Skip to content

fix: clone Parameters before mutation in security and validator providers#8378

Merged
soyuka merged 1 commit into
api-platform:4.3from
ostrolucky:4.3
Jul 2, 2026
Merged

fix: clone Parameters before mutation in security and validator providers#8378
soyuka merged 1 commit into
api-platform:4.3from
ostrolucky:4.3

Conversation

@ostrolucky

@ostrolucky ostrolucky commented Jul 1, 2026

Copy link
Copy Markdown
Contributor
Q A
Branch? 4.3
Tickets
License MIT
Doc PR

Calling $parameters->add() on the Parameters object was mutating shared state. In long-running processes this caused uri-variable Links added at request time to leak into subsequent metadata reads, producing a phantom in:query parameter in the OpenAPI output in my case, resulting most obviously in flaky tests in my case

…ders

SecurityParameterProvider and ParameterValidatorProvider both called
$parameters->add() on the Parameters object returned directly from the
cached operation, mutating shared state. In long-running processes
(Behat/FrankenPHP/RoadRunner) this caused uri-variable Links added at request
time to leak into subsequent metadata reads, producing a phantom
in:query parameter in the OpenAPI output.
@soyuka soyuka merged commit a9c1b53 into api-platform:4.3 Jul 2, 2026
111 of 112 checks passed
@soyuka

soyuka commented Jul 2, 2026

Copy link
Copy Markdown
Member

Nice one thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants