symfony/css-selector            7.4.6 8.0.6 Converts CSS selectors to XPath expressions
symfony/debug-bundle            7.4.7 8.0.7 Provides a tight integration of the Symfony VarDumper compo...
symfony/doctrine-messenger      7.4.6 8.0.6 Symfony Doctrine Messenger Bridge
symfony/dotenv                  7.4.7 8.0.7 Registers environment variables from a .env file
symfony/expression-language     7.4.4 8.0.4 Provides an engine that can compile and evaluate expressions
symfony/form                    7.4.7 8.0.7 Allows to easily create, process and reuse HTML forms
symfony/framework-bundle        7.4.7 8.0.7 Provides a tight integration between Symfony components and...
symfony/http-client             7.4.7 8.0.7 Provides powerful methods to fetch HTTP resources synchrono...
symfony/intl                    7.4.6 8.0.6 Provides access to the localization data of the ICU library
symfony/messenger               7.4.7 8.0.7 Helps applications send and receive messages to/from other ...
symfony/notifier                7.4.6 8.0.6 Sends notifications via one or more channels (email, SMS, ...)
symfony/phpunit-bridge          7.4.7 8.0.7 Provides utilities for PHPUnit, especially user deprecation...
symfony/process                 7.4.5 8.0.5 Executes commands in sub-processes
symfony/property-access         7.4.4 8.0.4 Provides functions to read and write from/to an object or a...
symfony/property-info           7.4.7 8.0.7 Extracts information about PHP class' properties using meta...
symfony/security-bundle         7.4.6 8.0.6 Provides a tight integration of the Security component into...
symfony/serializer              7.4.7 8.0.7 Handles serializing and deserializing data structures, incl...
symfony/stopwatch               7.4.0 8.0.0 Provides a way to profile code
symfony/string                  7.4.6 8.0.6 Provides an object-oriented API to strings and deals with b...
symfony/translation             7.4.6 8.0.6 Provides tools to internationalize your application
symfony/uid                     7.4.4 8.0.4 Provides an object-oriented API to generate and represent UIDs
symfony/validator               7.4.7 8.0.7 Provides tools to validate values
symfony/web-link                7.4.4 8.0.4 Manages links between resources
symfony/web-profiler-bundle     7.4.7 8.0.7 Provides a development tool that gives detailed information...
symfony/yaml                    7.4.6 8.0.6 Loads and dumps YAML files

Transitive dependencies not required in composer.json:
doctrine/collections            2.6.0 3.0.0 PHP Doctrine Collections library that adds additional funct...
symfony/cache                   7.4.7 8.0.7 Provides extended PSR-6, PSR-16 (and tags) implementations
symfony/clock                   7.4.0 8.0.0 Decouples applications from the system clock
symfony/config                  7.4.7 8.0.7 Helps you find, load, combine, autofill and validate config...
symfony/dependency-injection    7.4.7 8.0.7 Allows you to standardize and centralize the way objects ar...
symfony/doctrine-bridge         7.4.7 8.0.7 Provides integration for Doctrine with various Symfony comp...
symfony/dom-crawler             7.4.6 8.0.6 Eases DOM navigation for HTML and XML documents
symfony/error-handler           7.4.4 8.0.4 Provides tools to manage errors and ease debugging PHP code
symfony/event-dispatcher        7.4.4 8.0.4 Provides tools that allow your application components to co...
symfony/filesystem              7.4.6 8.0.6 Provides basic utilities for the filesystem
symfony/finder                  7.4.6 8.0.6 Finds files and directories via an intuitive fluent interface
symfony/http-foundation         7.4.7 8.0.7 Defines an object-oriented layer for the HTTP specification
symfony/http-kernel             7.4.7 8.0.7 Provides a structured process for converting a Request into...
symfony/monolog-bridge          7.4.6 8.0.6 Provides integration for Monolog with various Symfony compo...
symfony/options-resolver        7.4.0 8.0.0 Provides an improved replacement for the array_replace PHP ...
symfony/password-hasher         7.4.6 8.0.6 Provides password hashing utilities
symfony/psr-http-message-bridge 7.4.4 8.0.4 PSR HTTP message bridge
symfony/routing                 7.4.6 8.0.6 Maps an HTTP request to a set of configuration variables
symfony/security-core           7.4.4 8.0.4 Symfony Security Component - Core Library
symfony/security-csrf           7.4.6 8.0.6 Symfony Security Component - CSRF Library
symfony/security-http           7.4.6 8.0.6 Symfony Security Component - HTTP Integration
symfony/twig-bridge             7.4.7 8.0.7 Provides integration for Twig with various Symfony components
symfony/twig-bundle             7.4.4 8.0.4 Provides a tight integration of Twig into the Symfony full-...
symfony/type-info               7.4.7 8.0.7 Extracts PHP types information.
symfony/var-dumper              7.4.6 8.0.6 Provides mechanisms for walking through any arbitrary PHP v...
symfony/var-exporter            7.4.0 8.0.0 Allows exporting any serializable PHP data structure to pla...

[panbed]

Changing the PHP version used in the CICD pipeline config files from 8.4 to 8.5 solved the previous issue:

Error: Your lock file does not contain a compatible set of packages. Please run composer update.

  Problem 1
    - Root composer.json requires php ^8.5 but your php version (8.4.19) does not satisfy that requirement.

However, there seems to be a new issue when we get to the Postgres step of the CICD pipeline:

Error: Migration DoctrineMigrations\Version20210525163808 failed during Execution. Error: "Call to undefined method Doctrine\DBAL\Platforms\PostgreSQLPlatform::getName()"

It seems like something is causing Postgres to no longer work, I'll try to look into it as well.

[panbed]

After testing (Danny and I tested recreating UDOIT from scratch) it seems like the change in deploy.conf and local.conf breaks loading UDOIT for the first time to authorize from Canvas, as we get a 404 error from nginx when trying to access the /authorize endpoint.

I think we should revert back from fastcgi_param REQUEST_URI $uri?$args; to fastcgi_param REQUEST_URI /udoit3$uri?$args;, since that seems to fix the 404 errors when setting up UDOIT from scratch.