Merge branch '5.1' into 2026.x

Author: dpfaffenbauer

.github/dependabot.yml

@@ -6,9 +6,44 @@ updates:
       interval: "weekly"
     open-pull-requests-limit: 10
     groups:
+      symfony:
+        patterns:
+          - "symfony/*"
+        update-types:
+          - "minor"
+          - "patch"
+      doctrine:
+        patterns:
+          - "doctrine/*"
+        update-types:
+          - "minor"
+          - "patch"
       composer:
         patterns:
           - "*"
+        exclude-patterns:
+          - "symfony/*"
+          - "doctrine/*"
+        update-types:
+          - "minor"
+          - "patch"
+    ignore:
+      # Symfony major bumps must be coordinated across all symfony/* packages
+      # and aligned with pimcore's symfony constraint.
+      - dependency-name: "symfony/*"
+        update-types: ["version-update:semver-major"]
+      # Doctrine ORM/DBAL/Fixtures majors require coordinated upgrades.
+      - dependency-name: "doctrine/*"
+        update-types: ["version-update:semver-major"]
+      # Known BC-breaking majors — upgrade manually.
+      - dependency-name: "webmozart/assert"
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "symplify/easy-coding-standard"
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "phpstan/phpstan"
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "vimeo/psalm"
+        update-types: ["version-update:semver-major"]
 
   - package-ecosystem: "github-actions"
     directory: "/"

CHANGELOG-4.1.x.md

@@ -1,3 +1,9 @@
+## 4.1.11
+* Fix order token generator entropy using CSPRNG and 32-char tokens by @Copilot in https://github.com/coreshop/CoreShop/pull/2964
+* Fix password reset security: user enumeration, weak tokens, plaintext storage, missing TTL by @Copilot in https://github.com/coreshop/CoreShop/pull/2961
+* backport passwordResetHashCreatedAt user migration from 2026.x by @dpfaffenbauer in https://github.com/coreshop/CoreShop/pull/3008
+* [IndexBundle] OpenSearchWorker: Refactor delete methods for index operations by @aarongerig in https://github.com/coreshop/CoreShop/pull/3028
+
 ## 4.1.10
 * Fix outdated Menu Bundle docs for ExtJs event handling by @Copilot in https://github.com/coreshop/CoreShop/pull/2966
 * Add multi-select drag & drop support for objectMultihref condition lists by @Copilot in https://github.com/coreshop/CoreShop/pull/2960

CHANGELOG-5.0.x.md

@@ -1,3 +1,7 @@
+## 5.0.1
+* All changes merged from 4.1.*
+* Dependency Updates in FrontendBundle Design v2
+ 
 ## 5.0.0
 
 > CoreShop is now Licensed under CCL only! If you update to Version 5 make sure to read