This PR has been generated automatically.
For more details see
[upmerge_pr.yaml](/Sylius/Sylius/blob/2.1/.github/workflows/upmerge_pr.yaml).
**Remember!** The upmerge should always be merged with using `Merge pull
request` button.
In case of conflicts, please resolve them manually with usign the
following commands:
```
git fetch upstream
gh pr checkout <this-pr-number>
git merge upstream/2.1 -m "Resolve conflicts between 1.14 and 2.1"
```
If you use other name for the upstream remote, please replace `upstream`
with the name of your remote pointing to the `Sylius/Sylius` repository.
Once the conflicts are resolved, please run `git merge --continue` and
push the changes to this PR.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added product channel eligibility validation to prevent checkout when
a product is no longer assigned to the order's channel.
* **Bug Fixes**
* Disabled duplicate product review rating updates during acceptance
transitions.
* **Documentation**
* Added audit ignore documentation for security advisories.
* **Chores**
* Updated user-facing error messaging to indicate product unavailability
across all supported languages.
* Updated dependency injection patterns with union types and nullable
parameters.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
| Q | A
|-----------------|-----
| Branch? | 2.1
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Related tickets | https://github.com/Sylius/Sylius/issues/16120
| License | MIT
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed duplicate updates of product review average ratings so ratings
are now updated once when a review is accepted.
* **Documentation**
* Added upgrade notes for v2.1.8 explaining the change to review
acceptance behavior to prevent duplicate rating calculations.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This is connected with https://github.com/Sylius/Sylius/pull/18574
| Q | A
|-----------------|-----
| Branch? | 1.14
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Related tickets | https://github.com/Sylius/Sylius/issues/16120
| License | MIT
The \Sylius\Bundle\ReviewBundle\EventListener\ReviewChangeListener
(registered as Doctrine event listener) already handles rating
recalculation for all review changes (postPersist, postUpdate,
preRemove), making the
state machine callback redundant.
Solution
Disable the sylius_update_rating callback by adding disabled: true
instead of removing it entirely.
Why disabled: true instead of removal?
1. No BC break - the updateFromReview() method called by this callback
remains intact, preserving the ReviewableRatingUpdaterInterface and
service definitions
2. Flexibility - users who rely on this callback (e.g., for custom
priority ordering with their own callbacks) can re-enable it in their
configuration with disabled: false
3. Transparency - the callback definition remains visible in
configuration, documenting what was disabled and why, which helps with
debugging and understanding the system's
history
| Q | A
|-----------------|-----
| Branch? | 2.1
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Related tickets | -
| License | MIT
Refactored E2E workflow files to use environment variables for Behat
commands, significantly improving readability and maintainability.
All Behat command invocations now use parametrized variables defined in
the job `env` section:
- `BEHAT_BASE_CMD` - base command with common flags
- `BEHAT_*_TAGS` - test tags for different test suites
- `BEHAT_*_SUITES` - suite tags
Changes applied to:
- `ci_e2e-mysql.yaml` (3 jobs)
- `ci_e2e-mariadb.yaml` (1 job)
- `ci_e2e-pgsql.yaml` (1 job)
- `ci_e2e-unstable.yaml` (3 jobs)
This makes it much easier to modify Behat configurations and reduces
duplication across retry logic.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Streamlined CI/CD testing workflows by introducing centralized,
parameterized configurations for test execution across multiple database
environments, reducing redundancy and improving consistency.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
| Q | A
|-----------------|-----
| Branch? | 1.14
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Related tickets | https://github.com/Sylius/Sylius/issues/17568
| License | MIT
When finalizing an order, while checking whether products and variants
are "isEnabled," a check has also been added to see if they are assigned
to the current channel.
Fixes test failures when API is unavailable (third-party issues or
offline development).
**Problem:**
Tests failed with `HTTP/2 500 returned for
https://api.iconify.design/collections` when API was down. Default
Symfony UX Icons config uses on-demand API mode, causing failures
without network.
**Solution:**
Bundle commonly-used icons locally (`tabler:*` for UI, most popular
`flagpack:*` flags) using `icon_sets` configuration in
`SyliusUiExtension`. Icons are registered programmatically with
`__DIR__` paths that work correctly both in development and when bundle
is in vendor directory. Iconify API enabled as fallback for less common
country flags dynamically added by admins.
**Implementation:**
- Icons configured via `PrependExtensionInterface` in
`SyliusUiExtension`
- Uses `icon_sets` with absolute paths resolved at runtime (`__DIR__`)
- Removed YAML config that used `%kernel.project_dir%` (incorrect for
vendor bundles)
**Country flags:**
Default Sylius fixtures include 12 countries (US, FR, DE, AU, CA, MX,
NZ, PT, ES, CN, GB, PL). We bundle these plus 4 popular ones (JP, IT,
BR, IN) locally. For other countries added by admins, flags load via
Iconify API fallback.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Enabled Iconify-based icon management for the UI.
* Added Tabler and Flagpack icon sets for richer visuals.
* Applied a default icon styling class ("icon") across UI icons.
* Configured the system to ignore missing icons gracefully, preventing
runtime errors.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
| Q | A
|-----------------|-----
| Branch? | 2.1
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Related tickets | -
| License | MIT
Added PHP 8.5 (released 2025-11-20) support to CI workflows.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated CI/CD workflows to support PHP 8.5 testing across multiple
configurations (static-checks, e2e, frontend/packages).
* Configured architecture checks to skip on PHP 8.5 while expanding test
coverage to the latest PHP version.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This is a continuation of pull request
https://github.com/Sylius/Sylius/pull/18417.
| Q | A
|-----------------|-----
| Branch? | 2.1
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Related tickets |
| License | MIT
<!--
- Bug fixes must be submitted against the 1.14 or 2.0 branch
- Features and deprecations must be submitted against the 2.1 branch
- Make sure that the correct base branch is set
To be sure you are not breaking any Backward Compatibilities, check the
documentation:
https://docs.sylius.com/en/latest/book/organization/backward-compatibility-promise.html
-->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved product attribute handling during API denormalization:
attribute info is now consistently used for validation and value
processing, and attribute keys are ensured to be passed first to
downstream processing to prevent misordering and data inconsistencies.
* **Tests**
* Added a test that verifies the attribute key is reordered to be first
during denormalization to guard against regressions.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Ensure attribute is set before setValue() is called by reordering the data
array to ensure 'attribute' key comes first during denormalization.
This prevents BadMethodCallException when API Platform processes attribute
values in JSON key order.
Co-authored-by: Mateusz <mateusz@rustle.pl>
| Q | A
|-----------------|-----
| Branch? | 2.1
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Related tickets |
| License | MIT
Ref:
```
After having deleted a channel in the admin view, I got form errors when editing the shipping methods.
I found out that the “configuration” column of the “sylius_shipping_method” table still contains the channel data as json, e.g.
{"WEB_EUR": {"amount": 960}, "FASHION_WEB": {"amount": 782}}
although both channels are deleted.
The users of our software need to delete the channel without errors.
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
* Find shipping methods by channel-specific configuration.
* Automatically remove channel configuration entries from shipping methods when a channel is deleted.
* Added a channel-aware shipping-method updater and wired it into the channel deletion workflow.
* **Tests**
* Added tests for shipping-method lookup by channel code.
* Added tests for channel-configuration removal (including flush behavior and edge cases).
* Added fixtures for shipping methods and zones used by tests.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
- Add reusable SCSS mixins for text truncation (ellipsis, flex)
- Fix long category names in navbar dropdown (desktop: 1-line ellipsis, mobile: 2-line wrap)
- Fix taxon tree overflow in admin sidebar using flex truncation
- Fix XSS vulnerability in taxon tree by escaping HTML
- Remove global h1 overflow rule, use .text-break class instead
- Ensure offcanvas dropdown menu has no border on mobile/tablet
| Q | A
|-----------------|-----
| Branch? | 1.14
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Related tickets | #18549
| License | MIT
Details in file AUDIT-IGNORE.md
| Q | A
|-----------------|-----
| Branch? | 2.1
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Related tickets | -
| License | MIT
Adding a note that this configuration is no longer used so that people
don't get confused when they edit it and nothing happens.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Deprecations**
* Address log entry grid rendering is deprecated and will be removed in
Sylius 3.0. Current behavior is unchanged for now; only deprecation
notices were added. Users should review and prepare their configurations
for upcoming removal.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
| Q | A
|-----------------|-----
| Branch? | 1.14
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Related tickets |
| License | MIT
Fix build CI through added a few cve to ignore section in file
composer.json.
1. PKSA-yhcn-xrg3-68b1 (Twig - CVE-2024-45411)
Sandbox bypass - Attackers can execute dangerous code in Twig templates
by bypassing sandbox security restrictions.
- Fixed in: Twig 1.44.8, 2.16.1, 3.14.0
2. PKSA-2wrf-1xmk-1pky (Twig - CVE-2024-51755)
Access to protected data - Using the ?? operator and array access allows
reading private data without security policy checks.
- Fixed in: Twig 3.11.2, 3.14.1
3. PKSA-gs8r-6kz6-pp56 (likely API Platform)
GraphQL data exposure - Improper caching in GraphQL allows access to
other users' data or bypassing operation security.
- Related to API Platform GraphQL security issues
- Fixed in: API Platform 3.4.17, 4.0.22
4. PKSA-gnn4-pxdg-q76m (likely API Platform or Twig)
Exception details disclosure - Error messages may contain sensitive
system information visible in JSON responses.
- Related to API Platform error handling
- Fixed in: API Platform 3.2.5+
Details:
https://www.cvedetails.com/vulnerability-list/vendor_id-19033/product_id-48690/Symfony-Twig.htmlhttps://api-platform.com/docs/extra/security/
Fixes ECS error:
```
ERROR: The use statement with non-compound name 'RuntimeException' has no effect
in /home/runner/work/Sylius/Sylius/RoboFile.php:18
Error: Process completed with exit code 123.
```
Changes:
- Removed unused `use RuntimeException;` import
- Used fully qualified `\RuntimeException` where needed
- Used `\PHP_EOL` instead of `PHP_EOL` for consistency
| Q | A
|-----------------|-----
| Branch? | 2.1 <!-- see the comment below -->
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no <!-- don't forget to update the UPGRADE-*.md file
-->
| Related tickets | fixes#18482, partially #Y, mentioned in #Z
| License | MIT
As described in #18482 i added the `label` key too the options for the
`firstName` and `lastName` childs of the CustomerType form class so that
the translations for `sylius.form.customer.first_name` /
`sylius.form.customer.last_name` are correctly displayed again when
creating/updating a customer in the sylius backend.
| Q | A
|-----------------|-----
| Branch? | 2.1
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Related tickets | n/a
| License | MIT
1. Removes `DOCTRINE_ORM_VERSION` support from packages CI workflow as
we no longer use it.
2. Refactors `RoboFile` slightly.
Fixes Symfony 7.4 compatibility issue in PHPUnit tests where
KernelBrowser tests fail because error renderer selection changed.
## Problem
Symfony 7.4 introduced `RuntimeModeErrorRendererSelector` in
FrameworkBundle that selects error renderer based on runtime mode:
- CLI context → plain text error output
- Web context → HTML error pages
PHPUnit runs in CLI, so Symfony 7.4 renders plain text errors. But
`KernelBrowser` simulates web requests and tests expect HTML error
pages, causing failures like:
```
Failed asserting that 'Symfony\Component\HttpKernel\Exception\NotFoundHttpException...'
contains "The page you are looking for does not exist."
```
Tests expected HTML but got plain text exception dumps.
## Solution
Set `APP_RUNTIME_MODE=web=1` in `phpunit.xml.dist` to force web mode for
all PHPUnit tests.
This env var was introduced in Symfony 6.4 and sets the
`kernel.runtime_mode.web` parameter:
- Format: query string `web=1&worker=0`
- `web=1` → parsed to `kernel.runtime_mode.web: true`
- Backward compatible: exists in Symfony 6.4 but only affects error
rendering in 7.4+
## Why this approach vs config parameter?
**Considered alternatives:**
1. ❌ `kernel.runtime_mode.web: true` in
`config/packages/test/_sylius.yaml` - global, less flexible
2. ✅ `APP_RUNTIME_MODE=web=1` in `phpunit.xml.dist` - proper Symfony
mechanism, test-level control
The env var approach is more idiomatic and allows per-test override if
needed.
## References
- Symfony commit introducing RuntimeModeErrorRendererSelector:
0681ef3b82
- kernel.runtime_mode docs:
https://symfony.com/doc/current/reference/configuration/kernel.html
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated test configuration to explicitly set the runtime mode to web
during testing, ensuring consistent error rendering behavior in web
mode.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
| Q | A
|-----------------|-----
| Branch? | 2.1
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Related tickets | fixes#18514, partially #Y, mentioned in #Z
| License | MIT
This pull request adjusts the `z-index` for the side_navigation. Because
currently when you have many content on a page where the side_navigation
is used, and its scrollable, the side navigation starts collapsing with
the header. This was because the `z-index` was too high.
## Before:
<img width="1242" height="1189" alt="image"
src="https://github.com/user-attachments/assets/05e68e14-0587-4891-96e2-3d9823591238"
/>
## After:
<img width="1232" height="1131" alt="image"
src="https://github.com/user-attachments/assets/07520f68-2257-4ea6-9d9a-3332cb4ad79d"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Style**
* Fixed side navigation stacking order to ensure it displays correctly
above other page elements, preventing visual overlap issues.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
| Q | A
|-----------------|-----
| Branch? | 2.1
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no <!-- don't forget to update the UPGRADE-*.md file
-->
| Related tickets | fixes #X, partially #Y, mentioned in #Z
| License | MIT
This PR adds missing translations for german for various places in the
Sylius admin.
For the existing keys i checked also the german CH and german AT files
to make sure that the existing translations for the respective keys are
consistent/the same.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Localization**
* Added descriptive label to the provinces field selector for improved
form usability
* Extended German translations with new localization keys for checkout
currency selection, channel pricing options, password reset fields, and
account credentials management
<!-- end of auto-generated comment: release notes by coderabbit.ai -->