Yii ≥ 2.0.50: What's New, Release History & EOL Status

2.0.54

Latest release in branch ≥ 2.0.50
Released 3 months ago (January 09, 2026)

Software	Yii
Branch	≥ 2.0.50
Status	Supported
Feature freeze	May 30, 2024
Security & PHP compatibility fixes only	November 23, 2026
End of life	November 23, 2027
First official release version	2.0.50
First official release date	1 year ago (May 30, 2024)
Supported PHP versions	≥ 7.3, ≤ 8.4
Release notes	https://github.com/yiisoft/yii2/releases/tag/2.0.54
Source code	https://github.com/yiisoft/yii2/tree/2.0.54
Documentation	https://www.yiiframework.com/doc/guide/2.0
Download	https://www.yiiframework.com/download
Yii ≥ 2.0.50 Releases	View full list

What Is New in Yii 2.0.50

This release brings a mix of enhancements, bug fixes, and new features to the framework. The changes primarily focus on the database layer, security, and overall code quality.

Category	Description
New Features	Added `yii\behaviors\SluggableBehavior::skipOnEmpty`, `yii\validators\IpValidator::ipv6Pattern`, and more.
Improvements	Enhanced MSSQL and PostgreSQL query builders, RBAC, and error handling.
Bug Fixes	Fixed issues in `yii\i18n\Formatter`, `yii\db\Query`, and URL rule matching.
Security	Added `yii\filters\HostControl` filter to prevent host header attacks.

What database improvements were made?

The database layer received significant attention in this release. For MSSQL, the query builder now supports SELECT ... FOR UPDATE statements, which is crucial for handling row-level locking in transactional operations.

PostgreSQL users get a fix for the yii\db\pgsql\QueryBuilder that ensures the ::character varying type cast is applied correctly in IN conditions. This prevents type mismatch errors when querying against string primary keys.

Code Example: MSSQL FOR UPDATE

$users = (new \yii\db\Query())
    ->from('users')
    ->where(['status' => 1])
    ->forUpdate()
    ->all();

How is host header security handled?

A new security filter, yii\filters\HostControl, has been introduced to mitigate host header attacks. This filter allows you to specify a whitelist of allowed hostnames for the application.

In practice, this prevents attackers from exploiting the host header to poison password reset emails or conduct cache poisoning. You can enable it by adding it to your application's bootstrap configuration.

Configuration Example

'bootstrap' => [
    [
        'class' => 'yii\filters\HostControl',
        'allowedHosts' => [
            'example.com',
            '*.example.com',
        ],
        'fallbackHostInfo' => 'https://example.com',
    ],
],

What new behaviors and validators are available?

The SluggableBehavior now includes a skipOnEmpty property. When set to true, the behavior will not generate a slug if the source attribute is empty, leaving the slug attribute unchanged.

For IP validation, the IpValidator exposes its ipv6Pattern property, allowing for deeper customization of the validation pattern for IPv6 addresses if the default one doesn't fit your needs.

SluggableBehavior Usage

public function behaviors()
{
    return [
        [
            'class' => SluggableBehavior::class,
            'attribute' => 'title',
            'skipOnEmpty' => true, // New property
        ],
    ];
}

Were there any notable bug fixes?

Yes, several important bugs were squashed. A critical fix was applied to the yii\i18n\Formatter where the asRelativeTime method could previously throw an exception when comparing dates with different timezones.

Another fix resolved an issue with URL rule matching. The problem occurred when a rule's pattern contained a slash at the end and the requested URL had parameters, causing the rule to fail to match correctly.

RBAC managers (DbManager and PhpManager) were also updated to properly handle the yii\rbac\Item::updatedAt property during assignment updates.

FAQ

Is the new HostControl filter enabled by default?
No, it is not enabled by default. You must manually configure and add it to your application's bootstrap or controller behavior array to benefit from the protection against host header attacks.

I use PostgreSQL and have string PKs. Does this update affect me?
Yes, it fixes a specific issue for you. The update ensures that queries using the IN condition with an array of string primary keys will now have the proper type cast applied, preventing potential errors.

What happens if SluggableBehavior's skipOnEmpty is true and the source attribute is empty?
The slug generation process will be skipped entirely. The value of the slug attribute will remain whatever it was before, which could be null or an existing value, instead of being overwritten with an empty string.

Was the relative time formatting issue a breaking change?
No, it was a bug fix. The method asRelativeTime in yii\i18n\Formatter was throwing an exception in a specific edge case involving timezones. The fix makes it work correctly without changing its public API.

Does the SELECT FOR UPDATE support work for all databases?
No, it is specifically implemented for MSSQL in this release. The support and syntax for row locking clauses like FOR UPDATE vary between different database management systems (DBMS) like MySQL, PostgreSQL, and Oracle.

Releases In Branch ≥ 2.0.50

Version	Release date
2.0.54	3 months ago (January 09, 2026)
2.0.53	9 months ago (June 27, 2025)
2.0.52	1 year ago (February 13, 2025)
2.0.51	1 year ago (July 18, 2024)
2.0.50	1 year ago (May 30, 2024)