Bump the composer group across 1 directory with 2 updates

[dependabot]

Bumps the composer group with 2 updates in the / directory: symfony/yaml and symfony/mime.

Updates symfony/yaml from 6.2.7 to 6.4.40

Release notes

Sourced from symfony/yaml's releases.

v6.4.40

Changelog (symfony/yaml@v6.4.39...v6.4.40)

• security #cve-2026-45305 Harden the Parser::cleanup() regexes against catastrophic backtracking (@​nicolas-grekas)
• security #cve-2026-45304 Bound collection-alias resolution in the parser (@​nicolas-grekas)
• security #cve-2026-45133 Bound recursion depth in the parser (@​nicolas-grekas)

v6.4.39

Changelog (symfony/yaml@v6.4.38...v6.4.39)

• bug #64196 Reject non-stringables when using "!!binary" (@​nicolas-grekas)

v6.4.38

Changelog (symfony/yaml@v6.4.34...v6.4.38)

• bug #64119 fix flow collection drops &anchor and !!str &anchor items (@​ousamabenyounes)

v6.4.34

Changelog (symfony/yaml@v6.4.33...v6.4.34)

• bug #57292 Fix parsing nested mappings in sequences (@​HypeMC)

v6.4.30

Changelog (symfony/yaml@v6.4.29...v6.4.30)

• bug symfony/symfony#62612 [Yaml] Fix regression handling blank lines in unquoted scalars (@​yoeunes)
• bug symfony/symfony#62409 [Yaml] Align unquoted multiline scalar parsing with spec for comments (@​yoeunes)
• bug symfony/symfony#62359 [Yaml] Fix parsing of unquoted multiline scalars with comments or blank lines (@​yoeunes)

v6.4.26

Changelog (symfony/yaml@v6.4.25...v6.4.26)

• bug symfony/symfony#61855 [DoctrineBridge][Yaml] don't cast strings exceeding the min/max int ranges (@​xabbuh)

v6.4.25

Changelog (symfony/yaml@v6.4.24...v6.4.25)

• bug symfony/symfony#61520 [Yaml] Fix scope resolution operator in flow mapping keys (@​MatTheCat)

v6.4.24

Changelog (symfony/yaml@v6.4.23...v6.4.24)

• no significant changes

v6.4.23

Changelog (symfony/yaml@v6.4.22...v6.4.23)

• bug symfony/symfony#60648 [Yaml] fix support for years outside of the 32b range on x86 arch on PHP 8.4 (@​nicolas-grekas)

v6.4.21

... (truncated)

Changelog

Sourced from symfony/yaml's changelog.

CHANGELOG

8.0

• Remove support for parsing duplicate mapping keys whose value is null

7.3

• Add compact nested mapping support by using the Yaml::DUMP_COMPACT_NESTED_MAPPING flag
• Add the Yaml::DUMP_FORCE_DOUBLE_QUOTES_ON_VALUES flag to enforce double quotes around string values

7.2

• Deprecate parsing duplicate mapping keys whose value is null
• Add support for dumping null as an empty value by using the Yaml::DUMP_NULL_AS_EMPTY flag

7.1

• Add support for getting all the enum cases with !php/enum Foo

7.0

• Remove the !php/const: tag, use !php/const instead (without the colon)

6.3

• Add support to dump int keys as strings by using the Yaml::DUMP_NUMERIC_KEY_AS_STRING flag

6.2

• Add support for !php/enum and !php/enum *->value
• Deprecate the !php/const: tag in key which will be replaced by the !php/const tag (without the colon) since 3.4

6.1

• In cases where it will likely improve readability, strings containing single quotes will be double-quoted

5.4

• Add a $maxNestingLevel argument to Parser::__construct(), Yaml::parse() and Yaml::parseFile() to bound recursion depth (default 128)

... (truncated)

Commits

• 68dcd1f Merge branch '5.4' into 6.4
• b0b2705 [Yaml] Harden the Parser::cleanup() regexes against catastrophic backtracking
• 5a351ff [Yaml] Bound collection-alias resolution in the parser
• e4fb993 [Yaml] Reject non-stringables when using "!!binary"
• b02ba66 [Yaml] Bound recursion depth in the parser
• f8d2f4a [Yaml] fix flow collection drops &anchor and !!str &anchor items
• 323ed2d CS fixes - native_function_invocation & static_lambda
• f33e2fb Backport some CS fixes from 7.4
• fe7a693 [CS] Back config from 8.1 and apply heredoc_indentation rule
• 7bca30d [Yaml] Fix parsing nested mappings in sequences
• Additional commits viewable in compare view

Updates symfony/mime from 6.2.7 to 6.4.41

Release notes

Sourced from symfony/mime's releases.

v6.4.41

Changelog (symfony/mime@v6.4.40...v6.4.41)

• bug #64343 Harden __unserialize against __toString trampolines (@​nicolas-grekas)

v6.4.40

Changelog (symfony/mime@v6.4.37...v6.4.40)

• security #cve-2026-45067 Reject email addresses containing line breaks in Address (@​alexandre-daubois)

v6.4.37

Changelog (symfony/mime@v6.4.36...v6.4.37)

• bug #64047 Preserve inline part filename instead of overwriting it with the Content-ID (@​ousamabenyounes)
• bug #64044 Apply tagged MIME type guessers in File::getMimeType() (@​ousamabenyounes)

v6.4.36

Changelog (symfony/mime@v6.4.35...v6.4.36)

• bug #63683 Fix image method to use DataPart content ID (@​pavelwitassek)

v6.4.35

Changelog (symfony/mime@v6.4.34...v6.4.35)

• bug #63584 Use shell_exec() instead of passthru() in FileBinaryMimeTypeGuesser (@​nicolas-grekas)

v6.4.34

Changelog (symfony/mime@v6.4.33...v6.4.34)

• no significant changes

v6.4.32

Changelog (symfony/mime@v6.4.31...v6.4.32)

• no significant changes

v6.4.30

Changelog (symfony/mime@v6.4.29...v6.4.30)

• no significant changes

v6.4.26

Changelog (symfony/mime@v6.4.25...v6.4.26)

• bug symfony/symfony#61766 Fix ord()-related PHP 8.5 deprecations (@​nicolas-grekas)
• bug symfony/symfony#61727 Replace __sleep/wakeup() by __(un)serialize() for throwing and internal usages (@​nicolas-grekas)

v6.4.24

Changelog (symfony/mime@v6.4.23...v6.4.24)

... (truncated)

Changelog

Sourced from symfony/mime's changelog.

CHANGELOG

8.0

• Replace __sleep/wakeup() by __(un)serialize() on AbstractPart implementations

7.4

• Deprecate implementing __sleep/wakeup() on AbstractPart implementations; use __(un)serialize() instead

7.0

• Remove Email::attachPart(), use Email::addPart() instead
• Argument $body is now required (at least null) in Message::setBody()
• Require explicit argument when calling Message::setBody()

6.3

• Support detection of related parts if Content-Id is used instead of the name
• Add TextPart::getDisposition()

6.2

• Add File
• Deprecate Email::attachPart(), use addPart() instead
• Deprecate calling Message::setBody() without arguments

6.1

• Add DataPart::getFilename() and DataPart::getContentType()

6.0

• Remove Address::fromString(), use Address::create() instead
• Remove Serializable interface from RawMessage

5.2.0

• Add support for DKIM
• Deprecated Address::fromString(), use Address::create() instead

... (truncated)

Commits

• 5575d37 [Routing][RateLimiter][Mime][Security] Harden __unserialize against __toStrin...
• 7ccfb0c Merge branch '5.4' into 6.4
• 8f89d3a [Mime] Reject email addresses containing line breaks in Address
• f2f05cb [Mime] Fix transient test
• 330077b bug #64047 [Mime] Preserve inline part filename instead of overwriting it wit...
• 4c7099f [Mime] Preserve inline part filename instead of overwriting it with the Conte...
• e2ae51d [FrameworkBundle] Apply tagged MIME type guessers in File::getMimeType()
• 3d48678 More CS fixes
• 05099f5 CS fixes - native_function_invocation & static_lambda
• f56fd2b [CS] Back config from 8.1 and apply heredoc_indentation rule
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.