user_guide_src/source/changelogs/v4.7.3.rst
#############
Version 4.7.3
#############

Release Date: May 22, 2026

4.7.3 release of CodeIgniter4

.. contents::
    :local:
    :depth: 3

********
SECURITY
********

- ``ext_in`` file upload validation rule now validates the
  client filename extension and verifies that it matches the detected MIME type.
  Previously, ``ext_in`` only checked the MIME-derived guessed extension, so a
  file with a mismatched client extension could pass validation.
  See the `Security advisory GHSA-2gr4-ppc7-7mhx <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-2gr4-ppc7-7mhx>`_
  for more information.

***************
Message Changes
***************

- ``Cache.invalidHandler`` message string was added.

*******
Changes
*******

- ``-h`` option for the ``routes`` command is renamed to ``--sort-by-handler`` to avoid conflict with the common use of ``-h`` as a shortcut for ``--help``.
  The old ``-h`` option will continue to work until v4.8.0, at which point it will be removed and repurposed as a shortcut for ``--help``.
  A warning message is displayed when using the old ``-h`` option to encourage users to switch to the new ``--sort-by-handler`` option.

**********
Bugs Fixed
**********

- ``Autoloader::unregister()`` (used during tests) silently failed to remove handlers from the SPL autoload stack, causing closures to accumulate permanently.
- ``CLI::generateDimensions()`` leaked ``stty`` error output (e.g., ``stty: 'standard input': Inappropriate ioctl for device``) to stderr when stdin was not a TTY.
- ``CLI::generateDimensions()`` leaked ``tput`` error output (``tput: No value for $TERM and no -T specified``) to stderr when the ``stty`` fallback was reached and the ``TERM`` environment variable was not set.
- ``env`` command where passing options only would cause the command to throw a ``TypeError`` instead of showing the current environment.
- ``key:generate`` command where the regex used to locate the ``encryption.key`` line was fooled by a comment containing the substring (silently writing nothing), and did not handle DotEnv's ``export encryption.key = ...`` syntax.
- ``serve`` command where the ``--host`` option was concatenated into the ``passthru()`` call without ``escapeshellarg()``, letting shell metacharacters in the locally-supplied argument be interpreted by ``/bin/sh``.
- ``command()`` helper function did not properly clean up output buffers, which could lead to risky tests when exceptions were thrown.
- ``BaseConnection::listTables()`` could return a sparse array when using cached table names after a table was dropped.
- ``increment()`` and ``decrement()`` methods were not working for numeric columns.
- ``$castTextToInt`` was false.
- ``zlib.output_compression`` guard rejected the valid disabled value ``Off``.
- ``Entity::normalizeValue()`` did not handle ``UnitEnum`` before checking for ``toArray()``, causing enums implementing ``toArray()`` to be incorrectly normalized as generic objects instead of enums.
- ``Language::getLine()`` returned the literal dot-notation key instead of the nested array value when the requested key resolved to an intermediate array three or more levels deep.
- ``Time::createFromTimestamp()`` could fail for microsecond timestamps when ``LC_NUMERIC`` used a comma decimal separator.
- ``Validation::getValidated()`` dropped fields whose validated value was explicitly ``null``.
- ``frankenphp-worker.php`` template caused a ``Cannot redeclare class Config\Paths`` fatal error when FrankenPHP's watcher re-executed the worker script after a watched file changed.

See the repo's
`CHANGELOG.md <https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md>`_
for a complete list of bugs fixed.
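
The ``ext_in`` change listed under SECURITY, shown as an added example that is not CodeIgniter's own code: a stand-alone sketch of the check before and after the fix, run against one constructed upload. The function names and the small MIME table are hypothetical, and the script assumes PHP's fileinfo extension is enabled.

```php
<?php
declare(strict_types=1);

// Added illustration, not CodeIgniter source; every name here is hypothetical.
// Constructed MIME-to-extension table (stands in for the framework's own mapping).
const MIME_EXTENSIONS = [
    'image/png'  => ['png'],
    'image/jpeg' => ['jpg', 'jpeg'],
];

function detectMime(string $bytes): string
{
    // Content-based detection; requires the fileinfo extension.
    return (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes) ?: '';
}

// Behaviour before the fix, as the changelog describes it: only the
// extension guessed from the detected MIME type is compared to the list.
function extInBefore(string $bytes, string $clientName, array $allowed): bool
{
    $guessed = MIME_EXTENSIONS[detectMime($bytes)][0] ?? '';

    return in_array($guessed, $allowed, true);
}

// Behaviour after the fix: the client extension must be in the list
// and must also be one the detected MIME type maps to.
function extInAfter(string $bytes, string $clientName, array $allowed): bool
{
    $clientExt = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));

    return $clientExt !== ''
        && in_array($clientExt, $allowed, true)
        && in_array($clientExt, MIME_EXTENSIONS[detectMime($bytes)] ?? [], true);
}

// Constructed sample upload: PNG signature plus the IHDR chunk of a 1x1 image.
$ihdr = 'IHDR' . pack('NNC5', 1, 1, 8, 2, 0, 0, 0);
$png  = "\x89PNG\r\n\x1a\n" . pack('N', 13) . $ihdr . pack('N', crc32($ihdr));

foreach (['avatar.png', 'avatar.jpg', 'avatar.php'] as $name) {
    printf(
        "%-11s before=%s after=%s\n",
        $name,
        var_export(extInBefore($png, $name, ['png', 'jpg']), true),
        var_export(extInAfter($png, $name, ['png', 'jpg']), true),
    );
}
```

With the allowed list ``png,jpg``, the older check accepts all three client names because it never looks at them, while the newer check accepts only ``avatar.png``.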