Merge branch '4.2' into 4.3

* 4.2:
  Updated the setup articles to always use the Symfony local web server

Author: javiereguiluz

_build/redirection_map

@@ -427,3 +427,4 @@
 /contributing/community/other /contributing/community
 /profiler/storage /profiler
 /setup/composer /setup
+/security/security_checker /setup

contributing/code/security.rst

@@ -169,7 +169,8 @@ Security Advisories
 .. tip::
 
     You can check your Symfony application for known security vulnerabilities
-    using the ``security:check`` command (see :doc:`/security/security_checker`).
+    using the ``security:check`` command provided by the
+    :ref:`Symfony security checker <security-checker>`.
 
 Check the `Security Advisories`_ blog category for a list of all security
 vulnerabilities that were fixed in Symfony releases, starting from Symfony

quick_tour/the_big_picture.rst

@@ -41,13 +41,13 @@ Symfony application:
 
 Can we already load the project in a browser? Yes! You can setup
 :doc:`Nginx or Apache </setup/web_server_configuration>` and configure their
-document root to be the ``public/`` directory. But, for development, Symfony has
-its own server. Install and run it with:
+document root to be the ``public/`` directory. But, for development, it's better
+to :doc:`install the Symfony local web server </setup/symfony_server>` and run
+it as follows:
 
 .. code-block:: terminal
 
-    $ composer require --dev server
-    $ php bin/console server:start
+    $ symfony server:start
 
 Try your new app by going to ``http://localhost:8000`` in a browser!
 

security.rst

@@ -928,11 +928,6 @@ For example, in a controller extending from the :ref:`base controller <the-base-
     :doc:`security voter </security/voters>` that looks for the user roles
     in the database.
 
-Checking for Security Vulnerabilities in your Dependencies
-----------------------------------------------------------
-
-See :doc:`/security/security_checker`.
-
 Frequently Asked Questions
 --------------------------
 
@@ -1005,7 +1000,6 @@ Authorization (Denying Access)
     security/access_denied_handler
     security/acl
     security/force_https
-    security/security_checker
 
 .. _`frameworkextrabundle documentation`: https://symfony.com/doc/current/bundles/SensioFrameworkExtraBundle/index.html
 .. _`HWIOAuthBundle`: https://github.com/hwi/HWIOAuthBundle

security/security_checker.rst

@@ -10,43 +10,57 @@ Installing & Setting up the Symfony Framework
     Do you prefer video tutorials? Check out the `Stellar Development with Symfony`_
     screencast series.
 
-To create your new Symfony application, first make sure you're using PHP 7.1 or
-higher and have `Composer`_ installed. If you don't, start by `installing Composer`_.
+Installing Symfony
+------------------
 
-Create your new project by running:
+Before creating your first Symfony application, make sure to meet the following
+requirements:
+
+* Your server has PHP 7.1 or higher installed (and :doc:`these PHP extensions </reference/requirements>`
+  which are installed and enabled by default by PHP);
+* You have `installed Composer`_, which is used to install PHP packages;
+* You have installed the :doc:`Symfony local web server </setup/symfony_server>`,
+  which provides all the tools you need to develop your application locally.
+
+Once these requirements are installed, open your terminal and run any of these
+commands to create the Symfony application:
 
 .. code-block:: terminal
 
-    $ composer create-project symfony/website-skeleton my-project
+    # run this if you are building a traditional web application
+    $ symfony new --full my_project
 
-This will create a new ``my-project`` directory, download some dependencies into
-it and even generate the basic directories and files you'll need to get started.
-In other words, your new app is ready!
+    # run this if you are building a microservice, console application or API
+    $ symfony new my-project
 
-.. tip::
+The only difference between these two commands is the number of packages
+installed. The ``--full`` option installs all the packages that you usually
+need to build web apps. Therefore, the installation size will be much bigger.
 
-    The ``website-skeleton`` is optimized for traditional web applications. If
-    you are building microservices, console applications or APIs, consider
-    using the much simpler ``skeleton`` project:
+Both commands will create a new ``my-project/`` directory, download some
+dependencies into it and even generate the basic directories and files you'll
+need to get started. In other words, your new app is ready!
 
-    .. code-block:: terminal
+.. seealso::
 
-        $ composer create-project symfony/skeleton my-project
+    If you can't use the ``symfony`` command provided by the Symfony local web
+    server, use the alternative installation commands based on Composer and
+    displayed on the `Symfony download page`_.
 
 Running your Symfony Application
 --------------------------------
 
 On production, you should use a web server like Nginx or Apache (see
 :doc:`configuring a web server to run Symfony </setup/web_server_configuration>`).
 But for development, it's more convenient to use the
-:doc:`Symfony Local Web Server </setup/symfony_server>`.
+:doc:`Symfony Local Web Server </setup/symfony_server>` installed earlier.
 
 This local server provides support for HTTP/2, TLS/SSL, automatic generation of
 security certificates and many other features. It works with any PHP application,
 not only Symfony projects, so it's a very useful development tool.
 
-`Download the Symfony local web server`_, install it, move into your new project
-directory and start the local web server as follows:
+Open your terminal, move into your new project directory and start the local web
+server as follows:
 
 .. code-block:: terminal
 
@@ -113,13 +127,6 @@ command which displays information about the app:
 
     $ php bin/console about
 
-Checking for Security Vulnerabilities
--------------------------------------
-
-Symfony provides a utility called the "Security Checker" to check whether your
-project's dependencies contain any known security vulnerability. Check out
-the integration instructions for `the Security Checker`_ to set it up.
-
 The Symfony Demo application
 ----------------------------
 
@@ -153,8 +160,9 @@ Go Deeper with Setup
 
 .. _`Stellar Development with Symfony`: http://symfonycasts.com/screencast/symfony
 .. _`Composer`: https://getcomposer.org/
-.. _`installing Composer`: https://getcomposer.org/download/
+.. _`installed Composer`: https://getcomposer.org/download/
 .. _`Download the Symfony local web server`: https://symfony.com/download
+.. _`Symfony download page`: https://symfony.com/download
 .. _`the Security Checker`: https://github.com/sensiolabs/security-checker#integration
 .. _`The Symfony Demo application`: https://github.com/symfony/demo
 .. _`symfony/symfony-demo`: https://github.com/symfony/demo

setup.rst

@@ -4,16 +4,17 @@
 How to Use PHP's built-in Web Server
 ====================================
 
+.. caution::
+
+    This article explains how to use the web server based on the WebServerBundle.
+    This is no longer recommended in new Symfony applications. Instead, use the
+    :doc:`Symfony Local Web Server </setup/symfony_server>`.
+
 The PHP CLI SAPI comes with a `built-in web server`_. It can be used to run your
 PHP applications locally during development, for testing or for application
 demonstrations. This way, you don't have to bother configuring a full-featured
 web server such as :doc:`Apache or Nginx </setup/web_server_configuration>`.
 
-.. tip::
-
-    The preferred way to develop your Symfony application is to use
-    :doc:`Symfony Local Web Server </setup/symfony_server>`.
-
 .. caution::
 
     The built-in web server is meant to be run in a controlled environment.

setup/built_in_web_server.rst

@@ -321,20 +321,29 @@ Bonus Features
 In addition to being a local web server, the Symfony server provides other
 useful features:
 
+.. _security-checker:
+
 Looking for Security Vulnerabilities
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Instead of installing the :doc:`Symfony Security Checker </security/security_checker>`
-as a dependency of your projects, you can run the following command:
+Run the following command to check whether your project's dependencies contain
+any known security vulnerability:
 
 .. code-block:: terminal
 
     $ symfony security:check
 
-This command uses the same vulnerability database as the Symfony Security
-Checker but it does not make HTTP calls to the official API endpoint. Everything
-(except cloning the public database) is done locally, which is the best for CI
-(*continuous integration*) scenarios.
+A good security practice is to execute this command regularly to be able to
+update or replace compromised dependencies as soon as possible. The security
+check is done locally by cloning the public `PHP security advisories database`_,
+so your ``composer.lock`` file is not sent on the network.
+
+.. tip::
+
+    The ``security:check`` command terminates with a non-zero exit code if
+    any of your dependencies is affected by a known security vulnerability.
+    This way you can add it to your project build process and your continuous
+    integration workflows to make them fail when there are vulnerabilities.
 
 Creating Symfony Projects
 ~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -370,3 +379,4 @@ that Composer will also set the stability to ``dev`` for all root dependencies):
 .. _`Docker`: https://en.wikipedia.org/wiki/Docker_(software)
 .. _`SymfonyCloud`: https://symfony.com/cloud/
 .. _`Read SymfonyCloud technical docs`: https://symfony.com/doc/master/cloud/intro.html
+.. _`PHP security advisories database`: https://github.com/FriendsOfPHP/security-advisories