🔒 Security
Fixes CVE-2026-54164 (GHSA-9rjg-x2p2-h68h) — type confusion: relation IRIs were not type-checked, so a writable relation could be assigned a resource of the wrong type.
- fix(serializer): validate IRI target class on relation denormalization (6bcbeb2)
What's Changed
- fix(doctrine): guard unmapped relation links in ORM handleLinks by @soyuka in #8293
- fix(graphql): honor custom mutation output class in payload type by @soyuka in #8300
Full Changelog: v4.3.11...v4.3.12