Yii 2.0.16 is released


We are very pleased to announce the release of Yii Framework version 2.0.16.
Please refer to the instructions at https://www.yiiframework.com/download/ to install or upgrade to this version.

Version 2.0.16 is a minor release of Yii 2.0 which contains more than a hundred enhancements and bug fixes including security fixes.

Yii 2.0 reached feature freeze more than a year ago, meaning that the 2.0 branch will only receive bug fixes. That was done in order to allow the Yii Team to focus on the upcoming Yii 3 rewrite. There’s more on Yii 3 at the very end of this announcement.

There are minor changes that may affect your existing applications, so make sure to check the UPGRADE.md file.

Huge thanks to all Yii community members who contribute to the framework. It wouldn’t have been possible without you. Additional thanks to translators who are keeping international documentation up to date.

There are many active Yii communities so if you need help or want to share your experience, feel free to join them.

Below we summarize some of the enhancements and changes that slipped into this release.
A complete list of changes can be found in the CHANGELOG.

Active Record

A behavior for optimistic locking was added by Salem Ouerdani, @tunecino.

Optimistic locking allows multiple users to access the same record for edits and avoids
potential conflicts. In case when a user attempts to save the record upon some staled data
(because another user has modified the data), a StaleObjectException exception will be thrown,
and the update or deletion is skipped.

The locking itself was implemented from the first versions of Yii but using it properly wasn’t easy. Now it is.
You can find details in the guide section on optimistic locks
and in OptimisticLockBehavior itself.


Console migration generator defaults were changed so that the migrations are generated with table prefixes used. If you
want to disable this behavior, set yii\console\controllers\MigrateController::useTablePrefix to false via console
command mappings.


  • The MySQL driver now supports fractional seconds for time types (require MySQL >= 5.6.4).
  • The Oracle driver now supports resetting sequences.


  • yii\helpers\Inflector now works correctly with UTF-8.
  • Added yii\mutex\FileMutex::$isWindows for Windows file shares on Unix guest machines.
  • yii\helpers\UnsetArrayValue, yii\helpers\ReplaceArrayValue object can now be restored after serialization using var_export() function.


Added $filterOnFocusOut option that allows to toggle if filtering should be triggerd when filter field is losing focus.


jQuery 3.3 is now allowed to be installed.


  • Increased frequency of lock tries for yii\mutex\FileMutex::acquireLock() when $timeout is provided.
  • Added support for $timeout in yii\mutex\PgsqlMutex::acquire().

Security fixes

Two security issues were fixed in this release:

  • CVE-2018-14578: CSRF token check bypassing in \yii\web\Request::getMethod()
  • CVE-2018-19454: Excess logging of sensitive information in \yii\log\Target

Project templates

  • Codeception configs were cleaned up in both basic and advanced project templates.
  • A basic Docker configuration was added to the Advanced project template, allowing you to quickly start developing.
  • Advanced template tests require newer version of Codeception that works starting with PHP 7.0. Old applications will work with older versions
    of Codeception so there’s no need for upgrade if you don’t want it.

A bit about Yii 3.0

Yii 3 will be the next major version of the Yii framework. A separate announcement will be made subsequently,
but here’s a brief overview of the future:

A new architecture: The Yii framework has been split into several packages.
This will allow you to pick the packages you need to compose your Yii application instead of installing one package that provides everything.

JavaScript-agnostic: With the reorganization of the source code, Yii will no longer tie you to a specific JavaScript framework.
Core features of Yii have been rewritten to be jQuery-free.

PSR Compatibility: Yii 3 will embrace the PHP-FIG recommendations, and implement many PSRs: Logging, Caching, DI, etc.

Yii 3.0 is currently being developed. We will make separate announcements when it reaches alpha stability.


CVE-2018-19454 - does not prevent password logging eg from login forms…
For example - $_POST[‘CustomerLoginForm’][‘password’] …

are you noticing a problem with the fix?

Congratulations to the team and to all involved!

1 Like

Realy good news. Thank you very much for your engagement!

you can configure additional patterns for your application.

Useful feature, thanks!

Waiting for Yii3


Congratulations Team Yii!!!
Best of Luck :slight_smile:

1 Like