Unread items (80)

Add roadmap references across docs, README, and LLM context files

Add project roadmap: v10.3.0 through v11.1.0

Covers bug fixes, build modernization, docs overhaul, headless mode,
ESM output, accessibility improvements, plugin system, and multi-source
search. Shaped by community feedback, open issues, and contributor PRs.

Re-activate unit tests for user literals.

Redirect test temp dirs to system temp directory

* Redirect test temp dirs to system temp directory. Fixes #1178

Move all test-generated output (compiled templates, cache files, and
temporary template sources) from per-test-directory folders inside the
working tree to a parallel structure under sys_get_temp_dir()/smarty-tests/.

This removes 215 boilerplate .gitignore files from the repo and ensures
running the test suite leaves zero uncommitted files in the working tree.

All 2296 tests continue to pass with identical behavior.

* Isolate each test class in a unique temp directory

getTempDir() now appends a per-class uniqid token to the temp path, so
concurrent or sequential test runs never share compiled/cached output.
The token is generated lazily on first use and reset in
tearDownAfterClass(), giving every test class a fresh isolated directory.

As a result, the Bootstrap.php pre-run cleanup of smarty-tests/ is no
longer needed for correctness (stale paths are unreachable) and was
harmful to concurrent runs, so it has been removed.

* Remove individualFolders dead code and spurious assertTrue from cleanDirs()

- Remove the never-active individualFolders code path from setUpSmarty()
  (the constant was always true, making the branch unreachable)
- Remove define('individualFolders') from Config.php and the constructor
- Remove $this->assertTrue(true) from cleanDirs(): it existed solely to
  make testInit() count as a passing test; now that cleanDirs() is called
  from setUpSmarty() and from test methods directly, the assertion was
  spuriously inflating assertion counts
- Add tests/**/templates_c/, cache/, templates_tmp/ to .gitignore to
  prevent stale test output from appearing as untracked files

* Clean up each test class's unique temp dir in tearDownAfterClass()

Add a private static removeDir() helper and call it from
tearDownAfterClass() to recursively delete the per-class unique temp
directory after each test class finishes. Cleanup failures are silently
ignored (@ suppression) so they never cause test failures.

Set KEEP_SMARTY_TEST_ARTIFACTS=1 in the environment to skip cleanup and
keep the artifacts on disk for debugging.

* cleanup of unused template files, non-shared files stored in __shared folder, no longer required calls to add template folders et cetera

* fixed the unit tests

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* remove useless resetting of static properties in tearDownAfterClass

* changed an incorrect doc and formatted some code.

* add changelog

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Docs: overhaul documentation with new recipes, accessibility, comparison, and full changelog

- Fix Recent Searches .reverse() mutation bug (#438), replaced with .toReversed()
- Move security/XSS warning higher in usage.md with DOMPurify code example
- Document full feedback object shape on selection event in configuration.md
- Add comprehensive accessibility section (ARIA attributes, keyboard map, screen reader behavior)
- Add 4 new interactive how-to-guide recipes (force selection, async error handling, custom rendering, multi-key search)
- Add Fuse.js integration recipe for custom search engine usage
- Add comparison page with competitive analysis table (Downshift, Tom Select, Select2, Choices.js, Algolia, react-select)
- Add comparison table to README.md
- Sync llms.txt and llms-full.txt with new patterns and comparison data
- Consolidate CHANGELOG.md with full release history from v1.0 to v10.2.10

Remove call to strcpy (#2844)

This is safe but the memcpy approach is more efficient.  Also enable the
clang-tidy check.  Suggested by Claude.

Use more secure std::random_device instead of rand (#2843)

Suggested by Claude.

Fix TOCTOU in mkdirp (#2842)

It is safer to create the directory and let it fail with EEXIST than to
check then create.  Suggested by Claude.

Assign correct SSL bundle on FreeBSD (#2841)

This has always been broken, at least since
5db550a29864248048c1ebd28e5d61f384024cfb.  Suggested by Claude.

Set cache permissions to 700 (#2840)

Claude flagged this world-writable directory.

Upgrade to S3Proxy 3.1.0 (#2838)

Also set Content-Type for s3_cp test helper curl's --data-binary
defaults Content-Type to application/x-www-form-urlencoded, which
causes Jetty 12 to drain the request body as form parameters before
S3Proxy 3.1.0 can hash it for x-amz-content-sha256 verification,
failing the check with 400 XAmzContentSHA256Mismatch. Send
application/octet-stream instead.  Release notes:

https://github.com/gaul/s3proxy/releases/tag/s3proxy-3.1.0

Update Language.ro.xml (#1636)

* Update Language.ro.xml

* Update Language.ro edited.xml

Merge pull request #1440 from google:dependabot/github_actions/github/codeql-action-4.35.1

PiperOrigin-RevId: 898835966

Fix erroneous 2 TiB limit for hidden file containers in GUI wizard (#1672)

Bump github/codeql-action from 4.31.7 to 4.35.1 (#1440)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.7 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/cf1bb45a277cb3c205638b2cd5c984db1c46a412...c10b8064de6f491fea524254123dbe5e09572f13)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com>

Merge branch 'master' into dependabot/github_actions/github/codeql-action-4.35.1

Bump github/codeql-action from 4.31.7 to 4.35.1

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.7 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/cf1bb45a277cb3c205638b2cd5c984db1c46a412...c10b8064de6f491fea524254123dbe5e09572f13)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Bump actions/download-artifact from 6.0.0 to 8.0.1 (#1441)

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 6.0.0 to 8.0.1.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/018cc2cf5baa6db3ef3c5f8a56943fffe632ef53...3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com>

Bump actions/setup-python from 6.1.0 to 6.2.0 (#1442)

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 6.1.0 to 6.2.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/83679a892e2d95755f2dac6acb0bfd1e9ac5d548...a309ff8b426b58ec0e2a45f0f869d46889d02405)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-version: 6.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com>

Bump step-security/harden-runner from 2.16.0 to 2.16.1 (#1445)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.16.0 to 2.16.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594...fe104658747b27e96e4f7e80cd0a94068e53901d)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.16.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com>

Bump mymindstorm/setup-emsdk from 14 to 15 (#1446)

Bumps [mymindstorm/setup-emsdk](https://github.com/mymindstorm/setup-emsdk) from 14 to 15.
- [Release notes](https://github.com/mymindstorm/setup-emsdk/releases)
- [Commits](https://github.com/mymindstorm/setup-emsdk/compare/6ab9eb1bda2574c4ddb79809fc9247783eaf9021...667eb33f24e84e7f362c16d8d7fff0629a73e15e)

---
updated-dependencies:
- dependency-name: mymindstorm/setup-emsdk
  dependency-version: '15'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com>

Fix ghost drive letter after CLI dismount (GH #337, GH #1426) (#1658)

When dismounting via CLI (/d /q /s), SHChangeNotify is called without
SHCNF_FLUSH flag, making it asynchronous. The process exits before
Explorer processes the notification, leaving a phantom drive letter
visible in Explorer as an inaccessible Local Disk until reboot.

Add SHCNF_FLUSH in Silent (CLI) mode to force synchronous shell
notification processing in both single-volume (UnmountVolumeBase)
and dismount-all (DismountAll) code paths. The flush is only added
in CLI mode to avoid adding latency to interactive GUI operations.

Co-authored-by: Contributor <contributor@example.com>

Fix: Incorrect tooltip on mouseover due to bad translation key (fix #1635) (#1637)

The commit 9ea5ccc4aa35dc3d11863571fe9419f2950c7eef introduced this bug
by creating a translation key named "DISABLE_SCREEN_PROTECTION_WARNING"
but used the key "DISABLE_SCREEN_PROTECTION_HELP" into the installation
wizard.

Fix links to documentation in README.md (#1617)

Linux: add support for building against FUSE3

macOS: fix typo in defaultDirs in Process::FindSystemBinary

Remove Community Plugins section from README

Add Used By section with 21 verified projects across 14 industries

Add cross-project references for Eleva.js and Skalex.js

Add "Also by the Author" section to both the README and docs
homepage linking to Eleva.js and Skalex.js with brief descriptions.

Fix: Docs rendering issue with tilde character

v10.2.10 => Resolve #442

- Fixed: Async function detection fails in transpiled environments
- Added: llms.txt and llms-full.txt for AI agent discoverability
- Added: FAQ page with common usage patterns
- Added: robots.txt with sitemap reference
- Added: Twitter Card meta tags
- Added: JSON-LD structured data (SoftwareApplication, BreadcrumbList, FAQPage)
- Added: Canonical URL tags
- Added: CHANGELOG.md
- Updated: Development dependencies
- Updated: Sitemap with current dates and missing pages
- Updated: Meta descriptions standardized across all pages
- Updated: OG tags with proper per-image metadata
- Updated: All HTTP links to HTTPS
- Updated: Protocol-relative URLs to explicit HTTPS
- Updated: Analytics consolidated to GA4
- Updated: Bundlephobia badge switched to shields.io
- Updated: Documentation and copyright year
- Fixed: Duplicate meta description in docs
- Fixed: og:url pointing to wrong page
- Fixed: og:type inconsistency between pages
- Fixed: Duplicate manifest link in demo
- Fixed: Broken msapplication-TileImage path in demo

Update pre-commit versions (#7348)

* Update pre-commit versions

* Add dependabot entry for pre-commit

* Update pre-commit and ruff hooks

Cleanup docs and add i18n wrappers (#7354)

Upgrade to S3Proxy 3.0.0 (#2837)

Release notes:

https://github.com/gaul/s3proxy/releases/tag/s3proxy-3.0.0

Revert #2783 to call PreventStatCacheExpire again

Temporarily bypass a test fails to delete directories in macOS

Always block media autoplay

Add weekly link check schedule (Mondays 09:00 UTC)

Replace Awesome Bot with Lychee for link checking

- Switch from awesome_bot (Ruby 2.7, unmaintained) to lychee (Rust, actively maintained)
- Run on pull requests as well as pushes to master, so broken links are caught before merge
- Expand whitelist with domains known to block crawlers: leanpub.com, jetbrains.com, wiki.php.net, zend.com, nusphere.com
- Accept HTTP 429 (rate limited) as non-failure to avoid false positives
- Upload lychee results as an artifact on failure

Accept and apply changes from PRs #1391, #1356, #1308, #1321, #1227

PR #1391 — Add Anthropic PHP and Anthropic for Laravel to LLMs section
PR #1356 — Add Trap to Debugging and Profiling, Buggregator to Error Tracking
PR #1308 — Add Inertia.js to Framework Extras (description rewritten)
PR #1321 — Add OctoberCMS to CMS (Tempest already present, HydePHP skipped)
PR #1227 — Add WinterCMS to CMS (Statamic/WordPress changes superseded by ours)

tidying up

Prevent Response self-reference in redirect history (#7328)

license-update: add documentation about PHP license changes (#29)

RFC: https://wiki.php.net/rfc/php_license_update

Exempt adding Type and Value Errors from BC break policy (#27)

RFC: https://wiki.php.net/rfc/policy-exempt-type-value-error-bc-policy

Co-authored-by: Theodore Brown <theodorejb@outlook.com>

v1.1.0

v1.1.0

v1.1.0

Run docs.yml on Ubuntu 24.04

Run docs.yml for all changes

Restricting the workflow to run on changes to `*.rst` files only will prevent
CI from catching mistakes in the workflow itself, for example on Dependabot
updates.

Restrict docs.yml workflow permissions

This workflow is not deploying anywhere and thus neither needs
`id-token: write`, nor `pages: write`.

Fix branch filter in docs.yml workflow

Add Zizmor workflow and make initial updates

rebuild doc for 1.4.1 release

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

upgrade Bootstrap in _build to 3.4.1

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

upgrade Bootstrap from 3.3.0 to 3.4.1

Fixes XSS vulnerabilities (CVE-2018-14040, CVE-2018-14041, CVE-2019-8331)
flagged by GitHub Dependabot.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Bump github/codeql-action from 4.34.1 to 4.35.1

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.34.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/38697555549f1db7851b81482ff19f1fa5c4fedc...c10b8064de6f491fea524254123dbe5e09572f13)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

add 1.4.1 release news entry

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

update version to 1.4.1

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

relax Markdown version pin to >= 3.0

The codebase already uses the Markdown 3.x Registry API (register/
deregister) and the correct extendMarkdown(md) signature. Tested
against Markdown 3.5.2 — all 16 tests pass.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

remove Python 2 compatibility layer

Delete _compat.py and replace all usages with direct Python 3 stdlib
equivalents: filter(), str(), socketserver, http.server. Remove all
from __future__ and from io import open imports.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

add test extras_require with pytest and sh dependencies

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

update version

v2.33.1

Fix malformed value parsing for Content-Type (#7309)

Fix cosmetic header validity parsing regex (#7308)

Fix unintended test extra (#7306)

Cleanup extracted file after extract_zipped_path test (#7305)

Packaging: DRY out extras definition (#7277)

Update Awesome Bot whitelist to include Drupal link

Merge pull request #1406 from ziadoz/fix-broken-links

Fix broken links

Fix broken links

Remove 21 unmaintained/archived libraries (#1402)

* Remove 9 unmaintained libraries (no updates since 2016-2017)

* Also remove 12 GitHub-archived repositories