Symfony version(s) affected

5.3.9

Description

When using only environment variables to configure Symfony, you end up with debug mode enabled even when APP_ENV=prod. This only happens when symfony/dotenv is not installed.

Installing dotenv will disable debug in prod mode by default. Even if you do not use .env files, installing this package will change this behavior. See \Symfony\Component\Runtime\SymfonyRuntime.

One might not have dotenv installed in a production environment as it should not be needed or when using an older setup. Past versions of the Symfony Skeleton did have symfony/dotenv as require-dev and not require dependency.

How to reproduce

• $ composer create-project symfony/skeleton sf
• $ cd sf
• $ bin/console
• will print (env: dev, debug: true)
• $ APP_ENV=prod bin/console
• will print (env: prod, debug: false)
• $ composer remove symfony/dotenv
• $ APP_ENV=prod bin/console
• will print (env: prod, debug: true)
• $ APP_ENV=prod APP_DEBUG=false bin/console
• will print (env: prod, debug: false)

Possible Solution

I would suggest to always disable debug mode within the prod environment unless explicitly enabled. It is hard to notice and unexpected otherwise.

E.g. change the fallback to false in \Symfony\Component\Runtime\GenericRuntime which currently is true:

$debug = $options['debug'] ?? $_SERVER['APP_DEBUG'] ?? $_ENV['APP_DEBUG'] ?? true;

Additional Context

No response