9.0.0-beta1 (2023-11-07)
Overview of merged pull requests
FEATURE: Add more information for object arguments in debugging
For stacktraces in exceptions and logs we now render some representation of content for objects to ease debugging with DTOs.
Specifically we will try to obtain a string representation for such an object by using either in this order:
a string cast if __toString() is available
json_encode if it is JsonSerializable
json_encode on the array of public properties
For readability json_encode will be limited to the first level, also all of those string representations will be cut off after 100 characters.
If any of those options works we will also shorten the className to avoid this output becoming overly long.
Note that we use JSON_PARTIAL_OUTPUT_ON_ERROR to make sure some output is provided. This might lead to partial or weird outputs depending on the object structure, but might still provide pointers for debugging.
Fixes: #3165
Packages:
Flow
9.0 FEATURE: Add `unique flowQuery operation <https://github.com/neos/flow-development-collection/pull/3102>`_
This operation applies array_unique to the current flowQuery context.
While the same could previously achieved via Array.unique() the flow query operation can be placed in an operation chain without extra wrapping.
Review instructions
There is also a node specific implementation of the unique operation in https://github.com/neos/neos-development-collection/pull/4355
I know the php code looks oldish but the style is in line with the other flowQuery operations around.
Packages:
Eel
FEATURE: Add `getAccessorByPath to NeosUtilityArrays for type safe accessing of array values <https://github.com/neos/flow-development-collection/pull/3149>`_
The array utility allows to create a type safe accessor via Arrays::getAccessorByPath($arrayValue, 'your.path'). The accessor provides the following methods that will either return the requested type or throw a \\UnexpectedValueException.
int(): intfloat(): floatnumber(): int|floatstring(): stringclassString(): string- with annotation for class-stringarray(): arrayinstanceOf(string $className): object- with annotation for dynamic typeintOrNull(): ?intfloatOrNull(): ?floatnumberOrNull(): null|int|floatstringOrNull(): ?stringclassStringOrNull(): ?string- with annotation for class-string | nullarrayOrNull(): ?arrayinstanceOfOrNull(string $className): ?object- with annotation for dynamic type | null
This will allow to write code that accesses settings via pathes without checking every level for existence still beeing type safe and accessible for static analysis.
This can be used together with settingInjection.
```php public function injectSettings(array $settings): void {
$this->limit = Arrays::getAccessorByPath($settings, ‘limit’)->intOrNull();
}
Resolves: #3164
Review instructions
It may look inefficient to manually throw TypeErrors that in many cases would be thrown automatically because of the declared return types. However this is not a performance issue as those are never on the happy-path and the created TypeError provides additional informations to help understand and fix problems faster.
Packages:
FlowUtility.Arrays
FEATURE: Exclude classes from constructor autowiring
Classes can now explicitly be excluded from constructor autowiring through a new setting.
The setting accepts an array of fully qualified class names, each class name being a regular expression. Classes of scope prototype which expect objects to be passed to their constructor are usually considered for autowiring which results in a proxy class being generated.
This option allows to exclude classes from this process. This is useful for classes like data transfer objects, read models, commands, events and value objects which usually don’t rely on dependency injection.
Flow cannot reliably detect weather a prototype class depends on autowiring for constructor arguments or not. Use this option to optimize your application to avoid the small but measurable overhead of proxy generation for those kinds of classes.
Note that if there are other reasons than constructor injection which require a proxy class to be generated, the proxy class will be generated no matter what.
This change partly reverts `#3050 <https://github.com/neos/flow-development-collection/issues/3050>`_because now proxy classes _are_ generated for prototype classes by default. Otherwise a lot of existing Flow applications would not work correctly anymore.
resolves: #3049
Packages:
Flow
FEATURE: Replace self with static in proxy classes
Factory methods which use code like new self() for creating a new instance are now handled correctly in proxy classes. The compiler automatically replaces “self” keywords with “static” in the rendered proxy class file to make this possible.
This implementation has not been optimized for performance.
Resolves: #3059
Packages:
Flow
FEATURE: Support private constructors in proxy classes
Flow now can correctly build proxy classes for classes with private constructors. Previously, such classes caused errors and proxy class building had to be disabled with the Proxy(false) annotation. Now classes with private constructors can take advantage of setter and property injection and are considered for advices through the AOP framework.
Resolves: #3058
Packages:
Flow
FEATURE: Add support for readonly classes
Flow now respects readonly classes during proxy class building and makes sure that proxy classes are readonly as well.
resolves: #3025
Packages:
Flow
BUGFIX: Use correct exception class
Fix the use of an exception class that is no longer where it was.
Packages:
Flow
BUGFIX: Use method to set validated instances container
Fixes: #3205
Packages:
Flow
BUGFIX: Require collection packages as `self.version again <https://github.com/neos/flow-development-collection/pull/3206>`_
See: #3035 for the original change
Packages:
FlowEelFluidAdaptorKickstarter
BUGFIX: Only set distinct on count clause if explicitely set to improve performance
F.e. Postgres has performance issues with large datasets and the DISTINCT clause. In a test this change reduced the query time of a count query for ~900.000 entities by >80%.
In a custom project this affected their Neos Media.UI in which the following results were found:
Count all assets | 580ms -> 260ms
Query 20 assets | 690ms -> 350ms
Query 100 assets | 990ms -> 650ms
Module load | 1900ms -> 1400ms
Review instructions
Everything should work the same, as https://github.com/neos/flow-development-collection/pull/415 already sets the distinct flag where (possibly) necessary.
Packages:
Flow
BUGFIX: Sanitize uploaded svg files from suspicious content
Adding an internal methods isSanitizingRequired and sanitizeImportedFileContent to the resourceManager. The import is adjusted to first determine the mediaType of an imported resource to decide wether sanitizing is needed which for now happens only for SVG files. If no sanitizing is needed the code will perform as before by passing streams or filenames around.
If suspicious content was removed from a warning is logged that mentions the remove data and line. The sanitizing is done using “enshrined/svg-sanitize” that is used by other cms aswell.
The initial implementation will only sanitize SVG files as those can contain malicious scripts. In future this should be expanded to a feature that allows registering of custom sanitizing functions.
The sanitizing logic itself ist basically the same as what is done by typo3 here: https://github.com/TYPO3/typo3/blob/357b07064cf2c7f1735cfb8f73ac4a7248ab040e/typo3/sysext/core/Classes/Resource/Security/SvgSanitizer.php
This addresses the issue described here: https://nvd.nist.gov/vuln/detail/CVE-2023-37611
Review Instructions
The change adds quite a bit of complexity to the importResource method to avoid loading the file content into ram whenever possible. As this method accepts filenames and resources this leads to quite some nested checking. I consider this kindoff necessary as one does not want to read a full video file into php ram to check wether it may be an svg.
Better suggestions are welcome.
Packages:
Utility.MediaTypes
BUGFIX: Replacement proxy methods rendered again
This fixes a bug introduced in d939e6b8 switching to laminuas-code. A proxy method can replace the full body of an existing method or even be a fully new method, in which case only body will be set in the proxy method. We still want those to be generated. This for example currently breaks the CompileStatic feature, as those methods do not get rendered anymore resulting in worse performance in Production context compared to before.
This fix renders a proxy method also when a body was set for it, but still skips it if neither pre/post nor body is set.
It also enabled CompileStatic in Testing Context so that it is testable and adds a test to make sure it works as intended.
Fixes: #3099
Packages:
Flow
BUGFIX: Remove injected properties before serialization
This fixes a regression introduced recently which resulted in serialization errors if the object to be serialized contained properties which were previously injected.
Resolves: #3066
Packages:
Flow
BUGFIX: Support mixed return type in proxied methods
Flow’s proxy class building now supports mixed return types for methods.
This change merely adds a test which proves that the feature is working. The actual implementation was part of https://github.com/neos/flow-development-collection/issues/3042.
resolves: https://github.com/neos/flow-development-collection/issues/2899
Packages:
Flow
BUGFIX: Union types in proxy classes
Flow’s proxy class building now supports union types in method signatures.
This change merely adds a test which proves that the feature is working. The actual implementation was part of #3042.
resolves: #2941
Packages:
Flow
BUGFIX: Create serialization code for transient properties
Due to a recent optimization, Flow was not generating __sleep() methods for classes which are not either entities or were configured with a session scope. This led to errors in classes which were using the @Transient annotation to exclude certain properties from serialization. Therefore, Flow now also generates proxy classes with __sleep() methods if the original class contains such annotations.
Resolves: #3062
Packages:
Flow
BUGFIX: Skip proxy for optional straight values
When a promoted property was an optional straight value, the proxy class builder decided to create a proxy class because it could be a straight value configured in the object configuration via Objects.yaml. Flow now checks the value of the given argument and only triggers proxy class building if the argument is not null. That way, Flow will not build useless proxies for typical read models which expect a mix of objects and straight values in their constructor.
Packages:
Flow
BUGFIX: Move access to objectAccess of TemplateObjectAccessInterface into getByPath
… as accessors are not used anymore for variable provider within fluid, starting v2.8.0.
Due to the missing accessors the objectAccess of TemplateObjectAccessInterface didn’t get called anymore, so the result of the getByPath method was an object of FusionPathProxy instead of an rendered string.
See: https://github.com/TYPO3/Fluid/compare/2.7.4…2.8.0#diff-`a0aa72aa19d9eb57cdb9a4dcd344c3706d75ae7c <https://github.com/neos/flow-development-collection/commit/a0aa72aa19d9eb57cdb9a4dcd344c3706d75ae7c>`_a408286f91a846e495b3c766L122 https://github.com/TYPO3/Fluid/compare/2.7.4…2.8.0#diff-`a0aa72aa19d9eb57cdb9a4dcd344c3706d75ae7c <https://github.com/neos/flow-development-collection/commit/a0aa72aa19d9eb57cdb9a4dcd344c3706d75ae7c>`_a408286f91a846e495b3c766L341 https://github.com/TYPO3/Fluid/compare/2.7.4…2.8.0#diff-`a0aa72aa19d9eb57cdb9a4dcd344c3706d75ae7c <https://github.com/neos/flow-development-collection/commit/a0aa72aa19d9eb57cdb9a4dcd344c3706d75ae7c>`_a408286f91a846e495b3c766L312
Packages:
FluidAdaptor
!!! TASK: Modernized code style in ReflectionService
Code in the reflection service was adjusted to the current code style best practices.
The method arguments in the Reflection Service are now strictly typed. Therefore, third-party code which relied on loose types and passes invalid types, need to be adjusted. Tests in the Flow package were adjusted were necessary.
As part of the clean up, the setStatusCache() method in ReflectionService was fixed which used a wrong order of parameters in its is_callable() call.
Preparation for #2913
Packages:
Flow
!!! TASK: Require PHP 8.2
The minimum requirement for the Flow Framework, including all packages of its distribution, was raised to PHP 8.2.
Packages:
FlowUtility.ObjectHandling
TASK: Migrate to PHPStan for Flow 8
This is a backport of https://github.com/neos/flow-development-collection/pull/3216
Adds PHPStan level 1 to the whole Flow code base and CI. Psalm was removed.
Packages:
Flow.githubCache
TASK: Carefully fix psalm types across codebase to make it green ;)
Upgrade instructions
Packages:
Flow
TASK: Update default settings for stored throwable dumps
This updates the default settings in YAML to 30 days of dump retention and a maximum of 10.000 files.
The class properties keep their 0 default, so that in case the class has been extended no change is enforced.
Review instructions
Needs upmerge of https://github.com/neos/flow-development-collection/pull/3187
TASK: Use new Behat `FlowBootstrapTrait <https://github.com/neos/flow-development-collection/pull/3208>`_
Adjust to behat adjustments see https://github.com/neos/behat/pull/35
Upgrade instructions
Packages:
Flow
TASK: Clean up stored throwable dumps
Whenever a new dump is written, check the existing dumps and remove those that are older than allowed or exceed the maximum count.
By default nothing is cleaned up.
Resolves: #3158
Review instructions
Should remove old dump files as configured…
Packages:
Flow
TASK: Fix overlooked dependency…
See: #3035 for the original change
Packages:
Flow
TASK: Fix cache RedisBackend unittest
A test failed due to a missing return value from a method not being mocked (correctly),
Packages:
Cache
TASK: Fix documentation builds
… by pinning updated dependencies.
Review instructions
Best is to see if the builds succeed on RTD again with this merged…
Packages:
Flow
TASK: document and deprecate flows internal isolated behat tests
Related https://github.com/neos/flow-development-collection/issues/3170
The infrastructure is quite complex and not in relation to those two tests. That’s why we declare it ready to be removed.
Upgrade instructions
Packages:
Flow
TASK: Support PHP never, null, false, and true as stand-alone types
This change adds functional tests to prove that Flow can handle PHP 8 stand-alone return types in AOP proxy class building.
Note that “null” is not supported yet by laminas-code, therefore the corresponding test is not active yet.
Resolves: #3027
Packages:
Flow
TASK: Use Laminas Code for proxy method rendering
Flow now uses laminas/laminas-code for rendering proxy methods. The Dependency Injection Proxy Class Builder was refactored and the classes ProxyConstructor and ProxyMethod were replaced by new implementations called ProxyConstructorGenerator and ProxyMethodGenerator respectively.
Resolves: #3042
Packages:
Flow
TASK: Clean up code in AOP and ObjectManagement
This change contains various code clean-ups which fell off with the preparation of a new bug fix for AOP.
Packages:
Flow
TASK: Replace “adviced” by “advised”
Fixed a good old typo everywhere in Flow by replacing all occurrences of “adviced” by “advised”.
Packages:
Flow
TASK: Clean up functional tests for AOP
This also re-activates a functional test targeting PHP 7.1 features which was disabled at some point in history.
Packages:
Flow
TASK: Only add constructor injection code if needed
The proxy class builder now skips code generation for constructor injection code if the given original class is prototype, no user-defined object configuration exists and all potentially autowired constructor arguments are prototypes or simple values. This change should result in a significantly less amount of proxy classes generated in most modern Flow projects.
resolves: #3049 resolves: #1539
Packages:
Flow
TASK: Only add serialization entities code if needed
Proxy classes created by the Dependency Injection Proxy Class Builder now only contain code related to serialization and deserialization of related entities if needed.
The code is only rendered if one of the following conditions is met:
The class is annotated with Entity
The class is annotated with Scope(“session”)
Despite the previous condition, the code will not be rendered if the following condition is true:
The class already has a __sleep() method (we assume that the developer wants to take care of serialization themself)
As part of this change, the generated code related to serialization was slightly adjusted for stricter type handling.
related: #1539
Review instructions
try to find an existing application which relies on serialization of related entities, for example a Flow application which uses ORM with relations or uses entities in a session scope.
remove all caches and then access your application in a browser using the current Flow 9 branch (without this patch)
create a backup of the Cache/Code/Flow_Object_Classes directory
switch to a branch with this change, remove all caches and access the application again in a browser
use a diff tool (e.g. Kaleidoscope) to compare both cache directories to see what is now different
check if your application still works
Packages:
Flow