Bump sylius/sylius from 1.6.1 to 1.6.9

[dependabot]

Bumps sylius/sylius from 1.6.1 to 1.6.9.

Release notes

Sourced from sylius/sylius's releases.

v1.6.9

• #11369 [Docs] Don't use $HOME in SymfonyCloud deployment cookbook (@tucksaun)
• #11387 Remove the doc reference to a promotion action that no longer exists in Core. (@gabiudrescu)
• #11391 Fallback to the locale code if the associated name isn't found (@dunglas)
• #11390 Bug #9738 Fix nested form collections (@vic-blt)
• #11403 Fix Autolabeler configuration (@Zales0123)
• #11416 doc : add the composer dump-autoload instruction (@davidroberto)
• #11450 [Docs] Enable redirections on ReadTheDocs (@pamil)
• #11452 [Docs] Fix redirection for backwards compatibility promise (@pamil)
• #11944 [Shop] Disabling customer when email has been changed (@lchrusciel)

v1.6.8

• #11018 Fix: Check PropertyPath value for add error to form (@Coosos)
• #11191 Separated order items subtotal calculation logic from twig extension (@4c0n)
• #11341 [Maintenance] Upgrade packages dependencies & fix 1.6 build (@lchrusciel)
• #11342 [Maintenance] Remove memory swap (@lchrusciel)
• #11346 [ADMIN] fix closed gateway config field in payment method form (@bigboss86)
• #11363 Introduce Probot Autolabeler (@Zales0123)
• #11364 fix #11362 : ignore channel locale listener on profiler routes (@thi3rry)
• #11380 Use !default for SCSS variables to allow overriding them (@pamil)

v1.6.5

CVE-2020-5218: Ability to switch channels via GET parameter enabled in production environments

Please refer to the original security advisory for the most updated information.

Impact:

This vulnerability gives the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when %kernel.debug% is set to true.

However, if no sylius_channel.debug is set explicitly in the configuration, the default value which is %kernel.debug% will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.

Patches:

Patch has been provided for Sylius 1.3.x and newer - 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.

Workarounds:

Unsupported versions could be patched by adding the following configuration to run in production:

sylius_channel:
    debug: false

Details

• #10296 Product show page (@kulczy, @AdamKasp)
• #10342 [Fixture] Togglable default locale loading (@lchrusciel)
• #10355 Adding a coupon generator command (@mamazu)

... (truncated)

Changelog

Sourced from sylius/sylius's changelog.

v1.6.9 (2020-10-19)

Details

• #11369 [Docs] Don't use $HOME in SymfonyCloud deployment cookbook (@tucksaun)
• #11387 Remove the doc reference to a promotion action that no longer exists in Core. (@gabiudrescu)
• #11391 Fallback to the locale code if the associated name isn't found (@dunglas)
• #11390 Bug #9738 Fix nested form collections (@vic-blt)
• #11403 Fix Autolabeler configuration (@Zales0123)
• #11416 doc : add the composer dump-autoload instruction (@davidroberto)
• #11450 [Docs] Enable redirections on ReadTheDocs (@pamil)
• #11452 [Docs] Fix redirection for backwards compatibility promise (@pamil)
• #11944 [Shop] Disabling customer when email has been changed (@lchrusciel)

v1.6.8 (2020-04-21)

Details

• #11018 Fix: Check PropertyPath value for add error to form (@Coosos)
• #11191 Separated order items subtotal calculation logic from twig extension (@4c0n)
• #11341 [Maintenance] Upgrade packages dependencies & fix 1.6 build (@lchrusciel)
• #11342 [Maintenance] Remove memory swap (@lchrusciel)
• #11346 [ADMIN] fix closed gateway config field in payment method form (@bigboss86)
• #11363 Introduce Probot Autolabeler (@Zales0123)
• #11364 fix #11362 : ignore channel locale listener on profiler routes (@thi3rry)
• #11380 Use !default for SCSS variables to allow overriding them (@pamil)

v1.6.7 (2020-03-31)

Details

• #11168 [Docs] Remove sensio.sphinx.refinclude (@Tomanhez)
• #11111 [Docs] Recommend trait usage in Plugin Development Guide (@Zales0123)
• #11147 [Plus Docs] Installation guide improvement and Administrator Roles (@CoderMaggie)
• #11169 [missing return] Update basic-usage (@DurandSacha)
• #11146 [Behat][Admin] Fix step with checking number of orders in the list (@GSadee)
• #11177 [Documentation] Sylius Plus docs part 2; including fixes to links (@CoderMaggie)
• #11181 Sylius Plus feature scope update (@dukusz)
• #11179 [Maintenance] Remove uneeded step (@lchrusciel)
• #11192 Fixtures: fix French translation of cap (@dunglas)
• #11299 Remove useless interface in custom_fixture.rst (@dunglas)
• #11304 [Docs] Require tagged plugins for Sylius Store (@Zales0123)
• #11310 Install symfony/polyfill-php80 to fix the psalm build (@Zales0123)

v1.6.6 (2020-02-28)

Details

• #11065 user provider fix exception (@oallain)
• #11079 [Docs] Add organization section to The Book + set up Sphinx redirections (@pamil)

... (truncated)

Commits

• 9ac0c41 Generate changelog for v1.6.9
• 0e043be [Release] Change application version to v1.6.9
• c429c1e bug #11944 [Shop] Disabling customer when email has been changed (lchrusciel)
• 2b6d575 [Behat] Remove dead class
• f9c02e7 [Maintenance] Adjusting symfony.lock to lowest supported PHP version
• 8ce48a8 [Shop] Move email updater listener definition to proper folder
• e5bb1bc [Core] Test tag resolver compiler pass
• c8b0f40 [Core] Add tag resolver compiler pass
• ca512d0 [Admin][Shop][AdminApi] Section resolvers implemented
• 96e1e08 [Composer] Conflict Doctrine/Inflector
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.