Bump symfony/security-http from 7.4.3 to 7.4.13

[dependabot]

Bumps symfony/security-http from 7.4.3 to 7.4.13.

Release notes

Sourced from symfony/security-http's releases.

v7.4.13

Changelog (symfony/security-http@v7.4.12...v7.4.13)

• security #cve-2026-48489 Don't honor user-supplied _failure_path on failure_forward (@​nicolas-grekas)
• bug #64337 Initialize lazy users before serializing them (@​MatTheCat)

v7.4.12

Changelog (symfony/security-http@v7.4.11...v7.4.12)

• security #cve-2026-45069 Add missing claims in OidcTokenHandler (@​alexandre-daubois)
• security #cve-2026-45063 Anchor emailAddress regex to RDN boundary in X509Authenticator (@​alexandre-daubois)
• security #cve-2026-45074 Require configuring trusted hosts when using CAS authentication (@​nicolas-grekas)
• security #cve-2026-45075 Fix HEAD requests bypassing methods filter in IsGranted, IsCsrfTokenValid and IsSignatureValid attributes (@​nicolas-grekas)
• bug #64213 Fix impersonation being deauthenticated on every request (@​nicolas-grekas)

v7.4.11

Changelog (symfony/security-http@v7.4.9...v7.4.11)

• bug #64181 Preserve webserver base URL in HttpUtils::createRequest() (@​ousamabenyounes)

v7.4.9

Changelog (symfony/security-http@v7.4.3...v7.4.9)

• bug #63983 Throw BadCredentialsException on empty JSON login username/password (@​ousamabenyounes)

v7.4.8

Changelog (symfony/security-http@v7.4.7...v7.4.8)

• no significant changes

v7.4.6

Changelog (symfony/security-http@v7.4.5...v7.4.6)

• no significant changes

v7.4.4

Changelog (symfony/security-http@v7.4.3...v7.4.4)

• no significant changes

Commits

• da3c280 Merge branch '6.4' into 7.4
• 1a01cd7 CS fix
• 7ea7162 Merge branch '6.4' into 7.4
• b4acd83 Merge branch '5.4' into 6.4
• 119cc48 [Security] Don't honor user-supplied _failure_path on failure_forward
• 5312b62 Merge branch '6.4' into 7.4
• 8602860 Fix tests and merge resolution after merging 6.4 into 7.4
• 1081160 Merge branch '6.4' into 7.4
• 4523a53 Remove protectedHeaderOnly from claim checkers
• 20636d3 [Security] Initialize lazy users before serializing them in the session
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.