🚨 [security] [php] Update symfony/process 7.3.0 → 7.3.11 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ symfony/process (indirect, 7.3.0 → 7.3.11) · Repo · Changelog

Security Advisories 🚨

🚨 Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows

Summary

The Symfony Process component did not correctly treat some characters (notably =) as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2’s argument/path conversion can mishandle unquoted arguments containing these characters.

This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended.

Impact

If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. rmdir, del, etc.) with a path argument containing =, the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive.

The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration).

Resolution

Upgrade to a Symfony release that includes the fix from symfony/symfony#63164 (which updates Windows argument escaping to ensure arguments containing = and other MSYS2-sensitive characters are properly quoted/escaped).
The patch for branch 5.4 is available at symfony/symfony@ec154f6

Workarounds / Mitigations

Avoid running PHP/your tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables.
Avoid passing paths containing = (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2.
Where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via MSYS2_ARG_CONV_EXCL), understanding this may affect other tooling behavior.

Release Notes

7.3.11

Changelog (v7.3.10...v7.3.11)

• security #cve-2026-24739 Fix escaping for MSYS on Windows (nicolas-grekas)
• bug #63164 Fix escaping for MSYS on Windows (@nicolas-grekas)

7.3.9

Changelog (v7.3.8...v7.3.9)

• bug symfony/symfony#62775 [Process] Fix dealing with broken stdin pipes (@nicolas-grekas)

7.3.4

Changelog (v7.3.3...v7.3.4)

• bug symfony/symfony#61727 Replace __sleep/wakeup() by __(un)serialize() for throwing and internal usages (@nicolas-grekas)

7.3.3

Changelog (v7.3.2...v7.3.3)

• bug symfony/symfony#61401 [Process] Enhance hasSystemCallBeenInterrupted function for non-english locale (@christianseel)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 15 commits:

• Merge branch '6.4' into 7.3
• [Process] Fix escaping for MSYS on Windows
• Merge branch '6.4' into 7.3
• [Process] Adjust Process mustRun method phpdoc
• Merge branch '6.4' into 7.3
• [Process] Ignore invalid env var names
• Merge branch '6.4' into 7.3
• [Process] Fix dealing with broken stdin pipes
• Merge branch '6.4' into 7.3
• Replace __sleep/wakeup() by __(un)serialize() for throwing and internal usages
• Merge branch '6.4' into 7.3
• [Process] Enhance hasSystemCallBeenInterrupted function for non-english locale
• Merge branch '6.4' into 7.3
• Fix wrong boolean values
• CS fixes

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}