Bump cakephp/cakephp from 3.10.2 to 4.0.6

[dependabot]

Bumps cakephp/cakephp from 3.10.2 to 4.0.6.

Release notes

Sourced from cakephp/cakephp's releases.

CakePHP 4.0.6 released

The CakePHP core team is happy to announce the immediate availability of CakePHP 4.0.6. This is a maintenance release for the 4.0 branch that fixes several community reported issues and a low risk security issue in our CSRF protection middleware.

Bugfixes

You can expect the following changes in 4.0.6. See the changelog for every commit.

• Nirmal Kirubakaran contacted us via the security mailing list and disclosed a vulnerability in our CSRF token generation. If an attacker were to use an XSS vulnerabiity or physical access to fixate a CSRF token they could then exploit additional CSRF attacks. In this release generated tokens contain an HMAC signed with Security.salt. This ensures the tokens were generated by the same application that receives them. CSRF tokens generated in previous versions will now be rejected by 4.0.6 as they do not contain the HMAC.
• Improved session access in IntegrationTestTrait through the new getTestSession() method.
• Fixed generation of pagination links on / URLs.
• cake plugin unload and cake plugin load now handle vendor namespaced plugins.
• Validation::inList() no longer emits a warning on a non-scalar values.
• Schema reflection stored procedures in SQLServer now work in case sensitive configurations.
• Email message wrapping no longer emits errors when lines are the same length as the wrap length.
• App::path() now resolves locale files for plugins.

Contributors to 4.0.6

Thank you to all the contributors that helped make this release happen:

• ADmad
• Corey Taylor
• Mark Scherer
• Mark Story
• Nicolas

As always, we would like to thank all the contributors that opened issues, created pull requests or updated the documentation.

CakePHP 4.0.5 released

The CakePHP core team is happy to announce the immediate availability of CakePHP 4.0.5. This is a maintenance release for the 4.0 branch that fixes several community reported issues.

Bugfixes

You can expect the following changes in 4.0.5. See the changelog for every commit.

• SMTP delivery failure exceptions now include the error text received from the destination server.
• Improved API documentation.
• Table::saveMany() now correctly rollbacks a transaction when an entity other than the first fails to save because of application rules or database failure.
• ConsoleIntegrationTestTrait now uses mocked _out and _err objects if they have been set.
• ConsoleInput::read() now handles false values from fgets() and readline.
• CounterCacheBehavior now handles null association values better when custom finders are used.
• Http\Response now allows usage of unassigned HTTP status codes between 100 and 599.
• Binary data in SQL query logs is now encoded as hexadecimal to improve readability of query logs.

Contributors to 4.0.5

... (truncated)

Commits

• 776a053 Update version number to 4.0.6
• 4cbc8d5 Merge pull request #14465 from cakephp/psalm
• 46c2b9e Fix CS errors
• c85e239 Fix errors reported by psalm
• 907cf4a Merge pull request #14461 from cakephp/issue-14459
• 94e0a75 Fix docblock.
• 19a271f Fix docblocks.
• d56e2dd Merge pull request #14464 from cakephp/app-path-locales
• d63bf24 Update App::path() to return locales path for plugins too.
• 4e6c835 Fix error when wrapping email message content.
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.